Browser Hijack, about:blank Search, sp.html, and friends
Posted by iq454

Yes, IT WORKED. I'll run you through the procedure exactly. I'll try to explain as best I can.

Open your Windows folder and your Windows\system32 folder at the same time and order them both by size. Now, because the file's name might be different for all of us (or even the size for that matter), we have to work off the file's size... If yours is different, you can see what to do anyway. These are the sizes to look for (in my case anyway): 19, 56, 91 and 96 kB in your Windows folder AND 32, 64 and 96 kB in your system32 folder. The way to find these files is to check by hovering your mouse over each and every one. If it's part of this hijack, it will not display its type, description or who made it (Microsoft or whoever).

So, start in your system32 folder and find all the files that are 96kB. Hold the "ctrl" key and hover the mouse over a file; if no type, description or who made it is displayed, then highlight it. While still holding the "ctrl" key, go up to the next file and check it also; if it has a type, description, and who made it, then DON'T highlight it, and move on like this until you get all files 96kB in size. DON'T DELETE THEM YET. Keep going up until you find all files that are 64kB also, and do exactly the same thing, then do the same for the files that are 32kB. Once you have them all highlighted, go to your Windows folder, which should already be open, and find the file that BHOdemon reported (it will take 30 seconds to create a new dll), so this is enough time, because all the files we need to delete are already highlighted.

Now delete all those files you highlighted in your system32 folder. It will then say "this is a system file, if you delete it, blahblahblah"; just delete it, as this might be the main program that started it all. If it really is a system file we need, then it will say who made it (Microsoft or whoever) when we hover the mouse over it, but if it didn't, then it belongs to this hijack (because all legit files have a description and who made it). Then quickly go into your Windows folder and delete that file BHO reported. That's it. Hijack defeated.

You see the pattern this hijack made? The person who made it was so smart that if someone like me found the files to delete, then the main program (in the system32 folder) would make the same hijack, only in another type of file and maybe location too, but it only goes between the Windows folder and the system32 folder (like exe's, dll or txt). If we found those exe's or whatever and deleted them, it would then make a main dll of 64kB and an exe of 32kB equaling 96 kB, or an "ocx" of 64kB and an "exe" of 32kB equaling 96kB, and if we found those dll's, ocx's, txt's, or exe's, it would then make another dll or exe or txt equaling 96kB. The program or hijack actually does have an end, thank god. All of this was to throw us off course, and anything that scanned it.

But now we can see that the whole hijack was in a main file of 96kB; don't know which one, but we know what its size is. Again, if we leave the exe's and delete the 96kB dll file only, those 3 exe's would then make either another dll of 96kB, or make 3 exe's (because remember, each exe is 32kB, 3x32 is 96). Then those 3 exe's "might" make more exe's of itself in case we found the pattern, and how we found out how to look for it would be by the file size (like I did), because remember I found 11 once? This might be because I was deleting dll's before all this, and it just kept creating extra exe's. May be confusing, but that's the pattern and how I defeated it.

And no virus, spyware or even BHO program can detect this, because the main one(s) are turned off until the one that is active is deleted, which is the one BHO or spyware programs will detect, which is useless in this case.

Have a nice day.

PS: If you have problems, you can reach me @ neobot@the-pentagon.com
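
The manual hover check described in the post can be done as a read-only listing. The script below is an added example, not part of the original post: it reports files of the quoted sizes in the two folders that carry no file description and no company name, and it deletes nothing. The function name `Get-UndescribedFile` is hypothetical, and the script assumes Explorer's size column rounds up to whole kB; signature status and a hash are included so each candidate can be vetted before anything is removed.

```powershell
# Added example: read-only triage listing. Nothing is deleted or modified.
# Sizes (kB) per folder are the ones quoted in the post.
$targets = @(
    @{ Dir = $env:windir;                          SizesKB = 19, 56, 91, 96 },
    @{ Dir = (Join-Path $env:windir 'System32');   SizesKB = 32, 64, 96 }
)

function Get-UndescribedFile {
    param(
        [Parameter(Mandatory)] [string] $Dir,
        [Parameter(Mandatory)] [int[]]  $SizesKB
    )
    # -Force includes hidden and system files, which Explorer may not show.
    Get-ChildItem -LiteralPath $Dir -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: Explorer displays size rounded up to the next whole kB.
            $kb = [int][math]::Ceiling($_.Length / 1KB)
            if ($SizesKB -notcontains $kb) { return }

            # The tooltip fields the post relies on come from the version resource.
            $vi = $_.VersionInfo
            $noDescription = [string]::IsNullOrWhiteSpace($vi.FileDescription)
            $noCompany     = [string]::IsNullOrWhiteSpace($vi.CompanyName)
            if (-not ($noDescription -and $noCompany)) { return }

            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                SizeKB    = $kb
                Created   = $_.CreationTime
                Modified  = $_.LastWriteTime
                Signature = $sig.Status   # Valid, NotSigned, HashMismatch, ...
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Run against both folders and show the newest candidates first.
$targets |
    ForEach-Object { Get-UndescribedFile -Dir $_.Dir -SizesKB $_.SizesKB } |
    Sort-Object Created -Descending |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt so that protected files in System32 are readable; recently created, unsigned entries at the top of the table are the ones to examine first.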