Last updated
14/05/2005
Copyright © 1999 - 2004, Sandra Hardmeier, All
Rights Reserved Worldwide
dothesearch / owmngr.exe / searchseekfind / fastfind.org / sysreg.exe / ttps.exe
Stop the hijackware from running before attempting to clean your system - use TaskManager (ctrl/alt/del) to shut it down.
Note that not all instructions may apply to your machine. Make sure you export any registry keys that you delete so they can be restored if things go wrong. This link will lead you to some Microsoft KB articles about the basics of the Registry and working with it.
To clean manually, first go to the registry. You may find a reference to the ttps.exe, owmngr.exe or sysreg.exe at the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
If other references appear in the above keys, 'email me' with full details for assistance if you are unsure what to do, or go to start/run and type MSCONFIG. You can disable the suspicious entries there (the startup tab) without having to delete them from your registry.
Search for, export and delete the following keys:
HKEY_CURRENT_USER\Iexplore\Ads
HKEY_CURRENT_USER\Iexplore\AID
HKEY_CURRENT_USER\Iexplore\ID
HKEY_CURRENT_USER\Iexplore\LoggedIn
Delete only the highlighted entries, not the entire key. Reboot your computer.
Search for and rename ttps.exe
Search for and rename owmngr.exe
Search for and rename sysreg.exe
Search for and rename bho2.dll, sbsrch_v2.dll, sbsrch_v21.dll, sbsrch_v22.dll (any dll starting with the name sbsrch_v), msnie.dll, msvcn.dll, winfgnet.dat. A file called BACKUP.REG can be renamed for safety's sake. It *may* be a backup copy of your registry made by the hijackware at the time of install, but it is a common name and the file should not be trusted.
Search your registry for any key pointing to the above DLL files or msnieupdate. Export and then delete. The most likely location is HKCU\Software\VB and VBA Program Settings
To get rid of the search engine hijackings reset your IE search engine settings as per the instructions at this link, or delete the following entries in the registry (HKCU = HKEY_CURRENT_USERS, HKLM = KKEY_LOCAL_MACHINE):
HKCU\Software\Microsoft\Internet Explorer\Main\ (Search Bar)
HKLM\Software\Microsoft\Internet Explorer\Search\ (CustomizeSearch)
HKLM\Software\Microsoft\Internet Explorer\Search\ (SearchAssistant)
Empty your IE cache and c:\windows\temp. Other executables can be hidden there.
Search your computer for a hidden file called HOSTS and rename to HOSTS.OLD
Go to IE Tools, Internet Options, Temporary Internet Files {Settings Button}, View Objects, Downloaded Programme Files. Check for anything suspicious there.
Also, check c:\ for folders related to the hijackware. If found, rename and move - be CAREFUL that you don't move an entire directory, just the folder.