Copyright 1999 - 2006, Sandra Hardmeier, All Rights Reserved Worldwide
Last updated 20/08/2006

dothesearch / owmngr.exe / searchseekfind / / sysreg.exe / ttps.exe


Stop the hijackware from running before attempting to clean your system - use TaskManager (ctrl/alt/del) to shut it down.


Note that not all instructions may apply to your machine.  Make sure you export any registry keys that you delete so they can be restored if things go wrong.  This link will lead you to some Microsoft KB articles about the basics of the Registry and working with it.


To clean manually, first go to the registry. You may find a reference to the ttps.exe, owmngr.exe or sysreg.exe at the following registry keys:




If other references appear in the above keys, 'email me' with full details for assistance if you are unsure what to do, or go to start/run and type MSCONFIG. You can disable the suspicious entries there (the startup tab) without having to delete them from your registry.


Search for, export and delete the following keys:







Delete only the highlighted entries, not the entire key.  Reboot your computer.


Search for and rename ttps.exe


Search for and rename owmngr.exe


Search for and rename sysreg.exe


Search for and rename bho2.dll, sbsrch_v2.dll, sbsrch_v21.dll, sbsrch_v22.dll (any dll starting with the name sbsrch_v), msnie.dll, msvcn.dll, winfgnet.dat. A file called BACKUP.REG can be renamed for safety's sake. It *may* be a backup copy of your registry made by the hijackware at the time of install, but it is a common name and the file should not be trusted.


Search your registry for any key pointing to the above DLL files or msnieupdate. Export and then delete. The most likely location is HKCU\Software\VB and VBA Program Settings


To get rid of the search engine hijackings reset your IE search engine settings as per the instructions at this link, or delete the following entries in the registry (HKCU = HKEY_CURRENT_USERS, HKLM = KKEY_LOCAL_MACHINE):


HKCU\Software\Microsoft\Internet Explorer\Main\ (Search Bar)
HKLM\Software\Microsoft\Internet Explorer\Search\ (CustomizeSearch)

HKLM\Software\Microsoft\Internet Explorer\Search\ (SearchAssistant)


Empty your IE cache and c:\windows\temp. Other executables can be hidden there.


Search your computer for a hidden file called HOSTS and rename to HOSTS.OLD


Go to IE Tools, Internet Options, Temporary Internet Files {Settings Button}, View Objects, Downloaded Programme Files. Check for anything suspicious there.


Also, check c:\ for folders related to the hijackware. If found, rename and move - be CAREFUL that you don't move an entire directory, just the folder.