Copyright 1999 - 2006, Sandra Hardmeier, All Rights Reserved Worldwide
Last updated 20/08/2006

dothesearch / owmngr.exe / searchseekfind / fastfind.org / sysreg.exe / ttps.exe

 

Stop the hijackware from running before attempting to clean your system - use Task Manager (Ctrl+Alt+Del) to shut it down.

 

Note that not all instructions may apply to your machine.  Make sure you export any registry keys that you delete so they can be restored if things go wrong.  This link will lead you to some Microsoft KB articles about the basics of the Registry and working with it.

 

To clean manually, first go to the registry. You may find a reference to ttps.exe, owmngr.exe or sysreg.exe under the following registry keys:

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce

 

If other references appear in the above keys and you are unsure what to do, 'email me' with full details for assistance, or go to Start/Run and type MSCONFIG. You can disable the suspicious entries there (on the Startup tab) without having to delete them from your registry.

 

Search for, export and delete the following keys:

 

HKEY_CURRENT_USER\Iexplore\Ads

HKEY_CURRENT_USER\Iexplore\AID

HKEY_CURRENT_USER\Iexplore\ID

HKEY_CURRENT_USER\Iexplore\LoggedIn

 

Delete only the highlighted entries, not the entire key.  Reboot your computer.

 

Search for and rename ttps.exe

 

Search for and rename owmngr.exe

 

Search for and rename sysreg.exe

 

Search for and rename bho2.dll, sbsrch_v2.dll, sbsrch_v21.dll, sbsrch_v22.dll (any dll starting with the name sbsrch_v), msnie.dll, msvcn.dll, winfgnet.dat. A file called BACKUP.REG can be renamed for safety's sake. It *may* be a backup copy of your registry made by the hijackware at the time of install, but it is a common name and the file should not be trusted.

 

Search your registry for any key pointing to the above DLL files or msnieupdate. Export and then delete. The most likely location is HKCU\Software\VB and VBA Program Settings
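An added example (not part of the original instructions): a read-only check that scans the text of a regedit export for the startup entries, Iexplore keys and file names listed above, so the backup can be reviewed before anything is deleted. The sample export, its value names and the function names are constructed for illustration.

```python
import re

# Indicators copied from this page; all comparisons are lower-cased.
EXE_NAMES = ("ttps.exe", "owmngr.exe", "sysreg.exe")
FILE_NAMES = ("bho2.dll", "sbsrch_v", "msnie.dll", "msvcn.dll",
              "winfgnet.dat", "msnieupdate")
RUN = "hkey_current_user\\software\\microsoft\\windows\\currentversion\\"
RUN_KEYS = (RUN + "run", RUN + "runonce")
IE_KEYS = tuple("hkey_current_user\\iexplore\\" + k
                for k in ("ads", "aid", "id", "loggedin"))

# "name"="data" or @="data"; string values only (dword/hex lines are skipped).
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg exports double each backslash and put a backslash before quotes.
    return re.sub(r"\\(.)", r"\1", s)

def scan_reg_export(text):
    """Return (key, value_name, reason) findings from regedit export text."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower() in IE_KEYS or "msnieupdate" in key.lower():
                findings.append((key, None, "hijackware key"))
            continue
        m = VALUE_RE.match(line)
        if key is None or m is None:
            continue  # file header, blank line, or non-string value
        name = "(Default)" if m.group(1) is None else unescape(m.group(1))
        data = unescape(m.group(2)).lower()
        if key.lower() in RUN_KEYS and any(e in data for e in EXE_NAMES):
            findings.append((key, name, "startup entry"))
        elif any(f in data for f in FILE_NAMES):
            findings.append((key, name, "file reference"))
    return findings

# Constructed sample export: value names and the "Example" key are made up.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"sysupd"="C:\\WINDOWS\\TTPS.EXE /s"
[HKEY_CURRENT_USER\Iexplore\Ads]
"count"=dword:00000003
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Example\Settings]
"Path"="C:\\WINDOWS\\sbsrch_v22.dll"
'''
```

Regedit's Version 5.00 exports are UTF-16 encoded, so read the file with `encoding="utf-16"` before passing its text to `scan_reg_export`.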

 

To get rid of the search engine hijackings, reset your IE search engine settings as per the instructions at this link, or delete the following entries in the registry (HKCU = HKEY_CURRENT_USER, HKLM = HKEY_LOCAL_MACHINE):

 

HKCU\Software\Microsoft\Internet Explorer\Main\ (Search Bar)
HKLM\Software\Microsoft\Internet Explorer\Search\ (CustomizeSearch)

HKLM\Software\Microsoft\Internet Explorer\Search\ (SearchAssistant)

 

Empty your IE cache and c:\windows\temp. Other executables can be hidden there.

 

Search your computer for a hidden file called HOSTS and rename it to HOSTS.OLD

 

Go to IE Tools, Internet Options, Temporary Internet Files {Settings Button}, View Objects, Downloaded Program Files. Check for anything suspicious there.

 

Also, check c:\ for folders related to the hijackware. If found, rename and move - be CAREFUL that you don't move an entire directory, just the folder.