Judie’s Gear Diary – 2004-04-14


This is a cautionary tale:
If you ever get hijacked by one of those pesky programs that changes your home-page to some search engine that a. you have never heard of and b. you don't want – pay attention and don't do the first thing I did, which is attempt to remove it.
Steve's computer got hijacked sometime in the past month or so. He was complaining of an unstable/slow system and he had a bunch of ad programs that just appeared, seemingly from out of nowhere. He could not remember opening any email attachments or clicking on any pop-ups – but it is possible he did or there was some other way that it got in. I tried Ad-Aware and Spybot – Search & Destroy, but the ads wouldn't go away.

A couple of days ago, his Internet Explorer and MSN home-pages automatically changed to “http://searchpages.cc/XXXX” with the four X's being a four-digit number. His home page was now a completely annoying internet search page broken down into a lot of categories he could care less about. If he entered a web address starting with “www” then the search page would loop and come right back up. If he entered “http://www” then the actual site he wanted would appear. Clicking saved links would also take him to the desired website, because they included the full and proper address.

We ran the two ad-programs again, but could not find anything that pertained to this program specifically. Next we looked in the registry, remove programs, and C drive. Finally I noticed at the bottom of the page was a link that said “don't want” or “don't need” – something along those lines…and like a fool I clicked it. A second page appeared that offered a fake link to download an uninstall tool and there were some references to registry lines you should remove to complete the uninstall. Then the message became rude and the parting blow said something about in the future “paying to download your porn.” Whatever and eck!

When I exited out without having clicked or changed anything, all hell broke loose! Steve's wallpaper was the same but all of his programs were gone – except for the recycle bin and an Internet Explorer icon. Two windows popped up saying to reinsert the Windows XP Home install disc and that a Windows file was missing. I installed the CD, but the computer would not recognize it. I decided to restart the computer to see if there was a chance that it would all go away (wishful thinking, I know), and when it came back up – the computer was stuck on a black DOS screen saying that a Windows/ file was missing and asking for the Windows XP install CD, saying that when the next screen came up to hit the letter R on the keyboard. After trying that about 30 times and getting the same screen over and over, I called Dell support and…you guessed it: I was told that Steve's hard drive was hosed and the chances of saving anything were basically nil. The Dell tech support guy said this was not a worm, but a full-blown malicious virus. He did not give me a name for it and I am not sure if he had heard of it before, but I am hoping that by my description you will recognize it if you have it. The tech walked me through going in and reformatting the disc and then I had to reinstall everything from scratch including every individual device driver. Obviously, everything on Steve's computer was lost – but at least the hard drive wasn't fried or anything catastrophic – past the loss of his unsaved files.
If you get hijacked by searchpages.cc, for goodness sakes – back up your important documents and photos immediately and especially before you try to remove this little demon. If you are able to successfully remove it, please post how here. I am sure that someone else will run across the same problem and you may save them a lot of aggravation.
