Compatible Support Forums

Everything posted by npl

  1. I just solved that problem last night: drive-by download, I found the search assistant had been activated.

     Particulars: problem file was ps.html, put in the temp dir. Other problems caused too. I was alerted to an outgoing attempt by ZoneAlarm Pro (the culprit tried to phone home; it was named on-line.exe). When it failed it deleted itself from the downloaded files folder under Windows. I did a search for files that had been modified w/in the last day, and found in system32 a .dll file named jsjfc.dll (I think that was the name)... I could not delete the .dll (WTFO?). I tried looking for rogue services, but I keep a tight rein on them and found nothing there that was not supposed to be (though I did find an instance of Macrovision's C-Dilla, which I also cleaned out!!). Well anyway, I also found I had a permanent search page appearing on IE6 (I use about:blank). And NOTHING I did got rid of it. Here's how I fixed it.

     1) I ran Ad-Aware, which ID'd several problems, and I deleted all the items it ID'd (this unfortunately included some links under all of the "default" favorites folders in IE, including for example "Entertainment." I will be changing all of the default favorite top-folder names this evening...)
     2) I ran RegSeeker's clean registry tool several times. I also did searches for file commands, etc. I had to go this route because the event viewer showed nothing! Neither did the Services listing.
     3) I opened XTeqPro and looked at the Internet Explorer sub-links (under the Internet heading), and found a strange BHO that had not been there before (it has NAV and Acrobat; I cleared the others months ago). XTeqPro will tell you where the BHO is located (instead of having to search for the CLSID). I did that and found the DLL I named above, in the system folder. Ok, now I know the culprit. This one turned out to be the sticker...
     4) I reran a search in RegSeeker for the DLL name (a GREAT!!! freeware program by the way) and found several instances of the DLL listed in the registry. One of them actually included an uninstall line!!! Duh. I opened the registry entry, and copied the uninstall line.
     5) I opened Run and ran the uninstall line. That "disconnected" the DLL, which I was now able to delete directly in Windows Explorer. I opened IE and found the search page gone.
     6) I reran RegSeeker and deleted every entry with that name from the search window, did the same in the clean registry box.
     7) I found an odd .tmp file in the system32 folder, named meebooee.tmp or some such, which I moved out of that folder and tried to delete, but I could not!! Hmmm... I changed the name, still could not delete it... Ok. I ran Task Manager, killed explorer, then reran explorer, then was able to delete the file.
     8) I ran ZoneAlarm's cleaner, then ran Eraser on some files (another great freeware tool); then manually checked all of the temp dirs on the machine to be sure I had got rid of all cookies and links.
     9) I logged out and back in, then ran XTeqPro, and looked at the BHOs again, and LO!!! I found two more odd ones! The culprit had replanted itself on uninstall (as I had expected). However, I had moved the temp file and deleted it, then I manually searched the registry for the now 3 BHOs listed in XTeq. I found two entries for each BHO, one CLSID and one BHO entry. I deleted them, logged out, and back in, and back into XTeq, and all was gone.
     10) I ran RegSeeker clean up one more time, then ran RegClean (I use WinXP w/ updates, etc.; heavily tweaked, and I find that RegClean STILL does a good job...). It found some stuff wrong, fixed that.
     11) I restored my favorites from my most recent back-up, and checked everything out. All was still fine this a.m. when I checked again.

     Note 1: I use ZoneAlarm Pro, NAV, WinXP w/ SP1, lots of tweaks and services disabled, etc. This was the first time I had this happen. Having XTeqPro, Ad-Aware, RegSeeker, Eraser, CacheCleaner, RegClean, etc. all helped. I find I use all of these fairly regularly.

     Note 2: WinXP SP2 is supposed to prevent these kinds of attacks, and that is supposed to be released today I think. Figures. Oh well, it was a learning experience. I'd love to sugar the gas tank of the *^%$%$% who planted that seed...

     Regards, npl
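The two manual checks in the post above (tracing an unfamiliar BHO from its CLSID to the DLL on disk, and looking for recently modified DLLs in system32) as a triage script; this is an added example, not part of npl's post or of any tool it names. It assumes an elevated PowerShell session on a current Windows build; the WOW6432Node keys exist only on 64-bit Windows and are skipped when absent.

```powershell
# Added example (not from the post): list IE Browser Helper Objects, resolve each
# CLSID to the DLL it loads, and flag DLLs in System32 modified recently.
# Assumes an elevated PowerShell; WOW6432Node keys exist only on 64-bit Windows.

$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$classRoots = @('HKLM:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\Classes\WOW6432Node')

function Get-BhoInventory {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($entry in Get-ChildItem -Path $root) {
            $clsid = $entry.PSChildName
            $name = $null; $dll = $null
            # The CLSID's InprocServer32 default value is the DLL path IE will load.
            foreach ($classes in $classRoots) {
                $inproc = Join-Path $classes "CLSID\$clsid\InprocServer32"
                if (-not (Test-Path $inproc)) { continue }
                $name = (Get-ItemProperty -Path (Join-Path $classes "CLSID\$clsid")).'(default)'
                $raw  = (Get-ItemProperty -Path $inproc).'(default)'
                if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables([string]$raw) }
                break
            }
            $file = if ($dll -and (Test-Path -LiteralPath $dll)) { Get-Item -LiteralPath $dll } else { $null }
            [pscustomobject]@{
                CLSID     = $clsid
                Name      = $name
                Dll       = $dll
                LastWrite = if ($file) { $file.LastWriteTime } else { $null }
                # Unsigned or missing binaries are the ones to look at first.
                Signature = if ($file) { (Get-AuthenticodeSignature $file.FullName).Status } else { 'missing' }
            }
        }
    }
}

# Same idea as the "modified within the last day" search in the post, limited to System32 DLLs.
function Get-RecentSystem32Dlls([int]$Days = 1) {
    Get-ChildItem -Path "$env:SystemRoot\System32" -Filter *.dll -File |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        Select-Object Name, LastWriteTime, @{ n = 'Signature'; e = { (Get-AuthenticodeSignature $_.FullName).Status } }
}

Get-BhoInventory | Format-Table -AutoSize
Get-RecentSystem32Dlls | Format-Table -AutoSize
```

A BHO whose DLL is unsigned, missing, or freshly written is the one to investigate; deleting the registry entries for its CLSID and BHO key, as the post describes, removes the load point while the file itself still needs to be unlocked and removed.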