shopnav and 2020search revived???

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ronin7, Jun 7, 2004.

  1. ronin7

    ronin7 Private E-2

    My son has gotten a hijacker loaded on his system. It appears to be a revival of the "shopnav" and "2020search" hijackers-- only this time on steroids.

    Adaware won't remove these, even cloaked. Removal instructions I've found in various places (most at least a year old) don't quite match up to what I'm finding in the registry. HijackThis doesn't tell me anything that I haven't already found out-- it only lists the hostile registry entries that I have already identified and tried to remove.

    Every attempt to delete the components fails. They are almost immediately reinstalled. Registry keys that I delete are replaced within 30 seconds. Whatever is replacing them is cloaked-- no obviously questionable processes show up on the task manager (Win 98se), Adaware log, HijackThis log, nor on AIDA32. The only oddities are "pstore.exe" and "wmiexe.exe"-- which appear to be NT protection components.

    Furthermore, the system will no longer boot into safe mode. In an act of desperation, I tried forcing it into safe mode by powering it down in the middle of a boot. (I've already backed up the data and I'm going to reload the OS anyway). It booted to safe mode, but the keyboard and mouse were locked out. This wasn't just a quirk of timing-- it did this three times in a row.

    Did my son accidentally cause this mess, or is this a new breed of Monster Scumware? Am I overlooking something blatantly dumb? Any ideas? Know of any other places I could go for help? (I've tried several that are linked through this forum--- no help, but I'm still looking.)

    Thanks!

    P.S. I'll post the HT log if anyone requests it. I didn't on this message because I haven't provided full specs and info on the system...
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. ronin7

    ronin7 Private E-2

    Thanks--- This looks helpful. I'll check it out and let you know how it goes. (Or doesn't.)
     
  4. ronin7

    ronin7 Private E-2

    Yes indeed-y, it does boot to safe mode that way. I have successfully removed every particle of hijacker I could find, but the system is still acting a little hinky, and still won't boot to safe mode by any other method but through msconfig. I'm going to reload the OS anyway.

    Thanks for the advice, though!
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What do you mean "acting a little hinky"? Besides having a problem booting in safe mode using the F8 method, which has always been troublesome for many people. The msconfig method is really the best method for Win98 & Me. Why do you want to reload the OS?
     
  6. ronin7

    ronin7 Private E-2

    "Hinky"-- doesn't shut down the same as it used to, some browser defaults have changed, I'm getting blue-screens in situations I didn't get them before. (The F8 key is definitely changed, because I've never had any problems using it to access safe mode before, and I've done it a lot on this machine.)

    Why? Basically, because I don't know what else may have changed, and I don't trust that all the system settings are restored correctly.

    Experience has taught me that when these things start happening after doing major registry surgery due to this kind of attack, the performance of the OS often continues to degrade. Windows inherently keeps "dirt" in the registry, and unless you're really good at cleaning it up (which takes time), it will eventually come back to bite you.

    In my case, I was considering reloading the OS anyway, because this is an old work system I gave to my son to use, and formatting & reloading was a faster way to clean it up than uninstalling and deleting all of my old stuff.

    Seriously, though, I think the practicality of wiping & reloading a system is often underestimated. I've seen MANY people spend countless hours trying to fix a busted registry-- often many more hours than it would take to make a "clean start"-- only to get a "hinky" system that annoys them for months afterward. (The use of Norton Ghost -- or similar program -- can make the reload process even more practical and less painful.)

    You're right that using msconfig to access safe mode is a more reliable method. (Providing the system will boot at all.) Embarrassingly, I use that method so rarely that I had forgotten about it. Thanks for jogging my memory, though-- you gave good advice!
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ronin, Okay! Don't get me wrong, sometimes re-installing your OS (and maybe doing an OS upgrade if the PC can handle it) is a good idea and in some cases may be less time consuming. For some people it is a nightmare though because they have so much stuff on their system that has to get reinstalled and/or have lots of personal (i.e., loads of MP3s) info to back up. I just hate to see it done too quickly without trying to fix it first. It's always good to learn some new stuff before taking the easy way out. :)
     
  8. ronin7

    ronin7 Private E-2

    I took no offense at your question. (Got to start using the smilies again...) Many people (still) don't back up enough (groan!) and in those cases, there's a good reason to keep at it.

    As I said, I was already going to reload the OS anyway. Actually, I only kept at it because (as you suggested) I wanted to see if I could defeat the monster. I did learn some things that could help me in the future, so thanks again!
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Cool! :cool: It's good to learn! Knowledge is power! :)
     