A good customer recommended me to her sister-in-law because her sister-in-law needed some help finding her way around Windows 7. My customer said, “I live just around the corner. When you’re through there, would you come over and take a look at my computer. I’m having some issues.”
No problem. I know better than to press people about their issues.
Chitka is Devil App from Hell
I got there Friday afternoon to find Internet Explorer with at least eleven toolbars and four (or maybe five) rogue search engines. The home page was snap.do. I see this a lot, and I have tools to get rid of all of it most of the time. What surprised me was something I’d never seen before. On every site I browsed to, there were popup ads. Some were just annoying ads for bellyfat products. Others were pretty racy. Some popups insisted I had to download a flash player before I could view the content. They really looked like they were being served up by the website, but they were not. Some ads said “Chitka” and some said “iLivid” and some didn’t have any clues.
I started my cleaning routine. Microsoft Security Essentials didn’t have anything in its history. My customer said a quick scan with the free Malwarebytes didn’t detect anything. I ran a full scan, and it didn’t detect anything then, either.
As I kept on uninstalling malware and cleaning temp files and the registry, I checked and kept getting popups. I could not get rid of them. I scrubbed Internet Explorer, I ran the Tweaking.com cleaning utility. No change. Tool after tool said everything was fine but the popus were still there.
Worse than just the browser
Eventually I realized it would be good to know if it was just Internet Explorer that was hooped or if this went deeper. I have portable Firefox on a flash drive, and when I fired that up…I got the popups.
I had a real Scooby Doo moment.
Got to be the hosts file.
Fixing or replacing the Hosts files on a 64-bit Windows 7 Home Premium is not as straightforward as I would like it to be. That’s why there are tools and scripts that are supposed to do that. But none of them worked. And the really confusing thing about this was that when I looked at the Hosts file, it looked right.
Normal Hosts file
At that point I drew a line under the billable hours, shut down the computer and told the customer I’d be back on Monday with a plan.
Over the weekend I prowled the usual fixit sites. I found plenty of people who had problems with Chitka, and I found lots of people helping them. What I did not find was anyone who had actually resolved the problem. Just a dozen or so open threads.
“Interesting,” I thought.
I love it when a plan comes together
When I went back this morning, I had a plan. It wasn’t a great plan, but it was, in fact, a plan. And it was an OK plan because this is both a good customer and even if I really screwed up, a new computer wasn’t out of reach for her.
I did get the Hosts file problem fixed. Here’s what I figured out to do, based on all the help threads I found.
First, I ran a program called DDS, which produced an inventory of some important settings, including the Hosts file. That certainly confirmed the hijack. And it was comforting in a way to know that I hadn’t completely misread the situation.
DDS logfile shows browser hijack
Microsoft Fixit for the Hosts file didn’t fix it. Tweaking.com’s fix didn’t fix it. Every time I looked at the Hosts file, it looked normal, but DDS kept telling me it was screwed up. And the popups were relentless.
I know how to edit the Hosts file in 64-bit Windows Home Premium, but when I opened it, the file looked normal. Where the heck is the hijacked file? And why can’t I edit or replace it?
Well, the hell with it. My weekend research project had turned up a tool called RogueKiller, and wow did it ever look scary.
RogueKiller fixed the Hosts file
I had taken the time to read a little bit of the tutorial, so I had a general idea that if it found a hijacked Hosts file it would fix it. The other important thing to know is that not everything it finds is a bad thing, so you don’t generally just want to start clicking on things. I’d downloaded the 64-bit version, so I copied it onto the customer’s desktop and ran it as administrator.
It found the bad Hosts, and when I clicked on Fix Host…it did. I could see the Hosts file was back to normal. I rebooted the computer, fired up Internet Explorer and … no popups.
The Aftermath
I then ran the Malwarebytes Antirootkit tool, which found vestiges of Trojan Sierdef.C and cleaned them. I ran the scan a second time and finally got a clean bill of heath, no toolbars and no popups.
Next I updated Java, FlashPlayer, AdobeReader and all the usual suspects, installed Mike Lin’s Startup Monitor, and flushed the System Restore.
Finally, I uninstalled Microsoft Security Essentials and replaced it with the free version of Avast! antivirus. It’s more verbose and it nags about keeping risky programs up to date. And I replaced Malwarebytes with SuperAntiSpyware, which will lock the browser home page, even in the free version.
Then, I set up a backup.
Three and a half billable hours. Expensive enough to make the customer think twice before clicking indiscriminately, but still not as expensive as a new computer.
Now I just have to fix the thing that makes Outlook 2007 ask if she really wants it to make changes to her computer every time she opens Outlook 2007. I hope there’s a tool for that.
-
- Normal Hosts file
-
- DDS logfile shows browser hijack
-
- RogueKiller fixed the Hosts file
