[Tutorial] – Fix Search Results Hijack

About 2 months or so ago I found myself with a virus after I turned off my ESET Smart Security to access a site I had blocked. I spent a while trying to fix or bypass the effects of the virus, and wrote a post here about my observations. Well, I fixed the problem a while ago, but it was only today, when I noticed that the post is the most viewed, that I decided to share it. It’s gonna be a short one as it only deals with fixing the search redirect.

Before you go ahead, make sure that you have cleaned the virus. You should only be having the results hijack issue!

Step 1:

Log in to Windows through Safe Mode, no need to select the networking option.

Step 2:

Go to your Windows installation folder, and:

  • If you use a 32-bit version of Windows, navigate to the System32 folder and look for the user32.dll file.
  • If you use a 64-bit version of Windows, navigate to the SysWOW64 folder and look for the user32.dll file.

Take ownership of that file, and rename it to user32.dll.old

Step 3:

Open a new window. Go to winsxs inside your Windows folder. Search for user32.dll … You should find a copy. Basically we’re going to be replacing the one we just renamed with a ‘clean’ backup.
So copy that one to your system32 or SysWOW64 folder, where you just renamed the original.

Step 4:

Restart, and your problem should be gone. If not, just send me a mail at neville@nevi.me or add a comment below.
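A read-only check to run before and after the steps above, added here as an example and not part of the original post: it reports the signature status, version and SHA-256 of the in-place user32.dll and lists the winsxs copies whose signature validates, so the ‘clean’ backup is chosen on evidence rather than by name. It assumes Windows PowerShell 5.1 or later (where catalog-signed system files validate) in a 64-bit session; the helper name Get-FileFacts is illustrative.

```powershell
# Read-only: reports on user32.dll, changes nothing.
# Run from 64-bit PowerShell; a 32-bit session on 64-bit Windows is
# redirected from System32 to SysWOW64 and would check one file twice.
$name   = 'user32.dll'
$winDir = $env:windir

function Get-FileFacts {          # illustrative helper name
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -Force
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path      = $Path
        Version   = $item.VersionInfo.FileVersion
        Modified  = $item.LastWriteTime
        SigStatus = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

# The file the tutorial renames: System32 (32-bit) or SysWOW64 (64-bit).
$inPlace = 'System32', 'SysWOW64' |
    ForEach-Object { Join-Path $winDir (Join-Path $_ $name) } |
    Where-Object   { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-FileFacts -Path $_ }

# Every copy under winsxs, keeping only those whose signature validates.
$signed = Get-ChildItem -LiteralPath (Join-Path $winDir 'winsxs') -Filter $name `
              -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-FileFacts -Path $_.FullName } |
    Where-Object   { $_.SigStatus -eq 'Valid' }

foreach ($f in $inPlace) {
    ($f | Format-List | Out-String).Trim()
    $match = $signed | Where-Object { $_.SHA256 -eq $f.SHA256 }
    if ($f.SigStatus -eq 'Valid' -and $match) {
        "OK     $($f.Path) is validly signed and identical to a winsxs copy"
    } else {
        "REVIEW $($f.Path) signature is $($f.SigStatus); signed winsxs copies:"
        $signed | Sort-Object Version |
            Format-Table Version, SHA256, Path -AutoSize | Out-String
    }
}
```

A REVIEW line before the fix and an OK line after it is the expected outcome; a REVIEW line after the fix means the copied file is not one of the validly signed winsxs copies.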

What caused the problem?

So instead of the usual DNS poisoning, the exploit poisoned what seemed to be a set of search sites and redirected to a malicious site before executing the query. I haven’t had time to read up on user32.dll to see what it does, so I don’t know the exact cause of the problem.

Stay safe!