Re: Thebestse.com spyware/browser hijack :: Removal instruct
AlvinC wrote:Wish I found your forum sooner because it took me a while to stumble through on my own the few steps you listed in getting rid of the that hijacker. Didn't find bestse.com but rather "www.motor-search.info" In addition, I found it inserted the hijacker in mplayer2.exe but the SFP log reported the invalid version was detected, put the bogus mplayer2.exe in Windows\System\sfp\archive, and restored the legitimate mplayer2.exe.
It also added a few links to IE Favorites - Viagara, sex, etc.
Although the Windows Media Player icon was still on desktop, the wmplayer.exe was gone - I'm guessing that's a tie-in to the bogus mplayer2.exe. However I just reran the Media Player setup and everything was fine.
I moved "systeminit.exe", the bogus "mplayer2.exe" and "sstyle.css" to another folder.
Ok I've had similar issues with this same thing except it was specifically for
www.thebestse.com stuff (hence my adding it to the thread).
the current spybot and ad-aware programs deleted all the registry stuff and external files but i still had 4 undetected files that were infected (all with idenitcal file sizes):
wmplayer.exe - d:/Program Files/Windows Media Player/
wmplayer.exe - c:/Program Files/Windows Media Player/
sysdll32.exe - d:/ (can't remember the directory, probably the windows system directory)
mplayer2.exe - c:/Program Files/Windows Media Player/
(i run win2000 off my d:\ but have win 98 on my c:\ as a backup)
For some reason it never infected my d:\ 's mplayer2.exe
Anyways i did basically the same thing as Alvin.
Deleted the 4 files and then just ran the windows media setup to restore the original wmplayer.exe file for my d:\ .