I have the unfortunate (or fortunate?) responsibility of being the in-house “geek squad” for my family members any time something happens to their computers. My sister is notorious for getting the strangest malware and adware on her laptop, and this weekend she presented me with her latest acquisition… the Snap.Do malware. I hadn’t heard of it or seen it prior to this weekend, but it had me stumped for a while, and it appears it has the rest of the Interwebz stumped as well. What I found is that many people searching for how to remove this malware were unsuccessful with the “tried and true” methods such as Control Panel > Add/Remove Programs, virus scans, etc. Below is a screenshot of the page that I was being redirected to when launching IE. Also note that my “Home Page” setting in Internet Options was not affected; it correctly stated “http://www.google.com”, but the redirect on launch would still happen.
Below, I will show you what I did to ultimately rid her machine of this baddie. What stumped me the most was that I seemed to have removed it, yet Internet Explorer (version 9) specifically would still redirect the home page to http://search.snap.do or http://feed.snap.do. No matter how many times I cleaned the registry or ran HijackThis, it would still redirect. As I was nearing the conclusion that I was just going to reformat, I remembered that there is a 32-bit and a 64-bit version of Internet Explorer installed, so just for kicks I launched the 64-bit version. No redirect!!?? This was interesting! It was only redirecting on the 32-bit version. So on another whim, I navigated to the iexplore.exe executable in the Program Files folder and launched IE from there. No redirect!! So now I had my answer: the redirect was not coming from IE itself or its settings, but from the way IE was being launched.
The answer was hiding in a command line parameter that was passed with the shortcut that was in the Taskbar and on the Desktop. The screenshots below will show what the malware did, and also how to fix it. If you right click the shortcut in your Taskbar (by the Start button) or on the Desktop and open Properties, you will most likely see a “Target” field like the one below, in which a URL is specified after the executable path. A clean IE shortcut has nothing after the quoted path to iexplore.exe, so anything following the closing quotation mark is the culprit. You have two options: 1) delete everything after the closing quotation mark so only the quoted executable path remains, or 2) delete the shortcut altogether and create new ones. I would recommend option 2 just because it’s guaranteed to work and it’s probably faster to do anyway. Either way, check every shortcut that launches IE (Desktop, Start Menu, and the pinned Taskbar item), since a single leftover copy is enough to bring the redirect back.
Here is what the Target field had in it:
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://feed.snap.do/?publisher=InternetTurbo&dpid=InternetTurbo&co=US&userid=62542d99-d5c8-4ef0-8677-723ce708c829&searchtype=sc
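Checking every shortcut by hand is tedious, so here is an added example (my own script, not part of the original post) that audits the usual shortcut locations for the same trick. It flags any shortcut whose target is iexplore.exe and that carries any argument at all, and, going a step beyond the post, any shortcut of any program whose argument contains a URL, since the same hijack works on other browser shortcuts. The folder list, the -Fix switch and the Audit-BrowserShortcuts function name are my assumptions; it relies only on the standard WScript.Shell COM object and should be run as the affected user.

```powershell
# Added example, not from the original post. Audits .lnk files for an injected
# URL argument (the Snap.Do persistence described above) and optionally clears it.
# Assumed shortcut locations: per-user and all-users Desktop and Start Menu, plus the
# Quick Launch folder, which contains User Pinned\TaskBar for pinned Taskbar items.
param([switch]$Fix)   # -Fix performs "option 1": strip the argument and save the shortcut

function Audit-BrowserShortcuts {
    param([switch]$Fix)

    $locations = @(
        [Environment]::GetFolderPath('Desktop'),
        [Environment]::GetFolderPath('CommonDesktopDirectory'),
        [Environment]::GetFolderPath('StartMenu'),
        [Environment]::GetFolderPath('CommonStartMenu'),
        "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
    )

    $shell = New-Object -ComObject WScript.Shell
    $findings = @()

    foreach ($dir in $locations) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk  = $shell.CreateShortcut($_.FullName)
            $args = [string]$lnk.Arguments

            # A clean IE shortcut has no arguments at all, so any argument is suspicious.
            $ieWithArgs = ($lnk.TargetPath -match '\\iexplore\.exe$') -and ($args.Trim() -ne '')
            # Generalisation: a URL passed to any program's shortcut deserves a look.
            $urlArg     = $args -match 'https?://'

            if ($ieWithArgs -or $urlArg) {
                $findings += [PSCustomObject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $args
                }
                if ($Fix) {
                    $lnk.Arguments = ''
                    $lnk.Save()
                    Write-Host "Cleared argument on $($_.FullName)"
                }
            }
        }
    }
    return $findings
}

# Report what was found; with -Fix the offending argument has already been removed.
Audit-BrowserShortcuts -Fix:$Fix | Format-List
```

Run it once without -Fix to see what would be changed, then with -Fix to clear the arguments in place. Recreating the shortcuts (the post's option 2) remains the surest fix, and the script is also a quick way to confirm afterwards that no stray copy is still carrying the URL.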
I would also like to note that there was no toolbar installed and there was nothing about Snap.Do in the Add/Remove Programs list. It appears it had been “successfully” removed by Norton or some other antivirus she used, but it left behind this nasty remnant, which I found others chasing on the net without a valid resolution. Hopefully this helps someone else out in the same boat. It tripped me up for the better part of a weekend. I’d love to hear if it worked for you!