Danger level 7
Type: Malware
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Normal system programs crash immediately
  • Connects to the internet without permission
  • Installs itself without permission
  • Can't be uninstalled via Control Panel

CEIDPageLock

CEIDPageLock acts like a browser hijacker, but it also has the qualities of a rootkit. Apparently, besides hijacking the user’s homepage, the malicious application may try to hide its presence by blocking some of the system’s processes or even the device’s security tool. In other words, if the antimalware tool you are using is not robust enough, the malware in question might be able not only to settle in on your computer but also to remain undetected. Further in the article you will find more information about this threat, for example, how to recognize or delete CEIDPageLock. At the end of the text, we also place detailed removal instructions to help users get rid of this rootkit manually. However, if the steps look too tricky, you could instead install a reliable antimalware tool that could eliminate the infection for you.

At the moment of writing, it seems most of CEIDPageLock’s victims are people from China, although that does not mean your computer cannot get infected with it if you live elsewhere. Our researchers confirm the threat is being distributed via Exploit Kits, so if your device has any vulnerabilities, such as weak passwords or outdated software, it might be less resistant to it. Naturally, to make the system stronger, we recommend removing possible weaknesses. Additionally, it is crucial to stay away from untrustworthy web pages, pop-up ads, and other suspicious content one could come across while surfing the Internet. The computer might also be less vulnerable if it were protected by a robust antimalware tool that CEIDPageLock could not disable.

The victim might not notice anything strange that would indicate the computer has been infected with this rootkit, as it can work silently in the background. Nonetheless, there is a way to confirm whether the malicious application has entered your system. Our specialists say CEIDPageLock should hijack the user’s default homepage by making the affected browser load a fake copy of a legitimate site called 2345.com. You may not see any difference between 2345.com and the website the malware presents until you take a closer look at its URL address. As you see, the fake webpage’s link should be 588.gychina.org, which is entirely different from 2345.com. At this point, some of you may wonder what the use of creating a fictitious site is. We believe that, as with many browser hijackers, the search engine it presents could show targeted advertisements. Therefore, its creators and partners might receive advertising revenue from each user’s click. Not to mention, they could sell the information they gather about the victim’s browsing habits.

Even though the malware’s behavior may not look as dangerous compared to similar threats, keep in mind that the advertisements displayed through 588.gychina.org, or the web pages it could redirect you to, might be malicious. It means clicking them could put your privacy and your computer’s safety at risk. Consequently, we advise not to take any chances with CEIDPageLock and to erase it as fast as possible. As we explained earlier, if the rootkit is on your system, your browser should load 588.gychina.org instead of your usual homepage. What’s more, our researchers found out the malicious application may create a file called houzi.sys or similar in the %WINDIR%\Temp directory. If you notice these changes on your system, we recommend taking immediate action.

Users who prefer dealing with threats manually could try to erase CEIDPageLock by following the instructions located below this text. First, we recommend restarting the infected device in Safe Mode with Networking. Then, as shown in the second part of the instructions, the user should identify the files the malware created and delete them one by one. If this sounds a bit too challenging, we advise installing a reliable antimalware tool that could remove this rootkit for you. It would not only make it easier to clean the system, but you would also obtain a tool that could guard the computer against future threats.

Restart the computer in Safe Mode

Windows 8/Windows 10

  1. Tap Win+I for Windows 8 or open Start menu for Windows 10.
  2. Press the Power button.
  3. Click and hold Shift then click Restart.
  4. Pick Troubleshoot and choose Advanced Options.
  5. Go to Startup Settings and click Restart.
  6. Press F5 and restart the PC.

Windows XP/Windows Vista/Windows 7

  1. Navigate to Start, select Shutdown options and pick Restart.
  2. Press and hold F8 when the PC starts restarting.
  3. Mark Safe Mode with Networking.
  4. Select Enter and log on.

Eliminate CEIDPageLock

  1. Press Win+E.
  2. Navigate to %WINDIR%\Temp
  3. Look for a file called houzi.sys or similar (it could be any suspicious file with a .sys extension).
  4. Right-click the malware’s created file and press Delete.
  5. Close File Explorer.
  6. Press Win+R.
  7. Type Regedit and select OK.
  8. Then go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
  9. Search for a service created by the infection; it might have a name similar to the previously deleted .sys file, for example, houzi.
  10. Right-click the suspected service and choose Delete.
  11. Close Registry Editor.
  12. Empty the Recycle Bin.
  13. Reboot the computer.
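
The two manual checks in the steps above (a .sys file in %WINDIR%\Temp and a matching entry under the Services key) can be listed with a read-only PowerShell check. This is an added example, not part of the original instructions; the ImagePath pattern and the variable names are assumptions made for illustration.

```powershell
# Added example: read-only audit, nothing is deleted. Run from an elevated prompt.
$tempDir = Join-Path $env:WINDIR 'Temp'
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Step 1: list every .sys file in %WINDIR%\Temp (-Force includes hidden files).
$drivers = @(Get-ChildItem -Path $tempDir -Filter '*.sys' -File -Force -ErrorAction SilentlyContinue)
$findings = @()
foreach ($d in $drivers) {
    $sig = Get-AuthenticodeSignature -FilePath $d.FullName
    $findings += [pscustomobject]@{
        Indicator = 'Driver file in Temp'
        Item      = $d.FullName
        Detail    = "signature=$($sig.Status); created=$($d.CreationTime.ToString('s'))"
    }
}

# Step 2: walk the Services key. Flag a service when its key name equals the
# base name of a file found above (houzi for houzi.sys) or when its ImagePath
# points at a .sys file inside a Temp directory (assumed heuristic).
$names = @($drivers | ForEach-Object { $_.BaseName })
foreach ($key in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    $image = [string]$props.ImagePath
    $nameMatch = $names -contains $key.PSChildName
    $pathMatch = $image -match '\\Temp\\[^\\]+\.sys'
    if ($nameMatch -or $pathMatch) {
        $findings += [pscustomobject]@{
            Indicator = 'Service entry'
            Item      = $key.PSChildName
            Detail    = "ImagePath=$image; Type=$($props.Type); Start=$($props.Start)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No .sys files in Temp and no matching service entries found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A listed item is a candidate for steps 4 and 10, not proof of infection; check the file name, signature status and creation time before deleting it.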