8 Step search result hijack help

Status
Not open for further replies.
Right. Do the ComboFix step then.

Also,

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
 
Sorry no. Just delete the icon and redownload. Don't use the uninstall switch until I say so.
 
I accidentally performed the Combofix /uninstall before you had told me not to. That's how I was informed how to do it from the last person I spoke to. I wanted to let you know in case it is pertinent.
 
ok.

Redownload ComboFix and post the log that it produces.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    *brgjjtge.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
Resetting Winsock is quite safe to do
Here is the command line alternative Start > Run > netsh winsock reset >ok
Then Restart

But it is preferred to run the above tool
Actually, I'm going to run it on mine right now, nothing like resetting all the winsock entries
I think I've quoted it about a 1000 times, everyone has been happy



Vista users can run this:
Manual steps to repair or to reset Winsock for Windows Vista users
  1. Click Start, type cmd in the Start Search box, right-click cmd.exe, click "Run as administrator", and then press Continue.
  2. Type netsh winsock reset at the command prompt, and then press ENTER.
  3. Type netsh int ip reset at the command prompt, and then press ENTER.
  4. Type netsh interface ip delete arpcache at the command prompt, and then press ENTER.
  5. Type Exit, and then press ENTER.
Restart
 
Don't know if it means anything or not... but the search results are not hijacked anymore. I don't think we really did anything though, just scanned and posted the logs here.... I don't think I'm outta the woods yet.
 
Resetting Winsock is quite safe to do
Here is the command line alternative Start > Run > netsh winsock reset >ok
Then Restart

But it is preferred to run the above tool
Actually, I'm going to run it on mine right now, nothing like resetting all the winsock entries
I think I've quoted it about a 1000 times, everyone has been happy


did this too....
 
I'm thinking it was a Winsock entry, fixed by doing the above :approve:

But just keep testing (on safe normal sites of course ;)
And let us know :)

Edit:
You know there is an Edit button :D
 
Hi EMS0525,

Can I assume by your absence that this topic is now solved?
I notice that you logged on 3 hours ago but no further reports from you :confused:
Did you want any help cleaning up all the tools, or is all ok with you doing this yourself?

Anyway, if you get a chance to let us know if you're "outta the woods" yet, that will be nice :)
I'll assume this Topic solved if you don't reply. I hope we all have helped you in this malware removal
 
The search results are not hijacked anymore... Can I supply any logs for confirmation on everything ok? Are all the tools pretty straightforward to uninstall?
 
Yep ;)

As per my >> original post to you
And the rest:
  • Winsockfix
  • SystemLook
  • GMER Rootkit Scanner
  • Hijackthis (this may have an uninstall command in Add/Remove Programs)
Can just be deleted ;)

I don't need any further logs
 
It's not fixed after all....

I don't have the time to monkey with it anymore. Unless there is something else I can do it's just going to get reformatted. Anything?
 
The search results are not hijacked anymore...
So the search results were not hijacked anymore, is it possible that you have now been re-infected? (ie you got infected in the first place) Do you have some ideas of where this infection may be coming from? File Sharing? Network?

I think it would be best to run through the 8-step removal guide again (ie all the programs have obviously updated in the last 4 days)

I also feel you may be best creating a new topic, since we are starting again ;)
 
My wife needs the computer for work, she logs in at home. I couldn't afford to lose any more time. She had to call off 2 days because of the computer, so tonight I reformatted the hard drive and started over. It's all up and running again, only took 4 hours and if I was to try to fix the problem it would have taken a lot longer. This way I also know that it's clean and there isn't something lingering on it somewhere. Thanks again for your help.
 
I'm happy with that. Good idea :grinthumb
Generally (not always) a computer forum tries to fix the issue, but sometimes a clean install is required.

Do note: As I stated above, you were not infected originally ;) Surf safe :)
 