8 Step search result hijack help

By EMS0525
Dec 10, 2009
Topic Status:
Not open for further replies.
  1. kritius

    kritius TechSpot Guru Posts: 2,087

    Right. Do the ComboFix step then.

    Also,

    Download the GMER Rootkit Scanner. Unzip it to your Desktop.

    Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

    Double-click gmer.exe. The program will begin to run.

    **Caution**
    These types of scans can produce false positives. Do NOT take any action on any
    "<--- ROOTKIT" entries unless advised!

    If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
    • Click NO
    • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
    • Now click the Scan button.
      Once the scan is complete, you may receive another notice about rootkit activity.
    • Click OK.
    • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
    • Save it where you can easily find it, such as your desktop.
    Post the contents of GMER.txt in your next reply.
  2. EMS0525

    EMS0525 Newcomer, in training Topic Starter Posts: 39

    Start>run> Combofix /uninstall right?

    The icon is still there
  3. kritius

    kritius TechSpot Guru Posts: 2,087

    Sorry no. Just delete the icon and redownload. Don't use the uninstall switch until I say so.
  4. EMS0525

    EMS0525 Newcomer, in training Topic Starter Posts: 39

    here is the log
  5. EMS0525

    EMS0525 Newcomer, in training Topic Starter Posts: 39

    I accidentally performed the Combofix /uninstall before you had told me not to. That's how I was informed how to do it by the last person I spoke to. I wanted to let you know in case it is pertinent.
  6. kritius

    kritius TechSpot Guru Posts: 2,087

    OK.

    Redownload ComboFix and post the log that it produces.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      *brgjjtge.sys
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
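    As an added example (not part of the thread and not SystemLook itself), the following PowerShell script does what the ":filefind *brgjjtge.sys" request above asks of SystemLook: it searches every mounted fixed drive for the pattern, records size, timestamps, SHA-256 and Authenticode signature status for each hit, and also lists any kernel driver service whose image path refers to a matching file, since a rootkit driver is normally registered as a service. The pattern is the one from the thread; the log path on the Desktop is an assumption.

```powershell
# Added example: PowerShell equivalent of SystemLook's ":filefind" request.
# Run from an elevated prompt so that protected directories are readable.
param(
    [string]$Pattern = '*brgjjtge.sys',                              # pattern from the thread
    [string]$LogPath = "$env:USERPROFILE\Desktop\FileFind.txt"        # assumed output location
)

# Search every mounted file-system drive; Used -ne $null skips unmounted drive letters.
$results = foreach ($drive in Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -ne $null }) {
    Get-ChildItem -Path $drive.Root -Filter $Pattern -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Bytes     = $_.Length
                Created   = $_.CreationTimeUtc
                Modified  = $_.LastWriteTimeUtc
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Signature = $sig.Status          # NotSigned / Valid / HashMismatch ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

# A driver file that is loaded at boot will usually show up as a kernel service too.
$stem    = $Pattern.Trim('*')
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and ($_.PathName -like "*$stem*") } |
    Select-Object Name, State, StartMode, PathName

$report = @()
$report += "Search pattern: $Pattern"
$report += if ($results) { $results | Format-List | Out-String } else { "No file matching '$Pattern' was found." }
$report += if ($drivers) { "Driver services referencing the file:"; $drivers | Format-List | Out-String }
           else { "No driver service references a matching file." }

$report | Tee-Object -FilePath $LogPath
```

The signature status and the driver-service check are the two facts a helper would want next: an unsigned .sys with a random-looking name that is registered as a boot-start service is far more suspicious than a stray file that nothing loads.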
  7. EMS0525

    EMS0525 Newcomer, in training Topic Starter Posts: 39

    combofix log
  8. EMS0525

    EMS0525 Newcomer, in training Topic Starter Posts: 39

    SystemLook log
  9. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

  10. EMS0525

    EMS0525 Newcomer, in training Topic Starter Posts: 39

  11. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Resetting Winsock is quite safe to do
    Here is the command line alternative: Start > Run > netsh winsock reset > OK
    Then Restart

    But it is preferred to run the above tool
    Actually, I'm going to run it on mine right now, nothing like resetting all the winsock entries
    I think I've quoted it about 1000 times, everyone has been happy



    Vista users can run this:
    Manual steps to repair or to reset Winsock for Windows Vista users
    1. Click the Start button, type cmd in the Start Search box, right-click cmd.exe, click "Run as administrator", and then press Continue.
    2. Type netsh winsock reset at the command prompt, and then press ENTER.
    3. Type netsh int ip reset at the command prompt, and then press ENTER.
    4. Type netsh interface ip delete arpcache at the command prompt, and then press ENTER.
    5. Type Exit, and then press ENTER.
    Restart
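    The five manual steps above can be run as one script; this is an added example, not the Winsockfix tool or anything kimsland posted. It refuses to run without elevation (the netsh reset commands silently do nothing otherwise), saves the Winsock catalog before touching it so the "before" state is on record, logs each command's output and exit code, and asks before restarting. The log path on the Desktop is an assumption.

```powershell
# Added example: scripted version of the Vista Winsock / TCP/IP reset steps.
$LogPath = "$env:USERPROFILE\Desktop\WinsockReset.txt"   # assumed output location

# The reset commands require an elevated session; fail early instead of silently.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'netsh reset commands need an elevated (Run as administrator) session.'
}

# Record the current Layered Service Provider catalog before resetting it.
"=== Winsock catalog before reset ===" | Out-File -FilePath $LogPath
netsh winsock show catalog | Out-File -FilePath $LogPath -Append

# Steps 2 to 4 from the post, in order.
$steps = @(
    'winsock reset',
    'int ip reset',
    'interface ip delete arpcache'
)
foreach ($step in $steps) {
    "=== netsh $step ===" | Out-File -FilePath $LogPath -Append
    $output = & netsh $step.Split(' ') 2>&1         # pass each word as a separate argument
    $output | Out-File -FilePath $LogPath -Append
    "exit code: $LASTEXITCODE" | Out-File -FilePath $LogPath -Append
    if ($LASTEXITCODE -ne 0) { Write-Warning "netsh $step returned exit code $LASTEXITCODE" }
}

Write-Host "Log written to $LogPath. The reset only takes effect after a restart."
if ((Read-Host 'Restart now? (y/N)') -eq 'y') { Restart-Computer -Force }
```

Keeping the "before" catalog is the useful part: if a hijack really was a Winsock LSP entry, the saved catalog shows which provider was removed, which is the evidence you would want before declaring the machine clean.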
     
  12. EMS0525

    EMS0525 Newcomer, in training Topic Starter Posts: 39

    Don't know if it means anything or not... but the search results are not hijacked anymore. I don't think we really did anything though, just scanned and posted the logs here.... I don't think I'm outta the woods yet.
  13. EMS0525

    EMS0525 Newcomer, in training Topic Starter Posts: 39


    did this too....
  14. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    I'm thinking it was a Winsock entry, fixed by doing the above :approve:

    But just keep testing (on safe normal sites of course ;)
    And let us know :)

    Edit:
    You know there is an Edit button :D
  15. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Hi EMS0525,

    Can I assume by your absence that this topic is now solved?
    I notice that you logged on 3 hours ago but no further reports from you :confused:
    Did you want any help cleaning up all the tools, or is all ok with you doing this yourself?

    Anyway, if you get a chance to let us know if you're "outta the woods" yet, that will be nice :)
    I'll assume this Topic solved if you don't reply. I hope we all have helped you in this malware removal
  16. EMS0525

    EMS0525 Newcomer, in training Topic Starter Posts: 39

    The search results are not hijacked anymore... Can I supply any logs for confirmation that everything is OK? Are all the tools pretty straightforward to uninstall?
  17. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Yep ;)

    As per my >> original post to you
    And the rest:
    • Winsockfix
    • SystemLook
    • GMER Rootkit Scanner
    • Hijackthis (this may have an uninstall command in Add/Remove Programs)
    Can just be deleted ;)

    I don't need any further logs
  18. EMS0525

    EMS0525 Newcomer, in training Topic Starter Posts: 39

    OK, thank both of you for helping.
     
  19. EMS0525

    EMS0525 Newcomer, in training Topic Starter Posts: 39

    It's not fixed after all....

    I don't have the time to monkey with it anymore. Unless there is something else I can do it's just going to get reformatted. Anything?
  20. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    So the search results were not hijacked anymore, is it possible that you have now been re-infected? (ie you got infected in the first place) Do you have some ideas of where this infection may be coming from? File Sharing? Network?

    I think it would be best to run through the 8-step removal guide again (ie all the programs have obviously updated in the last 4 days)

    I also feel you may be best creating a new topic, since we are starting again ;)
  21. EMS0525

    EMS0525 Newcomer, in training Topic Starter Posts: 39

    My wife needs the computer for work, she logs in at home. I couldn't afford to lose any more time. She had to call off 2 days because of the computer, so tonight I reformatted the hard drive and started over. It's all up and running again, only took 4 hours and if I was to try to fix the problem it would have taken a lot longer. This way I also know that it's clean and there isn't something lingering on it somewhere. Thanks again for your help.
  22. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    I'm happy with that. Good idea :grinthumb
    Generally (not always) a computer forum tries to fix the issue, but sometimes a clean install is required.

    Do note: As I stated above, you were not infected originally ;) Surf safe :)