TechSpot

Browser google hijack how do I remove?

By lozp
Dec 9, 2008
  1. Hi,
    I'm new to this forum, but after searching the internet for a day I cannot remove this hijack.

    I have a Dell desktop running Microsoft XP Home SP3.

    The basics are that every search from Google I click on redirects me to another website, usually another search engine with a similar search. I also found that I cannot use System Restore, as the Next button on the restore won't work. Every so often I also get the blue screen on startup. Ad-Aware will not connect to the server to download new updates, and I have problems just downloading files (keeps on going to "page cannot be displayed").

    I've tried what other people have suggested but with no luck. I've used Ad-Aware, but the thing just keeps on coming back.

    Here's a log from HijackThis:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:41:40, on 09/12/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\windows\Explorer.EXE
    C:\windows\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C2D51C3A-E50B-410B-9CF0-DDFBCCB2F13E}: NameServer = 85.255.113.206;85.255.112.76
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.206;85.255.112.76
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.206;85.255.112.76
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    --
    End of file - 2124 bytes




    Here is some of a log from Ad-Aware:

    Ad-Aware Build
    Log File Created on: 2008-12-09 15:39:59

    Using Definitions File: C:\Documents and Settings\mike\Desktop\core.aawdef
    Computer name: CAMBER
    Name of user performing scan: SYSTEM

    System information
    ===========================
    Number of processors: 1
    Processor type: Intel(R) Pentium(R) 4 CPU 3.00GHz
    Memory Available: 43%
    Total Physical Memory: 534872064 Bytes
    Available Physical Memory: 225234944 Bytes
    Total Page File Size: 1307762688 Bytes
    Available On Page File: 957546496 Bytes
    Total Virtual Memory: 2147352576 Bytes
    Available Virtual Memory: 1101746176 Bytes
    OS: Microsoft Windows XP Service Pack 3 (Build 2600)

    Ad-Aware Settings
    ===========================
    Skipping files larger than 1048576 kB
    Ignoring infections with lower TAI than: 3


    Extended Ad-Aware Settings
    ===========================
    Unloading known modules during scan
    Ignoring spanned files when scanning cab archives
    Reanalyzing results after scanning before displaying results
    Trying to unload modules prior to removal
    Let Windows remove files currently in use at next reboot
    Removing quarantined objects after restore
    Deactivating Ad-Watch during scans
    Writeprotecting system files after repairs
    Include info about ignored objects in log file
    Including basic settings in log file
    Including advanced settings in log file
    Including user and computer name in log file
    Create and save WebUpdate log file

    Databaseinfo
    ===========================
    Version number: 143
    Build Number: 3
    Build Date and Time: 2008/12/03 13:27:03

    Scan Statistics
    ===========================
    Method: Smart
    Scan tracking cookies.............................: On
    Scan ADS filestreams..............................: Off

    Item Scanned: 96889
    Infections Detected: 8
    Infections Ignored: 0

    Scan detailed statistics
    ===========================
    Type Critical Total
    Process Scan....: 0 0
    Registry Scan...: 0 0
    Registry PE Scan: 0 0
    Hosts File Scan.: 0 0
    File Scan.......: 0 0
    Folder Scan.....: 0 0
    LSP Scan........: 0 0
    ADS Scan........: 0 0
    Cookie Scan.....: 0 0
    File Hash Scan..: 0 0

    Infections Found
    ===========================
    Family Id: 538 Name: Possible Browser Hijack attempt Category: Malware TAI:3
    Item Id: 7012 Value: Root: HKLM Path: SYSTEM\ControlSet001\Services\Tcpip\Parameters Value: DhcpNameServer Data: 85.255.113.206;85.255.112.76
    Item Id: 7012 Value: Root: HKLM Path: SYSTEM\ControlSet001\Services\Tcpip\Parameters Value: NameServer Data: 85.255.113.206;85.255.112.76
    Item Id: 7012 Value: Root: HKLM Path: SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{C2D51C3A-E50B-410B-9CF0-DDFBCCB2F13E} Value: DhcpNameServer Data: 85.255.113.206;85.255.112.76
    Item Id: 7012 Value: Root: HKLM Path: SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{C2D51C3A-E50B-410B-9CF0-DDFBCCB2F13E} Value: NameServer Data: 85.255.113.206;85.255.112.76
    Item Id: 7012 Value: Root: HKLM Path: SYSTEM\ControlSet003\Services\Tcpip\Parameters Value: DhcpNameServer Data: 85.255.113.206;85.255.112.76
    Item Id: 7012 Value: Root: HKLM Path: SYSTEM\ControlSet003\Services\Tcpip\Parameters Value: NameServer Data: 85.255.113.206;85.255.112.76
    Item Id: 7012 Value: Root: HKLM Path: SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{C2D51C3A-E50B-410B-9CF0-DDFBCCB2F13E} Value: DhcpNameServer Data: 85.255.113.206;85.255.112.76
    Item Id: 7012 Value: Root: HKLM Path: SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{C2D51C3A-E50B-410B-9CF0-DDFBCCB2F13E} Value: NameServer Data: 85.255.113.206;85.255.112.76


    PLEASE HELP
     
  2. rf6647

    Your HJT log is far from typical (unless trimmed to keep under limit). But give the following a try.

    Scan with HJT. Tick & Fix the following. Exit. Restart the computer.
    It is more likely you need to follow link under 'attempt this method'.
    In case of difficulty, attempt this method
    • Message # 1 - Effective against other non-plug and play exploits
    • Message #3 - link to 'fixit download' has demonstrated its effectiveness in many cases. Go to message # 3 'fixit download'

    Here is some preaching just shared with another user.

    After being here for over a year, I have no sense how difficult it is to figure out all the rules. Help > FAQ > sub items lead to posting attachments. I believe that posting log file attachments is permitted with the first post.

    Those same FAQ sub items will help you edit out the log from the body of the thread. Put the 3 logs into yet a new reply. This signals a status change (new logs). The moderators have the option to clean up the thread, since this is a good faith effort to get started.

     
Topic Status:
Not open for further replies.
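
The O17 lines in the HijackThis log above carry the same `NameServer` pair that Ad-Aware reported as "Possible Browser Hijack attempt". The following is an added example, not part of the original thread or of HijackThis: it pulls the O17 `NameServer` entries out of a log and reports every resolver that is not on an expected list, together with the registry keys that set it. The expected resolver `192.168.1.1` and the `CS2` line are constructed assumptions for contrast.

```python
import ipaddress
import re
from collections import defaultdict

# O4/O17 lines copied from the HijackThis log above; the final CS2 line is
# constructed (not from the thread) to show a resolver that passes the check.
SAMPLE_LOG = r"""
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2D51C3A-E50B-410B-9CF0-DDFBCCB2F13E}: NameServer = 85.255.113.206;85.255.112.76
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.206;85.255.112.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.206;85.255.112.76
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Yield (registry_key, [resolver, ...]) for each O17 NameServer line."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = []
        for token in re.split(r"[;,\s]+", m.group("servers").strip()):
            if not token:
                continue
            try:
                servers.append(ipaddress.ip_address(token))
            except ValueError:
                servers.append(token)  # keep malformed values visible
        yield m.group("key"), servers


def unexpected_resolvers(log_text, expected_networks):
    """Map each resolver outside expected_networks to the keys that set it."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    findings = defaultdict(list)
    for key, servers in parse_o17(log_text):
        for s in servers:
            expected = not isinstance(s, str) and any(s in n for n in nets)
            if not expected:
                findings[str(s)].append(key)
    return dict(findings)


if __name__ == "__main__":
    # Assumption: the LAN router at 192.168.1.1 is the only expected resolver.
    for ip, keys in unexpected_resolvers(SAMPLE_LOG, ["192.168.1.1/32"]).items():
        print(f"{ip} set in {len(keys)} key(s):")
        for k in keys:
            print("   ", k)
```

A resolver that appears under several control sets (CCS and CS1 here) has to be corrected in each of them, which is why the report lists the keys per address.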
