Browser hijack Google search results

By squid4hire
Dec 11, 2009
Topic Status:
Not open for further replies.
  1. Hi, I have completed the 8 steps preliminary removal instructions and still have this problem. When I search on google, my results are redirected when I click on them. It only appears to be happening on Google and not on other search engines. I am enclosing my logs and would greatly appreciate any help you could provide. Thanks in advance.....


    PS: I also have this annoying text in my browser heading, every page says it is "Powered by Charter Communications". How can I relinquish this ad???


  2. AnonymousSurfer

    AnonymousSurfer TechSpot Enthusiast Posts: 312   +12

    Hi squid4hire,

    Here is the nasty browser hijacker that you should delete using HijackThis.

    Start up HijackThis, then click on System Scan Only, then select the following:
    • O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
    Then check it off and click on Fix checked. Then post if it worked or not.
  3. squid4hire

    squid4hire Newcomer, in training Topic Starter

    Hi, I removed this and it seemed to work for a few minutes. I got several alerts from AVG of "Trojan horse FakeAlert LF" and "Exploit Rogue Software Scanner" and now it appears as if it is redirecting again.
  4. AnonymousSurfer

    AnonymousSurfer TechSpot Enthusiast Posts: 312   +12

    OK, before we try Combofix, replace AVG with Avast! or Avira. I personally recommend Avast! but it's up to you. Download that and install it, then run a scan and see if it finds anything. Anything it does find, make sure to remove it. Post if your problem persists after. If it does, we will move on to Combofix.
  5. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Anonymous Surfer, I've asked you before, several times, not to have someone remove an entry because you don't recognize it! This is a perfectly good entry for the program he has:

    The entry:
    O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
    The program:
    C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
    The Service:
    O23 - Service: LeapFrog Connect Device Service - Unknown owner - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe

    squid4hire, these are all legitimate entries and do NOT need to be removed.

    About changing your antivirus program:

    There is a process to follow so you do not leave the system unprotected:

      [1] Download the AV program of your choice and save it to your desktop.
      [2] Boot into Safe Mode:
      • Restart your computer and start pressing the F8 key on your keyboard.
      • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
      [3] Disconnect from the internet.
      [4] Go to the Control Panel> Add/Remove Programs> uninstall AVG.
      [5] Use Windows Explorer to remove the program folder: Right click on Start> Explore> My Computer> Local Drive (C)> Programs> right click> Delete on the AVG folder. Close.
      [6] Double click on the new AV setup on the desktop and run to install.
      [7] Reboot into Normal Mode, reconnect to the internet and check for updates for the new AV.

      Unbranding the Browser:
      Charter is your ISP. This is known as Outlook Express/Internet Explorer Branding. You'll need to change/delete some registry entries to remove the branding.
      Rather than manually editing the registry, go to http://www.dougknox.com/utility/scripts_desc/unbrand.htm and download and run the unbrand.vbs utility. This is a reputable site with some valuable and safe utilities.

      This was found in SAS:
      Filename: sdra64.exe
      Command: C:\WINDOWS\system32\sdra64.exe
      Description: Identified by Sophos as a variant of the Mal/Zbot-I malware.
      File Location: %System%
      Startup Type: This program starts by appending itself to the Userinit registry key.

      Did you have or did you use the Avenger? It's important that you know the Trojan.Agent/Gen-Nullo might be reporting out as a false positive in Superantispyware.

      You can verify that with an online scan:
      Run Eset NOD32 Online AntiVirus Scanner HERE

      Note: You will need to use Internet Explorer for this scan.
      • Tick the box next to YES, I accept the Terms of Use.
      • Click Start
      • When asked, allow the Active X control to install
      • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
      • Click Start
      • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
      • Click Scan
      • Wait for the scan to finish
      • Re-enable your Antivirus software.
      • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
      Please reopen HijackThis to 'do system scan only'. Check the following if present:

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop


      Close all Windows except HijackThis and click on "Fix Checked."

      Rescan with HijackThis. Attach the new log and the log from the online scan.

      After these are handled, I will direct you to Combofix.
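The helper's advice above boils down to triaging HijackThis lines by what they are, not by whether a name looks unfamiliar: a Userinit entry loading anything besides userinit.exe (the persistence the thread describes for sdra64.exe) is serious, a "(no file)" URLSearchHook is clutter, ISP branding and OEM search URLs are cosmetic or worth a review, and an O4/O23 entry is only an inventory item until the file on disk is checked. The Python below is an added example, not code from this thread or from HijackThis; it parses the line formats quoted here and applies those rules. The R0/R1/R3/O4/O23 sample lines are copied from the thread, the F2 Userinit line is constructed to mirror the sdra64.exe behaviour described above, and the MICROSOFT_DEFAULT_HOSTS allowlist is an assumption kept deliberately small.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample HijackThis log. The R0/R1/R3/O4/O23 lines are copied from the
# thread; the F2 line is constructed here to mirror the Userinit persistence the
# thread attributes to sdra64.exe and is not from any log posted on the page.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.charter.net/google/index.php?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Powered by Charter Communications
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
O23 - Service: LeapFrog Connect Device Service - Unknown owner - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
"""

# Hosts Windows itself points IE at; anything else was set by an OEM, an ISP, the
# user, or malware and deserves a look (assumed allowlist, deliberately small).
MICROSOFT_DEFAULT_HOSTS = {"go.microsoft.com"}

# The only program Windows itself lists in the Winlogon Userinit value.
EXPECTED_USERINIT = "userinit.exe"

REG_VALUE_RE = re.compile(r"^R[013] - (?P<key>[^=]+?) = (?P<value>.*)$")
O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] "?(?P<path>[^"]+?)"?\s*$')
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def triage_line(line):
    """Classify one HijackThis line; returns (verdict, reason) or None if unclassified."""
    line = line.strip()
    if not line:
        return None

    # F2: Winlogon Userinit. Every comma-separated entry runs at logon before the
    # shell, so any loader other than userinit.exe is the highest-priority finding.
    if line.startswith("F2 - ") and "UserInit=" in line:
        loaders = [p.strip() for p in line.split("UserInit=", 1)[1].split(",") if p.strip()]
        extra = [p for p in loaders if p.rsplit("\\", 1)[-1].lower() != EXPECTED_USERINIT]
        if extra:
            return "critical", "extra Userinit loader(s): " + ", ".join(extra)
        return "ok", "Userinit runs only userinit.exe"

    # R3: a URLSearchHook whose file is gone cannot run; it is clutter, not a threat.
    if line.startswith("R3 - ") and "(no file)" in line:
        return "cleanup", "URLSearchHook points at a missing file; harmless, safe to fix"

    m = REG_VALUE_RE.match(line)
    if m:
        key, value = m.group("key"), m.group("value").strip()
        name = key.rsplit(",", 1)[-1]
        if name == "ProxyOverride":
            verdict = "ok" if value == "*.local" else "review"
            return verdict, f"ProxyOverride = {value} (Windows default is *.local)"
        if name == "Window Title":
            return "cosmetic", f"IE branding string {value!r}; set by ISP/OEM, not malware"
        host = urlparse(value).hostname or ""
        if host in MICROSOFT_DEFAULT_HOSTS:
            return "ok", f"{name} is the Microsoft default ({host})"
        return "review", f"{name} points at {host}; OEM/ISP/user setting, reset only if unwanted"

    # O4/O23: record what runs and from where; the file on disk, not the log line,
    # decides whether it is legitimate, so do not fix these on sight.
    for rx, kind in ((O4_RE, "autorun"), (O23_RE, "service")):
        m = rx.match(line)
        if m:
            return "inventory", f"{kind} {m.group('name')!r} launches {m.group('path')}; verify the file before removing"
    return None


def triage_log(text):
    """Run triage_line over a whole log; returns a list of (verdict, line, reason)."""
    results = []
    for raw in text.splitlines():
        hit = triage_line(raw)
        if hit:
            results.append((hit[0], raw.strip(), hit[1]))
    return results


def summarize(results):
    """Count findings per verdict so 'critical' stands out before anything is touched."""
    return dict(Counter(v for v, _, _ in results))


if __name__ == "__main__":
    findings = triage_log(SAMPLE_LOG)
    for verdict, line, reason in findings:
        print(f"[{verdict:9}] {reason}\n            {line}")
    print(summarize(findings))
```

Running it on the sample prints one line per entry with its verdict and a count per verdict; the single "critical" finding is the constructed sdra64.exe Userinit loader, while the LeapFrog autorun and service that were wrongly flagged earlier in the thread come out as "inventory" only, which is the point the helper was making.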
  7. shanks07

    shanks07 Newcomer, in training

    Hi

    Run HijackThis (run as admin if you are using Vista or 7). Check all these and Fix Checked.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.charter.net/google/index.php?q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Powered by Charter Communications
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    Make sure there is no browser open when you are doing this.
    The proxy override is the one that most of the time creates all these kinds of issues.
    It worked for me on many computers.
  8. squid4hire

    squid4hire Newcomer, in training Topic Starter

    Thanks, I did everything and am attaching the eset and HJ logs. Thanks for your help....

    PS don't know what Avenger is so I am sure I did not have it......
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Some unusual entries! You have 2 infected files> both show on Drive E- is this your recovery partition? And what model is your computer?

    E:\I386\APPS\APP20948\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application 9A5E835CDFF8935E260A90D3122D9E90 I

    E:\I386\APPS\APP20948\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application C849EE8D2965433CF9B46D1C34B05149 I

    I'm going to ask for help in moving the files. Hang on a bit.
  10. squid4hire

    squid4hire Newcomer, in training Topic Starter

    E is my recovery partition. I have an HP m7680n. Let me know...
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    shanks07, you have told this member to remove valid and legitimate entries. Please refrain from assisting in malware cleaning. Only 5 of the entries you listed would be appropriate to be removed and I had already listed them 2 hours earlier.

    Shanks07, please stick with my instructions or those of kritius if he assists.
     
  12. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Oh and shanks07, just use IE Reset Fixit Tool to get rid of all that stuff anyway, lots easier ;)
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    kimsland, I would appreciate it if you would refrain from giving directions to other members when I am working with a member to clean the system.

    This thread is for the specific use of squid4hire. If you have a malware problem please start a separate thread and follow the Virus and Malware Removal steps HERE.

    Other members are asked to refrain from giving additional instructions unless asked and the member has been notified by the helper that intervention has been requested.
  14. squid4hire

    squid4hire Newcomer, in training Topic Starter

    system restore

    I couldn't get this fixed and had to do a system restore. Thanks for your help anyways.......
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    My apology for the delay. Did you do a system restore to earlier date or a restore to Last Known Good Configuration?