TechSpot

Google Hijacker won't disappear

By onetwistedpoet
Apr 9, 2009
  1. Hi, I have a virus (?) that is causing google links to be redirected to shopico or search pages containing the google search term I used, Elle.com, or just a blank google page saying "The page - www(dot)google(dot)ca/undefined - does not exist."
    I am running AVG antivirus and ran a scan that didn't pick anything up, and at its worst this thing (or something else) was closing my firefox browser windows as I opened them. I ran MBAM and now I can use my browser but google is still hijacked. I followed the 8-step process and have attached my logs, hopefully I did everything right.
    Thanks!
     


  2. touch

    touch TS Rookie Posts: 978

    Hello

    Any particular reason you haven't updated to SP3?

    Your Hosts file is hijacked, and you also have a rootkit infection.

    Just a note:
    "AVG Free does not contain Anti-Rootkit protection so rootkits may be hidden in your system".

    I'll therefore recommend we remove AVG8 when your computer is clean, and install Avast or Avira Free antivirus.


    Download HostsXpert: http://www.majorgeeks.com/Hoster_d4626.html

    Choose one of the servers at Majorgeeks....save the file on your desktop

    Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
    Run HostsXpert 4.2 - Hosts File Manager from its new home
    Click on "File Handling".
    Click on "Restore MS Hosts File".
    Click OK on the Confirmation box.
    Click on "Make Read Only?"
    Click the X to exit the program.
    Note: If you were using a custom Hosts file you will need to replace any of those entries yourself

    Reboot.

    Please download Combofix from:
    http://subs.geekstogo.com/ComboFix.exe

    And save to the desktop.

    Close all other browser windows.

    Double-click on the combofix icon found on your desktop.

    Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

    When finished, it will produce a logfile located at C:\combofix.txt.


    Attach the contents of that log in your next reply.
     
  3. onetwistedpoet

    onetwistedpoet TS Rookie Topic Starter

    Not quite yet

    Thanks for your help, looks like I had some serious cleaning to do. Tried google again, still got redirected to the Elle site when I clicked on a link. Uploaded the log that popped up as well as another file that was in C:/ named combofix as I am not sure which you need.
     


  4. onetwistedpoet

    onetwistedpoet TS Rookie Topic Starter

    Oh, and I have no reason for not updating to SP3, I just heard about some fiasco with SP2 and so have been wary about getting the SPs.
     
  5. onetwistedpoet

    onetwistedpoet TS Rookie Topic Starter

    Google redirect

    Hi, just checking in, is there anything else I should do before moving on? Google links still send me to random websites.
    Thanks.
     
  6. touch

    touch TS Rookie Posts: 978

    I've missed you, sorry.

    Open notepad and copy/paste the text in the quotebox below into it:


    Save this as:
    CFScript

    http://www.fromsej.saknet.dk/billeder/cfscript.gif

    Referring to the picture above, drag CFScript into ComboFix.exe

    Then attach fresh combofix log.
     
  7. onetwistedpoet

    onetwistedpoet TS Rookie Topic Starter

    updated combofix for google redirect

    Don't worry about it, I really appreciate the help!
    Here is my updated combofix.
     

  8. touch

    touch TS Rookie Posts: 978

    It looks like we have improvement, but combofix didn't behave quite as I expected


    Open notepad and copy/paste the text in the codebox below into it:
    Name the file as CFScript
    and Save it on the desktop

    Code:
    Killall::
    
    Snapshot::
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e80021b-d336-11dc-b1b7-00163683c088}]

    http://www.fromsej.saknet.dk/billeder/cfscript.gif

    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and attach back the resulting report, along with a fresh HijackThis log.
     
  9. onetwistedpoet

    onetwistedpoet TS Rookie Topic Starter

    Google Redirect CFScript error

    When I came back to my laptop after running the CFScript, there was a message asking if I was trying to run CFScript and suggesting it may have been spelt wrong. I have attached the HJT log and the CFScript that I used; no CF log popped up along with the error message.
     
  10. touch

    touch TS Rookie Posts: 978

  11. onetwistedpoet

    onetwistedpoet TS Rookie Topic Starter

    Google redirect

    Ok great it worked this time, here is the CF log.
     
  12. touch

    touch TS Rookie Posts: 978

    It looks clean, please tell how things are running now?
     
  13. onetwistedpoet

    onetwistedpoet TS Rookie Topic Starter

    Looks good, google is sending me where I need to go. It may be my imagination but I think my laptop is running a little smoother now too.
    Awesome, thank you so much!
     
  14. touch

    touch TS Rookie Posts: 978

    That's good news

    What about removing AVG8 and installing Avast or Avira? You decide ;)
     
  15. onetwistedpoet

    onetwistedpoet TS Rookie Topic Starter

    Last Step

    So I got rid of AVG and installed Avira, not quite sure which is the better of the two but that one looks pretty decent. Thanks again, all smooth sailing from here.
     
  16. touch

    touch TS Rookie Posts: 978

    My pleasure :)

    Avira is better, because AVG Free does not contain Anti-Rootkit protection.

    Now your computer problems are solved, it is time for the clean-up procedure ->

    You should Create a New Restore Point to prevent possible reinfection from an old one.
    The easiest and safest way to do this is:
    Go to Start > All Programs > Accessories > System Tools > System Restore
    Select Create a restore point, and Ok it.
    Next, go to Start > Run and type in cleanmgr
    Select the More options tab
    Choose the option to clean up system restore and OK it.

    This will remove all restore points except the new one you just created.


    Please note. It will NOT remove Mbam, Ccleaner and SuperAntispyware.

    To learn more about how to protect yourself while on the internet, please read Tony Klein's guide:
    How did I get infected in the first place
     
  17. onetwistedpoet

    onetwistedpoet TS Rookie Topic Starter

    Hello again!
    So I have apparently not gotten rid of the virus, a couple of weeks ago my computer started slowing down dramatically for internet (youtube won't even stream smoothly) and I have high speed cable so I checked it out and sure enough Google is once again redirecting me and god knows what else is going on in the bowels of my laptop. Anyways, did the steps again, here are the logs, hopefully this time I can get rid of it for good.
    Thanks!
     
  18. touch

    touch TS Rookie Posts: 978

    Or, it is possible you've got new infections ;)

    Update Malwarebytes, run a complete scan, and have it fix what it finds. Attach the log it produces.
     
  19. onetwistedpoet

    onetwistedpoet TS Rookie Topic Starter

    Man I hope I wasn't reinfected, I had my fingers crossed avira was going to do the trick for me.
    Anyways here is the log, nothing new to show it seems!
     
  20. touch

    touch TS Rookie Posts: 978

    Looks like Avira did the trick. How are things running?
     
  21. onetwistedpoet

    onetwistedpoet TS Rookie Topic Starter

    Seems to be gone, just like last time. Should I expect it to pop up again and just update avira and scan to get rid of it if google starts redirecting me again?
    Also, unrelated, do you know if there is a way to turn off the ads for Avira prompting you to buy it all the time?
    Thanks!
     
Topic Status:
Not open for further replies.
