Google Hijacker won't disappear

Status
Not open for further replies.

onetwistedpoet

Hi, I have a virus (?) that is causing google links to be redirected to shopico or search pages containing the google search term I used, Elle.com, or just a blank google page saying "The page - www(dot)google(dot)ca/undefined - does not exist. ".
I am running AVG antivirus and ran a scan that didn't pick anything up, and at its worst this thing (or something else) was closing my firefox browser windows as I opened them. I ran MBAM and now I can use my browser but google is still hijacked. I followed the 8-step process and have attached my logs, hopefully I did everything right.
Thanks!
 

Attachments: hijackthis.log (10.7 KB)

Hello

Any particular reason you haven't updated to SP3?

Your Hosts file is hijacked, and you also have a rootkit infection.

Just a note:
"AVG Free does not contain Anti-Rootkit protection so rootkits may be hidden in your system".

I'll therefore recommend we remove AVG8 when your computer is clean, and install Avast or Avira Free antivirus.


Download HostsXpert: http://www.majorgeeks.com/Hoster_d4626.html

Choose one of the servers at Majorgeeks....save the file on your desktop

Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
Run HostsXpert 4.2 - Hosts File Manager from its new home
Click on "File Handling".
Click on "Restore MS Hosts File".
Click OK on the Confirmation box.
Click on "Make Read Only?"
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself

Reboot.

Please download Combofix from:
http://subs.geekstogo.com/ComboFix.exe

And save to the desktop.

Close all other browser windows.

Double-click on the combofix icon found on your desktop.

Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.


Attach the contents of that log in your next reply.
 
Not quite yet

Thanks for your help, looks like I had some serious cleaning to do. Tried google again, still got redirected to the Elle site when I clicked on a link. Uploaded the log that popped up as well as another file that was in C:/ named combofix as I am not sure which you need.
 

Attachments: ComboFix.txt (12.9 KB)

Oh, and I have no reason for not updating to SP3, I just heard about some fiasco with SP2 and so have been wary about getting the SPs.
 
Google redirect

Hi, just checking in, is there anything else I should do before moving on? Google links still send me to random websites.
Thanks.
 
I've missed you, sorry.

Open notepad and copy/paste the text in the quotebox below into it:


Killall::

Snapshot::
File::
c:\ Cn911.exe
c:\windows\system32\winsetupsn.exe

FileLook::
c:\windows\system32\892CF5BFDC.sys

Folder::
c:\documents and settings\demo\Application Data\uTorrent
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e80021b-d336-11dc-b1b7-00163683c088}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Save this as:
CFScript

http://www.fromsej.saknet.dk/billeder/cfscript.gif

Referring to the picture above, drag CFScript into ComboFix.exe

Then attach fresh combofix log.
 
updated combofix for google redirect

Don't worry about it, I really appreciate the help!
Here is my updated combofix.
 

Attachments: log.txt (29.7 KB)

It looks like we have improvement, but combofix didn't behave quite as I expected.


Open notepad and copy/paste the text in the codebox below into it:
Name the file as CFScript
and Save it on the desktop

Code:
Killall::

Snapshot::

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e80021b-d336-11dc-b1b7-00163683c088}]

http://www.fromsej.saknet.dk/billeder/cfscript.gif

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and attach back the resulting report, along with a fresh hijackthis log.
 
Google Redirect CFScript error

When I came back to my laptop after running the CFScript, there was a message asking if I was trying to run CFScript and suggesting it may have been spelt wrong. I have attached the HJT log and the CFScript that I used; no CF log popped up along with the error message.
 
Looks good, google is sending me where I need to go. It may be my imagination but I think my laptop is running a little smoother now too.
Awesome, thank you so much!
 
Last Step

So I got rid of AVG and installed Avira, not quite sure which is the better of the two but that one looks pretty decent. Thanks again, all smooth sailing from here.
 
My pleasure :)

Avira is better, because AVG Free does not contain Anti-Rootkit protection.

Now your computer problems are solved, it is time for the clean-up procedure ->

You should Create a New Restore Point to prevent possible reinfection from an old one.
The easiest and safest way to do this is:
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.


Please download OTCleanIt
Save it to desktop.
This will remove all the tools we used to clean your computer.
Double-click OTCleanIt.exe. Click CleanUp. Say Yes to the "Begin cleanup Process?"
When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.

Please note. It will NOT remove Mbam, Ccleaner and SuperAntispyware.

To learn more about how to protect yourself while on the internet, please read Tony Klein's guide:
How did I get infected in the first place
 
Hello again!
So I have apparently not gotten rid of the virus, a couple of weeks ago my computer started slowing down dramatically for internet (youtube won't even stream smoothly) and I have high speed cable so I checked it out and sure enough Google is once again redirecting me and god knows what else is going on in the bowels of my laptop. Anyways, did the steps again, here are the logs, hopefully this time I can get rid of it for good.
Thanks!
 
Or, it is possible you've got new infections ;)

Update Malwarebytes, run a complete scan, and have it fix what it finds. Attach the log it produces.
 
Man I hope I wasn't reinfected, I had my fingers crossed avira was going to do the trick for me.
Anyways here is the log, nothing new to show it seems!
 
Seems to be gone, just like last time. Should I expect it to pop up again and just update avira and scan to get rid of it if google starts redirecting me again?
Also, unrelated, do you know if there is a way to turn off the ads for Avira prompting you to buy it all the time?
Thanks!
 