TechSpot

Google re-directing. 8 Steps

By iHateviruses
Mar 14, 2009
  1. Basically, if I go to Google and click a link, or even search for a thread on these forums, it will open up another page of fake virus sites like cyberdefender etc. I scanned my computer plenty of times with SuperAntiSpyware and Malwarebytes, but it still did not remove the problem.

    I have followed the 8 steps and here are my results.

    You will find my attachments below: HijackThis, Malwarebytes, and SuperAntiSpyware.
     
  2. kritius

    kritius TS Guru Posts: 2,084

    Fix entries using HiJackThis

    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below


    O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
    O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O18 - Filter hijack: text/html - {c5056033-ad75-463d-a71f-f043c0583298} - (no file)
    O20 - AppInit_DLLs: karina.dat rsyjvc.dll
    O21 - SSODL: aAmAq - {3C464B98-96EC-E132-A151-32B067B9289E} - (no file)


    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    Hosts File Corrupted



    Download HostsXpert v4.1 and unzip it to your computer, somewhere where you can find it.
    • Double click on HostsXpert.exe to launch the program.
    • Click on Restore MS Hosts File to restore your Hosts file to its default condition.
    • Click on Make ReadOnly to secure it against further infection.
    • Exit the program.

    Visit the Website for more information.

    Download and Run ComboFix

    • Download this file to your desktop from either of the two places listed below:

      HERE or HERE


    • Then double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Attach that log in your next reply

    WARNING: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
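
Added example (not part of kritius's post, and not code from any tool named in this thread): a small Python triage of HijackThis-style log lines showing why entries like the ones listed above stand out. The sample log is constructed from those entries plus one benign line, and the rules in the hypothetical `triage` function are this example's own assumptions, not HijackThis logic.

```python
import ipaddress
import re

# Constructed sample: the entries listed in the post above, plus one benign hosts line.
SAMPLE_LOG = """\
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
O18 - Filter hijack: text/html - {c5056033-ad75-463d-a71f-f043c0583298} - (no file)
O20 - AppInit_DLLs: karina.dat rsyjvc.dll
O21 - SSODL: aAmAq - {3C464B98-96EC-E132-A151-32B067B9289E} - (no file)
O1 - Hosts: 127.0.0.1 localhost
"""

# "<section> - <label>: <value>", e.g. "O1 - Hosts: 1.2.3.4 example.test"
ENTRY = re.compile(r"^(O\d+) - ([^:]+): (.*)$")


def triage(line):
    """Return (section, reason) for an entry worth reviewing, else None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, _label, value = m.groups()
    if section == "O1":
        # Hosts entries: a non-loopback address overrides DNS for that name.
        ip_text, _, host = value.partition(" ")
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            return (section, f"unparseable hosts entry: {value}")
        if ip.is_loopback or ip.is_unspecified:
            return None
        return (section, f"hosts file points {host.strip()} at {ip}")
    if section == "O20":
        # AppInit_DLLs are loaded into every process that loads user32.dll.
        return (section, f"AppInit_DLLs value needs review: {value}")
    if value.endswith("(no file)"):
        # The registration exists but the file it names is missing.
        return (section, "registration left behind, target file missing")
    return None


def triage_log(text):
    """Triage every line of a log and keep only the flagged entries."""
    return [hit for hit in map(triage, text.splitlines()) if hit]
```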
     
  3. iHateviruses

    iHateviruses TS Rookie Topic Starter

    OK, I'm not sure if it worked right because it took forever.

    The file below is what I got from ComboFix.
     
  4. mflynn

    mflynn TS Rookie Posts: 2,655

    Until kritius gets back to you!

    Update then run MBAM (Quick scan) again as it had found/removed items and may now find more on a 2nd run!

    Optionally run SAS and select to remove the tracking cookies!

    Run the ComboFix! Post log!

    Did the bug.txt you posted come from the HostsXpert?

    EDIT: If the bug.txt came from ComboFix then reboot to Safe mode and run ComboFix again.

    Only after the above, post a new HJT log!

    Mike
     
  5. iHateviruses

    iHateviruses TS Rookie Topic Starter

    I cannot use ComboFix, it doesn't seem to work on my computer. It gives a small loading bar and these random files appear. I don't know what to do now.


    I redownloaded ComboFix but I cannot click it. Do I have to change the name of it?

    I cannot delete this file from my HijackThis: O18 - Filter hijack: text/html - {c5056033-ad75-463d-a71f-f043c0583298} - (no file)

    HELPPP.
     
  6. mflynn

    mflynn TS Rookie Posts: 2,655

    OK, we are here to HELPPP, calm down! :)

    Yes rename Combofix.exe to 12cbf34.exe and run that!

    If it does not work then try 12cbf34 from Safe Mode networking and if it works do install the Recovery console.

    Mike
     
  7. iHateviruses

    iHateviruses TS Rookie Topic Starter

    Yeah, I figured it out then lol. I was doing it right, I didn't know I wasn't supposed to close that "run" box.


    Here are my new attachments.
     
  8. mflynn

    mflynn TS Rookie Posts: 2,655

    oowee!

    You are doing a great job!


    Update, then run MBAM again (Quick scan), we need to see a clean log!

    ComboFix was loaded, run it again, hopefully a clean log.

    Since ComboFix found so much, SAS may now find something that was hidden by the issues ComboFix removed, so another SAS.

    Then..

    Download SDFix to Desktop.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted, hit the Enter key to restart the computer.

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process, then say Finished.
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.

    Mike
     
  9. iHateviruses

    iHateviruses TS Rookie Topic Starter

    Ok there's that


    NOTE: My google is working now.
     
  10. mflynn

    mflynn TS Rookie Posts: 2,655

    OK, we still have found/repaired baddies in MBAM and ComboFix.

    Another run of each to see a clean log hopefully!

    MBAM first, then ComboFix.

    Last, a new HJT log!

    Mike
     
  11. iHateviruses

    iHateviruses TS Rookie Topic Starter

    No more SDFix?
     
  12. robk

    robk TS Rookie

    I have completed all the steps.
    Here are my logs.
     
  13. robk

    robk TS Rookie

    Oops,

    posted in the wrong place.
     
  14. mflynn

    mflynn TS Rookie Posts: 2,655

    No, no more SDFix.

    But MBAM and ComboFix!

    ComboFix had some especially bad issues that it said it cleaned. It is very important that these issues really were cleaned or you will be reinfected quickly.

    Mike
     
  15. kritius

    kritius TS Guru Posts: 2,084

    Is ComboFix running from the desktop?
     
  16. mflynn

    mflynn TS Rookie Posts: 2,655

    Sharp eye, kritius!

    No, it is not! Running from: C:\RAWRRR.exe and C:\GRRR.exe

    iHateviruses, are you familiar with these names?

    If not, do this.

    Start-Run
    type
    combofix /u
    click OK

    This uninstalls ComboFix.
    Now redownload ComboFix to the Desktop again (do not run). Before running it, rename ComboFix.exe to 12cbf34.exe and run that.

    Mike
     
  17. iHateviruses

    iHateviruses TS Rookie Topic Starter

    I renamed my ComboFix to those because it wouldn't allow me to open it. I just typed in the first thing that came to mind.
     
  18. mflynn

    mflynn TS Rookie Posts: 2,655

    OK, so did it run?

    If so, where is the log?

    And the answer to this question from my post above!
    I already have another poster in trouble because they did not follow instructions!

    Mike
     
  19. iHateviruses

    iHateviruses TS Rookie Topic Starter

    I was busy with school stuff all day. Just got done with scans now.
     
  20. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Uninstall Norton Antivirus
    Then run the Norton Removal tool

    Install Avira free AntiVirus, and run a full scan

    Seeing as you iHateviruses, you may as well have a much better antivirus program ;)

    Oh, and uninstall LimeWire too, otherwise you are just going to be re-infected again and again.
     
  21. mflynn

    mflynn TS Rookie Posts: 2,655

    I totally agree with Kim! About Norton and Avira. But!

    I highly advise not installing anything until these 4 super critical files in red below are fixed! At the very least Avira will instantly be infected!

    And at least you have some protection now. But to uninstall, you will be naked for the time it takes to install the new virus scanner. Long enough for the Pit Bulls to run wild and kill somebody!

    From ComboFix log!
    c:\windows\system32\lsass.exe . . . is infected!!
    c:\windows\system32\winlogon.exe . . . is infected!!
    c:\windows\system32\services.exe . . . is infected!!
    c:\windows\system32\svchost.exe . . . is infected!!


    And again I ask!
    And the answer to this question from my post above!
    By all means when these are clear remove Norton and install Avira!

    Mike
     
  22. iHateviruses

    iHateviruses TS Rookie Topic Starter

    Yeah, but I'm k following Mike, so I'll do that if he checks me off. He's been helping out perfectly so far because I'm seeing improvement, so I'm just waiting.
     
  23. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    No problems :)
     
  24. iHateviruses

    iHateviruses TS Rookie Topic Starter

    Thanks Kim. I can't remove Norton though, I removed it a long time ago? It's not in my C: or Add/Remove Programs.
     
  25. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    That's my recommendation.
    Also note, when I saw "LimeWire" I thought no use until that's gone! We can't help if more viruses are being downloaded on your system ;)
    I'd suggest using the free Ubuntu boot CD to run these file sharing programs, not Windows. ;)
     
Topic Status:
Not open for further replies.
