TechSpot

Google redirect from common hijack

By winebum
Feb 2, 2005
  1. I have been hit with the Google redirect. I have used every software fix I could find and it keeps coming back. All of the postings that I have found don't have the matching file that my results produced. I have uploaded the text file from HijackThis.
     


  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Boot in Safe Mode
    Switch off Restore Points
    Press ctrl/alt/del and in Task Manager try to STOP these processes (if there):

    winampa.exe
    csrsess.exe
    AgentSvr.exe
    Srvany.exe

    UNinstall your Googlebar(s), it is a mixed-up mess.
    UNinstall anything to do with:

    C:\PROGRA~1\AttMgmt\VPN\Service\Srvany.exe

    Next, run HJT on its own and let it 'fix' (if still there):
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\system32\csrsess.exe
    C:\WINDOWS\msagent\AgentSvr.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.hp.com/servlet/Web...YEAR=2004&gwCountry=US&language=EN&prodOS=011
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://us-auto.proxy.att.com:8001

    ALL lines starting with: O1 - Hosts:

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [csrsess] C:\WINDOWS\system32\csrsess.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com

    ALL lines starting with: O16 - DPF:

    O23 - Service: OnVPN - Unknown - C:\PROGRA~1\AttMgmt\VPN\Service\Srvany.exe

    When done, delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.

    Clean out your TEMP directory, all cookies and all your temp. internet files.
    Install Firefox from www.getfirefox.com and stop using IE!!!

    Report back with a new log if you still have problems.
     
  3. winebum

    winebum TS Rookie Topic Starter

    It is still there, Google redirect

    I followed the instructions that were sent and the redirect is still there. I have attached the latest text file.
     


  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Boot in Safe Mode
    Stop System Restore
    Press ctrl/alt/del and in Task Manager try to STOP scrsvc.exe

    Then run HJT on its own and 'fix':
    C:\WINDOWS\system32\scrsvc.exe
    ALL lines starting with: O1 - Hosts:
    O4 - HKLM\..\Run: [scrsvc] C:\WINDOWS\system32\scrsvc.exe

    Now delete C:\WINDOWS\system32\scrsvc.exe

    Reboot and reactivate System restore
    HTH
     
Topic Status:
Not open for further replies.

