TechSpot

My Google Searches are being redirected

By malik17th
Mar 30, 2009
Topic Status:
Not open for further replies.
  1. Yes, I'm one of those victims :( I followed some of Google's help and managed to get Hijack working and got a log. Can someone take a look and see what's wrong?

    Also, I've downloaded Malwarebytes Anti-Malware and Spy Bots Search and Destroy which were recommended by Google Help. For some reason the installation doesn't work because it doesn't have access to the website. I tried accessing the companies' websites and they wouldn't show up because of some DNS server.
     


  2. touch

    touch TS Rookie Posts: 978

    Hello malik17th

    It looks like we have to use alternative fix tools to remove the wareout infection you've got.

    Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).
    http://siri.urz.free.fr/Fix/SmitfraudFix.exe

    Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

    Reboot into Safe Mode
    You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

    Once in Safe mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

    Select option #2 - Clean by typing 2 and press Enter.
    Wait for the tool to complete and disk cleanup to finish.

    You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

    The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

    A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

    Please attach C:\rapport.txt in your next reply
     
  3. malik17th

    malik17th TS Rookie Topic Starter

    I'm currently running Vista are there any other compatible programs for Vista?
     
  4. touch

    touch TS Rookie Posts: 978

    SmitFraudFix should work with Windows XP, 2000, and Windows Vista (32 bit)

    My bad. I haven't updated my instructions, because it is not often we use the tool.
     
  5. malik17th

    malik17th TS Rookie Topic Starter

    ok I've run the program and got the log.
     
  6. touch

    touch TS Rookie Posts: 978

    Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKCU\..\Run: [sysav] C:\Users\Valen\AppData\Roaming\pcdefender.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{470DE41D-15EE-4021-894B-8895490E37CA}: NameServer = 85.255.112.88,85.255.112.236
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FD5827FC-39FC-4194-8E9F-69510EAD5E4E}: NameServer = 85.255.112.88,85.255.112.236
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.88,85.255.112.236
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.88,85.255.112.236
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.88,85.255.112.236


    Reboot to safe mode ->
    Restart your computer.
    When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
    Select the option for Safe Mode using the arrow keys.
    Then press enter on your keyboard to boot into Safe Mode.

    Find and delete these files (if present):

    C:\Documents and Settings\All Users\Ta1HnnaIasEcfgF.exe
    c:\WINDOWS\ieocx.dll
    C:\Users\Valen\AppData\Roaming\pcdefender.exe

    Reboot normally.


    Now let's check some settings on your system.
    Enter your Control Panel and double-click on Network Connections

    Then right click on your Default Connection
    Usually Local Area Connection for Cable and DSL
    Left click on Properties
    Double-Click on the Internet Protocol (TCP/IP) item
    Select the radio dial that says Obtain DNS Servers Automatically
    Press OK twice to get out of the properties screen and reboot if it asks.

    Next, go to Start > Run, type cmd and hit OK
    type
    ipconfig /flushdns
    then hit enter, type exit hit enter

    (that space between g and / is needed)

    Reboot and post a new hijackthis log.

    Try Malwarebytes again and see if it works for you now. If so, post that log also.
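
Added example, not part of the original post or thread: a small Python check a log reviewer could run over a HijackThis log to list every static NameServer entry, per control set and per interface, that is not an expected resolver. The trusted resolver 192.168.1.1 and the last sample line are constructed assumptions; the other sample lines are copied from the entries quoted above.

```python
import ipaddress
import re

# HijackThis O17 NameServer lines, in the form shown in the log entries above.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cset>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?P<scope>Parameters|\.\.\\\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>.+)$")

# Assumption: the only resolver this machine should use is its home router.
TRUSTED = [ipaddress.ip_network("192.168.1.1/32")]

# Sample log: the last line is constructed; the others are copied from the thread.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [sysav] C:\Users\Valen\AppData\Roaming\pcdefender.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{470DE41D-15EE-4021-894B-8895490E37CA}: NameServer = 85.255.112.88,85.255.112.236
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.88,85.255.112.236
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.88,85.255.112.236
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""

def parse_o17(line):
    """Return (control_set, scope, [servers]) or None if not an O17 NameServer line."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    # The registry value may be comma- or space-separated.
    servers = [s for s in re.split(r"[,\s]+", m["servers"].strip()) if s]
    scope = "global" if m["scope"] == "Parameters" else m["scope"][3:]
    return m["cset"], scope, servers

def unexpected_resolvers(log_text, trusted):
    """List (control_set, scope, server) for each static resolver outside `trusted`."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o17(line)
        if parsed is None:
            continue
        cset, scope, servers = parsed
        for s in servers:
            try:
                ok = any(ipaddress.ip_address(s) in net for net in trusted)
            except ValueError:
                ok = False  # malformed address: report it rather than skip it
            if not ok:
                findings.append((cset, scope, s))
    return findings

def affected_control_sets(findings):
    """Control sets that still carry an unexpected resolver."""
    return sorted({cset for cset, _, _ in findings})

if __name__ == "__main__":
    for finding in unexpected_resolvers(SAMPLE_LOG, TRUSTED):
        print(finding)
```

An empty result on the post-cleanup log means no listed control set or interface still points at an unexpected resolver.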
     
  7. malik17th

    malik17th TS Rookie Topic Starter

    ok got my new log, I was able to install Malware but I can't even open it or run it. Been waiting for 30 minutes and the program won't start
     
  8. touch

    touch TS Rookie Posts: 978

    Ok. We'll try combofix -

    Please download combofix here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

    Now, please make sure no other programs are running, close all other windows.

    Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
    Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
    It may take a while to complete scanning and this is normal.

    You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

    Combofix will create a logfile and display it after your computer has rebooted.

    Usually located in c:\combofix.txt, please attach it to your next post
     
  9. malik17th

    malik17th TS Rookie Topic Starter

    Okay I've tried running ComboFix but it keeps crashing on me every time. Keeps giving me the blue screen with the dumping the memory
     
  10. touch

    touch TS Rookie Posts: 978

    Try running ComboFix from safe mode, and see if it can complete without dumping memory
     