TechSpot

Possible Google hijack problem, help please?

By Terrac
Dec 3, 2008
  1. Hi people. Wonder if someone can advise.

    A friend of mine is having Google search and Windows Update problems on his XP machine. He is currently going through the 8 step plan and I'll post the logs as soon as these complete. AVG, Spybot, Spyhunter show no problems at all.

    The strange problems are: when searching for certain things in Google the results that come back are kinda strange and erratic. If he searches for "Windows update" in Google there is a delay before results are displayed and they come up as per attached pic "googledave.jpg", obviously incorrect with random links, sometimes referring to hottv.com and various other dodgy looking sites. If I search on my machine they are correct as per "googleme.jpg".

    Anyone heard of this before?

    Also if he goes to the Start menu and tries to do a "Windows update" from there, Internet Explorer tries to send him to the Vista update page even though he's on Windows XP?
    See "update.jpg" attachment.

    I'll post the logs ASAP guys, just wanted to put the feelers out to see if anyone has ever heard of this before. I can't seem to find anything whilst searching but I'm maybe looking in the wrong places.

    Thanks...
     
  2. mflynn

    mflynn TS Rookie Posts: 2,655

    Yes we have heard of it too much!

    Do the 8 Steps completely.

    If, after installing MBAM and SAS, they will not run or update, stop right there and do the below.

    http://www.techspot.com/vb/post684649-3.html

    Then after Fixit reboots continue the 8 Steps.

    Mike
     
  3. Terrac

    Terrac TS Rookie Topic Starter

    Thanks for the speedy reply. OK, at Step 4 we've got a hit already. He's now rebooting his machine and will run Step 5.

    On Step 4 Malwarebytes found:
    C:\WINDOWS\system32\sysaudio.sys (Trojan.Agent) -> Quarantined and deleted successfully.

    Log attached.
     
  4. Terrac

    Terrac TS Rookie Topic Starter

    SuperAntiSpyware: just a few cookies.
     
  5. mflynn

    mflynn TS Rookie Posts: 2,655

    OK, for MBAM that is not a real bad boy, so good.

    Get me the rest of the logs as you run them.

    Mike

    Edit: SAS is OK, only tracking cookies.

    What is the status of the computer now, is it running any better?

    Get me a HJT Log.

    Mike
     
  6. Terrac

    Terrac TS Rookie Topic Starter

    Step 6 and Java says it's up to date.

    Here's the HijackThis log from Step 7.
     
  7. mflynn

    mflynn TS Rookie Posts: 2,655

    What is being found is not pointing to the Google redirection you are having a problem with.

    HJT log is clean of malware, just some wheel spinners.

    Download SDFix to Desktop; among other things it has Catchme to look for rootkits.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode.

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to the desktop.

    At Desktop:
    My Computer, C: drive. Double-click to open.

    Look for a folder called SDFix. Double-click to enter SDFix.

    Double-click RunThis.bat. Type Y to begin.

    SDFix does its job.

    When prompted, hit the Enter key to restart the computer.

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process, then say Finished.
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.
    Mike
     
  8. Terrac

    Terrac TS Rookie Topic Starter

    Thank you.. he's busy scanning now. He has Windows Update back again, referring to the correct XP page and not Vista. Google still operating as per above.

    Will post results.txt ASAP.
     
  9. Terrac

    Terrac TS Rookie Topic Starter

    SDFix report file.
     
  10. Terrac

    Terrac TS Rookie Topic Starter

    All sorted! He's just done a reboot and then a Windows update, and IE is working fine again with Google now!

    Many thanks Mflynn for your help and advice!
     
  11. mflynn

    mflynn TS Rookie Posts: 2,655

    That is ok also.

    OK, let's do this last thing to be sure and it should handle the redirection.

    Then do SmitfraudFix, download and instructions here: http://siri.geekstogo.com/SmitfraudFix.php

    Do all steps, including Delete Trusted Zone and Clean DNS Hijack!

    Attach log back.

    Mike
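
    One common mechanism behind the symptoms in this thread (search results and Windows Update sent to the wrong place) is a tampered hosts file overriding well-known names. The check below is an added example, not from this thread and not part of SmitfraudFix or any other tool named here: it parses a Windows hosts file and flags watched search/update domains mapped anywhere other than loopback. The sample hosts content and the watch-list are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

# Constructed watch-list for this example: names a search/update redirector would tamper with.
WATCHED_SUFFIXES = ("google.com", "windowsupdate.com", "windowsupdate.microsoft.com", "update.microsoft.com")

def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_number) for every mapping in a hosts file.
    Comments (#) and blank lines are skipped; one IP may be followed by several names."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, not a mapping
        entries.extend((ip, name.lower(), lineno) for name in names)
    return entries

def find_hijacks(text: str, watched=WATCHED_SUFFIXES) -> List[Tuple[str, str, int]]:
    """Flag watched domains mapped anywhere other than loopback.
    Loopback (127.x / ::1) is the benign 'blocklist' use of the hosts file; a watched
    name sent to a routable or private address is what a hosts-file hijack looks like."""
    suspicious = []
    for ip, name, lineno in parse_hosts(text):
        if not any(name == s or name.endswith("." + s) for s in watched):
            continue
        if ipaddress.ip_address(ip).is_loopback:
            continue
        suspicious.append((ip, name, lineno))
    return suspicious

# Constructed sample hosts file: the stock localhost line, a benign ad-block entry,
# a malformed line, and two entries of the kind a search/update redirector plants.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       ads.example.net        # harmless: blocklisted to loopback
not-an-ip       whatever.example
192.0.2.10      www.google.com google.com
192.0.2.10      windowsupdate.microsoft.com update.microsoft.com
"""

if __name__ == "__main__":
    for ip, name, lineno in find_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
```

On a real XP machine the file to feed in is C:\WINDOWS\system32\drivers\etc\hosts; a hit here is a reason to inspect the machine further, not proof on its own.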
     
  12. Terrac

    Terrac TS Rookie Topic Starter

    Here we go. :)
     
  13. mflynn

    mflynn TS Rookie Posts: 2,655

    OK, so how about a system status: what works, what doesn't, and speed and performance.

    Mike
     
  14. Terrac

    Terrac TS Rookie Topic Starter

    He says everything is fine again now. Internet Explorer loads very quickly whereas before it was taking a few seconds. Google searches are coming up as normal. Windows Update is working as normal. He says the system seems to boot nice and quickly and appears to be running a lot better all around.

    System is a Q6600 quad core, 4GB ram, Windows XP Pro, Asrock 4CoreViiV mboard with Nvidia 8800GTS.

    Many thanks... he's over the moon...
     
  15. SpiritWind

    SpiritWind TS Rookie Posts: 164

    Adobe Reader

    Hi:

    Your friend's computer, according to the HijackThis log, has an outdated and
    malware-prone Adobe Reader. Recently, researchers found a new hacker toolkit that uses nothing but Adobe security leaks in order to infect systems. "PDF Xploit Pack" ( http://www.trustedsource.org/blog/153/Rise-Of-The-PDF-Exploits ) adds all kinds of exploits to PDF files. When a certain exploit has successfully infected the OS, the IP address is sent to the attackers, so they need to try again. This is to reduce the time it takes to manage the bots.

    Use of PDF files is becoming more and more popular among miscreants, because other toolkits also have PDF exploits now. A year ago only 3% of the exploits were PDF directed.

    So, it would seem wise to uninstall this "reader" and use the safer "Foxit Reader"
    or "CutePDF".

    Unable to tell by the "log" IF the Java (from Sun) is up-to-date, which would be
    a security risk. Would be wise to run "JavaRa" from http://raproducts.org .
    Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.

    Accept any prompts.
    Open JavaRa.exe again and select Search For Updates.

    Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
     
  16. mflynn

    mflynn TS Rookie Posts: 2,655

    Excellent advice and I agree. Do away with Acrobat Reader and get FoxitReader.

    The JavaRa is what I use and recommend also.

    Check back later for a thread closing, including removing the cleanup tools.

    Mike
     
Topic Status:
Not open for further replies.
