Browser hijack Google search results

Status
Not open for further replies.
Hi, I have completed the 8 steps preliminary removal instructions and still have this problem. When I search on google, my results are redirected when I click on them. It only appears to be happening on Google and not on other search engines. I am enclosing my logs and would greatly appreciate any help you could provide. Thanks in advance.....


PS: I also have this annoying text in my browser heading, every page says it is "Powered by Charter Communications". How can I relinquish this ad???
 

Attachments: hijackthis.log (16.4 KB)
Hi squid4hire,

Here is the nasty browser hijacker that you should delete using HijackThis.

Start up HijackThis, then click on System Scan Only, then select the following:
  • O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
Then check it off and click on Fix checked. Then post if it worked or not.
 
hi, i removed this and it seemed to work for a few minutes. I got several alerts from AVG of "trojan horse fake alert lf" and "exploit rogue software scanner " and now it appears as if it is redirecting again.
 
Ok before we try Combofix, replace AVG with Avast! or Avira. I personally recommend Avast! but it's up to you. Download that and install it, then run a scan and see if it finds anything. Anything it does find, make sure to remove it. Post if your problem persists after. If it does, we will move on to Combofix.
 
Anonymous Surfer, I've asked you before, several times, not to have someone remove an entry because you don't recognize it! This is a perfectly good entry for the program he has:

The entry:
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
The program:
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
The Service:
O23 - Service: LeapFrog Connect Device Service - Unknown owner - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe

squid4hire, these are all legitimate entries and do NOT need to be removed.

About changing your antivirus program:

There is a process to follow so you do not leave the system unprotected:

  [1] Download the AV program of your choice and save it to your desktop.
  [2] Boot into Safe Mode:
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
  [3] Disconnect from the internet.
  [4] Go to the Control Panel > Add/Remove Programs > uninstall AVG.
  [5] Use Windows Explorer to remove the program folder: right click on Start > Explore > My Computer > Local Drive (C) > Programs > right click > Delete on the AVG folder. Close.
  [6] Double click on the new AV setup on the desktop and run it to install.
  [7] Reboot into Normal Mode, reconnect to the internet and check for updates for the new AV.

    "Powered by Charter Communications"
    Unbranding the Browser:
    Charter is your ISP. This is known as Outlook Express/Internet Explorer Branding. You'll need to change/delete some registry entries to remove the branding.
    Rather than manually editing the registry, go to http://www.dougknox.com/utility/scripts_desc/unbrand.htm and download and run the unbrand.vbs utility. This is a reputable site with some valuable and safe utilities.

    This was found in SAS:
    Filename: sdra64.exe
    Command: C:\WINDOWS\system32\sdra64.exe
    Description: Identified by Sophos as a variant of the Mal/Zbot-I malware.
    File Location: %System%
    Startup Type: This programs starts by appending itself to the Userinit registry key.

    Did you have or did you use the Avenger? It's important that you know the Trojan.Agent/Gen-Nullo might be reporting out as a false positive in Superantispyware.

    You can verify that with an online scan:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Please reopen HijackThis to 'do system scan only'. Check the following if present:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop


    Close all Windows except HijackThis and click on "Fix Checked."

    Rescan with HijackThis. attach new log and log from the online scan.

    After these are handled, I will direct you to Combofix.
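The post above notes that the sdra64.exe sample starts by appending itself to the Winlogon Userinit value. As an added example (not code from this thread or from any of the tools it mentions), the helper below splits a Userinit value into its entries and reports anything other than the stock userinit.exe, so a defender can spot an appended loader in a registry export. The sample values are constructed; the default system root and the registry path are assumptions for a default 32-bit Windows install.

```python
import sys
from typing import List

# Location of the Userinit value on a stock Windows install (assumption).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample values: a clean default, and one with an extra loader
# appended after the comma, which is the pattern the thread describes.
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
SUSPECT_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"


def split_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit value into its non-empty entries.

    Windows tolerates a trailing comma, so an empty last field is dropped.
    """
    return [part.strip() for part in value.split(",") if part.strip()]


def extra_userinit_entries(value: str, system_root: str = r"C:\WINDOWS") -> List[str]:
    """Return every Userinit entry that is not the expected userinit.exe.

    Comparison is case-insensitive and ignores surrounding quotes, because
    the value is sometimes written quoted. An empty result means the value
    carries only the stock entry.
    """
    expected = (system_root + r"\system32\userinit.exe").lower()
    return [p for p in split_userinit(value) if p.strip('"').lower() != expected]


def read_live_userinit() -> str:
    """Read the current Userinit value from the registry (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("registry access is only available on Windows")
    import winreg  # imported here so the module loads on non-Windows hosts
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _type = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_USERINIT), ("suspect", SUSPECT_USERINIT)):
        extras = extra_userinit_entries(sample)
        print(f"{label}: {'no extra entries' if not extras else extras}")
```

On a Windows host, `read_live_userinit()` returns the actual value, which can then be passed to `extra_userinit_entries`; the stock entry should be the only one present. A non-empty result is a reason to pull the named file for scanning, not by itself proof of infection, since some legitimate software also registers here.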
 
Hi

Run HijackThis (run as admin if you are using Vista or 7). Check all these and Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.charter.net/google/index.php?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Powered by Charter Communications
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Make sure there is no browser open when you are doing this..
The proxy override is the one that most of the time creates all these kinds of issues.
It worked for me on many computers.
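The two lists of R0/R1/R3 entries in this thread differ in which ones are worth touching, and the disagreement later in the thread turns on exactly that. As an added example (not code from the thread or from HijackThis), the parser below reads the R-section lines of a HijackThis log and sorts them into triage buckets: values pointing at a known Microsoft default host, the Window Title branding value, the ProxyOverride value, an orphaned URLSearchHook with no file behind it, and everything else marked for review. The sample log is constructed from lines quoted above; the bucket names and the host allowlist are assumptions, and "review" means look at it, not delete it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample: R-section lines as quoted in the thread above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.charter.net/google/index.php?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Powered by Charter Communications
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
"""

# Hosts that Internet Explorer points at on a stock install (assumption).
KNOWN_DEFAULT_HOSTS = {"go.microsoft.com"}

# R0/R1: "<kind> - <registry key>,<value name> = <data>"
R_ENTRY = re.compile(r"^(R[01]) - (HK(?:CU|LM)\\[^,]+),([^=]+?) = (.*)$")
# R3: "R3 - URLSearchHook: <name> - {CLSID} - <file or (no file)>"
R3_ENTRY = re.compile(r"^R3 - URLSearchHook: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")


@dataclass
class Finding:
    kind: str      # R0, R1 or R3
    name: str      # registry value name, or the hook's display name
    value: str     # URL, title, override list, or hook file
    category: str  # triage bucket, see classify()


def classify(kind: str, name: str, value: str) -> str:
    """Assign a triage bucket; nothing here decides deletion."""
    if kind == "R3":
        return "orphaned-hook" if value.strip() == "(no file)" else "review"
    if name == "Window Title":
        return "branding"
    if name == "ProxyOverride":
        return "proxy-override"
    host = urlsplit(value).hostname or ""
    return "default" if host in KNOWN_DEFAULT_HOSTS else "review"


def parse_hijackthis(log: str) -> List[Finding]:
    """Parse R0/R1/R3 lines; lines of other sections are ignored."""
    findings: List[Finding] = []
    for line in log.splitlines():
        line = line.strip()
        if m := R_ENTRY.match(line):
            kind, _key, name, value = m.groups()
            findings.append(Finding(kind, name, value, classify(kind, name, value)))
        elif m := R3_ENTRY.match(line):
            name, _clsid, value = m.groups()
            findings.append(Finding("R3", name, value, classify("R3", name, value)))
    return findings


def triage(log: str) -> Dict[str, List[str]]:
    """Group value names by bucket so a helper can eyeball each class at once."""
    buckets: Dict[str, List[str]] = {}
    for f in parse_hijackthis(log):
        buckets.setdefault(f.category, []).append(f.name)
    return buckets


if __name__ == "__main__":
    for category, names in triage(SAMPLE_LOG).items():
        print(f"{category}: {names}")
```

Entries in the "default" bucket are the ones the later post in this thread calls legitimate; "branding" is the ISP title the original poster asked about; the rest need a person to look at the URL or file before anything is fixed.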
 
Thanks, I did everything and am attaching the eset and HJ logs. Thanks for your help....

PS don't know what Avenger is so I am sure I did not have it......
 
Some unusual entries! You have 2 infected files; both show on Drive E. Is this your recovery partition? And what model is your computer?

E:\I386\APPS\APP20948\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application 9A5E835CDFF8935E260A90D3122D9E90 I

E:\I386\APPS\APP20948\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application C849EE8D2965433CF9B46D1C34B05149 I

I'm going to ask for help in moving the files. Hang on a bit.
 
shanks07, you have told this member to remove valid and legitimate entries. Please refrain from assisting in malware cleaning. Only 5 of the entries you listed would be appropriate to be removed and I had already listed them 2 hours earlier.

Shanks07, please stick with my instruction or those of kritius if he assists.
 
kimsland, I would appreciate it if you would refrain from giving directions to other members when I am working with a member to clean the system.

This thread is for the specific use of squid4hire. If you have a malware problem please start a separate thread and follow the Virus and Malware Removal steps HERE.

Other members are asked to refrain from giving additional instructions unless asked and the member has notified by the helper that intervention has been requested.
 
My apology for the delay. Did you do a system restore to earlier date or a restore to Last Known Good Configuration?
 