1. TechSpot is dedicated to computer enthusiasts and power users. Ask a question and give support. Join the community here.
    TechSpot is dedicated to computer enthusiasts and power users.
    Ask a question and give support.
    Join the community here, it only takes a minute.
    Dismiss Notice

Google Hijack Virus, steps complete

By jgc87
Jan 6, 2009
  1. Hi everyone,

    I have the google hijack virus that will allow me to search on google, but once I click a link, it hijacks my browser and goes somewhere else.

    I read the 8-step guide and completed what I can, but this virus is pretty tough and blocked some of the steps. Here is what I could actually do:

    1 - Virus scan - Scanned with eset, removed a trojan, nothing else infected.
    2 - CCleaner - I run it regularly and I just ran it again
    3 - Disabled Virus scanner - Disabled it
    4 - Malware bytes Anti-Malware - I have it installed, but the virus blocks the program before it can update or run, so I can't get any use out of it right now.
    5 - SuperAntiSpyware - Same deal as Malwarebytes.
    6 - Java - My Java was out of date, but I have it updated and I deleted everything else.
    7 - HiijackThis will run, and I have attached my log.

    Also, the virus disables my automatic updates, will not allow me to update eset, disabled my firewall, won't allow me to download avg, won't allow me to install spybot or visit their website, among other things. My system32 folder also pops up every time I restart.

    I think that covers it. I'm pretty close to reformatting simply because my computer runs so slow now and I can't really use the internet all that well. Any solutions to my problem are greatly appreciated.

  2. rf6647

    rf6647 TS Maniac Posts: 829

    • complaining of virus blocks the program before it can update or run -
      • MBAM and SAS scans will begin handling of this thrreat.
      • HJT scan informs what has not been handled
      • Without supporting logs, anything fixed by HJT will not end this threat.

    • Scan with HJT. Tick & Fix. Restart the computer
      O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Joe Crandley\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
      O20 - AppInit_DLLs: C:\Program,Files\RelevantKnowledge\rlai.dll,C:\Program,Files\RelevantKnowledge\rlai.dll,C:\Program,Files\RelevantKnowledge\rlai.dll,C:\Program,Files\RelevantKnowledge\rlai.dll,C:\Program,Files\RelevantKnowledge\rlai.dll,C:\Program Files\RelevantKnowledge\rlai.dll pkobtf.dll
    • Delete folders / files - if present - from the list inside code box above.

    Your are describing an exploit to frustrate reaching anti-malware sites. Here are methods that have been used recently. The alternative was offered by a new member.

    Your symptoms suggest that renaming executables ( "member that used renaming") can likely get things moving.

    1. Since you are discribing a case of difficulty. attempt this method (follow link for 'How To')
      • Use this method to stop any 'non-plug and play' driver that is named in this guide.
      • Please report its name for changes to the method

    2. For infections that have more severe symptoms, Unable to run or update via TechSpot 8 Steps or manually run MBAM or SAS

    3. Message #3 - link to 'fixit download' has demonstrated its effectiveness in many cases. Go to message # 3 'fixit download'. Part of the method renames the executable to get the application to run. Here is another member that used renaming.

    4. Alternative - Web site has a link to download-dot-com - phonetic spelling used
      • There appears to be a connection with 'sagipsul' popups.
      • Read this post. from member.
      • phonetic spelling for web site
        • w.dot-simplysup.dot-com/tremover/download.html

    Secondary Links
    Gadcom often associated with resycled. Is this what you referred to?
    Majestyk; reply # 25; resycledbootcom/

    resycled/boot.com is a worm that propagates on local fixed and removable USB drives. resycled/boot.com may infect drives via autorun.inf file it created that runs a command each time the drive is accessed. Malicious files will be copied to a drives attached on infected computer.
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...