Trouble with hijacker - have followed 8 steps

By haveahijacker · 5 replies
Apr 5, 2009
  1. Hi,

    I have a hijacker that is redirecting links from google search results.

    Firefox is also crashing unexpectedly, and the system tray clock disappeared.

    I have followed the eight steps and the three log files are attached. I renamed hijackthis :) I have also run ClamWin AV and Spy-bot search and destroy.

    Any help would be appreciated.


  2. mflynn

    mflynn TS Rookie Posts: 2,655

    Run HJT Scan only and select and Fix all lines listed below
    Any line that has (file missing) and/or (no file) at the END of the line, ONLY at the end.


    First boot to Safe Mode networking!

    Open SAS and UPDATE then click Preferences then Repairs then do the following fixes.

    Enable Windows Explorer options
    Internet Zone Security Reset
    Local page Reset
    Remove Explorer Policy Restrictions
    Remove Internet Explorer Policy Restrictions
    Remove WinOldApp policy restrictions
    Repair broken Network Connection (WinSock LSP Chain)
    Reset Desktop Components
    Reset Desktop Policies
    Reset URL PreFixes
    Reset Web Settings
    Reset Windows Clock Time Display (one or other 12 or 24 Hr)
    Reset Winlogon Shell
    Reset ZoneMap Settings
    User Agent Post Platform Reset
    User Agent reset

    Then the below

    Download ComboFix

    Get it here:
    Or here:

    Double click combofix.exe follow the prompts.

    Install Recovery Console if connected to the Internet!

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click combofix's window while it's running. That may cause it to stall.

    Download SDFix to Desktop.

    On Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click to RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process then say Finished,
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.
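
The selection rule in the post above (fix only entries whose line ends in `(file missing)` or `(no file)`), shown as an added example that is not part of the original thread or of HijackThis itself: a Python filter over a saved HijackThis log. The sample log, its GUIDs and paths are constructed, and the function names are hypothetical.

```python
import re

# Markers HijackThis appends when the file an entry points to is absent.
ORPHAN_SUFFIX = re.compile(r"\((?:file missing|no file)\)\s*$", re.IGNORECASE)
# Log entries start with a section code such as R3, O2, O4 or O23.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2})\s+-\s+(?P<body>.+)$")

# Constructed sample log; every name, GUID and path here is made up.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
Running processes:
C:\WINDOWS\explorer.exe
R3 - URLSearchHook: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000002} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000003} - (no file)
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe (file missing)
O4 - HKCU\..\Run: [Notes (file missing)] C:\Tools\notes.exe
O23 - Service: Example Updater - Unknown owner - C:\Example\upd.exe (file missing)
"""


def orphaned_entries(log_text):
    """Return (code, line) for entries whose marker is at the END of the line."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        # A marker in the middle of the line (e.g. inside a value name)
        # does not count: the post says ONLY at the end.
        if m and ORPHAN_SUFFIX.search(m.group("body")):
            hits.append((m.group("code"), line))
    return hits


def summarize(hits):
    """Count orphaned entries per HijackThis section code."""
    counts = {}
    for code, _ in hits:
        counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    found = orphaned_entries(SAMPLE_LOG)
    for code, line in found:
        print(line)
    print(summarize(found))
```
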

  3. haveahijacker

    haveahijacker TS Rookie Topic Starter

    next round of reports (was: Trouble with hijacker - have followed 8 steps)


    Have carried out the steps in the above email and the reports are attached.

    I can now use google without being redirected.

    How do the reports look now?

    Many thanks for your help.

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    A comment: your original logs were so clean, I was going to thank you! Don't think I would have done much more- EXCEPT:

    Real Time Monitoring is supposed to be temporarily disabled before running the scans.
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    Mike has been somewhat overrun lately, so this might help out:

    Update Java:
    Update Adobe: Most current version: Adobe Reader 9.1
    Your logs are all clean. (thank you, thank you, thank you!) Since the original problem has been resolved, you can remove the cleaning tools and old restore points:

    Download OTCleanIt HERE & save it to your desktop.
    Clear your existing System Restore points and establish a new clean restore point:

    Please let us know if you need further help.
  5. haveahijacker

    haveahijacker TS Rookie Topic Starter

    Thank you so much for your help (both Mike and Bobbye), and so quickly as well. It is gratifying to know that there is still generosity on the internet!

    I think all is well now, the problem is resolved, I've learnt a few new tricks and scrapped over 2 gig of rubbish from my computer that I hadn't previously even known about.

    Many thanks once again,

  6. mflynn

    mflynn TS Rookie Posts: 2,655


    Thread Closing-------------------------------------------------------------------

    Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

    Remove ComboFix
    combofix /u
    Hit enter or click OK.

    Please download OTCleanIt

    Save to desktop.

    This will remove all the tools we used to clean your computer.

    Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

    Approve all if prompted by Firewall. Approve Windows Defender or other guards or security programs while OTCleanIt is attempting access to the Internet to allow all.

    If prompted to Reboot click, Yes.
    OTCleanIt will delete itself when finished. If not, delete it yourself.

    Run CCleaner (get SLIM at bottom no Yahoo toolbar)
    Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

    Run ATF-Cleaner Temp and Registry, repeatedly until no more found.

    Fantastic cleaner. (When installing uncheck Relevant Knowledge do not install)
    The issues can be, and likely are, found in System Restore, so do the below

    Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and then OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.
    Add a redundant Reg backup, get and install ERUNT, let it add itself to startup and do a backup on install, check all boxes.

    Yes! Even if you use system restore and other backups Registry and Images.

    Every two weeks or so, run MBAM and SAS until clean.

    They take a while, so leave scanning while you are sleeping working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.

    If they find something they can not clean, then get back to us.

    Additionally run CCleaner. ATF-Cleaner and KCleaner.
    I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

    It was designed to be used with and to co-exist with other Virus scanners.

    Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.

    It's like looking at it with 2 sets of eyes and from a different angle.

    It works like some Firewalls do to learn what is good/bad.

    After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

    As it queries you about the prompt to help you determine to approve or not you can google it with one click.
    Look at

    Run SpyBot occasionally and use the Immunize function.

    I highly recommend Hostman: Hostman

    Download install run and allow it to disable DNS Client and select all Host files and then Update and install all host files.

    A Disk Scan (chkdsk) and Defrag are in order.

Topic Status:
Not open for further replies.
