  1. #1
    3 Star Lounger
    Join Date
    Dec 2000
    Location
    La Verne, California, USA
    Posts
    313
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Hello,

    My browser has been hijacked and all attempts to remove the malware have proved futile. I am using Windows 7 Home Premium - kept up to date - and I use Spybot, Adaware, Malwarebytes, Hijack This, as well as Avast, AVG, Kaspersky (all separately), all with no luck. Google searches are the most prone to redirection to a marketing site not related to the link clicked.

    Any help is appreciated.




    Preston

  2. #2
    Super Moderator satrow's Avatar
    Join Date
    Dec 2009
    Location
    Cardiff, UK
    Posts
    4,487
    Thanks
    284
    Thanked 575 Times in 478 Posts
    Hi Preston,

    Call up Taskman (Ctrl+Shift+Esc) and keep it onscreen, open Notepad and IE in Safe Mode (Taskman > Run > 'iexplore -extoff'). Rename Hijackthis to something random, like 'helpme'.

    Use Spybot in Advanced mode to kill Explorer.exe, > Tools > Process List, this may temporarily stop some of the offending malware. From this point on, use Run from Taskman to navigate and start programs.

    Using Notepad, navigate to Windows > System32 > Drivers > Etc and change your hosts file so that it only contains
    Code:
    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    #      102.54.94.97     rhino.acme.com          # source server
    #       38.25.63.10     x.acme.com              # x client host
    
    127.0.0.1       localhost
    You'll need to make the file writable first, then make it read-only again after you have saved it - it is only called hosts - not hosts.txt or anything else.

    Run 'helpme' (hijackthis), it may well run successfully (use Taskman to browse to it), if it runs, navigate to www.hijackthis.de and paste the results into the page there and hit Analyze, when you get the results, you may be able to use Hjt and Spybot's Process List to find and kill more of the malware.

    You should now be able to browse safely to majorgeeks to get some serious help from the forum there, also, it's probably the best site to download software from, it's all tested and they don't have any crapware on site.

    Good luck
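
The hosts file check described in this post can also be done by listing every active mapping in the file and flagging anything beyond the default localhost line. The script below is an added example, not part of the original post: the function names and the sample file contents are constructed for illustration, and the verdict labels are this example's own.

```python
import ipaddress
import sys

# Constructed sample: the stock localhost entry from the post plus a few
# entries made up for illustration (203.0.113.7 is a documentation address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.tracker.example            # block-list style entry
203.0.113.7     www.google.com google.com      # search traffic sent elsewhere
0.0.0.0         telemetry.example
not-an-ip       broken.example
"""

def audit_hosts(text):
    """Return (line_no, verdict, ip, hostname) for every active mapping."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()      # drop comments
        if not entry:
            continue
        ip_text, *names = entry.split()
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            ip = None
        if ip is None or not names:
            findings.append((line_no, "malformed", ip_text, " ".join(names)))
            continue
        for name in names:                        # one line may map several names
            if name.lower() == "localhost" and ip.is_loopback:
                verdict = "default"
            elif ip.is_loopback or ip.is_unspecified:
                verdict = "blocked"               # name sunk to the local machine
            else:
                verdict = "redirect"              # name forced to another address
            findings.append((line_no, verdict, ip_text, name.lower()))
    return findings

def suspicious(text):
    """Entries worth a manual look: forced redirects and unparsable lines."""
    return [f for f in audit_hosts(text) if f[1] in ("redirect", "malformed")]

if __name__ == "__main__":
    # Optional argument: path to a hosts file; otherwise the sample is used.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for finding in audit_hosts(text):
        print(*finding, sep="\t")
```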

  3. #3
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts
    I'm not sure from your description what you've got, but if I search in Google (!!), I find pages like this:

    Oh, that nasty Google Redirecting Virus | Ask MetaFilter

    == Edit ==

    I meant to ask: what browser are you using, and does it affect other browsers on your system?

  4. #4
    3 Star Lounger
    Join Date
    Dec 2000
    Location
    La Verne, California, USA
    Posts
    313
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I'm using FF- but it affects IE and CHROME also.

  5. #5
    3 Star Lounger
    Join Date
    Dec 2000
    Location
    La Verne, California, USA
    Posts
    313
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thanks Andy. Will try all of those suggestions.

  6. #6
    New Lounger
    Join Date
    Dec 2009
    Location
    Austin, TX
    Posts
    20
    Thanks
    0
    Thanked 1 Time in 1 Post
    I've removed a ton of hijackware in the past from different systems using the free version of SuperAntiSpyware and I think it's the absolute best at it (in spite of the cheesy name).

  7. #7
    3 Star Lounger
    Join Date
    Dec 2000
    Location
    La Verne, California, USA
    Posts
    313
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Crusty,

    Thanks for the suggestion. I've tried SuperAntiSpyware and while it did find some trash, I still have the problem! I've used Spybot S&D, AdAware, Malwarebytes, and Spyware Doctor, all with no luck. I've also used AVG, Kaspersky, Avast, and Combo Fix, and I still have redirections from Google searches. This culprit is well-hidden! Thanks for the tip, though.


    Preston

  8. #8
    Super Moderator satrow's Avatar
    Join Date
    Dec 2009
    Location
    Cardiff, UK
    Posts
    4,487
    Thanks
    284
    Thanked 575 Times in 478 Posts
    You really do need to go to a reputable anti-malware forum to get your PC fixed up, you've probably eradicated most of the malware, now you need to double-check then apply the correct fixes to effect a repair.

  9. #9
    Uranium Lounger
    Join Date
    Mar 2001
    Location
    New Jersey
    Posts
    6,684
    Thanks
    1
    Thanked 11 Times in 11 Posts
    Quote Originally Posted by PrestonK View Post
    Crusty,

    Thanks for the suggestion. I've tried SuperAntiSpyware and while it did find some trash, I still have the problem! I've used Spybot S&D, AdAware, Malwarebytes, and Spyware Doctor, all with no luck. I've also used AVG, Kaspersky, Avast, and Combo Fix, and I still have redirections from Google searches. This culprit is well-hidden! Thanks for the tip, though.


    Preston
    Could we know the site you are being redirected to? It might help determine which bug is troubling you, but I believe the best solution is to get a copy of HijackThis and follow the instructions to create a log and post it on one of the forums. One of the good folks there will eventually pick up your post and work with you to remove the nasty. It may take a while and require a good deal of back and forth, but they are successful almost all the time.

  10. #10
    3 Star Lounger
    Join Date
    Dec 2000
    Location
    La Verne, California, USA
    Posts
    313
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Doc,

    It redirects to many different sites at random. I'll try HiJack This.

    Preston

  11. #11
    2 Star Lounger
    Join Date
    Dec 2009
    Location
    Sacramento, CA, USA
    Posts
    116
    Thanks
    7
    Thanked 4 Times in 4 Posts
    A friend's machine had a virus like that (plus lots more). From a google list of search hits, it would redirect once to an advert site. When you hit the Back button and hit the link again, it would go to the proper site. Clever, in that it generated hits (and thus a penny or two I guess) for the adverts, but did so only once so you would learn to tolerate it. At least my friend did.

    I got rid of a dozen or more viruses on his machine by taking the drive out, putting it in an external drive chassis, and running a few different anti-virus programs on the now "dormant" drive, treating it like a data drive. That way the viruses don't activate on bootup and complicate things.

    You can achieve the same thing by booting from a boot CD (could use your Windows install disk) (might have to change the BIOS settings), then running an anti-virus program from, say, a USB flash drive. Prepare the USB flash drive first. Try ClamWin Portable if you don't have anything else.

  12. #12
    Uranium Lounger
    Join Date
    Mar 2001
    Location
    New Jersey
    Posts
    6,684
    Thanks
    1
    Thanked 11 Times in 11 Posts
    Quote Originally Posted by PrestonK View Post
    Doc,

    It redirects to many different sites at random. I'll try HiJack This.

    Preston
    Preston,

    If you could, please post back and let us know how you make out and what the bug was (if possible). It may help others to help themselves.

    The suggestion by Ralph Finch is a good one if you have another system to slave the drive to or the means to do it externally with a drive enclosure or an IDE/SATA to USB cable to attach the drive to the system. We have to assume that users only have the one PC. But if you do have another system, this method may be faster and easier.

  13. #13
    3 Star Lounger
    Join Date
    Dec 2000
    Location
    La Verne, California, USA
    Posts
    313
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Hello all,

    This turned out to be a continuing episode of random redirections and I eventually used many antispyware programs which would sometimes result in a clean scan, yet other times would find things, all different. I had to assume I had acquired a root kit of some kind, and I decided to do a full new install on a new hard drive.

    Preston

  14. #14
    Uranium Lounger
    Join Date
    Mar 2001
    Location
    New Jersey
    Posts
    6,684
    Thanks
    1
    Thanked 11 Times in 11 Posts
    Thanks for posting back.

    I have yet to come across an infection that cannot be removed, often with a great deal of work, but they can eventually be found and neutralized. That said, it is often the lesser of 2 evils to just scrap things and start over.

    You could have a root kit, but I would suspect it to be a very stubborn Trojan virus from the symptoms you describe. The continued reinfection and random site redirects to other possible sources of infection are classic.

    Best of luck with your choice of options.

  15. #15
    New Lounger
    Join Date
    Dec 2009
    Location
    Seattle, WA, USA
    Posts
    15
    Thanks
    3
    Thanked 0 Times in 0 Posts
    Preston, I know you've already decided to go ahead with a new install and that it's already been suggested that you use Safe Mode for some of the recovery methods, but still I have a question.

    When you ran through the various tools you used were you booted up in Safe Mode? I recall sometimes getting more thorough results when doing that.

    Also, did you try using A-Squared Free as one of the tools? I've had good luck with that.

    Good luck,

    Eric
    -Eric

    New desktop: Core i7-3.4 GHz, 8 GB RAM, 1 TB HD, Win 7 64-bit
    Old desktop: P4-2.8 GHz, 2 GB RAM, 35 GB 10,000 RPM HD, 300 GB 7200 RPM HD, Win XP 32-bit
    Laptop: Core 2 duo 2.0 GHz, 4 GB RAM, 400 GB HD, Vista 64-bit
    various hulks in the garage: P4-2.4 GHz, Athlon XP1800, PII-450
