Possible Google hijack

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mayo, Sep 27, 2004.

  1. mayo

    mayo Private E-2

    Hi, all.

    This is my first time in this forum. I have used the Major Geeks page to sort out a number of spyware problems, and thank the Geeks for that. I have basically given up on Explorer and am now using Mozilla Firefox, but I've still got a bug in Explorer that I can't seem to fix:

    If I type in Google.com, I am redirected to Google.co.jp. I get a google page, but the text is all a series of [] [] []'s.

    I clean out cookies, etc., with a utility I downloaded from this site, and I check my system with Spybot, AD-Aware, C-cleaner, and Spy Sweeper. For viruses I use VET and the free version of AGV. And more, but I won't bore you with details.

    Has anyone had this problem? Does anyone suggest a fix?
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

  3. PhilliePhan

    PhilliePhan Guest

    Hi M.A. & mayo,

    Just a hunch, but take a look at the Hosts file and make sure it's OK.

    PP
     
    Last edited by a moderator: Sep 28, 2004
  4. mayo

    mayo Private E-2

    Still trying to figure out a way to find whatever is hijacking Google to google.co.jp/. I've taken MajorGeeks' advice and am using Firefox. None of my spyware detects whatever bit of junk is doing this. I've checked out the hosts file. Gotten nowhere.

    Any ideas out there?

    --MAYO
     
  5. jarcher

    jarcher I can't handle a title

    tell us what you have done

    after you have run through the tutorial MA posted
    You can Download Hijack This here:

    http://majorgeeks.com/download3155.html

    and follow the HJT Tutorial & LOG File Posting:
    http://forums.majorgeeks.com/showthread.php?t=38752
     
  6. mayo

    mayo Private E-2

    Thanks for that. I was going to attach my Hijack This log file (as a text file), but I can't see/find the "manage attachments to upload." Below is an e-mail I sent to VET, but received no joy, alas.

    Anything you can think of to help me out would be most appreciated!

    My e-mail to VET follows... (Regarding the system volume information directory mentioned below, my computer denies me access to the directory. I am the administrator; I can't access the directory in safe mode either.)

    ==============
    I subscribe to VET, and I've been having a problem with
    the trojan horse HARNIG.P. I was running Ad-Aware
    SE Personal, which had previously found a problem it
    called "Alexis related." I also ran HiJack This. My
    problem seemed to be related to Explorer. I found
    that I couldn't access Google.Com. It would switch
    me to something like Google.co.jp, which I assume
    is the Japanese site. Most of the script was blocks
    that looked like this: []. I figured I had some sort of
    a hijacker, and so I ran various utilities in Safe mode.
    (I use XP.) I noticed that was detecting:
    O17 - HKLM\System\CCS\Services\Tcpip\..\
    {09C108BF-296E-4F29-B0F2-0C2F33719AEF}
    : NameServer = 202.67
    When I deleted the Alexa Related malware with
    Ad-Aware, I checked with HijackThis and the 017
    string I typed in above was missing. Only went to
    016. I then got out of Safe Mode, used Explorer,
    and lo and behold, I could access Google.Com. I
    then closed Explorer, opened it again, and at some
    point I was getting the same hijack. I brought up
    HijackThis again, and the 017 string was there. I
    removed it, then turned on Restore and I ran Ad-Aware.
    This time I was in normal mode, and AVG (I use their
    free edition along with VET) warned me that I had a
    problem with Trojan Horse Harnig.P. Insistently, it kept
    bringing up a warning to run AVG. I did. AVG found
    nothing. I turned off AVG's resident shield protection
    and ran Ad-Aware again. This time VET told me I had
    two problems and should run VET. I stopped Ad-Aware
    (which after running it later, showed no problems) and
    ran VET. VET reported no problems. However, when
    AVG displayed its warning, I copied it, as it provided a
    location for the trojan. That location is:

    c:\system volume information\-restore{b339b7a0-
    b5f1-45d2-ac08-30c4f60059cb}-irp61\a003071.exe

    There may be minor errors, as I wrote down the
    location and didn't cut and paste it.

    Seems to me that the problem is in my restore files.
    ==============

    Last note: I just used Hijack This, found and deleted the 017 problems, then tried to use Google in explorer...and I was hijacked to google.co.jp.

     
  7. Kodo

    Kodo SNATCHSQUATCH

    disable your system restore. The tutorial instructs you to do this. Disabling SR will remove any restore points and files (bad ones included) along with it.
     
  8. mayo

    mayo Private E-2

    Thanks for that. I've done that--disabled System Restore, but the problem still pops up later.

    Cheers!
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to attach your HijackThis log. Click the Go Advanced button then you will see the Manage Attachments selection if you scroll down.

    Please be careful of your words being used. In several of your messages you keep referring to Explorer. You should be saying Internet Explorer or iexplore.exe. This is not the same thing as Explorer or explorer.exe which is your shell and file explorer program.
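
The two places this thread looks at, the Hosts file and the HijackThis O17 NameServer entry, can be checked from saved text with a short script. This is an added example, not part of any post above; the function names, sample log lines, GUID, addresses and trusted resolver range are all constructed assumptions.

```python
import ipaddress
import re

# Matches HijackThis O17 lines that set a DNS server, e.g.
# O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d,e.f.g.h
O17_NAMESERVER = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def rogue_nameservers(log_text, trusted_networks):
    """Return (registry key, address) pairs whose resolver is outside the trusted networks."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for line in log_text.splitlines():
        match = O17_NAMESERVER.match(line.strip())
        if not match:
            continue
        for token in re.split(r"[,\s]+", match["servers"].strip()):
            try:
                address = ipaddress.ip_address(token)
            except ValueError:
                findings.append((match["key"], token))  # malformed value: report it
                continue
            if not any(address in net for net in trusted):
                findings.append((match["key"], token))
    return findings


def hosts_overrides(hosts_text, watched_domain):
    """Return (address, name) pairs in a hosts file that pin watched_domain or a subdomain."""
    findings = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name == watched_domain or name.endswith("." + watched_domain):
                findings.append((fields[0], name))
    return findings


# Constructed sample input (not from the thread); addresses are documentation ranges.
SAMPLE_LOG = r"""O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example) - http://example.invalid/a.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 203.0.113.53,192.0.2.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 203.0.113.53"""
SAMPLE_HOSTS = """127.0.0.1 localhost
198.51.100.7 google.com www.google.com  # constructed entry
"""

if __name__ == "__main__":
    print(rogue_nameservers(SAMPLE_LOG, ["192.0.2.0/24"]))  # resolvers you did not configure
    print(hosts_overrides(SAMPLE_HOSTS, "google.com"))      # hosts entries pinning the domain
```

Pass the resolver ranges your ISP or router actually hands out as `trusted_networks`; anything else listed under O17 is worth investigating before removal, since the entry in this thread kept coming back after being deleted.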
     
