Google hijack?

Discussion in 'Malware Help (A Specialist Will Reply)' started by hawklord, Nov 28, 2006.

  1. hawklord

    hawklord Master Sergeant

    hi all,
    a strange problem has befallen me: every time I open my browser I get a redirect.
    My homepage is set to Google but it keeps sending me somewhere else even though the address bar says Google. I finally got to Yahoo and tried to get to Google through that but only got redirects (only for Google; everything else seems OK). My favourites seem OK, they go where they say, apart from BitDefender.
    I have IE6 on W2K Pro SP4.
    I went into safe mode and ran Spybot, Ad-Aware Pro and AVG Pro: nothing
    (I ran CCleaner first).
    Windows Defender would not run.
    Checked in my Add/Remove and Task Manager: all looked OK.
    Checked in Program Files: OK.
    Looked in winnt and system32 (gulp) and found an application I haven't noticed before; it's a bear's head with 'asuninst' written under.
    Finally I ran HJT and everything looked the way it always has, so I rebooted and ran Defender: it found nothing.
    Went to try BitDefender again but it still would not let me, so I tried Trend Micro's HouseCall but it said there was a problem with my internet connection (too slow); I have 8 meg b/b.
    Now I am stuck. Can anyone help?

    ta

    (I also have SpywareBlaster and Ad-Watch (from Ad-Aware Pro) and the ZoneAlarm firewall; all programs are up to date on definitions.)
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi, the best option at this point is to follow our standard cleaning procedures, which will give the malware guys something to go on; the logs may show up something you haven't noticed. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED because you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. hawklord

    hawklord Master Sergeant

    hi,
    before I do the scans and post the logs, would it be a good idea to switch Ad-Watch off, or even uninstall Ad-Aware Pro? It has a 'lock system start-up' option.

    At the moment I am at work, but I have had Trend Micro's Sysclean (with latest definitions) running in safe mode since about 3:30. Would the log of this help as well?
     
  4. hawklord

    hawklord Master Sergeant

    hi all,
    3 scans and 3 to follow
     

    Attached Files:

  5. hawklord

    hawklord Master Sergeant

    hi all,
    made an error with the BitDefender scan log, saved it as html instead of txt, copied and pasted to Notepad. BitDefender and Panda were done in normal mode.
     

    Attached Files:

  6. hawklord

    hawklord Master Sergeant

    hi,
    got some more info on this: every time I open Google it redirects to jupk.com. I am doing a search on how to put this right (with Yahoo). All help would be gratefully accepted, ta.
     
  7. hawklord

    hawklord Master Sergeant

    hi,
    problem solved (hopefully): I reset my DNS to automatic.
    Many thanks to saifloronwatch for the link.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry but that will not remove the malware. You still have a WareOut infection which is the source of your problem. Your next steps would have been to follow through with another one of our stickies to remove the infection, and you will notice in the procedure that the DNS setting is also mentioned.

    This is the procedure: WareOut Removal
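The exchange above turns on one detail: resetting DNS to "automatic" hides the symptom, but the infection that pinned the resolver is still present. The script below is an added example, not part of the thread or of any MajorGeeks tool; it audits the per-interface TCP/IP values that Windows stores under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID} (EnableDHCP, NameServer, DhcpNameServer) and reports adapters where a static NameServer overrides DHCP-supplied DNS, or where static resolvers are not on the local private network. The sample data is constructed; on Windows the same check runs against the live registry.

```python
"""Audit per-interface DNS settings for a static override that contradicts DHCP.

Added example: not the thread's own tool. The registry path and value names are
the ones Windows uses for TCP/IP interface settings; the sample data is constructed.
"""
import ipaddress
import re
import sys

# Constructed sample shaped like the values under
# HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}
SAMPLE_INTERFACES = {
    "{11111111-0000-0000-0000-000000000001}": {
        "EnableDHCP": 1,
        "NameServer": "",                 # no static override: DNS comes from DHCP
        "DhcpNameServer": "192.168.1.1",
    },
    "{22222222-0000-0000-0000-000000000002}": {
        "EnableDHCP": 1,
        "NameServer": "203.0.113.5,203.0.113.6",  # static resolvers pinned on a DHCP adapter
        "DhcpNameServer": "192.168.1.1",
    },
    "{33333333-0000-0000-0000-000000000003}": {
        "EnableDHCP": 0,
        "NameServer": "192.168.1.1",      # deliberately static, pointing at the local router
        "DhcpNameServer": "",
    },
}


def _split_servers(value):
    """NameServer is a single string, separated by spaces or commas."""
    return [s for s in re.split(r"[\s,]+", value or "") if s]


def _is_private(server):
    try:
        return ipaddress.ip_address(server).is_private
    except ValueError:
        return False  # an unparseable entry is never treated as trusted


def audit_dns(interfaces):
    """Return (guid, reason, servers) for each interface whose static NameServer
    looks like an override rather than a deliberate configuration."""
    findings = []
    for guid, values in interfaces.items():
        static = _split_servers(values.get("NameServer"))
        if not static:
            continue
        if values.get("EnableDHCP", 0) == 1:
            # DHCP is on, yet a static resolver list is set: DHCP's DNS is ignored.
            findings.append((guid, "static DNS set while DHCP enabled", static))
            continue
        outside = [s for s in static if not _is_private(s)]
        if outside:
            findings.append((guid, "static resolvers outside the local network", outside))
    return findings


def load_interfaces_from_registry():
    """Read the same three values from the live registry (Windows only)."""
    import winreg
    base = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            guid = winreg.EnumKey(root, i)
            values = {}
            with winreg.OpenKey(root, guid) as key:
                for name in ("EnableDHCP", "NameServer", "DhcpNameServer"):
                    try:
                        values[name] = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        pass
            result[guid] = values
    return result


if __name__ == "__main__":
    data = load_interfaces_from_registry() if sys.platform == "win32" else SAMPLE_INTERFACES
    for guid, reason, servers in audit_dns(data):
        print(f"{guid}: {reason}: {', '.join(servers)}")
```

A static override on a DHCP adapter is exactly the state the user reverted by hand; the audit is worth re-running after the cleanup, because if the resolver list reappears the component that set it is still active.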
     
  9. hawklord

    hawklord Master Sergeant

    hi,
    followed the sticky and the scans are attached.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay almost done. Disable/shutdown Ad-Aware's Ad-watch before doing the below because it could get in the way.

    Now Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.5.0_03) -
    O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.5.0_05) -

    After clicking Fix, exit HJT.
    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode

    Now attach a new HJT log

    Make sure you tell me how things are working now!
    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  11. hawklord

    hawklord Master Sergeant

    hi,
    followed the instructions; everything is OK apart from my home page, which is locked.
    I have IE6 and Tools/Internet Options/Home Page is set to Google. I have tried to set it to MajorGeeks, Yahoo, Microsoft and blank; it won't let me.
    When I try 'Reset Web Settings' it says it is unable to do it.
    I noticed in 'Network and Dial-up Connections' - Tiscali Broadband properties/Security that the Advanced tab is checked and not Typical (recommended settings). I know I did not set this and only I have access to my PC, but maybe one of my programs did. Also checked my DNS and it still says automatic. Maybe this info is a bit of help.
     

    Attached Files:

    Last edited: Dec 1, 2006
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to uninstall Windows Defender and CounterSpy and then reboot. After reboot you must be absolutely sure that Ad-Aware's Ad-watch is not running. Then try the Reset of Web Settings again. Let me know what happens. If it works now, then attach a new HJT log. If it still fails then shutdown ZoneAlarm and try again.

    What is the below for?
    O4 - HKLM\..\Run: [ChangeFilterMerit] C:\Program Files\NewSoft\Presto! PVR\ChangeFilterMerit.exe
     
  13. hawklord

    hawklord Master Sergeant

    hi,
    thanks for this help chaslang,

    uninstalled Defender and CounterSpy, rebooted: no change.
    Shut down Ad-Watch and ZoneAlarm: no change.

    I am going to try uninstalling Spybot (I used to have the TeaTimer running) and trying again.

    Presto PVR is my telly on my PC (not streaming); it uses a digital USB receiver. ChangeFilterMerit came with the drivers on a disk.
     
  14. hawklord

    hawklord Master Sergeant

    hi all,
    if I get HJT to fix

    R0 - HKCU\software\microsoft\internet explorer\main,start page=http://www.google.co.uk/

    would this solve my stuck homepage problem? Would Internet Explorer be reset to the default page, would I be able to re-set to Google and would there be any other problems? I do not have any more R0 or R1 entries.
    ta
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what you are saying and it sounds contradictory! Your last HijackThis log still showed the above R0 line which means you still had one. Also this is a Google home page which is what you wanted. Unless you wanted www.google.com without the uk. But the real problem is that I thought you meant that you cannot set your Home Page via the General tab in IE-->Tools-->Internet Options.

    If you cannot change the home page or reset web settings, you either have a registry setting or system policy blocking it. Or another possibility, and the reason I said to uninstall them, is that antispyware blockers could be what is blocking the changes.
     
  16. hawklord

    hawklord Master Sergeant

    sorry for the confusion chaslang, the entry is the only one HJT comes up with now. I was just trying to work out why it was stuck on Google (one day I might want to change) and whether this was due to the infection.
    I tried uninstalling all my anti-spyware but it didn't work.
    thanks for all your help
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download the current version of GetRunKey from here: Using GetRunKey

    Get a new log and attach it.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After getting me the new GetRunKeys log, try the below.

    Now Copy the bold text below to Notepad. Save it as fixSP.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
     
  19. hawklord

    hawklord Master Sergeant

    hi chaslang,
    followed your instructions with the registry fix: still no change.
    If this problem (?) is not a malware issue then I will leave it as it is; it's OK to have my homepage locked, it's not an annoying problem and other people will need your expert help.
    I have attached the runkeys log; could you let me know if this is solved (not malware).
    thanks in advance
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not download the new version of GetRunKey. You still have version 1.50. Please get the new version and get me a new log. I just want to see some things it will show. However you are correct that this is not a malware problem. You have some policy or registry setting that is locking you out. What it is I'm not sure. What I have given you thus far would normally resolve a problem like this.
     
  21. hawklord

    hawklord Master Sergeant

    hi chaslang,
    new log
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I still see Ad-Aware Adwatch running! Are you positive this is not the problem??? Please try uninstalling Ad-Aware and then reboot.

    After reboot, apply the below registry patch.

    Now Copy the bold text below to Notepad. Save it as fixSP2.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now attach a new log from GetRunKey!

    Also run IE, click Tools, Internet Options, now on the General tab tell me if the field for address is greyed out or are you able to enter something in the field. If you can enter something in the field, what happens (give the exact word for word message) when you change the Home Page and then click Apply.
     
  23. hawklord

    hawklord Master Sergeant

    me again,
    uninstalled Ad-Aware in safe mode then did the registry thing, ran GetRunKey.
    Went to Control Panel/Internet Options/Programs/Reset Web Settings, got the box to reset my homepage, clicked on 'Yes' then got a box with the message 'unable to reset web settings'.
    Re-booted into normal, tried the above again: same.
    Opened IE6 and went to Tools/Internet Options and tried from there (just in case): same.
    The General tab is not grayed out and lets me save the current page (any page). I click on Apply then OK and shut IE down, then close my connection and then reconnect, open up IE and Google stares back at me.
    I also installed Firefox (from MG); it asked me did I want to transfer my IE settings but I declined its kind offer. Opened up Firefox and Google is staring right back.
    Would a list of my installed programs help?
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But according to your GetRunKey log I see Windows Defender running. I asked you to uninstall this a long time ago!!!!!! The point here is that we want ALL protection software uninstalled to verify that it is not blocking the change. You do realize that ZoneAlarm can also lock home pages???? It depends on what version and whether it is a pro version or a free trial version. Did you check the settings in ZoneAlarm?

    If after all protection type software is uninstalled and your home page can still not be changed by using the registry tweaks I gave you or by changing it manually or by editing the registry manually, then I would say something in your registry must be blocking it or there is some sort of corruption. It could just be that the registry keys are not owned by you or by any administrator level account anymore. And that you will need to take ownership of all of the associated registry keys before you can make the changes to your settings.

    We already have an installed programs list in your ShowNew log but it would not hurt to post a new log from ShowNew right now so we can double check on what is in it. We haven't seen a new log from ShowNew since 11-29 so this could be useful.
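The post above lists three candidate causes for a home page that refuses to change: an IE policy value, a forced Start Page, or a registry key the account can no longer write to. The script below is an added example, not part of the thread or of any tool it names; it checks the standard IE policy location (Software\Policies\Microsoft\Internet Explorer\Control Panel, DWORD HomePage) and the policy-enforced Main\Start Page in both hives, and on Windows also probes whether the current account may write to HKCU\Software\Microsoft\Internet Explorer\Main, which is the ACL failure the post describes. The registry snapshot in the sample is constructed. A lock imposed by a third-party product through its own driver, which is what this thread eventually found with ZoneAlarm, leaves no trace in these keys, so a clean result here does not rule that out.

```python
"""Check for registry and policy causes of a locked Internet Explorer home page.

Added example, not from the thread. Key paths are the standard IE policy locations;
the SAMPLE_SNAPSHOT data is constructed.
"""
import sys

# (key path, value name): DWORD 1 means "Disable changing home page settings"
POLICY_LOCK_VALUES = [
    (r"HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel", "HomePage"),
    (r"HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel", "HomePage"),
]
# A "Start Page" under the Policies branch overrides whatever the user sets.
POLICY_START_PAGE_KEYS = [
    r"HKCU\Software\Policies\Microsoft\Internet Explorer\Main",
    r"HKLM\Software\Policies\Microsoft\Internet Explorer\Main",
]
# The key IE actually writes when you change the home page in Internet Options.
USER_MAIN = r"HKCU\Software\Microsoft\Internet Explorer\Main"

# Constructed snapshot: key path -> {value name: data}
SAMPLE_SNAPSHOT = {
    r"HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel": {"HomePage": 1},
    USER_MAIN: {"Start Page": "http://www.google.co.uk/"},
}


def find_homepage_locks(snapshot):
    """Return human-readable findings for every policy value that would block a change."""
    locks = []
    for path, name in POLICY_LOCK_VALUES:
        if snapshot.get(path, {}).get(name) == 1:
            locks.append(f"{path}\\{name}=1 (policy disables changing the home page)")
    for path in POLICY_START_PAGE_KEYS:
        page = snapshot.get(path, {}).get("Start Page")
        if page:
            locks.append(f"{path}\\Start Page forced to {page}")
    return locks


def _open(path, access):
    """Open an HKCU\\... or HKLM\\... path with the requested access (Windows only)."""
    import winreg
    hive_name, _, sub = path.partition("\\")
    hive = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}[hive_name]
    return winreg.OpenKey(hive, sub, 0, access)


def snapshot_from_registry():
    """Build the same path -> values mapping from the live registry (Windows only)."""
    import winreg
    snap = {}
    paths = [p for p, _ in POLICY_LOCK_VALUES] + POLICY_START_PAGE_KEYS + [USER_MAIN]
    for path in paths:
        try:
            with _open(path, winreg.KEY_READ) as key:
                values = {}
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, data, _type = winreg.EnumValue(key, i)
                    values[name] = data
                snap[path] = values
        except FileNotFoundError:
            pass  # key absent: no policy set there
    return snap


def user_key_writable(path=USER_MAIN):
    """True if the current account may set values under path; False when the
    key's ACL denies it, which is the 'take ownership' case (Windows only)."""
    import winreg
    try:
        with _open(path, winreg.KEY_SET_VALUE):
            return True
    except PermissionError:
        return False


if __name__ == "__main__":
    if sys.platform == "win32":
        snap = snapshot_from_registry()
        print("user Main key writable:", user_key_writable())
    else:
        snap = SAMPLE_SNAPSHOT
    for finding in find_homepage_locks(snap) or ["no policy lock found"]:
        print(finding)
```

Note the asymmetry the sample shows: a user-level Start Page under USER_MAIN is ordinary and is not reported; only values under the Policies branch count as locks.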
     
  25. hawklord

    hawklord Master Sergeant

    hi chaslang,
    un-installed (in this order)
    Ad-Aware, Defender, Spybot, SpywareBlaster,
    all done in safe mode with a reboot after each one: no change.
    Reluctant to un-install ZoneAlarm so just shut it down, rebooted and success, hooray!
    Didn't need to do your registry thingy, just reset my web settings. It seems ZoneAlarm was the culprit, but posted the newfiles log just in case.

    thank you for all your help and patience and I wish you a great Christmas (bit soon?)
    dave
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See I told you it was one of the protection components on your PC! ;)

    These days it is really important for end users like yourself to understand everything that you have installed and understand all the features and settings they provide. Without knowing this information, many people are often assuming they have a malware problem when they don't.

    At any rate, now that your issues are resolved, we need to move on to the final steps.

    Make sure you get all your protection software reinstalled.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
  27. hawklord

    hawklord Master Sergeant

    done and clean

    thanks again chaslang
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     