Google Search Hijack

Discussion in 'Malware Help (A Specialist Will Reply)' started by FlyingFish, Dec 4, 2009.

  1. FlyingFish

    FlyingFish Private E-2

    Hello....

    Google searches are being hijacked. Pretty much like described elsewhere; it appears that it keys on keywords in the search results then, when a result's link is clicked, it redirects to a site with 'related' content.

    I do not know of anything in particular I may have done, downloaded, or anywhere I may have gone. Windows XP Professional, Version 5.1.2600; Service Pack 3 Build 2600. Internet Explorer 8.0.6001.18702. Running current version of McAfee Security Center, Virus Scan, Personal Firewall.

    I have completed all of the steps in 'READ & RUN ME FIRST'; a few items were detected and removed, but the search results hijack remains. I was not able to get ComboFix to run. Got the disclaimer box once, it disappeared, hourglass, then nothing else. Tried to re-run several times, but it never even got back to the disclaimer box... just the hourglass.

    The log files (except ComboFix) are attached. Thank you in advance for your help...
     


  2. FlyingFish

    FlyingFish Private E-2

    I was ultimately able to run ComboFix, starting it in Safe Mode. ComboFix indicated it detected a 'rootkit' and had to reboot. Rebooted into normal Windows and continued to run.... Unfortunately McAfee re-started with the reboot and a couple of messages popped up. ComboFix did however continue to run and produced the attached log..
     


  3. FlyingFish

    FlyingFish Private E-2

    It appears that the 'rootkit' was the culprit.... All appears to be back to normal now. Scary stuff, it was able to evade a lot of anti-virus and anti-malware software before being rooted out.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs were not showing any rootkit activity. The scans did remove quite a few items, however, would you tell me what these are:
    C:\Comb15378C
    C:\Comb4484C
    C:\Comb12515C
    C:\Comb
    c:\program files\2a

    You need to use Windows Explorer to find and remove:
    c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\ycbjmr
     
  5. FlyingFish

    FlyingFish Private E-2

    Hello....

    Interesting... ComboFix displayed "Rootkit Found!", then indicated a need to reboot.

    "Comb" is what I renamed ComboFix to before executing. All of the folders you asked about that begin with "Comb.." appear to be created by ComboFix. Attached is a screenshot of the contents of one of the folders (its filename and icon). "2a" is what I renamed the CCleaner installer to before executing.

    c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\ycbjmr has been removed per your instructions....

    Your help is very much appreciated... Thanks! -FF
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You will need to manually remove those files since ComboFix will not be able to do it when I give you the final instructions.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
