January 1, 2009 at 23:28:17
Specs: Microsoft Windows XP Professional, 1.828 GHz / 1022 MB

I would really appreciate any help here. I've used CCleaner, Spybot, Advanced SystemCare, and now (based on a prior log here), the Anti-Malware program (which was the only one to find the Redirect Virus). I don't use McAfee or Norton for AntiVirus. I use Avira AntiVirus.

I seem to have the redirect virus for Google, Yahoo, and other search engines. And this is happening on IE6, FireFox 3, and Chrome.

I am getting redirected to: <xyz>

Where <xyz> is one of the following (subset) of URLs:

None of my other tools detect a problem. I found the problem in the malware tool, but after a reboot, I still have an issue.

Here is my Malware Log:

Malwarebytes' Anti-Malware 1.31
Database version: 1594
Windows 5.1.2600 Service Pack 3

1/2/2009 1:54:04 AM
mbam-log-2009-01-02 (01-54-04).txt

Scan type: Quick Scan
Objects scanned: 84409
Time elapsed: 13 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\ADAPT_Installer.exe (Heuristics.Malware) -> Quarantined and deleted successfully.

I would send my hijackthis.log as well, but the system says to wait for a request for this file. So if you need it, please request it and I'll send it.

Thanks so much
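The log above quarantined a hosts file as Trojan.Agent, which is one common way search-engine redirects are implemented: the file pins google.com, yahoo.com and similar names to an attacker-chosen address so every browser on the machine follows it. The following script is an added example for this thread, not code from any poster or from Malwarebytes; it parses hosts-file content the way Windows does (whitespace-separated, `#` comments), distinguishes harmless sinkhole entries (127.0.0.1 / 0.0.0.0, as ad-blocking hosts lists use) from entries that redirect a watched domain to a real address, and checks whether a reported path is the one Windows actually consults. The sample file content, the watched-domain list and the expected path are constructed assumptions for the example.

```python
"""Flag hosts-file entries that redirect search-engine domains (added example)."""
import ipaddress
from typing import Dict, List, Tuple

# Assumed list of domains a redirect infection typically pins to another address.
WATCHED_DOMAINS = {
    "google.com", "www.google.com", "yahoo.com", "www.yahoo.com",
    "search.yahoo.com", "bing.com", "www.bing.com",
}

# Windows reads only this file; a hosts file elsewhere (such as the C:\WINDOWS\hosts
# in the log above) is not consulted by the resolver. Assumed default system root.
EXPECTED_HOSTS_PATH = r"c:\windows\system32\drivers\etc\hosts"

# Constructed sample content: two ordinary lines, one ad-blocking sinkhole,
# and two lines that pin search engines to a TEST-NET address (203.0.113.0/24).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net    # blocklist entry, harmless
0.0.0.0         www.example-ad-server.test
203.0.113.45    www.google.com  google.com
203.0.113.45    search.yahoo.com
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [hostnames]) for each effective line, comments stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; the resolver ignores it as well
        entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries


def find_hijacks(text: str) -> Dict[str, str]:
    """Map each watched hostname to the non-loopback address it is pinned to."""
    hijacked: Dict[str, str] = {}
    for ip, hosts in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        # Loopback/unspecified entries sinkhole a name; they cannot redirect it.
        if addr.is_loopback or addr.is_unspecified:
            continue
        for host in hosts:
            if host in WATCHED_DOMAINS:
                hijacked[host] = ip
    return hijacked


def is_expected_hosts_path(path: str) -> bool:
    """True only for the path the Windows resolver actually reads."""
    return path.replace("/", "\\").lower() == EXPECTED_HOSTS_PATH


if __name__ == "__main__":
    for host, ip in sorted(find_hijacks(SAMPLE_HOSTS).items()):
        print(f"{host} -> {ip}  (non-loopback: redirect entry)")
    print("C:\\WINDOWS\\hosts is the live hosts file:",
          is_expected_hosts_path(r"C:\WINDOWS\hosts"))
```

To run it against a real machine, read the file at the expected path and pass its text to `find_hijacks`; a file named `hosts` anywhere else is worth a look as a dropped artifact but does not by itself change name resolution.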

January 2, 2009 at 11:08:13

Once you get SDFix downloaded, go offline, turn off your antivirus, and turn off any antispyware that you have, run SDFix from safe mode and restart the antivirus before you get back online to post the log.

Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.

1. Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
3. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt

Please post your Hijack This log.

January 4, 2009 at 14:39:01

Hi, I have followed all the steps above and all seemed to be fine, have been working on and off the net all day and no probs. At the end of the day I thought maybe I should upgrade my antivirus, downloaded the upgrade, had to reboot my laptop and the hijack virus is back again!!!

Did I do something wrong or is there another step to take after the above SDFix process?

Thanks in advance


January 4, 2009 at 15:16:27

If you are running a router reset it.

There are more steps; if you don't follow through to the clean up, many times you get reinfected.

Run Malwarebytes again > update and post its log.

Please download and install the latest version of HijackThis v2.0.2:

Download the "HijackThis" Installer from this link:
Hijack This

1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

January 4, 2009 at 22:56:18

I had the original post here and was able to get internal (remote) IT help that seems to have cleared my problem. I used ComboFix, then afterwards I ran my virus scan again, and after that my problem was no more.

Thanks for the anticipated help. Looks like it's going around and someone else responded to my original post.

January 6, 2009 at 16:20:06

Thanks for the follow-up.

January 14, 2009 at 07:35:11

I finally removed this beast from my computer.

The story: I run constantly and vigilantly Grisoft, Spyware Blaster, Spybot and Adaware. Despite this, my computer got the Google/Yahoo hijack virus. When I used the search engines, the links returned lead to various sales sites unrelated to the search query. It rendered the search engines useless. I found that was fully functional and used it to search for solutions.

I followed suggestions from various chatrooms. First, I looked in the hidden Non Plug and Play drivers and I did NOT have the TDSSserv.sys file on my computer. I downloaded other scanning software including Malwarebytes and CureIt. Both programs found bad guys that my usual 4 did not find. However the hijack remained. I turned off System Restore and ran the scans again. No effect. I downloaded HijackThis and ran it and copied the results into those awesome online analyzer programs and removed everything suggested. Still the hijack remained. However, the next time I ran Grisoft it picked up a trojan. I deleted the trojan and the hijack was gone! The trojan was wdmaud.sys. The path was C:\windows\system32\wdmaud.sys.