Virus or Malware?

Dell Dell optiplex gx520 desktop compute...
April 6, 2010 at 17:31:54
Specs: Microsoft Windows XP Home Edition, 2.8 GHz / 2.0 Gb
Something has gotten into my son's computer and I can't find it.

Here are the symptoms - I'll use ccleaner as an example, but it happens with lots of other searches also.

If I do a Google search, I will get the standard list of hits, but if I click on any of them, I'll get sent to a totally different site. Let's say I do a search on ccleaner. will appear in the drop down, but if I follow it, I might get taken to

Or if I let Google search for cccleaner, the first hit will be for, the new homepage for ccleaner. If I hover over the link it will say which is the correct link.

However, when I click the link, whoops! this time avast just blocked a trojan. I tried it again and was sent to

I just did a Yahoo Search on the Yankees and instead of following the link to a news report on the Yankees, I was sent to a Ticket Liquidator site.

I can type any URL in the address bar and get to where I want to go, but clicking a link from a Google or Yahoo search takes me to some random site where they want to sell me something.

I ran a full system scan with avast, AVG, Malwarebytes and SuperAntiSpyware. I ran TFC and ccleaner. What was found was cleaned, but the problem still exists.

I can't run Spybot because the install program tries to access the safer-networking site and I think - but can't be sure - that the access attempt is being redirected because I get a message that says:

"The server name or address could not be resolved".

The same install package runs fine on another system, so I'm pretty sure the install is being blocked by whatever has invaded this system.

Any thoughts on what tool(s) I can use to clean this system?

Your assistance would be greatly appreciated!


April 6, 2010 at 17:39:12
Sounds like arp poisoning.

Post the results of an ipconfig /all for review


April 6, 2010 at 18:32:14
Sounds like the Google hijack virus. Many ideas there to fix. Boot in safe mode to run tools.

Might boot to a live CD and scan. See hosts file too. for some ideas.

Also see bartsPE and ubcd4win as they can also support a number of antispyware/malware and antivirus programs. They are also basically live xp systems that should view the web correctly if your lan is also working correctly.

There are some Linux live CDs too that offer AV.

Consider also that you may be able to simply reload the system back to its OEM state. It is almost 100% effective.

Other links.

Playing to the angels
Les Paul (1915-2009)

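The hosts-file check suggested in the reply above, as an added example that is not part of the original posts: it parses hosts-file text and reports entries that point watched names at another address or sink them to loopback. The watch list (search engines and the Spybot vendor's site mentioned in the thread) and the sample file are assumptions constructed for illustration.

```python
import ipaddress

# Assumed watch list built from names mentioned in the thread; extend as needed.
WATCHED = ("google.com", "yahoo.com", "safer-networking.org")

# Constructed sample of a tampered hosts file (documentation-range addresses).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.45    www.google.com google.com   # constructed redirect
127.0.0.1       www.safer-networking.org
0.0.0.0         ads.example.net
not-an-ip       search.yahoo.com
"""

def is_watched(host):
    """True if host is a watched domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED)

def audit_hosts(text):
    """Return (line_no, address, hostname, verdict) for suspicious entries."""
    findings = []
    for no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comment
        if len(fields) < 2:
            continue  # blank, comment-only, or address with no name
        addr, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings += [(no, addr, n, "malformed") for n in names if is_watched(n)]
            continue
        # Loopback or 0.0.0.0 makes the name unreachable; anything else
        # sends the name to an address of the file author's choosing.
        sink = ip.is_loopback or ip.is_unspecified
        for name in names:
            if is_watched(name):
                findings.append((no, addr, name, "blocked" if sink else "redirected"))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

On Windows XP the file to feed in is `%SystemRoot%\system32\drivers\etc\hosts`; a clean result does not rule out a driver-level hijacker such as the one found later in this thread.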

April 6, 2010 at 19:33:03
Yep, sounds like you have a browser hijacker. You may wanna ask in the Security & Virus forum.


April 6, 2010 at 20:08:40
Thanks guys!

The link to the lockergnome site seems to have solved the problem.

I downloaded Hitman Pro 3.5 from cnet and ran it. Almost instantly it found vgaoko.sys.

Once I quarantined it and rebooted, the Google links began to work. I was also able to install Spybot.

Next question:

I looked up vgaoko.sys here and noticed some other files and registry entries associated with the threat.

Do I need to be concerned with the "leftovers"?

Thanks again.


April 7, 2010 at 13:14:12
I am never very fond of a damaged system. You can try sfc.exe but you can't check all applications like that. You may wish to run and go with what you have but I like a clean reload in many situations. I make a good state of a computer and make an image. Consider a cloning software maybe.

One thing is really just as important. You may wish to start using some "best practices" to avoid this. Simple things like make limited user accounts and all users use them. Only use admin when "runas" will not work. Good hosts file, Anti-virus/malware/spyware and firewall are needed too.

Playing to the angels
Les Paul (1915-2009)


April 7, 2010 at 14:22:09
Thanks for the suggestions.

Many of them are already in place - in fact I'm a little pissed that avast and/or SuperAntiSpyware didn't prevent this from happening.

Rhetorical questions: If each of the various spyware and/or virus apps finds something, but not one of them finds everything, what is a user supposed to do? Every company claims to be the best, but none of them are 100% effective. Am I supposed to scan my systems with a different app every day and hope nothing sneaks in until I cycle around to the start again?


April 7, 2010 at 19:01:16
You need to be careful you do not set multiple AVs on automatic scan as they might conflict. Some spyware scanners can operate with antivirus only scanners. Yes, nothing is 100% effective, all will tell you that if you ask them.

Personally, I use Webroot's Antivirus with Spysweeper. Yes I have to pay for it but they have multiple discounts that help. I have used it for a number of years now with XP and now with Windows 7 and had not had ANY infection that it did not block completely until very recently and a quick manual scan with Malwarebytes removed it. I set my primary one to scan daily and update definitions hourly. For me, it works. We have 3 desktops in the house and one laptop away at college and at work, they have been using it on 3 computers particularly sensitive for over a year now without a problem.


April 7, 2010 at 20:31:45
Thanks for the tips... although I am aware of the multiple AV issues.

As far as your use of a particular AV and Anti-Spyware, our situations are almost parallel. I can say the same thing about avast and SuperAntiSpyware: Many years on 3 networked PCs without an issue - until this recent episode with vgaoko.sys.

Unfortunately, "a quick manual scan with Malwarebytes" didn't find it, nor did AVG. Hitman Pro, something I had never tried before, did.

I think that both of our situations bolster the fact that we should not be settling for a single product and hope that it blocks everything. We should continue to use the one that we have the most faith in, but we should also be running scans with other products every now and then, even if that means un-installing a particular app in order to run the scans.


April 8, 2010 at 06:24:13
Unfortunately, true. Life would be much easier if no one was out there creating these annoying things. There is some actual intelligence out there that could be making good money working for 'the other side' helping make our computers more secure.
