Jul 19th, 2007
0

STRANGE IE7/Google hijack! Please Help!!!

Hello all, and thank you in advance for any replies

I have recently come across a machine that has been hijacked!! Let me explain...

This is an XP Pro SP2 system, running IE7 with all the latest updates. Whenever a Google search is performed (.com + .co.uk, from the searchbar, Google home page, or any other subsequent Google pages), the usual results are returned fine, but whenever I click on a link (any result, any search) I am redirected to another (usually) search engine, such as LookSearch, or various advertisement sites.

This problem is exclusive to IE (have recently installed Firefox as a work-around) and does not seem to affect any other search engine (Yahoo, Ask, Live etc. work fine).

I have run the usual Spyware/AV scans using SpyBot, Ad-Aware and Windows Defender (all with latest updates, as of 19th July), none of which were much help.

In a last-ditch attempt at salvation, I grabbed a HijackThis! log, which I will attach to this post, in the hope that someone more knowledgeable than myself can find the problem. There don't appear to be any new programs/toolbars etc. so I really am stuck!

Please please please help, any posts will be greatly appreciated!!!

PS: having spent hours searching the net, the closest thing I could find was a 3 year old thread on some random forum where the problem lay with an "sp.html" and some associated rogue DLLs and EXEs, but having scoured the HDD I could not find evidence of this.

Again, thanks in advance for any replies!
Attached Files
File Type: txt hijackthis.txt (8.1 KB, 24 views)
Reputation Points: 12
Solved Threads: 0
Light Poster
DeViAnT\gAmEr is offline Offline
45 posts
since Jul 2006
Jul 19th, 2007
1

Re: STRANGE IE7/Google hijack! Please Help!!!

First, go to Add/Remove Programs and uninstall MyWebSearch, then delete the program folder of that name.
This is your main problem:
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
And then there is this, a pest:
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZKxdm021YYGB
- Fix both with HijackThis, then delete the file C:\WINDOWS\Temp\startdrv.exe [you may have to do it in safe mode....]
Alternatively you could download Unlocker to delete it...
If it returns you could try ComboFix:
- Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- To run it, double-click combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Last edited by gerbil; Jul 19th, 2007 at 1:11 pm.
Reputation Points: 239
Solved Threads: 296
Industrious Poster
gerbil is offline Offline
4,169 posts
since May 2005
Jul 19th, 2007
0

Re: STRANGE IE7/Google hijack! Please Help!!!

Hey man, thanks a lot for the info, seriously I mean it, this one's been a real head-scratcher. Unfortunately though I will not be able to have another look at this machine until Monday (owner away), BUT as soon as I can I will have a look and let you know how it goes!

Did you have the same problem? If so, do you have any idea what could have caused this?

Thanks again mate, loads!


speak soon,

Rich
Reputation Points: 12
Solved Threads: 0
Light Poster
DeViAnT\gAmEr is offline Offline
45 posts
since Jul 2006
Jul 19th, 2007
0

Re: STRANGE IE7/Google hijack! Please Help!!!

Me? No. It was late so I did not complete. Run ComboFix because it will remove files associated with that trojan, and add these few entries for fixing just to tidy up...

O2 - BHO: H - {4F862FBA-1E2B-4072-9EA8-1FD3FECB86A1} - somato.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - (no file)

Say how you get on.
Reputation Points: 239
Solved Threads: 296
Industrious Poster
gerbil is offline Offline
4,169 posts
since May 2005
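
The checks applied by eye in the two replies above (an O4 autorun launching from a temp directory, O2/O3 entries whose file is gone, an O8 context-menu item pointing at a remote URL) can be scripted for first-pass triage of a HijackThis log. This is an added example, not part of the original thread and not HijackThis's own code; the heuristics, the `triage` function name and the last sample line are assumptions constructed for illustration.

```python
import re

# Log lines quoted in the replies above (the O8 URL is elided on the page and
# kept as-is). The final ExampleUpdater line is constructed as a benign control.
SAMPLE_LOG = r"""
O2 - BHO: H - {4F862FBA-1E2B-4072-9EA8-1FD3FECB86A1} - somato.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - (no file)
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZKxdm021YYGB
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")
RUN = re.compile(r"^(HK\w+\\\.\.\\Run\w*): \[(.*?)\] (.+)$")  # O4 registry autoruns
# Directories a legitimate installer rarely autostarts from (triage heuristic, an assumption)
TEMP_DIR = re.compile(r"\\(temp|tmp|temporary internet files)\\", re.I)
ORPHAN = re.compile(r"\((file missing|no file)\)\s*$", re.I)

def triage(log_text):
    """Return (section, reason, detail) for each entry worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header lines, blank lines, running-process list
        section, body = m.groups()
        if section == "O4":
            run = RUN.match(body)
            if run and TEMP_DIR.search(run.group(3)):
                findings.append((section, "autorun from temp directory", run.group(3)))
        elif section in ("O2", "O3") and ORPHAN.search(body):
            findings.append((section, "orphaned entry, file absent", body))
        elif section == "O8":
            url = re.search(r"https?://([^/\s]+)", body)
            if url:  # report only the host; the rest of the URL is not needed for triage
                findings.append((section, "context menu item loads remote URL", url.group(1)))
    return findings

if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section}: {reason}: {detail}")
```

A hit is a prompt to inspect the entry, not a verdict: orphaned entries are usually just leftovers, and the temp-directory rule says nothing about autoruns placed elsewhere.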
Jul 25th, 2007
0

Re: STRANGE IE7/Google hijack! Please Help!!!

Hi again, thanks for the help, it's really appreciated. Unfortunately neither that file nor registry entries exist. I did however run ComboFix, and I shall attach the log file, as well as the quarantine log (I dunno if that helps, but I'll up it anyway).

Sorry for the late reply, work has been really busy this week.

thanks again,


rich
Attached Files
File Type: txt ComboFix.txt (12.2 KB, 23 views)
File Type: txt ComboFix-quarantined-files.txt (1.8 KB, 17 views)
Reputation Points: 12
Solved Threads: 0
Light Poster
DeViAnT\gAmEr is offline Offline
45 posts
since Jul 2006
