1 2 Previous Next 17 Replies Latest reply on Nov 15, 2009 10:39 PM by zenned1

    search engine hijacker

      It doesn't matter if I use internet explorer or firefox, google, yahoo, msn, ask.com.... something is trying to redirect my search. After a redirect or two, it goes ahead and lets me surf in Internet Explorer.  In firefox, ocasionally  I get a message like the one in the screenshot attachment.  I have tried malwarebytes, superantispyware, lavasoft, and of course, mcafee.  I sure hope someone can help me.

        • 1. Re: search engine hijacker

          Hello,

           

          It looks like you might have a rootkit or a modified HOSTS file. Let's first check your HOSTS file. Please attach the following file:

           

          %SYSTEMROOT%\System32\Drivers\etc\HOSTS 
          

           

          %SYSTEMROOT% is the location to your Windows installation. Usually it is "C:\Windows".

           

          C:\Windows\System32\Drivers\etc\HOSTS
          

           

          After posting your HOSTS file, it is a good idea to try a RootRepeal scan and report back what it finds. Be sure to follow these directions carefully.

           

          1. Download RootRepeal
          2. Extract the file to your Desktop and Rename the file to something random like "abcd1234.exe"
          3. Run the program by double-clicking on it.
          4. Click on the REPORT TAB at the bottom of the program. [DO NOT SKIP THIS STEP]
          5. Click on the SCAN Button. Check each option EXCEPT "Files". Click OK.
          6. After a few moments, the scan should be done and show a Report text file. Please reply with the information in this file.

           

           

          Message was edited by: Mark (secured2k) on 11/14/09 10:29 PM
          • 2. Re: search engine hijacker

            yes, this must be it.  It was modified recently.

             

            thank you.

            • 3. Re: search engine hijacker

              Your HOSTS file is clean. Please try the next step with RootRepeal.

              • 4. Re: search engine hijacker

                Here you go.  Thanks for your help.

                • 5. Re: search engine hijacker

                  Your RootRepeal log only shows that you have LavaSoft Ad-Aware and PrevX installed and no other hidden software. Your problem may be caused by some other system modification. Please try the following:

                   

                  Start a Command Prompt

                  Click Start -> Run

                  Type in CMD.EXE

                  Click OK

                   

                  In the Command Prompt, type the following commands and report back the response in a post. Press <ENTER> after each line.

                   

                  NSLOOKUP  WWW.GOOGLE.COM

                   

                  NETSH INT IP RESET NUL

                   

                  NETSH WINSOCK RESET

                   

                  Restart your computer after posting the results.

                  • 6. Re: search engine hijacker

                    To help find out what is starting up with your computer, please download and run the following tool.

                     

                    Download and Run AutoRuns

                     


                    1. When it starts, Press <ESC> to cancel the initial scan.
                    2. Go to the OPTIONS menu and make sure "Verify Code Signatures" AND "Hide Microsoft and Windows Entries" are checked.
                    3. Choose the FILE menu - > Refresh.

                     

                    This will scan your computer's startup locations and list them. It is done when the lower left status bar says "Ready."

                     

                    You can us the FILE menu to save a file with a list of your startup items. Please attach it to your post.

                    • 7. Re: search engine hijacker

                      I didn't know how to post the results except by screenshots.  Here you go.  I sure hope that does something!  Thank you for all your help.

                      • 8. Re: search engine hijacker

                        It looks like you have a hijacked DNS setting. To manually remove the DNS setting follow the steps below.

                         

                        Be careful not to skip any steps or delete anything by mistake as it will break your computer.

                         

                        Click Start -> Run

                        Type in REGEDIT

                        Click OK

                         

                        Navigate to the following location:

                         

                        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces

                         

                        In this registry key, there are sub keys that represent your network interface(s). The "GUID" is unique to your system. For example...

                         

                        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{EDC6FC83-D668-433E-8122-F3F1CD2CEB8B}
                        

                         

                        Go to each sub-key and locate the NAMESERVER entry. Double Click on it to modify and delete the bad IP address listed (like 69.145.232.32).

                        The change is immediate but I recommend a reboot afterwards.

                        • 9. Re: search engine hijacker

                          Here is the autorun result.  I will try the next thing now.  Thank you.

                          1 2 Previous Next