Google Hijacker kicking my butt

Thread starter: keeperofthecode
Very seldom does it ever take me more than an hour to remove viruses, but lately these Google hijackers have been getting tougher. I've worked on four this week with the hijacker that I got cleaned up, but today I worked on one I just couldn't get. Two hours and I'm stumped. I've thrown the book at it. Manual removal, ComboFix, GMER, SUPERAntiSpyware, Malwarebytes, Spyware Doctor, manual searches, manual searches and more manual searches. I can remove viruses in my sleep but this thing is making me feel like a pizza tech. Does everyone else struggle with these or am I just missing something? Ended up offering for them to take it to my office so I can do more thorough scans, which they are going to bring to me Monday. It's been a long time since I've been defeated at an onsite job by a virus, but today I definitely got broken down. May have to demote myself.
 
I've run into this a few times myself. I've found that UnHackMe's boot up scan has done the trick for me a couple times. Just be careful on what you have it remove, I use the "I'm not sure" option to tell me whether the item it found is generally good or bad.

I'm sure you've done it, but obviously, check the DNS records for the network card, check the hosts file and do a full reset of the settings in IE. I'd also be curious if the problem is only in IE or in FF too. That can often help solve the question of whether it's a DNS or hosts file problem.
 
Do they use Google Toolbar? Client last night used it and searches made using Google Toolbar always got redirected, whereas searches using the search box in the address line didn't get redirected. Uninstalled Google Toolbar and its affiliates, and removed same from Scheduled Tasks. Problem solved. That was after installing Antivir Premium and SAS, and scans by them plus MBAM were clean on a previous visit. I'm finding these three amigos less and less effective at detecting a lot of "stuff" lately.

Edit: Forgot to mention, this was after checking the HOSTS file, DNS settings in the router and TCP/IP entries, and checking for proxy servers and rootkits.
 
Only IE redirects. When it comes in my office I'll do more thorough scans. I'm just not used to having to rely on scans. Usually when I am working onsite I only use scans to double check I didn't miss anything in my manual search.
 
I got rid of this the other week using ComboFix. iis had a good point with TDSSKiller because that is what ComboFix removed.

It was hard for me too, and I was pretty much in the same situation as you wondering whattt the heckkk lol
 
Funny after I posted this I had a machine come in like this and I could NOT get it cleaned. I kept getting Google redirects, random shopping site pop ups, and Win32 errors. UnhackMe didn't do the trick, nor all my other standard SAS/MBAM scans and I couldn't find anything manually. I ran UnHackMe one more time and it found a rootkit but wanted me to buy/upgrade to remove it. I then ran ComboFix and it nuked it.

So far so good, it seems to be working.....
 
I had the same situation the other day. Did Malwarebytes, HitmanPro, etc. No Love. I knew it had to be loading at boot like a rootkit so I ran MBRCheck.exe, replaced the boot.ini and voila.

Interesting note that HitmanPro detected it but could not remove it. Mine was a TLD3 variant. Nasty. I thought it had me beat like you but this application is really simple and worked great for me. I did not look at the boot.ini beforehand but wish I had. It is certainly a place to look. They have to load somehow.

Good luck.
 
Make sure the hosts file hasn't been changed.
Delete temp files.
Internet Explorer > Tools > Internet Options > Connections > LAN settings > no boxes checked
Use Autoruns, Options menu > hide Microsoft and Windows entries, then look under Logon and Image Hijacks for malware. If you find and delete any, hit the refresh button to see if a rootkit keeps replacing the file.
 
You also must go to Regedit and look for the startup services... sometimes you will notice the unusual suspects in there. You want to MOVE these files immediately to the desktop, and reboot. It cannot find itself then.

But as long as you wiped the hosts file, checked for proxy in IE, that ComboFix usually fixes the IE redirector every time.
 
> I can remove viruses in my sleep but this thing is making me feel like a pizza tech.

I've just been through the same hell.
I think you might have the Win32/Bamital Trojan.
Main symptom is Google search redirects. Direct URL entry works fine, but if you click on any link from a Google search you get a redirect.
After using every tool/technique available, Microsoft Security essentials removes this one with ease...
I hope this helps
 
> I've just been through the same hell.
> I think you might have the Win32/Bamital Trojan.
> Main symptom is Google search redirects. Direct URL entry works fine, but if you click on any link from a Google search you get a redirect.
> After using every tool/technique available, Microsoft Security Essentials removes this one with ease...
> I hope this helps

I was going back a couple of days later to work on it some more and when I did Spyware Doctor with Antivirus had removed it.
 
I have seen a couple of viruses recently that absolutely no piece of software was able to detect or remove. In each case, the only way I was able to clean the system was by manually going through several hundred registry keys. These are usually .dll files buried in system32 that have been injected into the shell process, or as a rogue driver or service.

Depending on your level of knowledge you may be better off doing a repair install in cases like this. I had two of my best techs (each with over 10 years of experience) looking at these systems and they couldn't find the viruses, so they turned the systems back in. Those were some late nights for me! :)
 
Also had a recent Google redirector problem that had me stumped.

Turns out the hosts file had many bogus entries, but the hosts file was hidden and not visible from Windows, and no matter what attrib command I used I could not access it.

I had to boot up from a Linux boot CD to see and fix the hosts file.
 