
Google Virus!?


gize

Hey all! Didn't know where else to post this to ask all you smart people to assist me. I think my google/IE may have a leftover issue from spyware or something. Whenever I do a search on google it just brings up links such as "to find more on "X" or "Y". It's like google no longer looks at individual pages but has some overriding program directing me to other search engine links, if that makes sense. I did have some of the typical file sharing spyware and adware deals but I ran adaware and search and destroy and cleaned them up but now I can't get google to work. I attempted to click on google preferences but it just adds a "#" to the current google address like "www.google.com/#" instead of opening up the preferences. I tried uninstalling IE but it says it's in use and cannot delete even after rebooting. My work computer works fine on google. I know there is something funky going on my home computer. You guys have any idea what I can do besides reformatting? I want my google back!!!
 
I would type more, but I just had surgery. That happened to me once too. Try adaware and spybot first. I don't remember how I eliminated mine.
 
Sounds like a browser hijacking, though I have never heard of FF having that problem. Anyway, run Bazooka along with other scanning applications (MS antispyware, Adware, Spybot, maybe even try and get a trial of Spyware Doctor and Pest Patrol).
 
Thanks for your responses guys. As I posted I already ran adaware and spybot and it stopped these icons from popping up on my desktop and it stopped the folders being put in my favorites but it didn't fix this google hijack type thing. I still cannot enter preferences or any settings on the google page it just sits there after clicking. I tried yahoo.com search and same thing. I appreciate the link on all the different types of spykillers and I will eventually get frustrated enough to do all that, was hoping for a specific fix for it though.
 
Well the problem with asking for a specific fix, is that it's difficult to know exactly what malware you are infected with. Believe it or not running updated versions of 2-3 of those programs IS the easiest and safest way to get rid of it.

I would suggest running adaware, spybot, and spyware doctor or spyware sweeper - as well as CWS Shredder - and *then* posting up a hijackthis log for us.
 
Or better yet, take a look at the guide to reading hijackthis logs and then you can figure it out.
 
I had a similar thing happen to me once. Try looking at your hosts file located in winnt/system32/drivers/etc. See if there are any strange entries there. If there are, rem them out (use a # in front, if I recall). That helped me out.


If you do edit it, remember to save it with NO FILE EXTENSION!! or it won't work.


Good luck

Lee
 
FYI.. here is a typical host file from my PC at work:


# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
 
gize said:
I know there is something funky going on my home computer. You guys have any idea what I can do besides reformatting?
Are you on NT ...XP?
Restrict administrative accounts from running untrusted applications and isolate/restrict standard users in a manner that prevents the virus etc. from being able to propagate. For how to do that, refer to the TFM www.microsoft.com Trusted facilities manuals.

That will keep that from happening again......personally I'd do a fresh install and configure correctly.

Those IE options are there for a reason.
 
Thanks for all the responses guys. All I have run thus far is search and destroy and adaware, latest editions of all. I will try and get hijackthis run on it, sounds like a good program. If/when I get it fixed I will let you all know. I am kind of curious what it is and how I got it. Probably some kazaa lite file trojaned in would be my guess.
 
Hijackthis should work, it helped me when my homepage got hijacked, google don't you know. The problem I had was that even though the spyware programs recognized the problem and would remove the offending malware, it always came right back, until I disabled system restore and removed the malware in safe mode. I wish the thread Mr.Chambers linked to would have been around then. It would have saved me a lot of time and headaches, check it out.
 
Okay all you hijackthis experts, let me know what to delete :) I already deleted a couple suspicious things like walmart something and itunes and some AZE.search file. This is the updated list. And btw, now when I search for anything in google it takes me to that error 404 page, saying "page cannot be found". Thanks in advance and any help would be much appreciated. What a pain! Here is the log from hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 12:28:58 AM, on 7/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Avant Browser\avant.exe
C:\Documents and Settings\Eric\Desktop\temp\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: 213.219.251.78 www.google.com
O1 - Hosts: 213.219.251.78 google.com
O1 - Hosts: 213.219.251.78 www.google.co.uk
O1 - Hosts: 213.219.251.78 google.co.uk
O1 - Hosts: 213.219.251.78 www.google.ca
O1 - Hosts: 213.219.251.78 google.ca
O1 - Hosts: 213.219.251.78 www.google.es
O1 - Hosts: 213.219.251.78 google.es
O1 - Hosts: 213.219.251.78 www.google.de
O1 - Hosts: 213.219.251.78 google.de
O1 - Hosts: 213.219.251.78 www.google.fr
O1 - Hosts: 213.219.251.78 google.fr
O1 - Hosts: 213.219.251.78 www.google.com.au
O1 - Hosts: 213.219.251.78 google.com.au
O1 - Hosts: 213.219.251.79 www.yahoo.com
O1 - Hosts: 213.219.251.79 yahoo.com
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O1 - Hosts: 213.219.251.80 www.msn.com
O1 - Hosts: 213.219.251.80 msn.com
O1 - Hosts: 213.219.251.80 search.msn.com
O1 - Hosts: 213.219.251.80 www.search.msn.com
O1 - Hosts: 213.219.251.80 go.com
O1 - Hosts: 213.219.251.80 www.go.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run:
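
An added example, not part of any post in the thread: a small Python check for the hosts-file advice above and the `O1 - Hosts:` lines in this log. It lists every hostname pinned to a non-loopback address and can comment those lines out with `#`; the function names are this example's own, and the sample input is excerpted from the log above.

```python
import ipaddress
import re
from collections import defaultdict

# O1 lines excerpted from the HijackThis log posted in the thread; the
# comment line and the localhost line mirror the stock hosts file shown earlier.
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost
O1 - Hosts: 213.219.251.78 www.google.com
O1 - Hosts: 213.219.251.78 google.com
O1 - Hosts: 213.219.251.79 www.yahoo.com
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O1 - Hosts: 213.219.251.80 search.msn.com
"""

O1_PREFIX = re.compile(r"^O1 - Hosts:\s*")

def parse_entries(text):
    """Yield (ip, hostname) for each active mapping; comments are ignored."""
    for raw in text.splitlines():
        # Accept raw hosts lines or HijackThis O1 lines; drop '#' comments.
        fields = O1_PREFIX.sub("", raw.strip()).split("#", 1)[0].split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except (IndexError, ValueError):
            continue  # blank, comment-only, or malformed line
        for name in fields[1:]:
            yield ip, name.lower()

def suspicious_overrides(text):
    """Group hostnames pinned to a non-loopback address, keyed by address."""
    hits = defaultdict(list)
    for ip, name in parse_entries(text):
        if not (ip.is_loopback or ip.is_unspecified):
            hits[str(ip)].append(name)
    return dict(hits)

def comment_out(hosts_text, bad_ips):
    """Return raw hosts-file text with lines for flagged addresses '#'-prefixed."""
    out = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        out.append("# " + raw if fields and fields[0] in bad_ips else raw)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for ip, names in suspicious_overrides(SAMPLE).items():
        print(ip, "->", ", ".join(names))
```

A non-loopback entry is only a candidate for review, since intranet names are legitimately pinned this way; pass `comment_out` only the addresses you have confirmed do not belong.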
 
oh and btw, I am using Avant browser and have been all this time if that matters. It appears it uses the base IE stuff so I am not sure it does.
 
Anyone able to view my hijack info and tell me if I need to delete anything?
 
UPDATE!!! Well I decided to download Microsoft's antispyware beta to see if I could get my search back. It found 8 items. That is after running the latest adaware and spybot. The most severe found was IST bar. It also found some www.msn.com redirector that may have been my search problem. I removed and rebooted and ran it again and that redirector was still found so I removed it again and so far so good, have not rebooted again yet, hopefully it stays away. If any of you are having similar problems I highly recommend Microsoft's antispyware beta.

I HAVE MY GOOGLE BACK!!!!! Wooo hooo!!!

Never knew I was so dependent upon searching until I lost it. Thank you for all your help and suggestions everyone!
 