Jump to content
IObit Forum
Top Free Driver Updater Tools Best 25 PC Optimization Software Best 22 Antimalware Best 22 Uninstaller Software IObit Coupons & Discount Offers PC Optimizer Mac Boost Advice IObit Coupons A Good Utility Program From IObit IObit Promo Codes IObit Coupon Codes IObit Coupons and Deals FAQs Driver Booster Pro Review

Google Results Hijack


Recommended Posts

Posted

I have managed to have something invade my system that hijacks the results from a Google search. The search operates normally, but when I click on a result I get a redirect to something else. Whatever it is has not been found by Norton Antivirus, AdAware, or Advance System Care. New scanning software such as Spybot Search and Destroy can be installed, but I can't connect to download the latest file updates.

 

 

Attached is my Hijack This logfile from a scan this morning.

 

Any help would be appreciated. Thanks.

hijackthis logfile 052009.txt

Posted

OK BigB-I'm not an expert here,but entry # 012 looks suspicious to me.I would try to download and install SAS free version here. Don't worry if it won't update-just run the full scan .Also there are some common "fixes" available under "Repairs" from the main window.Also try MB free version here-again,don't worry if it won't update-run the full scan.Let us know how you make out.

Posted
OK BigB-I'm not an expert here,but entry # 012 looks suspicious to me.I would try to download and install SAS free version here. Don't worry if it won't update-just run the full scan .Also there are some common "fixes" available under "Repairs" from the main window.Also try MB free version here-again,don't worry if it won't update-run the full scan.Let us know how you make out.

 

 

I installed SAS and ran it. I had to do so within the AOL Desktop envirionment as the hijack wouldn't allow me to access the website from the straight version of Internet Explorer. I couldn't download the latest definition file, but it didn't matter. I was able to quarantine the items that were causing the problems. FYI...#012 was not the glitch. It's still as it was, but the redirect is now history. Thanks for your help, and thanks for the heads up on SAS. I'm removing AdAware and keeping SAS. (And I'm going to send a donation. The redirect was more of a irritant than a severe problem, but it may have changed over time. Certainly worth some coin!)

 

Have a great day and God bless you!

Posted

Glad to hear that worked out.I would take a shot with Malwarebytes also,just to be sure.I'm sorry I forgot to point you to this thread.For $9.95 you get one full year of Pro with all updates.For an additional $9.95 you get Pro with lifetime updates.That's hard to beat for twenty bucks!

Posted

Yes, it seems your setting were hijacked and you were being redirected to a harmful site (will not give the name out).

 

Could you please post a new log so I can analyse it and tell you if you are all clean now :)

Posted

Hi BigB6905,

 

Please check if the items in red rectangles in the attached images are deleted.

Also, I wouldn't use the service and process below:

O23 - Service: SAiDownloader - TODO: <Company name> - C:\WINDOWS\system32\SAiDownloader.exe

 

Here are the details of hijacked IPs' details:

 

[85.255.112.14.static.ukrtelegroup.com.ua]

[85.255.112.62.static.ukrtelegroup.com.ua]

 

domain: com.ua

remark: Public generic 2LD COM.UA

admin-c: HOST-UANIC

tech-c: HOST-UANIC

tech-c: ST101-UANIC

dom-public: YES

nserver: golf.hostmaster.net.ua

nserver: ba1.ns.net.ua

nserver: ns.net.ua

nserver: sns-pb.isc.org

nserver: ho1.ns.com.ua

nserver: ns-he.kolo.net

changed: HOST-UANIC 20090310142332

source: UANIC

 

% Glue Record:

% ===========

nserver: ho1.ns.com.ua

ip-addr: 195.47.253.3

% Administrative Contact:

% ======================

nic-handle: HOST-UANIC

organization: ôï÷ "èÏÓÔÍÁÊÓÔÅÒ"

organization: Hostmaster Ltd

organization: ïïï "èÏÓÔÍÁÓÔÅÒ"

address: P.O.Box, 98

address: 04060 KIEV

address: UA

phone: +380 (44) 4517456

e-mail: info@hostmaster.net.ua

url: http://www.hostmaster.net.ua

org-id: 31306359

mnt-by: NONE

changed: ST101-UANIC 20090129152739

source: UANIC

% Technical Contact:

% =================

nic-handle: ST101-UANIC

person: Svitlana Tkachenko

address: p.o.box, 98

address: 04060 KYIV

address: UA

e-mail: sveta@net.ua

mnt-by: NONE

changed: ST101-UANIC 20090120101145

source: UANIC

% Technical Contact:

% =================

nic-handle: HOST-UANIC

organization: ôï÷ "èÏÓÔÍÁÊÓÔÅÒ"

organization: Hostmaster Ltd

organization: ïïï "èÏÓÔÍÁÓÔÅÒ"

address: P.O.Box, 98

address: 04060 KIEV

address: UA

phone: +380 (44) 4517456

e-mail: info@hostmaster.net.ua

url: http://www.hostmaster.net.ua

org-id: 31306359

mnt-by: NONE

changed: ST101-UANIC 20090129152739

source: UANIC

 

 

Cheers.

Posted

New Logfile

 

Here is my newest HijackThis log file. FYI, the SAiDownloader.exe is an internet verification of the validity of my sign software in lieu of having a dongle attached to my computer. The validity is checked once or twice a month.

 

Thanks for everyone's input.

hijackthis logfile 052609.txt

Posted

Seems you are still hijacked. Please remove:

  • O2 - BHO: (no name) - A× - (no file)
     
  • O2 - BHO: (no name) - ÐA× - (no file)
     
  • O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.14,85.255.112.62
     
  • O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.14,85.255.112.62

 

You probably got rid of the infection, but never got rid of what the infection left over :smile:

Posted

When I booted my system today, I ran HijackThis and found that the 017-HKLM lines were duplicated in the log. I went ahead and checked all 4 of them as well as the 02-BHO lines and deleted them. The new logfile is attached. I'll reboot the system once more to see if all of them are removed.

 

Thanks again for your help. Have a great day!

 

 

Seems you are still hijacked. Please remove:

  • O2 - BHO: (no name) - A× - (no file)
     
  • O2 - BHO: (no name) - ÐA× - (no file)
     
  • O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.14,85.255.112.62
     
  • O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.14,85.255.112.62

 

You probably got rid of the infection, but never got rid of what the infection left over :smile:

hijackthis logfile 052709.txt

Posted

Great, your last attached HijackThis report shows that, they are all gone.

 

After reboot, if it is still the same, then your HijackThis report is clean.

 

Cheers.

Posted

BINGO! It's all clear. :smile:

 

I appreciate the input from everyone. Thanks a lot!

 

 

Great, your last attached HijackThis report shows that, they are all gone.

 

After reboot, if it is still the same, then your HijackThis report is clean.

 

Cheers.

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...