Contributor
bogue12
Posts: 12
Registered: ‎01-19-2010
Accepted Solution

Browser Hijack Virus

[ Edited ]

Hi, I have Norton 360, but it seems my computer is infected with a browser / Google search hijacking virus.  The symptom is that clicking on a Google search link brings me to a bogus site like www.comparedby.us.  I was hoping that there would be some generic solution to this, but I can't seem to find that.  Can you help?  Thanks!

   - bogue12

delphinium
Posts: 9,862
Kudos: 2,965
Solutions: 293
Registered: ‎11-21-2008

Re: Browser Hijack Virus

[ Edited ]

Hi bogue12:

 

Have you cleared your browser cache and temp files?  You can also try Malwarebytes free version.  Download it, install, update and run a full scan.  You will be able to post the log by using the "add attachments" link below the message window. Save the log to Notepad before attaching as a .txt file.

 

If that doesn't work, it may provide more information about what to do next.

 

http://www.filehippo.com/download_malwarebytes_anti_malware/

 

Under certain circumstances profanity provides relief denied even to prayer.
Mark Twain
Contributor
bogue12
Posts: 12
Registered: ‎01-19-2010

Re: Browser Hijack Virus

Thanks for your reply.  I previously installed Malwarebytes and recently did a quick scan, and it found nothing.  I am running a full scan now.  In the meantime, I have attached the log file from HijackThis.

Thanks!

floplot
Posts: 10,608
Topics: 218
Kudos: 2,054
Solutions: 367
Registered: ‎04-11-2009

Re: Browser Hijack Virus

Hi bogue

 

Don't forget to update Malwarebytes before doing the scans with it. That program updates quite often.

Success always occurs in private and failure in full view.




floplot
Posts: 10,608
Topics: 218
Kudos: 2,054
Solutions: 367
Registered: ‎04-11-2009

Re: Browser Hijack Virus

Hi bogue

 

I can tell you this much. You have very old Java and Adobe files running on your computer. Both of those sites update their programs quite often for security reasons.

Success always occurs in private and failure in full view.




delphinium
Posts: 9,862
Kudos: 2,965
Solutions: 293
Registered: ‎11-21-2008

Re: Browser Hijack Virus

O4 - HKLM\..\Run: [Nkaqiyixev] rundll32.exe "C:\WINDOWS\utajevoherajo.dll",Startup

 

I don't have a qualified reader available online at the moment, and I am not one.  This seems to be the only item that requires further investigation.  It is coming up as unknown on Google searches.  It is in your startup file.  You could go to msconfig and disable it to see if that prevents the redirect without disabling anything important. If there is no issue and it stops the redirect, you can then pull HijackThis back up and click fix.

Under certain circumstances profanity provides relief denied even to prayer.
Mark Twain
Contributor
bogue12
Posts: 12
Registered: ‎01-19-2010

Re: Browser Hijack Virus

OK, the Malwarebytes full scan took a while.  Indeed it did find some bad files (located in system restore) which are now removed.  Also, I unchecked utajevoherajo in system start-up, as you suggested.  My symptoms (redirected search links) have been intermittent historically, and so I am not ready to say everything is OK yet.  I will get back to you in 24 hours or when I see the problem again, whichever comes first.

Thanks!


dbrisendine
Posts: 5,584
Kudos: 1,294
Solutions: 263
Registered: ‎10-06-2008

Re: Browser Hijack Virus

Run HiJackThis and check (mark) the following:

 

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [Nkaqiyixev] rundll32.exe "C:\WINDOWS\utajevoherajo.dll",Startup
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

 

Then select "Fix checked" from the main menu.  Restart your system and see if the redirects are still happening.

Win7 x32 SP1
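
An added example, not part of the posts above: a small Python triage pass over HijackThis-style lines that picks out entries whose target file is absent and autoruns that load a DLL from the Windows folder through rundll32. The heuristics and the `ExampleTray` line are assumptions made for this sketch; they are not HijackThis's own logic or the posters' criteria, and an entry the script does not flag (such as the F2 line) still needs a human reader.

```python
import re

# Lines copied from the HijackThis output quoted in this thread, plus one
# constructed ordinary entry (the last line) for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [Nkaqiyixev] rundll32.exe "C:\WINDOWS\utajevoherajo.dll",Startup
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe"
"""

# "<section code> - <rest of entry>", e.g. "O4 - HKLM\..\Run: ..."
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# rundll32 loading a DLL that sits directly in the Windows folder (no subfolder)
RUNDLL_ROOT = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[A-Z]:\\WINDOWS\\[^\\"]+\.dll)', re.I)


def triage(log_text):
    """Return (code, body, [reasons]) for entries that deserve a closer look."""
    flagged = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # log header, process list, blank lines
        code, body = m.group("code"), m.group("body")
        reasons = []
        if "(no file)" in body or "(file missing)" in body:
            reasons.append("registration points at a file that is not on disk")
        if "(no CLSID)" in body:
            reasons.append("handler registered without a CLSID")
        dll = RUNDLL_ROOT.search(body) if code == "O4" else None
        if dll:
            reasons.append("autorun loads %s via rundll32" % dll.group("dll"))
        if reasons:
            flagged.append((code, body, reasons))
    return flagged


if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE_LOG):
        print(code, "|", body)
        for reason in reasons:
            print("    -", reason)
```
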
Newbie
omega7441
Posts: 1
Registered: ‎01-19-2010

Re: Browser Hijack Virus

In some of the recent infections I am seeing on customer computers, the host file has been modified by the viruses, which add re-directors to it. To check it go to C:windows\system32\drivers\etc\host. It will ask what you want to open it with, just tell it wordpad or similar. If there is anything below the commented section (the parts with # at the start of the line), delete them. Really it would be safe to delete everything in there most of the time. If you're not sure, copy and paste what is in there to a reply in this thread.
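
An added example, not part of the post above: the same manual check expressed as a Python function that reads hosts-format text (on Windows the file is normally `C:\Windows\System32\drivers\etc\hosts`) and lists every active, non-comment mapping other than the stock localhost entries. The sample content is constructed for illustration, and `BENIGN_NAMES` is an assumption of this sketch.

```python
import ipaddress

# Constructed sample: a stock comment header plus two redirect lines of the
# kind the post describes. 203.0.113.x is a documentation-only address range.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.google.com google.com   # constructed redirect
203.0.113.10\twww.bing.com
not-an-ip       broken.example
"""

# Names expected to map to loopback on a clean system (assumption of this sketch)
BENIGN_NAMES = {"localhost", "localhost.localdomain"}


def audit_hosts(text):
    """Return (line_no, ip, hostname, reason) for each active mapping to review."""
    findings = []
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        active = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not active:
            continue
        fields = active.split()
        ip_text, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append((line_no, ip_text, " ".join(names), "malformed address"))
            continue
        for name in names:
            if ip.is_loopback and name.lower() in BENIGN_NAMES:
                continue  # the stock localhost entries
            if ip.is_loopback or ip.is_unspecified:
                reason = "name sinkholed to loopback"
            else:
                reason = "name pinned to fixed address"
            findings.append((line_no, ip_text, name, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```
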
Contributor
bogue12
Posts: 12
Registered: ‎01-19-2010

Re: Browser Hijack Virus

First, thank you all for your help.  I was about to declare victory, but late today I got another redirect.  It is intermittent, this thing.  Often the redirect is to comparedby<dot>us.  Anyway, before I got the redirect again, I fixed the bad files from the Malwarebytes scan (as I mentioned before), fixed the HiJackThis files that dbrisendine suggested, and even checked C:windows\system32\drivers\etc\host as omega7441 suggested (nothing there).

 

After reboot, I ran HiJackThis again and this one is back again:

O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)

 

Killed it again, reboot, and it is back.  (Attached is updated log file.)  So do you think this is the culprit?

 

On a different line of thinking, I saw some other discussion board posts about redirect virus, and I saw some people claim that a complete uninstall and reinstall of Firefox did the trick.  I have not done this.  Let me know if you think that would make sense.

 

Thanks!