Gah! #$%&@# Browser Hijacker

When clicking through on the results from a Google search, my browser is getting hijacked. It will jump to the correct page, but then immediately redirect to some crappy “search” site. Hitting the “back” button on the browser will send me to the page I want, so it’s not like it’s the end of the world, but it’s damn annoying. (This happens in both IE and Firefox.)

So far I’ve:

  - run Ad-Aware (then downloaded the newest definition files and rerun the scan)
  - run Spybot Search & Destroy (with the newest definition files)
  - run a McAfee virus scan
  - downloaded AVG and run a scan with that (because I was getting sick of McAfee anyway)
  - run the Kaspersky online scanner (suggested in this thread)
  - downloaded and run Microsoft malicious software removal tool

Spybot found one potential thing, which I deleted. AVG found another, which I deleted. Kaspersky found another, which I deleted. The others didn’t find anything important. However, the malware is still there.

Suggestions?

I had this happen a few months ago. Unfortunately (not being a superuser kinda guy anymore), I had to take it to a repair shop. It cost 200 bucks :mad:

There’s some seriously devious things out there in the last few months.

The latest, bestest, free thing you can download is malwarebytes.com

It’s the Bee’s Knees.

There’s also Hijack This. You can download the program, run it, and then paste the logfile into the site below for instant analysis.

http://www.hijackthis.de/

You most likely will need another non-infected computer to download updates for your AV and spyware removal tools, or to download new ones (such as malwarebytes). Many versions of this nasty are specifically blocking access to updaters and anti-malware sites.

If you can’t get the programs mentioned using the links provided, and don’t have another computer with which to get them, PM me and I’ll send you some alternate links.

Just be careful you are not infected with the latest permutation of the Virut trojan; look in your task manager for a process named “reader_s”. It infects dozens of legitimate Windows .exe files, and if you run MalwareBytes, it may remove them, rendering your computer unbootable. I’ve had this happen once already. Be sure to back everything up before you attempt to remove this nasty. So far, I have not located a scanner that will remove it safely. The recommended action is, nuke and pave.

Great idea. Tried it, did a full system scan, and it found some “My Web Search” thing. That sounded promising, but I removed it, and my browser is still being hijacked. Scanned again, found nothing, still hijacked. So… ultimately not the answer.

Oops. Forgot to say in the OP that I did that, too. There was nothing in the logfile that wasn’t there two months ago last time I ran HJT. So not that either.

This doesn’t seem to be the case. I downloaded AVG, MalwareBytes, the MS malware program, and Kaspersky without any trouble, and without any problem accessing their sites.

Yikes! No “reader_s” luckily.

A little more info: this is apparently tied to IP 209.85.171.7, as I get a brief “waiting for 209.85.171.7/x/?..etc etc” in the status bar while the redirect is establishing itself. Dunno if this is meaningful.

The IP 209.85.171.7 belongs to Google.

OK. If Malwarebytes doesn’t work, move on to SuperAntispyware. I’ve had some very good success with it when Malwarebytes didn’t do the trick.

Before you try that, perhaps run Malwarebytes in Safe Mode? Do you know how to do that?

Boot your computer disconnected from the 'Net. Get your files off. Nuke it and reload.

I got this thing two months ago and that’s where I ended up. My Web Search had completely embedded into the system and was loading trojans in. Here’s a quick test to see if this is happening to you…

  1. Boot off the net.
  2. Do a file search for all .com, .exe, and .sys created or modified in the last few days.
  3. Making sure that none are Windows system files, delete them.
  4. Reconnect and reboot. Work for a while.
  5. Start back at step one - if there are a bunch of new results in the search, then the virus has been reloading itself.

I tried all of the above solutions as well as some others (like PandaScan). None could stop this little bastard.

Sorry.
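
A non-destructive version of the check in the numbered steps above, as an added example that is not part of the original post: it lists recently changed .com, .exe and .sys files with their signature status and, on a second run, shows only files that are new or changed since the first. The parameter names and the snapshot path are assumptions chosen for illustration.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# $Root, $Days and $Snapshot are illustrative parameters, not fixed names.
param(
    [string]$Root     = 'C:\',
    [int]$Days        = 3,
    [string]$Snapshot = (Join-Path $env:TEMP 'recent-executables.csv')
)

$cutoff = (Get-Date).AddDays(-$Days)

# Step 2: executables and drivers created or modified inside the window.
$current = @(
    Get-ChildItem -Path $Root -Recurse -File -Force -Include *.com, *.exe, *.sys -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff -or $_.CreationTime -gt $cutoff } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path      = $_.FullName
                Modified  = $_.LastWriteTime
                SigStatus = [string]$sig.Status
                Signer    = $sig.SignerCertificate.Subject
                SHA256    = $hash.Hash
            }
        }
)

# Step 5: load the previous run, if any, so only new or changed files are shown.
$seen = @{}
if (Test-Path $Snapshot) {
    Import-Csv -Path $Snapshot | ForEach-Object { $seen["$($_.Path)|$($_.SHA256)"] = $true }
}
$new = @($current | Where-Object { -not $seen.ContainsKey("$($_.Path)|$($_.SHA256)") })

# Files without a valid signature sort first; nothing is deleted.
$new | Sort-Object @{ Expression = { $_.SigStatus -eq 'Valid' } }, Modified |
    Format-Table SigStatus, Modified, Path -AutoSize

# Save this run so the next one can be compared against it.
$current | Export-Csv -Path $Snapshot -NoTypeInformation
```

A signed file whose contents have been altered reports HashMismatch; a Valid status alone does not establish that a file is benign.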

Did you try running those programs from safe mode?

I had the problem once, it sent me to a fake google.com (looked like google, not google, wouldn’t let me go many other places).

I had to go search through my AIM logs to figure out how I fixed it, it was with hijack this.

Apparently it was spread over AIM, actually, because as soon as I started talking to someone on AIM about what the hell was going on (asked them to look at a few random websites like CNN and the like to see if they were getting the same problem) they were able to see those sites for a minute or two then they got the problem too. Eventually, from my AIM logs, it looks like I used hijackthis and recommended it to them as well.

This happened to me recently and it was pretty annoying. No anti-malware/anti-virus program fixed the problem. Finally I did a system restore from a previous state and that fixed the problem. (Start->Programs->Accessories->System Tools->System Restore)

Some bad stuff going around. A cow-orker just had me look over his laptop. The bastage tricked him into installing it by claiming it was a firefox update. Never could ID it. It somehow blocked malwarebytes from installing. It also locked out system restores. It is a company laptop, so I’ll let our IT guy mess with it…he’s really good, and it wouldn’t be good for me to be the one that made things worse.

Yep. The problem is that some of the files it infects are Windows system files, so the damn thing is running even in Safe mode (or at least it sure acts like it is).

System Restore is a good tool if and only if you know when you were infected. Otherwise, you’ll just be restoring the virus.

I have had the same problem for a few weeks, and two days ago I downloaded GooredFix.exe. I have not had the problem for the last few days.

Here is this thread about what to do. Basically I just ran option 2 based on some other thread’s recommendation to do so.

However, please feel free to google GooredFix.exe and decide for yourself; I am not sure if 2 days of no problems is enough to say it is fixed, and I am most decidedly an amateur in this. I basically eventually found it by googling phrases like “google searches redirect to Topica”, etc. I did have Virtumonde last month (which should tell you how amateurish I am at protecting my computer), which seems to have caused this recently.

ETA: it was fixed after doing option 2 - I did nothing after that point.

OK. Tried that, and it came up with some low-level stuff (cookies, mostly), but didn’t fix the main problem.

Good idea. I reran both SuperAntispyware and Malwarebytes in Safe mode. Malwarebytes again ID’d MyWebSearch (hmm…), but again the problem is still there.

OK, that’s next on the list.

Well, unless this particular thingy was dormant for some time, it’s just been this last weekend that anything showed up. Is there a downside to setting a system restore to last weekend?

…And that (knock on wood) seems to have worked. We’ll see, but meanwhile thanks to y’all in this thread.