Google Redirects to Google.nl (Nederland)

Posted on 2010-01-07
Medium Priority
Last Modified: 2013-12-06
I have a user who ended up with some malware after clicking on a Google logo that featured something about the Netherlands. Since that time, her Google home page redirects to Google.nl (Nederland). I have run MalwareBytes on her PC until it's clean (according to MWB, anyway). I have also just run a HJT log (attached). I see that there are several sites listed in this log file that seem suspicious. I don't want to delete anything in error, so could you please direct me in this?

Any assistance provided is much appreciated!
Question by:troypar90
LVL 11

Expert Comment

ID: 26206673
edit the file c:\windows\system32\drivers\etc\hosts with notepad... you need to remove all those google entries as well as others...

the file should look like this:
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
#     rhino.acme.com          # source server
#     x.acme.com              # x client host       localhost

Open in new window


Expert Comment

ID: 26207229
As the other provider stated check the host file
LVL 47

Expert Comment

ID: 26207306
Definitely fix all those 01 google entries... btw, I would fix all those 01 entries

After fixing those entries run ComboFix and attach the log so we can make sure it's clean.
Please download ComboFix by sUBs:
(If it doesn't run, re-download and rename before saving to your desktop)

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.


Author Comment

ID: 26293600
Thank you for your posts. I have run Combo Fix, rebooted and then ran Hijack this again. When Hijack This runs, it gives a warning that it cannot access the Hosts file - that it's Read Only. I have tried following the steps that HJT posts (opening the Hosts file, deleting the lines that HJT recommends and then saving it the way they instruct). The problem is that I save the file, reboot and the same hijacking of IE8 occurs. I am away from the user's computer, but will try to get the ComboFix log and post that later today, if possible. I can see the bad lines in the Hosts file, but am unsure how I can repair this. Any advice?
Thank you!

Author Comment

ID: 26293836
ComboFix log file attached (ran 1/11/10)
LVL 47

Accepted Solution

rpggamergirl earned 1000 total points
ID: 26299917
ComboFix had deleted some bad files...

Check the properties of these folders below if you don't recognized them we can delete them. You need to show hidden files and folders first.
c:\documents and settings\All Users\Application Data\WIZVGEJNPNAG
c:\documents and settings\All Users\Application Data\9a3bcaa

Also download HostsXpert and save it to your desktop:

Extract the zip file to your desktop or a permanent folder on your hard drive.
Open the folder and double-click on HostsXpert.exe.
Make sure that the "Make Hosts Writable?" button in the upper right corner is enabled.
Click "Restore Microsofts Hosts File".
Click "OK" and exit the program.

Author Comment

ID: 26304143
I deleted the files you referenced:
c:\documents and settings\All Users\Application Data\WIZVGEJNPNAG
c:\documents and settings\All Users\Application Data\9a3bcaa

I then downloaded and ran HostsXpert, but got an error upon loading that the Hosts file could not be written to - it is read only. I tried to 'Make Hosts Writable", but that feature was locked. So, I researched a few other threads on EE and found someone with a similar problem. His suggestion was to delete the etc folder (since I cannot manipulate the Hosts file at all) and create a new one. So, I did that (moved the etc folder to the desktop and created a new one in C:\WINDOWS\System32\Drivers. Meanwhile, I downloaded and ran a SpyBot scan. Once I opened IE8, a new Hosts file was generated. I rebooted and upon reboot, I found that IE8 was no longer hijacked. I ran HJT and ComboFix and have attached the log files here.

What do you think? All clean?
LVL 47

Expert Comment

ID: 26310207
Well done...you did a good job!
Glad to know the redirects has stopped.
Logs look clean.

Is the SweetIM toolbar uninstalled? If so also navigate to the program Files folder and delete the folder if still present.
If you didn't purposely installed Viewpoint toolbar I also suggest uninstalling it.

You can then fix these entries below:

R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll (file missing)O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)

If everything is fine now.. you can then uninstall ComboFix.
To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field:

ComboFix /Uninstall


Author Closing Comment

ID: 31674389
Many thanks for your time and effort!

Featured Post

What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Change your password...do it now!. Probably the easiest point of access to your account is through guessing your password. If your password is guessable, do change it now. If not for your sake but for everyone else in your friends list. Remember …
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Suggested Courses

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question