Google Redirects to (Nederland)

Posted on 2010-01-07
Last Modified: 2013-12-06
I have a user who ended up with some malware after clicking on a Google logo that featured something about the Netherlands. Since that time, her Google home page redirects to (Nederland). I have run MalwareBytes on her PC until it's clean (according to MWB, anyway). I have also just run a HJT log (attached). I see that there are several sites listed in this log file that seem suspicious. I don't want to delete anything in error, so could you please direct me in this?

Any assistance provided is much appreciated!
Question by: troypar90
    LVL 11

    Expert Comment

    Edit the file c:\windows\system32\drivers\etc\hosts with Notepad... you need to remove all those Google entries as well as others...

    the file should look like this:
    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    #      102.54.94.97     rhino.acme.com          # source server
    #       38.25.63.10     x.acme.com              # x client host

    127.0.0.1       localhost

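An added example, not code from the thread or any of its posters, that automates the hosts-file check described above: it parses a Windows hosts file and flags every name pinned to a non-loopback address (the entries HijackThis reports as "O1 - Hosts:"). The sample content and the 203.0.113.45 address are constructed, not taken from the asker's machine.

```python
import ipaddress

# Constructed sample of a hijacked Windows hosts file (not the asker's real file):
# the Microsoft comment header plus entries redirecting Google hosts elsewhere.
# 203.0.113.45 is a documentation-only address used as a stand-in.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
203.0.113.45    www.google.com
203.0.113.45    google.nl          # appended by malware
203.0.113.45    www.bing.com
::1             localhost
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text):
    """Flag hostnames that resolve somewhere other than loopback.

    A default Windows hosts file only maps localhost to 127.0.0.1/::1, so any
    public name pinned to another address deserves a look. Ad-blocking lists
    that map names to 0.0.0.0 will also be flagged; review those by hand.
    """
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback:
            continue  # 127.0.0.1 / ::1 mappings are the normal case
        flagged.append((ip, name, "non-loopback mapping"))
    return flagged


if __name__ == "__main__":
    for ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"O1 - Hosts: {ip} {name}  [{reason}]")
```

On a real machine, read C:\Windows\System32\drivers\etc\hosts into the function instead of the constructed sample.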

    LVL 1

    Expert Comment

    As the other provider stated, check the hosts file.
    LVL 47

    Expert Comment

    Definitely fix all those O1 Google entries... btw, I would fix all those O1 entries.

    After fixing those entries run ComboFix and attach the log so we can make sure it's clean.
    Please download ComboFix by sUBs:
    (If it doesn't run, re-download and rename before saving to your desktop)

    Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    Double click combofix.exe & follow the prompts.
    When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
    Re-enable all the programs that were disabled during the running of ComboFix.

    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:

    Author Comment

    Thank you for your posts. I have run ComboFix, rebooted, and then ran HijackThis again. When HijackThis runs, it gives a warning that it cannot access the Hosts file - that it's read-only. I have tried following the steps that HJT posts (opening the Hosts file, deleting the lines that HJT recommends and then saving it the way they instruct). The problem is that I save the file, reboot, and the same hijacking of IE8 occurs. I am away from the user's computer, but will try to get the ComboFix log and post that later today, if possible. I can see the bad lines in the Hosts file, but am unsure how I can repair this. Any advice?
    Thank you!

    Author Comment

    ComboFix log file attached (ran 1/11/10)
    LVL 47

    Accepted Solution

    ComboFix had deleted some bad files...

    Check the properties of these folders below; if you don't recognize them, we can delete them. You need to show hidden files and folders first.
    c:\documents and settings\All Users\Application Data\WIZVGEJNPNAG
    c:\documents and settings\All Users\Application Data\9a3bcaa

    Also download HostsXpert and save it to your desktop:

    Extract the zip file to your desktop or a permanent folder on your hard drive.
    Open the folder and double-click on HostsXpert.exe.
    Make sure that the "Make Hosts Writable?" button in the upper right corner is enabled.
    Click "Restore Microsofts Hosts File".
    Click "OK" and exit the program.

    Author Comment

    I deleted the files you referenced:
    c:\documents and settings\All Users\Application Data\WIZVGEJNPNAG
    c:\documents and settings\All Users\Application Data\9a3bcaa

    I then downloaded and ran HostsXpert, but got an error upon loading that the Hosts file could not be written to - it is read-only. I tried "Make Hosts Writable", but that feature was locked. So, I researched a few other threads on EE and found someone with a similar problem. His suggestion was to delete the etc folder (since I cannot manipulate the Hosts file at all) and create a new one. So, I did that (moved the etc folder to the desktop and created a new one in C:\WINDOWS\System32\Drivers). Meanwhile, I downloaded and ran a SpyBot scan. Once I opened IE8, a new Hosts file was generated. I rebooted and upon reboot, I found that IE8 was no longer hijacked. I ran HJT and ComboFix and have attached the log files here.

    What do you think? All clean?
    LVL 47

    Expert Comment

    Well, you did a good job!
    Glad to know the redirects have stopped.
    Logs look clean.

    Is the SweetIM toolbar uninstalled? If so also navigate to the program Files folder and delete the folder if still present.
    If you didn't purposely install the Viewpoint toolbar, I also suggest uninstalling it.

    You can then fix these entries below:

    R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
    O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll (file missing)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)

    If everything is fine now, you can then uninstall ComboFix.
    To uninstall ComboFix:
    Go to Start > Run and copy and paste the next command in the field:

    ComboFix /Uninstall


    Author Closing Comment

    Many thanks for your time and effort!
