
Google Issue

Posted on 2011-02-14
Last Modified: 2013-12-06
Cannot get Google to remain on English; it jumps to Spanish and then Italian. Also, when I install Google toolbar and do a search, once on the search results, clicking on a site goes to different sites rather than the one I am trying to access.
0
Question by:ycguy1117
17 Comments
 
LVL 52

Expert Comment

by:Carl Tawn
ID: 34888910
Sounds like you have some spyware on your machine that is hijacking your links. Run an anti-virus and spyware removal scan on your machine.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34888982

For Hijacking/re-directs, you might want to start with TDSSKILLER found here:
http://support.kaspersky.com/viruses/solutions?qid=208280684

Let us know the results and we can take the next steps.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34889003
If TDSSKiller does not fix this for you, please take the following steps (in order).

Read my Article here:
http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_1940-BASIC-MALWARE-TROUBLESHOOTING.html

Download, install, and run
CCleaner (www.ccleaner.com)

Malwarebytes (http://www.malwarebytes.org/mbam.php)
The instructions are included right in that link.

ComboFix
Please download ComboFix by sUBs:(and attach the resulting log) http://download.bleepingcomputer.com/sUBs/ComboFix.exe
(If it doesn't run, re-download and rename before saving to your desktop)

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and
Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*** NOTE
Please post the logs generated for both Malwarebytes and ComboFix so that we can review the results.
0
 

Author Comment

by:ycguy1117
ID: 34893138
Here is hijack this log:



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:26:44 PM, on 2/14/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
H:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
H:\WINDOWS\system32\LEXBCES.EXE
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\system32\LEXPPS.EXE
H:\WINDOWS\Explorer.EXE
H:\Program Files\LogMeIn\x86\LogMeInSystray.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
H:\Program Files\Symantec AntiVirus\DefWatch.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\LogMeIn\x86\RaMaint.exe
H:\Program Files\LogMeIn\x86\LogMeIn.exe
H:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Symantec AntiVirus\SavRoam.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
H:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
H:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\LogMeIn\x86\LogMeIn.exe
H:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
H:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (H:\Documents and Settings\USER\Application Data\Mozilla\Profiles\default\1fkxz10s.slt\prefs.js)
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 89.248.160.148 www.google.com
O1 - Hosts: 89.248.160.148 google.com
O1 - Hosts: 89.248.160.148 google.com.au
O1 - Hosts: 89.248.160.148 www.google.com.au
O1 - Hosts: 89.248.160.148 google.be
O1 - Hosts: 89.248.160.148 www.google.be
O1 - Hosts: 89.248.160.148 google.com.br
O1 - Hosts: 89.248.160.148 www.google.com.br
O1 - Hosts: 89.248.160.148 google.ca
O1 - Hosts: 89.248.160.148 www.google.ca
O1 - Hosts: 89.248.160.148 google.ch
O1 - Hosts: 89.248.160.148 www.google.ch
O1 - Hosts: 89.248.160.148 google.de
O1 - Hosts: 89.248.160.148 www.google.de
O1 - Hosts: 89.248.160.148 google.dk
O1 - Hosts: 89.248.160.148 www.google.dk
O1 - Hosts: 89.248.160.148 google.fr
O1 - Hosts: 89.248.160.148 www.google.fr
O1 - Hosts: 89.248.160.148 google.ie
O1 - Hosts: 89.248.160.148 www.google.ie
O1 - Hosts: 89.248.160.148 google.it
O1 - Hosts: 89.248.160.148 www.google.it
O1 - Hosts: 89.248.160.148 google.co.jp
O1 - Hosts: 89.248.160.148 www.google.co.jp
O1 - Hosts: 89.248.160.148 google.nl
O1 - Hosts: 89.248.160.148 www.google.nl
O1 - Hosts: 89.248.160.148 google.no
O1 - Hosts: 89.248.160.148 www.google.no
O1 - Hosts: 89.248.160.148 google.co.nz
O1 - Hosts: 89.248.160.148 www.google.co.nz
O1 - Hosts: 89.248.160.148 google.pl
O1 - Hosts: 89.248.160.148 www.google.pl
O1 - Hosts: 89.248.160.148 google.se
O1 - Hosts: 89.248.160.148 www.google.se
O1 - Hosts: 89.248.160.148 google.co.uk
O1 - Hosts: 89.248.160.148 www.google.co.uk
O1 - Hosts: 89.248.160.148 google.co.za
O1 - Hosts: 89.248.160.148 www.google.co.za
O1 - Hosts: 89.248.160.148 www.google-analytics.com
O1 - Hosts: 89.248.160.148 www.bing.com
O1 - Hosts: 89.248.160.148 search.yahoo.com
O1 - Hosts: 89.248.160.148 www.search.yahoo.com
O1 - Hosts: 89.248.160.148 uk.search.yahoo.com
O1 - Hosts: 89.248.160.148 ca.search.yahoo.com
O1 - Hosts: 89.248.160.148 de.search.yahoo.com
O1 - Hosts: 89.248.160.148 fr.search.yahoo.com
O1 - Hosts: 89.248.160.148 au.search.yahoo.com
O1 - Hosts: 89.248.160.148 www.youtube.com
O4 - HKLM\..\Run: [LogMeIn GUI] "H:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - H:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - H:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - H:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - H:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - H:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - H:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - H:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - H:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 6753 bytes
0
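The O1 lines in the log above are hosts-file entries as HijackThis reports them. As an added example (not part of the original post and not HijackThis code), the following Python parses such lines and flags watched names that the hosts file pins to a non-local address; the watched suffixes, function names and sample log are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# HijackThis lists each non-default hosts-file line as "O1 - Hosts: <ip> <names>".
O1_LINE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(.+)$")
# Assumption: names this machine should only ever resolve through DNS.
WATCHED_SUFFIXES = ("search-engine.example", "av-vendor.example")
# Loopback, unspecified and RFC 1918 targets are typical of blocklists and LAN entries.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]
# Constructed sample log: placeholder names and RFC 5737 documentation addresses.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.example/
O1 - Hosts: 0.0.0.0 ads.tracker.example
O1 - Hosts: 203.0.113.7 www.search-engine.example
O1 - Hosts: 203.0.113.7 search-engine.example
O1 - Hosts: 198.51.100.9 updates.av-vendor.example
O1 - Hosts: 192.168.1.20 intranet.search-engine.example
O1 - Hosts: 203.0.113.7 shop.unrelated.example
O1 - Hosts: not-an-ip broken.example
"""

def parse_o1(log_text):
    """Yield (address, hostname) for each well-formed O1 line; skip the rest."""
    for line in log_text.splitlines():
        m = O1_LINE.match(line.strip())
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # first field is not an IP address
        for name in m.group(2).split():  # a hosts line may carry several names
            yield addr, name.lower()

def is_watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def flag_overrides(log_text):
    """Map each non-local address to the watched names the hosts file pins to it."""
    hits = defaultdict(list)
    for addr, host in parse_o1(log_text):
        if is_watched(host) and not any(addr in net for net in LOCAL_NETS):
            hits[str(addr)].append(host)
    return {ip: sorted(names) for ip, names in hits.items()}

if __name__ == "__main__":
    print(flag_overrides(SAMPLE_LOG))
```

Any address returned here means name resolution for a watched site is being overridden locally, so the hosts file itself needs to be inspected and restored in addition to running scanners.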
 
LVL 38

Expert Comment

by:younghv
ID: 34893156
@ycguy1117,
There is no need to post an HJT log.
Please follow the recommendations I posted above.
0
 

Author Comment

by:ycguy1117
ID: 34893235
When I try to run combofix, the computer freezes and has to be restarted.
0
 
LVL 23

Expert Comment

by:edbedb
ID: 34893279
Did you do a scan with MalwareBytes?
0
 
LVL 38

Expert Comment

by:younghv
ID: 34893288
?ComboFix?

What about TDSSKiller, CCleaner, and Malwarebytes?
DO NOT run ComboFix unless nothing else works.

Please follow the steps outlined and we can try to work you through this problem.
0
 

Author Comment

by:ycguy1117
ID: 34893337
Have tried them all except ccleaner, that is next.
0
 
LVL 23

Expert Comment

by:edbedb
ID: 34893380
You tried them but did they complete the scans?
0
 

Author Comment

by:ycguy1117
ID: 34893442
Completed and found nothing
0
 
LVL 23

Expert Comment

by:edbedb
ID: 34893590
I would give the Avira AntiVir Rescue System a try. http://www.avira.com/en/support-download-avira-antivir-rescue-system 

Please post back with the results. I am going to be calling it a day but I will be checking back early AM.
0
 
LVL 23

Expert Comment

by:edbedb
ID: 34893601
One more thing. I would remove Symantec, at least for now. It's apparently not helping.
0
 
LVL 27

Accepted Solution

by:Jonvee
ID: 34894392
As you appear to have tried all scanners except ComboFix (it apparently causes computer freeze), I recommend you try Rkill, which is a small, freeware and portable tool designed to terminate active malware processes, allowing you to use other removal tools:
http://www.technibble.com/rkill-repair-tool-of-the-week/

Then move on to Hitman Pro, a 2nd opinion scanner:
Hitman Pro http://www.surfright.nl/en/hitmanpro

Finally (and only if problem is unresolved) re-try ComboFix, this time ensuring that you disable any realtime Anti-virus, Anti-spyware, or Shields that you may have running.
Then rename ComboFix.exe (as explained earlier) but this time try downloading to another machine, then into a USB memory stick or CD.  
Carry to the infected machine.
You can try this key combination to reach a Run box >>
Windows Logo+R: Run dialog box
Double click "combofix.exe"(or the renamed ComboFix.exe) and follow the prompts.

Please save the ComboFix log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.  This will keep your question length shorter & more manageable.
0
 

Author Comment

by:ycguy1117
ID: 34899109
Have tried these latest fixes, will try and let you know what happens.  Thanks
0
 

Author Comment

by:ycguy1117
ID: 34903076
Everything seems to be working fine.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 34907264
Good! ...and now that you have completed work with ComboFix, please ensure that it is uninstalled, as follows:
Start > Run > then type "ComboFix /Uninstall" (no quotes, and space between x and / )
Then hit enter.
 
This will uninstall ComboFix, reset your clock settings, re-hide system hidden files, re-hide the file extensions and reset System Restore.   Thank you ...
0
