• Status: Solved

How do I remove the spyware which directs my browser to superfish.com?

Hi, when I am googling for something in Internet Explorer I mysteriously get redirected to a site called superfish.com. How do I stop this from happening?
Asked by: farcuri
3 Solutions
 
Sean Scissors (Program Analyst II) commented:
Download and install Malwarebytes and HitmanPro. Between those two programs it should clean it up just fine. Also though get something like CCleaner to quickly erase cookies and unwanted temp files.

farcuri (Author) commented:
I have SpyBot.  Would that be enough to clean it?
 
Sean Scissors (Program Analyst II) commented:
@farcuri...no Spybot is probably not enough. Truthfully I wouldn't use Spybot or Ad-Aware. In the past I used to use those and I realize now they do more harm than help. Especially the new Spybot Tea Timer, man that thing slows your comp down and is annoying. All personal opinion of course.

Mattrw commented:
Have you tried Add/Remove Programs or deleting the reg entry under HKLM\Software?

Thomas Zucker-Scharff (Systems Analyst) commented:
Also you might want to check that your hosts file hasn't been altered.  It is located in windows->system32->drivers->etc

and should look something like this:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

Although Spybot (if you have used the inoculation option) puts a slew of known malware sites in there, starting with the line:

# Start of entries inserted by Spybot - Search & Destroy

I like to use the hosts files hosted here:

http://www.mvps.org/winhelp2002/hosts.htm

BTW, Spybot is good as long as you don't install Tea Timer.  I personally use it less frequently than I used to and use something like MBAM or Microsoft Security Essentials.  MSE is free and downloadable from Microsoft.

farcuri (Author) commented:
I will try add/remove programs.  I will also try MalwareBytes and HitManPro as EE suggests.
I have not tried deleting the reg entry.
I heard fidgeting with the registry is dangerous.
F

phototropic commented:
It sounds like your hosts file has been hijacked.  To reset it to default, you could try using something like Hostsxpert:

http://www.funkytoad.com/index.php?option=com_content&id=13

However, if malware has locked your hosts file, it can be a laborious process to reset it.  I helped another questioner with a similar issue last week:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_26804419.html

If the hosts file has been edited, you must reset it before you can browse normally again.


farcuri (Author) commented:
Hi EE respondents,
I followed your first advice and will share the results here:
I downloaded MalwareBytes and HitManPro.  I ran both scans.  The hijacking of my Google search results still went on.  I rebooted in Safe Mode and tried again (both scans).  Same results.  Then I re-ran MalwareBytes but doing Full Scan instead of QuickScan.  Same results.
I am not at the infected PC right now but some of your next suggestions were download TDSSKiller and Hostsxpert.  I will try that next.  Then I will look at my Hosts file and report any findings.
In the meanwhile, have I helped to narrow down the problem?  Do any of you have any feedback or new suggestions?
Thanks,
F

farcuri (Author) commented:
Hi Experts,
I took a look at my hosts file located in C:\Windows\System32\Drivers\etc.  It starts with a normal 127.0.0.1 local host but then lists many pages of malware sites beginning with:
# Start of entries inserted by Spybot - Search & Destroy
I searched the sites being blocked for www.google.com but it wasn't among them.  There were many variations of google such as googe.it.
Please suggest what I should try next.
Thanks,
F


Thomas Zucker-Scharff (Systems Analyst) commented:
That hosts file is probably okay.  Any computer which has had Spybot run on it and the option to inoculate (forget what the term in Spybot is) will have those entries in the hosts file.
0
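
As an added example (not part of the original thread or any poster's code), the hosts-file check discussed above can be scripted: the Python below separates blocklist entries that sink domains to loopback, like the Spybot block, from entries that point a watched domain at a real address. The sample file contents, the 203.0.113.10 address, the `.example` host names and the function names are constructed for illustration.

```python
import ipaddress

# Loopback/null addresses that blocklists (such as the Spybot entries) use to
# sink unwanted domains: these entries block a site, they do not redirect it.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: default entry, a blocklist section, one hijack entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1       ads.tracker.example
127.0.0.1       www.ads.tracker.example
203.0.113.10    www.google.com   # constructed redirect (TEST-NET address)
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # strip comment, split columns
        if len(fields) < 2:
            continue                             # blank or comment-only line
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                             # first column is not an IP
        for name in fields[1:]:                  # one line may list aliases
            yield line_no, ip, name.lower().rstrip(".")

def audit_hosts(text, watched=("google.com",)):
    """Separate sink (blocking) entries from entries that redirect a domain."""
    report = {"sink_count": 0, "watched_sunk": [], "watched_redirected": [],
              "other_non_sink": []}
    for line_no, ip, name in parse_hosts(text):
        is_watched = any(name == d or name.endswith("." + d) for d in watched)
        if ip in SINK_ADDRESSES:
            report["sink_count"] += 1
            if is_watched:                       # blocked, not redirected
                report["watched_sunk"].append((line_no, name))
        elif is_watched:                         # resolves to a foreign address
            report["watched_redirected"].append((line_no, ip, name))
        else:                                    # unusual: review by hand
            report["other_non_sink"].append((line_no, ip, name))
    return report

if __name__ == "__main__":
    for key, value in audit_hosts(SAMPLE_HOSTS).items():
        print(key, value)
```

To check a real machine, pass the contents of C:\Windows\System32\Drivers\etc\hosts to `audit_hosts`; a file holding only localhost and blocklist sink entries yields empty `watched_redirected` and `other_non_sink` lists.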
 
farcuri (Author) commented:
I had this idea and wanted to run it by the experts.  Since the google.com site is the one getting hijacked, do you recommend that I uninstall everything on my PC that is associated with Google, such as Google Chrome (I don't really use it often) and the Google Toolbar, and then reboot into Safe Mode and re-run MalwareBytes and HitManPro scans?  My thought was maybe this might help.  Later I can reinstall Google Toolbar.

Thomas Zucker-Scharff (Systems Analyst) commented:
I generally don't like Google Toolbar to begin with - so no argument from me.  Have you run HitmanPro yet?

farcuri (Author) commented:
Yes,
I downloaded MalwareBytes and HitManPro.  I ran both scans.  The hijacking of my Google search results still went on.

maxxmyer commented:
@farcuri
After reading your last comments, I have a question about the original issue: “googling for something in Internet Explorer I mysteriously get redirected to a site called superfish.com.”
Are you googling from www(dot)google(dot)com or the toolbar? I am also in agreement with tzucker about not being a Google fan. I would remove all Google products and their indexes before continuing.

farcuri (Author) commented:
Hi Maxxmyer,
I know it gets hijacked from the Google Toolbar.  I will have to test it from www.google.com and get back to you (tomorrow).  Also, what do you mean exactly by removing all Google products and indexes? How would I remove them?  What are indexes? How would I remove them?

maxxmyer commented:
Hi farcuri, starting in Control Panel, Add/Remove Programs, uninstall the Google products listed, i.e. Toolbar, Chrome, Search Engine. Then, starting in your Internet browser under Tools / Options, change the default homepage to something other than www Google com (if applicable). Starting in the iExplorer browser, go to the search bar (with the magnifying glass), click the down arrow and choose Manage Search Providers. Add a search provider other than Google and then remove Google as a provider.
During the uninstall, Google will ask if you want to remove indexes.

farcuri (Author) commented:
Thank you.
Farcuri

farcuri (Author) commented:
Hi Maxxmyer,
I tried but www.google.com searches also get redirected to superfish.com.
Do you next suggest that I remove all Google products, toolbars, indexes, Searches, Chrome etc.?
Farcuri

farcuri (Author) commented:
Hi All,
I really am getting tired of this Google hijacking on my PC.  I increased the point value.  Is there anything else I should do? Add different zones?
Thanks all for your very good input.
Farcuri

phototropic commented:
Did you get around to resetting your hosts file with Hostsxpert, as I suggested a few posts back?

younghv commented:
In addition to the other posts already made, for Hijacking/re-directs, you might want to start with TDSSKILLER found here:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service it will prompt you to type "delete",  you can also just hit "Enter" without typing in and the scan will continue...
The user can then post the log to be analyzed.

Let us know the results and we can take the next steps.

phototropic commented:
TDSSKiller and Hostsxpert both got mentioned way back at ID: 34999567, but I'm not sure if either of them got run.

farcuri (Author) commented:
Hi EE,
Thanks for the responses! I will try both suggestions: 1. TDSSKILLER and if that fails 2. Hostsxpert.

younghv commented:
Ouch!
Sorry about that - I must have skipped over the Asker's posts.
<blush>

maxxmyer commented:
"Do you next suggest that I remove all Google products, toolbars, indexes, Searches, Chrome etc.?" (Farcuri)

YES. Sorry, I was out yesterday.

farcuri (Author) commented:
Hi Experts,
I ran TDSSKILLER.exe.  The scan found no threats.  I have not had a chance to run hostsxpert.  I will and get back to you Friday or Monday.
I have not removed the Google products.  My son is a big Google user and I would do this as a last resort. After removing the infection I would want to reinstall at least the Google toolbar.

maxxmyer commented:
I understand the “google user”. I would suggest that the entire google products be removed - to remove the virus. After which, reinstall the google products wanted.

farcuri (Author) commented:
I tried both Hostsxpert and TDSSKILLER to no avail.  Fortunately, when I removed/uninstalled all Google products my problem was still there. I went to Search Manager and there I saw there were two entries for SuperFish.com that were enabled.  It had something to do with toolbars.  I disabled them and so far I haven't been hijacked!
Thanks to all!