Solved

How do I remove the spyware which directs my browser to superfish.com?

Posted on 2011-02-24
29
2,796 Views
Last Modified: 2013-12-09
Hi, When I am googling for something in Internet Explorer I mysteriously get redirected to a site called superfish.com.  How do I stop this from happening?
0
Comment
Question by:farcuri
29 Comments
 
LVL 8

Assisted Solution

by:Sean Scissors
Sean Scissors earned 25 total points
ID: 34972625
Download and install Malwarebytes and HitmanPro. Between those two programs it should clean it up just fine. Also, though, get something like CCleaner to quickly erase cookies and unwanted temp files.
0
 

Author Comment

by:farcuri
ID: 34972700
I have SpyBot.  Would that be enough to clean it?
0
 
LVL 2

Expert Comment

by:maxxmyer
ID: 34972732
0
 
LVL 8

Expert Comment

by:Sean Scissors
ID: 34972794
@farcuri...no, Spybot is probably not enough. Truthfully I wouldn't use Spybot or Ad-Aware. In the past I used to use those and I realize now they do more harm than help. Especially the new Spybot Tea Timer, man that thing slows your comp down and is annoying. All personal opinion of course.
0
 
LVL 2

Expert Comment

by:Mattrw
ID: 34972826
Have you tried Add/Remove Programs or deleting the reg entry under HKLM\Software?
0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 34973254
Also you might want to check that your hosts file hasn't been altered.  It is located in windows->system32->drivers->etc

and should look something like this:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

Although Spybot (if you have used the inoculation option) puts a slew of known malware sites in there starting with the line:

# Start of entries inserted by Spybot - Search & Destroy

I like to use the hosts files hosted here:

http://www.mvps.org/winhelp2002/hosts.htm

BTW, Spybot is good as long as you don't install Tea Timer.  I personally use it less frequently than I used to and use something like MBAM or Microsoft Security Essentials.  MSE is free and downloadable from Microsoft.
0
 

Author Comment

by:farcuri
ID: 34973266
I will try add/remove programs.  I will also try MalwareBytes and HitManPro as EE suggests.
I have not tried deleting the reg entry.
I heard fidgeting with the registry is dangerous.
F
0
 
LVL 23

Assisted Solution

by:phototropic
phototropic earned 25 total points
ID: 34973493
It sounds like your hosts file has been hijacked.  To reset it to default, you could try using something like Hostsxpert:

http://www.funkytoad.com/index.php?option=com_content&id=13

However, if malware has locked your hosts file, it can be a laborious process to reset it.  I helped another questioner with a similar issue last week:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_26804419.html

If the hosts file has been edited, you must reset it before you can browse normally again.

0
 

Author Comment

by:farcuri
ID: 34999567
Hi EE respondents,
I followed your first advice and will share the results here:
I downloaded MalwareBytes and HitManPro.  I ran both scans.  The hijacking of my Google search results still went on.  I rebooted in Safe Mode and tried again (both scans). Same results.  Then I re-ran MalwareBytes but doing Full Scan instead of QuickScan.  Same results.
I am not at the infected PC right now but some of your next suggestions were download TDSSKiller and Hostsxpert.  I will try that next.  Then I will look at my Hosts file and report any findings.
In the meanwhile, have I helped to narrow down the problem?  Do any of you have any feedback or new suggestions?
Thanks,
F
0
 

Author Comment

by:farcuri
ID: 35007347
Hi Experts,
I took a look at my hosts file located in C:\Windows\System32\Drivers\etc.  It starts with a normal
127.0.0.1 local host but then lists many pages of malware sites beginning with:
# Start of entries inserted by Spybot - Search & Destroy.  I searched the sites being blocked for www.google.com but it wasn't among them.  There were many variations of google such as googe.it.
Please suggest what I should try next.
Thanks,
F

0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 35007435
That hosts file is probably okay.  Any computer which has had Spybot run on it and the option to inoculate (forget what the term in Spybot is) will have those entries in the hosts file.
0
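The hosts-file check discussed in the comments above, as an added example that is not part of the original thread: it separates block entries of the kind Spybot inserts (names pointed at a loopback or null address) from entries that send a name to some other address. The function names `parse_hosts` and `triage_hosts`, the `watched` list and both sample files are assumptions constructed for illustration.

```python
import ipaddress

# Addresses blocklists use to make a hostname unreachable (assumption: Spybot's
# entries and similar block lists point names at a loopback or null address).
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text):
    """Yield (line_number, ip, hostname) for each mapping in hosts-file text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                             # first column is not an IP address
        for name in fields[1:]:                  # one line may carry several names
            yield lineno, ip, name.lower().rstrip(".")

def triage_hosts(text, watched=("google.com",)):
    """Separate harmless block entries from entries that redirect a name."""
    report = {"blocked": 0, "redirected": [], "watched": []}
    for lineno, ip, name in parse_hosts(text):
        if ip in SINKHOLES:
            report["blocked"] += 1               # includes the default localhost line
            continue
        report["redirected"].append((lineno, ip, name))
        if any(name == d or name.endswith("." + d) for d in watched):
            report["watched"].append((lineno, ip, name))
    return report

# Constructed sample resembling the file described in the thread: default entry
# plus Spybot block entries (hostnames here are made-up placeholders).
SPYBOT_ONLY = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1       ads.badsite.example
127.0.0.1       www.badsite.example   # inline comment
"""

# Constructed tampered sample: 203.0.113.10 is a documentation-range address.
TAMPERED = SPYBOT_ONLY + "203.0.113.10    www.google.com google.com\n"

if __name__ == "__main__":
    for label, sample in (("spybot-only", SPYBOT_ONLY), ("tampered", TAMPERED)):
        print(label, triage_hosts(sample))
```

An empty `redirected` list, as with the Spybot-only sample, means the hosts file is not what is steering the searches and the cause has to be looked for elsewhere on the machine.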
 

Author Comment

by:farcuri
ID: 35007720
I had this idea and wanted to run it by the experts.  Since the google.com site is the one getting hijacked do you recommend that I uninstall everything on my pc that is associated with Google such as Google Chrome (I don't really use it often) and the Google Toolbar and then reboot into Safe Mode and re-run MalwareBytes and HitManPro scans.  My thought was maybe this might help.  Later I can reinstall Google Toolbar.
0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 35007883
I generally don't like google toolbar to begin with - so no argument from me.  Have you run Hitmanpro yet?
0
 

Author Comment

by:farcuri
ID: 35008042
Yes,
I downloaded MalwareBytes and HitManPro.  I ran both scans.  The hijacking of my Google search results still went on.
0

 
LVL 2

Expert Comment

by:maxxmyer
ID: 35008204
@farcuri
After reading your last comments, I have a question about the original issue “googling for something in Internet Explorer I mysteriously get redirected to a site called superfish.com.”
Are you googling from www(dot)google(dot)com or the toolbar? I am also in agreement with tzucker about not being a Google fan. I would remove all Google products and their indexes before continuing.
0
 

Author Comment

by:farcuri
ID: 35008803
Hi Maxxmyer,
I know it gets hijacked from the Google Toolbar.  I will have to test it from www.google.com and get back to you (tomorrow).  Also, what do you mean exactly by removing all Google products and indexes? How would I remove them?  What are indexes? How would I remove them?
0
 
LVL 2

Accepted Solution

by:
maxxmyer earned 200 total points
ID: 35009039
Hi farcuri, starting in Control Panel add/ remove programs. Uninstall Google products listed, i.e. Toolbar, Chrome, Search Engine. Starting in your Internet Browser/ Tools/ Options and change the default Homepage to something other than www Google com (if applicable). Starting in iExplorer Browser go to the search bar (with magnifying glass) and click the down arrow and Manage Search Providers. Add a search provider other than Google and then Remove Google as a provider.
 During the uninstall, Google will ask if you want to remove indexes.
0
 

Author Comment

by:farcuri
ID: 35009090
Thank you.
Farcuri
0
 

Author Comment

by:farcuri
ID: 35018452
Hi Maxxmyer,
I tried but www.google.com searches also get redirected to superfish.com.
Do you next suggest that I remove all Google products, toolbars, indexes, Searches, Chrome etc.?
Farcuri
0
 

Author Comment

by:farcuri
ID: 35020390
Hi All,
I really am getting tired of this Google hijacking on my PC.  I increased the point value.  Is there anything else I should do ?? Add different zones?
Thanks all for your very good input.
Farcuri
0
 
LVL 23

Expert Comment

by:phototropic
ID: 35020423
Did you get around to resetting your hosts file with Hostsxpert, as I suggested a few posts back?
0
 
LVL 38

Expert Comment

by:younghv
ID: 35020562
In addition to the other posts already made, for Hijacking/re-directs, you might want to start with TDSSKILLER found here:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service it will prompt you to type "delete",  you can also just hit "Enter" without typing in and the scan will continue...
The user can then post the log to be analyzed.

Let us know the results and we can take the next steps.
0
 
LVL 23

Expert Comment

by:phototropic
ID: 35020682
TDSSKiller and Hostsxpert both got mentioned way back at ID: 34999567, but I'm not sure if either of them got run.
0
 

Author Comment

by:farcuri
ID: 35020725
Hi EE,
Thanks for the responses! I will try both suggestions: 1. TDSSKILLER and if that fails 2. Hostsxpert.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35021091
Ouch!
Sorry about that - I must have skipped over the Asker's posts.
<blush>
0
 
LVL 2

Expert Comment

by:maxxmyer
ID: 35027483
Do you next suggest that I remove all Google products, toolbars, indexes, Searches, Chrome etc.?
Farcuri

YES. sorry,   I was out yesterday.
0
 

Author Comment

by:farcuri
ID: 35027600
Hi Experts,
I ran TDSSKILLER.exe.  The scan found no threats.  I have not had a chance to run hostsxpert.  I will and get back to you Friday or Monday.
I have not removed the Google products.  My son is a big Google user and I would do this as a last resort. After removing the infection I would want to reinstall at least the Google toolbar.
0
 
LVL 2

Expert Comment

by:maxxmyer
ID: 35027664
I understand the “google user”. I would suggest that the entire google products be removed - to remove the virus. After which, reinstall the google products wanted.
0
 

Author Comment

by:farcuri
ID: 35057533
I tried both Hostsxpert and TDSSKILLER to no avail.  Fortunately, when I removed/uninstalled all Google products my problem was still there. I went to Search Manager and there I saw there were two entries for SuperFish.com that were enabled.  It had something to do with toolbars.  I disabled them and so far I haven't been hijacked!
Thanks to all!
0
