
Google redirects all searches.


  • This topic is locked
6 replies to this topic

#1 sideswipe999


Posted 28 June 2009 - 06:08 PM

Like many others, I've run into the problem of being directed to "overclick.cn" and then randomly sent to websites that have nothing to do with what I'm searching for. I've downloaded and run quite a few things today, and have attached my HJT, ComboFix, and MBAM reports; hope this is what I needed. My MBAM log was from earlier today; I removed what was found, but it didn't help.



#2 teacup61

  • Malware Response Team

Posted 28 June 2009 - 09:10 PM

Hello sideswipe999,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

KILLALL::
File::
c:\windows\system32\drivers\hjgruinnxrnpok.sys
c:\windows\TEMP\hjgruinpwmqacupy.tmp
c:\windows\TEMP\hjgruioftkofcapb.tmp
c:\windows\TEMP\hjgruiohthhylepf.tmp
c:\windows\TEMP\hjgruipmefmpwojd.tmp
c:\windows\TEMP\hjgruiqeoyfnedwr.tmp
c:\windows\TEMP\hjgruirpynwdlvqs.tmp
c:\windows\TEMP\hjgruisxhlqbhgya.tmp
c:\windows\TEMP\hjgruiyrbtquxwhm.tmp
c:\windows\TEMP\hjgruiksnrhhnvks.tmp
c:\windows\TEMP\hjgruiyyhbgsqhdl.tmp
c:\windows\TEMP\hjgruiapuymspmcc.tmp
c:\windows\TEMP\hjgruibpwvnkgcrq.tmp
c:\windows\TEMP\hjgruibrftmbdtxx.tmp
c:\windows\TEMP\hjgruichxxblwynu.tmp
c:\windows\system32\hjgruidnfsarim.dat
c:\windows\system32\hjgruinywowatm.dll
c:\windows\system32\hjgruiryfxgebm.dll
c:\windows\system32\hjgruiwgwexvmh.dat

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hjgruidnxmoosp]

Driver::
hjgruinnxrnpok


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 sideswipe999


Posted 29 June 2009 - 01:07 AM

Alright, ran it again. Thanks! Just checked and Google seems to be working fine now, but I've also attached my new logs, in case this isn't a permanent fix.


#4 teacup61


Posted 29 June 2009 - 04:06 AM

Hello,

You're welcome. :)

Glad it's better, but looks like one tried to lock itself away. :thumbup2:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

RegLockDel::

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hjgruidnxmoosp]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\hjgruinnxrnpok.sys"


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Thanks,
tea

#5 sideswipe999


Posted 29 June 2009 - 02:13 PM

Search engines still seem to be working great, thanks! Such a pain yesterday as I was trying to do some research for a paper, and having to cut/paste every single link to do anything was getting quite old heh.


#6 teacup61


Posted 29 June 2009 - 03:54 PM

Hello,

Those look great, and I'm glad it's running well. :thumbup2:

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Have a read here: http://mvps.org/winhelp2002/unwanted.htm

Take care!
tea

#7 teacup61


Posted 30 June 2009 - 05:43 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.