Searches redirected

i've been experiencing the same thing. must be something new going around. first noticed it when google search results were being hijacked, about 5-6 days ago. SpyBot found a few things, Lavasoft Ad-Aware gave me a bunch of false positives, TrendMicro Housecall found nothing. i tried a few other solutions from other boards, even though the posts were from 3 years back. didn't help. finally figured out how to work around the redirects and downloaded MBAM...:


Malwarebytes' Anti-Malware 1.46


Database version: 4384

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18928

03 August 10 3:19:19 PM

mbam-log-2010-08-03 (15-19-19).txt

Scan type: Quick scan

Objects scanned: 156011

Time elapsed: 5 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\AppID\{fa8edcdd-efa2-477b-b00a-7f28f02cd37e} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\System32\hlp.dat (Malware.Trace) -> Not selected for removal.


this is from the last removal i did... on the first one, i actually set the HLP.DAT file for deletion upon reboot (it resists FileASSASSIN). this, unfortunately, led to a quickflash BSoD during reboot and a call to repair startup. so i'm guessing this little botstard is the payload. it doesn't seem to be doing anything in the background, as far as i can tell (with my limited expertise, and a quick look with AdvPortScanner)... just redirecting to fakey web pages that inject more reg hacks. copy/pasting the link location into the address bar (at least with firefox) seems to get around it.

any other clues on how to remove this file AND the hooks it apparently has in the O/S?



Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
    Click me
    If you can't disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
