Oh, I so love being a "computer expert" at Christmas

[Lucio]

It's my own fault really, I should have just kept my mouth shut instead of going "oh I'm sure it's a quick fix".

Turns out it's not...

Basically there's *something* on this laptop that occasionally hijacks search engine results and redirects them to randomjunk or porn pages.

So far I've tried the following

F-Secure Blacklight rootkit inspection
Malwarebytes
Microsoft Security Essentials
Hijackthis, and then running the log through hijackthis.de's analyzer, including manually deleting the registry entries that it couldn't remove.


The only thing that stops the behaviour is running in safe mode, so I'm sure something that's engaging on startup is causing it, but so far not managed to find exactly what it is. Any ideas on what else I can try?

[Blaineoliver]

I would try adaware and spybot search and distroy.

[Georgy291]

better idea, go to start run (xp) or in the search at the bottom vista / 7 then type in "msconfig"

you should see a new window poping up, go to start up, and there you have a list off all the things are loaded up when windows loads up, untick everything they you have no idea what it is dont worry unticking too many things wont harm anything. and then re start hopefully that will fix it....ot atleast works with me most times

[Ulti]

Yup msconfig is the way to go. It also makes startup much faster too and cleaner without all those junk programs you installed but never used popping up.

[shadowmaster]

+ 1 to the above, if that does not work I would do a format and reinstall, simply and easy

[MrM]

If Spybot fails, then I'm afraid this will be challenging. Some malware still has to be removed manually despite all of these available programs.

Your first step should be to try an alternative browser. You say it hijacks search engine results, assuming this is Internet Explorer, confirm that this doesn't happen in Firefox. Assuming this works, this also gives you a nice workaround to present to your relatives until it is fixed.

Your second step is to go back through hijackthis and double check that things like localhost are all in order. Check the Internet Explorer settings to confirm that the network settings aren't re-reouting traffic.

If all appears in order, then go through msconfig and the services tab of Task Manager. Google anything that appears remotely suspicious. Look for misspellings of common services. Symantec's website normally has great instructions for manual removal if you do find it this way.

If all that fails to lead to results, then your best bet is to go through the System32 folder via Date Modified. Ask your relatives roughly when this started happening and try and see if there were any suspicious file modifications or creations on this date.

[Perfectionist]

tbh just move the individual's personal files over to an external HD then bootnuke it and reinstall OS and software, they probably have loads of crap they never use anyway if they are the kind of person to get these kind of things (e.g. no knowledge of personal security). Afterwards they'll be all wow my system is so much faster.

Probably faster in the long run too. Also with Windows there's so many ways to embed stuff behind the whole uninstall/msconfig kind of thing you'll never be sure otherwise.

[nibbler]

Reinstall now is quicker surely, done in 2 hours instead of 2 days looking for something that avoids having to reinstall.

[MrM]

Reinstall now is quicker surely, done in 2 hours instead of 2 days looking for something that avoids having to reinstall.

Remember that typical PC users will have an OS going for years accumulating programs, not necessarily backed up and the original install CDs could be lost. It may not necessarily be the easiest option.

[lodore]

first off try autoruns and process explorer
a repair maybe easier depending on how much software on the computer and how much data to backup.
start process explorer go to view select columns. go to process image, tick verify signer,image path and company and click on ok. now go to options and click on verify image signatures.
most of the legit processes should be signed so it will be easier to tell what process is the malware.
for any your unsure about check the process image section on the right of the process and it will tell you where its running from.
terminate the malware process/processes and delete it from startup using msconfig or autoruns.
remember if the OS is vista or 7 run process explorer as administrator.
did you reset all the internet settings to default and check the hosts file?
how does the computer connect to the internet?

[pipTheGeek]

I would go with msconfig to edit startup items first. If that fails then I would go with a re-install, assuming that their machine was in a state where it can be re-installed and they haven't lost all the media.

Does anyone mind if this thread becomes tales of christmas tech support?

My christmas tech support challenge is a friend bought their son an Acer Aspire One D250. Then spilt a wkd in it. They were reasonably quick at pooring the drink back out of the laptop. It still boots, but pressing keys just results in beeps. Sadly I don't know how to get the keyboard out and there appears to be screws under it.

[razer121]

haha i had this...wow 4 times mate is the pc on windows 7?? cos it only happened to me since i had windows 7, really odd and i was in firefox, to be honest i tryed everything everyone is telling you, which does catch alot of it...but it still remains there, personaly? i think you should reinstall ive had to

[MrM]

My christmas tech support challenge is a friend bought their son an Acer Aspire One D250. Then spilt a wkd in it. They were reasonably quick at pooring the drink back out of the laptop. It still boots, but pressing keys just results in beeps. Sadly I don't know how to get the keyboard out and there appears to be screws under it.

Can you boot to Windows? If it's simply a keyboard issue you can hold out hope it will dry, but if it's beyond that I'm afraid options are going to be extremely limited.

[nibbler]

I'm getting scared of windows 7 because this is all I head about on it

[lodore]

I would go with msconfig to edit startup items first. If that fails then I would go with a re-install, assuming that their machine was in a state where it can be re-installed and they haven't lost all the media.

Does anyone mind if this thread becomes tales of christmas tech support?

My christmas tech support challenge is a friend bought their son an Acer Aspire One D250. Then spilt a wkd in it. They were reasonably quick at pooring the drink back out of the laptop. It still boots, but pressing keys just results in beeps. Sadly I don't know how to get the keyboard out and there appears to be screws under it.

Hello,
since its a new laptop find out what the warranty from acer is like. if you wish to replace the laptop keyboard yourself then read the following.
replacing a laptop keyboard is quite easy.
the best way is to download the service manual from the acer website for the laptop and then follow the guidance which should be the same as i have written below:
1. open the screen fully so its completely flat open.
2.Along the row where the power button is there is a section on the right hand side where you can carefully put a screwdriver in. you carefully place in a screwdriver and undo the clips by sliding the screwdriver along.
3.you may need to place the screw driver in to the left hand side to undo a few clips.
4. take the panel off.
5. undo the two screws securing the keyboard in place.
6. carefully lift up the keyboard and carefully unplug the laptop cable (if there is a cable)

[12GaugeShotty]

It's my own fault really, I should have just kept my mouth shut instead of going "oh I'm sure it's a quick fix".

Turns out it's not...

Basically there's *something* on this laptop that occasionally hijacks search engine results and redirects them to randomjunk or porn pages.

So far I've tried the following

F-Secure Blacklight rootkit inspection
Malwarebytes
Microsoft Security Essentials
Hijackthis, and then running the log through hijackthis.de's analyzer, including manually deleting the registry entries that it couldn't remove.


The only thing that stops the behaviour is running in safe mode, so I'm sure something that's engaging on startup is causing it, but so far not managed to find exactly what it is. Any ideas on what else I can try?

Delete the Temp files, all of them. Check your startup in MSCONFIG. Make sure everything in there is legit. Disable (uncheck) everything that isn't OS essential.