Thursday, July 28, 2011

How to Remove a Search Hijacker—for Free

The short answer: Install and run ComboFix. Details below.

I’m usually pretty good at removing viruses and crap from my computer, and I generally avoid using anti-virus software to do it. I’ve got good reasons. First, I’m a control freak, and I can’t stand the idea of something restricting my movements on the web. I don’t even run Windows Firewall. Second, they slow down your computer, and they might just delete stuff that you don’t want them to. Third, I know the Windows Registry like a freaking maniac.

Seriously though, when you do such processor-heavy stuff like video editing or playing Bulletstorm, you don’t want some resource hog hiding in the background, ready to jump up and say stuff like “CNN.COM IS TRYING TO REFRESH ITSELF, BUT DON’T WORRY, WE CLOSED YOUR ENTIRE BROWSER. PROBLEM SOLVED!” Your online Black Ops team will wonder why you suddenly decided to stand still in the middle of a battlefield and get shot to death.

Then there’s the boot-up issue, and this is the main reason I tell people to avoid Norton Antivirus at all costs. For years I’ve nicknamed this bloated software the Black Icy Hand of Death, turning an otherwise fully-functional computer into a crawling zombie who can’t even take commands from its master, spending half its life running a series of processes on every boot to ensure the maximum protection possible. It’s like putting bars on all the windows in your house, then boarding them up, putting 20 locks on your front door and then pushing all your furniture up against it. You’ve gotta take some risks if you want some freedom.

Usually, when I suspect I’ve got a virus, my normal routine goes like this:
  1. Start the Task Manager (Ctrl+Alt+Del) and look for weirdly-named processes
  2. Google those executables to find out if they’re known viruses
  3. If it’s a virus, search both the entire file system and the registry for that file name and delete all references to it
  4. Reboot
This is pretty much all anti-virus software does anyway; they just go about it with a different method. Sometimes the virus isn’t listed in the processes and I’ve got to run Ad-Aware or ClamWin to have it point out the files to me, but then I’ve got to remove them manually from the file system and registry anyway. So it was an especially frustrating week when I noticed a new type of virus I’d never seen before and had no clue how to remove.
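Steps 1 to 3 of the routine above, written out as a read-only PowerShell script. This is an added example, not part of the original post. `$SuspectName`, its default value and the `C:\` search root are assumptions made for illustration, and the script only lists findings without deleting anything.

```powershell
# Added example: read-only triage for the manual routine (steps 1-3).
# $SuspectName is a placeholder; pass the executable name you are researching.
param([string]$SuspectName = 'example-suspect.exe')

# Step 1: running processes with their on-disk path and signature status.
$procs = Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.ExecutablePath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name      = $_.Name
            ProcessId = $_.ProcessId
            Path      = $_.ExecutablePath
            Signature = if ($sig) { "$($sig.Status)" } else { 'Unknown' }
        }
    }

# Not validly signed is a lead to research (step 2), not a verdict.
$procs | Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Path | Format-Table -AutoSize

# Step 3a: autorun registry values that reference the suspect name.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$pattern = [regex]::Escape($SuspectName)
$autoruns = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($valueName in $item.GetValueNames()) {
        [pscustomobject]@{ Key = $key; Value = $valueName; Data = $item.GetValue($valueName) }
    }
}
$autoruns | Where-Object { $_.Data -match $pattern } | Format-List

# Step 3b: copies of the file on disk (slow on a full drive; hidden files included).
Get-ChildItem -Path 'C:\' -Filter $SuspectName -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, CreationTime, LastWriteTime
```

Run it from an elevated prompt so that processes and folders owned by other accounts are visible; as the post goes on to describe, a hijacker that shows up in neither the process list nor these keys will not be found this way.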

The Asshole Search Hijacker

I noticed that my normal Google searches were taking me to suspiciously amateur-looking websites. I googled the IP addresses I was being sent to and discovered that I had what is called a “search hijacker,” also known as a “Google search hijacker,” “Scour Redirect Virus,” and other names. But it didn’t stop at Google. It affected Bing, too. Not that I cared about that.

And it wasn’t just Firefox. It was Internet Explorer and Chrome, too. For days I used Ask.com, and not for the usual ironic reasons, but because this search hijacker was ignoring it. I couldn’t find a process. I couldn’t find anything weird in the registry. It was baffling me.

Here’s what was happening: I would do a Google search, and normally, I could just click on results to move on to the linked website like we all do a jillion times a day, every day. But the moment I’d click that link, the URL would be replaced by a hijacked URL, linking me to one of many asshole websites. If I hovered the mouse over the link, it’d look like this:


And then, right-clicking the URL, it would immediately change to this:


For every single result. Here’s a list of IP addresses and domains that I was being redirected to (*WARNING* DO NOT VISIT ANY OF THESE URLS):

I ran ClamWin, and it didn’t find anything. I ran Ad-Aware, and it didn’t fix the problem. I then went on a free anti-virus installing spree, during which time I also used TFC (Temp File Cleaner), Malwarebytes’ Anti-Malware, and SUPERAntiSpyware. None of them solved the problem.

It wasn’t until I installed ComboFix, a curiously low-key program, that the problem finally went away. If you’ve got some variant of search hijacker, this should fix the problem.

Finally, the Details of How to Remove this Stupid Search Hijacker

TFC won’t harm your computer, and it may have helped solve the problem in my case since it removed 7 gigabytes of temp files. If ComboFix doesn’t solve the problem, I’d suggest running TFC first, then running ComboFix again.

So, download and install ComboFix, choosing all the standard options, and then let it run. It’ll close all your browsers without prompting you, so save anything you need before it does this. It’s all text in a box—no fancy graphics here. It could take up to an hour, but it probably won’t, and then it’ll automatically reboot your computer. When the computer boots, don’t do anything until it spits out a text file log. You might want to save that, just in case.

When you see that text file, all should be well. You no longer need to cry yourself to sleep using Ask.com for your web queries. Remember, if this doesn’t work, try running TFC, then ComboFix. Hopefully you’ll be back to normal again.

5 comments:

  1. Hey... I was hit with this exact same bug on my Netbook last week. None of my usual defenses were helping (Malwarebytes, Avast, Ad-Aware, HijackThis etc.). I found this post, gave ComboFix a whirl, and it worked like a charm. It seemed like a pretty intense cleanup, but it did the trick, and even freed up almost eight gigs. Thanks so much for posting this.

  2. Hey, I just want to say thanks. I had the same problem and couldn't figure it out until I found this page. ComboFix appears to have worked!

  3. Terrific, thanx for the post. My urge to kill is behind me now

  4. Anonymous, July 04, 2012

    Thanks for the advice, gonna try it out right now.

  5. I was not going to get scammed or pay a fortune to have the web re-directing virus 63.209.69.107 removed from my computer. It took a while to find the website www.bleepingcomputer.com with the FREE!! download ComboFix. Then there was the question, should I trust this site???
    I did and loaded down the file (I run Windows XP Pro), and it worked despite all the allegedly difficult obstacles hard to overcome by virus detection programs. I started trusting the site when I read the comment with the remark "the urge to kill is behind me now" because that's where I was.
    It worked like a chime! Good luck!
