click.gethotresults help

Discussion in 'Technical Support' started by Soulgazer, Aug 23, 2012.

  1. Soulgazer

    Soulgazer Med School applications are hell.

    Infected by an adware virus that prevents me from accessing anything on the internet, and instead just kicks me over to some random ad site. This site was on my favorites bar, so I could use that to bypass the ad/malware. Could someone please check out how to remove this? I have been running scans on Malwarebytes and McAfee, but no luck as of yet. Thanks. From what appears on my browser, the link I get redirected to (which then sends me to an ad link) is (there is more, but I can't see it).
  2. foamy

    foamy Solidarity. Banned

  3. Eagle One

    Eagle One The Mad Professor


    Turn off System Restore.
    Run ComboFix.
    Turn System Restore back on.
  4. Soulgazer

    Soulgazer Med School applications are hell.

    What do you mean, turn off system restore? As in, delete the restore backups?

    Also, would this deal with ilitili?
  5. Eagle One

    Eagle One The Mad Professor

    How to turn off System Restore

    This is usually the best option when a virus has infected system files. System Restore backs up your system files, and if your system files are infected, you're backing up the virus.

    So deactivate System Restore (per the above link) and run ComboFix. If that doesn't work, try the methods in the link foamy posted.
  6. Just thought I'd pop in here and say thanks to Eagle One. I had the same exact problem as the OP and ComboFix seems to have gotten rid of it. Thanks again!
  7. Eagle One

    Eagle One The Mad Professor

    No problem, Legrio. ComboFix is an amazing program. I'm frankly surprised that the guy who made it is still giving it away for free.
  8. Soulgazer

    Soulgazer Med School applications are hell.

    So, sorry to bump this, but now whenever I try to run ComboFix, my computer restarts before ComboFix can finish. I have no idea what is doing this. I know I have svchost.exe*32, but I think ComboFix can usually kill that.
  9. E1701

    E1701 Core High Commander

    Soulgazer, an infection like this can be tough to resolve remotely, but it actually sounds like a fairly direct symptom: your DNS settings have been hijacked.

    There are a few places where that can happen. The most common is generally the references in the hosts file (C:\Windows\system32\drivers\etc), as unmodified Windows uses that as a top level reference for name resolution. That one's easy to check, since you can just go to that folder, find the file called "hosts" and open it with Wordpad... by default on Windows 7, it should be empty except for a commented description of what the file does. Anything below the commented section is being used by Windows. On Windows XP, there's usually a default entry of " localhost" which is just a top level loopback reference. Unless you have some fairly specific or unusual network configuration, you can safely delete any entry that *isn't* the loopback address (on Win 7, hosts is protected, so you'll have to open it with admin rights).

    Another spot the DNS gets hijacked is from the browser itself - that's usually easy to spot, because one browser (usually IE) will redirect your URLs to the bogus site, but another browser works normally. In Internet Explorer, you can usually correct that sort of hijack easily by going to Control Panel > Internet Options > Advanced, and then hitting "Reset" - it'll kick all of the browser settings back to default, including any redirectors that might have been put into the settings. Alternatively, you can go to the "Connections" tab in the Internet Options window, and check under "LAN settings" - some viruses will insert a proxy server that feeds the browser bogus DNS info.

    It's also possible that your actual network adapter was routed to a bogus DNS server - you can check in the network settings, adapter settings - just select the "IPv4" protocol, hit properties, and check to see if your adapter has been manually routed to a DNS server not of your choosing. In most cases, that whole protocol is set to automatic, as in a typical dynamic home network, but if you do port forwarding and use a fixed IP, it may just be the DNS settings that have been hijacked.

    That having been said, the DNS hijack is only a symptom of an actual infection, not the infection itself. If possible, I strongly suggest you load up some anti-malware tools (including ComboFix, which can address these DNS hijacks itself) onto a flash drive (a lot of viruses prevent running fix tools or software in general). Then boot to safe mode, and run the tools directly from the flash drive (running from the drive can circumvent a virus that blocks you from running it locally). I know for a fact that Spybot S&D, HijackThis, ClamWin AV, and CCleaner can be run from an external drive without being installed, as can dedicated fix tools like ComboFix, VundoFix, etc. Additionally, if you can load a good solid AV like Avast on the system while logged in normally, you can run the scan from safe mode, or trigger a boot-time scan. Also, safe mode can allow you (provided you know what to look for) to locate bogus startup programs, malware, and some viruses, and manually delete them. A lot of malware likes to hide in temporary internet files, temp files, and from within application data folders (CCleaner can help with those), or the nastier fake AVs tend to create their own program file directories, which can be safely ripped out in safe mode. Viruses can hide in the same places, but a lot of them like to lurk in the Windows directory, which is why a good AV is preferable to trying to hunt down all of the little bastards manually. :p

    If foamy is right, and it's a rootkit (provided it's not hiding in the MBR), a boot-time virus scan can often rip them out... though sometimes the required fixes, like deleting the rootkit, and then hunting down every single reference to it in the registry, can be more trouble than simply wiping the system.
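A read-only PowerShell check of the three redirect locations E1701 walks through (hosts file, IE proxy/auto-config settings, adapter DNS servers), added here as an example and not posted by anyone in the thread. It assumes PowerShell 3 or later on Windows 8 or newer for `Get-DnsClientServerAddress` and `Get-NetIPInterface`; on Windows 7 the last section can be replaced with `netsh interface ip show dns`. Nothing is modified; it only reports what is set so you can compare it against what you expect.

```powershell
# Added example: report the three places the thread says a DNS/redirect hijack shows up.
# Run from an elevated prompt so the hosts file and all adapters are readable.

# 1. Hosts file: keep only non-comment lines that are not plain loopback entries.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$suspectHosts = Get-Content -Path $hostsPath -ErrorAction Stop |
    ForEach-Object { ($_ -split '#', 2)[0].Trim() } |   # strip trailing comments
    Where-Object { $_ -ne '' } |                        # drop blank/comment-only lines
    Where-Object { $_ -notmatch '^(127\.0\.0\.1|::1)\s+localhost$' }

# 2. WinINet (Internet Explorer) proxy and auto-config URL used by the browser.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey
$proxyFindings = @()
if ($inet.ProxyEnable -eq 1 -and $inet.ProxyServer) {
    $proxyFindings += "ProxyServer = $($inet.ProxyServer)"
}
if ($inet.AutoConfigURL) {
    $proxyFindings += "AutoConfigURL = $($inet.AutoConfigURL)"
}

# 3. DNS servers per adapter, with whether the interface is DHCP or manually set.
$dhcpState = @{}
Get-NetIPInterface -AddressFamily IPv4 | ForEach-Object {
    $dhcpState[$_.InterfaceAlias] = $_.Dhcp
}
$dnsReport = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        [pscustomobject]@{
            Adapter = $_.InterfaceAlias
            Dhcp    = $dhcpState[$_.InterfaceAlias]
            Servers = ($_.ServerAddresses -join ', ')
        }
    }

# Print the findings. Entries you did not add yourself deserve a closer look.
"== hosts entries other than loopback ($hostsPath) =="
if ($suspectHosts) { $suspectHosts } else { '(none)' }
"`n== IE proxy / auto-config settings =="
if ($proxyFindings) { $proxyFindings } else { '(no proxy or PAC URL configured)' }
"`n== DNS servers by adapter =="
$dnsReport | Format-Table -AutoSize
```

A home network will normally show Dhcp = Enabled with the router or ISP resolver listed; a manually set Dhcp = Disabled adapter pointing at an address you did not choose, a ProxyServer you did not configure, or hosts entries for domains you never added are the hijack indicators the post describes.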