Topic: "8.26.70.252 redirect virus help pls" (page 1 of 2)

ksydfius
hi guys,

recently my comp began acting weird
i use firefox as my browser, when i search for something, it redirects me to 8.26.70.252
supposedly this is a hijacking virus
i also get redirected to shoppingcove.com and other horrid scam sites
my internet gets really slow and shitty
i googled a lot about this problem and tried running some antivirus, but nothing helped
the articles that supposedly remove this crap aren't really detailed enough :wall2:

anyone else had this problem before? any recommendation/suggestions?

thx a lot guys

-ksydfius

ch0wch0w
Try HijackThis and http://www.hijackthis.de

dalfor
ch0wch0w's suggestion is great, and in the meantime I would have a look at your host file to see whether anything has been changed. Other than a whole DNS change (hard to do) most hijackers will attempt to change your host file with something that directs you to their site.

In addition - and use these with caution, you can look at anything that was installed in the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Finally, flush any bad DNS entries by closing every window, opening a DOS prompt, and doing an ipconfig /flushdns

Good luck.

Hessiann
If this was facebook, i would definitely put a Like! on dalfor's post :thumbsup:

I hope you get rid of this ugly problem bro!
GL!

hess

ksydfius
thx guys for ur quick replies
i am using this page: http://www.bleepingcomputer.com/forums/topic456180.html
for reference in the removal
Quote from dalfor:
> ch0wch0w's suggestion is great, and in the meantime I would have a look at your host file to see whether anything has been changed.

i have checked my host file, found nothing changed. to block some of these sites i just added
127.0.0.1 vivofind.com
127.0.0.1 www.shoppingcove.com
127.0.0.1 8.26.70.252
127.0.0.1 searchathon.com
127.0.0.1 click.get-answers-fast.com
127.0.0.1 r.looksmart.com
127.0.0.1 busines-search.in
127.0.0.1 online.travelguidereviewstrip.com
127.0.0.1 answerherefinders.in
(btw there are like 20 more i gotta block)
Quote from dalfor:
> In addition - and use these with caution, you can look at anything that was installed in the following registry keys:
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

found something in registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
i saw a key called "1652653326" and the key contained the following string:
C:\Users\admin\AppData\Local\Temp\tmph4491487822957383716.tmp
Quote from dalfor:
> Finally, flush any bad DNS entries by closing every window, opening a DOS prompt, and doing an ipconfig /flushdns

I tried that, but didn't do anything, really.
also i checked here: C:\ProgramData\Microsoft\Windows\DRM
found a file "9C.tmp" looks like some suspicious executable

but in Temp file i found some weird stuff
some file called: "0.8940825961339961" created the day i got infected
it turned out to be an encrypted EXE file so i decrypted it and right now analyzing it
but turns out that it's not detected as a virus?
btw while typing this post the "0.8940825961339961" file got deleted somehow???

anyway this is a horrible problem, can't even click on a single link without a redirect :pc5:

I will also try hijackthis and see what happens

sniperkid
Try downloading this:

http://www.kaspersky.com/antivirus-removal-tool-register

Depending on what you actually have, you may have to run it in safe mode.

bb
Might also be worth doing an nslookup to see what your default DNS server is now set to?
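
Added example, not written by anyone in this thread: a read-only PowerShell pass over the three places suggested in the replies above (the hosts file, the two Run keys, and the configured DNS servers). The flagging rules are assumptions of this example: it marks hosts lines whose name field is an IP literal (the hosts file only maps names, so such a line has no effect), names mapped to non-loopback addresses, and Run values that start from a Temp directory or a .tmp file.

```powershell
# Read-only triage of the hosts file, the two Run keys and the DNS servers.
# Nothing is changed; each finding is emitted as an object for manual review.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$loopback  = '127.0.0.1', '::1', '0.0.0.0'

$hostsFindings = foreach ($line in Get-Content -LiteralPath $hostsPath) {
    $text = ($line -replace '#.*$', '').Trim()          # strip comments
    if (-not $text) { continue }
    $ip, $names = $text -split '\s+'                    # first token is the address
    foreach ($name in $names) {
        $note = if ($name -match '^\d{1,3}(\.\d{1,3}){3}$') {
            'name field is an IP literal: hosts only maps names, so no effect'
        } elseif ($ip -notin $loopback) {
            'name mapped to a non-loopback address: confirm you added it'
        }
        if ($note) {
            [pscustomobject]@{ Source = 'hosts'; Item = $name; Value = $ip; Note = $note }
        }
    }
}

$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runFindings = foreach ($path in $runKeys) {
    $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($valueName in $key.GetValueNames()) {
        $cmd  = [string]$key.GetValue($valueName)
        # Heuristic (assumption of this example): autostart from Temp or a .tmp file
        $note = if ($cmd -match '\\(Temp|Tmp)\\|\.tmp\b') {
            'starts from a Temp directory or a .tmp file'
        } else { 'review: is this program expected?' }
        [pscustomobject]@{ Source = $path; Item = $valueName; Value = $cmd; Note = $note }
    }
}

# Get-DnsClientServerAddress ships with Windows 8 / Server 2012 and later.
$dnsFindings = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        [pscustomobject]@{ Source = 'dns'; Item = $_.InterfaceAlias
                           Value  = $_.ServerAddresses -join ', '
                           Note   = 'compare with what your router or ISP assigns' }
    }

@($hostsFindings) + @($runFindings) + @($dnsFindings) | Format-List
```

It can be run from an ordinary PowerShell prompt; reading these locations needs no elevation.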

kjangwa
'Malwarebytes Anti-Malware' or 'SuperAntiSpyware' are good for this type of browser hijack.
But watch out for compatibility issues with certain AVs.

DigitalAcid
Try running this Anti-Rootkit Tool:
F-Secure Blacklight

aceldama
or once you get tired of it all - because let's just face it, you won't be getting all the trash out anyway - do a fresh install. however, there are a few more things i'd do before throwing in the towel:
- install and run ccleaner
- install (a trial version at least) of kaspersky and remember to protect installation process!
- do a +FULL+ virus scan
- open the tools tab in ccleaner, check to see whether there are any hidden registry entries (under startup)
- backup firefox's bookmarks
- reinstall firefox
- import bookmarks from saved file

but, like i said it's probably just better to go for the one-step solution:
- reinstall windows.