I've reached the end of the line, you guys are my last hope.
Does anybody know how to get rid of this damn virus? It redirects search
pages to google and other sites, like goingonearth.com
Already tried Avira, MalwareBytes, the MS scanner (msert), Spybot,
Combofix (the virus mucks it up by changing folder names and permissions
and it won't run) and also the hosts file (nothing there). Autoruns doesn't
show anything suspicious either.
It even makes it impossible to search for removal solutions on the web:
it redirects all results with "goingonearth" to an unrelated site which
offers no solutions whatsoever.
I know chances are I will need to reformat and reinstall Windows but
thought I should give one last try here.
Thanks in advance.
For the record, it's not a virus, it's a browser hijack trojan.
Nitpicky, I know. Just call them both malware and let the purists sort
it out.
MBAM (MalwareBytes AntiMalware) should do it, but there are some steps
that aren't obvious unless you've been around this stuff.
Do a fresh download of MBAM's install file on a clean computer (to make
sure you have the latest version and defs) and rename it to something
like "skunk.exe" (just the filename, not the .exe part)
Transfer it to the infected pooter, preferably onto the hard drive.
Start said victim pooter in SAFE mode, on the "Administrator" titled
account, and install MBAM. DO NOT GO ONLINE.
Reboot, again in SAFE as "Administrator", and run it. DO NOT GO ONLINE.
Reboot again as normal and see if the browser is "yours" again, not
GoingOnEarth's.
Let MBAM update itself, then run it again in normal mode just to be safe.
Why the extra steps? Doing all this in SAFE mode bypasses the "hooks"
that the trojan uses to avoid stopping/blocking any cleaning attempts.
I added a couple "just because".
The renaming is done in case the malware is looking for (and blocking)
filenames specific to known malware-stomping applications.
Putting the install file on the hard drive is just a butt-cover in case
you can't access a thumbdrive or optical drive in SAFE mode.
As for the permissions issue, there's no way of knowing if MBAM fixed
it or not until you try to access those files/folders.
Taking ownership with "bare Windows" is a pain, whether the bad
ownership is caused by malware or just another random Windows "feature".
A simple registry tweak can add "Take Ownership" as a right-click menu
item in Windows Explorer, and I do it on all Winboxes I deal with unless
it's a corporate machine. That way you can fix that problem as soon as
you find it, no matter what the cause.
Search for "Take ownership right click"; it's no big secret and it's all
over the web. Don't worry if they are talking about Win 7, Vista or XP,
it's the same for all.
--
"Shit this is it, all the pieces do fit.
We're like that crazy old man jumping
out of the alleyway with a baseball bat,
saying, "Remember me motherfucker?"
Jim “Dandy” Mangrum
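The "Take Ownership" right-click tweak the answer above refers to, written out as an added example (not part of either post, and not vendor code): a .reg file that adds the menu item for files and for folders. It assumes takeown.exe and icacls.exe are on the machine and that the local administrators group is named "administrators" (the English-language name; it differs on localized Windows).

```reg
Windows Registry Editor Version 5.00

; "Take Ownership" entry for files. The "runas" verb makes Explorer
; request elevation before running the command, so it also works from
; a standard account via the UAC prompt.
[HKEY_CLASSES_ROOT\*\shell\runas]
@="Take Ownership"
"NoWorkingDirectory"=""

; takeown makes the current user the owner of the selected file (%1);
; icacls then grants the Administrators group full control (F) so the
; file can be inspected, edited or deleted even if malware stripped the
; ACL. Both values carry the same command; Explorer reads either one.
[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"

; Same entry for folders. takeown /r /d y recurses into the tree and
; answers "yes" to its prompt; icacls /t applies the grant to every
; file and subfolder beneath the selected directory.
[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="Take Ownership"
"NoWorkingDirectory"=""

[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
```

Save it with a .reg extension and import it (double-click, or `reg import file.reg`) from an account that can write to HKEY_CLASSES_ROOT; on a large folder the recursive ownership change can take a while. After the cleanup, the same mechanism is what lets you check the folders Combofix choked on: if "Take Ownership" on them succeeds and the names are legible again, the permission damage is fixed.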