Grabitfast.net has hijacked my Google home page.Whenever I try to
access the Google home page, Grabitfast.net (a search engine) pops
up.Google is listed in my Internet Explorer Options as my home page.I
can change the home page to some other URL which will work without
hijacking on reboot, but if I enter the Google URL, up pops
Grabit.net.

---

Request for Question Clarification by aht-ga on 23 Feb 2004 23:26 PST

jacksaul-ga:

This behavior is typical of many hijackers. This particular variant is
extremely new, hardly any info on it so far. So, I'm posting this as a
clarification request first, to give you the opportunity to make sure
we can actually remove the problem. First, it's time to go through the
"standard" de-hijacking routines:

1. Download, install, update, and run Spybot spyware remover:

 http://www.safer-networking.org/index.php?page=home

2. Go look at your hosts file (if you don't know where it is, try the
System32/drivers/etc folder of your Windows directory... if you do not
have such a directory, just let me know what your operating system is
so that I can tell you exactly where to look), and see if there is an
entry for "www.google.com" that is forcing your computer to go to the
Grabitfast website instead.

3. Run your anti-virus scanner to see if you may also have become
infected by a virus or some form of malware.

Please let me know if you are able to make any head-way with the above
steps; if not, please report back with the results to each step.

Looking forward to your reply,

aht-ga
Google Answers Researcher

---

Clarification of Question by jacksaul-ga on 24 Feb 2004 07:56 PST

The computer in question is my brother-in-laws and I am referring him
your information.He is running Windows (98 SE).I will forward any info
from you to him and hope to clear up his problem.
thanks
Jack Strom

---

Request for Question Clarification by aht-ga on 24 Feb 2004 08:55 PST

jacksaul-ga:

In Windows 98 SE, the hosts file should be found in the WINDOWS
directory itself. It may be called 'hosts', or 'hosts.sam'. While
Windows 98 SE should only be looking at the 'hosts' version, there
have been times when the hosts.sam file actually ends up being
referred to due to a bug/feature.

If your brother-in-law can open up the 'hosts' or 'hosts.sam' file
using Notepad, he should, at most, find only a single entry (ie. a
line that does NOT start with the '#' character):

127.0.0.1  localhost

If he sees any entry for google.com, he should remove that entry from
the file and save the file again.

In any case, regardless of whether or not he finds an entry, he should
right-click on the file in File Explorer, select Properties, and check
the Read-only checkbox found on the General tab. This will provide
some protection for the future against malicious hijackers.

After he has had the opportunity to download, install, and run Spybot
(remembering to use the 'update' feature inside Spybot to download the
latest signature file first), please let me know if the problem has
been rectified/changed in any way.

As well, after all this is done, I can point you and your
brother-in-law towards several good free-ware/donation-ware programs
(such as Spybot) that will help prevent this from happening again in
the future.

Thanks!

aht-ga
Google Answers Researcher

---

Request for Question Clarification by aht-ga on 25 Feb 2004 18:34 PST

jacksaul-ga:

From what you've described, there's something being run at boot-up
that is doing this.

On a Windows 98 SE machine, this can either be an entry in his
computer's registry, or in the Startup folder on the Start Menu.

Is your brother-in-law comfortable with going into his computer's
Registry? If so, I need him to go into the 'Run' key, as indicated
here:

http://www.winguides.com/registry/display.php/109/

and see if there is anything there that appears to be running
inappropriately on boot-up. As indicated on the above link, the
program may also be launched by the [Load] or [Run] sections of his
PC's win.ini file.

aht-ga
Google Answers Researcher

---

Request for Question Clarification by aht-ga on 25 Feb 2004 18:49 PST

jacksaul-ga:

Actually, due to the lack of info on Grabitfast.net available online,
it's probably better to ask your brother-in-law to provide as much
info as possible.

Please ask him to download
http://www.spywareinfo.com/downloads/tools/HijackThis.exe

and Run it. After he clicks the Scan button, he should click the Save
log button (it's the same button, actually), and save it to a file.
The information will then appear in Notepad. Ask him to copy and paste
the information into an e-mail that he should send to you. Then, if
you can please copy and paste the information into a clarification, it
will help immensely in my being able to provide specific instructions
on how to clear this up once and for all!

Thanks,

aht-ga
Google Answers Researcher

Here's another site you may find helpful:
http://www.spychecker.com/software/antispy.html

Got all of your e-mails and went to the Windows Host file.  There were
about 4 of them, all with a string of porno sites as well as the
google.com sites.  I removed them all and went to properties as
recommended and clicked on the read only thing.  I got the latest
version of Add-a-ware, Spybot and X-block.  I then ran them all and
cleaned my system the best I could.  Google was restored but when I
reboot the system a new host file is added, yes with a string of porno
sites as well as the google.com site.  Is there anywhere else to look
to find out why it's being added on reboot?

Clarification of above comment.Deleting the host file entries clears
up the "browser hijack" until the computer is rebooted.Upon rebooting
a new host file is formed which has all the undesirables in it.What is
causing the rebuilding of the host file? Making the original host file
"read only" has no effect as a new host file is built.