Chrome browser hijacked by esurf.biz

Hi Guys,
Big problem here that I have been unable to sort out, hence I am reaching out for help.

I have Avast Premier and have had Avast for about 4 years or so.

My Chrome browser did show (and the settings still show) that msn.uk is my default homepage; however, I get http://esurf.biz/?ssid=1445297800&a=1008178 showing in my address bar, and other random sites appear, as well as random sites when I click on other webpages.

My system is rather old: Windows XP updated to the max with all updates from Microsoft, 4 GB of RAM, dual-core Pentium 2.4 GHz processor, although I feel most of that is irrelevant.

What Happened:
Well, as a time killer I have for a long time played an old game called 'Red Alert 2'; this was installed from genuine disks that are now unreadable due to age/scratches.

I tried to start the game 3 nights ago and Avast flagged up a threat when the game was started and sent the executable file to quarantine. I restored this file and it would not play, now with a message that Microsoft has met with some error and do I wish to report this...
So, something has changed on the saved executable file by going to quarantine.
I went online and downloaded the executable file, which was scanned with no problems found.
I then tried to play my game but it simply did not start.

After this I went back online to search for issues and found my google chrome browser had been hijacked!

I have tried all sorts to get this put right: Spybot/SpyHunter/Emsisoft Anti-Malware/CCleaner.

I have done some searches on http://esurf.biz/?ssid=1445297800&a=1008178 and it recommends using a tool for removal, which unfortunately costs a subscription that I simply cannot afford currently. I have checked Google Chrome's settings, as some sites say to change back the homepage, but the homepage is still listed as it should be, so something is probably set in the registry. I tried CCleaner to solve this, but although it picked stuff up and removed it, the esurf.biz problem is still present.

I have run several complete scans on my system using Avast and it picks nothing up at all?
But SpyHunter 4 picks up tons of problems, including trojans/PUPs and over a thousand suspected cookies... Great, I thought, but it will not remove them unless I subscribe.

I assumed that Avast would protect my computer, especially with having all shields active at all times, and I always scan anything that arrives on the PC.

It seems that something has just walked on by and infected my computer.

Does anyone have a cure for this hijacking which is free?

Hi there. Chrome is a very insecure browser, as malware authors have now found different ways to corrupt it and Google is not patching the problems.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

- Right click to run as administrator (XP users click Run after receipt of Windows Security Warning - Open File). When the tool opens, click Yes to the disclaimer.
- Select Addition.txt at the bottom.
- Press the Scan button.


- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please attach both logs generated.

> I assumed that Avast would protect my computer, especially with having all shields active at all times, and I always scan anything that arrives on the PC.

There is no security program with 100% detection or zero false positives.

> But SpyHunter 4 picks up tons of problems, including trojans/PUPs and over a thousand suspected cookies... Great, I thought, but it will not remove them unless I subscribe.

Malwarebytes does it for FREE. Highly recommended; you may install it when Essexboy has finished cleaning your computer.

Many thanks Essexboy for your incredibly quick response, took me a little by surprise there.

I will cease immediately to blacken the names of all Essex folk and will embrace their tanning and bright lipsticks as the norm :stuck_out_tongue:

I have installed the scanner and added attachments as per your request.

Thanks for the comments, Pondus. Yep, no security is 100%, but with Sygate/Avast/Windows running you tend to get complacent, as they do pick up an awful lot of stuff on the fly.
I have probably tried the malware you have mentioned, as I have put in at least 5 various programs in the last couple of days; they (for the most part, those that allow removal) have removed stuff but not cured the problems I am facing, unfortunately.

> I have probably tried the malware you have mentioned, as I have put in at least 5 various programs in the last couple of days; they (for the most part, those that allow removal) have removed stuff but not cured the problems I am facing, unfortunately.

If your antivirus and Malwarebytes don't remove it, then you need an Essexboy ;)

OK, looks like you have the new one. Farbar is looking for a way to detect this, although it does hide very deep in Chrome. He has worked out one element but the other is a bit more difficult.

So as it stands nothing can remove or detect it yet (apart from Web Shield).

Re-install Chrome

  1. If you have bookmarks, let's save them by exporting them - Export Bookmarks
  2. Then I need you to go to Google Sync and sign into your account
  3. Scroll down until you see the "Stop and Clear" button and click on the button. At the prompt click on "Ok"
  4. Now we need to uninstall Chrome via Control Panel.
     Note: When asked about user data or settings you must remove this also, so please check the box.
  5. Restart the computer and reinstall Chrome. You can download the latest version from here - Google Chrome
  6. Import your bookmarks back into Chrome
  7. Sign back in to your Chrome browser so that your bookmarks sync with your online account.

THEN

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open Notepad and copy/paste the text in the quote box below into it:

CreateRestorePoint:
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "about:newtab" <======= ATTENTION
BHO: No Name -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> No File
BHO: No Name -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> No File
BHO: No Name -> {9421DD08-935F-4701-A9CA-22DF90AC4EA6} -> No File
Toolbar: HKLM - No Name - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - No File
Toolbar: HKU\S-1-5-21-725345543-602609370-839522115-1003 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
S4 vsdatant; [X]
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:76650B61
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe


Run FRST and press Fix.
On completion a log will be generated; please post that.

Hi Essexboy,
Done all as requested and attached the required file.

The result currently is that Google Chrome opens much faster and opens the homepage that is set.
I have restarted the PC a few times to see if anything is overwritten on reboot, and nothing peculiar has happened as yet.

Shame I lost all my passwords to historical sites visited :stuck_out_tongue:

There will undoubtedly be some residue on my computer from the original causes of the problems. Do you know if/when a fix for this would happen, and do you know why the hijacking got past the Avast security? (I thought that any hijacking etc. was intercepted.)

I have read a lot of posts on the internet about this esurf.biz hijacking, and it appears that it does make changes to the registry, which, as they admit, are hard to identify and remove; novice attempts, which is the sort of thing I would offer to fix in the registry, could be catastrophic to the operating system. Is there anything that you know of that might be either available or soon to be available that would effect any changes necessary?

Thanks for your assistance Essexboy, greatly appreciated.

It is quite complex to explain, but I will try.

Google has left open the option for any extension to write to the %ProgramFiles%\Google\Chrome\Application[version]\resources.pak file and the normal content is

try{(function(d,u){function k(a){for(var b=0;b<a.length;b++){var e=b,c;c=a[b];if("string"===typeof c)a:{if(!v(c))for(var g=0;gd-g?b&&b(!0):(c["BL_ST_"+a+"_"+e]=d,b&&b(!1),f(c)):(c["BL_ST_"+a+"_"+e]=d,f(c),b&&b(!1))})}function h(a){chrome.storage.local.get("BLGC_STORAGE",function(b){a&&a(b.BLGC_STORAGE)})}function f(a){var b={};b.BLGC_STORAGE=a;chrome.storage.local.set(b,function(){})}function q(a){try{if(0==a.length)return{hostName:""};var b=u.createElement("a");0!=a.indexOf("http")&&(a="http://"+a);b.href=a;return b}catch(e){}return{hostname:a}}function y(a){a=a.toLowerCase();for(var b=0;b
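As an added example (not code from the thread, from Farbar, or from Google), here is a way to check the claim above yourself: read the resources.pak bundle with Chrome's v4 DataPack layout (a 9-byte header of version, resource count and text encoding, then (id, offset) entries ending in a sentinel) and flag any resource that carries extension-style JavaScript such as the chrome.storage.local / BLGC_STORAGE calls quoted in the snippet. The sample .pak is built in memory so the script runs offline; the indicator strings and the resource IDs are assumptions. Against a real machine you would point parse_pak at the on-disk file and, ideally, diff the flagged resources against a pristine resources.pak of the same Chrome version.

```python
"""Scan a Chrome v4 .pak resource bundle for extension-style script injected into it.

Added example, not code from the thread, FRST or Google. The sample bundle below is
constructed in memory; the indicator strings are assumptions drawn from the snippet
quoted in the thread.
"""
import struct
from typing import Dict, List

# Chrome DataPack v4 layout: uint32 version, uint32 resource_count, uint8 encoding,
# then resource_count + 1 entries of (uint16 id, uint32 offset). The final entry is a
# sentinel (id 0) whose offset marks the end of the last resource.
HEADER = struct.Struct("<IIB")
ENTRY = struct.Struct("<HI")

# Normal for an extension's background script, but not expected inside Chrome's own
# UI resource bundle (assumed indicators).
SUSPICIOUS = [b"chrome.storage.local", b"BLGC_STORAGE", b"esurf.biz"]


def parse_pak(data: bytes) -> Dict[int, bytes]:
    """Return {resource_id: raw bytes} for a v4 .pak, validating offsets."""
    version, count, _encoding = HEADER.unpack_from(data, 0)
    if version != 4:
        raise ValueError(f"unsupported .pak version {version}")
    entries = [ENTRY.unpack_from(data, HEADER.size + i * ENTRY.size)
               for i in range(count + 1)]
    resources: Dict[int, bytes] = {}
    # Each resource runs from its own offset to the next entry's offset.
    for (rid, start), (_next_id, end) in zip(entries, entries[1:]):
        if not (HEADER.size <= start <= end <= len(data)):
            raise ValueError(f"resource {rid} has offsets outside the file")
        resources[rid] = data[start:end]
    return resources


def build_pak(resources: Dict[int, bytes]) -> bytes:
    """Write a minimal v4 .pak (UTF-8 encoding flag) from {id: bytes}; used to build test data."""
    ids = sorted(resources)
    table_len = HEADER.size + (len(ids) + 1) * ENTRY.size
    out = bytearray(HEADER.pack(4, len(ids), 1))
    offset = table_len
    for rid in ids:
        out += ENTRY.pack(rid, offset)
        offset += len(resources[rid])
    out += ENTRY.pack(0, offset)  # sentinel entry
    out += b"".join(resources[rid] for rid in ids)
    return bytes(out)


def find_suspicious(data: bytes) -> List[int]:
    """IDs of resources containing any indicator string, in ascending order."""
    return sorted(rid for rid, blob in parse_pak(data).items()
                  if any(s in blob for s in SUSPICIOUS))


# Constructed sample: two benign UI resources and one carrying injected script.
SAMPLE_PAK = build_pak({
    100: b"<html><body>New Tab</body></html>",
    101: b'try{chrome.storage.local.get("BLGC_STORAGE",function(b){})}catch(e){}',
    102: b"body{margin:0}",
})

if __name__ == "__main__":
    # To scan a real install, replace SAMPLE_PAK with open(path, "rb").read().
    print(find_suspicious(SAMPLE_PAK))  # [101]
```

A hit only tells you that script with extension-style storage calls is present in the bundle; confirming an injection still means comparing the flagged resource with the same ID in a clean copy of that Chrome version, which the reinstall above effectively does by replacing the file.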