Browser HiJack - Help



mbresler
2011-03-21, 22:02
This is a new thread per instructions by Blade81:

Previous post description:

I have some crazy browser redirect thing happening whereby all search results within Google are bouncing me to complete junk sites or to sites which aren't even remotely tied to what I'm looking for. Example: I search for "malware security center virus", click on a result and get sent to ADT Security or Outdoor World or Domain Registration sites.

Win7 Home Premium - SP1 (64bit)
IE version 8.0.7601
McAfee Internet Security 2011 (found no infections)
MalwareBytes (found no infections)
SuperAntiSpyware (found no infections)

To Blade81: My apologies for the previous thread and the subsequent posting of the HijackThis log. I was only trying to provide log information to assist. The "Read This Before Posting" thread doesn't specify the use of DDS or ERUNT for users on Win7 - because I'm new to this forum, I wasn't sure what to do.

Having said that - the DDS links to download the software are both being blocked by my anti-virus (McAfee Internet Security). I did pull a copy of ERUNT to back up only the system registry.

Spybot SD finds the following:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start (is not) W=2

and

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start (is not) W=2 (64 bit)

I'll hold off for now and wait to hear back...

Thank you,

-Mike

Blottedisk
2011-03-22, 15:01
Hi mbresler,

Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.


Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Subscribe to this Thread (then choose Instant Notification by email). If the button says Unsubscribe from this Thread, then you are already subscribed.
Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.


Please follow these steps in order:


Step 1 | Please visit the following and have a look at how you can disable your security software.

How to disable your security programs (http://forums.whatthetech.com/index.php?showtopic=96260 )

After disabling your McAfee Suite, download DDS from any of the links below:

Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr )
Link 2 (http://download.bleepingcomputer.com/sUBs/dds.com )
Link 3 (http://www.forospyware.com/sUBs/dds )

--------------------------------------------------------------------
Save it to your desktop.
Please disable any anti-malware program that will block scripts from running before running DDS.
Double-Click on dds and a command window will appear. This is normal.
Shortly after, two logs will appear:
DDS.txt
Attach.txt
A window will open instructing you to save & post the logs.
Save the logs to a convenient place such as your desktop.
Post the contents of the DDS.txt report in your next reply.
Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.


Step 2 | Please download GMER from one of the following locations and save it to your desktop:

Main Mirror (http://gmer.net/download.php ) - This version will download a randomly named file (Recommended)
Zipped Mirror (http://gmer.net/gmer.zip ) - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

--------------------------------------------------------------------


Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection (http://forums.whatthetech.com/index.php?showtopic=96260 ) so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.


Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.



GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Make sure all options are checked except:

IAT/EAT
Drives/Partition other than Systemdrive, which is typically C:\
Show All (This is important, so do not miss it.)


Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode (http://www.computerhope.com/issues/chsafe.htm ).


Step 3 | Please download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe ) to your desktop.
Be sure to disable your security programs.
Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt).
A window will open on your desktop.
If an unknown bootcode is found you will have further options available to you; at this time press N then press Enter twice.
If nothing unusual is found, just press Enter. A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
Please post the contents of that file.

mbresler
2011-03-23, 14:59
Blottedisk - Thank you for your response - I will perform these actions this evening or tomorrow morning and post an update once complete.

A quick update - I run IObit System Care Pro 3.7 on my PC - the immunization process found a file in \Windows\System32 called bigWOW64.exe that it classified as malware - I let the default quarantine action do its thing. The hijacking is less but still continues. In addition the Windows System Care issue has returned and no matter what I do, the service will not remain on.
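
As an added example, not posted by anyone in this thread: a PowerShell script that checks the Security Center service (wscsvc) whose Start value Spybot flagged in the first post, and the System32 file the IObit scan quarantined in the update above. The script and its -Repair switch are my additions, not a tool the helper asked for; run it as Administrator in 64-bit PowerShell.

```powershell
# Added example, not part of the original thread. Spybot's finding
# "wscsvc\Start (is not) W=2" means the Start value should be 2 (Automatic).
# -Repair is an assumed switch of this script, not a Windows feature.
param([switch]$Repair)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc'
$startNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# 1. Registry view: the value Spybot compares against.
$start = [int](Get-ItemProperty -Path $key -Name Start).Start
Write-Host ("wscsvc Start = {0} ({1})" -f $start, $startNames[$start])

# 2. Service Control Manager view (Win32_Service works on Windows 7's PowerShell 2.0).
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='wscsvc'"
Write-Host ("wscsvc StartMode = {0}, State = {1}" -f $svc.StartMode, $svc.State)

if ($start -ne 2 -or $svc.State -ne 'Running') {
    Write-Warning 'Security Center service is not set to Automatic and running.'
    if ($Repair) {
        # Put the value back to what Spybot expects, then start the service.
        Set-ItemProperty -Path $key -Name Start -Value 2
        Start-Service -Name wscsvc -ErrorAction Stop
        Write-Host 'wscsvc set to Automatic and started.'
    }
}

# 3. The file the IObit scan quarantined. From 32-bit PowerShell, System32 is
#    redirected to SysWOW64, so use the 64-bit shell to see the real folder.
$file = Join-Path $env:SystemRoot 'System32\bigWOW64.exe'
if (Test-Path $file) {
    $item = Get-Item $file
    Write-Warning ("{0} is present ({1} bytes, written {2})" -f $file, $item.Length, $item.LastWriteTime)
} else {
    Write-Host "$file not present."
}
```

If wscsvc reverts to disabled again after -Repair, something still running is re-disabling it, which matches the poster's report; restoring the value is a check, not the fix.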

Blottedisk
2011-03-23, 16:45
Hi,


Thanks for the update. Unfortunately I have to inform you that IObit Security 360 is a rogue security program known to cause system problems and that had stolen material from other computer security companies to use in their own program.

IOBit Steals Malwarebytes’ Intellectual Property (http://www.spywareinfoforum.com/index.php?showtopic=126267)
IOBit’s Denial of Theft Unconvincing (http://www.spywareinfoforum.com/index.php?showtopic=126286)


I would therefore recommend that you uninstall IObit 360, as well as refrain from using any software from this company.

T-Tools (http://www.t-tools.nl/) has created a free program that has been designed specifically to remove every last trace of the entries of IObit programs left behind if and when you decide to uninstall one or more of these programs. You can download BitRemover from here: T-Tools BitRemover (http://www.t-tools.nl/bitremoveren.php)

Save the program to your Desktop and double-click on the program to run it.


The set of instructions I gave you in my last post are just non-intrusive scans that will allow me to detect each corner of this infection, in order to gather the necessary information to remove it.

Blottedisk
2011-03-26, 06:03
Hi mbresler,


Are you still with us?

Blottedisk
2011-03-29, 16:06
Due to the lack of feedback, this Topic is closed. If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter. Everyone else please read the guidelines to request assistance (http://forums.spybot.info/showthread.php?t=288 ) and begin a New Topic.