BleepingComputer.com: I have a browser hijacker

hello, I am having a time getting rid of a browser hijacker. Usually I can get rid of this kindof stuff with my spy sweeper of other freeware programs but not this time. I have windows xp, and am running firefox. My homepage has not changed but links generated by search engines (Primarily google) often send me to the wrong links. it doesnt seem to happen in IE. I've uninstalled and reinstalled firefox, though i didnt remove my personal files ie bookmarks. the redirected links are often associated with the original search, for instance i was searching with the keyword baby and the first link i clicked on was an add page asking about what brand of diapers I buy. I've been trying to ignore this problem for a while, but I've had enough and with someones help I'd like to solve this problem. I am yours to command

Welcome to BC.

Please download Malwarebytes Anti-Malware (v1.38) and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
  
• Double-click on mbam-setup.exe to install the application.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
    
  • Launch Malwarebytes' Anti-Malware
  
  
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
  
• Then click on the Scan button.
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
  
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

** If Malwarebytes Anti-Malware results in any error messages, please refer to Fixes for common problems and Error Codes.

hey quietman thank you for your reply. I read about posting in forums and made another similar post in the malware spyware form with a required dds and attached attach.txt file... should I pursue help here or there? I should probably close one of the topics, but I am not sure which one or how to for that matter.

Hello,

It is really hard to say which is the better option. The initial assistance you receive here is quicker than in the HiJack This forum; however, you may need to be referred there after all, and there is no way of knowing that until you have gone through some of the steps that quietman7 has started you on.

Please post back to this thread indicating which topic you prefer to keep active. In the meantime, I shall close the topic in the HiJack This forum to avoid possible confusion. If you decide to continue to receive assistance in this thread, please post back with the logs that quietman7 requested or if unable to please state why.

Orange Blossom

okay thank you orange blossom, I restarted but, i am still infected, I task manager end task the xp deluxe protector, and even if i delete the shortcut on the desktop, it reinstalls it there.

Here is the log:

Malwarebytes' Anti-Malware 1.37
Database version: 2191
Windows 5.1.2600 Service Pack 3

6/24/2009 10:32:15 PM
mbam-log-2009-06-24 (22-32-15).txt

Scan type: Quick Scan
Objects scanned: 97397
Time elapsed: 13 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Delete on reboot.

Please download and scan with Dr.Web CureIt - alternate download link.
Follow these instructions for performing a scan in "safe mode".
If you cannot boot into safe mode, then perform your scan in normal mode. Be aware, this scan could take a long time to complete.
-- Post the log in your next reply. If you can't find the log, try to write down what was detected/removed before exiting Dr.WebCureIt so you can provide that information.

Your Malwarebytes Anti-Malware log indicates you are using an older version of MBAM (v1.37) with an outdated database. Please download and install the most current version (1.38) from here.
You may have to reboot after updating in order to overwrite any "in use" protection module files.

Update the database through the program's interface (preferable method) or manually download the definition updates and just double-click on mbam-rules.exe to install.

• alternate mbam-rules.exe download link 1
  
• alternate mbam-rules.exe download link 2

Your database shows 2191. Last I checked it was 2332.

Mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating through the program's interface or have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, is to do the following: Install MBAM on a clean computer, launch the program and update through MBAM's interface. Copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.

• XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  
• Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware

Then perform a new Quick Scan in normal mode and check all items found for removal. Don't forgot to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

well guys, I did the doctor thing. Then on the restart I kept getting a blue screen, then a auto shutdown... I was able to boot into safe mode, but unable to connect via my wireless... so i reinstalled my os after backing up a couple files. I think i just let it go to long and tried to ignore it and finally it caught up to me. So thanks anyways for your attempts to help. Can anyone suggest good anti-spyware/malware/antivirus/adware freeware? Not just for detecting but removal as well. I have spy sweeper, but that usually detects 1/2 the time.

thanks

krhonik

Bleeping Computer's Freeware Replacements For Common Commercial Apps
Bleeping Computer's List of Virus & Malware Resources

Tips to protect yourself against malware and reduce the potential for re-infection:

• Simple and easy ways to keep your computer safe and secure on the Internet.
  
• Your Guide To Staying Safe Online.
  
• Hardening Windows Security - Part 1 & Part 2.
  
• Configuring Internet Explorer for Practical Security and Privacy - How to Secure Your Web Browser.
  
• The Antivirus Defense-in-Depth Guide.
  
• Use Task Manager to close pop-up messages to safely exit malware attacks.

• Keep Windows and Internet Explorer current with all critical updates from Microsoft which will patch many of the security holes through which attackers can gain access to your computer. If you're not sure how to do this, see Microsoft Update helps keep your computer current.

• Avoid gaming sites, porn sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Malicious worms, backdoor Trojans IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

• P2P Software User Advisories
  
• Risks of File-Sharing Technology

• Keeping Autorun enabled on USB (pen, thumb, jump) and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

• What security risks are associated with USB drives?.
  
• USB-Based Malware Attacks.
  
• When is AUTORUN.INF really an AUTORUN.INF?.

Many security experts recommend you disable Autorun asap as a method of prevention. Microsoft recommends doing the same.

Quote

Microsoft Security Advisory (967940): Update for Windows Autorun