Web browser hijack



#1 MtnGntx


Posted 16 December 2007 - 03:25 PM

Hello all,

I was recently victim to the VIRUS PROTECT scam. Thanks to the posts herein, I believe I successfully removed most of the malware. However, I still have a persistent and sporadic bug that redirects my web search links to a rogue URL. Here is an example of an attempt to link to a search result from "cod liver oil":

(http://alfasort.com/search.php?q=cod%20liver%20oil )

The alfasort string is the ubiquitous prefix. I am using Microsoft's Internet Explorer. I am running Kaspersky Internet Security suite.

Can anyone here graciously offer some direction on how to eliminate this annoyance?

Thank you.

WPM


 


#2 boopme


Posted 16 December 2007 - 04:55 PM

Hello MtnGntx, welcome to the forum.
Need to know exactly what you did... so did you do/run these?
How to remove VirusProtect or Virus Protect (Removal Instructions)

Next, please download RogueRemover and save it to your Desktop. (compatible with Windows 2000, NT, XP, Vista)

Double-click on rr-free-setup.exe to install in C:\Program Files\RogueRemover and follow the prompts.
During installation an icon will automatically be created on your Desktop.
If the program does not open after installation, double-click on the RogueRemover icon to launch.
Select "Check for Updates" and click Download if any are found.
Wait for the updates to finish downloading, then Close the update window.
Select "Scan" and follow the onscreen directions to remove anything found.
If nothing is found, exit RogueRemover.
If RogueRemover finds something, it will present a list of detected items.
Click "Remove selected", then Yes at the prompt.
Wait for the removal to complete and then close RogueRemover.
If using Windows Vista, be sure to Run As Administrator

Download and scan with SUPERAntiSpyware, Free for Home Users
Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from HERE.)
Under "Configuration and Preferences", click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen.
Reboot into Safe Mode
How to start Windows in Safe Mode

Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
On the left, make sure you check C:\Fixed Drive.
On the right, under "Complete Scan", choose Perform Complete Scan.
Click "Next" to start the scan. Please be patient while it scans your computer.
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
Make sure everything has a checkmark next to it and click "Next".
A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
If asked if you want to reboot, click "Yes".

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Edited by boopme, 16 December 2007 - 05:10 PM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 MtnGntx


Posted 16 December 2007 - 10:55 PM

Hello boopme,

I ran both programs. RogueRemover came up with a single hit which I dutifully deleted. Then SuperAntiSpyware came up with a single hit in the file scan. It was an Adware tracking cookie. I deleted it as well. As requested, I checked the scan log for SAS to post results, but the log bank was empty...? Sorry I don't have the results for you.

I pulled up my web browser to see if the problem had been resolved. And it hasn't :thumbsup:

Any further suggestions would be greatly appreciated.

Again, I thank you for your time... these malware guys should be hung up by their testicles.

Sincerely,
WPM

#4 boopme


Posted 17 December 2007 - 03:18 PM

Well I think you will need to post a log and have the HJT experts get a deeper look.
Please follow these instructions.
Preparation Guide for use before posting a HijackThis Log
Post that log HERE, by clicking on New Topic and giving it a title.

#5 MtnGntx


Posted 18 December 2007 - 01:15 AM

Boopme,

I will follow through with the above suggestions. Thanks.
I ran the same protocols you described in your first reply. Following you will find the current log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/18/2007 at 00:04 AM

Application Version : 3.9.1008

Core Rules Database Version : 3363
Trace Rules Database Version: 1362

Scan type : Complete Scan
Total Scan Time : 01:04:05

Memory items scanned : 355
Memory threats detected : 0
Registry items scanned : 4772
Registry threats detected : 1
File items scanned : 43460
File threats detected : 14

Adware.Tracking Cookie
C:\Documents and Settings\mcnairwp\Cookies\mcnairwp@track.adform[1].txt
C:\Documents and Settings\mcnairwp\Cookies\mcnairwp@dtr[1].txt
C:\Documents and Settings\mcnairwp\Cookies\mcnairwp@www.sexy-access[2].txt
C:\Documents and Settings\mcnairwp\Cookies\mcnairwp@ads.telegraph.co[1].txt
C:\Documents and Settings\mcnairwp\Cookies\mcnairwp@tacoda[2].txt
C:\Documents and Settings\mcnairwp\Cookies\mcnairwp@www.stopzilla[2].txt
C:\Documents and Settings\mcnairwp\Cookies\mcnairwp@www.virprotect[1].txt
C:\Documents and Settings\mcnairwp\Cookies\mcnairwp@enhance[2].txt
C:\Documents and Settings\mcnairwp\Cookies\mcnairwp@clicks.smartbizsearch[1].txt
C:\Documents and Settings\mcnairwp\Cookies\mcnairwp@richmedia.yahoo[2].txt

Trojan.Media-Codec/V4
HKU\S-1-5-21-2102999208-408303454-1867994533-39472\Software\Online Add-on

Trojan.Smitfraud Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F0131243-E952-4F3D-9817-770ACB42A123}\RP100\A0028218.DLL

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F0131243-E952-4F3D-9817-770ACB42A123}\RP99\A0027580.ICO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F0131243-E952-4F3D-9817-770ACB42A123}\RP99\A0027581.ICO

Adware.E404 Helper/Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F0131243-E952-4F3D-9817-770ACB42A123}\RP99\A0027639.DLL
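
For triaging a log like the one in this post, here is an added example (not part of the thread and not SUPERAntiSpyware's own code) that buckets each detected item by where it lives (cookie, registry, System Restore snapshot under `_RESTORE{...}`, or live file) and checks the summary counters against the items actually listed. The sample log, its placeholder paths and the function names are constructed for illustration.

```python
import re
from collections import Counter
# Constructed sample in the layout of the scan log posted above; the user
# name, SID, GUID and file names are placeholders, not values from the thread.
SAMPLE_LOG = r"""
Registry threats detected : 1
File threats detected : 3

Adware.Tracking Cookie
C:\Documents and Settings\user\Cookies\user@example[1].txt

Trojan.Example
HKU\S-1-5-21-0-0-0-1000\Software\Example Add-on

Trojan.Example Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{00000000-0000-0000-0000-000000000000}\RP1\A0000001.DLL
C:\WINDOWS\system32\example.dll
"""
COUNTER = re.compile(r"^(Registry|File) threats detected\s*:\s*(\d+)$")
ITEM = re.compile(r"^(?:HK[A-Z]+|[A-Za-z]:)\\")  # registry hive or drive path

def location(item):
    # Bucket a detected item by where it lives on the machine.
    upper = item.upper()
    if upper.startswith("HK"):
        return "registry"
    if "\\SYSTEM VOLUME INFORMATION\\_RESTORE{" in upper:
        return "restore-point"   # copy held in a System Restore snapshot
    if "\\COOKIES\\" in upper:
        return "cookie"
    return "live-file"           # present in the active filesystem

def parse(log):
    declared, found, threat = {}, [], None
    for line in (raw.strip() for raw in log.splitlines()):
        m = COUNTER.match(line)
        if m:
            declared[m.group(1).lower()] = int(m.group(2))
        elif ITEM.match(line):
            found.append((threat, location(line), line))
        elif line and ":" not in line:
            threat = line        # heading such as "Adware.Tracking Cookie"
    return declared, found

def triage(log):
    declared, found = parse(log)
    by_loc = Counter(loc for _, loc, _ in found)
    listed = {"registry": by_loc["registry"], "file": len(found) - by_loc["registry"]}
    return {"by_location": dict(by_loc), "counts_match": listed == declared}
```
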

#6 boopme


Posted 18 December 2007 - 01:58 PM

Did you quarantine all these items in SAS?
And your PC is still not right?

#7 MtnGntx


Posted 18 December 2007 - 03:48 PM

Boopme,

I checked each of the items as presented by SuperAntispyware and proceeded according to the program options to have these items deleted.

The problem still exists.

WPM



