
Internet Explorer Hijacked


4 replies to this topic

#1 lauren h

lauren h

  • Members
  • 6 posts

Posted 22 December 2007 - 04:36 PM

While browsing through Internet Explorer 7 today, that browser was hijacked (I think) by a malicious website by the name of PerformanceOptimizer. I won't post the link here unless asked, since I don't want anyone else getting infected. This website took over IE completely. It took me to its website (I can't go to any other sites in IE) and brought up a popup that attempts to download something if I try to close it. IE claims to have stopped that download, but who knows? The site is one of those fake sites that claims it has detected severe security threats and wants to optimize PC performance.

I'm using Opera to type this right now. I've run AVG anti-virus (it found 2 viruses that weren't there yesterday), Spybot S&D (nothing), Ad-Aware (nothing), and SUPERAntiSpyware (still scanning but no luck so far). I'm running Windows XP Service Pack 2, with SuSE Linux as a dual boot (although I don't have my root password for Linux, so that's a lost cause at the moment). I haven't gone into Safe Mode yet because with a dual-boot I'm not really sure when to start pressing F8.

Any help removing this malware would be greatly appreciated. Thanks for your time.


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,613 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 23 December 2007 - 07:21 AM

Please follow the instructions for using VundoFix in BC's self-help tutorial: "How To Remove Vundo/Winfixer Infection".

After running VundoFix, a text file named vundofix.txt will have automatically been saved to the root of the system drive, usually at C:\vundofix.txt. Please copy & paste the contents of that text file into your next reply.

Then perform an Online Virus Scan like BitDefender.
(These require Internet Explorer to work. Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component. If given the option, choose "Quarantine" instead of delete.)
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 lauren h

lauren h
  • Topic Starter

  • Members
  • 6 posts

Posted 27 December 2007 - 05:19 PM

Sorry for the delay.

This is the contents of the txt file:
VundoFix V6.7.7

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 1:16:36 PM 12/27/2007

Listing files found while scanning....

No infected files were found.

And here's the BitDefender report:
BitDefender Online Scanner

Scan report generated at: Thu, Dec 27, 2007 - 15:29:30

Scan path: C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;

Statistics
Time: 01:23:44
Files: 384876
Folders: 7743
Boot Sectors: 5
Archives: 16668
Packed Files: 20713

Results
Identified Viruses: 3
Infected Files: 5
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 5

Engines Info
Virus Definitions: 884490
Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 7
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status

C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-6edf6581.zip=>vmain.class
Infected with: Exploit.Java.Gimsh.B

C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-6edf6581.zip=>vmain.class
Deleted

C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-6edf6581.zip
Updated

C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\3IFY3UL2\gnida[1].swf
Infected with: Trojan.Downloader.SWF.Gida.A

C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\3IFY3UL2\gnida[1].swf
Disinfection failed

C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\3IFY3UL2\gnida[1].swf
Deleted

C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\HORYWTO3\gnida[1].swf
Infected with: Trojan.Downloader.SWF.Gida.A

C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\HORYWTO3\gnida[1].swf
Disinfection failed

C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\HORYWTO3\gnida[1].swf
Deleted

C:\Program Files\Uninstall My Search Bar.dll
Infected with: Trojan.Dloader.CE

C:\Program Files\Uninstall My Search Bar.dll
Disinfection failed

C:\Program Files\Uninstall My Search Bar.dll
Deleted

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP760\A0078898.dll
Infected with: Trojan.Dloader.CE

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP760\A0078898.dll
Disinfection failed

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP760\A0078898.dll
Deleted




I hope this helps. Thanks for helping me so far.
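As an added example (not part of this thread, and not BitDefender's own tooling), here is a small Python parser for the "Scanned File / Status" section of the report above. It pairs each path with its detection name and the actions that followed, labels where on the disk each file sat, and recomputes the totals so they can be checked against the report's own Results block. The sample input is the section as posted in the thread; the location labels and helper names are my own choices.

```python
import re
from collections import Counter, OrderedDict

# Sample input: the "Scanned File / Status" section copied from the report
# posted above (blank lines between entries dropped; the parser ignores them).
SAMPLE_REPORT = r"""
Scanned File
Status
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-6edf6581.zip=>vmain.class
Infected with: Exploit.Java.Gimsh.B
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-6edf6581.zip=>vmain.class
Deleted
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-6edf6581.zip
Updated
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\3IFY3UL2\gnida[1].swf
Infected with: Trojan.Downloader.SWF.Gida.A
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\3IFY3UL2\gnida[1].swf
Disinfection failed
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\3IFY3UL2\gnida[1].swf
Deleted
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\HORYWTO3\gnida[1].swf
Infected with: Trojan.Downloader.SWF.Gida.A
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\HORYWTO3\gnida[1].swf
Disinfection failed
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\HORYWTO3\gnida[1].swf
Deleted
C:\Program Files\Uninstall My Search Bar.dll
Infected with: Trojan.Dloader.CE
C:\Program Files\Uninstall My Search Bar.dll
Disinfection failed
C:\Program Files\Uninstall My Search Bar.dll
Deleted
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP760\A0078898.dll
Infected with: Trojan.Dloader.CE
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP760\A0078898.dll
Disinfection failed
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP760\A0078898.dll
Deleted
"""

# A status line follows each path; "Infected with:" carries the threat name.
STATUS_RE = re.compile(r"^(Infected with: (?P<threat>.+)|Deleted|Disinfected|Disinfection failed|Updated)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Location classes (my own labels), first match wins. Restore-point copies
# are singled out because System Restore can bring such a file back later.
LOCATIONS = [
    (r"\\System Volume Information\\_restore", "restore point"),
    (r"\\Temporary Internet Files\\", "IE cache"),
    (r"\\Sun\\Java\\Deployment\\cache\\", "Java cache"),
    (r"^[A-Za-z]:\\Program Files\\", "Program Files"),
]


def classify(path):
    """Map a scanned path to a coarse location label for triage."""
    for pattern, label in LOCATIONS:
        if re.search(pattern, path, re.IGNORECASE):
            return label
    return "other"


def parse_report(text):
    """Return an OrderedDict path -> record, merging repeated path lines.

    '=>' marks a member inside an archive; the part before it is the container.
    Header lines such as "Scanned File" / "Status" match neither regex and are skipped.
    """
    records, current = OrderedDict(), None
    for line in (ln.strip() for ln in text.splitlines()):
        if PATH_RE.match(line):
            current = line
            container, _, member = line.partition("=>")
            records.setdefault(line, {"threat": None, "actions": [],
                                      "container": container if member else None,
                                      "location": classify(line)})
            continue
        m = STATUS_RE.match(line)
        if m and current is not None:
            if m.group("threat"):
                records[current]["threat"] = m.group("threat")
            else:
                records[current]["actions"].append(line)
    return records


def summarize(records):
    """Totals that should agree with the report's own Results block."""
    infected = [r for r in records.values() if r["threat"]]
    return {
        "infected_files": len(infected),
        "identified_viruses": len({r["threat"] for r in infected}),
        "deleted": sum("Deleted" in r["actions"] for r in infected),
        "disinfect_failed": sum("Disinfection failed" in r["actions"] for r in infected),
        "by_location": dict(Counter(r["location"] for r in infected)),
    }


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for path, r in recs.items():
        if r["threat"]:
            print(f"[{r['location']}] {r['threat']}: {path} -> {', '.join(r['actions'])}")
    print(summarize(recs))
```

On the posted report this yields 5 infected files, 3 distinct threat names and 5 deletions, matching the Results block, with four of the five files deleted only after "Disinfection failed". The one flagged as "restore point" lives under System Volume Information, which is a System Restore snapshot, so it is worth keeping in mind when deciding whether the cleanup is complete.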

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,613 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 28 December 2007 - 08:46 AM

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:
  • Download Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 3...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
Also let me know how your computer is running now.

#5 lauren h

lauren h
  • Topic Starter

  • Members
  • 6 posts

Posted 29 December 2007 - 05:08 PM

My computer is running on a GRUB dual-boot. When would I start pressing F8? After the Compaq screen flashes, or after I've told my computer to go into Windows?



