Browser Hijacker


5 replies to this topic

#1 cableman

cableman

  • Members
  • 15 posts
  • OFFLINE
  • Local time:04:44 PM

Posted 14 January 2008 - 11:58 AM

I seem to be having a similar problem. I use netscape navigator for internet use and not the windows internet explorer. I cannot delete the explorer because it has shared files which are needed to run windows correctly so since I don't prefer explorer, I just don't use it.
The problem is that I think that I have some kind of browser hijacker. My internet connection is dsl so it is always available but I don't seem to have my problems until I actually open netscape to browse the internet. Netscape seems to work properly. Sometimes I will get an unwanted pop up ad but hardly ever and nothing I would consider out of the ordinary. What happens is that internet explorer starts opening up on its own and going crazy with mainly ad pop ups. Sometimes it can seem to be related to a web search I may be doing but it seems to mainly have a mind of its own.
I currently use "XoftSpySE" and "Avast" programs to monitor my computer and I also use norton system works quite frequently to keep things running smooth although I never use norton anti-virus (I have not even installed the anti-virus part of norton).
I have used all kinds of software in the past to try to correct problems and frequently seem to get into more of a mess if I'm not careful of the software I use. I am fairly sure that I have some kind of browser hijacker but my scans never seem to fix the problem even though I sometimes find malware and trojan horses and clean them out of my system.
Can someone please advise me on how to fix this problem as it is very aggravating as well as a worry to me. I am using windows xp on a dell home computer. Thank you in advance for any help.

#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,141 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:44 PM

Posted 14 January 2008 - 01:58 PM

First off, XoftSpy is a program that was previously listed as a rogue product on the Rogue/Suspect Anti-Spyware Products List because of concerns with False positives, questionable license terms, and the use of aggressive, deceptive advertising, including exploitation of the name "Spybot". It has since been delisted but in my opinion it is not a very effective program compared to others with a proven track record like those mentioned in BC's List of Virus & Malware Resources or one of the other Trustworthy Anti-Spyware Products.

Try running your scans in "Safe Mode". Then perform an Online Virus Scan like BitDefender.
(These require Internet Explorer to work. Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component. If given the option, choose "Quarantine" instead of delete.)
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 cableman

cableman
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:04:44 PM

Posted 15 January 2008 - 10:23 AM

Thank you for your response so far. I was originally impressed with XoftSpySE because of the way it described in detail the virus, worm, trojan horse, etc. and then supposedly fixed it. I didn't realize that it was mostly false positives to make itself look good for me to purchase.
I am still running an updated version of Avast and spyware blaster. I also downloaded and ran "ad-warese" and "spybot search and destroy" as suggested by your website and then ran "bit defender online scan" also. I ran this program using internet explorer since this is the browser that seems to be giving me the trouble but I still can't get the problem fixed. Explorer sometimes opens and doesn't even find a website to open a page with. I am not sure if I am supposed to post results of scans here but I'm new and not sure where to post these results so someone may know what I need to do to fix my computer without having to reformat the hard drive and reinstall all my programs. Here is what "bit defender" said. I did my best to get the results on here as I didn't really know how to get the results posted.

BitDefender Online Scanner

Scan report generated at: Tue, Jan 15, 2008 - 02:18:37
Scan path: A:\;C:\;D:\;E:\;

Statistics
Time: 01:04:28
Files: 253416
Folders: 4579
Boot Sectors: 3
Archives: 12946
Packed Files: 10145

Results
Identified Viruses: 3
Infected Files: 5
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 5

Engines Info
Virus Definitions: 890208
Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 7
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File -> Status
C:\WINDOWS\SYSTEM32\ijkkj.bak1 -> Infected with: Trojan.Vundo.DVS
C:\WINDOWS\SYSTEM32\ijkkj.bak1 -> Disinfection failed
C:\WINDOWS\SYSTEM32\ijkkj.bak1 -> Deleted
C:\WINDOWS\SYSTEM32\ijkkj.bak2 -> Infected with: Trojan.Vundo.DVS
C:\WINDOWS\SYSTEM32\ijkkj.bak2 -> Disinfection failed
C:\WINDOWS\SYSTEM32\ijkkj.bak2 -> Deleted
C:\WINDOWS\SYSTEM32\ijkkj.ini -> Infected with: Trojan.Vundo.DVS
C:\WINDOWS\SYSTEM32\ijkkj.ini -> Disinfection failed
C:\WINDOWS\SYSTEM32\ijkkj.ini -> Deleted
C:\WINDOWS\SYSTEM32\o8k0fsv0.tmp=>(Embedded EXE g) -> Infected with: Trojan.Dropper.Small.CU
C:\WINDOWS\SYSTEM32\o8k0fsv0.tmp=>(Embedded EXE g) -> Disinfection failed
C:\WINDOWS\SYSTEM32\o8k0fsv0.tmp=>(Embedded EXE g) -> Deleted
C:\WINDOWS\SYSTEM32\o8k0fsv0.tmp -> Update failed
C:\WINDOWS\SYSTEM32\oggktqv0.tmp=>(Embedded EXE g) -> Infected with: Backdoor.Program.AP
C:\WINDOWS\SYSTEM32\oggktqv0.tmp=>(Embedded EXE g) -> Disinfection failed
C:\WINDOWS\SYSTEM32\oggktqv0.tmp=>(Embedded EXE g) -> Deleted
C:\WINDOWS\SYSTEM32\oggktqv0.tmp -> Update failed

I hope you can make sense out of that; I had to get it into text form to get it on here. If you can tell me what to do to fix this without having to wipe my drive and reinstall everything it would be great cause everybody knows what a pain it is to have to reinstall everything and get it back to your own preferences. Thanks for any help. I really do appreciate it, I don't need haircuts anymore, I've pulled it all out by now.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,141 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:44 PM

Posted 15 January 2008 - 10:38 AM

As I said, XoftSpySE was originally delisted because of the concerns with false positives. It has since been delisted because the vendor took steps to correct this but I still cannot vouch for its effectiveness.

Your BitDefender scan found and deleted infected files to include vundo.

Please follow the instructions for using Vundofix in BC's self-help tutorial: "How To Remove Vundo/Winfixer Infection".

After running VundoFix, a text file named vundofix.txt will have automatically been saved to the root of the system drive, usually at C:\vundofix.txt. Please copy & paste the contents of that text file into your next reply.

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#5 cableman

cableman
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:04:44 PM

Posted 18 January 2008 - 05:04 PM

I have followed your instructions exactly and here are the log results:
First the folder I believe you want the contents posted from "vundofix" is the contents of folder "vundofix.txt" which is as follows:
VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 9:50:04 PM 1/17/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

Secondly I believe that you want to see the scan log results of "superantispyware" which is as follows:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/18/2008 at 01:40 AM

Application Version : 3.9.1008

Core Rules Database Version : 3382
Trace Rules Database Version: 1376

Scan type : Complete Scan
Total Scan Time : 02:22:49

Memory items scanned : 199
Memory threats detected : 0
Registry items scanned : 6209
Registry threats detected : 18
File items scanned : 123252
File threats detected : 13

Trojan.NetMon/DNSChange
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc

Trojan.cmdService
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc

Trojan.Rootkit-TnCore
C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP1371\A0131513.SYS

Trojan.Unknown Origin
C:\WINDOWS\QWXLYYBCCM93BG\KQU5SV1FWA6AV0.VBS
C:\WINDOWS\SYSTEM32\WTSSVCC.EXE

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\JJJLM.INI
C:\WINDOWS\SYSTEM32\JJJLM.INI2
C:\WINDOWS\SYSTEM32\JJLLM.BAK1
C:\WINDOWS\SYSTEM32\JJLLM.INI
C:\WINDOWS\SYSTEM32\KJJLM.BAK1
C:\WINDOWS\SYSTEM32\KJJLM.BAK2
C:\WINDOWS\SYSTEM32\KJJLM.INI2
C:\WINDOWS\SYSTEM32\KJJLM.TMP
C:\WINDOWS\SYSTEM32\MCRH.TMP

Trojan.ZenoSearch
C:\WINDOWS\SYSTEM32\RM.EXE


I have been a little busy with other things that cut out on my computer time somewhat in the last couple days but after following your last instructions, I don't seem to be having the browser problem of explorer popping open all the time on its own. I will have to do some internet surfing to make sure of a complete fix but I am already sure of some positive results. I am very thankful for your help.
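The SUPERAntiSpyware log pasted above is plain text: a threat-family name, then the registry keys or file paths it matched, with blank lines separating blocks. As an added example (not from this thread and not SUPERAntiSpyware's own code), the Python below parses that layout from a constructed, trimmed copy of the log, cross-checks the header totals against the items actually listed, and flags hits that sit inside old System Restore points, which is the situation the later restore-point advice addresses.

```python
import re
from collections import Counter

# Constructed sample in the SUPERAntiSpyware 3.x log layout (trimmed, not the original).
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log

Registry threats detected : 3
File threats detected : 4

Trojan.cmdService
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service

Trojan.Rootkit-TnCore
C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP1371\A0131513.SYS

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\JJJLM.INI
C:\WINDOWS\SYSTEM32\KJJLM.BAK1

Trojan.ZenoSearch
C:\WINDOWS\SYSTEM32\RM.EXE
"""

def classify(item):
    # 'registry' for a hive-rooted key or value, 'file' for a drive-letter path.
    return ("registry" if re.match(r"^HK(LM|CU|U|CR)\\", item)
            else "file" if re.match(r"^[A-Za-z]:\\", item) else None)

def parse_sas_log(text):
    # Blank lines separate blocks. Header blocks carry the declared totals; a block
    # whose first line is followed only by keys or paths is one threat family.
    declared, findings = {}, {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        for ln in lines:
            m = re.match(r"^(Registry|File|Memory) threats detected\s*:\s*(\d+)$", ln)
            if m:
                declared[m.group(1).lower()] = int(m.group(2))
        head, items = lines[0], lines[1:]
        kinds = [classify(i) for i in items]
        if items and all(kinds):
            findings[head] = list(zip(kinds, items))
    return declared, findings

def check_totals(declared, findings):
    # {kind: (declared, counted)}; a mismatch means the pasted log is incomplete.
    counted = Counter(k for items in findings.values() for k, _ in items)
    return {k: (declared.get(k, 0), counted.get(k, 0)) for k in ("registry", "file")}

def restore_point_hits(findings):
    # Files inside System Volume Information\_restore{...} live in old restore points,
    # which cleaners cannot remove: hence the advice to create a fresh point afterwards.
    return [i for items in findings.values() for k, i in items
            if k == "file" and re.search(r"\\_RESTORE\{", i, re.IGNORECASE)]
```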

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,141 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:44 PM

Posted 18 January 2008 - 08:46 PM

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. That's probably how you came to be infected in the first place. Please follow these steps to remove older version Java components and update:
  • Download Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 4...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "English".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.
If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

