browser hijack

Ok...I've never actually had to ask for help on a virus fix before, but this one is a doozy. ;__;

I'm running Windows XP. There's no real error messages, so I'll just try to describe what's happening. Essentially search results in Firefox are being redirected. And I can't get onto sites such as Lavasoft or anything else that might fix an infection. (I'm on my laptop typing this)

Ad-Aware finds nothing, or at least, not what's causing this. My anti-virus is PCTools, and that also finds nothing. Using a USB stick, I tried to install Spybot Search and Destroy and Spyware Terminator. The latter installs and it says it's detected stuff, but when it finishes the scan, nothing. The former simply won't work.

I also tried to install HijackThis and that won't install at all.

The other weird thing is that it won't boot in Safe Mode. It gets stuck at a blank screen and won't load. There's a ctfmon at startup and I disabled that, but it doesn't seem to have any real effect, other than not loading on the first restart. I've disabled my internet connection on that computer too because I just don't know what it's doing.

I'm totally stumped as to what I should do next... Halp?


Edit: oh, and one other thing. An .exe file with a random name like, pjhjjgm, I'm not for sure on that, asked for internet access before this all happened. I denied it, and shortly thereafter, my whole computer froze. And upon restart, the name of the program was no longer in ZoneAlarm's logs. So that's why I am not positive on the name. I only know it started with 'p', had three 'j's and was basically gibberish.

Edited by raito, 03 December 2008 - 08:18 PM.

Did you try all of these scans in safe mode? Go into safe mode by tapping F8 as the computer starts up.
The file name sounds vaguely familiar...

Did you try all of these scans in safe mode? Go into safe mode by tapping F8 as the computer starts up.
The file name sounds vaguely familiar...

Except it won't boot in safe mode. AT ALL. Which has never happened to me before and is frankly why I'm completely stumped.

Edited by raito, 03 December 2008 - 08:18 PM.

Oh. That could be a problem. So what happens when you try to boot into safe mode? Does it just automatically go to regular mode no matter what you do? Or is there some type of error?

For some drastic advice: I've had a virus before with a weird name that could not be detected. I had to manually search for all recent files and force delete any suspicious thing. Dangerous, I know. Well, it was in My Computer/Windows/system32. Order it by date, go to the most recent files of the list, and see if there's any file with the name you mentioned.

Oh. That could be a problem. So what happens when you try to boot into safe mode? Does it just automatically go to regular mode no matter what you do? Or is there some type of error?

For some drastic advice: I've had a virus before with a weird name that could not be detected. I had to manually search for all recent files and force delete any suspicious thing. Dangerous, I know. Well, it was in My Computer/Windows/system32. Order it by date, go to the most recent files of the list, and see if there's any file with the name you mentioned.

Actually what it does is it just freezes at a black screen, and I end up having to forcibly power it off and then start normally.

So are you saying, just open that Windows folder and look for files modified today? (or that file i mentioned)

Not sure if it matters...but I also ran Fixwareout.

Ok, the file is called pmjjgjhl.exe
And my computer froze when I tried to search for it via Yahoo. I found it in something called ZALog, but NOT the actual file. And I just tried to google it, and no results. o_0

Edited by raito, 03 December 2008 - 08:35 PM.

*sigh* ok, I have some more info. If I go to regedit and search for "coolwebsearch", about four entries turn up. Their data is listed as: coolwebsearch, bagle, .exe and pheasant. The problem is, when I delete them and restart. They're there again the next time I search. I think these things are the root problem. Any idea on how to get rid of them for good?

Edit: disabled nwiz.exe/install and ctfmon at startup. It seemed to solve the problem of coolwebsearch coming back into the registry. I also ran CWShredder, which said it found two variants of CWS. Upon restart, the Spybot S&D Resident detected two attempts to modify the registry to include ctfmon and svchost at startup. Both were listed as parasites in the info.

However, whenever I run CWShredder, an error thing comes up midway through mandating an automatic shutdown and it counts down from 60. It's done this twice. And my web browsers are still being hijacked after the restart.
I just ran it again and this time only one variant of CWS came up, but the same restart thing still happened and various other errors that happened too fast for me to record.


Iono. I give up. I hope there's someone here that's smart enough to figure it out.

Edited by raito, 04 December 2008 - 12:51 AM.

Sorry to keep replying to myself, but I can't stop working on this...

Ok, so using CWShredder to get rid of CWS variants, I was finally able to reboot and it picked up nothing. However, once I connected to the internet. The search result redirection wasn't happening, but it was still very slow and I couldn't connect to any virus/spyware/firewall sites or this site. So I rebooted, and the search redirection was back, so obviously something got picked up and then added on reboot. When I ran CWShredder again, it removed cws.msconfig. So I think I'm right on this assumption. Unfortunately, I don't know what it could be and since most of my spyware removers aren't function quite right and can't update, I'm stumped on how to remove it permanently.

Also, I still cannot boot in 'safe mode'. So again, I restarted in normal mode. This time it got to the desktop and then basically froze. I had to shut off internet again to make it load everything. And Spybot S&D detected another attempt to change a startup program. CWShredder found nothing. I was also able to install Spyware Blaster and get updates. I still can't get updates for Spybot S&D or Ad-Aware though.
___________________________________________________


So I guess what I'm asking now is, I feel like I'm going in circles. There's something that gets me as soon as I get on the internet, and then it loads stuff at startup. I can keep removing it, but it keeps coming back.

BIG QUESTION. I see now, looking in my registry, under Windows, down to Internet Settings, in Zone Map - Domains, I have a CRAPLOAD of websites, like gambling and porn. I've never been to these sites, so I can only assume it's been added by the thing. CAN I DELETE THIS WHOLE FOLDER? It's huge, srsly.

Edited by raito, 04 December 2008 - 01:59 PM.

Wow, that's a huge amount of information for me to take in...

Also, I'm guessing you backed up all of your personal files, just in case?

Woah, what are you doing just randomly editing the registry? I really don't suggest doing that, because it could render your computer completely useless.
For the Zone Map Domains thing, that is likely to be normal. I've noticed it on my computer, too, and I think that it is the list of websites blocked by default by IE. There is a small chance that it could be harmful, however.

As for the file pmjjgjhl.exe, there are no results in yahoo, and the only ones in google are the posts you made in this forum and some other forum. And what I meant in the Windows folder thing was trying to look at all files that were created recently, not necessarily modified recently. If there's anything with weird names that are created very recently, delete it. That is, if you want to take the risk.
Something like nwix.exe/install apparently has no harmful virus-like effects, although deleting it does not do any harm, either. Do you just use msconfig for the startup items? I think it would be better to use something like the advanced mode in Spybot S&D, which also gives a description on some startup items.

Did spyware blaster find anything? How about installing something like Malwarebytes Anti-Malware?

With such an extreme case that you cannot even go into safe mode, which is definitely out of my range of help, you may even have to revert to reinstalling Windows XP.

Wow, that's a huge amount of information for me to take in...

Also, I'm guessing you backed up all of your personal files, just in case?

Woah, what are you doing just randomly editing the registry? I really don't suggest doing that, because it could render your computer completely useless.
For the Zone Map Domains thing, that is likely to be normal. I've noticed it on my computer, too, and I think that it is the list of websites blocked by default by IE. There is a small chance that it could be harmful, however.

As for the file pmjjgjhl.exe, there are no results in yahoo, and the only ones in google are the posts you made in this forum and some other forum. And what I meant in the Windows folder thing was trying to look at all files that were created recently, not necessarily modified recently. If there's anything with weird names that are created very recently, delete it. That is, if you want to take the risk.
Something like nwix.exe/install apparently has no harmful virus-like effects, although deleting it does not do any harm, either. Do you just use msconfig for the startup items? I think it would be better to use something like the advanced mode in Spybot S&D, which also gives a description on some startup items.

Did spyware blaster find anything? How about installing something like Malwarebytes Anti-Malware?

With such an extreme case that you cannot even go into safe mode, which is definitely out of my range of help, you may even have to revert to reinstalling Windows XP.

I've edited the registry before on small stuff, and I figured for deleting coolwebsearch, it didn't seem to have any ill effects anyway. I think you're right about the Domain thing though. I think those are banned sites or smth. The pmjjgjhl thing is really boggling, because I can't find it anywhere but in Zone Alarm's logs where it blocked access. But it doesn't seem to be on my computer anymore.

I have Spybot S&D, but only a few features seem to work. How would I go about getting into that mode you referred to? I have only used Msconfig so far... And yeah, I just recently tried to install MBAM, and it was blocked, and when I renamed the setup file, it SEEMED to install, but then froze up at the end, and I can't open it or use it in any way. And no, Spyware Blaster doesn't seem to find anything, though it seems to work.

So yeah, I srsly have no idea how to even FIND this thing at this point. It blocks just about anything that might be helpful.

Edited by raito, 04 December 2008 - 09:25 PM.

What do you mean by froze up at the end?

What do you mean by froze up at the end?

When it says "finishing install" and the progress bar is almost full, it just freezes and eventually goes into 'not responding' and has to be closed via the task manager.

Uninstall MBAM and try to reinstall it again and see what happens. Please post back and tell if it installed this time. If you want to check if it opens, go ahead as well.

Edited by scff249, 04 December 2008 - 10:08 PM.

Uninstall MBAM and try to reinstall it again and see what happens. Please post back and tell if it installed this time. If you want to check if it opens, go ahead as well.

The uninstall freezes too. I tried both from the Control Panel and the MBAM uninstaller from the Start Menu. Neither works. I also tried installing it again in another location and same result.

I figured something wouldn't work.

I'll contact someone to help you with this problem.