Browser/Search Engine Hijack and Redirect


16 replies to this topic

#1 Rapesco500

Rapesco500

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 24 July 2009 - 05:29 PM

Hi,

Any browser searches in search engines are being redirected to a variety of rogue sites. This happens with Firefox 3.5 (my default browser) but also Explorer (tried it as a test) and in a variety of search engines, so whatever is doing this is not browser or search engine specific. Bookmarks still work OK, as does pasting web addresses into the address window and pressing Enter.

I have run SpyBot Search & Destroy, Ad-Aware and AntiMalware, none of which have solved the problem.

I have AVG Free, ZoneAlarm and Winpatrol running at all times.

Any advice would be welcomed.

thanx,
Rapesco500

Edited by The weatherman, 24 July 2009 - 05:47 PM.
Moved from HJT to a more appropriate forum. Tw



#2 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:56 PM

Posted 24 July 2009 - 06:09 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then bullet the immediate notification bubble. Then press submit.



Can you please post us your latest Malwarebytes log?
Computer Pro

#3 Rapesco500

Rapesco500
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 25 July 2009 - 09:12 AM

Malwarebytes run today, log posted below. Five problems reported, none of which showed up on the previous Malwarebytes scan two days ago. No action taken as yet on reported problems, will wait until instructed before removing.

PS, I am subscribed to the post as recommended.



Malwarebytes' Anti-Malware 1.39
Database version: 2498
Windows 5.1.2600 Service Pack 3

25/07/2009 15:24:00
mbam-log-2009-07-25 (15-23-54).txt

Scan type: Full Scan (C:\|)
Objects scanned: 146221
Time elapsed: 57 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\hjgruixtpluxfc.dll (Trojan.TDSS) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\hjgruixtpluxfc.dll (Trojan.TDSS) -> No action taken.
c:\program files\speed video splitter\mpgdec.ax (Backdoor.Bot) -> No action taken.
c:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> No action taken.

#4 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:56 PM

Posted 25 July 2009 - 11:21 AM

Hello unfortunately I have bad news:

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.



If you wish to continue cleaning, then please remove what Malwarebytes found, reboot, then run a Quick Scan after that.
Computer Pro

#5 Rapesco500

Rapesco500
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 27 July 2009 - 03:26 PM

I would like to try and clean the machine with your assistance.

I removed what Malwarebytes found, and have run the scan again - log posted below.



Malwarebytes' Anti-Malware 1.39
Database version: 2498
Windows 5.1.2600 Service Pack 3

27/07/2009 21:39:27
mbam-log-2009-07-27 (21-39-20).txt

Scan type: Full Scan (C:\|)
Objects scanned: 146892
Time elapsed: 2 hour(s), 14 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\hjgruixtpluxfc.dll (Trojan.TDSS) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\hjgruixtpluxfc.dll (Trojan.TDSS) -> No action taken.

#6 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:56 PM

Posted 27 July 2009 - 03:31 PM

Ok, next, let's run RootRepeal, it looks like you have a rootkit.

Please install RootRepeal

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K
Unzip that to your Desktop and then click RootRepeal.exe to open the scanner.

*Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the Files tab, then click the Scan button.
* In the Select Drives dialog, Please select drives to scan: select all drives showing, then click OK.
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Please note: If RootRepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High.


Note 2: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".
Computer Pro

#7 Rapesco500

Rapesco500
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 29 July 2009 - 03:51 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/29 22:06
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\hjgruicbnylyab.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruidqvdksrq.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruirscxiesm.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruixtpluxfc.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruipjuxdassip.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruisomgseqvri.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruiyhoylqsnxs.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruietynvxeisv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\hjgruiiwuxmftj.sys
Status: Invisible to the Windows API!

Path: c:\windows\system32\drivers\pcouffin.sys
Status: Allocation size mismatch (API: 81920, Raw: 49152)

Path: C:\Program Files\Adobe\Adobe Photoshop CS2\Legal\fr_fr
Status: Locked to the Windows API!

Path: C:\Program Files\Adobe\Adobe Photoshop CS2\Legal\it_it
Status: Locked to the Windows API!

Path: \\?\C:\Program Files\Adobe\Adobe Photoshop CS2\Legal\fr_fr\*
Status: Could not enumerate files with the Windows API (0x00000017)!


Path: C:\Program Files\Adobe\Adobe Photoshop CS2\Legal\fr_fr\License.html
Status: Invisible to the Windows API!

Path: \\?\C:\Program Files\Adobe\Adobe Photoshop CS2\Legal\it_it\*
Status: Could not enumerate files with the Windows API (0x00000017)!


Path: C:\Program Files\Adobe\Adobe Photoshop CS2\Legal\it_it\License.html
Status: Invisible to the Windows API!

#8 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:56 PM

Posted 30 July 2009 - 11:40 AM

Path: C:\WINDOWS\system32\drivers\hjgruiiwuxmftj.sys
Status: Invisible to the Windows API!

Please run RootRepeal, then right click on this item and select *Wipe File*.

Then please update Malwarebytes, then run a Quick Scan and post back the log.
Computer Pro

#9 Rapesco500

Rapesco500
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 31 July 2009 - 04:35 PM

C:\WINDOWS\system32\drivers\hjgruiiwuxmftj.sys
deleted using Wipe File with RootRepeal, Malwarebytes updated and quick scan run, log below:


Malwarebytes' Anti-Malware 1.39
Database version: 2536
Windows 5.1.2600 Service Pack 3

31/07/2009 22:46:43
mbam-log-2009-07-31 (22-46-36).txt

Scan type: Quick Scan
Objects scanned: 87354
Time elapsed: 1 hour(s), 23 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Temp\hjgruietynvxeisv.tmp (Trojan.TDSS) -> No action taken.
c:\WINDOWS\system32\drivers\hjgruiiwuxmftj.sys (Trojan.Agent) -> No action taken.

#10 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:56 PM

Posted 31 July 2009 - 08:35 PM

Please make sure that you removed those items in the log.

Then after you have removed them through the program:

Please run ATF and SAS:
Credits to Boopme

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Edition

Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
Computer Pro

#11 Rapesco500

Rapesco500
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 04 August 2009 - 12:30 PM

Ran ATF and SAS in Safe Mode, SAS log posted below. The two found files were quarantined.
(Sorry it's taken a few days but I had to run SAS overnight.)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/04/2009 at 01:06 PM

Application Version : 4.27.1000

Core Rules Database Version : 4033
Trace Rules Database Version: 1973

Scan type : Complete Scan
Total Scan Time : 04:58:27

Memory items scanned : 240
Memory threats detected : 0
Registry items scanned : 6169
Registry threats detected : 0
File items scanned : 58822
File threats detected : 2

Adware.Vundo/Variant-MSFake
C:\WINDOWS\SYSTEM32\ECESQ.DLL
C:\WINDOWS\SYSTEM32\T5RDV.DLL

#12 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:56 PM

Posted 04 August 2009 - 12:34 PM

How are things running now?
Computer Pro

#13 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:56 PM

Posted 04 August 2009 - 02:10 PM

Scan type: Quick Scan
Objects scanned: 87354
Time elapsed: 1 hour(s), 23 minute(s), 23 second(s)


This is an unusually long time for a quick scan with MBAM and normal mode?

Always try to run MBAM in normal mode as it's crippled in safe mode.

Of course if your hard drive was almost full and badly fragmented or you have way too many processes running?

Just thought I would point this out.

:thumbsup:
Chewy

No. Try not. Do... or do not. There is no try.

#14 Rapesco500

Rapesco500
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 06 August 2009 - 03:36 PM

How are things running now?



No more browser hijacks/redirects so everything seems to be OK now. :thumbsup:
Thanks for your excellent, clear advice and patience. :flowers:

#15 Rapesco500

Rapesco500
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 06 August 2009 - 03:45 PM

This is an unusually long time for a quick scan with MBAM and normal mode?

Always try to run MBAM in normal mode as it's crippled in safe mode.

Of course if your hard drive was almost full and badly fragmented or you have way too many processes running?

Just thought I would point this out.

:flowers:


The hard drive is about 50% full, recently defragmented and with minimal processes running when running MBAM. It's just a very old and slow PC, at least in computer terms, but thanks very much for taking the time to post a comment :thumbsup:



