YAYYYYYYYYYYYYYY! I GOT RID OF IT!!! NO MORE "GREATFEEDMILL" CRAP!!
I wish I had a more cut-and-dry method to post, but I don't really know what happened. Sorry for the long post, but I'm firmly a believer in "the more info the better"... must be the engineer in me. Here's how it went:
1.) I had the problem with "greatfeedmill.com" attached to the beginning of every link I clicked (see earlier posts). The only way I could get to this here website was by right-clicking the links, going to Properties, and trying to get the real web address out of the "greatfeedmill" mess that the link was pointing to, and pasting that into the address bar. The sad thing is that a lot of links (including some scanner download links) are too messed up to find the real web address.
2.) Downloaded and ran Malwarebytes (good choice, see Kaoshaman's earlier post for download) which found a lot of infected files, one of which was that "nsrbgxod.bak" file in my C:\users\me\appdata\local\temp folder (even now I strongly believe "nsrbgxod.bak" was one of the files behind this mess, and that an evil registry key was created that would keep bringing the .bak file to life upon booting). For some reason, when I'm in the C:\users\me folder, I can't see the appdata folder, so I have to type it in manually... go figure. Malwarebytes kept trying to delete "nsrbgxod.bak" but it wouldn't die, since it was always "file in use", not even with the "delete upon reboot" option.
3.) Followed Kaoshaman's advice and downloaded and ran CCleaner (good choice, see Kaoshaman's earlier post for download). This got rid of outdated/invalid keys, and I was hoping this would see the evil registry key and get rid of it. Somehow the evil registry key slipped by though.
4.) Cursed A LOT and wished every bad thing upon the creator of the browser hijacker trojan thingie, and went to sleep (I highly recommend this step, you'll feel better).
**At some point, I downloaded Unlocker (good choice, http://www.technologystory.net/2009/03/10/...e-file-in-use/) and used it to unlock "nsrbgxod.bak", which was successful and then I deleted that evil file. IMPORTANT: If you have Vista, download the Unlocker app with the boxes checked only for "windows explorer extension" (Unlocker Assistant does not work for Vista and I heard bad news about the ebay add-on thingy, something about it being detected as malware). Then, all you have to do is right-click the .bak file and pick the wand icon for "Unlock". The only problem is, "nsrbgxod.bak" kept coming back every time I rebooted, since the evil registry key (not sure which one it was though) kept resurrecting it.
5.) Turned on the computer this morning and tried bigbillyvegas's advice and went to go run that Microsoft online scanner, except it didn't even get as far for me as it did for bigbillyvegas. It got to "Installing Scan Tools: 8 of 11: 60%" and then McAfee started going berserk!!! My comp got really slow and choppy, and McAfee kept saying every 5 seconds:
McAfee has automatically blocked and removed a Trojan.
About this Trojan
Detected: Generic.dx!gfi (Trojan), Generic.dx!gfi (Trojan), Generic.dx!gfi (Trojan)
This trojan kept popping up, and I even looked in the folder but only found calc.exe, the calculator application.
6.) At this point, the online scan window closed out somehow, and when I tried to run it again, I got error 0x0C67... or something like that. So, I went to the "forum" page that the scan page was suggesting, and searched for that error code in the forum, but I couldn't open any of the forums due to greatfeedmill, and I couldn't guess the real site address from the Properties of the link.
7.) The whole time, McAfee was blabbing about that Generic.dx!gfi trojan and I couldn't tell if the choppiness of the computer performance was due to the trojan or due to McAfee freaking out about it. So I opened the Task Manager and tried closing a bunch of the rundll.exe items that were under my username, but none of them would close.
8.) Pissed off, I restarted my comp and the whole Generic/McAfee mess started up again and I couldn't even move the mouse around smoothly. So I looked in the C:\users\me\appdata\local\temp folder again and found that, surprise, "nsrbgxod.bak" was back and causing havoc. Somehow, this time I was able to delete it, and then I rebooted.
9.) This is where it gets really weird: when my comp rebooted, I opened Task Manager when the desktop came up but stuff was still booting up, and "RunDLL" was the only application there. This could be normal, but I thought this was strange, since the good versions of rundll seem to be all in lower case usually. Before I could do anything, another window popped up saying something like:
Specified module could not be found"
I recognized this ntuser.dll from chewiecool's post and figured that somehow the mystery evil registry key was trying to use ntuser.dll to cause more trouble, but the link was broken, or something. I don't know, I'm not a computer expert. So I hit "ok" and the RunDLL disappeared from the Task Manager. So it started to look like I cut the vampire's head off, and now it was time to burn the body (Necroscope reference. great book by the way).
10.) Then I ran CCleaner and it found a couple of bad registry keys, like something about a .bak extension; but the one I was really interested in was one concerning ntuser.dll. It was in "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" and it was complaining about a missing reference. So it looked like ntuser.dll was hiding before, but somehow I revealed it and CCleaner took the opportunity to kill it while it was revealed.
11.) After rebooting and running CCleaner again, it found some bad stuff again including the .bak file, but nothing about the ntuser.dll. So now I was metaphorically burning the vampire body, since the head (ntuser.dll) was destroyed.
12.) I think I found "nsrbgxod.bak" again, but it couldn't be resurrected again and I deleted the thing.
13.) That's it. Now internet links don't all point to greatfeedmill.com
IN SUMMARY:
1.) Download and run Malwarebytes anti-malware tool as often as possible during your efforts.
2.) Download and run CCleaner; I used it on the internet/cookies category once, and the rest were only for the registry key category. Beware, it got rid of my internet password cookie, so I had to remember what my wireless password was.
3.) Reboot often.
4.) Run the Microsoft Online Scanner. It may get interesting at this point.
For Windows XP http://onecare.live.com/site/en-us/default.htm
For Windows Vista or Windows 7 http://onecare.live.com/site/en-us/sandbox/default_scan.htm
5.) Alternate between running Malwarebytes and CCleaner, and hopefully your problem will be solved.
Sorry again for the long post, but I want to give you guys as much potentially helpful info as possible, since I know how evil this hijacker is. Thanks to all who posted on this topic, and thanks to the guys before me that listed the links that I have included here for completeness.
Let me know if this works for you guys!
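Added example, not part of the original post and not the poster's own code: the post traces the reinfection to an entry under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that referenced ntuser.dll, alongside a .bak file that kept reappearing in the Temp folder. The read-only PowerShell script below lists Run-key entries and flags that pattern. The function names, the inclusion of the HKLM key, and the PowerShell 3.0+ requirement are assumptions of this example.

```powershell
# Added example (not from the original post): read-only audit of Run-key autostarts.
# Flags the pattern described above: rundll32 launchers, targets under
# AppData\Local\Temp, targets that are not .exe/.dll (e.g. a .bak file), and
# entries whose target file is missing (the "module could not be found" case).
# Assumes Windows PowerShell 3.0 or later. Function names are hypothetical.

$RunKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',   # key named in the post
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'    # machine-wide twin (assumption)
)

function Get-CommandTargets {
    param([string]$Command)
    # Heuristic: a drive-rooted path ending in an extension that is followed by
    # whitespace, a comma (rundll32 "file,EntryPoint" syntax), a quote, or end of string.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    $pattern  = '[A-Za-z]:\\[^"<>|]*?\.\w{2,4}(?=[\s,"]|$)'
    [regex]::Matches($expanded, $pattern) | ForEach-Object { $_.Value }
}

function Get-RunKeyFindings {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            $cmd   = [string]$regKey.GetValue($name)
            $flags = @()
            if ($cmd -match '\brundll32') { $flags += 'rundll32 launcher' }
            foreach ($target in @(Get-CommandTargets -Command $cmd)) {
                if (-not (Test-Path -LiteralPath $target)) { $flags += "missing file: $target" }
                if ($target -match '\\AppData\\Local\\Temp\\') { $flags += "runs from Temp: $target" }
                $ext = [IO.Path]::GetExtension($target)
                if (@('.exe', '.dll') -notcontains $ext) { $flags += "unusual extension: $ext" }
            }
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $cmd
                Flags   = $flags -join '; '
            }
        }
    }
}

# Show only the entries that tripped at least one check; nothing is modified or deleted.
Get-RunKeyFindings | Where-Object { $_.Flags } | Format-List
```

Legitimate software can trip these checks, so flagged entries are candidates for manual review rather than confirmed malware.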