
hello & want to give greatfeedmill browser hijack help


  • This topic is locked
8 replies to this topic

#1 chewiecool

  • Members
  • 1 posts

Posted 22 October 2009 - 01:33 PM

New user here, and I tried to post a reply to a person whose browser (like mine) was hijacked. It was part of the fake "antivirus pro" software virus which tagged along with, I think, a .pdf doc I downloaded online. It was after this that fake Windows-impersonating screens filled my monitor with "WARNING! click to scan for viruses" etc. etc.

Running Malwarebytes successfully dealt with the majority of the infection. The balance was a browser hijack whereby all my links on any webpage were directed to a "providefeed.com" or "greatfeedmill.com" link.

Malwarebytes detected two reg keys that referenced "calc" at the end in the LOCAL_MACHINE & CURRENT_USER CurrentVersion\Run locations, and the following files:

"nsrbgxod.bak"
"ntuser.dll"
"scandisk.dll"

which were to be all deleted after reboot, but never did. The browser hijack continued.

I could not see the above-mentioned files in the directories (with show hidden files on) except for "nsrbgxod.bak", which was always 'in use' and hence could not be deleted.

I tried deleting the reg keys manually, but they seemed to be re-written soon after. I changed the variables in the key; those changes stuck for 10-15 seconds before reverting back to the original. Obviously a background program was re-writing them.

I tried closing programs in the task manager to free up "nsrbgxod.bak" so I could delete it, but never found the right program until I hit a vital program which said (if I remember correctly) the RPC module has failed and XP will reboot in 60 seconds.. countdown started.... I waited until the countdown was about 10 seconds, then changed the two registry keys above by clicking "modify" and adding an extra character (in this case a 'd' LOL) to the "value" and hitting "OK" .. my computer rebooted once the countdown hit zero. On reboot I got error msgs as the reg keys were now invalid, clicked OK on them.

Magically, now, where Malwarebytes said the "ntuser.dll" file was located, it showed up and I could delete it.

"nsrbgxod.bak" was also no longer tied up and I could delete it along with the now modified registry keys. Waited 1 min and refreshed the registry "F5" and the keys did not show-up again.

Rebooted without opening my browser (was too scared to check), checked registry, keys gone, checked files, files still gone, checked IE and my browser was hijacked no longer!

So, I know a little of how to get around my comp. but there has to be an easier way to deal with this particular hijack. From what I could find on google via "greatfeedmill.com browser hijack" there isn't much 'cept for a yahoo question and bleepingcomputer.com. Maybe this virus has another name.

I hope this makes it to all who have this problem and a mod can supply a more straight forward fix! :thumbsup:

Update:

I forgot to mention that I also had a reg key called "Rwojorojewujoxuc" with value "rundll32.exe "C:\WINDOWS\awikonej.dll",Startup"

I tried googling awikeone.dll and the name of the reg key but had no results. I assumed it bad and edited the value to read "rundll32.exe "C:\WINDOWS\awikonej.dll",Startupd", just with a 'd' on the end. I have yet to delete the reg key until I know that it actually isn't important. But who knows, with the renamed value, it could be part of the virus but now disabled.


EDIT: Moved to a more appropriate forum

Edited by garmanma, 23 October 2009 - 10:44 AM.
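The post above describes three things worth checking mechanically rather than by hand: Run entries under HKLM and HKCU that keep coming back, a rundll32 entry loading a DLL at logon, and a file that cannot be deleted because a running process has it open. The script below is an added example written by the editor; it is not code from this thread, from Malwarebytes, or from any other tool named here. It audits the Run and RunOnce keys, flags entries that match the pattern the posters describe (a rundll32 DLL load, a target in a temp folder or with a non-executable extension such as .bak, or a target that no longer exists), lists which process has a flagged file mapped so it can be stopped before deletion, and polls the keys for a short window to catch a value being re-written after you remove it. The flagging heuristics are the editor's assumptions, not a published signature for this malware, and the script needs an elevated PowerShell prompt.

```powershell
# Added example (editor's own code, not from the thread or any named tool).
# Assumptions: elevated PowerShell; the heuristics below are the editor's guesses
# at what distinguishes this hijacker's Run entries, not a vendor signature.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# For a rundll32 command the file that matters is the DLL argument, e.g.
#   rundll32.exe "C:\WINDOWS\awikonej.dll",Startup  ->  C:\WINDOWS\awikonej.dll
function Get-RundllTarget {
    param([string]$Command)
    if ($Command -match '(?i)rundll32(\.exe)?\s+"?([^",]+)"?\s*,') { return $Matches[2].Trim() }
    return $null
}

# Otherwise take the quoted path, or the first whitespace-delimited token.
function Get-CommandTarget {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}

function Test-RunEntry {
    param([string]$Key, [string]$Name, [string]$Command)
    $reasons = @()
    $target = Get-RundllTarget $Command
    if ($target) { $reasons += 'rundll32 loads a DLL at logon' } else { $target = Get-CommandTarget $Command }
    $target = [Environment]::ExpandEnvironmentVariables($target)
    if (-not $target) {
        $reasons += 'no target path could be parsed'
    } elseif (-not (Test-Path -LiteralPath $target)) {
        $reasons += "target does not exist ($target)"   # dangling entry: the 'module could not be found' case
    }
    if ($target -match '(?i)\\(temp|tmp)\\')   { $reasons += 'target lives in a temp directory' }
    if ($target -match '(?i)\.(bak|dat|tmp)$') { $reasons += 'code under a non-executable extension' }
    [pscustomobject]@{ Key = $Key; Name = $Name; Command = $Command; Target = $target; Reasons = $reasons }
}

function Get-SuspiciousRunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            if (-not $cmd) { continue }                  # skip an empty (default) value
            $entry = Test-RunEntry -Key $key -Name $name -Command $cmd
            if ($entry.Reasons.Count -gt 0) { $entry }
        }
    }
}

# "File in use" on delete means some process has the file mapped; for a rundll32
# entry that is normally a rundll32.exe instance. Stop that process, then delete.
function Get-ProcessHoldingFile {
    param([string]$Path)
    foreach ($p in Get-Process) {
        $mods = $null
        try { $mods = $p.Modules } catch { continue }   # access denied on protected processes
        if ($mods | Where-Object { $_.FileName -ieq $Path }) {
            [pscustomobject]@{ Id = $p.Id; ProcessName = $p.ProcessName; Path = $p.Path }
        }
    }
}

# Poll the Run keys and report values that appear (or reappear) during the
# window; this exposes the re-write loop the first post describes (10-15 s).
function Watch-RunKeys {
    param([int]$Seconds = 60, [int]$IntervalSeconds = 5)
    $seen = @{}
    foreach ($key in $RunKeys) { if (Test-Path $key) { $seen[$key] = @((Get-Item $key).GetValueNames()) } }
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $IntervalSeconds
        foreach ($key in $RunKeys) {
            if (-not (Test-Path $key)) { continue }
            $now = @((Get-Item $key).GetValueNames())
            foreach ($n in $now) {
                if ($seen[$key] -notcontains $n) {
                    "{0:HH:mm:ss} value '{1}' appeared in {2}" -f (Get-Date), $n, $key
                }
            }
            $seen[$key] = $now
        }
    }
}

# Usage: list flagged entries, find what holds each target open, then watch for re-writes.
Get-SuspiciousRunEntries | Format-List Key, Name, Command, Reasons
Get-SuspiciousRunEntries | ForEach-Object { Get-ProcessHoldingFile -Path $_.Target }
Watch-RunKeys -Seconds 30
```

The order matters: delete the Run value first, then stop the process Get-ProcessHoldingFile reports, then delete the file, and only trust the result if Watch-RunKeys stays quiet afterwards; if a value reappears during the watch window, another process (one not yet identified) is still re-writing it.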



#2 malch

  • Members
  • 3 posts

Posted 23 October 2009 - 01:42 AM

Thank you, you are very kind. I am desperate with this.
I am going to work now but will try all this when I get home. Fingers crossed. Many thanks :)

#3 Sticky Money

  • Members
  • 10 posts

Posted 23 October 2009 - 01:11 PM

Let me know if this works for anyone else. I've got the same hijacker (McAfee cleaned up the rest, but the hijacker remains). I made a post in the HijackThis forum, but they probably won't have time to get to it for another two weeks or so.

#4 Kaoshaman

  • Members
  • 1 posts

Posted 23 October 2009 - 03:35 PM

I found this posting after I got the greaterfeedmill.com hijack and I got rid of it by downloading CCleaner and Malwarebytes. I did a full scan on my registry and cleaned it up with CCleaner, then did a full scan with Malwarebytes. No more jacked-up browser for me.

And since I couldn't click any links, I had to open the source files on all the websites because I could only do searches, no links. So here:

CCleaner Download:
http://www.ccleaner.com/download/downloading

Malwarebytes CNET download:
http://download.cnet.com/3001-8022_4-10804...art=dl-10804572

Copy and paste those into your browser and it should start downloading, so you don't have to worry about links to click.

Hope it helps.

Kaoshaman

#5 Sticky Money

  • Members
  • 10 posts

Posted 24 October 2009 - 12:56 PM

I already ran both of them. And McAfee. And Ad-Aware. Didn't work for me. :thumbsup:

#6 ARMcKay

  • Members
  • 35 posts

Posted 24 October 2009 - 06:03 PM

I also experienced this as an after-effect of the Security Tool malware. After manually removing the Security Tool junk I was left with a "greatfeedmill" redirect. Editing the registry and getting those two locations to not re-write was difficult and much trial and error. I got them one at a time and never found the specific critical process you did. I would edit the registry key (also adding "d" for good luck - hey, it worked for you) and after getting both of the keys changed I too could eliminate the nsrbgxod file. I had to run Malwarebytes to get rid of the ntuser.dll, but scanning afterwards I think I am clean. THANK YOU for posting this - I wouldn't have gotten to here without your help. Let's hope this eradicates it!!

#7 spanky!

  • Members
  • 2 posts

Posted 31 October 2009 - 01:18 AM

@chewiecool and ARMcKay:

Thanks for posting your experiences. I have a very similar situation, but Malwarebytes got rid of all the bugs except "nsrbgxod.bak". When I scan my comp with Malwarebytes now, it only comes up with "nsrbgxod.bak", and none of the registry keys that it did before, and of course "nsrbgxod.bak" doesn't end up getting deleted upon reboot. My question to you is:

What, specifically, were the registry keys you had to modify? I don't see a CurrentVersion under LOCAL_MACHINE or CURRENT_USER. Maybe the only thing left on my computer is "nsrbgxod.bak"? So whereas you modified the registry keys to free up "nsrbgxod.bak", I don't have/know which registry keys to do it to, since Malwarebytes only shows "nsrbgxod.bak" as a threat now.

Please help! I would greatly appreciate it. And if I ever get my hands on the person that created this browser hijack: :thumbsup: Not literally, though. Just a metaphor for my rage...

#8 bigbillyvegas

  • Members
  • 3 posts

Posted 31 October 2009 - 07:38 AM

Wow. What a mess this greatfeedmill hijacker is. My fix required three easy things to do...a Microsoft online scan, Startup control panel and Malwarebytes. The hijack is remedied after the first step. Steps 2 and 3 are for cleanup.

1. Run the online scan. You need to paste both lines of the link directly into your browser if you are currently having the hijack problem:

For Windows XP
http://onecare.live.com/
site/en-us/default.htm

For Windows Vista or Windows 7
http://onecare.live.com/
site/en-us/sandbox/default_scan.htm

I ran the scan utility for about 20 minutes or so and I think it only got to 2% complete. This is O.K. I clicked Cancel and it then showed me what the problems were. Select the boxes to repair ALL of the files it identifies (one of which is calc.dll). Once it is done cleaning/repairing, reboot your PC.

After reboot, calc.dll and ntuser.dll are still trying to run but are failing since the files are gone.

2. Download and run startupCPL_EXE.zip

For all Windows
www.mlin.net//files/startupCPL_EXE.zip

I downloaded and ran the standalone version. I've used this program before and it is fantastic. Go through the tabs, then right-click and delete the references to calc.

3. Run Malwarebytes and remove any other issues.

http://download.cnet.com/
Malwarebytes-Anti-Malware/
3000-8022_4-10804572.html
?part=dl-10804572&subj=dl&tag=button

Note that if you run Malwarebytes first (before doing the online scan), it will find the problem files, but is unable to remove them even after a reboot, so you are left in a hijacked state.

My PC is fixed, so let me know if this works for you too!

#9 spanky!

  • Members
  • 2 posts

Posted 31 October 2009 - 04:43 PM

YAYYYYYYYYYYYYYY! I GOT RID OF IT!!! NO MORE "GREATFEEDMILL" CRAP!!

I wish I had a more cut-and-dry method to post, but I don't really know what happened. Sorry for the long post, but I'm firmly a believer in "the more info the better"... must be the engineer in me. Here's how it went:

1.) I had the problem with "greatfeedmill.com" attached to the beginning of every link I clicked (see earlier posts). The only way I could get to this here website was by right-clicking the links, going to Properties, and trying to get the real web address out of the "greatfeedmill" mess that the link was pointing to, and pasting that into the address bar. The sad thing is that a lot of links (including some scanner download links) are too messed up to find the real web address.

2.) Downloaded and ran Malwarebytes (good choice, see Kaoshaman's earlier post for download) which found a lot of infected files, one of which was that "nsrbgxod.bak" file in my C:\users\me\appdata\local\temp folder (even now I strongly believe "nsrbgxod.bak" was one of the files behind this mess, and that an evil registry key was created that would keep bringing the .bak file to life upon booting). For some reason, when I'm in the C:\users\me folder, I can't see the appdata folder, so I have to type it in manually... go figure. Malwarebytes kept trying to delete "nsrbgxod.bak" but it wouldn't die, since it was always "file in use", not even with the "delete upon reboot" option.

3.) Followed Kaoshaman's advice and downloaded and ran CCleaner (good choice, see Kaoshaman's earlier post for download). This got rid of outdated/invalid keys, and I was hoping this would see the evil registry key and get rid of it. Somehow the evil registry key slipped by though.

4.) Cursed A LOT and wished every bad thing upon the creator of the browser hijacker trojan thingie, and went to sleep (I highly recommend this step, you'll feel better).

**At some point, I downloaded Unlocker (good choice, http://www.technologystory.net/2009/03/10/...e-file-in-use/) and used it to unlock "nsrbgxod.bak", which was successful and then I deleted that evil file. IMPORTANT: If you have Vista, download the Unlocker app with the boxes checked only for "windows explorer extension" (Unlocker Assistant does not work for Vista and I heard bad news about the ebay add-on thingy, something about it being detected as malware). Then, all you have to do is right-click the .bak file and pick the wand icon for "Unlock". The only problem is, "nsrbgxod.bak" kept coming back every time I rebooted, since the evil registry key (not sure which one it was though) kept resurrecting it.

5.) Turned on the computer this morning and tried bigbillyvegas's advice and went to go run that Microsoft online scanner, except it didn't even get as far for me as it did for bigbillyvegas. It got to "Installing Scan Tools: 8 of 11: 60%" and then McAfee started going berserk!!! My comp got really slow and choppy, and McAfee kept saying every 5 seconds:

"
McAfee has automatically blocked and removed a Trojan.

About this Trojan
Detected: Generic.dx!gfi (Trojan), Generic.dx!gfi (Trojan), Generic.dx!gfi (Trojan)
Location: C:\Windows\system32\calc.dll
"

This trojan kept popping up, and I even looked in the folder but only found calc.exe, the calculator application.

6.) At this point, the online scan window closed out somehow, and when I tried to run it again, I got error 0x0C67... or something like that. So, I went to the "forum" page that the scan page was suggesting, and searched for that error code in the forum, but I couldn't open any of the forums due to greatfeedmill, and I couldn't guess the real site address from the Properties of the link.

7.) The whole time, McAfee was blabbing about that Generic.dx!gfi trojan and I couldn't tell if the choppiness of the computer performance was due to the trojan or due to McAfee freaking out about it. So I opened the Task Manager and tried closing a bunch of the rundll.exe items that were under my username, but none of them would close.

8.) Pissed off, I restarted my comp and the whole Generic/McAfee mess started up again and I couldn't even move the mouse around smoothly. So I looked in the C:\users\me\appdata\local\temp folder again and found that, surprise, "nsrbgxod.bak" was back and causing havoc. Somehow, this time I was able to delete it, and then I rebooted.

9.) This is where it gets really weird: when my comp rebooted, I opened Task Manager when the desktop came up but stuff was still booting up, and "RunDLL" was the only application there. This could be normal, but I thought this was strange, since the good versions of rundll seem to be all in lower case usually. Before I could do anything, another window popped up saying something like:

"Error: C:\Windows\system32\config\SYSTEM~1\ntuser.dll
Specified module could not be found"

I recognized this ntuser.dll from chewiecool's post and figured that somehow the mystery evil registry key was trying to use ntuser.dll to cause more trouble, but the link was broken, or something. I don't know, I'm not a computer expert. So I hit "ok" and the RunDLL disappeared from the Task Manager. So it started to look like I cut the vampire's head off, and now it was time to burn the body (Necroscope reference. great book by the way).

10.) Then I ran CCleaner and it found a couple of bad registry keys, like something about a .bak extension; but the one I was really interested in was one concerning ntuser.dll. It was in "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" and it was complaining about a missing reference. So it looked like ntuser.dll was hiding before, but somehow I revealed it and CCleaner took the opportunity to kill it while it was revealed.

11.) After rebooting and running CCleaner again, it found some bad stuff again including the .bak file, but nothing about the ntuser.dll. So now I was metaphorically burning the vampire body, since the head (ntuser.dll) was destroyed.

12.) I think I found "nsrbgxod.bak" again, but it couldn't be resurrected again and I deleted the thing.

13.) That's it. Now internet links don't all point to greatfeedmill.com


IN SUMMARY:

1.) Download and run Malwarebytes anti-malware tool as often as possible during your efforts.
(http://download.cnet.com/3001-8022_4-10804...art=dl-10804572)

2.) Download and run CCleaner; I used it on the internet/cookies category once, and the rest were only for the registry key category. Beware, it got rid of my internet password cookie, so I had to remember what my wireless password was.
(http://www.ccleaner.com/download/downloading)

3.) Reboot often.

4.) Run the Microsoft Online Scanner. It may get interesting at this point.
For Windows XP
http://onecare.live.com/site/en-us/default.htm
For Windows Vista or Windows 7
http://onecare.live.com/site/en-us/sandbox/default_scan.htm

5.) Alternate between running Malwarebytes and CCleaner, and hopefully your problem will be solved.


Sorry again for the long post, but I want to give you guys as much potentially helpful info as possible, since I know how evil this hijacker is. Thanks to all who posted on this topic, and thanks to the guys before me that listed the links that I have included here for completeness.

Let me know if this works for you guys!



