Browser hijacked with redirects to greatfeedmill.com


16 replies to this topic

#1 JanCH

Posted 24 October 2009 - 12:58 AM

Hello,

I have been infected with a browser hijacker, and most links on the internet are redirected to "greatfeedmill.com". It started yesterday after I got infected with "Security Tool", but that I could remove with Malwarebytes anti spyware. This however I haven't been able to remove with Malwarebytes, SUPERAntiSpywarePro, or Spybot Search and Destroy. If I try to boot in safe mode Windows crashes with a BSOD and Stop message.

I'm running Windows XP Pro with SP2.

Help would be much appreciated!

Jan


#2 Budapest

  • Moderator

Posted 25 October 2009 - 05:03 PM

Download this file and save it to your desktop:

http://download.bleepingcomputer.com/grinler/rkill.scr

Double-click the file to run it. A command window will open briefly. Then run a quick scan with Malwarebytes. Post the Malwarebytes log.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 JanCH

Posted 25 October 2009 - 07:35 PM

Thank you Budapest for your reply.

I did this, without having MBAM remove the items it found.

The log is below:

Malwarebytes' Anti-Malware 1.41
Database version: 3033
Windows 5.1.2600 Service Pack 2

10/25/09 17:27:04
mbam-log-2009-10-25 (17-26-58).txt

Scan type: Quick Scan
Objects scanned: 84993
Time elapsed: 8 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\scandisk.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Owner\ntuser.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> No action taken.
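The log above is worth reading as data rather than prose: every finding line has the same "target (Detection) -> Action." shape, and the seven items fall into a few restart paths (two Run values under HKLM and HKCU, a .dll and a .lnk in the Startup folder, a DLL already loaded in a running process). As an added example, not code from the post or from Malwarebytes, here is a small Python parser that turns an MBAM 1.x log into structured findings, checks that the declared counts match the entries actually listed, and groups the untreated items by persistence mechanism. SAMPLE_LOG is the log from this post with three all-clean sections trimmed; the function names and the category labels are assumptions of this example.

```python
"""Parse an MBAM 1.x scan log into findings and triage them by persistence mechanism.
Added example (not code from the posts or from Malwarebytes); SAMPLE_LOG is post #3's
log with three all-clean sections trimmed. Function names and the persistence
categories are this example's own assumptions."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 3033
Windows 5.1.2600 Service Pack 2

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> No action taken.

Files Infected:
C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\scandisk.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Owner\ntuser.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> No action taken.
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")        # "Files Infected:"
SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")  # "Files Infected: 4"
META_RE = re.compile(r"^([A-Za-z ]+): (.+)$")                # "Database version: 3033"
ENTRY_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")  # "target (Detection) -> Action."
RUN_KEY_RE = re.compile(r"^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\SOFTWARE\\Microsoft"
                        r"\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def parse_mbam_log(text):
    """-> {"meta": {...}, "summary": {section: declared}, "sections": {section: [entry]}}"""
    report = {"meta": {}, "summary": {}, "sections": defaultdict(list)}
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            report["sections"][section]      # register the section even if it stays empty
        elif section is None:                # header block: declared counts and metadata
            if (m := SUMMARY_RE.match(line)):
                report["summary"][m.group(1)] = int(m.group(2))
            elif (m := META_RE.match(line)):
                report["meta"][m.group(1)] = m.group(2)
            else:
                report["meta"].setdefault("other", []).append(line)
        elif not line.startswith("(No malicious items detected)"):
            m = ENTRY_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised line in {section!r}: {line}")
            target, detection, action = m.groups()
            report["sections"][section].append(
                {"target": target, "detection": detection, "action": action})
    report["sections"] = dict(report["sections"])
    return report


def persistence_mechanism(section, target):
    """Where the finding would get (re)started from; the categories are this example's own."""
    if RUN_KEY_RE.match(target):
        return "Run key autostart"
    if STARTUP_RE.search(target):
        return "Startup folder"
    return "loaded in a running process" if section == "Memory Modules Infected" else "file on disk"


def check_counts(report):
    """{section: (declared, listed)} wherever the header count and the entries disagree."""
    listed = {s: len(e) for s, e in report["sections"].items()}
    return {s: (n, listed.get(s, 0)) for s, n in report["summary"].items() if n != listed.get(s, 0)}


def triage(report):
    """Flat list of findings, flagging the ones MBAM reported but did not remove."""
    return [{"mechanism": persistence_mechanism(s, e["target"]), "target": e["target"],
             "detection": e["detection"], "untreated": e["action"].lower().startswith("no action")}
            for s, entries in report["sections"].items() for e in entries]
```

A count mismatch from check_counts means the log was truncated or edited before it was posted, which is the first thing to rule out when someone pastes a log into a thread. The triage list is what to verify by hand after removal: both Run values, both Startup-folder items, the in-memory DLL and the loose DLL in the profile root.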

#4 Budapest

Posted 25 October 2009 - 07:38 PM

Have Malwarebytes remove everything found. Reboot and run rkill.scr then the Malwarebytes scan again. Post the new log.

#5 JanCH

Posted 25 October 2009 - 08:10 PM

I did this.

Below is the log, after removal, and after reboot as you said:

Malwarebytes' Anti-Malware 1.41
Database version: 3033
Windows 5.1.2600 Service Pack 2

10/25/09 18:07:01
mbam-log-2009-10-25 (18-06-53).txt

Scan type: Quick Scan
Objects scanned: 84968
Time elapsed: 8 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\ntuser.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\scandisk.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> No action taken.

#6 Budapest

Posted 25 October 2009 - 08:26 PM

Have Malwarebytes remove those items. Boot into Safe Mode and run a scan with SUPERAntiSpyware (if you can boot into Safe Mode).

#7 JanCH

Posted 25 October 2009 - 08:48 PM

I did this, but cannot boot into Safe Mode. I get STOP message:

STOP: 0x0000007B (0xF78A2528, 0xC0000034, 0x000000000, 0x00000000)

#8 Budapest

Posted 25 October 2009 - 08:55 PM

Open SUPERAntiSpyware and go Preferences > Repairs tab. Scroll down to "Repair broken SafeBoot key" and run the fix. Then see if you can boot into Safe Mode.

#9 JanCH

Posted 26 October 2009 - 10:04 AM

I did the following, as per your instructions, which seems to have taken care of the problem:

1. In SUPERAntiSpyware go to Preferences > Repairs. Do "Repair broken SafeBoot key".

2. Run rkill.scr.

3. Run MBAM quick scan and remove found items.

4. Boot into Safe Mode.

5. Run SUPERAntiSpyware in Safe Mode and remove all items except for those you know are legitimate.

6. Boot into normal mode and verify with MBAM and otherwise that the problem is taken care of.

So, this procedure could possibly work for others as well with the same problem. Interestingly enough, when running the SUPERAntiSpyware scan in Safe Mode, it didn't find any of the bad items that MBAM found before, but for some reason it got taken care of anyway.

Thank you Budapest for your help!

Jan

Edited by JanCH, 26 October 2009 - 10:13 AM.
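The STOP 0x0000007B (INACCESSIBLE_BOOT_DEVICE) in post #7 and the "Repair broken SafeBoot key" fix in post #8 are connected: Safe Mode initialises only the drivers and services listed under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal (and \Network for Safe Mode with Networking). Malware that deletes that key leaves Safe Mode with nothing to load, the disk stack never comes up, and the boot volume is unreachable, which is exactly what 0x7B reports. Once the six steps above have been run, the three places this infection used to survive a reboot can be re-checked from a script. The following Python is an added example, not code from the posts, from SUPERAntiSpyware or from Malwarebytes; it assumes a partial list of stock Windows XP SafeBoot load-order groups (REQUIRED_SAFEBOOT), uses the names from the MBAM log as indicators (calc, scandisk), and takes the XP profile layout for the Startup folder. The registry reader needs Windows; the evaluation functions are pure and run anywhere.

```python
"""Post-cleanup checks for the persistence spots this thread exposed: the SafeBoot key
that Safe Mode depends on, the HKLM/HKCU Run values, and the Startup folder.
Added example, not code from the posts, SUPERAntiSpyware or Malwarebytes. The
evaluate_*/suspicious_* functions are pure and run anywhere; read_registry() needs
Windows (winreg). REQUIRED_SAFEBOOT and IOC_NAMES are this example's assumptions."""
import os
import sys

SAFEBOOT = r"SYSTEM\CurrentControlSet\Control\SafeBoot"
RUN_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Load-order groups a stock Windows XP SafeBoot\Minimal and \Network contain. Assumption:
# this is a partial list; a real audit diffs the whole key against a known-good machine.
REQUIRED_SAFEBOOT = {"Base", "Boot Bus Extender", "Boot file system", "File system", "Filter",
                     "PCI Configuration", "Primary disk", "SCSI Class", "System Bus Extender"}
IOC_NAMES = {"calc", "scandisk"}   # value and file stems from the MBAM log in post #3


def evaluate_safeboot(minimal, network):
    """minimal/network: subkey names of SafeBoot\\Minimal and \\Network, or None if the
    key is absent. Returns problems; [] means Safe Mode has a driver list to work from."""
    problems = []
    for label, names in (("Minimal", minimal), ("Network", network)):
        if names is None:
            problems.append(f"SafeBoot\\{label} key is missing: with no driver list the boot "
                            "volume cannot be mounted, which is the STOP 0x7B seen in post #7")
            continue
        present = {n.lower() for n in names}          # registry key names are case-insensitive
        missing = sorted(r for r in REQUIRED_SAFEBOOT if r.lower() not in present)
        if missing:
            problems.append(f"SafeBoot\\{label} lacks {missing}")
    return problems


def suspicious_run_values(values):
    """values: (name, data) pairs from a Run key. A Run value normally launches an .exe, so
    one that names a DLL or goes through rundll32 is flagged, as is any IOC name."""
    return [(n, d) for n, d in values
            if n.lower() in IOC_NAMES or ".dll" in str(d).lower() or "rundll32" in str(d).lower()]


def suspicious_startup_items(filenames):
    """Startup folder listing: a .dll never belongs there; an IOC stem is flagged too."""
    return [f for f in filenames
            if os.path.splitext(f)[1].lower() == ".dll" or os.path.splitext(f)[0].lower() in IOC_NAMES]


def read_registry():
    """Windows-only collectors feeding the evaluators above."""
    import winreg

    def enum(root, path, fn):           # None if the key is absent, else every fn(key, i)
        try:
            key = winreg.OpenKey(root, path)
        except FileNotFoundError:
            return None
        out = []
        with key:
            try:
                for i in range(1 << 16):
                    out.append(fn(key, i))
            except OSError:             # winreg signals end-of-list with OSError
                pass
        return out

    safeboot = {s: enum(winreg.HKEY_LOCAL_MACHINE, SAFEBOOT + "\\" + s, winreg.EnumKey)
                for s in ("Minimal", "Network")}
    run = {hive: [(n, d) for n, d, _ in enum(root, RUN_PATH, winreg.EnumValue) or []]
           for hive, root in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER))}
    return safeboot, run


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("registry collection needs Windows; the evaluate_*/suspicious_* functions run anywhere")
    safeboot, run = read_registry()
    for p in evaluate_safeboot(safeboot["Minimal"], safeboot["Network"]):
        print("SAFEBOOT:", p)
    for hive, vals in run.items():
        for name, data in suspicious_run_values(vals):
            print(f"RUN {hive}\\...\\Run\\{name} = {data}")
    # XP profile layout, as in the log; newer Windows keeps Startup under AppData\Roaming.
    startup = os.path.join(os.environ.get("USERPROFILE", ""), "Start Menu", "Programs", "Startup")
    for f in suspicious_startup_items(os.listdir(startup) if os.path.isdir(startup) else []):
        print("STARTUP:", os.path.join(startup, f))
```

Run it on the cleaned machine as the affected user, since HKCU and the Startup folder are per-profile. An empty report is necessary but not sufficient: the SafeBoot repair in a tool restores the key from the tool's own template, so the full key is still worth comparing against a known-good machine of the same build before trusting Safe Mode again.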


#10 Budapest

Posted 26 October 2009 - 04:11 PM

If you’re clean, you should create a new Restore Point to prevent possible re-infection from an old one.

Go Start > Programs > Accessories > System Tools and click System Restore. Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name and then click Create. Then use Disk Cleanup to remove all but the most recently created Restore Point. Go Start > Run and type: "Cleanmgr" (without the quotes). Click Ok > More Options tab > Clean Up in the System Restore section to remove all previous restore points except the newly created one.

Also, go Start > Control Panel and double-click Add or Remove Programs. Post back and report any Java or J2SE entries that you have.

#11 JanCH

Posted 26 October 2009 - 06:19 PM

I did these things.

The only such entry is Java ™ 6 Update 3 from Sun Microsystems, version 1.6.0.30.

#12 Budapest

Posted 26 October 2009 - 06:23 PM

That Java entry is out of date. You should remove it and then get the latest from here:

http://java.com/en/download/index.jsp

#13 JanCH

Posted 26 October 2009 - 06:48 PM

I understand that it's out of date.

But I rarely use Java.

Is it OK if it sits there until I have reason to upgrade?

#14 Budapest

Posted 26 October 2009 - 06:59 PM

One of the main reasons they update the Java runtime environment is to patch any security issues they find, so it always pays to have the latest version.

#15 JanCH

Posted 26 October 2009 - 07:10 PM

I see. I didn't realize Java could be a security issue for the end user.

So, I will upgrade then.

Thank you!



