
Please help! browsers hijacked & weirdness abounds


  • This topic is locked
10 replies to this topic

#1 SKInouye

  • Members
  • 10 posts
  • Location:Los Angeles, CA

Posted 04 February 2010 - 10:03 PM

Here are my symptoms:

  • Google and Yahoo search results redirected to spam site in Firefox, IE, Chrome and Safari -- often see the website c.enhance.com referenced

  • Not able to download files from the Internet & files are getting flagged by Norton Internet Security 2010 and blocked, like the DSS and RootRepeal downloads. Can fix temporarily by resetting Control Panel>Internet Options>Security to default.

  • Windows no longer recognizes me as an administrator, but I can make changes to things like msconfig


Steps already taken:

Ran SuperAntiSpyware and now I am clean

Ran Malwarebytes' Anti-Malware and now I am clean

Ran HijackThis and deleted entries that I did not recognize


Results:

All the steps above helped, but the problems are not gone. What does this mean????


Please find attached the DSS and RootRepeal logs. Let me know what else you need.



PS I am a newbie on the forum, please bear with me!






#2 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 12 February 2010 - 03:16 PM

Hello,

My name is Syler and I will be helping you to solve your malware issues. If you have since resolved your issues, I would appreciate it if you
would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and
we are trying our best to keep up.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


  1. Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  2. Disconnect from the Internet and close all running programs, as this process may crash your computer.
  3. Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  4. Double click on Gmer to run it.
  5. Allow the gmer.sys driver to load if asked.
  6. You may see a rootkit warning window. If you do, click No.
  7. Untick the following boxes on the right side of the Gmer screen:
    • Sections
    • IAT/EAT
    • Files
    • Show All
  8. Click on and wait for the scan to finish.
  9. If you see a rootkit warning window, click OK.
  10. Push and save the logfile to your desktop.
  11. Copy and Paste the contents of that file in your next post.



Then please post back here with the following:
  • log.txt
  • info.txt
  • Gmer log

Thanks



#3 SKInouye

  • Topic Starter
  • Members
  • 10 posts
  • Location:Los Angeles, CA

Posted 15 February 2010 - 11:57 PM

Hi Syler,

Since I last posted my logs, my bleeping spouse got a hold of my laptop and did a system restore (wiped out my programs but kept my data). I wanted to mention this before I follow the steps that you outlined in your response to see if you need me to start at a different point.

The system restore did resolve the problem with my browsers being hijacked and restored my ability to download files again, but I still get the admin error that I mentioned previously, and Norton Internet Security seems to be actively blocking several attacks.

Please advise. I promise to keep the bleeping spouse away from my computer!

PS Is there a way to get email notifications when a reply is posted? I thought I had that turned on but I did not get a notification when you posted.

Edited by SKInouye, 16 February 2010 - 12:04 AM.


#4 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 16 February 2010 - 11:15 AM

Hi SKInouye,

QUOTE
my bleeping spouse got a hold of my laptop and did a system restore


When you say system restore do you mean a format and reinstall of the OS or just an actual system restore, which is something different?


To get notifications, click on the Options button near the top of the page, select Track This Topic, then choose a notification type. Sometimes
the reminders can be unreliable; not much I can do about that, so you will just have to keep an eye on the thread.



#5 SKInouye

  • Topic Starter
  • Members
  • 10 posts
  • Location:Los Angeles, CA

Posted 17 February 2010 - 02:44 AM

Here is the dialog box from the System Restore option my spouse used:

QUOTE
System Recovery

The PC Recovery program, in the normal default mode of operation, recovers applications, drivers and the operating system to their factory-shipped condition. Accordingly, after PC recovery finishes, you need to re-install and reconfigure any applications that you installed yourself (including upgrades or revisions to the factory-shipped version of any applications.)

However, the PC recovery, in this normal default mode of operation, will not delete any DATA FILES that you created.


This program ran from a protected partition of my hard drive. This is a feature factory installed on my HP laptop.

I hope this answers your question.

Edited by SKInouye, 17 February 2010 - 02:46 AM.


#6 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 17 February 2010 - 06:18 AM

Please go ahead and run RSIT, which I posted instructions for in my first post; you can leave GMER.

QUOTE
Windows no longer recognizes me as an administrator, but I can make changes to things like msconfig


What do you mean by this? Do you get administrator errors when trying to do certain things? If so, what is the error message?

QUOTE
Norton Internet Security seems to be actively blocking several attacks


Is it blocking files or IP addresses? Can you tell me what it shows it is blocking?



#7 SKInouye

  • Topic Starter
  • Members
  • 10 posts
  • Location:Los Angeles, CA

Posted 18 February 2010 - 03:21 AM


QUOTE
Windows no longer recognizes me as an administrator, but I can make changes to things like msconfig.


I get this error message: An Access Denied error was returned while attempting to change a service. You may need to log on an Administrator account to make the specified changes.

But I am logged on an Administrator account!

Interestingly enough, it lets the changes go through even though Windows gives me an error message.

I have three users that are administrators on my computer, me, my husband and an alternate user profile. I go into Control Panel>User Accounts and everyone there is designated as an administrator. Switching it on and off doesn't seem to resolve the problem.

I read somewhere online that it might be registry damage from my recent malware infestation. One online source said I needed to use a program called SubInACL to repair it: http://blogs.msdn.com/astebner/archive/200.../04/739820.aspx


QUOTE
Norton Internet Security seems to be actively blocking several attacks.


I have attached a .txt file with all the high, medium and low alerts I have received since 2/6/10. I think that Norton was blocking an IP address prior to the system recovery and I do not have this information now. Sorry.



Please also find my RSIT logs attached.




#8 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 18 February 2010 - 11:32 AM

There seem to be a few suggestions of how to fix the administrator error; I think you would be best posting in the XP forum about this problem
once we have finished here.

The Norton logs don't suggest anything bad; it just looks like a few warnings from Norton's over-eager tamper protection. Let's get a second
opinion with another scanner though.


You have Viewpoint installed. Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.



Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 18 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.



Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



#9 SKInouye

  • Topic Starter
  • Members
  • 10 posts
  • Location:Los Angeles, CA

Posted 20 February 2010 - 05:36 PM

Viewpoint - removed

JRE 6 Update 18 - installed and old versions removed

Kaspersky results:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, February 20, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, February 20, 2010 08:32:33
Records in database: 3593408
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 233010
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 06:44:47

No threats found. Scanned area is clean.

Selected area has been scanned.

Edited by SKInouye, 20 February 2010 - 05:36 PM.


#10 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 21 February 2010 - 03:27 PM

Your logs look fine to me.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double-click the icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.


Cleaning and creating restore points
  • Click Start, right click My Computer and select properties.
  • Select the System Restore tab then check the box "Turn off System Restore".
  • Click Apply then Ok, then restart your computer
  • Now follow these steps again, but instead of checking "Turn off System Restore" Uncheck it.
Now that you have cleaned out your restore points, you need to set a new restore point.
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Select "Create a restore point" then click Next.
  • Type a name under Restore point description then click Create.
Additional instructions can be found here if needed.

Note: This does not need to be done on a regular basis.


Congratulations! You now appear clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Keeping Windows updated
It is extremely important to keep Windows up to date with the latest service pack and patches. This will prevent you
from getting the malware which uses vulnerabilities found in Windows to exploit your computer. The easiest way to
do this is by making sure that Automatic Updates are always enabled.

To do this Click on Start >> Control Panel >> Automatic updates and click Automatic (recommended) then Apply and Ok

Update your AntiVirus Software
It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not
update your antivirus software then it will not be able to catch any of the new variants that may come out. If you
use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your
subscription runs out, you may not be able to update the program's virus definitions.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you.
Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly
patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you
from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Use MVPS hosts file
Using a custom hosts file like the MVPS HOSTS file can help to block ads, banners, 3rd party Cookies,
3rd party page counters, web bugs, and even most hijackers. It doesn't use up any extra system resources
and may even speed up the loading of web pages. You can download and find instructions below.

http://www.mvps.org/winhelp2002/hosts.htm

Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Happy surfing
Syler

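As an added illustration (not from the thread, and not the MVPS project's own code), here is a Python check that parses a Windows hosts file, counts the MVPS-style block entries that send hostnames to 0.0.0.0 or 127.0.0.1, and flags the opposite pattern behind the search redirects reported at the top of the thread: well-known search, OS-update or AV-update domains remapped to any address at all. The watched-domain list and the sample hosts file are constructed assumptions for the example.

```python
import ipaddress
from collections import namedtuple

HostsEntry = namedtuple("HostsEntry", "ip hostnames line_no")

# Addresses that mean "blocked/sinkholed" (the MVPS style) rather than "redirected".
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

# Domains a hijacker typically remaps (search, OS and AV update hosts); this
# list is an assumption for the example, extend it for your own estate.
WATCHED_DOMAINS = ("google.com", "yahoo.com", "bing.com", "microsoft.com",
                   "windowsupdate.com", "symantec.com", "norton.com")

def parse_hosts(text):
    """Return a HostsEntry per active mapping; comments, blanks and bad lines skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue                             # blank line or no hostname
        try:
            ip = ipaddress.ip_address(parts[0])  # validates IPv4 and IPv6
        except ValueError:
            continue                             # not an address at all
        entries.append(HostsEntry(str(ip), [h.lower() for h in parts[1:]], line_no))
    return entries

def audit_hosts(text):
    """Return (sink_count, hijacks): hostnames sent to a sink address (localhost
    excluded), and (line_no, host, ip) for watched domains mapped anywhere."""
    sink_count, hijacks = 0, []
    for e in parse_hosts(text):
        for h in e.hostnames:
            if any(h == d or h.endswith("." + d) for d in WATCHED_DOMAINS):
                hijacks.append((e.line_no, h, e.ip))   # redirected or nulled
            elif e.ip in SINK_ADDRESSES and h != "localhost":
                sink_count += 1                        # ordinary blocklist entry
    return sink_count, hijacks

SAMPLE_HOSTS = """\
# constructed sample hosts file for this example
127.0.0.1       localhost
0.0.0.0 ads.example.net                   # MVPS-style blocklist entry
0.0.0.0 tracker.example.org counter.example.org
203.0.113.7   www.google.com google.com   # search redirect: hijack indicator
198.51.100.9  liveupdate.symantec.com     # AV updates diverted: hijack indicator
127.0.0.1     update.microsoft.com        # OS updates nulled: hijack indicator
"""

if __name__ == "__main__":
    sinks, bad = audit_hosts(SAMPLE_HOSTS)
    print(f"{sinks} blocklisted hostnames, {len(bad)} suspicious mapping(s)")
    for line_no, host, ip in bad:
        print(f"  line {line_no}: {host} -> {ip}")
```

On a real system the file lives at %SystemRoot%\System32\drivers\etc\hosts; a clean MVPS install reports thousands of sink entries and zero suspicious mappings.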


#11 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 24 February 2010 - 10:54 AM

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.





