Browser Hijacker - Need Help


10 replies to this topic

#1 KWK

Posted 28 March 2010 - 02:49 PM

Recently I have had problems with my browser being redirected to other sites.
I use Slimbrowser and I do not notice any other changes. Previous to this I could not update Spybot Search and Destroy or Ad-Aware, which both do not find anything. There is an error when I try to update. I use Tea Timer as well. I have a router with a firewall as well as Avast and Windows Firewall.

I installed Malwarebytes and it would not update either, but it found a few things:
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.



Avast found this:
3/28/2010 10:58:22 AM SYSTEM 1536 Sign of "Win32:Agent-AJDI [Trj]" has been found in "C:\WINDOWS\system32\Spool\prtprocs\w32x86\00005db7.tmp" file.
I deleted it.

EDIT: Topic moved as logs not posted.

Edited by Budapest, 28 March 2010 - 04:29 PM.



#2 techextreme

Posted 29 March 2010 - 01:35 PM

Manually download the Malwarebytes updates from here and just double-click on mbam-rules.exe to install.

-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
---------------------------
Be sure to re-enable your AV and malware scan tools if they were disabled


Please post a fresh log from MBAM after you update.
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#3 KWK

Posted 30 March 2010 - 12:51 PM

I cannot download from the link you provided. I keep getting page cannot be displayed and navigation to the webpage was cancelled.

#4 lilkel35

Posted 30 March 2010 - 01:04 PM

Very new here and not to step on the toes of the gurus, but try downloading Malwarebytes from filehippo.com. (I have a post I'm trying to get help with, but I cannot access any antivirus/security software websites as part of my issue.) If you have a spare "clean" computer, you can download the program and its most recent definitions file to install "manually" and transfer it via thumb drive or CD to your infected computer. You should be able to at least get the program from filehippo.

#5 techextreme

Posted 30 March 2010 - 01:39 PM

lilkel35 is correct. But, I would recommend just downloading the MBAM rules as the link provides.

Check your Proxy settings in Internet Explorer to make sure malware did not alter them. If so, that can affect your ability to browse or download tools required for disinfection:

* Open Internet Explorer > click Tools > Internet Options > Connections tab.
* Click the LAN Settings... button and uncheck Use a proxy server for your LAN, or change the settings to the proxy you normally use if you previously reconfigured it.
* Remove any unknown addresses from the Address box. 80 is the default Port, so it does not have to be changed.
* Click Ok and then click Ok again.
* Close Internet Explorer and restart the computer.
* An example of how to do this with screenshots can be found in steps 3-7 under the section Automated Removal Instructions... in this guide.

Check your Proxy settings in Firefox to make sure malware did not alter them:

* Open Firefox, click Tools > Options > Advanced and click the Network Tab.
* Under the Connection section click on the Settings... button.
* Under Configure Proxies to Access the Internet, check No proxy. This is the default option if you don't use a proxy.
* Click Ok and then click OK again.
* Close Firefox and restart the computer.

For other browsers, please refer to How to configure browser proxy settings.

If you find nothing incorrect with your proxy settings then I would like you to go here and read and follow the instructions on how to update/replace your "HOSTS" file.

#6 KWK

Posted 30 March 2010 - 01:49 PM

I managed to get version 1.45.
I didn't update, since updates were not working.
Here is the log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

3/30/2010 11:27:35 AM
mbam-log-2010-03-30 (11-27-35).txt

Scan type: Quick scan
Objects scanned: 107876
Time elapsed: 2 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\F5JMWNZTHI (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.118,93.188.161.41 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{68994d16-3b8f-47be-bbcb-046b588f17d4}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.118,93.188.161.41 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{68994d16-3b8f-47be-bbcb-046b588f17d4}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.118,93.188.161.41 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e44ed2a9-d663-4276-939d-dfe6c66300c2}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.118,93.188.161.41 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I tried updating and it did update so here is the log after the update:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3934

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

3/30/2010 11:44:48 AM
mbam-log-2010-03-30 (11-44-48).txt

Scan type: Quick scan
Objects scanned: 107566
Time elapsed: 2 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{8ecc055d-047f-11d1-a537-0000f8753ed1} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
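
An added example, not from this thread or from Malwarebytes, that parses detection lines in the MBAM log format posted above and pulls the resolver addresses out of the Trojan.DNSChanger hits so they can be compared with the resolvers a site actually uses. The sample log is constructed from the entries in this post, and the trusted-resolver set passed to `rogue_resolvers` is an assumption the reader supplies.

```python
import ipaddress
import re

# Constructed sample modelled on the MBAM 1.45 log above; the keys, signature
# names and resolver addresses are copied from the posted log.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\F5JMWNZTHI (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.118,93.188.161.41 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{68994d16-3b8f-47be-bbcb-046b588f17d4}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.118,93.188.161.41 -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# One detection line: <object> (<signature>) [-> Data: <data>] -> <action>
DETECTION_RE = re.compile(
    r"^(?P<obj>.+?) \((?P<sig>[^)]+)\)(?: -> Data: (?P<data>.+?))? -> (?P<action>[^>]+)$"
)


def parse_mbam_log(text):
    """Return one dict per detection, tagged with the section heading it sits under."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if line.endswith("Infected:"):          # section heading, not a summary count
            section = line[:-1]
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            items.append({"section": section, **m.groupdict()})
    return items


def rogue_resolvers(items, trusted):
    """Resolver IPs from DNSChanger hits that are not in the trusted set (assumed list)."""
    trusted = {ipaddress.ip_address(t) for t in trusted}
    bad = set()
    for it in items:
        if it["sig"] != "Trojan.DNSChanger" or not it["data"]:
            continue
        for ip in it["data"].split(","):
            addr = ipaddress.ip_address(ip.strip())
            if addr not in trusted:
                bad.add(str(addr))
    return sorted(bad)
```

The same parser works on the full log because the summary lines ("Registry Keys Infected: 1") never match the detection pattern.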

#7 KWK

Posted 30 March 2010 - 01:54 PM

The proxy setting was unchecked.
"Page cannot be displayed" and "navigation cancelled" only happened when trying to go to anti-malware or antivirus websites.

#8 KWK

Posted 30 March 2010 - 02:51 PM

It appears to be cleaned. I can now update all anti-malware and antivirus programs. Webpages and links are now working correctly.

I do have another issue; I am not sure what it is related to, but when I start up the computer and things load in the task bar, there is a sound like "new hardware found", but there is no icon or other indication of what it is.

#9 techextreme

Posted 31 March 2010 - 06:53 AM

Glad to hear that your machine is working well now.

Let's make sure we clean out temp files and the like.

Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link

* Save any unsaved work. TFC will close ALL open programs including your browser!
* Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
* Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
* TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
* Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.


As far as the New Hardware sound, I'm not sure as I would be completely guessing.

#10 KWK

Posted 31 March 2010 - 02:46 PM

I ran TFC and it cleaned 2,200 MB. Most, I think, were in the recycle bin, since I cleaned out some folders and forgot to empty it.

Thank you for your help,
Much appreciated
KWK

#11 techextreme

Posted 01 April 2010 - 07:09 AM

You're welcome. Glad I could help.

Happy Computing :thumbsup:



