browser hijack problem, tried everything


  • Please log in to reply
11 replies to this topic

#1 stratoj


Posted 06 July 2010 - 02:16 PM

OK, I am having a problem with browser hijacking.
Running XP SP3.
The problem is in Internet Explorer and Firefox (which is what I use).
It happens on Yahoo search or Google search.
If I type the URL in directly, then no problem.
If I do a search for an item, 9 times out of 10 the link will take me to a "fake" ad site of some sort.
I have tried everything I know of and nothing has found or fixed it:
MalwareBytes, Spybot, Windows Defender, AVG, SuperAntiSpyware, Smitfraudfix, Ad-Aware, CCleaner, Vipre, etc.
I am new to this forum; what is my next step to get some help on a fix?
What do I need to run or post on this site for people to see?
Thanks so much for any help!
Jason

One other weird thing going on: one of the svchost.exe processes in the Task Manager is going up to around 50% after about a day of the computer being run?

Edited by stratoj, 06 July 2010 - 02:20 PM.



#2 chromebuster


Posted 06 July 2010 - 02:45 PM

Hi,
Have you tried Eset online scanner at www.eset.com/onlinescan? That can sometimes do the trick.

Regards,
Chromebuster

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


#3 stratoj


Posted 06 July 2010 - 03:05 PM

I will give it a try, I am getting desperate.
Thanks

#4 stratoj


Posted 06 July 2010 - 05:03 PM

Well, the Eset online scan you suggested just finished and found some stuff, 6 items listed as worms.
That is great, since none of the other stuff picked up on them, BUT
I am still having the same hijacking problems.
Anything else?
Do I need to upload anything here for further help?
Thanks

#5 chromebuster


Posted 06 July 2010 - 08:12 PM

Would you mind showing us the log from Eset's scan? You can find it as a .txt file in the program files directory at c:\program files\eset\eset online scanner. And also, if you could cut and paste the MBAM log as well. That might show us a little better what you are dealing with, and we can better give you a hand.

Regards,
Chromebuster



#6 stratoj


Posted 07 July 2010 - 12:23 PM

Sorry it took a day to get back with you; this is my computer at work.
Here is the Eset log file:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=b9deeac919546f46b51439a86a461317
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-06 09:57:42
# local_time=2010-07-06 04:57:42 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=256 16777175 100 0 249371 249371 0 0
# compatibility_mode=512 16777215 100 0 434083 434083 0 0
# compatibility_mode=5889 16768382 100 100 432933 118269085 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=280826
# found=6
# cleaned=6
# scan_time=5125
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv2.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv3.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv4.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv5.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=b9deeac919546f46b51439a86a461317
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-06 10:04:39
# local_time=2010-07-06 05:04:39 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=256 16777175 100 0 254909 254909 0 0
# compatibility_mode=512 16777215 100 0 439621 439621 0 0
# compatibility_mode=5889 16768382 100 100 438471 118274623 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=379
# found=0
# cleaned=0
# scan_time=5

__________________________

Here is the Mbam log

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/3/2010 1:01:00 PM
mbam-log-2010-07-03 (13-01-00).txt

Scan type: Quick scan
Objects scanned: 113253
Time elapsed: 6 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
_____________________

Hope this helps!
Thanks

#7 stratoj


Posted 08 July 2010 - 12:10 PM

Turning off Java has seemed to fix the problem (makes it better, anyway).
I am sure that is just a workaround, and the problem still needs to be fixed.
Just thought that info might help someone help me.
Thanks

Edited by stratoj, 08 July 2010 - 01:03 PM.


#8 chromebuster


Posted 08 July 2010 - 05:46 PM

That's interesting. Which version of Java did you have? Because sometimes, if Java is not working correctly, it can lead to a whole host of other issues, such as programs crashing that rely on it. And it appears that all that was found from Eset's scan was some stuff that Spybot S&D had already quarantined for you. I still wonder how in the world you got the Bagle worm, and one more thing: did you open any emails with archives attached to them that you didn't expect? If so, that's where that came from. Try getting the latest update of Java, and that might just take care of the issue if shutting off the version you have seems to work around it.

hope this helps,
Regards,
Chromebuster

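Chromebuster's reading of the Eset log above (the only hits were files Spybot had already quarantined) is a check that can be done by a script. The following is an added example, not code from the thread, from ESET or from Spybot: a Python parser for the log format posted in #6 that reads the `# key=value` header, splits each detection line into path, threat name and action, and separates hits inside another tool's quarantine folder from live ones. The detection-line layout and the quarantine-folder list are assumptions, and the sample log is constructed.

```python
from dataclasses import dataclass

# Quarantine folders of other tools: a hit inside one is a file that was already
# neutralised, not a live infection. Constructed list for this example.
QUARANTINE_DIRS = ("\\spybot - search & destroy\\recovery\\",)

# Constructed excerpt in the shape of the ESET Online Scanner log posted above.
SAMPLE_LOG = r"""# end=finished
# found=2
# cleaned=1
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\example.dll Win32/Example.A trojan (unable to clean) 00000000000000000000000000000000 C
"""

@dataclass
class Detection:
    path: str
    threat: str
    action: str

    def already_quarantined(self) -> bool:
        return any(q in self.path.lower() for q in QUARANTINE_DIRS)

def parse_detection(line):
    """'<path> <Platform/Family type> (<action>) <hash> <flag>' -> Detection, or None."""
    head, paren, tail = line.rpartition("(")
    action, close, rest = tail.partition(")")
    if not paren or not close or len(rest.split()) != 2:   # needs hash and flag after ')'
        return None
    tokens = head.split()
    # ESET names threats Platform/Family.variant and a Windows path never contains '/',
    # so the first token with a '/' starts the threat name; everything before it is the path.
    idx = next((i for i, t in enumerate(tokens) if "/" in t), 0)
    if idx == 0:
        return None
    return Detection(" ".join(tokens[:idx]), " ".join(tokens[idx:]), action)

def summarize(log):
    """Read the '# key=value' header and split detections into live vs already-quarantined."""
    header, live, parked = {}, [], []
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("# ") and "=" in line:
            k, _, v = line[2:].partition("=")
            header[k] = v
        elif (d := parse_detection(line)) is not None:
            (parked if d.already_quarantined() else live).append(d)
    return {"finished": header.get("end") == "finished",
            "found": int(header.get("found", 0)), "cleaned": int(header.get("cleaned", 0)),
            "live": live, "parked": parked}
```

Run against the full log posted in #6, all six Bagle hits land in `parked`, which is the reason the scan result does not explain the ongoing redirects.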


#9 stratoj


Posted 09 July 2010 - 10:42 AM

Chromebuster, I was mistaken: disabling Java seemed to help the situation, but it is still not fixed.

Enders, I did what you said, but no luck; my browser is still being hijacked???

Thanks guys, I am up for any ideas! Let's please keep trying.

#10 grayfish


Posted 09 July 2010 - 12:28 PM

I too was having the same redirect problem. I went to Add/Remove Programs, noted I had 2 Java versions and deleted the older version.
I then went to Control Panel, clicked the Java icon, clicked Settings under Temporary Internet Files and clicked Delete Files. I then restarted my computer and have had no redirects after 10 or so searches.
Fingers crossed!

#11 stratoj


Posted 09 July 2010 - 01:28 PM

Grayfish, thanks for the tip.
I did just that, but it did not fix my problem.
Still having redirects!
This is starting to worry me.
The last thing I want to do is have to dump everything and start over.
I have so many licensed programs to reload with serial numbers and whatnot, it would take days.

Thanks to all for the help and please keep it coming.

#12 stratoj


Posted 10 July 2010 - 01:54 PM

OK, good news: I ran TDSSKiller and I think my problem is solved.
No redirects in the last few hours!!!
