
Browser Hijacking


20 replies to this topic

#1 19541963

19541963

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:17 PM

Posted 21 April 2013 - 02:42 AM

Recently, while updating a UTube program I have used for years with no problem, this time it gave me a browser hijacking malware that now seems to come back no matter what I do to eliminate it. I use Firefox startpage mainly and can correct it temporarily by using Firefox help, but the hijacker "hxxp:// proxy.allsearchapp.com/app/start/" is persistent and keeps returning. Is there any Anti-Malware program that can get rid of this? Not being a pc expert I don't want to do it manually for fear of messing up the registry.



Thank you for any suggestions.

Bill S.

#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,918 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:17 PM

Posted 21 April 2013 - 06:02 AM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
  • Double-click on the renamed file to install, then follow these instructions for doing a Quick Scan in normal mode.
  • Don't forget to check for database definition updates through the program's interface (preferable method) before scanning.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A.4. Issues.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • After the scan, make sure that everything is checked and then click the Remove Selected button to remove all the listed malware.
  • When done, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab .
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donate button.

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,918 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:17 PM

Posted 21 April 2013 - 06:03 AM


Check/reset your Proxy settings in Internet Explorer to make sure malware did not alter them. If these settings are altered, it can affect the ability to browse or download tools required for disinfection:
  • Open Internet Explorer > click Tools > Internet Options > Connections tab.
  • Click the LAN Settings... button and uncheck Use a proxy server for your LAN
    or change the settings to the proxy you normally use if you previously reconfigured it.
  • Remove any unknown addresses from the Address box. 80 is the default Port so it does not have to be changed.
  • Click Ok and then click Ok again.
  • Close Internet Explorer and restart the computer.
  • An example of how to do this with screenshots can be found in Steps 4-7 under the section Automated Removal Instructions in this guide.
Alternatively, you can press the WINKEY + R keys on your keyboard or click Start > Run..., and in the Open dialog box, type: inetcpl.cpl
Click OK or press Enter. Click the Connections tab and continue following the instructions above.

Check your Proxy settings in Firefox to make sure malware did not alter them:
  • Open Firefox, click Tools > Options > Advanced and click the Network Tab.
  • Under the Connection section click on the Settings... button.
  • Under Configure Proxies to Access the Internet, check No proxy. This is the default option if you don't use a proxy.
  • Click Ok and then click OK again.
  • Close Firefox and restart the computer.


#4 19541963

19541963
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:17 PM

Posted 21 April 2013 - 01:06 PM

Global Moderator

Thanks for your help

> Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.

I looked for a way to change the name before D/Ling the mbam-setup file from their website but can't find it. I can only change the name after downloading, which I did, and ran the quick scan in normal mode and also safe mode, and it came up with no malware indicated. I also shut down my Symantec Endpoint Protection while doing the scan.

Last night after correcting them it all was OK, but opening up Firefox and IE this morning it had gone back to the hxxp:// proxy.allsearchapp.com/app/start/ again, so apparently it is still in there somewhere. So far after correcting them today again it still shows browsers where they should be.

The Notepad window for the Malwarebytes scan is posted below:
------------------------
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.04.21.04
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Bill :: S.PC [administrator]
 
4/21/2013 12:59:54 PM
mbam-log-2013-04-21 (12-59-54).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 215222
Time elapsed: 2 minute(s), 59 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,918 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:17 PM

Posted 21 April 2013 - 05:27 PM


Please do not post active links to malware or possible malware related sites to include links which may lead to sites where infections have been contracted and spread. I have disabled the one(s) you posted so others do not accidentally click on them.

Please download Junkware Removal Tool and save it to your Desktop.
  • Close all open programs and shut down any protection/security software now to avoid potential conflicts.
  • Double-click on JRT.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log file named JRT.txt will automatically open and be saved to your Desktop.
  • Copy and paste the contents of JRT.txt in your next reply.


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,918 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:17 PM

Posted 21 April 2013 - 05:28 PM

Try doing an online scan to see if it finds anything else that the other scans may have missed.

Please perform a scan with Eset Online Anti-virus Scanner. <- This process may take several hours, that is normal
  • Click the Eset Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.

  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and Remove found threats.
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • Please be patient as the scan can take some time to complete...close all programs and do NOT use the computer while the scan is running.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply. If no malware was found you will not get a log.
  • Click the Back button.
  • Click the Finish button.
-- Note: If you recognize any of the detections as legitimate programs, it's possible they are "false positives" and you can ignore them or get a second opinion if you're not sure. Eset's detection rate is high and can include legitimate files which it considers suspicious, a risk tool, a potential unwanted program or a possible threat.

#7 19541963

19541963
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:17 PM

Posted 21 April 2013 - 06:30 PM

I apologize for posting an active link

 

Here are the results of the JRT.exe scan:

Bill

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.8.7 (04.21.2013:1)
OS: Windows 7 Professional x64
Ran by Bill on Sun 04/21/2013 at 19:12:21.00
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{99079a25-328f-4bd4-be04-00955acaa0a7}



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\complitly
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\datamngr
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\im
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\iminent
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\iminstaller
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\sweetim
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\searchqutoolbar
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\appid\browserconnection.dll
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\appid\complitly.dll
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\appid\dnsbho.dll
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\appid\scripthelper.exe
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\appid\viprotocol.dll
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\applications\ilividsetup.exe
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\applications\ilividsetupv1.exe
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\protocols\handler\viprotocol
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\scripthelper.scripthelperapi
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\scripthelper.scripthelperapi.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\viprotocol.viprotocolole
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\viprotocol.viprotocolole.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\datamngrui_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\datamngrui_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\ilividsetup_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\ilividsetup_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\ilividsetupv1_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\ilividsetupv1_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\incredibar_installer_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\incredibar_installer_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\incredibartoolbar_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\incredibartoolbar_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\searchqumediabar_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\searchqumediabar_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\setupdatamngr_searchqu_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\setupdatamngr_searchqu_rasmancs
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\searchscopes\{43682B77-B546-4606-A6AD-D81710E1AB36}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\searchscopes\{95AF1862-4577-415E-9E69-FF6EF928B0E7}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\searchscopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\searchscopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\searchscopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}



~~~ Files

Successfully deleted: [File] "C:\end"



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\boost_interprocess"
Successfully deleted: [Folder] "C:\ProgramData\ytd video downloader"
Successfully deleted: [Folder] "C:\Users\Bill\AppData\Roaming\complitly"
Successfully deleted: [Folder] "C:\Users\Bill\AppData\Roaming\opencandy"
Successfully deleted: [Folder] "C:\Users\Bill\appdata\local\ilivid"
Successfully deleted: [Folder] "C:\Users\Bill\appdata\local\ilivid player"
Successfully deleted: [Folder] "C:\Users\Bill\appdata\local\vghd"
Successfully deleted: [Folder] "C:\Users\Bill\appdata\locallow\datamngr"
Successfully deleted: [Folder] "C:\Users\Bill\appdata\locallow\fast free converter"
Successfully deleted: [Folder] "C:\Users\Bill\appdata\locallow\searchquband"
Successfully deleted: [Folder] "C:\Program Files (x86)\fast free converter"
Successfully deleted: [Folder] "C:\Program Files (x86)\social privacy"
Successfully deleted: [Folder] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ytd video downloader"



~~~ FireFox

Successfully deleted: [File] C:\user.js
Successfully deleted: [File] "C:\Program Files (x86)\Mozilla Firefox\searchplugins\search_results.xml"



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 04/21/2013 at 19:15:54.15
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 



#8 19541963

19541963
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:17 PM

Posted 21 April 2013 - 10:43 PM

Bleepin' Janitor

 

Ran the ESET scanner and it came up with this:

--------------------------------

C:\Users\Bill\Downloads\Firefox_setup.exe    a variant of Win32/Adware.iBryte.G application    cleaned by deleting - quarantined
F:\Misc. XP only Programs\saa_setup.exe    multiple threats    cleaned by deleting - quarantined
--------------------------------

The XP programs on F: harddrive are OK. They are not installed on this computer but only there for backups for my laptop. Hopefully one of these scans caught the culprit causing the hijack.

 

Thanks for your help again

Bill



#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,918 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:17 PM

Posted 22 April 2013 - 07:04 AM

Let me know then if you have further problems.

#10 19541963

19541963
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:17 PM

Posted 22 April 2013 - 08:51 AM

Thank you many times over as so far the pc seems to be going to the right browser as of this morning both in Firefox and IE. Best I keep the anti-malware sites you mentioned in mind and watch what programs I do update.

Have a great day

Bill S.



#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,918 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:17 PM

Posted 22 April 2013 - 09:47 AM

You're welcome.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state. Then use Disk Cleanup or Disk Cleanup with Sagesets to remove all but the most recently created Restore Point.

Vista and Windows 7/8 users can refer to these links: Tips to protect yourself against malware infection

#12 19541963

19541963
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:17 PM

Posted 22 April 2013 - 08:08 PM

Well, it's back again in IE and Firefox after being gone all day (prxxy.allsearchapp.xxx). I did make a new restore point and cleaned out the old ones this morning, but apparently this hijacker is buried deeper in there somewhere.

 

What's next .. any ideas?

 

Bill



#13 19541963

19541963
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:17 PM

Posted 22 April 2013 - 08:23 PM

Re: hijacker. Initially, turning the pc on tonight, no web sites were accessed except the start page, which went immediately right over to the hijacker. The problem is already internal, but where? Is there some way to expose this manually? Bill

#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,918 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:17 PM

Posted 22 April 2013 - 09:38 PM


Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Search button
  • A logfile (AdwCleaner[R2].txt) will automatically open after the scan has finished.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of the logfile is also saved at the root drive, usually C:\AdwCleaner[R1].txt.


#15 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,918 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:17 PM

Posted 22 April 2013 - 09:41 PM

1. Open Firefox, go to the Address Bar and type: about:config
2. Press Enter...There will be a warning about changing advanced settings.
3. Click the box that says "I'll be careful, I promise!"
4. Right-click on any references to proxy.allsearchapp.com and choose 'Reset'.
5. Close Firefox and restart it. The entry should be gone.

If nothing was listed or that did not help, please refer to these instructions to reset all user preferences, toolbars and search engine to their default settings using Firefox Safe Mode.

Reset Internet Explorer settings or use the Microsoft Fix it tool to automatically reset registry keys and the browser back to the way it was when initially installed.
If you check the Delete personal settings checkbox in Advanced settings, it will reset the home page(s), search providers and Accelerators to their default values. It will also delete temporary Internet files, history, cookies, web form information (passwords) and InPrivate Filtering data.
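Added example (editor's addition, not code from the thread or from any of the tools named in it): the Firefox proxy check in post #3 and the about:config search in post #15 both come down to what is stored in the profile's prefs.js / user.js, so this Python script parses that file, flags a proxy mode other than "No proxy" or the system default, and flags start-page, search and other prefs that reference the hijacker host. The sample prefs text is constructed for the demo; allsearchapp.com is the host named in the thread; the pref names and the 0/5 proxy-type values are Firefox's own; `audit_file` and its profile path are assumptions for running it against a real profile.

```python
import re

# Constructed sample prefs.js content for this demo (not from the poster's
# machine); the hijacker host is the one named in the thread, the rest is made up.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://proxy.allsearchapp.com/app/start/");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "proxy.allsearchapp.com");
user_pref("network.proxy.http_port", 80);
user_pref("keyword.URL", "http://proxy.allsearchapp.com/app/search?q=");
user_pref("browser.search.defaultenginename", "Search Results");
user_pref("browser.cache.disk.capacity", 358400);
user_pref("extensions.lastAppVersion", "20.0");
"""

# One line of prefs.js / user.js: user_pref("name", value); where value is a
# quoted string, an integer or true/false.
PREF_RE = re.compile(r'^\s*(?:user_pref|pref)\("([^"]+)",\s*(.+?)\);\s*$')

# Prefs a start-page / search hijacker typically rewrites.
HIJACK_TARGETS = (
    "browser.startup.homepage",
    "browser.newtab.url",
    "keyword.URL",
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
)
# Prefs that name a proxy host or a PAC file.
PROXY_HOST_PREFS = (
    "network.proxy.http",
    "network.proxy.ssl",
    "network.proxy.socks",
    "network.proxy.autoconfig_url",
)


def parse_prefs(text):
    """Return {name: value} from prefs.js/user.js text (strings, ints, bools)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # leave anything unexpected as its raw text
        prefs[name] = value
    return prefs


def _mentions(value, hosts):
    v = value.lower()
    return any(h.lower() in v for h in hosts)


def audit_prefs(prefs, suspicious_hosts=("allsearchapp.com",), allowed_proxies=()):
    """Return a list of (pref, value, reason) tuples worth a human's attention."""
    findings, flagged = [], set()
    # network.proxy.type: 0 = "No proxy" (what the thread tells the user to
    # pick), 5 = "Use system proxy settings" (Firefox's shipped default).
    # Any other value means a manual or PAC proxy has been configured.
    ptype = prefs.get("network.proxy.type", 5)
    if ptype not in (0, 5):
        findings.append(("network.proxy.type", ptype, "manual or PAC proxy configured"))
        for name in PROXY_HOST_PREFS:
            host = prefs.get(name)
            if host and host not in allowed_proxies:
                findings.append((name, host, "proxy host not on the allow list"))
                flagged.add(name)
    for name, value in prefs.items():
        if name in flagged or not isinstance(value, str):
            continue
        if _mentions(value, suspicious_hosts):
            findings.append((name, value, "references a known hijacker host"))
        elif name in HIJACK_TARGETS:
            # prefs.js only records values that differ from Firefox's defaults,
            # so a start-page/search pref being present at all deserves a look.
            findings.append((name, value, "non-default start page / search setting"))
    return findings


def audit_file(path, **kwargs):
    """Audit a real prefs.js or user.js (assumed path inside the Firefox profile folder)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_prefs(parse_prefs(fh.read()), **kwargs)


if __name__ == "__main__":
    for pref, value, reason in audit_prefs(parse_prefs(SAMPLE_PREFS)):
        print(f"{reason:40} {pref} = {value!r}")
```

Run it against the prefs.js in the Firefox profile folder (close Firefox first so the file is current); pass `allowed_proxies=("corp-proxy.example",)` if a proxy is legitimately in use. A finding is a prompt to reset that pref through about:config as post #15 describes, not proof of infection on its own, and a clean prefs.js does not rule out the extension or search plugin files that JRT removed in post #7.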



