Browser Hijack Firefox and IE

By Smell the Glove
Dec 1, 2006
Topic Status:
Not open for further replies.
  1. I'm having a problem. My browser homepage is getting hijacked and it tries to take me to another website. It happens with Firefox and IE.

    Also the tabs have stopped working on Firefox and having a second window open doesn't seem to work either.

    EDIT - It's worse than I thought!! This might sound crazy but I can't access any other websites than this one!! :(

    Any help? PLEASE?

    HJT log file
  2. howard_hopkinso

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


    Regards Howard :wave: :wave:


    This thread is for the use of Smell the Glove only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
  3. Smell the Glove

    I've tried all that but it still seems to be happening.

    I have attached 2 new logs.
    The first one is run offline and the second online.

    On the second I see this:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{B957393B-24EE-4298-8BF8-C6D10234850E}: NameServer = 85.255.115.83 85.255.112.206

    Which I think is my problem. I've tried fixing the problem but it keeps coming back.
  4. howard_hopkinso

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off System Restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the Processes tab and end process for (if there):

    dmdpb.exe

    Close task manager.

    Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O4 - HKLM\..\Run: [dmdpb.exe] C:\WINDOWS\system32\dmdpb.exe

    O17 - HKLM\System\CCS\Services\Tcpip\..\{B957393B-24EE-4298-8BF8-C6D10234850E}: NameServer = 85.255.115.83 85.255.112.206 < Only fix this if it doesn't belong to your ISP.

    85.255.112.206-xbox.dedi.inhoster.com is what the above IP resolves to.

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there):

    C:\WINDOWS\system32\dmdpb.exe

    Reboot into normal mode, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log and the AVG Antispyware log I asked for.

    Regards Howard :)

    This thread is for the use of Smell the Glove only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
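The check Howard attaches to the O17 entry above (fix it only if the resolvers don't belong to your ISP) is the part worth automating: a NameServer value pointing at addresses nobody recognises is the signature of a DNS-changer, and that is exactly what makes every other site come back "Server not found" while the hijacker's own destination still resolves. The script below is an added example written for this thread, not code from the thread or from HijackThis. It parses O17 lines out of HijackThis log text and flags any resolver not in an allowlist of expected addresses. The log text and the allowlist are constructed: only the first O17 line mirrors the entry quoted in the thread, the second GUID and the 10.x/192.168.x resolvers are placeholders standing in for whatever a real ISP or home router hands out.

```python
import ipaddress
import re
from typing import Dict, List, NamedTuple, Set

# Constructed sample HijackThis log text (not the poster's actual log). The first
# O17 line copies the entry quoted in the thread; the others are placeholders.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [dmdpb.exe] C:\WINDOWS\system32\dmdpb.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B957393B-24EE-4298-8BF8-C6D10234850E}: NameServer = 85.255.115.83 85.255.112.206
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 10.0.0.53,10.0.0.54
"""

# Placeholder allowlist: the resolvers you expect on this machine (your router
# and/or the addresses your ISP publishes). Anything else is worth a question.
EXPECTED_RESOLVERS: Set[str] = {"192.168.1.1", "10.0.0.53", "10.0.0.54"}

# HJT prints DNS settings as "O17 - <registry path>: NameServer = <addr> [<addr> ...]"
O17_LINE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


class NameServerEntry(NamedTuple):
    key: str            # registry path HJT reports for the interface/control set
    servers: List[str]  # resolver addresses exactly as listed, in order


def parse_o17(log_text: str) -> List[NameServerEntry]:
    """Extract every O17 (NameServer) entry from HijackThis log text."""
    entries: List[NameServerEntry] = []
    for line in log_text.splitlines():
        m = O17_LINE.match(line.strip())
        if not m:
            continue
        # Multiple resolvers appear separated by spaces or commas.
        servers = [s for s in re.split(r"[\s,]+", m.group("servers").strip()) if s]
        entries.append(NameServerEntry(m.group("key"), servers))
    return entries


def classify(server: str, expected: Set[str]) -> str:
    """Label one resolver: expected, unexpected-private, unexpected-public or invalid."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return "invalid"          # garbage in the registry value is itself a finding
    if server in expected:
        return "expected"
    # A private address you did not configure usually means a router setting
    # changed; a public one you did not configure is the DNS-changer pattern.
    return "unexpected-private" if addr.is_private else "unexpected-public"


def audit_nameservers(log_text: str, expected: Set[str]) -> Dict[str, str]:
    """Map every resolver address found in O17 entries to its classification."""
    findings: Dict[str, str] = {}
    for entry in parse_o17(log_text):
        for server in entry.servers:
            findings.setdefault(server, classify(server, expected))
    return findings


def suspicious_servers(log_text: str, expected: Set[str]) -> List[str]:
    """Sorted list of resolvers that should be checked against the ISP before fixing."""
    return sorted(
        s for s, verdict in audit_nameservers(log_text, expected).items()
        if verdict.startswith("unexpected")
    )


if __name__ == "__main__":
    for entry in parse_o17(SAMPLE_HJT_LOG):
        print(entry.key)
        for server in entry.servers:
            print(f"    {server:<18} {classify(server, EXPECTED_RESOLVERS)}")
    print("resolvers to verify with your ISP:", suspicious_servers(SAMPLE_HJT_LOG, EXPECTED_RESOLVERS))
```

Run against the constructed log this reports the two 85.255.x addresses as unexpected-public and leaves the placeholder router and ISP resolvers alone. The same verdict the script gives is what Howard asks the user to do by hand: a resolver not on the list is not automatically malicious, but it is the one thing that needs confirming before ticking the O17 entry in HijackThis.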
  5. Smell the Glove

    Ok, so it's still not working properly.

    I'm not 100% sure how to save an AVG log so I've attached this: hope it's what you wanted?

    Thanks for all the help.
  6. howard_hopkinso

    I strongly suggest you backup your registry before doing the following.

    Click Start/Run, type regedit into the Run box and press the Enter key. Click File, Export and save a copy of your registry to wherever you want. Then, if you need to restore your original registry, it's a simple matter of double-clicking the .reg file and clicking Yes when asked if you want to merge it into the registry.

    Navigate to the following keys and delete them in the right-hand pane.

    HKEY_LOCAL_MACHINE\System\CCS\Services\Tcpip\..\{B957393B-24EE-4298-8BF8-C6D10234850E}: NameServer = 85.255.115.83 85.255.112.206

    Post a fresh HJT log after doing the above.

    Regards Howard :)

    This thread is for the use of Smell the Glove only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
  7. Smell the Glove

    Do you want me to delete everything in the right-hand box?
  8. howard_hopkinso

    No, just delete anything to do with NameServer = 85.255.115.83 85.255.112.206

    Regards Howard :)

    This thread is for the use of Smell the Glove only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
  9. Smell the Glove

    I've done that (I think)

    Here is the new log

    By the way the problem still exists :( I've never had anything this bad before!

    Plus this seems different since my last clean log I had:

    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

    Could it be anything?
  10. howard_hopkinso

    Your HJT log is clean.

    Go HERE and follow the instructions for downloading, installing and running AVG Antispyware < Not to be confused with AVG Free Antivirus, which is a completely different programme.

    Then post an AVG Antispyware log.

    Regards Howard :)

    This thread is for the use of Smell the Glove only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
  11. Smell the Glove

    Think I'm having serious problems because none of those links are working for me.

    I just keep getting a "Firefox can't find the server at www.ewido.net." message.
  12. howard_hopkinso

    Ok, try this LINK instead and scroll down to the bottom of the page for AVG Antispyware.

    See if that helps.

    Regards Howard :)

    This thread is for the use of Smell the Glove only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
  13. Smell the Glove

    Thanks for the AVG Antispyware link. It found 10 threats (see attached log). I hope I've deleted these threats.

    However problem still exists.

    I have attached another HJT log.

    As you can see:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{B957393B-24EE-4298-8BF8-C6D10234850E}: NameServer = 85.255.115.83 85.255.112.206

    Keeps coming back.

    What am I doing wrong?
  14. howard_hopkinso

    Make sure you have the CCleaner programme as in this thread HERE; you will need to use it as per the instructions later.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off System Restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the Processes tab and end process for (if there):

    dmzev.exe

    Close task manager.

    Locate and delete the following bold files and/or directories (if there):

    C:\WINDOWS\system32\1024
    C:\WINDOWS\system32\dmzev.exe
    C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\A8B518E1-F216-42D9-9DE2-B0E091.asq

    Run the CCleaner programme as per the instructions.

    Click Start/Run, type regedit into the Run box and press the Enter key.

    Navigate to the following keys and delete them in the right-hand pane.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7caf96a2-c556-460a-988e-76fc7895d284}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd}

    Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O17 - HKLM\System\CCS\Services\Tcpip\..\{B957393B-24EE-4298-8BF8-C6D10234850E}: NameServer = 85.255.115.83 85.255.112.206

    Click on the fix checked button.

    Close HJT.

    Reboot into normal mode, turn system restore back on and rehide your protected OS files.

    Let me know if this has helped.

    Regards Howard :)

    This thread is for the use of Smell the Glove only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
  15. Smell the Glove

    I've done all that and the browser is still being hijacked!!! :(

    O17 - HKLM\System\CCS\Services\Tcpip\..\{B957393B-24EE-4298-8BF8-C6D10234850E}: NameServer = 85.255.115.83 85.255.112.206

    Only appears as soon as I log onto the net. If I'm offline it's not there.
  16. howard_hopkinso

    Close all browsers.

    Click Start/Run, type in CMD and click OK.

    At the DOS prompt, type in cd\ and hit Enter.

    Now type in ipconfig /flushdns and press the Enter key. Note the space after the ipconfig command.

    Once it is done, type exit.

    Run HJT and fix the O17 entry.

    Reboot your computer and run HJT again. See if the O17 entry has gone.

    Regards Howard :)

    This thread is for the use of Smell the Glove only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
  17. Smell the Glove

    It's still doing it!! I can't figure out what's up with this damn PC! I appreciate all your help.

    This must be bugging you as much as it is me!!

    What would happen if I deleted the Tcpip registry?

    I'm starting to worry that this hijack could be more sinister than I first thought.
  18. Smell the Glove

    Found something interesting. It is only GOOGLE that is being hijacked. My startpage was set as google but I've changed it to something else. Now Firefox goes to my startpage OK but Google is still being hijacked.

    However, for most other websites it just says "Server not found". In fact this is the only bookmarked/favourite website that works on my list.

    Does this information help?
  19. howard_hopkinso

    It sure is bugging me, but only because I hate it when I can't fix something. It must be far worse for you.

    Let's try this.

    Turn off System Restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html


    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    When your system reboots, you'll see your desktop and taskbar won't load yet. This is normal, because it is still scanning. Please be patient.
    Afterwards, HijackThis will launch automatically. Please click Scan, and check the following items (if there):

    O4 - HKLM\..\Run: [dmdpb.exe] C:\WINDOWS\system32\dmdpb.exe

    O17 - HKLM\System\CCS\Services\Tcpip\..\{B957393B-24EE-4298-8BF8-C6D10234850E}: NameServer = 85.255.115.83 85.255.112.206 < Only fix this if it doesn't belong to your ISP.

    Click Fix Checked. Close HijackThis, and click OK to proceed.
    This will launch your desktop now.

    Locate and delete the following bold file (if there):

    C:\WINDOWS\system32\dmdpb.exe

    Let me know if either you can't find the file or you can't delete it.


    Finally, please post the contents of the logfile that will open (C:\fixwareout\report.txt), along with a new HJT log.

    Regards Howard :)

    This thread is for the use of Smell the Glove only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
  20. Smell the Glove

    Howard,

    Thanks for all your help, but my laptop has started to act really strange. I've lost sound, can't run iTunes and all sorts of weird stuff.

    Think I'm going to back everything up and reformat! Can't believe a simple browser hijack could mess up my PC as much as it has done! :(

    Thanks for all your hard work.

    Matt (aka Smell the Glove)
  21. howard_hopkinso

    In that case, a reformat and reinstall is probably the best way to go.

    I'm sorry I was unable to fix your problem.

    Regards Howard :)

    This thread is for the use of Smell the Glove only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
  22. smore9648

    If you do a backup then you will save your viruses/spyware as well.
  23. howard_hopkinso

    That is a possibility, but I hope it's not the case.

    I've been researching this new browser hijacker for the last few hours.

    There's a possibility that it's based on a rootkit.

    Smell the Glove: If you haven't already started your reformat, please try the following.

    Download and install the Blacklight programme. Run the programme and click on the Help button. Read the instructions for running the programme.

    I don't know if it'll fix the problem, but it's worth a try.

    Let me know the results and post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of Smell the Glove only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
  24. Smell the Glove

    Hey Howard,

    I've already reformatted I'm afraid. Took me bloody hours, lost 10GB worth of music! D'oh.

    Really appreciate the extra work you put in!

    The hijacker appears to have gone, thank goodness.

    It's been emotional. ;)

    PS - have you managed to find anything new out about the hijacker? Any idea how "nasty" it was?
  25. howard_hopkinso

    That's a shame, but thanks for letting me know.

    I guess I'll have to wait until some other poor bugger gets infected with that awful hijacker, before I know whether the Blacklight software will work.

    Regards Howard :)

    This thread is for the use of Smell the Glove only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.