TechSpot

Browser hijacked by redirector.. system cleaned ala 8 steps.. logs included

By Jonmcw
Jan 10, 2010
  1. Hi.
I am hoping you can help. I have recently done a fresh install of Win 7 and after a week or so came up with a nasty little bot that has taken control of my browsers (both Firefox and IE). I have followed your actions to the letter- in fact I did them again in Safe mode, and still no luck. Here are my logs:

    Help me ObWan...
     


  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Jon, are you still having the problem?

    P2P or 'file sharing' Warning:
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall Piratebay.org for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.
    O1 - Hosts: 91.121.221.171 thepiratebay.org
    O1 - Hosts: 91.121.221.171 www.thepiratebay.org
     
  3. Jonmcw

    Jonmcw TS Rookie Topic Starter

    Yes, I am still having the issue.

    And I have already uninstalled the p2p system. The p2p system I was using is uTorrent. Piratebay.org is a website - a file listing system only, but then you know that.

    Any other ideas
     
  4. Bobbye


    Yes, I know what the PirateBay is. Do you?

    More here: http://en.wikipedia.org/wiki/The_Pirate_Bay

    Please note the type of files it 'lists.' A rose by any other name is still file sharing aka P2P.

    Please reopen HijackThis to 'do system scan only.' Check each of the following if present. Note: Optional Removals are in green. Read the description to decide whether to remove:

    C:\Users\Home Office\Downloads\jxpiinstall-rv.exe>> General-Search File Share Search Engine. See Option 2
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O1 - Hosts: 91.121.221.171 thepiratebay.org>> See Option 1
    O1 - Hosts: 91.121.221.171 www.thepiratebay.org>> See Option 1

    O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)>> AVG v8 toolbar
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll>> See Option 3
    O3 - Toolbar: Nero Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll>> See Option 3

    O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)>> AVG v8 toolbar
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')>> See Option 2
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')>> See Option 2
    O20 - AppInit_DLLs: ???-?,avgrsstx.dll


    Option1: P2P or File sharing: Piratebay, File search
    Previously explained

    Option 2:
    Add and Remove Local Packs: mctadmin.exe
    http://technet.microsoft.com/en-us/library/dd799277(WS.10).aspx

    Option 3: Foistware. Ask toolbar
    You have the Ask Toolbar installed, I would recommend you uninstall it - decide after taking a look at this article:
    http://www.benedelman.org/spyware/ask-toolbars/

    Close all Windows except HijackThis and click on "Fix Checked."

    If you decide to remove the AskToolbar: (this is frequently pre-checked on a download site. If you don't uncheck it, it will download with the program, which is unrelated to the toolbar)

    I am uncertain as to the exact path on Windows 7, but it should be similar to below:

    Uninstall the AskToolbar

    1. Close all open Web browsers
    2. From the "Start" menu in Windows, select "Control Panel"
    3. Under the "Programs" icon, select "Uninstall a program" (use Windows Explorer> Local Drive> Programs)
    4. Select the program with the Ask logo and the text "Ask Toolbar" (or our partner’s brand for a custom Toolbar)
    5. Click "Uninstall" and then "Continue" to remove the Toolbar

    If you reopen your Web browser and still see the Toolbar, you may need to restart your computer for the uninstall process to be completed.

    Since you question a Google Redirect, I'd like you to describe what's happening:
    1. If you type a word in the Google search box, and then choose one of the sites that comes up, what happens?
    2. Does a different site load?
    3. Does any site load?
    4. Are the sites the same/different?
    5. Are you sure you're not seeing a Google page saying DNS server couldn't be contacted?

    Do a rescan with HijackThis and attach a new log on next reply- please include the description answers for me.
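Editor's added example (Python; not HijackThis code and not posted by anyone in this thread): a small triage script for the kind of log lines Bobbye walks through above. It parses the O1 (hosts file), O2/O3 (BHO and toolbar), O4 (autostart) and O20 (AppInit_DLLs) entries, and flags what a helper looks at first: hosts entries that point a name somewhere other than loopback (the redirect mechanism behind the two thepiratebay.org lines in post 2), BHO/toolbar registry entries whose file is gone, toolbars from a vendor on a foistware list, and any non-empty AppInit_DLLs value. The sample log below is constructed from the entries quoted in the thread plus one benign localhost line; the `FOISTWARE_MARKERS` list and the `Finding` type are assumptions of this example, not part of HijackThis.

```python
"""Triage a HijackThis-style log: parse O1/O2/O3/O4/O20 lines and flag entries
worth a closer look. Example code written for this page, not HijackThis itself."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O1"
    severity: str  # "review" (act on it) or "info" (just record it)
    detail: str


# Constructed sample: the entries quoted in this thread plus a benign hosts line.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 91.121.221.171 thepiratebay.org
O1 - Hosts: 91.121.221.171 www.thepiratebay.org
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Nero Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: ???-?,avgrsstx.dll
"""

# Every HijackThis line is "<section> - <body>"; the body format depends on the section.
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d*) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
BHO_RE = re.compile(r"^(?P<kind>BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<key>.*?\\(?:Run|RunOnce)): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<dlls>.*)$")

# Vendor strings treated as foistware in this thread (assumption: extend to taste).
FOISTWARE_MARKERS = ("Ask.com",)


def _is_loopback(ip: str) -> bool:
    """127.0.0.0/8 and ::1 are the only hosts-file targets that are normal by default."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def parse_entries(log: str):
    """Yield (section, body) for every line that looks like a HijackThis entry."""
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body")


def hosts_redirects(log: str) -> dict:
    """O1 entries that send a hostname anywhere other than loopback: {host: ip}."""
    out = {}
    for sec, body in parse_entries(log):
        if sec != "O1":
            continue
        m = HOSTS_RE.match(body)
        if m and not _is_loopback(m.group("ip")):
            out[m.group("host")] = m.group("ip")
    return out


def triage(log: str) -> list:
    """Return the findings a helper would raise for the sections this thread covers."""
    findings = []
    for sec, body in parse_entries(log):
        if sec == "O1":
            m = HOSTS_RE.match(body)
            if m and not _is_loopback(m.group("ip")):
                findings.append(Finding(sec, "review", f"hosts file sends {m.group('host')} to {m.group('ip')}"))
        elif sec in ("O2", "O3"):
            m = BHO_RE.match(body)
            if not m:
                continue
            if m.group("path") == "(no file)":
                # Registry still references a CLSID whose DLL is gone: leftover of an uninstall.
                findings.append(Finding(sec, "review", f"orphaned {m.group('kind')} {m.group('clsid')}: registry entry with no file"))
            elif any(marker in m.group("path") for marker in FOISTWARE_MARKERS):
                findings.append(Finding(sec, "review", f"{m.group('kind')} '{m.group('name')}' loads {m.group('path')}"))
        elif sec == "O4":
            m = RUN_RE.match(body)
            if m:
                findings.append(Finding(sec, "info", f"autostart [{m.group('name')}] under {m.group('key')}: {m.group('cmd')}"))
        elif sec == "O20":
            m = APPINIT_RE.match(body)
            if m and m.group("dlls").strip():
                # AppInit_DLLs are loaded into every process that loads user32.dll, so
                # anything here deserves a name check even when it belongs to an AV product.
                findings.append(Finding(sec, "review", f"AppInit_DLLs is non-empty ({m.group('dlls')})"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.severity:7} {f.detail}")
```

Run on the sample it reports the two hosts-file redirects, the orphaned AVG BHO, the two Ask.com entries, the mctadmin RunOnce line as informational, and the AppInit_DLLs value; the localhost line and the R0 lines produce nothing. Point `triage()` at a real log's text to get the same first pass over your own scan.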
     
Topic Status:
Not open for further replies.
