Browser Hijacked?

By ThoroughlyBroke
Dec 8, 2010
  1. Greetings,

    I'm attempting to fix my girlfriend's computer. Internet Explorer seems to be hijacked. When clicking links, it constantly redirects her to different webpages.

    I'm in the process of following this:
    UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions

    She uses Avira, Spybot and Windows Firewall. Compaq Presario, 2.6GHz; I've upgraded the RAM from 512MB to 1GB, running Windows XP.

    Step 2: done, everything ran smoothly.

    Step 3: kept freezing when I tried to run it. Eventually booted in safe mode and it ran fine.

    Step 4: computer locked up. Internet Explorer crashed and I lost the desktop. Had to reboot. Could someone explain what GMER is? Should I reboot in safe mode and try again?

    Step 5: DDS:

    Thanks to any and all replies! I will be checking back momentarily after I've run GMER in safe mode and done some research as to what it actually does (just curiosity).


  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please read all before acting!:

    Welcome to TechSpot! The system has been hit by the Windows Security Suite malware infection. This is a rogue security program from the same family as Antivirus System Pro and Spyware Protect 2009. When installed, the program will be configured to start automatically when Windows starts and, when run, will perform a scan and then list a variety of infections that it states reside on your computer. It will not remove, though, any of these infections unless you purchase it. The catch is that the entries being given as infections are actually harmless files that the program itself created to trick you.

    She likely will have seen the alert pictured here: The program creates a new search tool in Internet Explorer, which impersonates Windows Live, and Firefox, which impersonates Google. Both of these search providers will perform searches that look like they are from Windows Live or Google, but are in fact coming from

    When MBAM was run, the following line wasn't checked, so all entries show No Action Taken.
    Be sure that everything is checked, and click Remove Selected.

    To get MBAM to run in Normal Mode: please download randmbam.exe

    It will try to create random names and shortcuts for Malwarebytes Anti-Malware (MBAM) if you have it installed already.

    Malwarebytes is a good tool in the removal of this malware, but we vary the scan some. After you have run randmbam and are ready to run the Mbam scan again:
    • Click Perform Full Scan instead of quick scan. This will take a longer time and when finished, you will get this:
    • Click on Okay and when the screen returns> Click on Show Results
    • Now click on the Remove Selected button
    • MBAM will delete all the files and registry keys and add them to the programs quarantine.
    • If you get a message to reboot, please do so
    • The log after the malware removal displays in Notepad and should be saved to paste into the next reply.
    Thanks to bleeping computer.
    The presence of the singlehop host hijack is also noted. This is Adiv Financial (Stolen Identity) Fraud by a Zombie botnet host:
    Although we can remove the Windows Security Suite entries fairly easily, I think the system has been compromised by the fraudulent singlehop. And because of the potential for Identity Theft, I recommend that the system be fully reformatted and reinstalled.

    All passwords should be changed and any internet financial transactions should be monitored. This should all be done now.

    You will find excellent reformat/reinstall instructions here:
  3. ThoroughlyBroke

    ThoroughlyBroke TS Rookie Topic Starter

    MBAM log after full scan:

    It still redirects every so often. I got her to change all her passwords on her dad's computer a couple of hours ago, and she hasn't used this computer since yesterday. I cannot find her XP boot CD that came with the computer.
  4. Bobbye


    Okay, next steps:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the ActiveX control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
  5. Bobbye


    Closed due to inactivity.