Solved Browser hijacker and random popup windows

[KERMlT]

Not sure when this started but I would get random firefox windows opening then later I realized that links were redirecting me to other sites.

Examples :

http://and2.2763.get-search-results...0kDNfNTYflTNx8VO1AzMwITN4ITM&a=naq6&mr=1&rc=0

redirect to http://local.zubican.com/d/searchabc.php?q=Browser+Redirect&affiliate=and2-2763

http://www.myspace.com/?utm_source=...h&utm_campaign=miva4#pm_cmp=ppc_miva_splash4a

http://ylwbook.iaf.net/businesses/category:browser+redirect/location:Twinsburg,OH/listings.html

1) Avira from the 8-step and ran it.
2) TFC (tempCleaner) and ran it
3) Malwarebytes' Anti-Malware and renamed it 'mab' before running it.
4) GMER and ran it.
5) DDS and ran it.


Went back and did #1, #3, and #4 again before running hijackthis (which I renamed Analyze)
I am limited to 5 file uploads so my second file for Mbam and GER are still saved.

I realize that others are in the same boat and I'll wait my turn. I did run a CMD check once and saved the results. Thanks in advance.

 

[Bobbye]

Welcome to TechSpot! I'll help with the malware.

You are running 2 antivirus programs> Avira and Norton/Symantec. Please remove one of them as multiple AV programs make a system more vulnerable.

While you do that and I finish checking the logs, you need to do the following:
You had a malware infection-DNS Changer-that requires you do a DNS Flush, then reset your router.

Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)
Exit the Command prompt when finished and shut the system down.-

• 
  [1]. Shut down your computer, and any other computer connected to your router.
  [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
  [3]. Unplug the router. Wait sixty seconds.
  [4].Now holding again the reset button, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
  [5].With the router unplugged, start your computer. Run MBAM again.
  [6].Connect to the router again. The turn the router back on.
  [7].When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
  [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.

=====================================
When you have finished the above: Please download ComboFix from Here and save to your Desktop.

• 
  [1]. Do NOT rename Combofix unless instructed.
  [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3].Close any open browsers.
  [4]. Double click combofix.exe & follow the prompts to run.
• NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..
=============================
Run Eset NOD32 Online AntiVirus scan HEREhttp://www.eset.eu/online-scanner

1. Tick the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the Active X control to install
4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
5. Click Start
6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
7. Click Scan
8. Wait for the scan to finish
9. Re-enable your Antivirus software.
10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please paste the logs into your next reply. Include any that you did not leave in your first post. You may use more than one post if needed to paste the logs.
Important!
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

 

[KERMlT]

The first two files are the #3 and #4 test results mentioned in my previous post.

Removed the 2 Norton programs from my system that came with the machine

DNS flush though I do not have a router.
I did the same steps with my modem just in case.
[5] shows to run MBAM but doesn't specify quick scan or full scan. I ran a full scan.

Rebooted the computer and received a crash alert. Generic Host Process for Win32 Services.

Downloaded ComboFix to download file (default) and closed everything. I turned off Antivirus and Firewall, no AntiMalware present on this computer (that I know of). Copied a shortcut to desktop since there was no option to save it there. Ran it though it did nothing after the open file security warning.

Figured a step was missing that might be helpful for future systems.

If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

Downloaded ComboFix again this time saving it to my desktop. Clicked yes at the first disclaimer then was prompted that the file I clicked on was a duplicate "ComboFix (2)" and stated "You cannot rename ComboFix as ComboFix[2] please use another name, preferbaly made up of alphanumeric characters". Since you told me not to rename it, I stopped here.

I repeated the previous steps again, since it very possible operator error is the factor. This time I ran a quick scan for MBAM during router reset phase. Received the same crash report. Deleted previously downloaded ComboFix before downloading it again. I turned off Antivirus and Firewall. Ran it getting past the open file security warning then nothing again.

 

[Bobbye]

Actually, I use Firefox and my default download location is set to the desktop.

Tools> Options> Main> Downloads> 'Save File is'> set to Desktop.
This is right above 'Always ask'.

Do this please:

Uninstall ComboFix and all Backups of the files it deleted

• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  
  

Then set the default location to desktop if you're using Firefox.

Please download ComboFix from Here and save to your Desktop.

• 
  [1]. Do NOT rename Combofix unless instructed.
  [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3].Close any open browsers.
  [4]. Double click combofix.exe & follow the prompts to run.
• NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..
=============================
Follow with the Eset scan please.

Please paste the logs into the next reply. You may use more than one post if needed.

 

[KERMlT]

The other day I read a post by Julio stating that if you use your computer for online banking that you should reformat your computer. I posted something to that effect the other day though it doesn't look like it went through.

I still have the popups (one so far from redorbit) so reformatting hasn't helped. I was hoping to wipe this out before the first of the month since bills are due and I pay everything online.

I went through the steps again and this time it came back clean. After this post I will install the Combo file and run that.

 

[KERMlT]

The scan took only 3 minutes or so.

 

[Bobbye]

You need to take time and read the instructions. Follow them and don't do anything that isn't in them:
1.

[5] shows to run MBAM but doesn't specify quick scan or full scan. I ran a full scan.

Malwarebytes instructions:
#5:

Once the program has loaded, select Perform Quick scan, then click Scan.

2.

Copied a shortcut to desktop since there was no option to save it there

As I told you, the information about the Firefox default download location was wrong.
3. A DNS flush is for the computer. A reset is for a router, not a modem.
4. The problem you had with Combofix was because you copied a shortcut- you found out that didn't work. If you had told me that I would have guided you but instead you try to give it an illegal rename.
5.

running hijackthis (which I renamed Analyze)

Why did you rename it?
6.

Rebooted the computer and received a crash alert. Generic Host Process for Win32 Services.

There is a way to check what caused this, but you didn't give me a chance to tell you about it.
7.

The other day I read a post by Julio stating that if you use your computer for online banking that you should reformat your computer.

The option to reformat is always available to the member. With some types of infections, we recommend doing that right away. With others, we can clean the system. It depends on what the malware is and the extent of the infection.
==================================
You are going through this too quickly. Slow down, read the instructions- do only what you are told- if there is a problem, ask me about it. you can't just slap a new name on the programs or copy shortcut.
==================================
Did you run the Eset online scan? Log?
=================================
Remove whatever HijackThis you had and renamed- program and log and install and run the following
Download the HijackThis Installer HERE and save to the desktop:

1. Double-click on HJTInstall.exe to run the program.
2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
3. Accept the license agreement by clicking the "I Accept" button.
4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
5. Click "Save log" to save the log file and then the log will open in notepad.
6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

I am writing some script for entries to be moved in Combofix. You can run Eset and HJT while I'm doing that. Please follow the directions, don't rename or change anything.

 

[KERMlT]

So really of all the 7 examples that you typed for failure to follow instruction, only #1 and #3 apply.

1. My first post MBAM was run in quick scan. The second log was run in full scan. I apologize for the confusion since I couldn't print the instructions and was getting 4 hrs of sleep over the past few days. Not a lot of time when you work 60 hrs a week and have to deal with computer problems at home.

2. The information I put in quotations was not from anything you stated. I took the time to figure out why I was not given the option to download to my desktop and posted that information in quotes. I also mentioned that you can inform future members of this to eliminate the same problem. The instruction you gave me two days after I fixed the problem is not a relevant example.

3. I should have been more clear on my response. Since you didn't mention anything in your next response, I assumed you understood that I did the DNS flush and I informed you that I did not have a router. For future reference, you could tell members "If you have a router, please follow these steps to reset it". No blood, no foul.

4. Redundant since this was the same issue as number 2.

5. That was on my very first post and before you decided to reply. I followed momok's advice from https://www.techspot.com/vb/topic80663.html and added the hijackthis log to the mix. Since this was prior to your interest in the matter, I'm not sure why you are questioning it or even using this as an example.

6. It was an alert. If it was important enough, you could have told me to rescan and then follow steps after the alert. You had no instructions to 'wait for further notice if you receive any alerts' and is also not an example.

7. The reformat was a last resort type of move. After reading that post, I realized that the virus might not have been my only concern. Plus with the removal of 'clutter' from my computer, the scans were faster and less problematic. I can see how not finding errors may make finding the problem more difficult. Though not having the minor junk giving pause and concentrating on the main issue seems to be the turning point in the war. This is actually an example of following instructions.

Next time you have a problem like this, send me a private message. I didn't take this personal though I hope these clarifications helps you later on when you go through the steps with other members. Semper Fi.

 

[KERMlT]

Eset NOD32 Online AntiVirus instructions number 6 would have been more clear with :
6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan for potentially unwanted applications" in Advanced Settings is checked.

10. A logfile is created and located at C:\Program Files\ESET\EsetOnlineScanner\log.txt. Please include this on your post.

11. Check or leave unchecked the box to "uninstall application on close"

HijackThis was removed with the format. Continuing on to the next step...

 

[KERMlT]

The link you gave me goes to a website that has two versions of the program. Version 2.0.4 has two links associated with it, one the installer (HiJackThis.msi) and the other is the executable program (HijackThis.exe). The other version is Version 2.0.3 (Beta) and only has the installer link (HijackThis.msi) available. Awaiting further instructions since neither option will download "HJTInstall.exe" .

 

[Bobbye]

HijackThis: http://free.antivirus.com/hijackthis/. Choose HJTInstall, v2.0.4.

The site shows : HijackThis downloads: IInstaller | Executable> you choose the Installer.

You have question the direction of everything I have asked you to do. If you slowed down and read the directions, you would have seen they were indeed there:
HijackThis says Installer
Mbam says Quick Scan
Eset say don't check for removal.

This is not a war. I am not a Marine. Possibly you are under stress- if so, I'm sorry for that. Your have mentioned both Julio and Momok yet the thread directions are clear. Follow the directions please.

The Eset log is clean.

 

[KERMlT]

Slow down, read the instructions- do only what you are told- if there is a problem, ask me about it.

You have question the direction of everything I have asked you to do.

I am instructed to do so by you. The reason why I question it is because the instructions aren't clear enough. I have given examples of what to include to make it more clear though I doubt you will do so for future members.

Perhaps you think I should be a mind reader.

1. You gave me instructions to reset my router assuming I had one.

2. Instructions stated to save to desktop but you assumed I could designate where to save it or in your case assumed I had the same set up as you did.

3. Eset instructions you gave make no mention as to uninstall or leave it installed.

4. You assume that the latest link would download "HJTInstall.exe" but it doesn't. Either take the time to check out the links you give to members or deal with the discrepancies.

I realize you are not a soldier because they would have been a bit more professional. A private message could have cleared this up but you decided to post your rant on the forum. You do not seem to take criticism very well despite the numerous times I offered to correct the poorly worded directions.

I have admitted fault in two of the before mentioned items but the others are petty or not of my doing. If this quibbling continues, I may opt to scan your replies until you have further instructions.

Since my reformat everything has come back clean. The redorbit popup I experienced was from one forum discussion site I visited before and does not appear to be linked to the virus. It appears that everything is coming back clean.

 

[KERMlT]

As instructed....

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:50:56 AM, on 9/28/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.rd.yahoo.com/messenger/client/?http://mail.yahoo.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

--
End of file - 3234 bytes

 

[Bobbye]

No changes are needed in HijackThis. Since the problem has been resolved, you can remove all of the tools we used and the files and folders they created.

• Uninstall ComboFix and all Backups of the files it deleted
• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  
  

• Download OTCleanIt by OldTimer and save it to your Desktop.
• Double click OTCleanIt.exe.
• Click the CleanUp! button.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

• You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
• Go to Start > All Programs > Accessories > System Tools
• Click "System Restore".
• Choose "Create a Restore Point" on the first screen then click "Next".
• Give the Restore Point a name> click "Create".
  
• Go back and follow the path to > System Tools.
  [*]Choose Disc Cleanup
  [*]Click "OK" to select the partition or drive you want.
  [*]Click the "More Options" Tab.
  [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin