Browser Hijacker

By mretzloff
May 7, 2007
Topic Status:
Not open for further replies.
  1. Hello. I'm new here, so if this post is out of place, or anything please let me know :)

    Recently, when I access the web through Mozilla Firefox (2.0.0.2 or whatever the latest is), I occasionally get redirected to Disney's homepage.

    I was told by a friend that it might be a browser hijacker. I ran Ad-aware and Spybot S&D (the latest versions of both). Then I ran Hijack This but had no clue what to delete (I did delete/fix some files that my friend told me to). Nothing worked :(

    Could anyone help me? Thanks!
  2. Tedster

    Tedster Techspot old timer..... Posts: 10,074   +13

    it might have helped if you posted your HJT log
  3. momok

    momok Newcomer, in training Posts: 2,272

    Hi mretzloff and welcome to techspot. =)

    Hope you enjoy your stay here with us.

    Important: Please read this thread HERE before you decide whether to clean or reformat your system.

    Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps to cleaning your computer.
    Do follow all the instructions exactly.

    Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste, otherwise it will be ignored and/or removed by the moderators.
    The logs will enable us to understand that much more about the problems on your system.


    Regards,
    Your friendly Momok =)

    This thread is for the use of mretzloff only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  4. mretzloff

    mretzloff Newcomer, in training Topic Starter Posts: 130

    Please review my Combofix, HJT, and AVG Logfiles

    Here are the files:

    View attachment 17062
    View attachment 17063
    View attachment 17064

    Thank you.

    EDIT: One problem I've been having is that my browser (Mozilla Firefox 2.0.0.2) is redirected to Disney's webpage when I visit various websites (especially MLB-related ones).
  5. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Hello and welcome to Techspot.

    I have merged your new thread into this one. Please continue to post in this thread.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Run the Ccleaner programme as per step 9 of the instructions HERE.

    6. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log and AVG Antispyware log.

    Regards Howard :wave: :wave:

    This thread is for the use of mretzloff only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

  6. mretzloff

    mretzloff Newcomer, in training Topic Starter Posts: 130

    How often should I scan? Should I do all this (and the instructions in the pinned thread) once a week?
  7. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Just follow the instructions in my post above and nothing more.

    Regards Howard :)

    This thread is for the use of mretzloff only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  8. mretzloff

    mretzloff Newcomer, in training Topic Starter Posts: 130

  9. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Threads merged. Please don`t open any more threads for this. Thanks.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.

    Regards Howard :)

    This thread is for the use of mretzloff only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  10. jobeard

    jobeard TS Ambassador Posts: 13,288   +281

    your AVG needs to have options set as it's reporting NO ACTION TAKEN :(
  11. mretzloff

    mretzloff Newcomer, in training Topic Starter Posts: 130

     
  12. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    .NET Framework Service (.NET Connection Service) < Disable the service name and/or the name in brackets.

    Close the services window.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

    O22 - SharedTaskScheduler: flammei - {9d635a36-6b3c-4146-8625-f3aaf507bbf8} - (no file)

    O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\WINDOWS\svchost.exe
    C:\windows\ALCXMNTR.EXE

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let us know how your system is running.

    Regards Howard :)

    This thread is for the use of mretzloff only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  13. mretzloff

    mretzloff Newcomer, in training Topic Starter Posts: 130

    Ok, thanks.

    I do have a few questions:

    1). Should I download one of those firewalls you recommend? If so, should I leave on or turn off Windows XP's firewall?

    2). I've been using the admin (the only account on my comp.). Why do you say not to? How can I create another?

    3). How often should I scan?

    4). When scanning should I use the instructions in your previous post or in the thread "Malicious software...."?

    5). Could you give me a step-by-step instruction guide on what to scan with which programs?

    Thanks for the time and help.
  14. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Yes, you should download and install one of the recommended firewall programmes. It should automatically turn off the Windows firewall.

    All I said, was boot into safe mode under your normal username(NOT THE ADMINISTRATOR ACCOUNT). That`s because some of the stuff on your desktop may not show up under the admin account.

    Once your system is clean, once every week or so should be fine.

    Follow the instructions in my post and post any requested logfiles.

    I can, but at the moment, I`d prefer to get your system cleaned up first.

    Now, follow the instructions in my post above, then post a fresh HJT log as requested.

    Regards Howard :)

    This thread is for the use of mretzloff only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  15. momok

    momok Newcomer, in training Posts: 2,272

    May I add that, it would be wise to actually create and use a limited account with certain system settings restricted? I believe it would actually help make your system safer by using that limited account for doing most of your work/play or whatever you do on your computer. But you can do that after you're done with the cleaning process that Howard shall guide you through.

    To learn how to create a new user account, please see HERE.


    Regards,
    Your friendly Momok =)

    This thread is for the use of mretzloff only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  16. mretzloff

    mretzloff Newcomer, in training Topic Starter Posts: 130

    Here's the fresh HJT logfile:

    View attachment 17333


    As far as my system goes, I've had no redirects lately (my family members also say they've had none).

    Thanks howard and momok.
  17. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    It appears you haven`t installed any firewall software. I suggest you do so ASAP.

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    Viewpoint
    Symantec
    LiveUpdate

    Close control panel.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Viewpoint Manager Service
    Automatic LiveUpdate Scheduler
    LiveUpdate

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    ViewpointService.exe
    ALUSchedulerSvc.exe
    LUCOMS~1.EXE

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

    O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\Program Files\Viewpoint < Delete the entire folder.
    C:\Program Files\Symantec < Delete the entire folder.

    Reboot into normal mode and rehide your protected OS files.

    Post what should be a final HJT log.

    Regards Howard :)

    This thread is for the use of mretzloff only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
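
Added example (not part of any post in this thread, and not the helpers' own method): a Python sketch that parses the HijackThis entries quoted in posts 12 and 17 and applies a few triage heuristics. The flag names and the `SYSTEM_NAMES` list are assumptions made for illustration.

```python
import ntpath
import re

# Entries copied from the HijackThis lines quoted in posts 12 and 17 above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O22 - SharedTaskScheduler: flammei - {9d635a36-6b3c-4146-8625-f3aaf507bbf8} - (no file)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
"""

ENTRY = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
MISSING = re.compile(r"\((file missing|no file)\)\s*$")
# Assumption: a short sample of Windows binaries that belong in system32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}


def parse_entry(line):
    """Split one HijackThis line into section, kind, owner and target."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    owner = None
    if section in ("O22", "O23"):
        # O23: name - owner - path; O22: name - CLSID - path
        parts = rest.rsplit(" - ", 2)
        raw = parts[2] if len(parts) == 3 else ""
        if section == "O23" and len(parts) == 3:
            owner = parts[1]
    elif rest.startswith("[") and "] " in rest:
        raw = rest.split("] ", 1)[1]      # Run key: [value name] command
    else:
        raw = rest.split(" = ", 1)[-1]    # Startup folder: link = target
    return {"section": section, "kind": kind, "owner": owner,
            "missing": bool(MISSING.search(rest)),
            "target": MISSING.sub("", raw).strip()}


def triage(entry):
    """Return heuristic flags for a parsed entry (triage aid only)."""
    name = ntpath.basename(entry["target"]).lower()
    folder = ntpath.dirname(entry["target"]).lower()
    flags = []
    if entry["missing"]:
        flags.append("missing-file")
    if entry["owner"] == "Unknown owner":
        flags.append("unknown-owner")
    if name in SYSTEM_NAMES and not folder.endswith("\\system32"):
        flags.append("system-name-outside-system32")
    if entry["target"] and not folder:
        flags.append("no-full-path")
    return flags


def triage_log(text):
    """Parse every recognisable line and pair it with its flags."""
    parsed = (parse_entry(line) for line in text.splitlines())
    return [(e, triage(e)) for e in parsed if e]
```

Entries that the helper removed for other reasons, such as the BackWeb startup link and the Symantec leftover, carry no flags here, so the output is a prompt for review rather than a verdict.
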
  18. mretzloff

    mretzloff Newcomer, in training Topic Starter Posts: 130

    Why delete those programs (I'm just curious)?

    Also, which out of the 3 firewalls you mentioned, would you recommend I get?
  19. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    The Viewpoint programme is not good and should be gotten rid of asap. It is known to put adware on your computer.

    The Symantec stuff is from when you were running Symantec/Norton and is a left over. Again, it needs to go, as it`s just using system resources.

    Any of the firewalls are good, especially Comodo and Zonealarm. Try whichever firewall takes your fancy. If you don`t like it, uninstall and try another one.

    Don`t forget to post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of mretzloff only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  20. mretzloff

    mretzloff Newcomer, in training Topic Starter Posts: 130

  21. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Your HJT log is clean.

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of mretzloff only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  22. mretzloff

    mretzloff Newcomer, in training Topic Starter Posts: 130

    Ok. Could you please give me a step-by-step guide on how I should scan every week (such as which programs to run, etc.)? Also, should I post my Combofix, Avenger, HJT, and AVG Antispyware logs in here every week?
  23. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    You need to have your Antivirus and firewall programme running at all times in the background, as they are now.

    There`s no need to post any further logfiles, unless you start having further problems.

    Here`s a list of programmes I recommend to help keep your computer safe.

    Spybot Search & Destroy.

    Ad-Aware se personal.

    Spyware Blaster.

    AVG Antispyware.

    Ccleaner.

    The rest of the programmes you used, such as Combofix/Vundofix/The Avenger etc etc can be gotten rid of and are for specific uses only.

    I recommend you scan your system once every week or two. Other than that, providing you`re not having any problems, you should be ok.

    You might want to take a look at this thread HERE. It`ll show you how you can keep your computer more secure.

    This is what I do with my system when I do a system scan.

    I make sure that all my antivirus/firewall and antispyware programmes are fully updated. Then, I do a full system scan with my antivirus programme, followed by SS&D, then Ad-Aware and finally AVG Antispyware.

    I don`t visit dodgy websites, nor do I download lots of stuff and I definitely don`t click on anything, unless I know exactly what it is. If you follow these few simple rules, the chances of your system being infected are greatly reduced.

    Regards Howard :)

    This thread is for the use of mretzloff only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  24. mretzloff

    mretzloff Newcomer, in training Topic Starter Posts: 130

    So in my case I'd these (in order):

    1). Avast!
    2). S&D
    3). Ad-aware SE
    4). AVG Antispyware

    Should I run SpywareBlaster? After 30 days, can I still use AVG Antispyware?

    Thanks :)
  25. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Yes, that`s correct.

    Spyware Blaster only needs updating and doesn`t actually run in the background. Once it`s been updated, just enable all protection and close the programme. See the Spyware Blaster tutorial HERE.

    Regards Howard :)

    This thread is for the use of mretzloff only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.