TechSpot

Browser Redirection

By saleekr
Mar 31, 2008
  1. Ok, so i open my browser today (firefox) and i notice that when i google something and i click on the various links i keep getting redirected to spam stuff.
    (go.click or ad.something) i tried running spybot and adaware, but it just won't kick it.

    Unfortunately i left this pc up and open when i went on a trip and i guess my son had fun...

    Can someone help me here?

    I'm on Windows Vista Home Premium Edition
    32 bit OS
    i was googling around for help and got the info to run hijack this, so that report is also attached.

    Anyone able to point me on the right track.
     

    Attached Files:

  2. pimpmypc

    pimpmypc TS Rookie Posts: 111

  3. kritius

    kritius TS Guru Posts: 2,084

    Create an uninstall list
    • Launch Hijackthis
    • Click the Open the Misc Tools section button
    • Click the Open Uninstall Manager button.
    • Click the Save list button.
    • attach this log into your next reply

    Download and Run Malwarebytes' Anti-Malware
    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please attach the log into your next reply.
    • If you accidently close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
     
  4. saleekr

    saleekr TS Rookie Topic Starter

    ok

    so i ran kaspersky, eset, then malwarebyte and they all came up as finding nothing.

    i'm attaching the uninstall list, the malwarebytes log and the updated hyjack list.

    is anyone seeing anything?
     
  5. kritius

    kritius TS Guru Posts: 2,084

    Please do these steps in order,

    Next please follow these instructions. Your version of Hijackthis is out of date AND installed in wrong folder

    First please go to Start -> Control Panel -> Add/remove programs and uninstall Hijackthis.

    Highjackthis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete please attach your log into your reply.

    Disable Teatimer
    Please disable Teatimer as it may interfere with the fix.
    First:
    • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    • Choose Exit Spybot S&D Resident
    Second:
    • Open Spybot S&D
    • Click Mode, check Advanced Mode
    • Go To Left Panel, Click Tools, then also in left panel, click Resident
    • If your firewall raises a question, say OK
    • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your machine for the changes to take effect.
    Once your log is clean you can re-enable those settings in TeaTimer.

    Do you know what these are?
    926plv32
    DropBox



    Go to add/remove programs and uninstall the following,
    Ask Toolbar
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3


    BitComet 0.93, LimeWire PRO 4.16.2 are installed on your computer and I see that it's running. While BitComet 0.93, LimeWire PRO 4.16.2 are clean P2P program, there's no guarantee that the files downloaded are. Please refrain from using them while cleaning your computer to prevent getting more infections.

    A list of clean and infected P2P programs can be found at Malware Removal and Spyware Info.

    The risks of using a P2P program are stated in this Sourceforge website and Information Week article.

    Please also read Malware Removal's Guide on P2P Programs.

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update TAb at the top
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
    • After it installs the newest version Go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions.
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected'at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll (file missing)

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary
     
  6. pimpmypc

    pimpmypc TS Rookie Posts: 111

    run the microsoft malicious tool i posted on top and let me know how it works out.
     
  7. saleekr

    saleekr TS Rookie Topic Starter

    sigh

    @pimpmypc
    the Microsoft scan comes back clean

    @kritius

    i followed all your steps and rebooted and it's still doing the same.
    The only difference is that now it's redirecting to a blank page or an error page.

    sigh!!!

    here is my new hijack log
     
  8. kritius

    kritius TS Guru Posts: 2,084

    Disable Teatimer
    Please disable Teatimer as it may interfere with the fix.
    First:
    • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    • Choose Exit Spybot S&D Resident
    Second:
    • Open Spybot S&D
    • Click Mode, check Advanced Mode
    • Go To Left Panel, Click Tools, then also in left panel, click Resident
    • If your firewall raises a question, say OK
    • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your machine for the changes to take effect.
    Once your log is clean you can re-enable those settings in TeaTimer.

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below
    C:\Windows\system32\mfpmp.exe

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    Delete Files on Reboot
    • Start Hijackthis
    • Click on the Config button
    • Click on the Misc Tools button
    • Click on the button labeled Delete a file on reboot...
      A new window will open asking you to select the file that you would like to delete on reboot.
    • Navigate to each file and click on it once, and then click on the Open button.
      C:\Windows\system32\mfpmp.exe
    • You will now be asked if you would like to reboot your computer to delete the file.
    • Click on the Yes button if you would like to reboot now, otherwise click on the No button to reboot later.

    Navigate to here,
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    Rename HijackThis.exe to saleekr.exe

    Download and Run ComboFix
    • Download this file from either of the two below listed places :

      HERE or HERE
    • Then double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Attach that log in your next reply along with a fresh HijackThis log.
    WARNING: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...