IE Browser being hijacked

Looks like I have been infected by a hijack virus/trojan. When clicking on links in google searches, or links in pages being viewed the browser is directed to places like heavy.com, nextag, megasearch, etc. In viewing other threads I attempted quite a few of the fixes recommended for those folks.

- Removed all spurious software, in control panel -> add or remove programs or windows components.
- Installed and ran AVG 8
- removed google toolbar, yahoo toolbar
- Attempted to run a number of the online scanners (Kaspersky, BitDefender, Panda Security); all fail to either download the virus databases, or when they do run they fail and indicate to try again. It's like they cannot communicate with their mother ships to download the software and definition libraries.

Next I downloaded hijackthis and combofix. Ran both and have attached the logfiles to this thread.

Any help would be appreciated.
 
I am assisting in checking the logs.
Mbam found and fixed some malware entries. SAS found a large number of Tracking Cookies. You need to have SAS delete them. See the images here. Click to enlarge any if needed, check to Remove the Tracking Cookies:

Then Reset Cookies:
Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.
Update Java:
Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of Java ( Java Runtime Environment (JRE) 6.0 Update 10 ): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.
Adobe:
Your Adobe Reader is out of date. Vulnerabilities can be exploited. Click here to download the latest version v9: https://www.techspot.com/downloads/2083-adobe-reader-dc.html
OR
Install the FoxIt Reader: this does the same thing as Adobe, but doesn’t have the bloat: http://www.foxitsoftware.com/pdf/rd_intro.php
Click on the 'Get it Free' button.
Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
SAS Background Agent Application by Broderbund Software
C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE>> dssagent.exe is a process authored by Broderbund and is spyware. This product pops up unsolicited advertisements as well as analyses computer usage, which is sent back to the company's servers.
WINDOWS\system32\devldr32.exe>> Added by an unidentified VIRUS! Note - this is not the legitimate Creative Labs devldr32.exe file

C:\WINDOWS\System32\GEARSec.exe>>
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
(Installed by Apple Quicktime package - iPod/iTunes CDRW support. Can be disabled if you only require Quicktime player)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
Running online BitDefender AV scan- Stop
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

Related to Symantec/Norton AV:
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
Stop these online scans while cleaning:
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
Start> Run> msconfig> Selective Startup> Startup tab> UNCHECK the following:
All except Adobe Reader v9. If using FoxIt Reader, uncheck all.

Reboot into Normal Mode> Run HijackThis scan and attach new log.
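The HijackThis entries quoted above have a fixed text shape per section (O2 BHOs, O4 startup items, O9 buttons, O16 downloaded ActiveX controls, O23 services). As an added example, not part of the original thread or of the HijackThis tool, the Python below parses those lines, drops repeated lines, and buckets them the way a helper reads a log: registrations whose file is gone ("(file missing)"), services with no vendor string, and O16 controls together with the hosts they were fetched from. The sample lines are copied from the logs quoted in this thread; the bucket names, the dedupe rule and the `service_short_name` helper are my own choices.

```python
"""Parse HijackThis (HJT) log lines and triage them the way a malware-removal helper reads them."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Registry-style class id: {8-4-4-4-12 hex}
CLSID_RE = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"


@dataclass
class HjtEntry:
    section: str                 # HJT section code: O2, O4, O9, O16, O23, ...
    name: str                    # display name exactly as HJT prints it
    clsid: Optional[str]         # COM class id, when the entry has one
    target: str                  # DLL/EXE path, or the .cab URL for O16
    file_missing: bool           # HJT appended "(file missing)": the registration outlived the file
    owner: Optional[str] = None  # O23 only: vendor string, or "Unknown owner"

    @property
    def service_short_name(self) -> Optional[str]:
        # O23 names look like "Gear Security Service (GEARSecurity)"; the name in
        # parentheses is the one services.msc / sc.exe address (my helper, not HJT's).
        m = re.search(r"\(([^()]+)\)$", self.name) if self.section == "O23" else None
        return m.group(1) if m else None


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Return a structured entry for one HJT log line, or None for lines this parser does not model."""
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, body = m.groups()
    file_missing = body.endswith("(file missing)")
    if file_missing:
        body = body[: -len("(file missing)")].rstrip()

    if section == "O16":  # O16 - DPF: {CLSID} (Name) - URL
        m = re.match(rf"DPF: ({CLSID_RE}) \((.*?)\) - (\S+)$", body)
        return HjtEntry(section, m.group(2), m.group(1), m.group(3), file_missing) if m else None
    if section == "O23":  # O23 - Service: Display (Short) - Owner - path
        m = re.match(r"Service: (.*?) - (.*?) - (.*)$", body)
        return HjtEntry(section, m.group(1), None, m.group(3), file_missing, m.group(2)) if m else None
    if section == "O4":  # O4 - [Global ]Startup: link.lnk = path
        m = re.match(r"(?:Global )?Startup: (.*?) = (.*)$", body)
        return HjtEntry(section, m.group(1), None, m.group(2), file_missing) if m else None
    # O2 BHOs, O9 buttons / 'Tools' menu items and similar: "Label: Name - {CLSID} - path"
    m = re.match(rf"[^:]+: (.*?) - ({CLSID_RE}) - (.*)$", body)
    return HjtEntry(section, m.group(1), m.group(2), m.group(3), file_missing) if m else None


def triage(lines: List[str]) -> Dict[str, List[HjtEntry]]:
    """Bucket entries: orphaned registrations, services with no vendor, downloaded ActiveX controls."""
    seen, entries = set(), []
    for raw in lines:
        key = raw.strip()
        if key in seen:  # HJT logs (and forum quotes of them) often repeat a line; count it once
            continue
        seen.add(key)
        e = parse_hjt_line(raw)
        if e is not None:
            entries.append(e)
    return {
        "orphaned": [e for e in entries if e.file_missing],
        "unknown_owner_services": [
            e for e in entries if e.section == "O23" and (e.owner or "").lower() == "unknown owner"
        ],
        "downloaded_controls": [e for e in entries if e.section == "O16"],
        "all": entries,
    }


def control_hosts(result: Dict[str, List[HjtEntry]]) -> List[str]:
    """Hosts the O16 .cab files came from, so the user can confirm each one is a vendor they chose."""
    return sorted({urlsplit(e.target).hostname for e in result["downloaded_controls"]})


# Sample input: lines copied from the HijackThis logs quoted in this thread (one deliberately repeated).
SAMPLE_LOG = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll",
    r"O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe",
    r"O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll",
    r"O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab",
    r"O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab",
    r"O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab",
    r"O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab",
    r"O23 - Service: Gear Security Service (GEARSecurity) - Unknown owner - C:\WINDOWS\System32\GEARSec.exe (file missing)",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for bucket in ("orphaned", "unknown_owner_services", "downloaded_controls"):
        print(bucket)
        for e in result[bucket]:
            print(f"  {e.section} {e.name} -> {e.target}")
    print("O16 hosts:", control_hosts(result))
```

An entry in the "orphaned" bucket is a registration with nothing behind it, which is why those are the safe ones to tick in Fix Checked; a service in "unknown_owner_services" is worth looking at before fixing, since HijackThis can remove the registry entry but not stop a running service, which is the loop griffjoh hit with GEARSec.exe later in this thread.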
 
After reviewing your new log, the only thing I see that needs to be taken care of (if I didn't miss anything) is

O23 - Service: Gear Security Service (GEARSecurity) - Unknown owner - C:\WINDOWS\System32\GEARSec.exe (file missing)

Thank you Bobbye for the assistance with this. I do apologize for not being able to get back to this thread in a timely fashion.
 
Okay, you're welcome.

Perhaps if the problem is resolved the cleaning programs should be removed and restore points dropped?

* Download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe)
* Click the CleanUp! button.
* It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).
And this: Clear your existing System Restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
Next, go to Start > Run and type in cleanmgr> Select the More options tab> Choose the option to clean up System Restore and OK it.
This will remove all restore points except the new one you just created.
Please let us know if you need further help.
 
Hey Bobbye and nobardin,

It's been 3 days with no problems after following your instructions; thanks.

I moved the gearsec.exe and gearsec.dll files out of the windows\system32 directory in safe mode. I still have them as a backup just in case they are not the culprits. Had to do it this way as hijackthis was unable to clean it up. The file was always active in RAM, and no matter how many times I ran hijackthis, gearsec.exe always came back on the list.

Thanks again for all of your help.
-griffjoh
 
gearsec.exe always came back on the list.

You're going to have to change the Startup type for the Service:

Start> Run> services.msc> right-click on Gear Security Service (GEARSecurity)> Properties> change Startup type to Disabled if you're not going to use it, or to Manual if you only want it to start as needed.

Have a look here for more on this:
http://forums.techguy.org/all-other-software/278528-gearsecurity-service.html

The link for the file transfer wouldn't work for me.
 