TechSpot

IE Browser being hijacked

By griffjoh
Nov 22, 2008
  1. Looks like I have been infected by a hijack virus/trojan. When clicking on links in google searches, or links in pages being viewed the browser is directed to places like heavy.com, nextag, megasearch, etc. In viewing other threads I attempted quite a few of the fixes recommended for those folks.

    - Removed all spurious software, in control panel -> add or remove programs or windows components.
    - Installed and ran AVG 8
    - removed google toolbar, yahoo toolbar
    - Attempted to run a number of the online scanners (Kapersky, bitdefender, pandasecurity), all fail to either download the virus databases, or when they do run they fail and indicate to try again. It's like they cannot communicate with their mother ships to download the software and definition libraries.

    Next I downloaded hijackthis and combofix. Ran both and have attached the logfiles to this thread.

    Any help would be appreciated.
     
  2. nobardin

    nobardin TS Rookie Posts: 256

    Go here http://www.techspot.com/vb/topic58138.html and follow the steps in order. Please do not skip any.

    After doing the above stated, please post and let us know if the issue is resolved or not and we will go from there.
     
  3. griffjoh

    griffjoh TS Rookie Topic Starter

    Thanks nobardin,

    Attached are the files requested.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I am assisting in checking the logs.
    Mbam found and fixed some malware entries.SAS founr large number of Tracking Cookies. You need to have SAS delete them. See the images here. Click to enlarge any if needed, check to Remove the Tracking Cookies:

    Then Reset Cookies:
    Update Java:
    Adobe:
    Please re-open HiJackThis and scan.*Check* the boxes next to all the entries listed below.
    C:\WINDOWS\System32\GEARSec.exe>>
    O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    (Installed by Apple Quicktime package - iPod/iTunes CDRW support. Can be disabled if you only require Quicktime playe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    Running online BitDefender AV scan- Stop
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

    Related to Symantev/Norton AV:
    Stop this online scans while cleaning:
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    [/QUOTE]
    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot. into Safe Mode:
    Start> Rub> msconfig> Selective Startup> Startup tab> UNCHECK the following:
    All Except Adobe Reader except v9. If using FiroxIt Resder, uninstall=-All

    Reboot into Normal More> Run HijackThis scan and attach new log.
     
  5. griffjoh

    griffjoh TS Rookie Topic Starter

    Hey Bobbye,

    Thank you. Remedial actions taken, new hijackthis log file attached.
     
  6. nobardin

    nobardin TS Rookie Posts: 256

    After reviewing your new log, the only thing I see that needs to be taken care of (if I didn't miss anything) is

    Thank you Bobbye for the assistance with this. I do apologize for not being able to get back to this thread in a timely fashion.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, you're welcome.

    Perhaps if the problem is resolved the cleaning programs should be removed and restore points dropped?

    * Download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe)
    And this: Clear your existing System Restore points and establish a new clean restore point:
    Please let us know if you need further help.
     
  8. griffjoh

    griffjoh TS Rookie Topic Starter

    Hey Bobbye and nobardin,

    It's been 3 days with no problems after following your instructions; thanks.

    I moved the gearsec.exe and gearsec.dll files out of the windows\system32 directory in safe mode. I stll have them as a backup just in case they are not the culprits. Had to do it this way as hijackthis was unable to clean it up. The file was always active in RAM, and no matter how many times I ran hijackthis, gearsec.exe always came back on the list.

    Thanks again for all of your help.
    -griffjoh
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're going to have to change the Startup type for the Service:

    Start> Run> services.msc. right click on Gear Security Service (GEARSecurity) > Properties> change Startup type to Disabled if you're not going to use it, or to Manual if you only want it to start as needed.

    Have a look here for more on this:
    http://forums.techguy.org/all-other-software/278528-gearsecurity-service.html

    The link for the file transfer wouldn't work for me.
     
  10. griffjoh

    griffjoh TS Rookie Topic Starter

    Bobbye,

    I left the services entry alone, since I use Audible as mentioned by Tom Vaughn on the techguy forum.

    Next I poked aroung on the GEARSEC ftp site with linux/wget and found the Installer here:

    ftp://198.65.117.42/updates/windows/drivers/archive/jul_11_08

    Will install and report back.

    Thanks again,
    -griffjoh
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Give us an update when you have one.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...