Recurring browser hijacking

By mojomonkey
Dec 6, 2009
  1. My girlfriend's computer is infected with something I can't seem to get rid of. There were numerous infections when I first got it, including one that had changed the internet connection settings to run through a local proxy at

    I had cleaned a bunch from a linux disk and eventually from running Trend Micro's Housecall. Some of the names of virus/spyware that have been removed (names vary, used various programs):
    - Trojan_BHO
    - Win32:BHO-YE
    - Win32:FakeAlert-Ex
    - Win32:DNSChanger-v
    - HTML:RedirMe-inf
    - Troj PDFJS.AH
    - TR/FakeXPA.A.48
    - HTML/Silly.gen
    - Rootkt.TDSSERV-Trace

    The only symptom left is that search results are redirected to other sites, and random pages are popped up in new tabs (on Firefox 3.5.5, though she used IE and had similar symptoms). For example, when I came to this forum, popped up) I've run the 8 steps from this forum, which cleaned a lot of the items listed above. She also had spybot installed and that had been run too.

    Logs attached. Thanks for any help!
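    The first post names the classic footprints of a search-redirect infection: an internet connection forced through a local proxy, a DNSChanger detection, and a RedirMe hit. The following read-only triage script is an added example, not something posted in this thread or part of any tool it mentions; it assumes Windows PowerShell 3.0 or later run from an elevated prompt, and inspects only standard registry locations and the hosts file, changing nothing.

```powershell
# Added example (not from the thread): read-only triage of the settings that
# proxy-hijack / DNSChanger-style malware typically alters. Assumes Windows
# PowerShell 3.0+ in an elevated prompt. Nothing is modified.

function Get-ProxyHijackIndicators {
    # WinINET per-user proxy settings (used by IE and many other programs).
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnable   = $p.ProxyEnable     # 1 = a fixed proxy is in force
        ProxyServer   = $p.ProxyServer     # 127.0.0.1:<port> means a local proxy, as in the first post
        AutoConfigURL = $p.AutoConfigURL   # a PAC script can redirect only selected sites
    }
}

function Get-DnsIndicators {
    # Per-interface resolver settings; DNSChanger variants write rogue
    # NameServer values here so they survive a DHCP renewal.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $v = Get-ItemProperty -Path $_.PSPath
        if ($v.NameServer) {
            [pscustomobject]@{
                Interface      = $_.PSChildName
                NameServer     = $v.NameServer       # statically set (suspicious on a home laptop)
                DhcpNameServer = $v.DhcpNameServer   # what the router actually handed out
            }
        }
    }
}

function Get-HostsOverrides {
    # Any hosts entry that is not the loopback/localhost line deserves a look:
    # redirectors use it to send search engines and AV update sites elsewhere.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*[^#\s]' } |
        Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
}

Write-Host '== Proxy settings =='; Get-ProxyHijackIndicators | Format-List
Write-Host '== Static DNS servers =='; Get-DnsIndicators | Format-Table -AutoSize
Write-Host '== Non-default hosts entries =='; Get-HostsOverrides
```

A clean machine shows ProxyEnable 0 with empty ProxyServer and AutoConfigURL, no NameServer values on a DHCP-configured laptop, and no hosts lines beyond the localhost entry. Anything else is a lead to compare against the HijackThis and ComboFix logs, not proof of infection on its own.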
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    You can uninstall SUPERAntiSpyware now (and Spybot S&D too if you still have that installed)

    But with that many infections let's just jump right in and run another scan ;)

    • Download Combofix to your desktop.
    • Disable your Antivirus (as Combofix will remove any found malwares)
    • Double click ComboFix & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here
    Also restart and then provide a fresh HJT Scan log
  3. mojomonkey

    mojomonkey TS Rookie Topic Starter

    Thanks for the response. I ran ComboFix and it downloaded/installed MS Recovery Console. It then said it detected rootkit activity and rebooted. Eventually it finished, log attached below. I then restarted and ran Hijack This, that log is also attached.

    No popups so far, though I came straight here.
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Looks lots better :)
    But I'll have to check back later, I must go offline for a bit.
  5. mojomonkey

    mojomonkey TS Rookie Topic Starter

    It's nearing bedtime in my part of the world so I'll check back in for your reply tomorrow. I guess I'll power this laptop off overnight.
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt
    Please Attach this Combofix log to a new reply
  7. mojomonkey

    mojomonkey TS Rookie Topic Starter

    Ran ComboFix with noted script. Results attached.
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Un-install Combofix
    • Click START then RUN
    • Now type Combofix /uninstall in the runbox and click OK
    • Any popup errors about Antivirus, just OK or close them
    Note: 1 space after ComboFix in that uninstall command

    Download and run TFC by Old Timer

    Clear & Reset System Restore's Cache
    Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 and then press Enter
    * Tick on the checkbox - Turn off System Restore on all drives
    * Click Apply
    Turn it back 'On' by unticking the same checkbox & click Apply, and then OK


    How is it running now?
  9. mojomonkey

    mojomonkey TS Rookie Topic Starter

    Hope this doesn't tempt fate, but I have been web browsing for almost 2 hours now without problem. So maybe good now?
  10. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Oh, sorry forgot to mention. You are all clear to go now :)
  11. mojomonkey

    mojomonkey TS Rookie Topic Starter

    Thanks for your help :)

    Out of curiosity, what was the tipoff to remove the files you told me to? mlfcache.dat seems to be a font cache. Not really, in this case, or was there a way to exploit this?

    And nsgkff31_meter4.dll? Looking online it seems to be from the Nielsen Company. She has to run some "Nielsen Netratings" program for work. Was the file infected, or is it generally spyware/vulnerable/etc.? If the program stops working, she will reinstall it and I assume that file will return. She had been using it for a long time without any problem (that she knew of).

    And the plwrqi file/folder?

    Thanks again!
  12. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Yes, sorry. I tend to clean up possible unknowns and not-sures, just in case
    If these programs do not work any more then just re-install the program


    Do note I looked up every file stated including those you mentioned
    To me they did not seem required to start with Windows
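    The question in posts 11 and 12 is how to judge whether an unfamiliar DLL or file "seems required to start with Windows". The script below is an added example, not from this thread or from HijackThis/ComboFix; it assumes Windows PowerShell 3.0 or later in an elevated prompt. It enumerates the Run/RunOnce autostart entries and the Browser Helper Objects (the BHO detections in the first post live there), resolves each to its file on disk, and reports the Authenticode signer so that a vendor-signed file such as a metering agent can be told apart from an unsigned DLL dropped into a temp folder.

```powershell
# Added example (not from the thread): list autostart entries and BHOs with
# the signer of each file, read-only. Assumes Windows PowerShell 3.0+ elevated.

function Get-AutostartEntries {
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $runKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        # Skip the PS* bookkeeping properties Get-ItemProperty adds.
        $names = $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            Select-Object -ExpandProperty Name
        foreach ($n in $names) {
            [pscustomobject]@{ Source = $k; Name = $n; Command = $props.$n }
        }
    }
}

function Get-BrowserHelperObjects {
    # Each BHO is registered by CLSID; the DLL path is the CLSID's InprocServer32 default value.
    $bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        [pscustomobject]@{ Source = 'BHO'; Name = $clsid; Command = $server.'(default)' }
    }
}

function Get-ExecutablePath([string]$Command) {
    # Pull the program path out of a command line: quoted path, or first token.
    $m = [regex]::Match($Command, '^\s*"([^"]+)"|^\s*(\S+)')
    $raw = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
    [Environment]::ExpandEnvironmentVariables($raw)
}

function Get-FileTrust([string]$Path) {
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'file missing' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') { "Valid: $($sig.SignerCertificate.Subject)" } else { "$($sig.Status)" }
}

@(Get-AutostartEntries) + @(Get-BrowserHelperObjects) | ForEach-Object {
    $path = Get-ExecutablePath $_.Command
    [pscustomobject]@{
        Source  = $_.Source
        Name    = $_.Name
        File    = $path
        Signer  = Get-FileTrust $path
        InTemp  = [bool]($path -match '\\(Temp|Temporary Internet Files|Local Settings\\Temp)\\')
    }
} | Sort-Object Signer | Format-Table -AutoSize -Wrap
```

An entry that is unsigned, lives under a temp or profile folder, or has a random-looking name like the ones asked about above is the kind of "not-sure" a helper removes first; a validly signed file from the vendor whose software is actually in use can usually be left alone or simply reinstalled if removal breaks the program, exactly as suggested in the reply.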