Recurring browser hijacking

Status
Not open for further replies.

mojomonkey

Posts: 6   +0
My girlfriend's computer is infected with something I can't seem to get rid of. There were numerous infections when I first got it, including one that had changed the internet connection settings to run through a local proxy at 127.0.0.1:5555.

I had cleaned a bunch from a Linux disk and eventually from running Trend Micro's HouseCall. Some of the names of the viruses/spyware that have been removed (names vary, used various programs):
- Trojan_BHO
- Win32:BHO-YE
- Win32:FakeAlert-Ex
- Win32:DNSChanger-v
- HTML:RedirMe-inf
- Troj PDFJS.AH
- TR/FakeXPA.A.48
- HTML/Silly.gen
- Rootkt.TDSSERV-Trace

The only symptom left is that search results are redirected to other sites, and random pages are popped up in new tabs (on Firefox 3.5.5, though she used IE and had similar symptoms). For example, when I came to this forum, http://serw.clicksor.com/newServing/go.php?nid=1&cpx=cpv&uid=3156197415&pid=93033&sid=174611&kw=channel%3AGeneral&af=3&rf=0&curl=http%3A%2F%2Fbadware-exterminator.net%2Ffeatures.php&gw=1&cid=70138&anid=1 popped up. I've run the 8 steps from this forum, which cleaned a lot of the items listed above. She also had Spybot installed and that had been run too.

Logs attached. Thanks for any help!
 
You can uninstall SUPERAntiSpyware now (and Spybot S&D too if you still have that installed)

But with that many infections, let's just jump right in and run another scan ;)

Combofix:
  • Download Combofix to your desktop.
  • Disable your antivirus (as ComboFix will remove any malware it finds)
  • Double click ComboFix & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here
Also restart and then provide a fresh HJT Scan log
 
Thanks for the response. I ran ComboFix and it downloaded/installed the MS Recovery Console. It then said it detected rootkit activity and rebooted. Eventually it finished; log attached below. I then restarted and ran HijackThis; that log is also attached.

No popups so far, though I came straight here.
 
It's nearing bedtime in my part of the world so I'll check back in for your reply tomorrow. I guess I'll power this laptop off overnight.
 
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:
File::
c:\windows\system32\mlfcache.dat
c:\program files\mozilla firefox\components\nsgkff31_meter4.dll

Folder::
c:\documents and settings\All Users\Application Data\F-Secure
c:\documents and settings\Rachel\Local Settings\Application Data\plwrqi
c:\program files\Common Files\Symantec Shared

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
"c:\\windows\\system32\\notifyf2.dll"=-

Driver::

KILLALL::


Save this as CFScript.txt, in the same location as ComboFix.exe

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt
Please Attach this Combofix log to a new reply
 
Uninstall ComboFix
  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK
  • Any popup errors about Antivirus just ok or close
Note: 1 space after ComboFix in that uninstall command

Download and run TFC by Old Timer http://oldtimer.geekstogo.com/TFC.exe

Clear & Reset System Restore's Cache
Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 and then press Enter
* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply
Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

Restart

How is it running now?
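Added example, not part of this thread and not ComboFix's own tooling: a read-only PowerShell audit of the locations the two cleanup posts above act on (the WinINet proxy setting that the 127.0.0.1:5555 hijack changed, the Winlogon Notify key the CFScript removes an entry from, Browser Helper Objects, per-interface DNS servers and the hosts file), meant to be run after the CFScript run and the System Restore reset to confirm that nothing has come back. It reports and never deletes. It assumes Windows PowerShell 3.0 or later in an elevated session; the function names are mine, and the only value it flags outright is the loopback proxy named in the thread.

```powershell
# Added example (not from the thread): read-only audit of the hijack locations
# discussed above. Nothing here modifies the registry or the file system.

function Get-WinInetProxy {
    # Per-user WinINet proxy: the setting the 127.0.0.1:5555 hijack changed.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnable   = [int]$p.ProxyEnable
        ProxyServer   = [string]$p.ProxyServer
        AutoConfigURL = [string]$p.AutoConfigURL
    }
}

function Get-WinlogonNotifyEntries {
    # XP/2003: every subkey names a DLL that winlogon.exe loads at logon
    # (the CFScript above deletes the 'tpfnf2' entry from this key).
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $base)) { return @() }
    foreach ($sub in Get-ChildItem -Path $base) {
        $dll = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).DLLName
        $path = $null
        $signed = $false
        if ($dll) {
            # DLLName may be bare (resolved from System32) or a full path.
            $path = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $env:SystemRoot "System32\$dll" }
            if (Test-Path $path) {
                $signed = (Get-AuthenticodeSignature -FilePath $path).Status -eq 'Valid'
            }
        }
        [pscustomobject]@{ Name = $sub.PSChildName; DLL = $path; Exists = [bool]($path -and (Test-Path $path)); Signed = $signed }
    }
}

function Get-BrowserHelperObjects {
    # BHO CLSIDs registered with Explorer/IE; the DLL is found via HKCR\CLSID.
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $base)) { return @() }
    foreach ($sub in Get-ChildItem -Path $base) {
        $clsid = $sub.PSChildName
        $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ CLSID = $clsid; DLL = $dll }
    }
}

function Get-InterfaceDnsServers {
    # Statically configured DNS per interface; a DNSChanger rewrites these.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($if in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $if.PSPath -ErrorAction SilentlyContinue
        if ($p.NameServer) {
            [pscustomobject]@{ Interface = $if.PSChildName; NameServer = $p.NameServer }
        }
    }
}

function Get-HostsOverrides {
    # Active hosts entries other than the stock localhost line; redirects of
    # search or security sites often live here.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$' }
}

function Invoke-HijackAudit {
    $proxy = Get-WinInetProxy
    if ($proxy.ProxyEnable -eq 1 -and $proxy.ProxyServer -match '127\.0\.0\.1') {
        Write-Warning "Loopback proxy is still configured: $($proxy.ProxyServer)"
    }
    Write-Host '== WinINet proxy ==';           $proxy | Format-List | Out-Host
    Write-Host '== Winlogon Notify DLLs ==';    Get-WinlogonNotifyEntries | Format-Table -AutoSize | Out-Host
    Write-Host '== Browser Helper Objects =='; Get-BrowserHelperObjects | Format-Table -AutoSize | Out-Host
    Write-Host '== Interface DNS servers ==';  Get-InterfaceDnsServers | Format-Table -AutoSize | Out-Host
    Write-Host '== hosts overrides ==';        Get-HostsOverrides | Out-Host
}

Invoke-HijackAudit
```

Compare each list against what the machine should have (the corporate DNS servers, the Nielsen meter's BHO if it registers one, and so on); an entry whose DLL no longer exists on disk or fails signature validation is the first thing to look at after a cleanup like this one.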
 
Hope this doesn't tempt fate, but I have been web browsing for almost 2 hours now without problem. So maybe good now?
 
Thanks for your help :)

Out of curiosity, what was the tipoff to remove the files you told me to? mlfcache.dat seems to be a font cache. Not really, in this case, or was there a way to exploit this?

And nsgkff31_meter4.dll? Looking online it seems to be from the Nielsen Company. She has to run some "Nielsen NetRatings" program for work. Was the file infected, or is it generally spyware/vulnerable/etc.? If the program stops working, she will reinstall it and I assume that file will return. She had been using it for a long time without any problem (that she knew of).

And the plwrqi file/folder?

Thanks again!
 
Yes, sorry. I tend to clean up possible unknowns and not-sures, just in case
If these programs do not work any more then just re-install the program

EDIT

Do note I looked up every file stated including those you mentioned
To me they did not seem required to start with Windows
 