Browser Hijack Firefox and IE

Status
Not open for further replies.

Smell the Glove

I'm having a problem. My browser homepage is getting hijacked and it tries to take me to another website. It happens with Firefox and IE.

Also the tabs have stopped working on Firefox and having a second window open doesn't seem to work either.

EDIT - It's worse than I thought!! This might sound crazy but I can't access any other websites than this one!! :(

Any help? PLEASE?

HJT log file
 
Go and read the Viruses/Spyware/Malware preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


Regards Howard :wave: :wave:


This thread is for the use of Smell the Glove only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I've tried all that but it still seems to be happening.

I have attached 2 new logs.
The first one is run offline and the second online.

On the second I see this:

O17 - HKLM\System\CCS\Services\Tcpip\..\{B957393B-24EE-4298-8BF8-C6D10234850E}: NameServer = 85.255.115.83 85.255.112.206

Which I think is my problem. I've tried fixing the problem but it keeps coming back.
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end the process for (if there):

dmdpb.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

O4 - HKLM\..\Run: [dmdpb.exe] C:\WINDOWS\system32\dmdpb.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{B957393B-24EE-4298-8BF8-C6D10234850E}: NameServer = 85.255.115.83 85.255.112.206 (only fix this if it doesn't belong to your ISP)

85.255.112.206-xbox.dedi.inhoster.com is what the above IP resolves to.

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\system32\dmdpb.exe

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log and the AVG Antispyware log I asked for.

Regards Howard :)

 
Ok, so it's still not working properly.

I'm not 100% sure how to save an AVG log so I've attached this: hope it's what you wanted?

Thanks for all the help.
 
I strongly suggest you back up your registry before doing the following.

Click start/run and type regedit into the run box and press the enter key. Click file, export and save a copy of your registry to wherever you want. Then, if you need to restore your original registry, it's a simple matter of double clicking the reg file and clicking yes when asked if you want to merge it into the registry.

Navigate to the following keys and delete them in the righthand pane.

HKEY_LOCAL_MACHINE\System\CCS\Services\Tcpip\..\{B957393B-24EE-4298-8BF8-C6D10234850E}: NameServer = 85.255.115.83 85.255.112.206

Post a fresh HJT log after doing the above.

Regards Howard :)

 
No, just delete anything to do with NameServer = 85.255.115.83 85.255.112.206

Regards Howard :)

 
I've done that (I think)

Here is the new log

By the way the problem still exists :( I've never had anything this bad before!

Plus this seems different since my last clean log I had:

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

Could it be anything?
 
Your HJT log is clean.

Go HERE and follow the instructions for downloading, installing and running AVG Antispyware (not to be confused with AVG Free Antivirus, which is a completely different programme).

Then post an AVG Antispyware log.

Regards Howard :)

 
Think I'm having serious problems because none of those links are working for me.

I just keep getting "Firefox can't find the server at www.ewido.net." message
 
Ok, try this LINK instead and scroll down to the bottom of the page for AVG Antispyware.

See if that helps.

Regards Howard :)

 
Thanks for the AVG Antispyware link. It found 10 threats (see attached log). I hope I've deleted these threats.

However problem still exists.

I have attached another HJT log.

As you can see:

O17 - HKLM\System\CCS\Services\Tcpip\..\{B957393B-24EE-4298-8BF8-C6D10234850E}: NameServer = 85.255.115.83 85.255.112.206

Keeps coming back.

What am I doing wrong?
 
Make sure you have the Ccleaner programme as in this thread HERE; you will need to use it as per the instructions later.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end the process for (if there):

dmzev.exe

Close task manager.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\system32\1024
C:\WINDOWS\system32\dmzev.exe
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\A8B518E1-F216-42D9-9DE2-B0E091.asq

Run the Ccleaner programme as per the instructions.

Click start/run and type regedit into the run box and press the enter key.

Navigate to the following keys and delete them in the righthand pane.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7caf96a2-c556-460a-988e-76fc7895d284}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd}

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to it (if there).

O17 - HKLM\System\CCS\Services\Tcpip\..\{B957393B-24EE-4298-8BF8-C6D10234850E}: NameServer = 85.255.115.83 85.255.112.206

Click on the fix checked button.

Close HJT.

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Let me know if this has helped.

Regards Howard :)

 
I've done all that and the browser is still being hijacked!!! :(

O17 - HKLM\System\CCS\Services\Tcpip\..\{B957393B-24EE-4298-8BF8-C6D10234850E}: NameServer = 85.255.115.83 85.255.112.206

Only appears as soon as I log onto the net. If I'm offline it's not there.
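The offline-versus-online comparison described just above, and the "only fix this if it doesn't belong to your ISP" test attached to the O17 line earlier in the thread, can be done mechanically on the HJT text rather than by eye. The following is an added example, not code from the thread or from HijackThis: it parses HJT entry lines, lists the resolvers each O17 entry names, flags any that are not on an ISP allow-list, and reports entries present in one log but not in another. The two sample logs are constructed from entries quoted in this thread, and the ISP resolver addresses are placeholders from the documentation range, not real ones. (On the machine itself, the value HJT abbreviates as `HKLM\System\CCS\Services\Tcpip\..\{GUID}` is `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}\NameServer`, next to `DhcpNameServer`.)

```python
"""Triage helper for HijackThis (HJT) logs.

Added example, not code from this thread or from HijackThis. It pulls the
O4 (Run key) and O17 (TCP/IP NameServer) entries out of a log, lists the
resolvers each O17 entry names, flags any resolver that is not on the ISP
allow-list, and reports entries present in one log but not another.
The sample logs are constructed from entries quoted in the thread; the ISP
resolver addresses are placeholders (RFC 5737 documentation range).
"""
import re
from typing import Dict, List, Set, Tuple

# HJT entry lines look like "O17 - HKLM\System\CCS\...: NameServer = a.b.c.d e.f.g.h"
HJT_LINE = re.compile(r"^([OFRN]\d+) - (.*)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
GUID = re.compile(r"\{[0-9A-Fa-f-]+\}")
RUN_ENTRY = re.compile(r"\[(.*?)\]\s*(.*)")

Entry = Tuple[str, str]   # (section such as "O17", rest of the line)


def parse_hjt(text: str) -> List[Entry]:
    """Return (section, body) for every entry line, in log order; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def run_entries(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(value name, command) for each O4 autostart entry."""
    out = []
    for section, body in entries:
        m = RUN_ENTRY.search(body)
        if section == "O4" and m:
            out.append((m.group(1), m.group(2)))
    return out


def nameservers(entries: List[Entry]) -> Dict[str, Set[str]]:
    """Interface GUID -> resolver IPs, from every O17 NameServer entry."""
    out: Dict[str, Set[str]] = {}
    for section, body in entries:
        if section != "O17" or "NameServer" not in body:
            continue
        g = GUID.search(body)
        key = g.group(0) if g else body.split(":", 1)[0]
        out.setdefault(key, set()).update(IPV4.findall(body.split("=", 1)[1]))
    return out


def unexpected_resolvers(entries: List[Entry], allowed: Set[str]) -> Dict[str, Set[str]]:
    """Resolvers that are not on the ISP allow-list, per interface.

    An empty dict means every configured resolver is one you expected; anything
    else is the "fix it only if it doesn't belong to your ISP" case."""
    bad = {}
    for guid, ips in nameservers(entries).items():
        extra = ips - allowed
        if extra:
            bad[guid] = extra
    return bad


def only_in_second(first: str, second: str) -> List[Entry]:
    """Entries in the second log that the first lacks (e.g. online vs offline)."""
    base = set(parse_hjt(first))
    return [e for e in parse_hjt(second) if e not in base]


# Constructed sample logs, using the entries quoted in this thread.
OFFLINE_LOG = r"""
O4 - HKLM\..\Run: [dmdpb.exe] C:\WINDOWS\system32\dmdpb.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
"""
ONLINE_LOG = OFFLINE_LOG + r"""O17 - HKLM\System\CCS\Services\Tcpip\..\{B957393B-24EE-4298-8BF8-C6D10234850E}: NameServer = 85.255.115.83 85.255.112.206
"""
# Assumption: the ISP's real resolvers would go here (from the ISP or the router).
ISP_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

if __name__ == "__main__":
    online = parse_hjt(ONLINE_LOG)
    print("autostart entries:", run_entries(online))
    print("resolvers not on the ISP list:", unexpected_resolvers(online, ISP_RESOLVERS))
    print("appeared only when online:", only_in_second(OFFLINE_LOG, ONLINE_LOG))
```

Replace the two sample strings with the real logs (saved as text) and put the ISP's actual resolvers in `ISP_RESOLVERS`. A non-empty result from `unexpected_resolvers` is the entry to have HJT fix; a non-empty result from `only_in_second` shows exactly what changed between the offline and online scans, which is worth knowing before concluding that a fix did not take.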
 
Close all browsers.

Click Start/Run, type in CMD and click OK.

At the DOS prompt screen, type in cd\ and hit enter.

Now type in ipconfig /flushdns and press the enter key. Note the space after the ipconfig command.

Once it is done, type exit.

Run HJT and fix the O17 entry.

Reboot your computer and run HJT again. See if the O17 entry has gone.

Regards Howard :)

 
It's still doing it!! I can't figure out what's up with this damn PC! I appreciate all your help.

This must be bugging you as much as it is me!!

What would happen if I deleted the Tcpip registry?

I'm starting to worry that this hijack could be more sinister than I first thought.
 
Found something interesting. It is only GOOGLE that is being hijacked. My startpage was set as google but I've changed it to something else. Now Firefox goes to my startpage OK but Google is still being hijacked.

However, for most other websites it just says "Server not found". In fact this is the only bookmark/favourite website that works on my list.

Does this information help?
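The symptom described just above, Google redirected while most other names come back "Server not found", is what you would see from a resolver that answers selectively, and it can be tested directly instead of inferred from the browser. The following is an added example, not code from the thread: it builds a DNS A query by hand, parses the answer section of the reply, and compares the returned addresses against a reference answer obtained from a resolver you trust. The three reply packets at the bottom are constructed for the demonstration (the "rogue" one returns a documentation-range address for www.google.com; none of them is a real observation), and `query_resolver()` is the only part that touches the network.

```python
"""Ask a configured resolver what it really answers for a name, so a rogue
DNS server can be told apart from a broken network.

Added example, not from the thread. It hand-builds a DNS A query (RFC 1035),
parses the answer section of the reply, and reports a mismatch against a
reference answer. The reply packets at the bottom are constructed here;
the "rogue" answer 192.0.2.10 is a documentation address, not a real
observation. query_resolver() is the only function that does network I/O.
"""
import socket
import struct
from typing import Set

TXID = 0x1234   # fixed for the demo; a real client randomises this per query


def build_query(name: str, txid: int = TXID) -> bytes:
    """Standard recursive A query: 12-byte header, QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(pkt: bytes, expect_txid: int = TXID) -> Set[str]:
    """IPv4 addresses in the answer section; raise on id mismatch or non-zero RCODE."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if txid != expect_txid:
        raise ValueError("transaction id mismatch (spoofed or stray reply)")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                 # skip the echoed question(s)
        off = _skip_name(pkt, off) + 4
    answers: Set[str] = set()
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:   # A record
            answers.add(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return answers


def verdict(reply: bytes, reference: Set[str]) -> str:
    """'ok' if the resolver agrees with the trusted answer, otherwise why not."""
    try:
        got = parse_a_records(reply)
    except ValueError as e:
        return "error: %s" % e
    if not got:
        return "no A records returned"
    if got & reference:
        return "ok"
    return "MISMATCH: resolver says %s, reference says %s" % (sorted(got), sorted(reference))


def query_resolver(server: str, name: str, timeout: float = 3.0) -> bytes:
    """Send the query to one resolver over UDP/53 and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recv(512)


def _reply(name: str, ip: str, rcode: int = 0) -> bytes:
    """Constructed reply for the demo: echoes the question, then one A record."""
    q = build_query(name)
    header = struct.pack("!HHHHHH", TXID, 0x8180 | rcode, 1, 0 if rcode else 1, 0, 0)
    body = q[12:]
    if not rcode:   # answer name is a pointer (0xC00C) back to the question name
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + body


REFERENCE = {"198.51.100.7"}   # assumption: the answer a trusted resolver gave
HONEST_REPLY = _reply("www.google.com", "198.51.100.7")
ROGUE_REPLY = _reply("www.google.com", "192.0.2.10")
SERVFAIL_REPLY = _reply("www.google.com", "0.0.0.0", rcode=2)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # e.g. python dnscheck.py 85.255.115.83
        print(verdict(query_resolver(sys.argv[1], "www.google.com"), REFERENCE))
    else:
        for label, pkt in (("honest", HONEST_REPLY), ("rogue", ROGUE_REPLY),
                           ("servfail", SERVFAIL_REPLY)):
            print(label, "->", verdict(pkt, REFERENCE))
```

Run it with the suspect resolver's address as the argument (the file name is your choice), after first putting into `REFERENCE` the A records that a resolver you trust returns for the same name. A mismatch means the resolver is lying for that name; a timeout or an error RCODE for most names, with normal answers for a few, matches the "Server not found" pattern in the thread better than any browser setting does.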
 
It sure is bugging me, but only because I hate it when I can't fix something. It must be far worse for you.

Let's try this.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html


Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, you'll see your desktop and taskbar won't load yet. This is normal, because it is still scanning. Please be patient.
Afterwards, HijackThis will launch automatically. Please click Scan, and check the following items (if there):

O4 - HKLM\..\Run: [dmdpb.exe] C:\WINDOWS\system32\dmdpb.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{B957393B-24EE-4298-8BF8-C6D10234850E}: NameServer = 85.255.115.83 85.255.112.206 (only fix this if it doesn't belong to your ISP)

Click Fix Checked. Close HijackThis, and click OK to proceed.
This will launch your desktop now.

Locate and delete the following bold file(if there).

C:\WINDOWS\system32\dmdpb.exe

Let me know if you either can't find the file or can't delete it.


Finally, please post the contents of the logfile that will open (C:\fixwareout\report.txt), along with a new HJT log.

Regards Howard :)

 
Howard,

Thanks for all your help, but my laptop has started to act really strange. I've lost sound, can't run iTunes and all sorts of weird stuff.

Think I'm going to back everything up and reformat! Can't believe a simple browser hijack could mess up my PC as much as it has done! :(

Thanks for all your hard work.

Matt (aka Smell the Glove)
 
In that case, a reformat and reinstall is probably the best way to go.

I'm sorry I was unable to fix your problem.

Regards Howard :)

 
That is a possibility, but I hope it's not the case.

I've been researching this new browser hijacker for the last few hours.

There's a possibility that it's based on a rootkit.

Smell the Glove: If you haven't already started your reformat, please try the following.

Download and install the Blacklight programme. Run the programme and click on the help button. Read the instructions for running the programme.

I don't know if it'll fix the problem, but it's worth a try.

Let me know the results and post a fresh HJT log.

Regards Howard :)

 
Hey Howard,

I've already reformatted, I'm afraid. Took me bloody hours, lost 10Gb worth of music! D'oh.

Really appreciate the extra work you put in!

The hijacker appears to have gone, thank goodness.

It's been emotional. ;)

PS - have you managed to find anything new out about the hijacker? Any idea how "nasty" it was?
 
That's a shame, but thanks for letting me know.

I guess I'll have to wait until some other poor bugger gets infected with that awful hijacker before I know whether the Blacklight software will work.

Regards Howard :)

 