Browser hijack problem

[Roohi]

Hi,

I followed all the steps given in 'Viruses/Spyware/Malware, preliminary removal instructions' post and have attached the 3 log files that I got. When I click on my google search results, random websites such as ebay or anti-spyware websites open up. And also, within 10 - 20 min of starting the computer, my internet explorer as well as firefox lose the net connection. It says 'this page is unavailable', although the net connection itself will be working well. If someone can help me out, I would be extremely grateful!

Also the Panda Antirootkit scan results said that 'No rootkits have been found'

Thanks a lot !

 

[Blind Dragon]

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt

Now lets check some settings on your system.
(2000/XP) Only
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable on some systems
Next Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)
---------------------------------------------------------------------------------------------------------

 

[Roohi]

Hi,

It was already set to 'Obtain DNS servers automatically'. I did the rest and have also attached the 2 log files. Also, after running Fixit, it asked me to 'double left click dnsbak.reg in the Fixwareout folder'. Should I do that ?

Thanks a lot for your help!

 

[Blind Dragon]

Only if you have Internet connection problems should you double click on that.

First of all
Malwarebytes' Anti-Malware

• Please download Malwarebytes' Anti-Malware to your desktop.
  
• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
  • Update Malwarebytes' Anti-Malware
  • and Launch Malwarebytes' Anti-Malware
• then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please attach the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Run another scan with Hijackthis afterwards and attach the log as well

 

[Roohi]

I have attached both log files.
Thanks !

 

[Blind Dragon]

MBAM says that it quarantined and deleted the infection. However, it is still showing as active and running as a startup in your Hijackthis log.

Did you run this scan with Hijackthis before MBAM by any chance?

If not, boot into safe mode and re-run Malwarebytes' Anti-Malware, using the previous instructions

My guess is that your real-time protection prevented the needed changes to the registry

*Also go to start -> control panel -> add/remove programs and check to see if Winifixer is listed, if it is uninstall it. If not just let me know that it wasn't there.

 

[Roohi]

I have attached the two log files. I had run the other scan first, and then hijackthis. Also, there is no winfixer in the 'add/remove programs' list (I think I deleted it right after it appeared on the computer and I started having browser problems)

Thanks a lot !

 

[Blind Dragon]

looking better, can you show me the Hijackthis log ran from normal mode

 

[Roohi]

log file attached

Thanks!

 

[Blind Dragon]

Are you still having any problems/symptoms

-------------------------------------------------------------------------------------------------
This one is being used by Realtek to gather data about customers, it is considered slyware

Run a scan with hijackthis and put a check next to

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

Close all browsers and select fix checked

------------------------------------------------------------------------------------------------------
:Run Kaspersky Online AV Scanner:

Order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

• Read the Requirements and limitations before you click Accept.
• Allow the ActiveX download if necessary.
• Once the database has downloaded, click Next.
• Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
• Click on "My Computer"
• When the scan has completed, click Save Report As...
• Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
• Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Attach the report into your next reply

 

[Roohi]

Everything's been working fine after running the anti-malware scan. But the new scan showed 11 viruses . I have attached the log files.

I am extremely grateful for all your time and help. Thanks a lot!

 

[Blind Dragon]

no problem,

those actually aren't infections.

*delete the quarantined files in Norton and delete smitfruad and those are all gone.

Go to start -> Run -> type in combofix /u
*note the space between
*This will uninstall combofix
*removes vundofix backups
*removes quarentine files
*creates a fresh clean restore point

Remove Hijackthis from Start-> control panel -> add/remove programs
Remove the 3 tools from step 10 (smitfraud, vundofix,virtumondobegone) by dragging to the recycle bin

I recommend you keep
1 anti virus program (AVG not anti spyware)
1 firewall
Spybot S&D, Adaware 2007, 1 additional anti-spyware of your choice

keep them updated.

You can also turn on tea timer in Spybot:

• Click on Mode at the top and make sure that Advanced is checked
• Expand the Tools tab in the left pane
• Single click on the Resident Icon also in the left pane
• check Resident "TeaTimer" (Protection of over-all system settings) Active
• Close spybot

Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example if you don't use MSN Messenger everytime you run your computer you can disable it, then when you want to use it you can launch it through Start -> all programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green though.

:Set correct settings for files:

• Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
• Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
• If unchecked please check Hide protected operating system files (Recommended)
• If necessary check "Display content of system folders"
• If necessary Uncheck Hide file extensions for known file types.
• Click OK

:clear system restore points:

• 
  This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.
  This will remove all restore points except the new one you just created.

***Also check for windows updates by going to Control Panel -> Windows update

 

[Roohi]

So I followed all the instructions. One question though, Winifixer is still listed as a startup entry in spybot, is that alright? Also, I have windows firewall and norton anti-virus already, will those be sufficient?

Thanks !

 

[Blind Dragon]

Under startups in spybot highlight the entry then click the red X that says delete at the top.

Norton is ok if you like it, I normally prefer something that consumes less system resources and is free

Windows firewall is worthless.

You aren't running Firewall Software. Please download and install one of these first!

Use a Firewall - It is very important that you use a Firewall on your computer. If you use the Windows Firewall you might think that's enough but it only controls inbound traffic. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some firewalls which are free for personal use and most commonly used:
Comodo
Kerio
Online Armor
Zonealarm

Keep spybot and MBAM if you like, they are both free