1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

browser hijack and infoseek problems

Discussion in 'Malware Removal' started by hdebo, May 31, 2007.

  1. hdebo

    hdebo Private E-2

    I have some problems with my home page being changed. Norton seems to find and stop infoseek and whatever is happening it is rolling back my date and time a few years. Please help. I had trouble running counterspy and I deleted all it found and could not find the prompt to save the report. I tried to run everything else in your instructions.
    Thanks
     

    Attached Files:

  2. hdebo

    hdebo Private E-2

    here is the rest of the reports.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is this the same PC as in the below thread which you never completed?

    http://forums.majorgeeks.com/showthread.php?t=126461

    It is considered impolite to not complete a thread and even worse, it leaves you susceptable to reinfection.'


    You are using out of date versions of GetRunKey and ShowNew. You must always work from the current on line version of the READ & RUN ME!
     
  4. hdebo

    hdebo Private E-2

    I am sorry for not responding the last thread. It was running fine and it slipped my mind. Again I apoligize. It is the same pc but with different problems. I will include the new reports. Norton keeps blocking something called infosteal.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is that exactly what it says or does it say something else? Also where is it saying it is found?

    Did you get a popup from Symantec when running GetRunKey! It did not run properly! And neither did ShowNew!
     
  6. hdebo

    hdebo Private E-2

    I did not get any popub block when i ran those tests. Should I run them in safe mode? I ran them bolth on normal mode. The thing norton blocked was called infostealer.gampass. It said it just block an intrusion of infostealer.gampass. Every time I shut computer down the reboot my homepage is set to some japanese page www.hao123.com.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! Does your registry editor work? Click Start, Run, and enter regedit and click OK! Tell me what happens!


    So then the below is not something you configured?

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hao123.com/

    Does Symantec give the location or are you saying this is a message from your firewall on an incoming intrusion?
     
  8. hdebo

    hdebo Private E-2

    Regedit will not work it says ic cant access the file or path or device and i may not have permission to access the item. norton blocks it as an intrusion. I did not configure that line you have there.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does c:\windows\regedit.exe exist

    What about c:\windows\system32\regedit.exe

    Also look to see if regedit.com exists in either of the above folders.


    You did not answer my question. Please always answer all questions!

     
  10. hdebo

    hdebo Private E-2

    c:\windows.regedit.exe is there but in the system32 folder it has regedt32.exe

     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Shutdown Norton and the do the below.

    Click Start, Run, and enter regedit.exe and click OK! What happens?

    Why do you continue to not answer my question?
     
  12. hdebo

    hdebo Private E-2

    It still wont open with the same response as before. c:\windows\system32\regedit.exe is not there but i see c:\windows\system32\regedt32.exe. I dont see ant regedit.com in either of those folders

     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We can continue once you answer my question that you have not answered since message # 7.
     
  14. hdebo

    hdebo Private E-2

    1. regedit does not work see my last post
    2. I did not configure that line
    3. Symantec does not give a location it only says it blocks an incoming intrusion

     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is the only item I was referring to but I also wanted to know if it is from your firewall since you keep saying incoming intrusion. If it is from your firewall then there is nothing wrong, that is what your firewall is supposed to do.

    Does regedt32.exe run?
     
  16. hdebo

    hdebo Private E-2

    regedt32.exe does not seem to run either.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay you still seem to be missing the concept of answering all questions! In my last message there were to questions. You answered the second but not the first.

    Let me repeat the first!

     
  18. hdebo

    hdebo Private E-2

    I dont know how to answer that question. I have a firewall on my router but I dont know how to tell if that is where it is coming from. I aploligize if you are having a hard time understanding me but I am not very computer savy and doing the best I can.

     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not if it is coming from Norton!

    I understand but you must always try to answer all questions even if the answer is "I don't know". Remember my insight into your problem is only what you tell me since I cannot see anything. The more information (and always be exact) the better. This is the reason I have had to ask all of the questions. I need to zero in on exactly what is going on.

    Please boot into safe mode and log into the user account name Administrator. Then try running regedit.exe. If it does run, then get new logs from GetRunKey and ShowNew. Also do you get warnings from Norton in safe mode while logged in as Administrator.

    Then come back here and attach the logs if they were obtained.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What are the below files from in your root folder?
    Code:
    "C:\"
    112166~1.css  May 29 2007        1725  "1180482443f55.css"
    112461~1.css  May 29 2007         292  "1180482438f36.css"
    112956~1.css  May 29 2007        8443  "1180482443f53.css"
    112c5f~1.css  May 29 2007       16173  "1180482436f34.css"
    112d56~1.css  May 29 2007       16173  "1180482443f54.css"
    112d65~1.css  May 29 2007         388  "1180482442f48.css"
    11315e~1.css  May 29 2007         388  "1180482447f71.css"
    113169~1.css  May 29 2007        1725  "1180482448f75.css"
    113267~1.css  May 29 2007         460  "1180482452f95.css"
    11327b~1.css  May 29 2007        1725  "1180482450f89.css"
    113959~1.css  May 29 2007        8443  "1180482448f73.css"
    113a5b~1.css  May 29 2007         388  "1180482450f83.css"
    113a6b~1.css  May 29 2007       16173  "1180482450f87.css"
    113d59~1.css  May 29 2007       16173  "1180482448f74.css"
    113e67~1.css  May 29 2007         388  "1180482452f98.css"
    113e6b~1.css  May 29 2007        8443  "1180482450f88.css"
    118048~1.css  May 29 2007         388  "1180482426f7.css"
    118048~2.css  May 29 2007         388  "1180482436f32.css"
    118048~3.css  May 29 2007        1725  "1180482436f35.css"
    118048~4.css  May 29 2007        8443  "1180482436f33.css"
    11e9b2~1.css  May 29 2007         388  "1180482461f133.css"
    11eca0~1.css  May 29 2007       16173  "1180482453f103.css"
    11eca4~1.css  May 29 2007        1725  "1180482453f104.css"
    11ecac~1.css  May 29 2007        8443  "1180482453f102.css"
    11fb1b~1.htm  May 29 2007        1439  "1180482440f40.html"
    11fcaf~1.css  May 29 2007        2734  "1180482454f108.css"
    What is the below files for?
    Code:
    "C:\WINDOWS\"
    downlo~1.ini  May 29 2007          23  "DownloadStudio.INI"
    Delete the below file.
    C:\WINDOWS\IDMan.INI
     
  21. hdebo

    hdebo Private E-2

    regedit was not able to run in safemode under administrator or any other account. I dont get any norton popups in safemode. It does not look like it is even runnung in safemode. I dont know where all those files in the C: came from. Also I dont know where C:\WINDOWS\"
    downlo~1.ini May 29 2007 23 "DownloadStudio.INI" came from either. I deleted C:\WINDOWS\IDMan.INI as you instructed.
    I rebooted into normal mode and I am not getting that norton intrusion popup now.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Delete all the other files I mentioned too!

    Then run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hao123.com/

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!


    Now reboot in normal mode

    Now attach the below new logs and tell me how the above steps went.

    1. ShowNew
    2. HJT


    Make sure you tell me how things are working now!
     
  23. hdebo

    hdebo Private E-2

    ok i deleted all the files you wanted me to delete. here are the two scans you requested. right now everything seems to be working fine. i still cannot run regedit tho, i dont know if that is a problem we have to fix. Thanks for all the help you are providing.
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The fact the regedit will not run is a sign that other things are wrong. It may not be malware related but something is wrong. It would be good to find out what.

    OKay download the belowl MGTools.zip file! Extract all of the files from it into the folder where you install ShowNew. This will put a new version of ShowNew.bat and GetRunKey.bat into your ShowNew folder. This is okay. They will both run fine from this folder. Try running these new versions to see if you can get complete logs! Run GetRunKey.bat first and wait for it to finish (runkeys.txt text should pop up in notepad). Then close this notepad window. Then run ShowNew.bat.

    MGTools.zip


    These versions subsitute in a replacement command to use since you cannot run the Window Registry Editor.
     
  25. hdebo

    hdebo Private E-2

    Here is the new scans. What can I do to try to get regedit to run?? You know have me worried I might crash.
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are your copies of Sunbelt CounterSpy and iHateSpam something you purchased or are they free trials? If trials, uninstall now.

    Is your copy of Norton legit?

    What is the below that just showed up? It is not valid for any Norton products to be located here. Delete this file!
    Code:
     
    "C:\WINDOWS\Temp\"
    symlcsv1.exe  Jun  1 2007       31864  "symlcsv1.exe" 
    I do not see any issues in your logs and I wondering if you have configure something in Norton that is blocking execution of regedit (and maybe other tools too). You should check to make sure you have not down this. If you don't know how to do that, I recommend that you do the below test:
    • physically disconnect your cable to the internet
    • uninstall ALL of your Norton Software including Live Update
    • then reboot
    • now see if you can run regedit
    • then reinstall Norton (or use another antivirus application)
    • reconnect to the internet
    • come back here and tell me the results.
     
  27. hdebo

    hdebo Private E-2

    I deleted that line you wrote anduninstalled counterspy as it was trial version. I hate spam is full purchased copy. A friend installed norton for me so I dont know if it is legit. I explored my computer and I found a regedit that works. It is located in C:\windows\system32\dllcache. Is there some way to move it to where it is supposed to be??
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually no this is illegal. It was license to be used by your friend on his/her PC only. Unless he/she has uninstalled it and transferred the original copy and license to you.

    Copy it into your c:\windows folder
     
  29. hdebo

    hdebo Private E-2

    I cant copy regedit t othe windows folder. It wont let me overwrite the file already there. I dont know if he did the norton that way so when I find out I will delete it if he did it illegally.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try it in safe mode or try renaming the regedit.exe file that is currently there to regedit.old. There is no reason why you should not be able to overwrite this file. It is not normally in use and it is not protect.

    There is really nothing to find out. Did he give you the box and the original CD with the serial number? If not, it is not yours and it was not legal.

    You should uninstall it anyway as I previously suggested since it may possible be the cause of the problems you are having. At this point, all I can say is you have no apparent remaining malware and you issues seem to be related to what you are running or due to problems with in your OS, or settings/configurations that you have setup (either knowingly or by using various protection software).
     
  31. hdebo

    hdebo Private E-2

    It wont let me rename regedit.exe or copy it from the c:\sys32\dllcache location where it is working. Also what is a good antivirus program I can get to take the place when I delete norton.
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure you are logged into an account with Administrator priviledges? Are the file sizes and dates of the regedit.exe in C:\windows and in C:\windows\system32\dllcache the same?

    AVG Free Edition
     
  33. hdebo

    hdebo Private E-2

    The dates and sizes are the same. I tried to log in as Admin in normal and safe mode with the same results.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then it is the same file anyway and probably does not need to be copied.

    The Administrator account does not appear in normal boot mode. It only appears in safe mode. However other accounts with admin priviledges will appear in normal boot mode and in safe mode.

    Still looks like your problems are due to what you are running or have configured since no malware appears to be present. I will have you run one more tool to look for rootkits but after that you will have to try uninstalling ALL of your Norton/Symantec protection software to make sure it is not something you have inadvertantly setup. Sounds like you may have a policy to block using regedit.

    Now please download F-Secure's BlacklightBeta
    • Download fsbl.exe and save it to the Desktop.
    • Once saved... double click fsbl.exe to install the program.
    • Click accept agreement and Click scan
    • This application may trigger a warning from your antivirus. Let the driver load. Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please attach the BlackLight log.
     
  35. hdebo

    hdebo Private E-2

    I ran the test and it found no problems. Here is the attached log.
     

    Attached Files:

  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well that just confirms what I have been saying thus far and that is that your problems do not appear to be due to malware.
     
  37. hdebo

    hdebo Private E-2

    The computer is running fine except for the regedit. I want to thank you for the help you provided and if you can recommend a good antivirus program so I can get rid of the Norton.

    Thanks again
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Recommendations are in the link given in the below final steps for you. But I already gave you a link for an antivirus application back in message # 32.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.
    3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     

Share This Page

MajorGeeks.Com Menu

MajorGeeks.Com \ All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ NEW! PC Games \ System Tools \ Macintosh \ Demonews.Com \ Top Downloads

MajorGeeks.Com \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds