Experiencing browser hijacks

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by goliano, Dec 15, 2005.

  1. goliano

    goliano Corporal

    Experiencing random browser hijacks and popups asking me to install something. Found and removed Pipas.A with Spybot Search & Destroy (which took 5 hours to run) and Trojan.Downloader.Small.Popcorn with Microsoft Antispyware.

    Haven’t noticed anything since, but like I said, it’s random so I’ve attached my hijackthis.log.

    Thanks,
    Goliano
     

    Attached Files:

  2. goliano

    goliano Corporal

    Did a Webroot Spy Sweeper scan and found and removed the following three Adware: searchtoolbar & idesk, and Trojan Horse: trojan-downloader-ruin.

    New hijackthis.log attached.

    Thanks,
    Goliano
     

    Attached Files:

    Last edited: Dec 15, 2005
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    UnSpyPC is junk that should be uninstalled. If it cannot be uninstalled have HJT fix the below line and delete the folder after booting in safe mode.
    O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"

    I would also fix the below two lines with HJT.
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/104786be8fbc25cdec05/netzip/RdxIE601.cab
    O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common/mbrowser/MINIBrowser.CAB

    Are you still having hijacker problems?
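    As an added example (not from the thread, and not HijackThis's own code): a small Python parser for the O4 and O16 log lines quoted above, showing what each field in those lines means and listing Downloaded Program Files whose source host is not on a reviewer's allowlist. The sample log is constructed from the lines in this post plus one hypothetical benign O4 entry (SoundMan); the allowlist host is illustrative.

```python
import re
from dataclasses import dataclass
from typing import List, Set
from urllib.parse import urlparse

# Constructed sample: the O4/O16 lines from the thread plus a hypothetical benign O4 entry.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/104786be8fbc25cdec05/netzip/RdxIE601.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common/mbrowser/MINIBrowser.CAB
"""

# O4: autostart value under a ...\Run key -> "[value name] command line"
O4_RE = re.compile(r"^O4 - (?P<key>HK[A-Z]+\\\.\.\\[^:]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# O16: Downloaded Program Files (ActiveX) keyed by CLSID, optional "(description)", source URL
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")


@dataclass
class Entry:
    section: str   # "O4" or "O16"
    location: str  # registry key (O4) or CLSID (O16)
    name: str      # Run value name (O4) or control description (O16, may be "")
    target: str    # command line (O4) or download URL (O16)

    def host(self) -> str:
        """Host an O16 control was downloaded from; empty for O4 entries."""
        if self.section != "O16":
            return ""
        return urlparse(self.target).hostname or ""


def parse_hjt(text: str) -> List[Entry]:
    """Parse O4 and O16 lines of a HijackThis log; other sections are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            entries.append(Entry("O4", m["key"], m["name"], m["cmd"].strip()))
        elif m := O16_RE.match(line):
            entries.append(Entry("O16", m["clsid"], m["desc"] or "", m["url"]))
    return entries


def untrusted_dpf(entries: List[Entry], trusted_hosts: Set[str]) -> List[Entry]:
    """O16 controls fetched from hosts outside the allowlist: candidates for the HJT 'fix' above."""
    return [e for e in entries if e.section == "O16" and e.host() not in trusted_hosts]


if __name__ == "__main__":
    for e in untrusted_dpf(parse_hjt(SAMPLE_LOG), {"download.microsoft.com"}):
        print(f"review {e.location} ({e.name or 'no description'}) from {e.host()}")
```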
     
  4. goliano

    goliano Corporal

    Wassup Chaslang!

    Used HJT to fix the 3 lines you listed. After booting to safe mode, I couldn't find "C:\Program Files\UnSpyPC\UnSpyPC.exe". I figure that HJT got rid of it... that's possible, right?

    I haven't noticed any hijacker issues since executing the steps in the tutorial, but it was never a constant thing. It usually happened after clicking a link on a Google search results page. I'll do a few of those and let you know what happens.

    I'll also run Spybot Search & Destroy again to see if it still takes forever to run. As I said in my initial post, it took 5 hours to complete, whereas before it took less than 10 minutes.

    I've attached a new HJT logfile.

    Thanks for your help.

    Peace!
    Goliano
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes HJT may have removed it!

    I'm not sure why Spybot took that long. Let us know what you find this time. Make sure nothing else is running when you try it this time. Did you by any chance change its Scan priority (it's found in Advanced Mode under Settings -> Settings -> Scan Priority)? Normal is default.

    You may want to consider running some other tools. Let me know if you are up for that.
     
  6. goliano

    goliano Corporal

    Spybot S&D is now running normally and I haven't experienced any more browser hijacks.

    Sure, I'm up for running some other tools.

    Goliano
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Run the below and attach the logs:

    Also in a second message attach the results from the below WinPFind scan

    Download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards of 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.
     
  8. goliano

    goliano Corporal

    I've attached the logs from Ewido and Panda. WinPFind bombed with an "Invalid data type for 'system'" error after running for about 3 minutes and processing:

    (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon)
    UserInit = C:\WINDOWS\system32\userinit.exe,
    Shell = Explorer.exe
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you recognize this URL to be valid for you:

    c:\documents and settings\roweg\favorites\SHOPPING\eBay.url

    It is in your favorites. If not valid then delete it.

    Also use Windows Explorer to delete the below files (if found):
    C:\WINDOWS\hh.ico
    C:\WINDOWS\rdt.ini
    C:\WINDOWS\system32\filesafer23.exe

    So is everything working okay now?
     
