PLEASE HELP WITH BROWSER HIJACKER!! Using HijackThis

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tommyboy_to, Aug 22, 2009.

  1. tommyboy_to

    tommyboy_to Private E-2

    Hi there,

    I really need some help cleaning my computer. I have what I believe is a browser hijacker. The easiest and most common example I have is when I'm doing an online search. When on Google or Yahoo, and I have my search results, if I right-click and "open in a new tab", the page comes up blank and then says "Internet Explorer cannot display the web page". What it does show in the address bar is: http://cliccker.cn/ followed by about 100 characters. I went on a site that recommended using HijackThis and then panicked when I had no idea which of the results was the culprit. So I'm listing the results in this forum, and hopefully someone in the know can decipher what's going on.

    FYI... I have used both AVG Anti-Virus and Spybot Search & Destroy to scan, and they have found nothing.

    I really appreciate any help you can offer.

    Thanks,

    Tommy

    I also have attached the following logfile in the original text format in case it may be easier for you to view.
     


    Last edited by a moderator: Aug 25, 2009
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!

    Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.

    • If you have problems where no tools seem to run, please try following the steps given below and then continue on no matter what you find. You only need to try the TDSSserv steps if you are having problems getting scans to run in the Read & Run Me First. If TDSSserv is not found, just continue on with the READ & RUN ME.
    READ & RUN ME FIRST. Malware Removal Guide

    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:

    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. tommyboy_to

    tommyboy_to Private E-2

    Please help! Something's up with my computer.

    Hi there. I have been having some serious issues with my computer. I wish I had come to you guys first! It probably would have saved me hours of time and heartache. But, I'm here now, begging for help. The following may be a bit long and tedious, but I want to let you know exactly what's been going on. And yes, I HAVE FOLLOWED THE READ ME FIRST POST!!!

    This all started about 2 weeks ago. I had what I believe is a browser hijacker. The easiest and most common example I have is when I'm doing an online search. When on google or yahoo, and I have my search results, if I right click and "open in a new tab", the page comes up blank then says "internet explorer cannot display the web page". What it does show in the address bar is: http://cliccker.cn/ followed by about 100 characters.

    Since that time, I have run almost every scan I can get my hands on: Spybot, Ad-Aware, AVG, Malwarebytes, Trojan Remover, Kaspersky (I think it was called), and a couple more I'm sure I'm forgetting. Each scan either found nothing or, in most cases, would crash when scanning my windows/system32/config folder. As for my AVG, the resident shield kept finding a trojan but would not delete it. It finally had over 1000 cases in its log, and I gave up as I was constantly receiving popups asking me to delete it and then telling me it couldn't. A friend suggested I try BitDefender. I seem to be having the best results with this, although it has not solved the issue. As opposed to the constant popups AVG was giving me, now I only get one about 2-3 times an hour. This has helped me move along more quickly as I began to back up important files from my computer, as my helplessness seemed to lead me down the path of "format and start over".

    By the way, BitDefender keeps telling me it has found Trojan.TDss.WQ. It's found it about 60 times in 3 days but won't delete it.

    MBAM seemed to have been the only scanner that would give me anything. ** I should mention, the scan kept freezing on system32/config. I had to reboot my computer as MBAM would not shut down (even when trying to end the process). I re-ran the scan a 2nd and 3rd time and had to abort it after it found the infection, but before it scanned the config folder. Over the next 3 days, separate scans said this:

    Files Infected:
    c:\Windows\System32\kbiwkmmbtpbnys.dll (Rootkit.TDSS) -> Delete on reboot.

    The next day, MBAM gave me this:

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.

    Lastly, it said:

    Files Infected:
    C:\Windows\System32\kbiwkmupvukwbh.dll (Rootkit.TDSS) -> Delete on reboot.

    This time, when I rebooted my computer, I got the following message before the startup screen:

    LogonUI.exe - Bad Image
    globalroot/systemroot/system32/kbiwkmupvukwbh.dll is either not designed to run on windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support.

    So, my login screen comes up. I log in and get this:

    AtBroker.exe - Bad Image
    blah, blah, blah (same as above)

    then,

    Userinit.exe - Bad Image
    blah, blah

    then,

    dwm.exe - Bad Image
    blah

    then,

    explorer.exe - Bad Image
    bla

    etc, etc, etc.......

    I actually wrote down 23 of these error msgs before realizing how much of a fool I was being.

    I searched online for the error msg I was receiving. Using the command prompt in safe mode, I deleted the .dll file that was corrupt. I no longer got the error msg.

    I re-ran MBAM. The scan did not hang in the system32/config folder as previous. This time I got these results:

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmwptswrem (Rootkit.TDSS) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Windows\System32\kbiwkmmbtpbnys.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Windows\System32\kbiwkmbphcttaf.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Windows\System32\kbiwkmvbmucxxq.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Windows\System32\drivers\kbiwkmnrpoprsc.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

    So, I finally thought I had kicked it, as MBAM successfully got rid of these files. But I keep having issues and I still can't seem to kick it. So, I went through your READ ME FIRST post, have done nothing other than follow your steps, and am now providing the logs for review. The only problem I'm having is that RootRepeal will not complete its scan. It seems to lag at c:\windows\winsxs\manifests and then shuts down. I've scanned twice and the scan doesn't seem to want to complete. However, I am providing the other 4 logs to you.

    I really appreciate your help!
     


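The MBAM detections quoted in the post above share one shape: a random six-letter prefix (here `kbiwkm`) on a .dll and two .dat files in System32, a .sys driver in System32\drivers, and a service key of the same name, plus two fixed registry keys. The PowerShell script below is an added triage example written for this page; it is not part of tommyboy_to's post, TimW's instructions or any of the tools named in the thread. It reports what it finds and deletes nothing. The prefix is a parameter because the rootkit generates a new one per infection, and the final step is a caveat a practitioner would want: it asks the kernel which drivers are loaded and flags any whose file is not visible on disk, which is how a driver-level rootkit that hides its own files shows up even when a directory listing looks clean.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell prompt.
# -Prefix defaults to the 'kbiwkm' prefix seen in this thread's MBAM output; the
# rootkit's names are random per infection, so pass whatever prefix your detections share.
param([string]$Prefix = 'kbiwkm')

$sys32   = Join-Path $env:SystemRoot 'System32'
$drivers = Join-Path $sys32 'drivers'

# 1. Files. MBAM reported <prefix>*.dll and <prefix>*.dat in System32 and a
#    <prefix>*.sys driver in System32\drivers. -Force includes hidden files.
$files = @()
foreach ($dir in $sys32, $drivers) {
    $files += Get-ChildItem -Path $dir -Filter "$Prefix*" -Force -ErrorAction SilentlyContinue
}
foreach ($f in $files) {
    # Legitimate binaries in System32 carry a Microsoft Authenticode signature;
    # an unsigned file whose name matches the random prefix is the dropped component.
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    "{0,-60} {1,10} bytes  signature={2}" -f $f.FullName, $f.Length, $sig.Status
}
if (-not $files) { "No files matching $Prefix* under $sys32 or $drivers" }

# 2. Service. MBAM removed HKLM\System\CurrentControlSet\Services\<prefix>... ;
#    a kernel driver needs such an entry to load at boot, so list any with the prefix
#    together with the driver it points at and its start type (0 = boot, 1 = system).
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
    Where-Object { $_.PSChildName -like "$Prefix*" } |
    ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        "Service {0}: Start={1} ImagePath={2}" -f $_.PSChildName, $p.Start, $p.ImagePath
    }

# 3. The two fixed keys MBAM flagged as Trojan.Agent and Malware.Trace.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net',
                 'HKLM:\SOFTWARE\xpreapp') {
    "{0,-70} present={1}" -f $key, (Test-Path -Path $key)
}

# 4. Cross-check. A rootkit that filters directory listings will be absent from step 1,
#    but the kernel still knows which drivers are running. A running driver whose
#    image file cannot be opened from user mode is a strong sign of hiding.
Get-WmiObject -Class Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # Normalise the NT-style paths WMI sometimes returns (\??\C:\... or \SystemRoot\...)
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path -Path $path)) {
            "Running driver with no visible file: {0} -> {1}" -f $_.Name, $_.PathName
        }
    }
```

Run it as `.\tdss-triage.ps1` (or `.\tdss-triage.ps1 -Prefix xyzabc` for a different infection); the script name is my choice. Step 4 will also list the odd stale entry for a driver whose file was removed by hand, as the poster did in safe mode, so read its output together with the MBAM log rather than on its own.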
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It appears as though the scans have taken care of the malware. We just have a few things to clean up.

    You have an infected autochk file. First we need to see if it is truly corrupted. So do this:
    Go to Start / Programs / Accessories, then right-click Command Prompt and choose Run as administrator.
    Then type in this:
    sfc /VERIFYFILE=c:\windows\system32\autochk.exe
    If it reports it as corrupt, try typing:
    sfc /scannow
    To close the command prompt, simply type exit.
    Let me know what happens.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now use add/remove programs to uninstall:
    J2SE Runtime Environment 5.0 Update 12

    Now re-run ComboFix.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
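TimW's steps above are a procedure: verify autochk.exe with sfc, repair with sfc /scannow if it is reported corrupt, merge the fixME.reg he posted, and remove the old Java runtime. The PowerShell script below is an added example for this page, not TimW's instructions or MajorGeeks tooling, that performs the same checks in a scriptable way and adds a second, independent verdict on autochk.exe from its Authenticode signature. It assumes the fixME.reg file was saved to the Desktop as instructed; the contents of that file are not reproduced on this page and the script does not try to recreate them.

```powershell
# Added example, not from the original thread. Must run from an elevated PowerShell
# prompt (right-click, Run as administrator); sfc refuses to run otherwise.
$id      = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
               [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell prompt; sfc requires it.' }

$autochk = Join-Path $env:SystemRoot 'System32\autochk.exe'

# 1. Windows Resource Protection check, as TimW asks. sfc writes UTF-16 to the console,
#    so switch the console encoding for the call or the captured text comes back
#    with a NUL between every character.
$prev = [Console]::OutputEncoding
[Console]::OutputEncoding = [Text.Encoding]::Unicode
$verify = (& sfc.exe /VERIFYFILE=$autochk 2>&1 | Out-String)
[Console]::OutputEncoding = $prev
$verify
$sfcClean = $verify -match 'did not find any integrity violations'

# 2. Independent check: autochk.exe is a Microsoft-signed binary. A Valid signature
#    means the bytes on disk are the genuine file; NotSigned or HashMismatch means the
#    file was replaced or patched, which matches the "infected autochk" finding above.
$sig = Get-AuthenticodeSignature -FilePath $autochk
"{0}: signature={1} signer={2}" -f $autochk, $sig.Status, $sig.SignerCertificate.Subject

if (-not $sfcClean -or $sig.Status -ne 'Valid') {
    'autochk.exe failed verification; running sfc /scannow as instructed'
    & sfc.exe /scannow
    # sfc's per-file verdicts go to CBS.log; the [SR] lines are the ones that matter.
    $cbs = Join-Path $env:SystemRoot 'Logs\CBS\CBS.log'
    Select-String -Path $cbs -Pattern '\[SR\]' | Select-Object -Last 20 | ForEach-Object { $_.Line }
}

# 3. Merge the fixME.reg TimW posted (assumed saved to the Desktop). reg.exe returns a
#    non-zero exit code when the merge fails, which is the "success message" check
#    done programmatically instead of by reading the dialog.
$regFile = Join-Path ([Environment]::GetFolderPath('Desktop')) 'fixME.reg'
if (Test-Path -Path $regFile) {
    & reg.exe import $regFile
    "reg import exit code: $LASTEXITCODE (0 = merged)"
} else {
    "fixME.reg not found at $regFile; save TimW's text there first"
}

# 4. Find the Java runtime to remove and show the uninstall command Add/Remove would run.
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.DisplayName -like 'J2SE Runtime Environment 5.0*' } |
    ForEach-Object { "{0}: {1}" -f $_.DisplayName, $_.UninstallString }
```

The signature check is the part worth keeping even outside this thread: sfc compares the file against the local component store, which a rootkit with kernel access could in principle also tamper with, whereas the Authenticode verdict is computed from the file's own bytes against Microsoft's certificate chain.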
