Browser Hijacked & Redirected

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by minor_newbie, Feb 27, 2005.

  1. minor_newbie

    minor_newbie Private E-2

    Hi Majors!

    I would be really grateful for your help! When I attempt to visit certain sites (e.g., amazon, sportsillustrated, espn), my browser is redirected to commerce sites such as shopatshark.com, barnesandnoble, and paragongifts. Sometimes, I can tell from the status bar that an instant before being redirected to the new commerce site some query is fired off to clickserve, linksynergy, or others.

    I have followed the instructions on the posting entitled, "DO NOT POST UNTIL YOU HAVE READ THIS: How to: Spyware, Trojan And Virus Removal," to the letter and still the problem persists. Here is a history of the scans:

    Trend Micro--scanned and deleted WORM_NACHI.DAM

    Symantec--no viruses, deleted files labeled SecurityRisk.Downldr, Spyware.Apropos, Adware.Adlogix, Adware.Minibug, Adware.Huntbar, Adware.Websearch (checked registry which was already clean, despite having the infected files)

    Stinger-- ran and was clean
    CCleaner--ran with default settings
    Ad-Aware SE--ran with patch and no critical items came up
    Spybot--created registry backup, scan with patch showed no immediate threats
    CWShredder--scan came away clean
    Kill2Me--Look2Me removed if it was present
    AboutBuster--scan revealed no ADS, pages reset done
    HSRemove--scan led to 8 items being removed

    I know y'all are crazy busy, but your help would be most appreciated!
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser and e-mail. Please close these before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT


    We are very busy here at MajorGeeks.Com. PhilliePhan, Chaslang or myself will check back when time permits!
     
  3. minor_newbie

    minor_newbie Private E-2

    Hi bjgarrick! Thanks a lot for getting back to me. Log file is attached. Thanks again!
     


  4. PhilliePhan

    PhilliePhan Guest

    First, you need to relocate HJT to a safer folder - C:\Program Files\HijackThis



    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now scan with HijackThis and Check the Boxes for the following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O2 - BHO: SDWin32 Class - {136E6628-9006-4020-A27B-D41AB3545615} - C:\WINDOWS\System32\dfrfi.dll

    O4 - HKCU\..\Run: [e0smRSjqO] wmstprio.exe --> I do not recognize this, do you?

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System32\dfrfi.dll

    wmstprio.exe --> You will need to run a search of your machine for this one. When found, since I am not sure about it, suggest you RENAME it wmstprio.bad rather than delete it.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits.

    Best luck :)
    PP
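    The four HijackThis lines PhilliePhan picked out above share a few traits a responder looks for when triaging a log: a Run-key entry with a bare filename (nothing in the log says which file on the disk it resolves to) and a random-looking value name, a BHO DLL living in the Windows system directory rather than under Program Files, and IE start-page/links values that were changed or cleared. The script below is an added example, not code from this thread or from HijackThis; it parses R0, O2 and O4 lines with regular expressions, applies those checks as labelled heuristics (the thresholds are assumptions), and returns the entries with their flags. The sample log is constructed from the lines quoted in post 4 plus one hypothetical, ordinary-looking O4 entry (ExampleUpdater) so that a benign case passes through unflagged.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample log: the four HijackThis lines quoted in post 4 above, plus one
# hypothetical, ordinary-looking O4 entry so the triage has a benign case to pass.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SDWin32 Class - {136E6628-9006-4020-A27B-D41AB3545615} - C:\WINDOWS\System32\dfrfi.dll
O4 - HKCU\..\Run: [e0smRSjqO] wmstprio.exe
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /background
"""

# Line shapes as they appear in HijackThis logs of this era.
R0_RE = re.compile(r'^R0 - (?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<dll>.+)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<valname>[^\]]*)\] (?P<cmd>.+)$')


@dataclass
class Entry:
    kind: str                       # R0, O2, O4, ... (first token of the line)
    raw: str
    details: dict = field(default_factory=dict)
    flags: List[str] = field(default_factory=list)


def _executable_of(cmd: str) -> str:
    """Program part of a Run-key command line: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def _is_absolute_windows_path(p: str) -> bool:
    """Drive-letter, UNC or %VAR%-rooted paths count as absolute."""
    return bool(re.match(r'^([A-Za-z]:\\|\\\\|%[^%]+%)', p))


def _looks_random(name: str) -> bool:
    """Heuristic (assumption): long, mixed-case, digit-bearing names with few vowels."""
    letters = [c for c in name if c.isalpha()]
    if len(name) < 8 or not letters:
        return False
    vowels = sum(c.lower() in 'aeiou' for c in letters)
    mixed = any(c.islower() for c in letters) and any(c.isupper() for c in letters)
    has_digit = any(c.isdigit() for c in name)
    return mixed and has_digit and vowels / len(letters) < 0.3


def triage(log_text: str, trusted_start_pages: Tuple[str, ...] = ()) -> List[Entry]:
    """Parse R0/O2/O4 lines and attach review flags; other line kinds are kept as 'unparsed'."""
    entries: List[Entry] = []
    for raw in log_text.strip().splitlines():
        raw = raw.strip()
        if not raw:
            continue
        e = Entry(kind=raw.split(' ', 1)[0], raw=raw)
        if (m := R0_RE.match(raw)):
            e.details = m.groupdict()
            data = m['data'].strip()
            if m['value'].strip() == 'Start Page':
                host = urlparse(data).hostname or ''
                if host not in trusted_start_pages:
                    e.flags.append('start-page-not-trusted')
            elif data == '':
                e.flags.append('value-cleared')
        elif (m := O2_RE.match(raw)):
            e.details = m.groupdict()
            # Assumption: legitimate BHOs normally install under Program Files,
            # so a DLL dropped straight into System32 deserves a look.
            if re.search(r'\\windows\\system32\\', m['dll'], re.IGNORECASE):
                e.flags.append('bho-dll-in-system32')
        elif (m := O4_RE.match(raw)):
            e.details = m.groupdict()
            exe = _executable_of(m['cmd'])
            e.details['exe'] = exe
            if not _is_absolute_windows_path(exe):
                e.flags.append('bare-filename')      # resolved via the search path; log does not say where
            if _looks_random(m['valname']):
                e.flags.append('random-value-name')
        else:
            e.flags.append('unparsed')
        entries.append(e)
    return entries


def flagged(entries: List[Entry]) -> List[Entry]:
    """Only the entries that carry at least one review flag."""
    return [e for e in entries if e.flags]


if __name__ == '__main__':
    for e in triage(SAMPLE_LOG, trusted_start_pages=('www.majorgeeks.com',)):
        print(f"{e.kind:3} {','.join(e.flags) or 'ok':36} {e.raw}")
```

The flags are prompts for a human reviewer, not verdicts: a bare filename in a Run key is exactly why PhilliePhan asked the poster to search the disk for wmstprio.exe before deciding what to do with it, and the start-page check only says the host is not on the list you passed in.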
     
  5. minor_newbie

    minor_newbie Private E-2

    Hi PP, thanks a lot, the redirecting is no longer occurring! And my browser appears to be loading the correct pages more quickly! You're the bomb!

    Attached is the HJT log. Do you have any other suggestions or items I should fix?

    I am probably going to start using FireFox and need to download antivirus software (mine has expired). I was thinking about buying PC-cillin. What do you recommend for antivirus software?

    For the benefit of record and others who may be experiencing similar problems, below are the steps that I followed:

    1. Uninstalled HJT and reinstalled in the safer folder, C:\Program Files\HijackThis, per your instruction.

    2. Confirmed System Restore was OFF; however, I discovered I had improperly set the Viewing of Hidden Files and extensions. So, I made sure all hidden folders and extensions were shown and rescanned with the virus software from the Read First sticky posting in safe mode. No viruses were detected.

    3. Ran HJT in normal mode and fixed the items, per your instruction. I do not know what wmstprio.exe is.

    4. In safe mode with System Restore off and Viewing Hidden Files/Ext enabled, I deleted C:\WINDOWS\System32\dfrfi.dll.

    5. I searched for wmstprio.exe including in the hidden files, but nothing came up.

    6. I ran CCleaner and Spybot which found DSO Exploit and All-In-One Telcom. I fixed both.

    7. I ran cleanmgr per your instruction.
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    PC-Cillin is great. I use Norton AntiVirus 2005, but I would recommend PC-Cillin as it does a better job; however, there are several free antivirus programs that offer good protection as well.
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log is clean! The only suspicious thing I see is the line below.

    Are you familiar with this file?

    O4 - HKCU\..\Run: [e0smRSjqO] wmstprio.exe



    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    Next:
    You should see this article on How to Protect yourself from malware!

    Happy Computing :)
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you read message # 4 & # 5????

    Please do not post randomly without reading what has been going on.
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, I did read those before posting. His log was clean like I said. I pointed out the same suspicious thing that PP did in the log.

    So he doesn't know what it is, the file is renamed and no longer a threat, the HJT log is clean, user is happy. :)
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! If you read them you would see the minor_newbie already stated
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Minor,

    If you are still having any problems I would suggest the following:

    Make sure you have system restore disabled (per the tutorial).
    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKCU\..\Run: [e0smRSjqO] wmstprio.exe

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to rename the below file to wmstprio.xxx:
    c:\windows\system32\wmstprio.exe

    Locate the file with Windows Explorer and right click on it and select Rename and just change the .exe extension to .xxx.

    Now reboot your PC in normal mode and post a new HJT log.
     
