Browser hijacking - Maxthon and Firefox

I have run Rkill and Anti-Malaware on my Xp drive in safe mode. I have also run Spybot and SuperAntispyware (all in Safe Mode). They have found and eliminated all of the trojans and viruses - BUT, my browser is still hijacked when I turn on the computer.

I have run AFT (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) and cleaned up all of the temp files. I used the EasyCleaner to clean out the other temp files that might have been left over.

In Normal startup:
As soon as windowsXP loads, Maxthon browsers opens up (it is a browser shell that runs on the IE). It is always the same set of websites. I can close it, but it opens up periodically on its own.
With Firefox, when I click a link, 25% of the time, it does not take me to that link, but hijacks me to another link.

* I used EasyCleaner and there isn't anything in the start up that would cause this.

I should note that I am running a dual boot xp/win 7 - and the hijack AFFECTS BOTH of the Operating systems.

In Safe mode :
The browser DOES NOT automatically start. So, that is tells me that the virus isn't loaded.

Also, I had heard that running the Windows Recovery wasn't the best idea, so I am trying to avoid this route.


Here is the Hijack This! log from Safe mode

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:59:32 PM, on 7/4/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode

Edit by chaslang: Inline HJT log removed. READ & RUN ME FIRST. Malware Removal Guide sticky not followed.

 

Thank you for the reply. I did read through some of it originally and I had tried what was stated there before in an effort to get rid of this. My issue I thought might be unique because I am running a dual boot system where the google hack is on both OS's - and this maxthon hack which brings up the browser each time windows boots up.

I will read through it again and follow the instructions fully.

 

Maxthon Browser keeps opening on its own!!

I think I have fixed the problem with Firefox google redirecting, but my original problem of the MAXTHON Browser opening on its own is still giving me issues. I went through this :
http://forums.majorgeeks.com/showthread.php?t=230267

but I am still having the issue. Any ideas?

Here is the problem : Maxthon (a shell of IE) continues to open, not matter what I do when I boot the computer. This does not happen in Win 7 (dual boot) because I do not have Maxthon load there...

 

Ok, following the steps and instructions - this is run in NORMAL mode XP.
I run Rkill to start. This is the only way I can stop the Maxthon browser from popping up during the following steps. The curious thing is that, Rkill does not say that there is anything terminated when it finishes, but Maxthon does not pop up after that.

I thought I would put down each step so others can have a look.
AFT -Firefox, IE deleted files. Opera doesn't have anything to delete it says.
Java - flushed - wondered if I should uncheck the "keep temp files on this computer"?
Firefox - in the newest version, it only has "Clear your recent History" and "Remove individual Cookies" - it does not have "Clear Now". I cleared all the cookies and as otherwise stated.
IE - With IE, the new version is different, but has DELETE and then give check boxes for cache, etc what you want to delete. I checked them all and deleted.
DNS - flushed the cache

Ran the Gooredfix and have the log ready.

When I run tdsskiller.exe, nothing happens. I renamed it as per the instructions and it still does not run.
I am presently running HouseCall to see if this can find something. Yesterday, I ran HouseCall for a few hours and it find a virus. but my internet shut down before it could complete the scan.

GooredFix by jpshortstuff (03.07.10.1)
Log created at 10:34 on 06/07/2011 (David)
Firefox version 5.0 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{FBCB1676-10D0-4A5A-AD60-EE875FCE90C8} -> Success!
Deleting C:\Documents and Settings\David\Local Settings\Application Data\{FBCB1676-10D0-4A5A-AD60-EE875FCE90C8} -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{511654F1-A563-4EE3-A66F-36BE1B110574} -> Success!
Deleting C:\Documents and Settings\David\Local Settings\Application Data\{511654F1-A563-4EE3-A66F-36BE1B110574} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [02:15 30/04/2007]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [01:08 17/10/2008]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [05:41 17/01/2009]
{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [00:30 14/09/2010]
{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [22:20 03/10/2010]
{D6D05E6F-D5C1-4e03-8E33-73F92B05E262} [16:04 15/05/2011]

C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\f8x4uzcl.David March 19 2010\extensions\
optimizegoogle@optimizegoogle.com [16:46 11/12/2010]
{02450954-cdd9-410f-b1da-db804e18c671} [03:22 25/01/2011]
{20a82645-c095-46ed-80e3-08825760534b} [22:40 14/05/2010]
{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [20:54 21/06/2011]
{d47a9f51-8281-43fa-f450-f28ef8735e9a} [00:23 27/01/2011]
{d5ea4520-61a1-11da-8cd6-0800200c9a66} [02:15 22/06/2010]

C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\q55q1jcz.default\extensions\
artur.dubovoy@gmail.com [23:10 01/03/2010]
checkplaces@andyhalford.com [02:49 19/03/2010]
dlembed@aeruder.net [18:16 25/08/2008]
firebug@software.joehewitt.com [23:39 16/03/2010]
firefox-ext@youtubekeep.com [02:49 19/03/2010]
max@subfighter.com [01:08 22/02/2010]
VacuumPlacesImproved@lultimouomo-gmail.com [16:51 17/03/2010]
YoutubeDownloader@PeterOlayev.com [02:49 19/03/2010]
{20a82645-c095-46ed-80e3-08825760534b} [16:35 02/09/2009]
{635abd67-4fe9-1b23-4f01-e679fa7484c1} [18:34 17/03/2011]
{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [23:39 16/03/2010]
{c50ca3c4-5656-43c2-a061-13e717f73fc8} [19:32 20/11/2009]
{DDC359D1-844A-42a7-9AA1-88A850A938A8} [05:21 20/02/2010]

C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\xpe8qeob.david\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [15:32 17/03/2010]
{635abd67-4fe9-1b23-4f01-e679fa7484c1} [18:34 17/03/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [13:03 21/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [00:30 14/09/2010]

-=E.O.F=-

 

Ok fair enough, but how come I can't run the kdsskiller program?
I will continue after housecall is finished and try step 5.

 

Ok, I am going through all of the steps again. This time I tried it in Safe Mode (it did not specify that I can remember whether it mattered or not). I did all the steps and went onto step 5, but not I need to uninstall Java and cannot download the runtime environment without the internet, so I am rebooting in normal mode so I can get the internet back.

Lastly, a question - when in Safe Mode, I don't have any issue of the Maxthon Browser showing up or starting itself up. What is this an indication of?
AND, I thought I should note that I have several computer connected to the router and none of the others are affected as this one is.

Thanks again for all of your patience and help - I do finally understand why you must get frustrated when you painstakingly put all of the instructions in order and people like me don't follow them exactly. My apologies.

Going to uninstall Java runtime next and follow the rest of the steps.

 

Ok, when I rebooted after uninstalling Java (as per the instructions), I cannot install the new Java Runtime that I previously downloaded. It tells me that it is:

unable to download 1.6.0-26-b03.xml

So, I suspected that the internet might be down. I ran Firefox to see and this is what appeared:

The Proxy Server is Refusing Connnections

This is a recent event and I have seen it before, if I click TRY AGAIN, it will connect to the internet. But I am wondering if this is the root of the problem?

 

I cannot install the new version of Java runtime. I am connected to the internet, I can surf the web, but it tells me :

Download failed : from =/jre1.6.0_26-c to=C\documents and settings\David\applications data\sun\java\jre1.6.0_26\jre1.6.0_26-c.msi

I am not sure if I use a proxy to connect to the internet. I looked at the link you sent (most of it is the old version of IE and Firefox and even Chrome) but I think I figured it out.
Chrome's CHANGE PROXY SETTING takes me to IE connection. I didn't think that Chrome was a shell of IE?

 

Ok, I am going to continue working as per the instructions.

I am on the Combo Fix stage and found it stops installing at "outfolder folder C:\32788R22FWDIN" (I know this because I clicked on DETAIL in the installation box and it shows me the progress bar along with which part it is working on).

When it stopped installing the first time, it sat for 30 minutes (uninterrupted) and then the computer froze. I rebooted and tried again, this time it sat again (same place installation - if you click on details) and sat for another 25 minutes, but this time it did not freeze at all. I did read that you are not supposed to touch anything or click on anything during this time, but I thought at 25 minutes and it being 1:00am, that I would try again the next day (being on the computer for 2 days straight is starting to wear me down).

I noticed this morning that there is a new file folder called :

32788R22FWJFW on my hard drive. Should I delete this before trying to start combofix again?

PS - I requested information about Combofix on bleepingcomputers because of it not installing and the files I wanted to delete that it created. I thought they were the "authors" of the software, so I asked them on bleepingcomputer but they asked me to stay in this forum.

Continuing onto 'Rootrepeal' and 'MGtools' next.

 

It did not fix the redirection problems - just tried googling Major Geeks and it redirected me to some spam site. Here are the logs:

Again, Combofix did not install completely, so there is no log.

Thank you again for the time. I have to say, there have been points where I just would have formatted and started over. Hopefully I can get this thing eliminated.

 

Yes, it claims it is a fake Master Boot Record.
I have the WinXP CD
Here is the log. Thank you for your time, I know it is the weekend!

 

Is this going to erase my drive? I don't want to start the process and find out that I went too far with it...

 

I don't think I have an admin password, but it tells me I do. Can't get past this point in the Recovery Console. Any suggestions? I followed the instructions and hit 'enter' when I thought there wasn't any password. Then I hit "admin" and that didn't work either.

 

Ok, got to the command prompt:

c:\windows

Typed fixmbr

It says
"This computer appears to have a non-standard or invalid MBR
Fixmbr may damage your partition tables if you proceed
This could cause all partitions on the current hard drive to become inaccessible
IF you are not having problems accessing your drive, do not continue"

Is this is what is expected?

 

Forgot this part at the bottom of the screen:

Are you sure you want to write a new MBR?

 

How is the FIXBOOT command different than the FIXMBR command?

 

cancel post

Trying to delete post. Please cancel this one.

 

Ok, I wrote the new MBR (I guess) - log is attached.
It only took about one second and was done. Maybe that is normal.

Another thing I found very strange. When I used the XP CD to tried and run the REPAIR, when I got to the screen that asked me to pick a drive and then type a password, it wouldn't accept any password that I had picked. I tried about 10 times (rebooting each time, and in some cases rebooting normally and changing the password again and again), but the only thing that seemed to work was the ENTER key. Is this normal?

Lastly and most importantly, I have Win 7 boot as well. I know that it has the same redirection problems, but I haven't run anything on it as of yet (except an occasional malware and spybot). I don't want to reinfect my system (and it seems that Winxp did just that to my Win7), so how should i proceed with fixing Win7 now? I am afraid to boot to Win7 because it might affect my fixMBR with Win xp?

Any, after about 20 minutes that Maxthon browser did not pop up, so some success! I haven't tried Mozilla yet.

 

Ok, presently running Combofix.

It asked me to install Recovery Console. I did.

It went through the 50 stages.

It asked me to delete some folders in my c:\document and settings\David...
and I did .

It is now asking me "Are you sure you want to remove the folder "windows" and move it to the recycle bin?"

Now, I am a little worried, because the tutorial on Combofix did not go into this much detail. Should I do this?

 

Ok, here are the logs. Ran everything, didn't have any issues with programs running.
I ran

• photoshop
• mozilla
• chrome

Please advise on how to proceed. Again, thank you for everything...

 

Ok, here goes the logs.

 

MGtools - MGclean.bat - ran DOS in a flicker, hardly saw it, so not sure if it worked or not.

System restore flush - there is already a check mark ON for the system restore (following the instructions here) - so should I uncheck it, and then recheck it and then uncheck it again?
http://forums.majorgeeks.com/showthread.php?t=31668

 

Ok, I did the system restore uncheck, check and reboot - BUT, I am getting this now, using Anti-vir.

Begin scan in 'C:\System Volume Information\_restore{96A452B5-369C-4F10-940D-980699AFEE2C}\RP3\A0000274.exe'
C:\System Volume Information\_restore{96A452B5-369C-4F10-940D-980699AFEE2C}\RP3\A0000274.exe
[DETECTION] Is the TR/Buzy.1177.3 Trojan
[NOTE] The file was moved to the quarantine directory under the name '4dbd877c.qua'.

I am not sure why this is still here, but it could be from a backup drive that I have been using to backup my entire drive (it has no OS on it, just used for storage).

I am not experiencing anything with the browser problem anymore (that was fixed), but now experiencing this issue. Did I go wrong somewhere? Can a trojan be inside a backup drive that has no OS on it? Maybe in the autorun feature of USB plug and play?