HELP, my IE is hijacked, my browser keeps getting redirected

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by lilone066, Aug 31, 2008.

  1. lilone066

    lilone066 Private E-2

    Hi all, I think my computer is infected by an IE hijack, as my IE browser keeps getting redirected to directseek.org, thefreedictionary.com, info.com and random sites like that whenever I try to Google things and click on the website (or when I click on websites in general). I eventually can still search websites from Google, but I have to close the window the 1st time, and then search & click on it a second time to access it... since the 1st time, the browser always gets redirected.

    ALSO, when I look at my task manager, there are several "iexplorer.exe" running even when I have no internet windows open. My internet is much, much SLOWER on my laptop because of this infection (sometimes I have to restart so that the internet works, or I just get a blank white screen that is "loading" forever), and I can't shut down my computer quickly because the "DDE server window" pops up continuously, same with iexplorer.exe, and I have to press like 5-10 times before my computer actually shuts down. My laptop refuses to shut down. I tried to follow the post about removing malware that is provided in this forum, but it is very hard to do so because I have to open new windows, and due to this infection, my comp can't handle it.

    My Dell Laptop came with McAfee, but when I do a full scan, nothing comes up? Well, McAfee did tell me about having trojans in the "updates.exe" file which I quarantined, and deleted. Yet, I still have this problem! =(

    --I am currently using Windows XP, and IE explorer 7. Below is my Hijack This Log. PLS HELP!! It is much appreciated. THANK YOU SO MUCH.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:46:44 PM, on 8/31/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Edit by chaslang: Inline HJT log removed. READ & RUN ME sticky not followed.
     
    Last edited by a moderator: Aug 31, 2008
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!


    Is the below something you installed?
    O4 - HKLM\..\Run: [MBBalloon] C:\Program Files\HOTALBUMMyBOX\MBBalloon.exe


    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.


    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
     
  3. lilone066

    lilone066 Private E-2

    SASlog.txt, Combofix results, etc-STILL NEED HELP!! PART 1

    Hi, I have followed all procedures for the "Malware Removal Guide", yet I still have problems. Specifically, whenever I google a website (to find it)/a word, and want to click on it (the website), my IE 7 gets redirected through directseek.org to random sites like info.com, abcjmp.com, etc. I suspect this is a computer hijack. The software has recognized I have malware and I "deleted" all my trojans according to the software I downloaded (Super ANTI Spyware, Malwarebytes, etc) but this problem continues to occur. As a result, my internet is MUCH SLOWER than it used to be, and many "iexplorer.exe" are running (according to my task manager) even when there are NO internet windows open.

    ALSO, whenever I try to shut off my Dell laptop, I get a "DDE Server Window" pop-up saying it needs to be closed, and my "iexplorer.exe" windows needing to be closed. I have to click multiple times before my laptop finally does shut down (and sometimes I have to wait around 10 minutes or have to restart because nothing is "closing"). I checked my DDE server and I changed it to active (for some reason, it was inactive), but I still have this problem. What exactly is wrong?

    I'm not sure whether these problems are related but they are both very worrisome to me.

    Below are my SASlog, Malware and Combo logs. I will post another message with my other logs. Thanks so much!!!

    P.S. I am running on a 32-bit so the logs should be complete. I have also deleted "HOTALBUM" from my Program files (the folder) after running all the software since it didn't remove it itself.
     

    Attached Files:

    Last edited: Sep 2, 2008
  4. lilone066

    lilone066 Private E-2

    Re: SASlog.txt, Combofix results, etc-STILL NEED HELP!! PART 2

    Here is the rest of my logs. Thank you again for your time. It is much appreciated.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: SASlog.txt, Combofix results, etc-STILL NEED HELP!! PART 1

    This is not a malware problem. You should read the below and post any further questions on this in the Software Forum.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;892850


    You should have first gone to Add/Remove Programs and uninstalled it if you did not want it installed.


    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 3
    Java 2 Runtime Environment, SE v1.4.2_03

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {82010030-0911-00E7-7467-99ca3230262a} - C:\Program Files\Common Files\System\kbdiis.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Copy the bold text below to Notepad. Save it as fixme.reg to your Desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
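    A small triage script for HijackThis-style log lines such as the ones listed in this post, added here as an illustration; it is not a MajorGeeks tool and not the poster's log. It parses each entry's type, pulls the CLSID out of O2/O9 entries, and flags lines that point at a missing file or carry no name, which are the entries an analyst reviews first. The sample is constructed from the six lines quoted above.

```python
import re

# Constructed sample: the entries listed in this post, copied as-is (each
# line of a HijackThis scan has the shape "<type> - <body>").
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {82010030-0911-00E7-7467-99ca3230262a} - C:\Program Files\Common Files\System\kbdiis.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
"""

LINE_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hjt_line(line):
    """Parse one HijackThis entry into a dict, or return None for non-entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("type"), m.group("body")
    entry = {"type": kind, "body": body, "flags": [], "clsid": None}
    # The registry still references a file that is gone: a harmless leftover,
    # but exactly the kind of entry a cleanup fix removes.
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        entry["flags"].append("orphan")
    # BHOs (O2) and IE toolbar buttons (O9) without a descriptive name deserve
    # a look: legitimate add-ons almost always register one.
    if kind in ("O2", "O9") and "(no name)" in body:
        entry["flags"].append("unnamed")
    if kind in ("O2", "O9"):
        g = CLSID_RE.search(body)
        if g:
            entry["clsid"] = g.group(0).upper()  # normalise case for lookups
    return entry


def parse_hjt_log(text):
    """Return all parsed entries of a HijackThis log, in file order."""
    return [e for e in map(parse_hjt_line, text.splitlines()) if e]


def flagged_entries(text):
    """Only the entries an analyst should review or fix first."""
    return [e for e in parse_hjt_log(text) if e["flags"]]


if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_HJT):
        print(f'{e["type"]} {",".join(e["flags"]):15} {e["body"][:70]}')
```

Run against the sample, the O4 QuickTime entry and the R1 start-page entry come out unflagged, while the two orphaned buttons/BHOs and the nameless kbdiis.dll BHO are the four lines left for review.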
     
  6. lilone066

    lilone066 Private E-2

    Thank you so much! :) I think everything is fine now. I no longer get redirected after clicking around on diff. websites to make sure. My internet speed is back to normal.

    As for my other problem concerning the DDE server window, I'll post in the microsoft forums link you gave me and hopefully they'll help me with that.

    I'm not sure if you need these now, but here are my updated logs below.

    Thanks again!
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your logs are clean.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
