Browserhijaked

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ave292, Aug 4, 2006.

  1. ave292

    ave292 Private E-2

    Hi, my browser has been hijacked by this: http[//]xn--3zo1864a/
    I need help please.
    :)
     

    Attached Files:

    Last edited by a moderator: Aug 4, 2006
  2. matt.chugg

    matt.chugg MajorGeek

    Welcome to MajorGeeks

    If you have a malware problem please post in the malware forum which restricts who can answer ensuring you get only qualified advice. I will have an admin/mod move this thread for you.

    What about the other logs? Bitdefender, ActiveScan, HijackThis. Did you run Windows Defender?
     
  3. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi and Welcome to Majorgeeks!

    Moved to the Malware part of the forum.

    Do please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.


    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:

      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • CounterSpy - ONLY IF you were not able to run Windows Defender
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • HijackThis

    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  4. ave292

    ave292 Private E-2

    Hi, thanks for the prompt answer.
    I have followed the instructions on the how-to page; some of the logs I have attached already, the first two.
    Here is the rest of them. I continue to have the same problem; should I run HijackThis now? :)
     

    Attached Files:

  5. ave292

    ave292 Private E-2

    Hi, yes, I ran Bitdefender and all the other tools you told me to run and it worked! My browser is like it is supposed to be. Sorry, I am new to computers and slow to understand. I appreciate all your help, everyone, a BIG thank you to you all. :)
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your first two logs are empty, which is a typical sign that you did not extract all the files from the ZIP files as instructed. Try again.

    Also you did not post the Bitdefender log as requested. You need to follow the directions to get a correct log. All you posted was a log summary which is not useful. Don't run it again. It is unnecessary now.

    And yes the directions Matt gave you already requested a HijackThis log.
     
  7. ave292

    ave292 Private E-2

    Hi, thank you for your quick response. I did extract the zipped files as instructed and that's the result; don't ask me what it means, I know little about computers.
    In some ways my browser is back to normal after doing everything as instructed, so I must have done something right.
    Thanks to all of you for all the help, you are great.
    Cheers. :)
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you saying you are no longer having any problems that you need help with?

    Something is wrong that is stopping GetRunKey and ShowNew from getting logs. If you are sure you extracted all the files from the ZIP file, then you need to run the other step from the download link. It says:

    So run the one from above for your Windows Version and then get new logs from GetRunKey and ShowNew and attach them.
     
  9. ave292

    ave292 Private E-2

    Hi, the answer to your question is "yes", my browser is normal again like it was before, but I got worried that I could not get the files you mentioned, so I downloaded XPHomeFix and ran the Bat files again. This is what I got, see att.
    Thanks to you all.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach anything!
     
  11. ave292

    ave292 Private E-2

    Sorry, they did not upload properly. I will do it again. :)
    Sorry, I have uploaded them but they did not appear on the post!
     
  12. ave292

    ave292 Private E-2

    Hi, I will try again.
    Cannot attach anything. Attachments did not work. :confused:
     
    Last edited: Aug 8, 2006
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you read and are you following the directions in the below link:

    HOW TO: Attach Items To Your Post

    Make sure you look at response in the Manage Attachments window. Error messages do appear there but they are not real obvious.
     
  14. ave292

    ave292 Private E-2

    Hi, yes, I read all the instructions and did everything you asked. I still get the same result. Now what? I will try again now. :confused:
    This is the error I get now newfiles.txt.txt:
    You have already attached this file in thread : Browserhijaked
    xrkey.txt:
    You have already attached this file in thread : Browserhijaked
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That means you are trying to attach the exact same files with the exact same contents. Thus it means that you still have not gotten GetRunKey and ShowNew to run properly or completely.

    Where did you download the two ZIP files to? Give me the complete path name.
    Then also tell me where you extracted the ZIP files to. And tell me all the filenames that appear in the folder with GetRunKey.bat and with ShowNew.bat.

    Also note you are not supposed to upload any of the temp files from running GetRunKey. The temp files are all things beginning with x or xr. The only file we want uploaded from GetRunKey is the final output as stated in the directions. And that is runkeys.txt.

    From ShowNew, the output file is newfiles.txt, not newfiles.txt.txt.
     
  16. ave292

    ave292 Private E-2

    Hi,
    That's right, I downloaded them to a dir called C:\Pc Cleanup Tools and extracted them to C:\Pc Cleanup Tools and\CMGTools, then ran from there and this is the result. The files that appear in that folder are (1) GetRunKey (2) grep (3) locate (4) ShowNew, that is all.
    I have renamed the files to see if they would upload but they did not.
    :)
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure I understand your message! What is the full folder path? Is it:

    C:\Pc Cleanup Tools and\CMGTools

    or is it

    C:\Pc Cleanup Tools\CMGTools

    And don't you mean you see: GetRunKey.bat, grep.exe, locate.exe, and shownew.bat

    Open a command prompt window by clicking Start, Run, and enter cmd and click OK.

    In the command prompt window enter the below command to change to the folder where you extracted the files. Just replace it by the correct path if I have the name wrong.

    cd C:\Pc Cleanup Tools\CMGTools

    Now run GetRunKey.bat by entering the below in the command prompt window:

    getrunkey

    Tell me what happens! Do you see any error messages? If so, tell me the exact word for word error message seen.
     
  18. ave292

    ave292 Private E-2

    Hi, OK, maybe I wasn't so clear. The DIR that I downloaded the progs to is this one: C:\Pc Cleanup Tools, and where I extracted the files is
    C:\Pc Cleanup Tools\CMGTools. I ran from there and I got the same result as I got now, which says C:\Pc Cleanup Tools\GMGTools>GetRunkey 'regedit' is not recognized as an internal command, operable program or batch file, and repeats 40 times.
    I hope this helps :)
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay this is new information and is more useful. This means that your PC does not have a valid registry editor file (regedit.exe) or that you may have a malware file named regedit.com intercepting the commands. A .com file will run before a .exe file of the same name.

    Make sure you have enabled viewing of hidden & system files per the READ ME and then run Windows Explorer. Look in C:\windows\system32 and also in C:\windows for regedit.com and if found, delete it. DO NOT delete regedit.exe

    Let me know what you find. If you do find and delete regedit.com, now try to run GetRunKey and ShowNew.


    If the above still does not work, please attach a HijackThis log after following the directions in step 7 of the READ ME.
     
  20. ave292

    ave292 Private E-2

    Hi, here are the regedit files and where they reside: C:\windows regedit.exe,
    and in C:\windows\system32 there are 1 reg.exe, 2 regedt32.exe, 3 regini.exe, 4 REGPLIB.EXE, 5 regsvc.dll, 6 regsvr32.exe, 7 regwiz.exe, 8 regwizc.dll,
    plus in C:\WINDOWS\ServicePackFiles\i386 there is one regedit.exe.
    That is all I can find, see if this helps :)
    PS: I found something else in C:\windows, this Updreg.EXE
     
    Last edited: Aug 11, 2006
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, then it is starting to sound like you may have a problem with your Windows environment variables not being set up properly.

    Click Start, Run, and enter regedit and click OK. Does the registry editor open?

    Now click Start, Run, and enter set > c:\env.txt and click OK. This creates a file named C:\env.txt that shows your environment settings. Now upload the c:\env.txt file here as an attachment.
     
  22. ave292

    ave292 Private E-2

    Hi, yes, regedit runs OK. The second command does not; the message is Windows cannot find 'set'. Make sure you typed the name correctly, and try again. To search for a file, click the Start button, and then click Search.
    That's it... Regards :)
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's do it this way.

    Click Start, Run, and enter cmd and click OK. This opens a command prompt window. Now in the command prompt window enter the below command:

    set > c:\env.txt

    This should create a file named C:\env.txt that shows your environment settings. Now upload the c:\env.txt file here as an attachment.

    Also please try extracting all of the files from GetRunKey.zip into the C:\Windows folder. Then try running GetRunKey.bat.
     
  24. ave292

    ave292 Private E-2

    Hi, that did work, so here it is. Thanks :)
     

    Attached Files:

    • env.txt (1.2 KB)
  25. ave292

    ave292 Private E-2

    Here are the two files
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Someone has totally messed up your Path environment variable and as such you cannot find any of the Windows system commands from a command prompt or from a batch file.

    You need to add at least the below to the beginning of your Path variable. (Note: each item must be separated with a semicolon.)

    %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These are not the logs we need. Those are intermediate temporary files that GetRunKey creates while collecting all the information it needs. When it finishes, it creates a full log (runkeys.txt) and then deletes the temporary files.
     
  28. ave292

    ave292 Private E-2

    Hi, you tell me to add the line in your last comment to the path, but you did not say how. Remember, I know little about computers. Sorry. :)
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To Fix the Path Environment variable
    1. Right-click My Computer and select Properties.
    2. Select the Advanced tab.
    3. Click the Environment Variables button.
    4. In the System variables box (the lower part of the form), select the item that says Path.
    5. Then click the Edit button.
    6. In the next form that opens up, you will see a Variable value: box. Put your mouse cursor anywhere in the Variable value box and click once. Then hit the Home key on your keyboard. This will bring you to the beginning of the Path variable value box.
    7. Now insert this text into the front of what is already there: %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;
    8. Make sure you have all of the % signs and semi-colons as shown.
    9. Once you have this text added. Click OK to close the Edit form
    10. Then click OK to close the Environment Variables form.
    11. Then click OK to close the System Properties (My Computer) form.
    12. Now Reboot your PC for the change to take effect.
    After reboot, try running GetRunKey and ShowNew. Attach the logs if they now run.

    Also create the env.txt file again as in message # 23 and attach this new copy here.
     
  30. ave292

    ave292 Private E-2

    Hi, I did as you asked and ran GetRunKey and ShowNew, and got the same result as yesterday: 19 files as previously and 1 newfiles.txt with nothing in it, like before. Sorry. :)
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not complete my instructions! I asked for a new env.txt file to be posted.

    Also please download the newest version of ShowNew and attach a new log from it. Attach it no matter what you see in it.
     
  32. ave292

    ave292 Private E-2

    Hi, Sorryyyyyyyyy,
    Here it is. I downloaded the new version of ShowNew, do I run it?
    Regards :)
     

    Attached Files:

    • env.txt (1.3 KB)
  33. ave292

    ave292 Private E-2

    Ps:. Here is the new ShowNew results. see att.
    Regards :)
     

    Attached Files:

  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    My instructions told you to add the new information to the BEGINNING of the Path line. You added it towards the end. I had said to hit the Home key when in that box and that would bring you to the beginning of the line. Also I said the semi-colons were important and you left one out. You also added an extra C:\

    Here is what you have and I'll put in bold what I asked you to add:

    Path=C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\BITWARE\

    In red, you will see where you left out the semicolon after the C:\ and this was the extra info that you did not need.

    But the C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;
    should have been right after the Path=

    Make sure there are no spaces. It should look like:

    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\BITWARE\

    When you insert

    %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;

    It translates into the below when printed
    C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;

    It is important to enter it like I gave you! You do not want to type out c:\windows\system32
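    The Path rules in messages 26, 29 and 34 and the .com-before-.exe lookup point from message 19, modelled in an added Python example that is not code from the thread or from MajorGeeks: it checks a Path value for the mistakes called out above (dropped semicolon, system directories not first) and mimics how cmd.exe resolves a bare command name through Path and PATHEXT. The Path strings and the file listing are constructed from values quoted in the thread; the regedit.com entry is hypothetical.

```python
import ntpath

# When a command is typed without an extension, cmd.exe walks the Path
# directories in order and, inside each one, tries every PATHEXT extension in
# order (the current directory is searched first; it is omitted here).
DEFAULT_PATHEXT = (".COM", ".EXE", ".BAT", ".CMD")

# What messages 26 and 29 say must lead the Path, separated by semicolons.
REQUIRED_PREFIX = (r"%SystemRoot%\system32", r"%SystemRoot%",
                   r"%SystemRoot%\System32\Wbem")


def expand(entry, systemroot=r"C:\WINDOWS"):
    """Expand %SystemRoot% the way `set` prints it (message 34)."""
    return entry.replace("%SystemRoot%", systemroot)


def norm(entry, systemroot=r"C:\WINDOWS"):
    """Case-fold and drop a trailing backslash so entries compare equal."""
    return expand(entry, systemroot).rstrip("\\").lower()


def check_path(path_value, systemroot=r"C:\WINDOWS"):
    """Return the problems found in a Path value; an empty list means OK."""
    problems = []
    entries = [e for e in path_value.split(";") if e]
    for e in entries:
        # A second colon inside one entry (C:\C:\WINDOWS\system32) means a
        # separating semicolon was dropped, the mistake seen in message 34.
        if e.count(":") > 1:
            problems.append("missing semicolon before: " + e)
        if e != e.strip():
            problems.append("stray space in entry: " + repr(e))
    normed = [norm(e, systemroot) for e in entries]
    wanted = [norm(e, systemroot) for e in REQUIRED_PREFIX]
    if normed[:len(wanted)] != wanted:
        problems.append("system directories present but not first"
                        if all(w in normed for w in wanted)
                        else "system directories not all present as separate entries")
    return problems


def resolve_command(name, path_value, files, systemroot=r"C:\WINDOWS",
                    pathext=DEFAULT_PATHEXT):
    """Return the file cmd.exe would run for `name`, or None when it would say
    "'name' is not recognized as an internal or external command"."""
    present = {f.lower(): f for f in files}
    for directory in filter(None, path_value.split(";")):
        for ext in pathext:
            candidate = ntpath.join(expand(directory, systemroot), name + ext)
            if candidate.lower() in present:
                return present[candidate.lower()]
    return None


# Constructed listing of the files the user reported in message 20.
FILES = [r"C:\WINDOWS\regedit.exe", r"C:\WINDOWS\system32\reg.exe",
         r"C:\WINDOWS\system32\regedt32.exe", r"C:\WINDOWS\system32\regsvr32.exe"]
# The Path quoted in message 34 and the corrected form given there.
BROKEN_PATH = (r"C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files"
               r"\Ulead Systems\MPEG;C:\C:\WINDOWS\system32;C:\WINDOWS;"
               r"C:\WINDOWS\System32\Wbem;C:\BITWARE" "\\")
FIXED_PATH = (r"%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;"
              r"C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files"
              r"\Ulead Systems\MPEG;C:\BITWARE" "\\")
# Constructed: a Path with no system directories at all (the message 18 symptom).
NO_SYSTEM_PATH = r"C:\Program Files\QuickTime\QTSystem\;C:\BITWARE" "\\"

if __name__ == "__main__":
    print(check_path(BROKEN_PATH), check_path(FIXED_PATH))
    print(resolve_command("regedit", NO_SYSTEM_PATH, FILES))  # None
    print(resolve_command("regedit", FIXED_PATH, FILES))      # C:\WINDOWS\regedit.exe
    # A hypothetical regedit.com in system32 would be found before regedit.exe:
    print(resolve_command("regedit", FIXED_PATH, FILES + [r"C:\WINDOWS\system32\regedit.com"]))
```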
     
  35. ave292

    ave292 Private E-2

    OK, I entered exactly what you asked and here is the result, see att. :)
     

    Attached Files:

  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now you got it! ;) See what a difference a Path can make! :D

    Okay! Now that we have that fixed, can you please attach a HijackThis log per the directions in step 7 of the READ ME. Make sure you run MSconfig and select Normal Startup before you run HijackThis. This is mentioned in the link given in step 7 of the READ ME.
     
    Last edited: Aug 17, 2006
  37. ave292

    ave292 Private E-2

    Hi, that is good news, thanks, and here is the HijackThis log, see att.
    Regards. :)
     

    Attached Files:

  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I see you have all of the below installed:
    CounterSpy
    Spyware Doctor
    Trend Micro

    Are any of the above paid versions or are they all free versions? If they are free uninstall them, if any are paid versions, tell me which. We must get you down to one program like this and you have the three above and also you have Windows Defender. That makes four at the current time.

    You did not select Normal Startup like I requested in message number 36 and also as was requested in step 7 of the READ ME. You must run MSconfig now and select Normal Startup and then you must attach a new HJT log and a new GetRunKey log. Please make sure you follow directions to avoid further delays in getting your problems resolved.

    Did you install the below? Is this part of MSN?
    Windows Desktop Search
     
    Last edited: Aug 19, 2006
  39. ave292

    ave292 Private E-2

    Hi, yes, they are the free kind. I was desperate trying to get rid of the spyware. I have deleted them all now as you asked, and I did follow the instructions in step 7, and then my computer would not start: it got to the Windows boot screen and kept restarting itself, so I started in safe mode and restored it to the previous point. Sorry, I forgot to mention that part. Where do I go from here? Look, if you don't want to help me anymore I understand; it must be frustrating for you to have to put up with someone like me that knows nothing about computers. Thanks for helping anyway.
    I did install Windows Desktop Search, I think. I did not, not sure.
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.com.au/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Link...URLToolBarShow
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896?Search Page??
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896?Search Page??
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://oca.microsoft.com/resredir.as...2.00010300.2.0
    O3 - Toolbar: (no name) - {D79559E8-9991-41C5-AA2B-A96EC766F43F} - (no file)
    O3 - Toolbar: (no name) - {a2595f37-48d0-46a1-9b51-478591a97764} - (no file)
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixme.reg to your desktop (overwrite the previous file). Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\CoreVorbis-uninstall.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  41. ave292

    ave292 Private E-2

    Hi, I performed all the steps you asked. Everything is running very smoothly.
    I want to thank you sincerely. :)
    PS: Here is the HJT log, see att.
    Thanks again.
     

    Attached Files:

  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  43. ave292

    ave292 Private E-2

    Everything "is working fine".
    Thank you, all the best.
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
