MajorGeeks Support Forums > PC, Desktop and Laptop Support > Malware Removal
  #1  
Old 08-31-08, 22:14
lilone066 (Private E-2)
HELP, my IE is hijacked, my browser keeps getting redirected

Hi all, I think my computer is infected by an IE hijack, as my IE browser keeps getting redirected to directseek.org, thefreedictionary.com, info.com and random sites like that whenever I try to Google things and click on the website (or when I click on websites in general). I eventually can still search websites from Google, but I have to close the window the 1st time, and then search & click on it a second time to access it, since the 1st time the browser always gets redirected.

ALSO, when I look at my task manager, there are several "iexplorer.exe" running even when I have no internet windows open. My internet is much, much SLOWER on my laptop because of this infection (sometimes I have to restart so that the internet works, or I just get a blank white screen that is "loading" forever), and I can't shut down my computer quickly because the "DDE server window" pops up continuously, same with iexplorer.exe, and I have to press like 5-10 times before my computer actually shuts down. My laptop refuses to shut down. I tried to follow the post about removing malware that is provided in this forum, but it is very hard to do so because I have to open new windows, and due to this infection, my comp can't handle it.

My Dell Laptop came with McAfee, but when I do a full scan, nothing comes up? Well, McAfee did tell me about having trojans in the "updates.exe" file which I quarantined, and deleted. Yet, I still have this problem! =(

I am currently using Windows XP and Internet Explorer 7. Below is my HijackThis log. PLS HELP!! It is much appreciated. THANK YOU SO MUCH.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:44 PM, on 8/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Edit by chaslang: Inline HJT log removed. READ & RUN ME sticky not followed.

Last edited by chaslang; 08-31-08 at 22:43..
  #2  
Old 08-31-08, 22:41
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: HELP, my IE is hijacked, my browser keeps getting redirected

Welcome to Major Geeks!


Is the below something you installed?
O4 - HKLM\..\Run: [MBBalloon] C:\Program Files\HOTALBUMMyBOX\MBBalloon.exe


Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

  • If something does not run, write down the info to explain to us later but keep on going.
  • Do not assume that because one step does not work that they all will not.
Notes:

  1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
  2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter
  #3  
Old 09-01-08, 23:50
lilone066 (Private E-2)
SASlog.txt, Combofix results, etc - STILL NEED HELP!! PART 1

Hi, I have followed all procedures for the "Malware Removal Guide", yet I still have problems. Specifically, whenever I Google a website (to find it) or a word, and want to click on it (the website), my IE 7 gets redirected through directseek.org to random sites like info.com, abcjmp.com, etc. I suspect this is a computer hijack. The software has recognized I have malware and I "deleted" all my trojans according to the software I downloaded (SUPERAntiSpyware, Malwarebytes, etc.), but this problem continues to occur. As a result, my internet is MUCH SLOWER than it used to be, and many "iexplorer.exe" are running (according to my task manager) even when there are NO internet windows open.

ALSO, whenever I try to shut off my Dell laptop, I get a "DDE Server Window" pop-up saying it needs to be closed, and my "iexplorer.exe" windows need to be closed as well. I have to click multiple times before my laptop finally does shut down (and sometimes I have to wait around 10 minutes or have to restart because nothing is "closing"). I checked my DDE server and I changed it to active (for some reason, it was inactive), but I still have this problem. What exactly is wrong?

I'm not sure whether these problems are related but they are both very worrisome to me.

Below are my SASlog, Malware and Combo. I will post another message with my other logs. Thanks soo much!!!

P.S. I am running on a 32-bit system, so the logs should be complete. I have also deleted "HOTALBUM" from my Program Files (the folder) after running all the software, since it didn't remove it itself.
Attached Files
File Type: txt mbam-log-09-01-2008 (22-39-25).txt (2.1 KB, 2 views)
File Type: txt SASlog.txt (2.4 KB, 4 views)
File Type: txt combolog.txt (14.5 KB, 4 views)

Last edited by lilone066; 09-02-08 at 00:04..
  #4  
Old 09-01-08, 23:55
lilone066 (Private E-2)
Re: SASlog.txt, Combofix results, etc - STILL NEED HELP!! PART 2

Here is the rest of my logs. Thank you again for your time. It is much appreciated.
Attached Files
File Type: zip MGlogs.zip (66.5 KB, 3 views)
  #5  
Old 09-02-08, 10:57
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: SASlog.txt, Combofix results, etc - STILL NEED HELP!! PART 1

Quote (originally posted by lilone066):
ALSO, whenever I try to shut off my Dell laptop, I get a "DDE Server Window" pop-up saying it needs to be closed, and my "iexplorer.exe" windows need to be closed as well. I have to click multiple times before my laptop finally does shut down (and sometimes I have to wait around 10 minutes or have to restart because nothing is "closing"). I checked my DDE server and I changed it to active (for some reason, it was inactive), but I still have this problem. What exactly is wrong?
This is not a malware problem. You should read the below and post any further questions on this in the Software Forum.

http://support.microsoft.com/default.aspx?scid=kb;en-us;892850


Quote (originally posted by lilone066):
I have also deleted "HOTALBUM" from my Program files (the folder) after running all the software since it didn't remove it itself.
You should have first gone to Add/Remove Programs and uninstalled it if you did not want it installed.


Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2_03

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {82010030-0911-00E7-7467-99ca3230262a} - C:\Program Files\Common Files\System\kbdiis.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

After clicking Fix, exit HJT.

Now we need to use ComboFix to remove a bunch of malware files.
  • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
  • Open Notepad and copy/paste the text in the below quote box into it:
Quote:
KILLALL::

File::
C:\Program Files\Common Files\System\kbdiis.dll
C:\Documents and Settings\Szewei\wn789.exe

Folder::
C:\Program Files\Enigma Software Group

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{82010030-0911-00E7-7467-99ca3230262a}]
  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below.
Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
Quote:
REGEDIT4

[-HKEY_CURRENT_USER\Software\Kazaa]
[-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-
Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


Now run CCleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
  • C:\ComboFix.txt
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
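An added example, not from this thread or from MajorGeeks, showing how the HijackThis lines chaslang picked in post #5 map onto the CFScript he supplied: it parses the O2 (BHO) and O9 (extra button) entries, flags objects whose file is gone or that have no name, and emits the same File:: and Registry:: sections. The sample lines are copied from the post; the "suspicious" triage rule is an assumption of this example.

```python
import re
from dataclasses import dataclass

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# Sample input: the HijackThis lines selected for fixing in post #5 above.
HJT_LINES = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {82010030-0911-00E7-7467-99ca3230262a} - C:\Program Files\Common Files\System\kbdiis.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
"""

# Only O2 (BHO) and O9 (IE extra button) lines carry a CLSID we can act on.
ENTRY_RE = re.compile(r"^(?P<sec>O2|O9) - (?:BHO|Extra button): (?P<name>.*?) - "
                      r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")

@dataclass
class Entry:
    section: str
    name: str
    clsid: str
    target: str

    @property
    def orphaned(self) -> bool:
        # HJT tags a COM object whose backing file is gone with these markers.
        return self.target == "(no file)" or self.target.endswith("(file missing)")

    @property
    def suspicious(self) -> bool:
        # Assumed triage rule: orphaned entries are dead weight, and an unnamed
        # BHO that still loads a DLL is the shape of the kbdiis.dll entry here.
        return self.orphaned or (self.section == "O2" and self.name == "(no name)")

def parse_hjt(text: str) -> list[Entry]:
    """Parse the O2/O9 lines of a HijackThis log; other sections are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [Entry(m["sec"], m["name"], m["clsid"], m["target"]) for m in matches if m]

def build_cfscript(entries: list[Entry]) -> str:
    """Emit the File:: and Registry:: sections of a ComboFix CFScript for the
    suspicious BHOs, laid out the way the thread's script is."""
    bad = [e for e in entries if e.section == "O2" and e.suspicious]
    files = [e.target for e in bad if not e.orphaned]
    keys = [f"[-{BHO_KEY}\\{e.clsid}]" for e in bad]
    return "\n".join((["File::", *files, ""] if files else []) + ["Registry::", *keys])
```

Running build_cfscript(parse_hjt(HJT_LINES)) reproduces the File:: and Registry:: blocks of the CFScript in post #5; the O9 buttons are left to HijackThis itself because they live under a different key.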
  #6  
Old 09-02-08, 18:38
lilone066 (Private E-2)
Re: HELP, my IE is hijacked, my browser keeps getting redirected

Thank you soo much! I think everything is fine now. I no longer get redirected after clicking around on diff. websites to make sure. My internet speed is back to normal.

As for my other problem concerning the DDE server window, I'll post in the microsoft forums link you gave me and hopefully they'll help me with that.

I'm not sure if you need these now, but here are my updated logs below.

Thanks again!
Attached Files
File Type: txt CombofixNEWLOG.txt (14.3 KB, 1 views)
File Type: zip MGlogs.zip (64.9 KB, 2 views)
  #7  
Old 09-02-08, 21:53
chaslang (MajorGeeks Admin - Master Malware Expert)
Re: HELP, my IE is hijacked, my browser keeps getting redirected

You're welcome. Your logs are clean.


If you are not having any other malware problems, it is time to do our final steps:
  1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
  2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
    • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
    • "%userprofile%\Desktop\combofix" /u
      • Note: the space between combofix" and /u must be there.
      • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    • Delete the C:\combofix folder from combofix (if it exists)
  3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
  4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
  5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
  6. Go to add/remove programs and uninstall HijackThis.
  7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
  8. If you are running Vista, Windows XP or Windows ME, do the below:
    • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
  9. After doing the above, you should work thru the below link: