HiJacked Browser with URL suffix of Handcrafted2.asp

Discussion in 'Malware Help (A Specialist Will Reply)' started by BHexed, Jul 28, 2008.

  1. BHexed

    BHexed Private E-2

    I've got a bad problem which will not allow me to go to various sites and produces a URL with the suffix of "Handcrafted2.asp". I was able to get to this site, but when I clicked a link on a page here in the forum which was "How to disable system restore", the browser comes up in the URL line with http://www.majorgeeks.com/handcrafted2.asp and takes me to a bogus page which has some ad info, etc. and may have a pic of binoculars on it. I'm at the point where many times now I also get bogus 'Server Not Found' errors. This occurs on IE7 and Firefox. I may not be able to get to all the stuff I need to fix because of it. So if I can't get to the proper site I'm doomed.

    I've done many scans with A2Squared, SuperAntiSpyware, AVG, TrendMicro HouseCall, etc. At times it seems to lessen in severity but always comes back like a nasty hidden Trojan. I've got HiJack This, but found nothing.

    Interestingly, a Google search of 'Handcrafted2.asp' comes up with a ton of hits where there is a URL in the text with the Handcrafted2.asp suffix. This makes me think this problem has to be known.

    Any thoughts would be appreciated. Thanks
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Use another PC to download the tools indicated in the below procedure and copy them to your problem PC using a USB drive, a CD....etc. If you have any problems performing the update functions requested for some of these tools, just skip the update but at least make sure you try because the updated software will be more effective.

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions. If something does not run, write down the info to explain to us later but keep on going. Do not assume that because one step does not work that they all will not.

    READ & RUN ME FIRST. Malware Removal Guide


    Note: If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

    Starting your computer in Safe mode
     
  3. BHexed

    BHexed Private E-2

    I'm able, for some reason, to always get to GMAIL and then by email links get to the Forum. When at Forum most links will work, but a couple did get hijacked as most all of mine do. Even my Email gets blocked with error as well as all my Favorites either with a 'Server Not Found' or hijack to a bogus page.

    Did the following:

    Checked ADD/REMOVE for any JAVA. None found.
    Ran CCLEANER OK.
    Ran SuperAntiSpyWare OK (no updates due to problem). Log Attached.
    Performed 'Repair Broken Network Connection' OK. Restarted.
    Could not install SpyBot S&D. (Due to Problem)
    Error Opening http://www.safer-networking/upallocator.php
    The Server returned Status Code 404.
    NOTE: On previous days when I had it installed, it found an item called SpywareBot which turned out to be an empty folder which I think was created by SpyBot S&D itself but it had no bearing on problem. Most of the time no items found.

    NOTE: On previous days had ran ASquared OK. No items Found.
    NOTE: On previous days had ran Trend Micro Housecall OK. No items found.
    All this when at times I could get into the web. Only items found sometimes were minor cookies.

    Ran Malwarebytes OK (no updates due to the problem). No items found. Log attached.
    Could not get a link on forum to work so could not download ComboFix.exe.
    I may have to go to another machine to get it.

    All of my machines are infected. My main and three others via wireless router. One machine is Vista and never gets the bogus page but only the 'Server Not Found' or email failure indications.

    Should I go ahead and try to run MGTools or find a way to get ComboFix.exe first?

    Thanks.
     


  4. BHexed

    BHexed Private E-2

    Went ahead and ran MGTools. Log attached.

    Will try and borrow a system to get ComboFix if it is still needed.

    This is a bad problem and appreciate the help.
    Thanks.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We don't need a ComboFix log. Based on what you have attached thus far your problems are not due to malware. I suggest that you clear browser caches. Also disable all browser addons. And then see what happens.

    Based on what you stated this only occurs when you click links. It does not occur if you just enter a URL into the Address Bar yourself. Is that correct?


    One file on your PC that I do want to know about is the below. Do you know what it is?
    Code:
    C:\WINDOWS\
    dzsaveme.exe  Jul 29 2008       20480  "DZSAVEME.EXE"
     
  6. BHexed

    BHexed Private E-2

    Thanks for your assistance. This is the weirdest, most frustrating problem. It seems to vacillate in severity. Yesterday AM when I sent the last log attachment, I could not go anywhere without getting errors or the hijack unless going to the forum via Gmail. In the afternoon I booted up and it appeared everything was back to normal, as I could get to email and the web. Today, it is back, but so far only with the HiJack bogus page symptom on a Firefox home page. It progresses in time to become a nightmare where nothing works. This occurred last weekend as well. I had been cleaning with HiJackThis. It looked like it was fixed, but then returned on Monday and progressed to the nightmare state.

    In answer to your questions: it doesn't matter whether you use the address bar or go with favorites, it will fail both ways. Had cleared cache previously with no effect, but will go do it again. Also, had tried clearing Temp files, history, etc. several times. Now will go disable addons. I do not know what the module DZSAVEME.exe is. Will go rename it to a xxx suffix and see what happens.

    Also, on my Vista Laptop which was experiencing the problems of bogus server errors and bogus email errors but NOT the hijack, it came back to life after using HijackThis to remove an 013 entry. It had 'Gopher' in it. Now, I'm only turning one machine on at a time to test as I have no clue as to how all this started. The other machines are WINXP Home systems.

    Would it be helpful to obtain and send the bogus page so you can see it?

    Thanks
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What happens if you type www.majorgeeks.com into the Address Bar and click Go?

    What happens if you type 74.86.201.220 into the Address Bar and click Go?

    Let me know what happens after disabling all addons and also after renaming that file.


    Also do the below if still necessary.

    Download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button.
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
     
  8. BHexed

    BHexed Private E-2

    Thanks for your assistance.

    I think I may have found out what the problem is: ZLOB (Dns Changer).

    Check out:

    http://blog.washingtonpost.com/securityfix/2008/06/malware_silently_alters_wirele_1.html

    I'm leaving Router out for a while to prove. So far so good on main machine.

    I need something to clean out this Malware which is purportedly placed on machines using wireless Router. Will then reset Router password, etc.

    This explains why scans didn't pick up anything.

    Do you have anything? What do you think?

    Thanks
     
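The two checks behind the hosts-file restore steps in post 7 and the DNS-changer diagnosis in post 8, as an added example that is not from the thread or from any tool named in it: it audits a Windows-style hosts file for entries that send real site names to a routable address, and compares the configured resolvers against the set the ISP or router is expected to hand out. The sample hosts text and every address in it are constructed placeholders.

```python
"""Audit a hosts file and configured DNS servers for DNS-hijack symptoms.
The sample data below is constructed for illustration, not taken from the thread."""
import ipaddress

# Constructed sample hosts file: legitimate loopback lines plus two overrides
# that send a real site to a foreign address (the kind of entry a restore wipes).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
198.51.100.23   www.majorgeeks.com
198.51.100.23   majorgeeks.com   # constructed override
::1             localhost
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def suspicious_hosts_entries(text):
    """Return entries mapping a non-localhost name to a routable address.
    Loopback (127.x, ::1) and unspecified (0.0.0.0, used by ad-block lists) are benign."""
    flagged = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name))  # malformed line: also worth a look
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            flagged.append((ip, name))
    return flagged


def rogue_dns_servers(configured, expected):
    """Return configured resolver addresses that are not in the expected set
    (e.g. the ISP's servers or the router's LAN address)."""
    expected_set = {ipaddress.ip_address(x) for x in expected}
    return [s for s in configured if ipaddress.ip_address(s) not in expected_set]
```

On a real machine the inputs would be the contents of %SystemRoot%\System32\drivers\etc\hosts and the DNS servers shown by ipconfig /all; any flagged entry or unexpected resolver is a reason to restore the hosts file and recheck the router's DNS settings.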
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Most routers typically come with a little button you can press (sometimes requires a small pencil tip ...etc to access) and you hold it for some number of seconds and the router will switch back to factory defaults. You may want to try this and see what happens. Also you should check with the manufacturer for firmware updates.
     
  10. BHexed

    BHexed Private E-2

    Thanks for your assistance. I know about the reset, however I can change the name and password without going thru all the setting changes. I'll deal with that once I can find and clean out the Trojan variant which got to me. I need to find what is on the machines which were on the Router.

    I would think someone has found this bugger by now, because when you do a Google search for Handcrafted2.asp a ton of hits come up showing that suffix.

    I've got my Main machine doing good so far because it's not attached to the Router and it is using the ISP's DNS server. I can get by for a while without the other machines having a connection.

    I really need to find this Trojan which has to be on one or more of the machines which were attached to the router. I'm leaving the Router out til I can fix machines which are infected. This proves the premise of a hijacked router.

    Where do I go to find this problem's resolution? Thanks.
     
  11. BHexed

    BHexed Private E-2

    Thanks for your assistance.

    I have updated Router firmware (it had some security changes included) and changed the Router Admin Password, upped it to WPA2 security and now have the Router back online.

    Will bring machines up on the Router gracefully to see what happens. My biggest concern is not knowing what got on one of the machines to cause all of this, and if it is still around and whether or not it can get to the Router settings again (if indeed, that was the issue). I'm pretty sure the Router was at the center of this. I guess it's possible all the HiJackThis changes may have cleaned off something. This thing has been so confusing not sure what did any good.

    I guess there is not much else to do but wait and see and hope someone else comes up with the root cause. Any other thoughts you might have will be appreciated. Thanks.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you suspect that other PCs may have been or still are infected, you should run the READ & RUN ME on each PC. Each PC requires its own thread.

    For this current PC, if you are no longer having problems with it then it is time for final cleanup and instructions.

    Now we need to cleanup some items from running ComboFix (if you ran it).

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combo-fix" /u
        • Notes: The space between the combo-fix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combo-fix folder from combofix.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
