Chinese Browser Hijacker

Discussion in 'Malware Help (A Specialist Will Reply)' started by milman, Dec 13, 2008.

  1. milman

    milman Private E-2

    I am having a problem removing a browser hijacker that keeps setting my home page to a Chinese one. It will also keep opening new IE windows with a number of different specific Chinese web sites. If allowed to, it could open 5 or 6 IE windows. It also keeps trying to install a new language pack. This problem started about a month ago although I cannot seem to correlate it to any specific action or activity at that time.

    I am running Windows XP Home SP3 and Norton Anti-Virus that has current updates. Norton has no idea that anything is wrong.

    At some point I also picked up a RUNDLL32.EXE memory read error on boot-up. This may be only indirectly related because I did not initially have this when the hijacker showed up.

    I have run through the suggested procedures and still have the problem. I am attaching the logs created during these procedures. Thank you for any help you can provide.
     

    Attached Files:

  2. milman

    milman Private E-2

    Here are the other log files I could not attach on my original posting.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Did you create the below policy?
    Code:
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "StartMenuLogOff"= 1 (0x1)
    Are the below settings ones that you configured and recognize? If not, then add them to the fix down below when running analyze.exe.
    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below old versions of software:
    Java(TM) 6 Update 10

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [lasassf] c:\svhcsots.exe
    O20 - Winlogon Notify: winkill - C:\WINDOWS\SYSTEM32\winkill.dll
    O23 - Service: Windows Live Safety Center (LiveServer) - Unknown owner - C:\Program Files\Outlook Express\oemiglib.exe (file missing)
    O23 - Service: qikstvis server (qikstvis server) - Unknown owner - C:\WINDOWS\system32\qikstvis.exe
    O23 - Service: Windows Internet Exp1orer - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: wstdin servoi (wstdin servoi yhne-ktsvcis.exe) - Unknown owner - C:\WINDOWS\system32\yihne-tsvcis.exe

    NOTE: HJT may popup an error about the services. Ignore it and click OK to continue.
    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
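    The HijackThis lines listed above are exactly the sort of entries a helper has to triage by eye. The script below is an added example (not part of this thread, not HijackThis or MGtools code) that parses O4/O20/O23 lines and flags the traits a defender checks first: a "(file missing)" service, an executable sitting in the drive root, a digit standing in for a letter in a name (Exp1orer), an "Unknown owner" service, a space inside the service key name, and any Winlogon Notify entry. The sample lines are the seven entries from this post; the heuristics are my own assumptions, not HijackThis's rules.

```python
"""
Triage helper for HijackThis-style log lines (O4 Run entries, O20 Winlogon
Notify entries, O23 services). Added example: not part of the thread and
not HijackThis/MGtools code. The heuristics below are assumptions about
what a defender looks at first, not HijackThis's own scoring.
"""
import re

# Sample input: the seven lines chaslang asked to be fixed in post #3.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [lasassf] c:\svhcsots.exe',
    r'O20 - Winlogon Notify: winkill - C:\WINDOWS\SYSTEM32\winkill.dll',
    r'O23 - Service: Windows Live Safety Center (LiveServer) - Unknown owner - C:\Program Files\Outlook Express\oemiglib.exe (file missing)',
    r'O23 - Service: qikstvis server (qikstvis server) - Unknown owner - C:\WINDOWS\system32\qikstvis.exe',
    r'O23 - Service: Windows Internet Exp1orer - Unknown owner - C:\Program.exe (file missing)',
    r'O23 - Service: wstdin servoi (wstdin servoi yhne-ktsvcis.exe) - Unknown owner - C:\WINDOWS\system32\yihne-tsvcis.exe',
]

SECTION_RE = re.compile(r'^(O\d+) - (.*)$')
# First drive-letter path that ends in an executable-ish extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|vbs|sys|scr|bat|cmd))', re.IGNORECASE)
ROOT_FILE_RE = re.compile(r'^[A-Za-z]:\\[^\\]+$')           # e.g. C:\Program.exe
DIGIT_FOR_LETTER_RE = re.compile(r'[A-Za-z][0-9][A-Za-z]')   # e.g. Exp1orer
# "Service: <display name> (<service key>) - <owner> - <path>"; the
# parenthesised key is absent when HJT shows only one name (assumption).
SERVICE_RE = re.compile(r'Service: (.+?)(?: \((.+?)\))? - ')


def parse_line(line):
    """Return a dict describing one HJT O-line, or None for any other line."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    entry = {"section": section, "name": "", "service_key": "", "path": "", "flags": []}
    pm = PATH_RE.search(rest)
    if pm:
        entry["path"] = pm.group(1)
    if section == "O4":
        nm = re.search(r'\[([^\]]+)\]', rest)
        entry["name"] = nm.group(1) if nm else ""
    elif section == "O20":
        nm = re.match(r'Winlogon Notify: (\S+)', rest)
        entry["name"] = nm.group(1) if nm else ""
    elif section == "O23":
        sm = SERVICE_RE.match(rest)
        if sm:
            entry["name"] = sm.group(1)
            entry["service_key"] = sm.group(2) or sm.group(1)

    flags = entry["flags"]
    if "file missing" in rest.lower():
        flags.append("file missing")                      # dead service, still in registry
    if entry["path"] and ROOT_FILE_RE.match(entry["path"]):
        flags.append("executable in drive root")         # no legitimate installer does this
    if DIGIT_FOR_LETTER_RE.search(entry["name"]):
        flags.append("digit substituted for letter in name")
    if section == "O23" and "Unknown owner" in rest:
        flags.append("service with unknown owner")
    if section == "O23" and " " in entry["service_key"]:
        flags.append("space in service key name")        # trips up removal tools (post #7)
    if section == "O20":
        flags.append("Winlogon Notify persistence")      # loads a DLL into winlogon
    return entry


def triage(lines):
    """Parse every O-line; non-O lines are skipped."""
    return [e for e in map(parse_line, lines) if e]


def suspicious(lines):
    """Only the entries that raised at least one flag."""
    return [e for e in triage(lines) if e["flags"]]


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        status = ", ".join(e["flags"]) or "no flags"
        print(f'{e["section"]:<4} {e["name"]!r:<32} {status}')
```

Run as-is and the QuickTime entry comes out clean while the other six carry at least one flag, which matches the helper's fix list. Flags are hints for a human, not a verdict: a legitimate service can have an unknown owner, and a missing-file service is usually leftover damage rather than active code.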
     
  4. milman

    milman Private E-2

    Thank you very much. So far so good. I think your instructions have successfully eliminated this pernicious virus. I will let you know. I have attached the log files you requested. I may still have a problem with the "RUNDLL32.exe" error on bootup. It's possible this could have been caused by my deleting a suspicious file but I'm not sure. I'll have to see what happens. I'll keep you posted. Thanks again!
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We have more to do.

    You did not run the Windows Messenger removal program as requested. Please always complete all steps in the order given. Please do this step now.

    Do you know what the below folder and file are?
    Code:
    2008-10-18 01:28 67 --a------ c:\program files\wod\1935.vbs 
    
    If not then delete the wod folder.



    Now we need to use ComboFix again.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  6. milman

    milman Private E-2

    First of all, Happy New Year!

    Secondly, I'm sorry it took so long to reply. I had such a hard time finding the thread again and I haven't been checking my emails with any regularity lately so I didn't realize there was more to do.

    I have now run the Windows Messenger removal program. It was just an oversight on my part that I did not run it before. Not sure how I missed that.

    I do not know what the wod folder and VB script file are so I deleted them both as instructed.

    I ran ComboFix using the script in your quotes. The resulting log is attached.

    I ran CCleaner again.

    I ran the MGTools getlog batch file as instructed. The resulting log file is attached.

    I began getting a RUNDLL32.exe application error on startup since starting this eradication process. Additionally, I also began getting a nvsvc32.exe application error on shutdown. After performing these last steps, these errors now appear to be gone. I did one warm boot and one cold boot and did not see any errors on startup or on shutdown anyway. Things look good!

    Should I toggle system restore at this point?

    Now for a couple more questions if I may. I have Norton Antivirus with an active subscription. It missed all of this. Is there an antivirus program that might work better for me? I understand that it may be unlikely for any one program to catch every threat that's out there. Is there an outline on Major Geeks somewhere on the optimum preventative setup?

    Also, I'm interested in better understanding what is happening by running these various programs in the process of identifying and removing malware such as what I had. Why is it necessary to use so many different programs? Is it just that each of them is better at identifying some threats than others? Is there any kind of comprehensive explanation of the different steps involved?

    Thank you again for your help.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Happy NY!

    You still are not clean. Do not assume that you are clean just because things appear to be working OK. I will tell you when you are clean. You need to keep coming back until then.

    The infection you have has made it difficult for the tools we use to remove it by choosing some service and file names with spaces in key places making the tools fail to recognize the names. We will need to collect some additional info from the registry in an attempt to create a manual fix where we can bypass this problem.

    Many of the free programs seem to work better.
    It's one of the sticky threads in the forum and we will get to it when we finish removing your malware.

    It is quite simple. Each program finds things that others may miss. Choosing the right tools to use, and in what order, gives us the best coverage and helps us to more effectively find and remove malware.

    No! Basically you need to have a great understanding of Windows and of malware and its trends. And you need to have an understanding of all the scanners and specialty tools and what they can do for you.

    Let's continue with your fixes by collecting some additional info so that another fix can be created.


    Now download Registry Search (see the link titled RegSearch Download Link)
    • Extract the files from Regsearch.zip into a folder.
    • Doubleclick regsearch.exe to start the program.
    • In the top 3 boxes under the Enter search strings (case independent) and click Ok... option, enter the below three strings (use copy and paste)
      • vcxrdf
      • cfrblie
      • cctvnews
    • Then click "OK".
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well).
    • Attach this RegSearch.txt file.
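    For readers who want to see what the RegSearch step is doing: the script below is an added example, not RegSearch and not part of this thread. It scans a registry export (.reg text) for several strings, case-independently as the post specifies, and reports which keys and which value lines contain each one, so the helper can see every place the infection wrote itself. The export it runs on is constructed for the demo (the key names and the `cctvnews.example` host are placeholders, not real findings from the user's machine).

```python
"""
Offline stand-in for the RegSearch step: search a .reg export for several
strings, case-independently, and report the keys and values that match.
Added example; not RegSearch and not part of the MajorGeeks thread.
"""

# Constructed .reg export. Keys, values and the host name are placeholders
# chosen so that each search string appears in a different way.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qikstvis server]
"ImagePath"="C:\\WINDOWS\\system32\\qikstvis.exe"
"DisplayName"="qikstvis server"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://cctvnews.example/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Constructed\vcxrdf]
@="CFRBLIE"
"Run"="C:\\WINDOWS\\system32\\cfrblie.exe"
"""

# The three strings chaslang asked for in post #7.
SEARCH_STRINGS = ["vcxrdf", "cfrblie", "cctvnews"]


def search_reg_export(text, needles):
    """Return {needle: [{"key": ..., "line": ...}, ...]} for every match.

    A key header that contains the needle is reported once with line=None;
    a value line that contains it is reported with its key and the line.
    Matching is case-independent, as in the RegSearch option named above.
    """
    lowered = [n.lower() for n in needles]
    hits = {n: [] for n in needles}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            for needle, low in zip(needles, lowered):
                if low in current_key.lower():
                    hits[needle].append({"key": current_key, "line": None})
            continue
        for needle, low in zip(needles, lowered):
            if low in line.lower():
                hits[needle].append({"key": current_key, "line": line})
    return hits


def keys_to_review(hits):
    """Distinct key paths touched by any match, sorted for a fix script."""
    return sorted({h["key"] for matches in hits.values() for h in matches if h["key"]})


def format_report(hits):
    """Plain-text report in the spirit of RegSearch.txt: one section per string."""
    out = []
    for needle, matches in hits.items():
        out.append(f'; Results for "{needle}": {len(matches)} hit(s)')
        for h in matches:
            out.append(f"[{h['key']}]" if h["line"] is None else f"[{h['key']}]  {h['line']}")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    found = search_reg_export(SAMPLE_REG_EXPORT, SEARCH_STRINGS)
    print(format_report(found))
    print("Keys to review:", *keys_to_review(found), sep="\n  ")
```

On a real machine you would feed it the output of `reg export` for a hive rather than the constructed text; the point of `keys_to_review` is that a key whose name contains the string and a value whose data contains it both need a home in the eventual manual fix.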
     
  8. milman

    milman Private E-2

    I have downloaded and run the registry scan. The resulting file is attached.

    Thanks
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, let's try this again using this new info. This thing inserted a load of registry keys.



    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now for some redundancy, please copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now run the same procedure with RegSearch again to get a new log.

    Now go to this link Using MGtools and download the new version of MGtools.exe from the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.



    Run MGtools.exe then attach the below logs:
    • C:\ComboFix.txt
    • the new RegSearch.txt log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
