Browser Hijack Just Won't Go Away

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by wbodri, Aug 17, 2011.

  1. wbodri

    wbodri Private E-2

    I am having incredible difficulty getting rid of a browser hijack infection. In surfing I foolishly activated a fake internet search engine that asked me to input the search terms I was looking for, and it seems to have installed something on my system that I cannot get rid of with Malwarebytes, Kaspersky, SUPERAntiSpyware and Norton Antivirus, etc.

    I have been going at this for 4 days straight to no avail until I found your site, and I am hoping someone can save me so that I don't have to reinstall Windows and lose all my programs.

    It seems that every time I clean something, including running Malwarebytes and Norton Antivirus in SAFE mode, the infection remains or reappears. When I do a Google search I will get search results, and when I click on a site like Wikipedia it will go to that site, but if I click on a topic that has possible affiliate products I will be sent to a page of sponsored links or some other web browser such as 7search, etc.

    I have attached the following logs
    Combofix
    SuperAntispyware
    Rootrepeal
    MBAM <- a trojan.bho virus continually pops up in this scan after deleting it

    If someone can tell me what to do I would appreciate it as I'm at my wit's end, and Norton in conjunction with Malwarebytes are not removing this.
     


  2. wbodri

    wbodri Private E-2

    I have also run these reports, too:

    Goredfix
    MBRCheck
    RootRepeal
     


  3. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, wbodri!

    I will be analyzing your logs; please be patient as there is a lot of information to review.
     
  4. thisisu

    thisisu Malware Consultant

    From Add/Remove Programs (via Control Panel), please uninstall the below:

    • J2SE Runtime Environment 5.0 Update 12
    • Java(TM) 6 Update 19
    • Java(TM) 6 Update 3
    • Java(TM) 6 Update 4
    • Java(TM) 6 Update 7

    Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.
    See the download links under this icon: http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double-click MessengerDisable.exe
    • Place a check-mark in Uninstall Windows Messenger
    • Click Apply
    • Click Exit

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Note: This is actually Trend Micro HiJackThis - v2.0.4
    Choose Do a system scan only and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:
    Note: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.
    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

    Are these ports you opened up?

    Now we need to make use of ComboFix by sUBs
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    
    File::
    C:\Documents and Settings\Owner\kdoxjapxzp.tmp
    C:\Documents and Settings\Owner\desktop\kdoxjapxzp.tmp
    C:\WINDOWS\system32\305988348
    C:\WINDOWS\system32\3813128c
    C:\WINDOWS\system32\atmfd32.dll
    C:\WINDOWS\system32\mchgrcoi32.dll
    
    FileLook::
    C:\Documents and Settings\Owner\824700-14.cbr
    
    Folder::
    C:\Documents and Settings\Owner\Local Settings\Application Data\bfcmnimbe
    C:\Documents and Settings\Owner\Local Settings\Application Data\ghjknupps
    C:\Documents and Settings\Owner\Local Settings\Application Data\hesomvlos
    C:\Documents and Settings\Owner\Local Settings\Application Data\nvuioqflt
    
    DirLook::
    C:\Documents and Settings\Owner\Local Settings\Application Data\Installer2980
    C:\Documents and Settings\Owner\Local Settings\Application Data\Installer2844
    
    Driver::
    00000037
    
    Registry::
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A0402224-1C6B-4D7F-85DA-3FA1DA0239FB}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    
    RegLock::
    [HKEY_USERS\S-1-5-21-1177238915-448539723-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{216B03D3-0B54-2B9A-4274-DD5613573141}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "eamiocjjib"=hex:66,61,67,62,6c,64,67,6b,63,68,68,63,00,31
    "dabblfcj"=hex:64,62,61,68,66,6d,6f,62,6c,64,62,70,64,63,68,63,66,69,67,6c,6b,
    6a,6d,69,63,63,69,63,63,67,6d,63,66,63,70,6b,65,61,6b,6a,00,00
    "iaegppnmpanfcfpgjj"=hex:6a,61,6c,6e,64,6d,6d,6b,6d,67,6d,6a,64,6f,6b,6c,70,64,
    69,70,00,00
    "haogfohajjlboleo"=hex:6a,61,6c,6e,64,6d,6d,6b,6d,67,6d,6a,64,6f,6b,6c,70,64,
    69,70,00,f0
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    • Attach this log to your next message. (How to attach items to your post)

    Could you please get this file: 824700-14.cbr into a zipped file and attach it for me in your next post? To do this, see the below:

    On your keyboard, press the Windows key + R at the same time and paste in the following:

    This brings up the Run dialog box for Windows XP
    Now paste in the following:
    Press ENTER
    log retrievable @ C:\collect.zip
    Attach collect.zip to your next message. (How to attach items to your post)

    Please go to virustotal and upload the following files for analysis, and let me know the results.
    • C:\Documents and Settings\Owner\824700-14.cbr

    Now we need to run TDSSKiller by Kaspersky
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

    *** Let me know how the PC is running after you have completed these steps! ***
     
  5. wbodri

    wbodri Private E-2

    Browser Hijack Seems to Have Disappeared

    Sorry for the delay - since my computer has been out, I haven't been on to the web. I got your instructions, tried to follow them to the letter and Voila! The Browser Hijack seems to be gone! My computer works again! My programs are saved!

    I am so thankful for your help and kindness! Words cannot express my Thanks. Where do I send you a box of cookies or something?

    Now to answer some of your questions, as some things did go strange with the debug, I must report the following as you asked:

    (1) You asked if I opened up these ports - No, I'm no computer person who would know how to do this or that I should do this, so if this isn't normally opened up by a program on my system, it wasn't me. Should these be closed and if so, how do I do so?
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "21:TCP"= 21:TCP:FTP
    "21:UDP"= 21:UDP:FTP2

    (2) When I tried the procedure to produce collect.zip, no file ever appears on the C drive -- for some reason the command is not working in the Run dialog box. So I cannot attach it since it is not there, and a computer-wide search found nothing either. I've tried copying the command several times, but I don't think the command is working.

    The count from VirusTotal is 0/44 (0%) but the 824700-14.cbr file has a production date of 10/8/2008.

    (3) The other files you asked for are attached.

    Once again, Thank you from the bottom of my heart for generously offering your time and skills to a difficult task on behalf of people like me.
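
The RegLock:: block in the CFScript above and the firewall entries wbodri quotes in this post are both in registry-export format, the same layout ComboFix prints and .reg files use. Binary data in that format appears as comma-separated `hex:` octets, often wrapped across lines, which is hard to read by eye. The following is an added example, not code from the thread or from ComboFix: it parses such text, decodes the `hex:` values to bytes, and summarises the locations the consultant and the user discussed (AppInit_DLLs, the GloballyOpenPorts firewall list, and the raw values under the Shell Extensions key). The sample input is constructed from the entries quoted in the posts; nothing else about this machine is assumed. One observation the decode makes visible: the decoded strings use only the letters a through p, a sixteen-letter alphabet, which is worth noticing when triaging a log, though the example makes no claim about what they encode.

```python
# Added example (not from the MajorGeeks thread): parse registry-export style text,
# as printed by ComboFix and found in .reg files, and decode "hex:" values to bytes
# so the data stored under a suspicious key can actually be read.
import re
from typing import Dict, Iterator, List, Union

RegValue = Union[str, bytes]

# Constructed sample built from entries quoted in the thread. Two continuation styles
# are deliberately mixed: a .reg-style trailing backslash and the bare wrap after a
# comma that the forum post shows. Both must be re-joined before parsing.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"21:TCP"= 21:TCP:FTP
"21:UDP"= 21:UDP:FTP2

[HKEY_USERS\S-1-5-21-1177238915-448539723-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{216B03D3-0B54-2B9A-4274-DD5613573141}]
"eamiocjjib"=hex:66,61,67,62,6c,64,67,6b,63,68,68,63,00,31
"dabblfcj"=hex:64,62,61,68,66,6d,6f,62,6c,64,62,70,64,63,68,63,66,69,67,6c,6b,\
  6a,6d,69,63,63,69,63,63,67,6d,63,66,63,70,6b,65,61,6b,6a,00,00
"iaegppnmpanfcfpgjj"=hex:6a,61,6c,6e,64,6d,6d,6b,6d,67,6d,6a,64,6f,6b,6c,70,64,
69,70,00,00
"""

_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))\s*=\s*(.*)$')


def _logical_lines(text: str) -> Iterator[str]:
    """Yield one complete line per key or value, re-joining wrapped hex values.
    A physical line continues when it ends with a backslash (.reg) or a comma (log wrap)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        buf = buf + line if buf else line
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        if buf.endswith(","):
            continue
        yield buf
        buf = ""
    if buf:
        yield buf


def decode_hex_value(rhs: str) -> bytes:
    """'hex:66,61,...' or 'hex(7):...' -> raw bytes; stray whitespace is tolerated."""
    _, _, body = rhs.partition(":")
    octets = [o.strip() for o in body.split(",") if o.strip()]
    return bytes(int(o, 16) for o in octets)


def parse_reg_export(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Return {key path: {value name: str or bytes}}. A key written as [-path] is a
    .reg deletion directive; it is kept verbatim so the caller can see it."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        m = _VALUE_LINE.match(line)
        if not m:
            continue  # ACL annotations such as "@Allowed: ..." carry no value
        name = "@" if m.group(2) else m.group(1)
        rhs = m.group(3).strip()
        if rhs.lower().startswith("hex"):
            keys[current][name] = decode_hex_value(rhs)
        elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            keys[current][name] = rhs[1:-1]
        else:
            keys[current][name] = rhs  # ComboFix prints some strings unquoted
    return keys


def printable(data: bytes) -> str:
    """ASCII view of a value; non-printable bytes become \\xNN escapes."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "\\x%02x" % b for b in data)


def report(keys: Dict[str, Dict[str, RegValue]]) -> List[str]:
    """Summarise the locations the thread dealt with. A DLL named in AppInit_DLLs is
    loaded into every process that links user32.dll, so a non-empty value matters."""
    out: List[str] = []
    for path, values in keys.items():
        low = path.lower()
        if low.endswith(r"\currentversion\windows") and "AppInit_DLLs" in values:
            dlls = values["AppInit_DLLs"]
            out.append("AppInit_DLLs is empty" if dlls == "" else f"AppInit_DLLs loads {dlls!r}")
        if r"\globallyopenports\list" in low:
            for name, val in values.items():
                out.append(f"firewall exception {name} -> {val}")
        for name, val in values.items():
            if isinstance(val, bytes):
                out.append(f"{name} ({len(val)} bytes) = {printable(val)}")
    return out


if __name__ == "__main__":
    for finding in report(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

Run it against a saved ComboFix log or a .reg export instead of the constructed sample to get the same decoded view of any `hex:` values in it; the firewall and AppInit_DLLs checks only fire when those particular keys are present.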
     


  6. thisisu

    thisisu Malware Consultant

    Glad to hear it :)

    I think it may be something used by one of the Adobe applications you have installed. If you're not experiencing any problems, I would leave these entries alone. Your latest logs are clean.

    No worries, does not look like it was malware related. I just wanted to make sure.
    Only thing left to do is download and install the current version of Sun Java from Sun Java Runtime Environment

    You're welcome, surf safely ;)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between the combofix" and the /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  7. wbodri

    wbodri Private E-2

    Many Thanks Once again

    10,000 kowtows once again for your help and assistance. You didn't have to volunteer any help to us folks and you do, tirelessly, time and again, and I thank you from the bottom of my heart. You saved me time, money, effort, anxiety, ... Priceless assistance! Thank you, thank you, thank you!
     
  8. thisisu

    thisisu Malware Consultant

    Re: Many Thanks Once again

    You're welcome :)
     
