Browser has been hijacked... any help appreciated!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Matt Horgan, Apr 21, 2006.

  1. Matt Horgan

    Matt Horgan Private E-2

    Hi all!

    So, I seem to have picked up some sort of browser hijacker. It randomly redirects me in IE from the pages I want to visit (majorgeeks.com, for example) and sends me to annoying cam, ebay or search engine sites.

    I've run all the tools you guys have suggested, and I'm attaching my Panda and Hijack This logs. Bitdefender didn't find anything. Panda Active scan is the only tool to have found anything.

    Any help you kind folks could give me will be greatly appreciated! This thing is pretty annoying. Let me know if you need any further info from me.

    Thanks again,

    Matt
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a Wareout infection!

    Look in Add/Remove programs for UnSpyPC and uninstall if found.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe
    • Save it to your desktop and then run it by double clicking on it. It creates a folder named c:\fixwareout.
    • Click Next, then Install.
    • Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
    • The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    • When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items if they still exist:
    O4 - HKLM\..\Run: [dmrdf.exe] C:\WINDOWS\system32\dmrdf.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4CC8B055-286E-443F-9CCA-E3CDAC2B689C}: NameServer = 85.255.116.135,85.255.112.9
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8FF68D03-C5F2-4F13-BA4D-804653ADE000}: NameServer = 85.255.116.135,85.255.112.9
    O17 - HKLM\System\CCS\Services\Tcpip\..\{97C0B43B-2FDB-4146-831D-981F0FACC93D}: NameServer = 85.255.116.135,85.255.112.9



    After clicking Fix Checked, close HijackThis, and click OK to proceed.

    At the end of the fix, reboot into safe mode and use Windows Explorer to double check for the below files and delete if found:
    C:\WINDOWS\SYSTEM32\DRIVERS\zpmodemnt.sys
    C:\WINDOWS\system32\dmrdf.exe
    C:\Program Files\UnSpyPC <--- delete the whole folder if found

    Now reboot into normal mode and please attach the contents of the logfile C:\fixwareout\report.txt

    There could be additional cleanup to do from Wareout, and the log will let us know.

    Also attach a new HijackThis log.
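
The O17 check from the post above, as an added example that is not part of the original thread or of FixWareout: it parses HijackThis O17 lines and reports any NameServer value outside the resolvers you expect. The allowlist `192.168.1.0/24`, the function name `unexpected_dns` and the second sample O17 line are assumptions made for illustration.

```python
import ipaddress
import re

# HijackThis O17 line, as in the post: "O17 - <registry key>: NameServer = ip,ip"
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\\S+?): "
                    r"(?P<name>NameServer|DhcpNameServer) = (?P<value>.*)$")

# Sample log: the O4 line and first O17 line are from the post; the last line
# (placeholder GUID, router address) is constructed to show a benign entry.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [dmrdf.exe] C:\WINDOWS\system32\dmrdf.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CC8B055-286E-443F-9CCA-E3CDAC2B689C}: NameServer = 85.255.116.135,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""


def unexpected_dns(log_text, allowed_cidrs):
    """Return sorted (interface key, resolver) pairs for resolvers outside allowed_cidrs."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = set()
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue  # not an O17 name-server entry (e.g. the O4 Run line)
        # Windows accepts comma- or space-separated resolver lists in this value.
        for token in re.split(r"[,\s]+", m.group("value").strip()):
            if not token:
                continue
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                findings.add((m.group("key"), token))  # unparseable: flag for review
                continue
            if not any(ip in net for net in allowed):
                findings.add((m.group("key"), token))
    return sorted(findings)


if __name__ == "__main__":
    # Assumed allowlist: a home router handing out DNS on 192.168.1.0/24.
    for key, resolver in unexpected_dns(SAMPLE_LOG, ["192.168.1.0/24"]):
        print(f"unexpected resolver {resolver} on {key}")
```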
     
  3. Matt Horgan

    Matt Horgan Private E-2

    Okay... great!

    Followed the steps you listed, and my browser seems back to normal with a little testing out.

    I've attached the fix report, and a new HJT log.

    Thanks so much!!!

    Matt
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  5. Matt Horgan

    Matt Horgan Private E-2

    Done and done!

    Thanks again!

    Is there anything I can do as a way of saying thanks? Like click on some ads or make a Paypal donation or anything like that?

    Matt
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Enable your Private Messages and we can discuss it at your option.
     
