Browser hijack problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by yoshox2000, Dec 29, 2008.

  1. yoshox2000

    yoshox2000 Private E-2

    I have had issues with some form of malware opening up tabs and windows with my Firefox browser for various types of annoying ads. I noticed my Windows Firewall being turned off as well and my system slowing WAY down. I completed the steps in READ & RUN ME FIRST, which eliminated some of the problems, but I would occasionally click on a link while internet browsing and be taken to a completely different page not matching what I clicked on. After a day or two, it seems my system was re-infected and the pop up windows and tabs started again. I may have to watch where I surf more carefully. I went through the steps in READ & RUN ME FIRST again and things SEEM okay and the programs seemed to pick up a lot less malware on my system than the first time I went through the process. However, I want to be absolutely sure my system is clean and I will be far more careful about my browsing habits on this computer from now on. Please help me get my system running in tip top shape. Your help is appreciated and I'll be referring to some of the other resources on this site to keep my computer healthy. Thanks. The logs are attached
     


  2. yoshox2000

    yoshox2000 Private E-2

    This is the MGTools log
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    No you are not quite clean yet. ;)


    I strongly recommend that you not save any files in the Program Files folder. Save your downloads somewhere else. This folder should contain only folders from the installed programs, not the downloaded installers.
    Code:
    2008-03-04 00:23 219,952 ----a-w c:\program files\utorrent.exe
    2007-02-01 23:02 313,344 ----a-w c:\program files\hjsplit.exe
    2007-01-01 01:48 5,971,432 ----a-w c:\program files\Firefox Setup 2.0.0.1.exe
    2005-10-12 17:59 7,618,048 ----a-w c:\program files\avwinsfx.exe
    2005-09-20 15:53 4,878,136 ----a-w c:\program files\Firefox Setup 1.0.7.exe
    2005-03-18 15:29 4,816,320 ----a-w c:\program files\firefoxsetup1.0.1.exe
    2004-03-20 23:01 4,217,352 ----a-w c:\program files\DivX511.exe
    The same logic applies to your Desktop which should be cleaned up. Save only links there. Do not save downloads to your Desktop except on a temporary basis like ComboFix which we need there and will remove later.

    Now run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below very old versions of software:
    J2SE Runtime Environment 5.0 Update 1
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    LiveUpdate 3.0 (Symantec Corporation)
    Spybot - Search & Destroy 1.2

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
    O4 - HKUS\S-1-5-21-3675345140-4168701361-813958858-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
    O15 - Trusted Zone: *.antispyexpert.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.spyguardpro.com (HKLM)
    O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
    O20 - AppInit_DLLs: dumkkm.dll ytpiyd.dll qvkawb.dll
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse click ComboFix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run Ccleaner!

    Now goto this link Using MGtools and download the new version of MGtools.exe using the black bold print link in the first sentence.


    Run MGtools.exe then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
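    A read-only audit of the registry locations behind the O2 (BHO), O4 (Run key), O15 (Trusted Zone) and O20 (AppInit_DLLs) lines listed above, as an added example that is neither chaslang's code nor part of HijackThis or MGtools. It assumes Windows PowerShell 5.x run from an elevated prompt; the registry paths are the standard Internet Explorer and Windows locations, and the function names are my own.

```powershell
# Added example (not from the thread, HijackThis or MGtools): list the registry entries
# that HijackThis reports as O20, O15, O2 and O4, without changing anything.
# Assumes Windows PowerShell 5.x, run elevated so HKLM is readable.

function Get-AppInitDlls {
    # Every DLL named here is loaded into each process that maps user32.dll,
    # which is why a non-empty value with unfamiliar names deserves a look.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    foreach ($name in ($raw -split '[ ,]+' | Where-Object { $_ })) {
        # Bare names resolve relative to System32; full paths are used as given.
        $path = if ([IO.Path]::IsPathRooted($name)) { $name } else { Join-Path "$env:SystemRoot\System32" $name }
        [pscustomobject]@{ Dll = $name; ResolvedPath = $path; Exists = (Test-Path -LiteralPath $path) }
    }
}

function Get-TrustedZoneDomains {
    # Zone 2 is "Trusted sites". Entries are keys under Domains\<domain>[\<subdomain>]
    # holding a value named after the scheme ('*', 'http', 'https') whose data is 2.
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    if (-not (Test-Path -LiteralPath $base)) { return @() }
    foreach ($k in (Get-ChildItem -LiteralPath $base -Recurse)) {
        foreach ($valueName in $k.GetValueNames()) {
            if ($k.GetValue($valueName) -eq 2) {
                # Rebuild the host from the key path: Domains\example.com\www -> www.example.com
                $rel   = $k.Name.Substring($k.Name.IndexOf('\Domains\') + 9)
                $parts = $rel -split '\\'
                [array]::Reverse($parts)
                [pscustomobject]@{ Host = ($parts -join '.'); Scheme = $valueName }
            }
        }
    }
}

function Get-BrowserHelperObjects {
    # Each subkey is a CLSID; its InprocServer32 default value names the DLL IE loads.
    # HijackThis prints '(no file)' when that DLL cannot be resolved, as in the O2 line above.
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path -LiteralPath $bho)) { return @() }
    foreach ($k in (Get-ChildItem -LiteralPath $bho)) {
        $clsid  = $k.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = (Get-ItemProperty -LiteralPath $server -ErrorAction SilentlyContinue).'(default)'
        $exists = $false
        if ($dll) { $exists = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll)) }
        [pscustomobject]@{ CLSID = $clsid; Dll = $dll; Exists = $exists }
    }
}

function Get-RunEntries {
    # HijackThis O4 lines come from these Run keys (HKUS\<SID> is the current user's HKCU).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $k = Get-Item -LiteralPath $key
        foreach ($name in $k.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $k.GetValue($name) }
        }
    }
}

# Report only; removal stays a separate, deliberate step taken after each entry is confirmed.
'== AppInit_DLLs (O20) =='        ; Get-AppInitDlls          | Format-Table -AutoSize
'== Trusted sites (O15) =='       ; Get-TrustedZoneDomains   | Format-Table -AutoSize
'== Browser Helper Objects (O2) =='; Get-BrowserHelperObjects | Format-Table -AutoSize
'== Run keys (O4) =='             ; Get-RunEntries           | Format-Table -AutoSize
```

    Compare the output with the HijackThis lines: a BHO whose DLL does not exist, Trusted-sites entries for domains you never added, and AppInit_DLLs names that are not present in System32 are the rows worth checking before any fix is applied.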
     
  4. yoshox2000

    yoshox2000 Private E-2

    Hi!

    Thanks for the help and the warm welcome! I did what you said and things are running pretty good. Computer is a bit slow, but no more so than it was before I was hit with malware. I probably need to free up hard drive space and read a guide on this site about speeding up PC performance.

    There are a few things I should mention however. I was told that some parts of that old Spybot program could not be removed and had to be removed manually. Also, when running the MGTools analyze program (HijackThis), I did not find these lines:

    O4 - HKUS\S-1-5-21-3675345140-4168701361-813958858-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

    Of course, this was after I went and uninstalled Messenger and LiveUpdate like you said.

    I also noticed when doing Google searches, I will briefly see "waiting for zfsearch" on the bottom of the screen. Is this some lingering form of malware? It's not causing any issues, but I'm concerned about it. I've also seen something called tribalfusion loading up when accessing this site, but I doubt that's malware. Just thought I'd ask though. Other than those things, everything seems to be running properly.

    I had a question too about reformatting hard drives and re-installs. I saw a guide about that on this site. Is this the sort of thing that people should do once in a while? Or is it just a last resort for people with badly infected computers? Just curious. Waiting for your reply. Thank you for the help.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Goto Add/Remove programs and uninstall the below:
    BullGuard
    Search Assistant - My Web Search

    This is likely due to all the things you are running. Many of them are not necessary; however, they are also not malware, so it's up to you to determine what you need and don't need. Things you should investigate are in the below box. The first two have been known to be resource hogs.
    Your logs show no signs of this. Yes it is considered malware: http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.Zfsearch&threatid=4004192

    What browser are you using when this occurs? What browser addons do you have? Does it occur when you do a search on Yahoo?



    Should only be done when really necessary unless you like doing things like below and also have the abilities to do this:

    • you have to back up all your own data, settings, configurations etc. and first you have to know what/where all of these are. And you have to have the medium (burnable media, second hard drive, tape drive [yuck] )
    • then you must make sure you have the necessary disks to reinstall not just your OS but all other software you use especially protection before going online
    • then delete your partitions, recreate partitions, format, reinstall the OS
    • now reinstall all your software especially protection
    • get online (requires some setup and config that novices have problems with)
    • download updates for OS
    • download updates for protection software
    • download updates for all other software
    • tweak all software back the way you like it. Including Desktop settings, icons etc.
    • create all the folders that you use for everything in your normal routines
    • re-load from your backups to get data back, to get settings, Favorites,.....etc back
    • now over the next two weeks you will realize that you forgot to backup some stuff and also you will keep finding something else that you need to reinstall.
     
  6. yoshox2000

    yoshox2000 Private E-2

    You know it seems I've lost track of how many things run on this computer. I'll look into those programs you mentioned. The zfsearch thing would pop up when doing Google searches on Mozilla Firefox (and still does). Interestingly enough, I find no signs of it while using Google on Internet Explorer (which I think I updated recently). I've been using Internet Explorer exclusively as a result of this (even though I know Firefox is supposed to be better). I'm not really sure about what browser add-ons I might have. If you mean Toolbars and things like that, none to my knowledge.

    About Search Assistant - My Web Search, I'm sorry I forgot to mention it earlier, but when removing programs under the READ & RUN first thread, I was unable to remove it. A window pops up that looks like some kind of program trying to run. It comes up blank however (all white) and on the blue horizontal bar at the top it says res://C:\PROGRAM~1\MYWEBS~1\SrchAstt\1.bin\mwssrcas.dll/101

    It's as if the uninstall procedure is unable to start. Also, when trying to uninstall BullGuard, nothing really happens. The Add or Remove Programs window disappears for like a split second while my mouse pointer shows the hour glass, then it re-appears and BullGuard is still there.

    Let me know if there is anything else you need to know. Also, I'm going to go ahead and download a firewall from this site. It seems the only one working for me right now is the Windows one, which isn't very good according to this site. I'm wondering if I should ditch AVG Free Edition for my antivirus as well. I read something here about people having issues with it.

    Thanks for your help, looking forward to your next reply.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try applying the method used in the below link but just replace all things related to Yoog with zfsearch. Let me know what you find.

    Yoog Removal

    Toolbars are one form of addon. You will see info about managing addons in the Yoog Removal link given above.

    Run CCleaner and select Tools. Then on the Uninstall form, locate each of these programs and select them (one at a time) and then click the Delete button on the right side of the window. Did that work? Check Add/Remove Programs.

    Are you having any other malware problems?
     
