Browser Hijack

Discussion in 'Malware Help (A Specialist Will Reply)' started by rdjay, Feb 16, 2008.

  1. rdjay

    rdjay Private E-2

    My IE and Firefox have Google set as the "Home" page. When they start, a page with random Chinese characters appears. Other sites seem to open ok like Yahoo.

    I've tried many suggestions on this site including this thread - http://forums.majorgeeks.com/showthread.php?t=148077 but no change.

    Attached is my Hijackthis log.

    Thanks in advance for your help.

    RdJay
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button.
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program.

    Now please follow the instructions in the below link and attach the requested logs when you finish these instructions. Make sure you uninstall ALL but one antivirus program as you have more than one install (I saw Authentium and Iolo).

    READ & RUN ME FIRST. Malware Removal Guide
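    The reason HostsXpert restores the Microsoft default is that a hijacked hosts file can send a browser's home page to an attacker's server or silently block security vendors. As an added example (not from the thread or from HostsXpert), here is a small Python audit over a constructed sample hosts file; the SECURITY_DOMAINS watch list is my own assumption, and only the standard library ipaddress module is used.

```python
import ipaddress

# Constructed sample of a tampered Windows hosts file (the thread only reports the
# symptom: the Google home page came back as a page of unfamiliar characters).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    www.google.com
203.0.113.10    google.com        # home page silently redirected
127.0.0.1       download.mcafee.com
127.0.0.1       www.symantec.com
"""

# The default Microsoft hosts file maps only localhost to loopback.
DEFAULT_ENTRIES = {"localhost"}
# Assumed watch list (my own, not from the thread) of update/security vendor domains
# that hijackers commonly blackhole so the victim cannot download or update a cleaner.
SECURITY_DOMAINS = ("mcafee.com", "symantec.com", "windowsupdate.com", "grisoft.com")


def parse_hosts(text):
    """Yield (ip, hostname, lineno) for each mapping, skipping comments and blank lines."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue                           # blank, comment-only or malformed line
        for host in fields[1:]:
            yield fields[0], host.lower(), lineno


def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def audit_hosts(text):
    """Return (lineno, hostname, ip, reason) for entries a clean XP hosts file would not have."""
    findings = []
    for ip, host, lineno in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((lineno, host, ip, "invalid address"))
            continue
        if host in DEFAULT_ENTRIES and addr.is_loopback:
            continue                           # the one entry Microsoft ships
        if not (addr.is_loopback or addr.is_unspecified):
            # Name resolves to a real remote host: the classic redirect hijack.
            findings.append((lineno, host, ip, "redirects to a remote address"))
        elif any(_in_domain(host, d) for d in SECURITY_DOMAINS):
            # Name is pointed at 127.0.0.1/0.0.0.0: the site is being blocked.
            findings.append((lineno, host, ip, "blackholes a security/update vendor"))
    return findings


if __name__ == "__main__":
    for lineno, host, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {ip:<15} {host:<25} {reason}")
```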
     
  3. rdjay

    rdjay Private E-2

    Chaslang,

    I ran Hostxpert as suggested and then went to the Malware removal guide and did the four scans. Attached are the logs from Combofix and MG.

    AVG didn't create a log even though I had set it so it would?? It found and fixed three files:
    Downloader.Apher.y
    TrackingCookie.Atdmt
    TrackingCookie.Tribalfusion

    After running Combofix the browser seemed ok. After finishing all four scans I restarted and the problem is back.

    The only thing I didn't do is remove Authentium. I don't remember ever installing it. It doesn't appear in Add/Remove programs and I went to their website looking for a "removal tool" and couldn't find anything. I don't know how to get rid of it short of deleting the folder from program files but I'm not sure about that. If you have a suggestion on that it would be appreciated.

    Thanks again for your help.

    RdJay
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, it appears Iolo did not write their own antivirus program. They are using Authentium's. They just did not change the registry and file system entries to reflect this properly. Did you purchase this or is it a trial?

    Why do I also see the below from McAfee?
    Code:
    2008-02-10 21:29 . 2008-02-10 21:29 <DIR> d-------- C:\WINDOWS\McAfee.com
    2008-02-10 20:51 . 2008-02-10 20:58 35,575,089 --a------ C:\sdat5226.exe
    Are you sure you ran HostsXpert exactly as requested? It does not look like it. Did you select the option to make the hosts file writeable? Try again. Perhaps try shutting down your Iolo AntiVirus software first.

    Uninstall the below old versions of software:
    Java(TM) 6 Update 3

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Policies\Explorer\Run: [guzymxjcs] guzymxjcs.exe
    O15 - Trusted Zone: http://*.mcafee.com
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O22 - SharedTaskScheduler: (no name) - {CB986542-ECB9-9764-A976-421FDDBA8765} - C:\WINDOWS\system32\EPZKUPA.dll

    After clicking Fix, exit HJT.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):
    Code:
    Driver::
    DeepFree Update
    msepion
    msertk
    msskye
    phy
    WinDriver
     
    File::
    C:\WINDOWS\system32\EPZKUPA.dll
    C:\WINDOWS\system32\guzymxjcs.exe
    C:\WINDOWS\system32\drivers\msyecp.sys
    C:\WINDOWS\system32\DRIVERS\msaclue.sys
    C:\WINDOWS\SYSTEM32\DRIVERS\npf.sys
    C:\WINDOWS\system32\drivers\WINDRVR.SYS
    C:\WINDOWS\system32\drivers\pcihdd2.sys
    C:\WINDOWS\system32\DRIVERS\phy.sys
    C:\WINDOWS\system32\nzaills.amn
    C:\WINDOWS\system32\hhrdxd.dll
    C:\WINDOWS\system32\zjydcx.dll
    C:\WINDOWS\SYSTEM32\msepion.sys
    C:\WINDOWS\SYSTEM32\rdemppw.dll
    C:\WINDOWS\SYSTEM32\frsaddk.dll
    C:\WINDOWS\SYSTEM32\73312.dat
    C:\WINDOWS\SYSTEM32\jemnaw.dll.vir
    C:\WINDOWS\SYSTEM32\jemnaw.cfg
    C:\WINDOWS\SYSTEM32\hjxr.cfg
    C:\WINDOWS\SYSTEM32\3auhad.cfg
    C:\WINDOWS\SYSTEM32\qcdl
    C:\WINDOWS\SYSTEM32\utgnehz.cfg
    C:\WINDOWS\SYSTEM32\niluw.cfg
    C:\WINDOWS\SYSTEM32\naixuhz.cfg
    C:\WINDOWS\SYSTEM32\bauhgnem.dll.vir
    C:\WINDOWS\SYSTEM32\oqnauhc.dll.vir
    C:\WINDOWS\SYSTEM32\uohsom.cfg
    C:\WINDOWS\SYSTEM32\naijoad.cfg
    C:\WINDOWS\SYSTEM32\oqnauhc.cfg
    C:\WINDOWS\SYSTEM32\oadnew.cfg
    C:\WINDOWS\SYSTEM32\ijougiemnaw.cf
    C:\WINDOWS\SYSTEM32\gnolnait.cfg
    C:\WINDOWS\SYSTEM32\bauhgnem.cfg
    C:\WINDOWS\SYSTEM32\bauhgnem.dll
    C:\WINDOWS\SYSTEM32\SET22.tmp
    C:\WINDOWS\SYSTEM32\SET23.tmp
    C:\WINDOWS\SYSTEM32\SET24.tmp
    C:\WINDOWS\SYSTEM32\SET25.tmp
    C:\WINDOWS\SYSTEM32\SET26.tmp
    C:\WINDOWS\SYSTEM32\SET2A.tmp
    C:\WINDOWS\SYSTEM32\SET2B.tmp
    C:\WINDOWS\SYSTEM32\SET2C.tmp
    C:\WINDOWS\SYSTEM32\SET2D.tmp
    C:\WINDOWS\SYSTEM32\SET31.tmp
    C:\WINDOWS\SYSTEM32\SET33.tmp
    C:\WINDOWS\SYSTEM32\SET35.tmp
    C:\WINDOWS\SYSTEM32\SET3A.tmp
    C:\WINDOWS\SYSTEM32\SET3D.tmp
    C:\WINDOWS\SYSTEM32\smrgdf.exe
    C:\WINDOWS\guzymxjcs.exe.hiv
    C:\WINDOWS\SYSTEM32\auhad.cfg
    C:\WINDOWS\leqpzxvb.dat
    C:\WINDOWS\mccckgxs.dat
    C:\_uninsep.bat
    C:\WINDOWS\Temp\fb_240.lck
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20080217-131931.backup
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20080217-131932.backup
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20080217-131933.backup
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20080217-131913.backup
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20080217-131934.backup
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20080217-131914.backup
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20080217-125703.backup
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20080217-125741.backup
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20080217-131902.backup
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20080217-131911.backup
     
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "guzymxjcs"=-
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{CB986542-ECB9-9764-A976-421FDDBA8765}"=-
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{17DFD111-BF3A-4CB4-ADB0-88FCBFE69821}"=-
    "{45AADFAA-DD36-42AB-83AD-0521BBF58C24}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "sefnqqx"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
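    The HijackThis lines selected above each describe a persistence or trust point (autorun keys, Trusted Zone, ActiveX objects, SharedTaskScheduler DLLs). As an added example that is not part of the thread or of HijackThis, the Python below parses those O-line formats into fields and applies my own review heuristics to them; the sample is constructed from the lines quoted in this thread.

```python
import re

# Constructed sample: the HijackThis lines quoted in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Policies\Explorer\Run: [guzymxjcs] guzymxjcs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O22 - SharedTaskScheduler: (no name) - {CB986542-ECB9-9764-A976-421FDDBA8765} - C:\WINDOWS\system32\EPZKUPA.dll
""".strip()

CLSID = r"\{[0-9A-Fa-f-]+\}"
PATTERNS = {  # one regex per HJT section handled here
    "O4": re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$"),
    "O15": re.compile(r"^O15 - Trusted Zone: (?P<url>.*)$"),
    "O16": re.compile(r"^O16 - DPF: (?P<clsid>" + CLSID + r") -\s*(?P<url>.*)$"),
    "O22": re.compile(r"^O22 - SharedTaskScheduler: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$"),
}


def parse_hjt_line(line):
    """Return {'section': ..., named fields...} for a recognised O-line, else None."""
    line = line.strip()
    section = line.split(" - ", 1)[0]
    pattern = PATTERNS.get(section)
    m = pattern.match(line) if pattern else None
    if not m:
        return None
    return {"section": section, **m.groupdict()}


def triage(rec):
    """Review flags for one parsed line (my own heuristics, not HijackThis's own logic)."""
    reasons = []
    if rec["section"] == "O4":
        if "Policies\\Explorer\\Run" in rec["key"]:
            reasons.append("autorun under Policies\\Explorer\\Run, rarely used by legitimate installers")
        cmd = rec["cmd"].strip()
        exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
        if exe and "\\" not in exe:
            reasons.append("bare executable name with no directory path")
    elif rec["section"] == "O15" and "*" in rec["url"]:
        reasons.append("wildcard Trusted Zone entry lowers IE security for a whole domain")
    elif rec["section"] == "O16" and not rec["url"]:
        reasons.append("ActiveX object registered with no download source")
    elif rec["section"] == "O22" and rec["name"] == "(no name)":
        reasons.append("unnamed SharedTaskScheduler DLL loaded into Explorer at logon")
    return reasons


def review_log(text):
    """Return [(line, reasons)] for every parsed line that earned at least one flag."""
    flagged = []
    for line in text.splitlines():
        rec = parse_hjt_line(line)
        if rec:
            reasons = triage(rec)
            if reasons:
                flagged.append((line, reasons))
    return flagged
```

    Of the five sample lines, only the signed RealNetworks scheduler entry passes without a flag; the other four are exactly the ones the thread tells the user to fix.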
     
  5. rdjay

    rdjay Private E-2

    chaslang,

    Thank you very much for your help. Things appear to be working great :).

    To answer your questions.

    I was running McAfee but when my problems started it froze my computer. I deleted it and ran the removal tool to get rid of it and then installed the trial of Iolo from a recommendation I read for it in our local newspaper. If it's ok I'll probably keep it or go back to my free version of McAfee from Comcast. If you have any recommendations that would be great.

    Not sure why those two files were still there. I deleted both and they are now gone.

    I believe I ran Hostxpert correctly. Each time I ran it I got an "Error cannot Create file C:\Windows\System32\Drivers\Etc\Hosts"?? I tried it once more after all of your suggestions and the error did not appear.

    I've attached the logs as requested. If you see anything else that looks wrong please let me know.

    Is AVG similar to Adaware? I've used Adaware in the past to clean out spyware; I'm curious if this is the same or better?

    Once again THANK YOU for your help.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Trials are only trials for a short period. If you don't purchase after the trial period, they are not useful. Personally I would not use either of these. My final instructions will give you some free very good tools to use.

    Okay, that is why it looked like it was not run. It did not work.

    I assume you mean AVG Antispyware. It is many many times better than Ad-Aware.


    Uninstall Java 2 Runtime Environment, SE v1.4.2 which I did not notice last time.


    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now delete the below file:
    C:\Program Files\Internet Explorer\SET3E.tmp

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the new C:\MGlogs.zip

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note: The space between the X and the /U, it must be there.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work thru the below link:
     
    Last edited: Feb 22, 2008
  7. rdjay

    rdjay Private E-2

    chaslang,

    All seems ok.

    I did the next steps and here is the log file.

    I'm now heading into the final steps to clean up. I think I'll uninstall Iolo and install one of the recommended antivirus programs.

    Thanks again for all the help. Please let me know if you see anything else in the logs.

    RdJay
     

    Attached Files:

  8. rdjay

    rdjay Private E-2

    chaslang,

    I've downloaded AVG Antivirus and am attempting to install it.

    I get a message that another antivirus program is on my computer and should be removed.

    I've had Norton (long ago) and McAfee recently; I uninstalled them and used their removal tools. I had Iolo System Mechanic on a trial and did uninstall it but can't find any removal tools.

    I've done a Windows "search" and removed anything with Iolo in it. Also ran Ccleaner and cleared out the registry settings with Iolo in them.

    AVG still doesn't want to install.

    Any ideas?

    Thanks, RdJay
     
  9. rdjay

    rdjay Private E-2

    Anyone have any ideas?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should read all of the sticky threads especially this one: Don't Bump! It Only Hurts You!!!

    The last 2 posts you made caused two days of additional delay in getting a response.

    The last MGlog.zip file you attached was before any attempts you made at uninstalling your Iolo antivirus program. If you wish I could check to see if anything remains now that would cause issues with AVG, but you will have to redownload and install/run MGtools.exe and attach a new log since I assume by now you followed my instructions and deleted it.

    It is possible that you did not get all of Iolo uninstalled. Are both of the below gone from Add/Remove Programs?
    Authentium AntiVirus SDK - 2
    iolo technologies' System Mechanic Professional 7
     
  11. rdjay

    rdjay Private E-2

    chaslang,

    Sorry about the second post. Your responses were so fast the first few times I guess I got spoiled :) and thought maybe the last one got missed. I've not done much in forums and didn't know what "bump" was. Won't happen again.

    Both Authentium and Iolo have been uninstalled and do not appear in the add/remove programs.

    I went ahead and installed AVG even though it said to remove my previous version of an antivirus. It seems to be working fine but I'm pretty sure some remnant of Iolo remains.

    Logs are attached. Thanks again for your help.

    Regards, RdJay
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download LSP - Fix

    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the ifw_xfilter.dll file (in the "Keep" section) to select it.

    Then, select the >> button to move ifw_xfilter.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.
    If it is already in the Remove section, just click Finish.


    Now let's remove a service left over from Iolo.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to iolo FileInfoList Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run C:\MGtools\analyse.exe which is really HijackThis, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste ioloFileInfoList into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT and reboot if it tells you it needs to.
    After reboot, run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  13. rdjay

    rdjay Private E-2

    chaslang,

    I did the steps listed and attached the logs.

    All seems to be working great now.

    Thanks for your help.

    RdJay
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Now let me repeat my final instructions that I previously gave in message #6.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note: The space between the X and the /U, it must be there.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work thru the below link:
     
