Browser Hijacker - Clickapps1

Discussion in 'Malware Help (A Specialist Will Reply)' started by Legs, Mar 10, 2013.

  1. Legs

    Legs Private E-2

    I have followed this guide and I still have a browser hijacker that will not go away:

    http://forums.majorgeeks.com/showthread.phps=8876025f3b36ff3a2e8eee4bf13768d9&t=230267

    I've enclosed a screenshot of the hijacker, which I have managed to lock down in both Chrome and Firefox using NoScript. Internet Explorer continued to get hijacked, but once I went in and reset it to default, the hijacker went away in IE. When I let it go through the NoScript, it just continues to refresh clickapps1.com over and over, then sends me back there when I try to leave it.

    I am pretty sure that I got this hijacker through a codec package from cnet.com last weekend. I was clicking through the install and missed the "Do not install Ask.com" toolbar portion, so I suspect either the codec pack or the ask.com toolbar was infected with this redirect.

    When I rebooted my computer Monday I noticed it when I loaded Chrome. I usually use Firefox, and Firefox was fine due to NoScript, but Chrome was hijacked immediately when I loaded it. I quickly locked down Chrome and checked IE and it was also being hijacked. Initially the clickapps website was up and functional, but by Monday night it was taken down by the host. A Google search for clickapps1 on Monday did not reveal ANY mentions of it, but by Tuesday, there was a mention on Yahoo Questions and dozens of "Buy our program to get rid of it" sites. By Wednesday there were even more of them.

    Here are my scans. I welcome any help that you can give me.
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We still need the logs from running Hitman as well as the MGTools.exe log > C:\MGLogs.zip.
     
  3. Legs

    Legs Private E-2

    Thank you for the response. Here are the files you requested:
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not finding it in your logs. Please use Windows Explorer to find and delete:
    C:\Users\User Name\AppData\Roaming\Microsoft\Windows\Templates\83yy3728y33ttyt84ctwa47c60g41v2j

    Is it only happening with Chrome? While you have Google Chrome open, type this into the address bar and press ENTER: chrome://chrome/settings/

    From here you should be able to remove any settings related to "Clickapps".
     
  5. Legs

    Legs Private E-2

    I just did as you suggested, and I think I may have found what was changed. I'm posting it here in case others have the issues.

    It actually changed the code inside Chrome to where google.com also loaded clickapps1.com, then set that as my default browser. I had to go in and edit the HTML in Chrome to remove the redirect to Clickapps1.

    Very strange. I'm going to reboot and see if the purge survives the reboot.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let me know. :)
     
  7. Legs

    Legs Private E-2

    24 hours later, everything seems to be fine. Chrome doesn't redirect and the clickapps1.com script isn't even an option. It avoids detection through the typical scanners by not actually doing anything except reprogramming your defaults in the browsers.
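
An added example, not part of the thread and not MajorGeeks tooling: the post above says the hijacker only rewrites browser defaults, so one way to check a profile is to walk a browser preferences JSON file and list every setting whose URL host is the unwanted domain. The sample preferences and their key names are constructed for illustration; the scan itself does not depend on any particular key.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a Chrome-style preferences file (not data from the thread).
SAMPLE_PREFS = json.dumps({
    "homepage": "http://clickapps1.com/",
    "session": {"restore_on_startup": 4,
                "startup_urls": ["http://www.clickapps1.com/?s=1",
                                 "https://www.google.com/"]},
    "default_search_provider": {
        "search_url": "https://www.google.com/search?q=clickapps1.com"},
    "lookalike": "http://notclickapps1.com.example.org/",
})

def host_matches(value, domain):
    """True if value parses as a URL whose host is domain or a subdomain of it."""
    candidate = value if "://" in value else "//" + value
    try:
        host = (urlsplit(candidate).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL, e.g. an unbalanced IPv6 bracket
        return False
    return host == domain or host.endswith("." + domain)

def find_domain_refs(node, domain, path=""):
    """Walk parsed JSON; return (key path, value) for each string pointing at domain."""
    hits = []
    if isinstance(node, dict):
        for key, child in node.items():
            hits += find_domain_refs(child, domain, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            hits += find_domain_refs(child, domain, f"{path}[{i}]")
    elif isinstance(node, str) and host_matches(node, domain):
        hits.append((path, node))
    return hits

def scan_preferences(text, domain):
    """Parse preferences JSON text and report settings that point at domain."""
    return find_domain_refs(json.loads(text), domain.lower())

if __name__ == "__main__":
    for key_path, value in scan_preferences(SAMPLE_PREFS, "clickapps1.com"):
        print(f"{key_path}: {value}")
```

Matching on the parsed host rather than on a substring keeps lookalike hosts and search queries that merely mention the domain out of the results.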
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. After doing the above, you should work thru the below link


    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
