Browser hijacker

Discussion in 'Malware Help (A Specialist Will Reply)' started by rob0, Sep 16, 2007.

  1. rob0

    rob0 Private E-2

    Greetings,

I seem to have picked up a browser hijacker. I have run several spyware programs and virus scanners
and I have gone through the "run first" folder here. I've attached the logs here and will also attach a "Hijackthis"
log after I run it. I do not have logs for counterspy or spybot because those programs found nothing. I should
mention that I ran them before going through the "run first" folder.

This hijacker manifests after I do searches on yahoo or google and they redirect me to various web pages after I click on
links that the browser dug up. I suspect that the guilty party responsible for this hijacker is
3fn marketing which is connected to 3kaimana.com since I am frequently sent to a kaimanna search page.
     

    Attached Files:

  2. rob0

    rob0 Private E-2

    here's the last few logs
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 5
    Java 2 Runtime Environment, SE v1.4.2_03
    CounterSpy <--- we are finished with this trial program now.

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: Shell=explorer.exe "C:\Documents and Settings\Rob Rohrs\Start Menu\Programs\Startup\wincheck.exe\wincheck.exe"
    O2 - BHO: (no name) - {FDED1C12-AD76-613C-344C-A3BD5C6415B2} - C:\PROGRA~1\COMMON~1\System\w_3789.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - Startup: svchost.exe
    O4 - Startup: wincheck.exe
    O4 - Startup: w_3789.dll
    O4 - Global Startup: googletools.exe
    O4 - Global Startup: svchost.exe
    O4 - Global Startup: w_3789.dll
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    After clicking Fix, exit HJT.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!
     
  4. rob0

    rob0 Private E-2

All of the symptoms are gone and my browser runs a bit faster. Many thank-yous, sir! :cool

Just let me know if there are any other fishy or tenacious items in these logs and if I have a clean bill of health so I can finish the last items on the list (enable and disable the system restore).
     

    Attached Files:

  5. rob0

    rob0 Private E-2

    here's the last log
     

    Attached Files:

  6. rob0

    rob0 Private E-2

I went ahead and did the finishing touches. It would appear though that I'm not completely out of the woods. As I mentioned, the problems that I had with the hijacker are gone, thanks again. I'm now using spybot, spyblaster, (both of these according to recommendations) and I'm using the realtime spyware protection of spydoctor (because I paid for it and want to get the money's worth, but I'm not using its immunize function because I'm using that on spybot... not sure if that part matters).

I've been working on some other problems which I may request help for on other parts of the forum after I try a few things but in the process, I rebooted my computer and I got a prompt from spydoctor which said malicious actions from svchost and damaru (names may not be exact) were blocked. That's all well and good, but if they are being blocked, I suppose that means they are still on my computer. If they are always going to be blocked, that's great, but I think I'd rather have them completely off.

    I don't have time to run more programs and submit their logs so I'm just giving a heads up if any advice can be given about these sans logs.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It appears that you forgot to install the current version of Sun Java as requested in my previous instructions. You did uninstall the old versions though.

    Be careful with your choice of words. You are using Spyware Doctor not SpyDoctor. If you were using SpyDoctor we would have told you to uninstall it.

    svchost.exe is a valid system process as long as it is running from c:\windows\system32.

    damaru means nothing to me at all without seeing a full filename and path.


    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
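Added example (not part of this thread and not a MajorGeeks tool): the HijackThis entries chaslang asked to fix in message 3, together with his point in message 7 that svchost.exe is only legitimate when it runs from c:\windows\system32, can be turned into a small triage script. The Python below parses HJT-style F2/O2/O4/O6 lines and reports why each one is suspicious. The sample log is constructed from lines on this page plus two benign entries added for contrast (the QuickTime task from the page and a ctfmon.exe entry); the rule set (Shell must be exactly explorer.exe, unnamed BHOs, DLLs or system-process names in Startup locations, O6 policy restrictions) and the names `triage`, `Finding` and `SYSTEM_PROCESS_NAMES` are this example's own assumptions, not HijackThis's logic.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Assumed rule inputs (hypothetical, not taken from HijackThis itself).
SYSTEM_DIR = r"c:\windows\system32"
SYSTEM_PROCESS_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}

# Constructed sample: the lines chaslang asked to fix in message 3, plus two
# benign entries (the QuickTime task from the page, ctfmon.exe added) for contrast.
SAMPLE_HJT_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe "C:\Documents and Settings\Rob Rohrs\Start Menu\Programs\Startup\wincheck.exe\wincheck.exe"
O2 - BHO: (no name) - {FDED1C12-AD76-613C-344C-A3BD5C6415B2} - C:\PROGRA~1\COMMON~1\System\w_3789.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: svchost.exe
O4 - Startup: wincheck.exe
O4 - Startup: w_3789.dll
O4 - Global Startup: svchost.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""


@dataclass
class Finding:
    line: str
    reason: str


_O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?P<rest>.+)$")
# Either a quoted path, or the shortest unquoted run ending in a program extension.
_PATH_RE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|dll|com|scr|bat))\b', re.IGNORECASE)


def _extract_path(rest: str) -> str:
    # Drop the "[entry name]" label HJT puts on Run-key entries, then pull the program path.
    rest = re.sub(r"^\[[^\]]*\]\s*", "", rest)
    m = _PATH_RE.search(rest)
    return (m.group(1) or m.group(2)) if m else rest.strip()


def _triage_o4(where: str, rest: str) -> Optional[str]:
    path = PureWindowsPath(_extract_path(rest))
    name = path.name.lower()
    parent = str(path.parent).lower()
    in_startup_folder = where.lower() in ("startup", "global startup")
    if name.endswith(".dll"):
        # A DLL in a Startup folder cannot run by itself; Windows asks what to open it with,
        # which is exactly the ".dll" dialog rob0 describes later in the thread.
        return "DLL placed in a startup location; Windows will prompt for a program to open it"
    if name in SYSTEM_PROCESS_NAMES and (in_startup_folder or parent != SYSTEM_DIR):
        return f"{name} should only run from {SYSTEM_DIR}; a copy elsewhere is impersonating a system process"
    # Other startup programs (e.g. wincheck.exe) need manual research, as chaslang notes.
    return None


def triage(log_text: str) -> list:
    """Return a Finding for each HJT line that matches one of the rules above."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("F2 - REG:system.ini: Shell="):
            value = line.split("Shell=", 1)[1].strip()
            if value.lower() != "explorer.exe":
                findings.append(Finding(line, "logon Shell should be exactly explorer.exe; anything appended starts at every logon"))
        elif line.startswith("O2 - BHO: (no name)"):
            findings.append(Finding(line, "unnamed Browser Helper Object; legitimate BHOs identify themselves"))
        elif line.startswith("O4 - "):
            m = _O4_RE.match(line)
            if m:
                reason = _triage_o4(m.group("where"), m.group("rest"))
                if reason:
                    findings.append(Finding(line, reason))
        elif line.startswith("O6 - "):
            findings.append(Finding(line, "Internet Explorer policy restriction set; on a home PC this is usually a hijacker locking the user out of settings"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"FLAG  {f.line}\n      why: {f.reason}")
```

Run against the constructed sample, the script flags six of the nine lines and leaves the QuickTime task, ctfmon.exe and wincheck.exe alone; the last of these is deliberate, since a plain executable in a Startup folder is not suspicious on name alone and needs the kind of research chaslang asks for.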
  8. rob0

    rob0 Private E-2

    spyware doctor keeps blocking trojan.du
     
  9. rob0

    rob0 Private E-2

spyware doctor keeps blocking trojan.dumaru. It generally traces the file to a folder and in spyware doctor, it is called svchost.exe, but when I go to the file, it is called wincheck.exe. I'll delete it but the next time I log on, it comes back. Upon startup, I often get a dialogue box that tells me that Windows is trying to open a file type .dll. When I select "open with another program" (out of curiosity) it identifies this file as w_3789.dll. This file is found in the folder with wincheck.exe. I would delete it but I'm a little wary as I've regretted deleting stuff in the past.
     
  10. rob0

    rob0 Private E-2

Upon startup, I also get a window that says Windows failed to open wincheck.exe.
     
  11. rob0

    rob0 Private E-2

Well, here's my last (or perhaps second to last) update on this problem. I've cleared googletools.exe, svchost.exe and/or wincheck.exe out of 3 areas on my computer, that is the startup folders in documents and settings for 3 users (myself, another person, and the "all users" folder). I've logged off and started a couple of times and the messages haven't yet come back from spyware doctor claiming that malicious events were blocked from trojan.dumaru. However, I still get a dialogue box claiming that Windows could not open w_3789.dll and I always get a dialogue box that simply says that Windows couldn't find svchost.exe or wincheck or googletools.exe and it claims that it couldn't find these in the folders I cleared them out from (but I got that box even before I deleted those items; also, when I deleted those items, I did it from safe mode). I might do a little more looking around majorgeeks for more info on those items. I will probably delete all of the w_3789.dll files but I thought I should wait for this advice.
     
  12. rob0

    rob0 Private E-2

Sorry for all these posts. I'm posting as I go.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

We deleted all of those files you are mentioning back in message number 3. If you still have any of those files around, tell me exactly where they are. They could just be the backups created during our deletion process and that would mean you did not do what I requested in message # 7.

    Also if you are still getting messages about missing files, post a HijackThis log and a log from GetRunKey for the user account where these dialogue box messages are occurring.
     
  14. rob0

    rob0 Private E-2

    here are the logs for the first user account.
     

    Attached Files:

  15. rob0

    rob0 Private E-2

    here's for the second account
     

    Attached Files:

  16. rob0

    rob0 Private E-2

    currently, the main file that is generating the "cannot find" dialogue box is C:/documents and settings/Rob Rohrs/start menu/programs/startup/wincheck.exe/wincheck.exe
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do the below for BOTH user accounts.

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: Shell=explorer.exe "C:\Documents and Settings\Rob Rohrs\Start Menu\Programs\Startup\wincheck.exe\wincheck.exe"
    O4 - Startup: w_3789.dll
    O4 - Global Startup: w_3789.dll

After clicking Fix, exit HJT.

    Now logout of this account ( Do not use switch user! ). Then log into the other account and repeat the above.

    Now reboot in normal mode

    Now attach the below new logs (one set for each account) and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
  18. rob0

    rob0 Private E-2

    Here's the logs for the first account.
     

    Attached Files:

  19. rob0

    rob0 Private E-2

    Here's the logs for the second account.

    Everything looks pretty good. There are no more dialogue windows upon startup.

    Startup is not as fast as I would like it to be (and was in the not too distant past) but I'm going to work on other issues which I don't suppose are all the result of the malware such as the registry which I have never cleaned.

    Also, ever since working through these issues, we've lost the ability to use links in outlook. That might have been the result of something dumb I did prior to coming to this forum. If you don't have any idea about that, I'll probably post that question on one of the software forums.
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Your logs are clean!

    This is due to all the junk you are loading! Waaaaay too many toolbars and other unnecessary stuff. Uninstall all this junk.

    Did you buy this RegistryBooster 2? If not, uninstall it too.

You have piled on unnecessary stuff starting up that you need to decide whether you really need or not since only you really know what you use. My opinion would be to remove most of it but that is not a topic for this forum. I will suggest that you have HJT fix the below unnecessary startups which will help:
I repeat the rest of the startups are up to you to research. Some are known resource wasters especially the junk from your ISP like these:
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

    Yes this would be the best thing to do.


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  21. rob0

    rob0 Private E-2

    I believe that takes care of all of our business. Thank you so much for your time and effort.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     