Browser hijacking

Discussion in 'Malware Help (A Specialist Will Reply)' started by zylstra, Mar 10, 2009.

  1. zylstra

    zylstra Private E-2

    My problems started yesterday on my XP machine after my assistant used it. It may or may not have been her. My browser gives errors when attempting to view many sites. For others such as Google it redirects to popups with search ad links.

    I ensured that Windows Installer was set to Not Configured, but SAS, MB, and ComboFix would not run. MGtools, however, could, and I have attached the logs to this post.

    (Why don't you allow 4 attachments per thread for those who can run all the programs?)
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Why am I not seeing any anti-virus software on this machine?

    Please run both CCleaner and ATF Cleaner by Atribune.

    Now use windows explorer to find and delete:
    C:\WINDOWS\system32\twex.exe

    Disable all browser toolbars and add-ons.

    Install an AV program.

    Run it.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.
     
  3. zylstra

    zylstra Private E-2

    Hahaha, rolleyes, Tim, I'm not a fan of anti-virus. I've been using a Sony VAIO laptop for four years now without any anti-virus or problem. I think this desktop had the Windows firewall turned off and so contracted the malware.

    Anyway, I figured out how to run Malwarebytes. I changed the setup file name to install it, but I didn't try changing the name of the program itself at first. So I did that and it seemed to have worked.

    Thank you for getting back to me though!

    Just FYI, I did run both AVG and Ad-Aware to no avail.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I would still like to see the logs.
     
  5. zylstra

    zylstra Private E-2

    A new MGlogs.zip? I ran it again. Here it is:
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to attach the other logs requested in the READ & RUN ME from SUPERAntiSpyware, Malwarebytes, and ComboFix.

    Please delete the below file. MGtools.exe does not belong here. Running it like this could lead to problems and also false detections by other scanning programs.
    C:\Documents and Settings\HP_Administrator\My Documents\Programs\Virus\MGtools.exe



    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\system32\AlxTB1.dll (file missing)
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
    O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

    After clicking Fix, exit HJT.
     
    Last edited: Mar 20, 2009
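The O2, O9 and O18 lines chaslang lists above are HijackThis entries: a Browser Helper Object, two Internet Explorer extension entries (a toolbar button and its Tools-menu item sharing one GUID) and an asynchronous pluggable protocol handler. "(file missing)" means HijackThis could not find the file the entry points at, so the entry is an orphaned registry pointer, and checking it and clicking Fix removes that pointer. The following is an added example, not code from the thread or from HijackThis: it parses those entry types out of a log, flags the orphaned ones and maps each to the registry key it is loaded from, so you can see why two O9 lines collapse to a single fix. The registry locations are the standard IE extension points for these entry types; the four sample lines are the ones quoted in the thread and the O4 line is constructed to show that other entry types are skipped here.

```python
"""Triage HijackThis O2/O9/O18 log lines and map each to its registry home.

Added example, not code from the MajorGeeks thread or from HijackThis.
"(file missing)" means HJT could not find the file an entry points at, so
the entry is an orphaned pointer; fixing it removes that pointer from the
registry. The locations below are the standard Internet Explorer extension
points these entry types are loaded from.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")

# Registry key each entry type is loaded from (and that "Fix checked" removes).
REGISTRY_HOME = {
    "O2": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{guid}",
    "O9": r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{guid}",
    "O18": r"HKCR\PROTOCOLS\Handler\{name}",
}


@dataclass
class HjtEntry:
    kind: str            # "O2", "O9" or "O18"
    label: str           # BHO name, button caption or protocol scheme
    guid: Optional[str]  # CLSID/GUID, normalised to upper case
    path: Optional[str]  # file the entry points at, as HJT printed it
    file_missing: bool   # True when HJT reported "(file missing)"
    registry_key: str    # where the fix happens


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Parse one HJT line; returns None for entry types this triage does not cover."""
    m = LINE_RE.match(line.strip())
    if not m or m.group(1) not in REGISTRY_HOME:
        return None
    kind, rest = m.group(1), m.group(2)
    file_missing = "(file missing)" in rest
    rest = rest.replace("(file missing)", "").strip()
    g = GUID_RE.search(rest)
    guid = g.group(0).upper() if g else None
    head = rest[: g.start()] if g else rest      # e.g. "BHO: AlxTB BHO - "
    tail = rest[g.end():] if g else ""           # e.g. " - C:\WINDOWS\system32\AlxTB1.dll"
    label = head.split(":", 1)[-1].strip().rstrip("-").strip()
    path = tail.strip().lstrip("-").strip() or None
    key = REGISTRY_HOME[kind].format(guid=guid or "{?}", name=label)
    return HjtEntry(kind, label, guid, path, file_missing, key)


def parse_hjt_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_hjt_line(l) for l in text.splitlines()) if e]


def orphaned(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Entries whose backing file is gone: the ones worth checking for Fix."""
    return [e for e in entries if e.file_missing]


def fix_targets(entries: List[HjtEntry]) -> List[str]:
    """Distinct registry keys a Fix of the orphaned entries removes.
    Two O9 lines sharing a GUID (button + Tools menu item) collapse to one key."""
    keys: List[str] = []
    for e in orphaned(entries):
        if e.registry_key not in keys:
            keys.append(e.registry_key)
    return keys


# Sample log: the four O2/O9/O18 lines are the ones quoted in the thread; the
# O4 line is constructed to show that other entry types are skipped here.
SAMPLE_LOG = r"""
O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\system32\AlxTB1.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip()

if __name__ == "__main__":
    entries = parse_hjt_log(SAMPLE_LOG)
    for e in orphaned(entries):
        print(f"{e.kind:<3} {e.label!r:<26} missing: {e.path}")
        print(f"    -> {e.registry_key}")
    print("distinct keys to remove:", len(fix_targets(entries)))
```

Run against the thread's four lines it reports all four as orphaned but only three registry keys to remove, because both O9 lines point at the same extension GUID. An entry that is "(file missing)" is harmless in itself; the reason to fix it anyway is that a stale CLSID or protocol registration is a free loading point for whatever later drops a file at that path.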
  7. zylstra

    zylstra Private E-2

    OK, phfewf. Let me know if I did this correctly.

    Thanks!
     


  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable your AV and AS protection while we do the following:

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now use windows explorer to find and delete:
    c:\windows\system32\UACgsoucnfn.db
    c:\windows\system32\stus.exe
    c:\windows\system32\uactmp.db
    c:\windows\system32\UACknbgrkel.db
    C:\ef6dbbbf4b20278be2631f5865301f6f

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.
     
  9. zylstra

    zylstra Private E-2

    I fixed those three (file missing) earlier. Now I zapped those four files and one folder. Here's the new C:\MGlogs.zip
     


  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sweet......your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note: the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work through the below link:

     
