Google hijack...

Discussion in 'Malware Help (A Specialist Will Reply)' started by saifloronwatch, Nov 30, 2006.

  1. saifloronwatch

    saifloronwatch Private E-2

    Hi, tried to post on the thread but permissions wouldn't let me. I've had the same problem as Hawklord and found the solution here:

    http://www.daniweb.com/techtalkforums/post278557.html

    Simply allow the DNS server to be selected automatically.

    Hope this helps.

    Paul
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The proper fix is to remove the WareOut infection and then reset the DNS setting.

    See this sticky thread: WareOut Removal


    If you don't remove the source, you are only bandaiding the problem and it could come back.
     
  3. saifloronwatch

    saifloronwatch Private E-2

    Thanks, I'll try that.

    Paul
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. There are many forms of WareOut infections. Some are much worse than others. The bad ones really need that procedure and even then there can sometimes be a few leftover .exe files that need to be manually deleted.
     
  5. saifloronwatch

    saifloronwatch Private E-2

    Hi, followed your procedure - seemed to work fine. DNS was still set to Automatic at the end. The report is attached... Do I need to manually delete??

    Rgds

    Paul
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See that! This procedure found more problems!

    Yes you need to delete the below files:

    C:\WINDOWS\SYSTEM32\CSBNI.EXE
    C:\WINDOWS\SYSTEM32\DMPFW.EXE

    And you need to fix any other associated O17 lines with the 85.x.x.x number from your HJT log. However note, we do not accept HJT logs here without our full cleaning procedures (in the READ & RUN ME sticky thread) being followed.
     
  7. saifloronwatch

    saifloronwatch Private E-2

    They're tenacious, aren't they!! I ran the procedure (followed the instructions religiously!). AVG found Trojan.Small.fb, but nothing else came up. Here are the MG tools reports and the HJT file. I would be grateful for your thoughts... although I can see that you're incredibly busy!!

    The PC in question is on a home network so I've run the procedure on the other units as well - nothing of note, just PandaScan finding tracking cookies which it labelled as Spyware.
     

  8. saifloronwatch

    saifloronwatch Private E-2

    This is the set from the next PC - PandaScan found a tracking cookie 'administrator@doubleclick[2].txt' but nothing else.
     

  9. saifloronwatch

    saifloronwatch Private E-2

    Finally, the set from the laptop... PandaScan found 2 x cookies: 'COOKIES.TXT[.xiti.com/]' and 'cookies-1.txt[.xiti.com/]'. Hope you've got time to have a look.

    Rgds

    Paul
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach the required CounterSpy logs or the BitDefender logs!

    You did not fix the O17 lines as I indicated! There is also a left-over O20 line from uninstalling Spy Sweeper which you can fix too.
    After fixing, reboot and attach a new HJT log for this first PC!! Let's work only on one PC at a time to avoid any confusion.

    You need to install a current Sun Java & update your Firefox version on this PC.

    Sun Java Runtime Environment

    Mozilla Firefox
     
    Last edited: Dec 4, 2006
  11. saifloronwatch

    saifloronwatch Private E-2

    Re CounterSpy/Bitdefender - sorry!! using my initiative (dangerous) and trying to reduce workload as they didn't find anything... here they are (if you still need them).

    Re O17/20, both fixed and rebooted.

    Firefox and Java updated.

    Rebooted then ran HJT - attached.

    Paul
     

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay this PC appears to be clean. Are there any other malware problems with it?

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now attach the CounterSpy and BitDefender logs for the dining room PC and explain what problems it is having.
     
  14. saifloronwatch

    saifloronwatch Private E-2

    Initial concerns for the Dining Room PC were 1) because they are networked and I was worried that any infection had spread to all 3, and 2) before they were networked, only the DR PC was connected to the internet and I kept receiving 'postmaster non-delivery reports' for spam e-mails that I hadn't sent. They were addressed to 'random letters@myusername' - I was concerned that either I had malware or that my server had been hacked. I have been told since that it is simply a spamming technique. Any thoughts?

    I have attached CounterSpy, Bitdefender and PandaScan. The HJT is above. Since then, I have upgraded Firefox and Java.

    I take it from your earlier comments that I should fix the 'missing file' reports in the HJT log.

    Appreciate your help.

    Paul
     

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I agree!

    No, not always true! HijackThis quite often tells you something is missing when it is not.

    You only have one item on this PC that you should fix with HJT. Fix the below line:
    O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe

    And then look for the below file and delete it if found.
    C:\Program Files\pl.exe

    If this PC is not having any other problems, you should uninstall some of the antispy software. Like CounterSpy and Windows Defender. You have SpywareGuard running and should not keep the others installed.

    Attach the CounterSpy, Bitdefender and PandaScan logs for the laptop.
     
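    The two HijackThis entry types chaslang asks Paul to act on in this thread (the O17 NameServer lines carrying the 85.x.x.x resolver from post 6, and the O16 DPF entry pointing at a local file:// path in post 15) can be picked out of a saved HJT log automatically. The script below is an added example, not something posted in the thread or shipped with HijackThis; the log lines in it are constructed (the 85.0.0.1/85.0.0.2 resolvers and the {GUID-PLACEHOLDER} key are made up to match the shapes discussed, not real indicators), and the list of expected DNS networks is an assumption the machine's owner would replace with their own ISP's resolvers.

```python
"""Flag the HijackThis (HJT) entry types discussed in this thread.

O17 lines show the DNS servers configured per network interface. A resolver
outside the ranges the owner expects (here: the RFC 1918 private ranges a home
router normally hands out) is the DNS-hijack symptom the thread is about.

O16 lines are Downloaded Program Files (ActiveX) entries. One whose target is a
local file:// path rather than a vendor URL is the odd entry fixed in post 15.

The SAMPLE_LOG below is constructed for this example; only the line shapes
follow real HJT output. Addresses and GUID are placeholders, not indicators.
"""
import ipaddress
import re

# Constructed sample: one ordinary O16, one file:// O16, one normal O17 and
# one O17 pointing at resolvers in the 85.x.x.x range mentioned in the thread.
SAMPLE_LOG = r"""
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in) - http://java.sun.com/update/jinstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID-PLACEHOLDER}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID-PLACEHOLDER}: NameServer = 85.0.0.1,85.0.0.2
"""

# Assumption: the owner expects only router-assigned private resolvers. A real
# allowlist would add the ISP's own resolver addresses.
EXPECTED_DNS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<target>\S+)$"
)


def parse_o17(text):
    """Return a list of (registry_key, [dns_servers]) taken from O17 lines."""
    found = []
    for line in text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            found.append((m.group("key"), servers))
    return found


def unexpected_dns_servers(text, expected_networks):
    """Return every O17 resolver that is not inside one of the expected networks."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    flagged = []
    for _key, servers in parse_o17(text):
        for server in servers:
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                flagged.append(server)  # a non-address value is itself odd
                continue
            if not any(addr in net for net in nets):
                flagged.append(server)
    return flagged


def local_file_dpf_entries(text):
    """Return the CLSIDs of O16 DPF entries whose target is a local file:// path."""
    hits = []
    for line in text.splitlines():
        m = O16_RE.match(line.strip())
        if m and m.group("target").lower().startswith("file://"):
            hits.append(m.group("clsid"))
    return hits


if __name__ == "__main__":
    for server in unexpected_dns_servers(SAMPLE_LOG, EXPECTED_DNS):
        print("O17 resolver outside expected ranges:", server)
    for clsid in local_file_dpf_entries(SAMPLE_LOG):
        print("O16 DPF entry loading a local file:", clsid)
```

Run against a real saved log, the output is only a shortlist for a human to check; as chaslang notes about "missing file" entries, HJT output needs judgement rather than blind fixing, and a resolver outside the allowlist may simply be an ISP address that belongs in EXPECTED_DNS.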
  16. saifloronwatch

    saifloronwatch Private E-2

    Dining room fixed. Last files attached. No obvious problems with this machine.
    Paul
     

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay we just have a few minor tweaks to make on the laptop.

    First uninstall the CounterSpy trial as it is no longer needed and you have AOL Antispyware installed.


    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 9
    Viewpoint Media Player <-- should have been uninstalled in step 0! If it refuses to go away use this: ViewpointKiller

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Now some minor tweaks to improve performance!

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    After clicking Fix, exit HJT.

    If Windows Messenger (the msmsgs.exe file) will not stay gone, use the below to remove it:

    Disable/Remove Windows Messenger


    For all PCs, make sure the below is followed!

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  18. saifloronwatch

    saifloronwatch Private E-2

    All done now. Your help has been very much appreciated. Thanks.

    Can I request a final piece of advice ... Having read through all the forum stuff, I have ended up with the same config on each PC - Zone Alarm firewall, AVG Anti Virus, Spyware Guard, Spyware Blaster and Cyberhawk providing ongoing protection, and the rest (Adaware, CounterSpy, AVG Anti Spy, etc) all disabled but 'on-call' for user initiated scans. I was also contemplating Sandboxie for surfing. Any thoughts??

    Once again, thanks for your help.

    Paul
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall CounterSpy! It is only a 15 day trial that will not work after 15 days anyway. I don't have too much personal experience right now with CyberHawk and Sandboxie but they are getting some good feedback. We do have both available on MGs which means they meet with our approval. You can find them here:

    http://www.majorgeeks.com/Sandboxie_d4993.html
    http://www.majorgeeks.com/Cyberhawk_d5190.html
     