Hijacked browser

Discussion in 'Malware Help (A Specialist Will Reply)' started by Morgan_Andresen, Oct 25, 2012.

  1. Morgan_Andresen

    Morgan_Andresen Private E-2

    Just to be clear, my browser was hijacked like three days ago and I ran a pile of AV products. Now it isn't hijacked, but every time I start my computer ZoneAlarm blocks a suspicious "netbios" something or another which is trying to connect to some IP.

    I went through the read and run me first thread and a couple of the scans picked some things up, I followed your instructions and ignored them. I will post all the logs.

    I have already posted about my problem on this other site, but it's been three days now and they said I should be getting help within two, so I'm starting another one here.

    The post is kind of confusing, because the problem was VERY confusing. I figured it out though. It turns out that on the exact same day that my browser got hijacked and I got infected with malware, two of my gaming sites and their clients weren't able to connect because the server they ran on, Amazon's, crashed. Pretty terrible luck to get hijacked and have it complicated by Amazon's server crashing for only one day, the same day.

    Anyway here is the link:

    http://forums.techguy.org/virus-other-malware-removal/1073735-browser-connection-hijacked.html

    Okay, I don't see the attachments but I attached all 5 logs. If there is any confusion about Mglogs, I accidentally ran a second scan while trying to find the logs, then I quit it.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    I'm looking at your logs now. While waiting, please run Hitman Pro again and select the below to be removed.
    Code:
       C:\Users\Morgan\AppData\Roaming\Mozilla\Firefox\Profiles\piepb0uv.default\searchplugins\Funmoods.xml (Funmoods)
       HKU\S-1-5-21-1362111985-3589688804-2743915631-1000\Software\Softonic\ (Softonic)
    
    Then run the below.

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note that JRT will reset your home page to a google default so you will need to restore your home page setting.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Also please provide the exact word for word details on what you are referring to with Zonealarm. Do not paraphrase.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you knowingly install the below so that new tabs open with localstrike.net and did you add this search engine?
    Uninstall the below very old versions of software:
    Java(TM) 6 Update 33

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    ¤¤¤ Particular Files / Folders: ¤¤¤
    [Faked.Drv][FAKED] nwlnknb.sys : c:\winnt\system32\drivers\nwlnknb.sys --> CANNOT FIX

    R3 - URLSearchHook: (no name) - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - (no file)

    After clicking Fix, exit HJT.

    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
    
    :Services
    avast! Antivirus
    avast! Mail Scanner
    avast! Web Scanner
     
    :Files
    C:\ProgramData\zofowoda\zofowoda.dll
    C:\Users\new user\AppData\Local\micwmod.dll
    C:\Users\new user\AppData\Local\Temp\aez5vk.exe
    C:\Users\new user\AppData\Local\Temp\lsass.exe
    c:\PROGRA~3\jefotumo\jefotumo.dll
    C:\ProgramData\zofowoda
    c:\PROGRA~3\jefotumo
    
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  4. Morgan_Andresen

    Morgan_Andresen Private E-2

    "Did you knowingly install the below so that new tabs open with localstrike.net and did you add this search engine?"

    No.

    "Also please provide the exact word for word details on what you are referring to with Zonealarm. Do not paraphrase. "

    It flashes pretty quick, I barely have time to read it, but I'll quote the ZoneAlarm logs:

    "Alert Events"

    All of them have two checks, for alert and log:

    Blocked NetBIOS broadcasts

    Blocked outgoing NetBios name requests

    Blocked packets for recent connections

    Blocked non-SYN TCP connections

    Blocked routed packets

    Blocked loopback packets

    Blocked non-IP packets

    Blocked fragmented IP packets

    Other blocked IP packets

    MailSafe violations

    Lock violations


    There is also a "Log Viewer" tab, but typing all that's there out is going to be a real pain, so I'll do it if necessary but I'd like to avoid it.

    It basically lists 4 outgoing and 8 incoming blocked actions from 3 source IPs:

    192.168.0.14/15/16 through 9 ports with a variety of destination IPs and 3 ports: 80, 0, 3702, 138 and 137.

    There were 4 protocols attached to these various blocked actions: TCP (flags: AR), a blank space for one, UDP and IGMP (type: 34).

    I just finished the Hitman pro deleting of the funmoods thing and I'm about to follow the rest of the steps.
     
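    The blocked-event list and Log Viewer summary above mix ordinary LAN chatter (NetBIOS name and datagram broadcasts on 137/138, WS-Discovery on 3702, IGMP membership reports) with the occasional entry that deserves a closer look. The Python script below is an added example, not part of this thread and not ZoneAlarm's own code: it parses firewall log lines in a constructed ZoneAlarm-like CSV layout (direction, date, time, source, destination, protocol with flags or type in parentheses), classifies each blocked event, and separates local discovery noise from outbound connection attempts to non-local hosts, which are the ones worth tying back to a process. Every address, port and the log layout itself are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample, loosely modelled on a personal-firewall text log:
# direction, date, time, source, destination, protocol (flags/type in parentheses).
# Addresses, ports and timestamps are made up for this example.
SAMPLE_LOG = """\
FWIN,2012/10/26,08:01:12 -5:00 GMT,192.168.0.15:137,192.168.0.255:137,UDP
FWIN,2012/10/26,08:01:13 -5:00 GMT,192.168.0.16:138,192.168.0.255:138,UDP
FWOUT,2012/10/26,08:01:20 -5:00 GMT,192.168.0.14:49201,239.255.255.250:3702,UDP
FWIN,2012/10/26,08:02:05 -5:00 GMT,192.168.0.1,224.0.0.1,IGMP (type:34)
FWIN,2012/10/26,08:03:44 -5:00 GMT,203.0.113.7:80,192.168.0.14:51234,TCP (flags:AR)
FWOUT,2012/10/26,08:05:00 -5:00 GMT,192.168.0.14:51400,198.51.100.9:6667,TCP (flags:S)
"""

NETBIOS_PORTS = {137, 138, 139}  # NetBIOS name, datagram and session services
WS_DISCOVERY_PORT = 3702         # Windows network discovery, multicast to 239.255.255.250

# Ranges that never leave the local network; blocked traffic inside them is almost always LAN chatter.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16", "127.0.0.0/8",                   # link-local, loopback
    "224.0.0.0/4", "255.255.255.255/32",               # multicast, limited broadcast
)]


@dataclass
class Event:
    direction: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    proto: str
    detail: str          # e.g. "flags:AR" or "type:34"
    category: str = ""


def _endpoint(text):
    """Split an IPv4 'ip:port' field; a bare address (IGMP rows) has no colon and gets port None."""
    if text.count(":") == 1:
        ip, port = text.split(":")
        if port.isdigit():
            return ip, int(port)
    return text, None


def _local_scope(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_line(line):
    parts = [p.strip() for p in line.split(",")]
    if len(parts) < 6:
        return None
    direction, _date, _time, src, dst, proto_field = parts[:6]
    proto, _, detail = proto_field.partition(" ")
    src_ip, src_port = _endpoint(src)
    dst_ip, dst_port = _endpoint(dst)
    return Event(direction.upper(), src_ip, src_port, dst_ip, dst_port,
                 proto.upper(), detail.strip("()"))


def classify(ev):
    """Label one blocked event; only 'review-*' labels need a human to look at the owning process."""
    lan_only = _local_scope(ev.src_ip) and _local_scope(ev.dst_ip)
    if ev.proto == "IGMP":
        return "multicast-membership"
    if ev.proto == "UDP" and lan_only and ev.dst_port in NETBIOS_PORTS:
        return "netbios-lan-chatter"
    if ev.proto == "UDP" and lan_only and ev.dst_port == WS_DISCOVERY_PORT:
        return "ws-discovery"
    if ev.proto == "TCP":
        flags = ev.detail.replace("flags:", "")
        if "R" in flags and "S" not in flags:
            return "stray-tcp-reset"          # late RST/ACK for a connection already closed
        if ev.direction == "FWOUT" and "S" in flags and not _local_scope(ev.dst_ip):
            return "review-outbound-connection"  # this host tried to open a session to a non-local address
    return "other"


def triage(log_text):
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            ev.category = classify(ev)
            events.append(ev)
    return events


def summarize(events):
    counts = {}
    for ev in events:
        counts[ev.category] = counts.get(ev.category, 0) + 1
    return counts


def needs_attention(events):
    return [ev for ev in events if ev.category.startswith("review")]


if __name__ == "__main__":
    evs = triage(SAMPLE_LOG)
    for ev in evs:
        print(f"{ev.direction:5} {ev.src_ip}:{ev.src_port} -> {ev.dst_ip}:{ev.dst_port} {ev.proto:4} {ev.category}")
    print(summarize(evs))
```

    The four low-interest categories cover everything the Log Viewer summary above describes (137/138 broadcasts from 192.168.0.x, 3702, IGMP, and TCP with AR flags); the one entry left in the review bucket is an outbound SYN from the machine to a non-local address, which is the kind of event to match against a process listing rather than ignore.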
  5. Morgan_Andresen

    Morgan_Andresen Private E-2

    "Did you knowingly install the below so that new tabs open with localstrike.net and did you add this search engine?"

    No.

    I think I already posted a reply with this and quoted bits from my zonealarm logs, hopefully my reply is just waiting to be approved or something and I didn't accidentally close the browser before sending it.

    A weird thing happened when I ran OTM. It ran fine and asked me to restart, so I did. Then after the reboot a permissions window came up asking if I wanted to run OTM; the weird thing is that it came up immediately after or when Windows was supposed to load, there was a black screen behind it with no desktop loaded. I ran it but nothing happened, there was just a black screen for like 5 minutes. I can tell by my noisy computer that it was running, although not really chugging or anything. After those 5 minutes or so I just shut down the power and turned it back on. The same permissions thing came up but I closed it and Windows loaded normally.

    It still gave me the log though so I will attach it along with the JRT one.
     

    Attached Files:

  6. Morgan_Andresen

    Morgan_Andresen Private E-2

    I forgot a log file and a couple of things so here they are:

    How's it running? Pretty much the same. I don't have anything actually stopping me from using my computer in any way, but I'm still getting random connections being blocked by ZoneAlarm, the most recent was:

    "packet sent from "random IP" Blocked "NetBIOS Datagram""

    Also, I couldn't find this:

    [Faked.Drv][FAKED] nwlnknb.sys : c:\winnt\system32\drivers\nwlnknb.sys --> CANNOT FIX

    when I did the HJT scan, but I found and deleted the other FunMoods one.

    Sorry for so many replies, and thank you for being so quick with a response.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then we will remove them.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://find.localstrike.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://find.localstrike.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://find.localstrike.net/

    After clicking Fix, exit HJT.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Quite typical. Part of the reason you install a firewall. I suggest you turn off the alerts if it bothers you. Everyone running a firewall will see dozens of things being blocked. There are many ports being blocked by default. If you uninstall Steam, BitComet, and DivX, you may see less of them.


    I do however want to run another program, because I was trying to clean up leftovers from Avast but OTM was not able to do so. So please download and save a copy of combofix.exe and save it directly onto your Desktop folder.

    Then right click on it and select Run As Administrator. Do not disturb it by clicking in the window that opens or it may stall.

    After it finishes, it may reboot your PC. Attach the C:\combofix.txt log that it creates.
    If after running Combofix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
     
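    The three R1 lines above are Internet Explorer's default page and search URLs redirected to find.localstrike.net, which is exactly what a browser hijack changes and what HijackThis resets when you click Fix. As an added example (not from this thread, from HijackThis, or from the poster), the Python script below audits those registry values against an allowlist of expected hosts and emits the .reg text that would reset the flagged ones, so the change can be read before it is merged the way the fixme.reg step describes. The allowlist, the sample values and the `_key` helper are assumptions constructed for this example; on Windows the script reads the live values through `winreg`, elsewhere it falls back to the constructed sample.

```python
import sys
from urllib.parse import urlparse

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
IE_MAIN_PATH = r"Software\Microsoft\Internet Explorer\Main"
# Value names HijackThis reports as R0/R1 entries.
IE_MAIN_VALUES = ("Start Page", "Default_Page_URL", "Default_Search_URL", "Search Page")

# Hosts this user expects in those values. Constructed allowlist; replace with your own defaults.
EXPECTED_HOSTS = {"www.google.com", "go.microsoft.com", "www.bing.com", "www.msn.com"}


def _key(hive, name):
    """Hypothetical helper: build the 'HIVE\\path\\value' key strings used throughout this example."""
    return f"{hive}\\{IE_MAIN_PATH}\\{name}"


# Constructed sample: the three R1 values quoted in the thread plus one untouched Start Page.
SAMPLE_SETTINGS = {
    _key("HKLM", "Default_Page_URL"): "http://find.localstrike.net/",
    _key("HKLM", "Default_Search_URL"): "http://find.localstrike.net/",
    _key("HKLM", "Search Page"): "http://find.localstrike.net/",
    _key("HKCU", "Start Page"): "http://go.microsoft.com/fwlink/?LinkId=69157",
}


def host_of(url):
    """Lower-cased hostname of a URL value; '' when the value has no host at all."""
    text = url if "://" in url else "http://" + url
    return (urlparse(text).hostname or "").lower()


def audit(settings, expected_hosts=EXPECTED_HOSTS):
    """Return (key, value, reason) for every IE default URL whose host is not on the allowlist."""
    findings = []
    for key, value in settings.items():
        if not isinstance(value, str) or not value.strip():
            continue
        host = host_of(value)
        if not host:
            findings.append((key, value, "value is not a URL"))
        elif host not in expected_hosts:
            findings.append((key, value, f"unexpected host {host}"))
    return findings


def reg_fix(findings, replacement_url):
    """Build Registry Editor 5.00 text that resets each flagged value to replacement_url."""
    escaped = replacement_url.replace("\\", "\\\\").replace('"', '\\"')  # .reg string escaping
    by_key = {}
    for key, _value, _reason in findings:
        path, _, name = key.rpartition("\\")
        hive, _, rest = path.partition("\\")
        by_key.setdefault(f"[{HIVES[hive]}\\{rest}]", []).append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for full_key, names in by_key.items():
        lines.append(full_key)
        lines.extend(f'"{name}"="{escaped}"' for name in names)
        lines.append("")
    return "\n".join(lines)


def read_live_settings():
    """Read the same values from the live registry (Windows only; returns {} elsewhere)."""
    if sys.platform != "win32":
        return {}
    import winreg
    out = {}
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, IE_MAIN_PATH) as k:
                for name in IE_MAIN_VALUES:
                    try:
                        value, _type = winreg.QueryValueEx(k, name)
                    except FileNotFoundError:
                        continue
                    out[_key(hive_name, name)] = value
        except FileNotFoundError:
            pass
    return out


if __name__ == "__main__":
    settings = read_live_settings() or SAMPLE_SETTINGS
    findings = audit(settings)
    for key, value, reason in findings:
        print(f"{reason}: {key} = {value}")
    if findings:
        print(reg_fix(findings, "http://www.google.com/"))
```

    Run against the sample, it flags the three HKLM values and leaves the Microsoft Start Page alone; the generated .reg groups the flagged names under their hive and key, which is the same shape as any hand-written fixme.reg and easy to compare against the HijackThis lines before merging.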
