Hijacked explorer

Discussion in 'Malware Help (A Specialist Will Reply)' started by ms hedgehog, Dec 8, 2008.

  1. ms hedgehog

    ms hedgehog Private E-2

    Hi, foolishly used a utility disk tonight from a friend with a winrar exp on it. Obviously not trustworthy, as now I get a fake Windows security screen on Explorer telling me to buy their antispyware package instead of my homepage, and if I try to move away from it I get what looks like oriental text.

    Have run the steps suggested and attach logs as required. Hoping someone can help me out, as not much is being found.

    System is Vista running Norton Security.

    Thanks in advance for any advice, lesson learnt.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!


    Download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program.
    I strongly recommend that you stop loading BitTorrent DNA at startup. It is leaving your PC open to the world.

    What is the below that I see installed?
    dj_sf_software_req

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    Now delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Windows\Temp
    C:\Users\Hedgehog PC\AppData\Local\Temp
    Now run CCleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
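    The hosts-file restore above undoes one common way a hijacker redirects or blocks sites. As an added example (not part of this thread or of HostsXpert), the script below parses a Windows hosts file and reports every mapping that is not one of Microsoft's two default `localhost` lines, so a helper can see what was changed before restoring; the sample file content is constructed.

```python
"""Audit a Windows hosts file for entries a hijacker may have added."""
import ipaddress

# The only mappings Microsoft ships in a Vista-era hosts file.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text.
    Handles blank lines, full-line and inline '#' comments, and several
    hostnames on one line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower(), line_no


def suspicious_entries(text):
    """Return (line_no, ip, name, reason) for mappings not in the default file.
    A name pointed at loopback or 0.0.0.0 is a block (e.g. of an AV vendor's
    update site); a name pointed anywhere else is a redirect."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, name, "malformed address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            findings.append((line_no, ip, name, "blocked"))
        else:
            findings.append((line_no, ip, name, "redirected"))
    return findings


# Constructed sample; not taken from the logs in this thread.
SAMPLE_HOSTS = """# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 update.example-av.test   # blocks an updater
198.51.100.7 www.google.com www.bing.com  # redirects search
"""

if __name__ == "__main__":
    for line_no, ip, name, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip} -> {name}: {why}")
```

    On a real machine, read the text from `C:\Windows\System32\drivers\etc\hosts` and pass it to `suspicious_entries`; a clean file returns an empty list.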
     
  3. ms hedgehog

    ms hedgehog Private E-2

    A sincere thanks - I think I'm in the clear. I will be a lot less trusting of random software from friends now. I attach logs as requested for the final checkover. Thank you again.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The last MGlogs.zip file you attached is not a valid ZIP file. Did you try to make this ZIP file yourself? If so, you should not be doing that, as the program makes its own ZIP file. Delete the current C:\MGlogs.zip file and then run the C:\MGtools\GetLogs.bat program again and allow it to finish running. Attach the C:\MGlogs.zip file that it creates when it is finished.
     
