Hijacked!

Discussion in 'Malware Help (A Specialist Will Reply)' started by craigcomputer, Dec 15, 2007.

  1. craigcomputer

    craigcomputer Private E-2

    Hi. I was working on this HP desktop, and when I went to update MS Office 2003, the browser crashed. When I manually brought up Windows Update, IE7 crashed again! I knew it was malware, so I began the MG Read & Run Me First.
    I accidentally ran MGtools from the desktop before even running CCleaner, but I ran it again later at the appropriate time (from the root of the drive).
    Combofix ran normally.
    SSD installed and updated normally... but during the scan, AOL Spyware Protection popped up saying it found three baddies: Mirar, ISTBar (Trojan) and Bifrost (Backdoor). I selected Allow in ASP for those instances, thinking that any other selection might interfere with SSD or the later scanners. The SSD scan completed, but did not find those three, only AntivirusDisableNotify. I re-ran the scan, with the same result, only AntivirusDisableNotify.
    AVG Anti-Spyware installed, updated and scanned normally. It found and quarantined Hijacker.Small; the file was C:\Windows\browser.exe. I had selected it to automatically generate a report after every scan, and unchecked "Only if threats are found," but it still did not generate a report.

    Here are the logs.
    After running MGtools as the final step in your process, I entered AOL Spyware Protection again, told it not to allow Mirar, ISTBar, or Bifrost anymore, scanned again, and removed those three.
    Also, I ran the Norton tool for removing ISTBar. It left a log indicating that it deleted a registry key for a toolbar. I can provide the path of what ASP deleted, or the Norton tool log, as requested (or my AVG Anti-Spyware quarantine file, for that matter).

    Finally, Office Update and Windows Update still crash.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs do not show any signs of malware. They only show two things not done while running the READ ME.

    1) You are running Spybot's Teatimer
    2) You did not uninstall Viewpoint Media Player


    Since you also need a Java update, do the below.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0
    Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment
     
  3. craigcomputer

    craigcomputer Private E-2

    OK, a couple things may clear it all up
    1) Spybot's Teatimer acted up. During installation, I unchecked the box to use Teatimer. At the next restart, it came up anyway. I entered advanced mode and unchecked the box, since that has always disabled it in the past. At the next restart, though, it came right back again! The only recourse was to kill the startup item, which I did using CCleaner.
    2) I ran Viewpoint's uninstaller, but since I left AOL installed (I have to at the moment), it came right back.

    Ok, I uninstalled the old Java, restarted, and installed the latest.

    On the updates issue, I realize what may have happened. Before I noticed malware-like symptoms (manual updates crashing), the computer ran automatic updates to Windows, including IE7. I know that the recommendation is not to try updating when malware is present. So maybe what I need to do is roll back the updates, then try reinstalling?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may want to try uninstalling Spybot and then rebooting. Then, after the reboot, reinstall it and again make sure that the Teatimer option is unchecked.

    Try running this: ViewpointKiller


    Since I don't really see any malware issues, I'm not sure what real malware problems you had to begin with. Sometimes what scanners report are not major issues. You could try rolling back and see what happens. Right now it does not look like an issue for the Malware Forum.
     
  5. craigcomputer

    craigcomputer Private E-2

    Thanks for the tips and tools.

    I believe you didn't see any malware issues because AOL Spyware Protection quarantined Mirar, ISTBar (Trojan) and Bifrost (Backdoor), all before I ran MGtools (nothing I could do about that). Also, AVG Anti-Spyware quarantined the Hijacker.Small.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Perhaps! But I still doubt your update issues were due to malware. AOL AS does not find and remove anything of real significance that could be an issue for updates.
     
  7. craigcomputer

    craigcomputer Private E-2

    Well thank you sincerely for your help. It is clean and running well now.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. You should do the below now.


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note: The space between the X and the /U, it must be there.
    3. If we used SDFix, you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work thru the below link:
     

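As an added example that is not part of the thread or of the MajorGeeks READ ME, the script below checks the final steps above after you have worked through them: it lists which of the tool leftovers those steps name are still on disk and reports whether UAC is switched back on. It assumes PowerShell 3 or later, that ComboFix, RenV.exe and Fixwareout.exe were placed on the Desktop (the thread only says where ComboFix goes), and that enableUAC.reg sets the standard UAC switch, the EnableLUA value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; the page does not state the contents of that .reg file.

```powershell
# Added example, not from the original thread: a post-cleanup check for the
# final steps above. It lists which of the tool leftovers those steps name are
# still on disk and whether UAC is switched back on.
# Assumptions (not stated by the thread): PowerShell 3 or later; ComboFix,
# RenV.exe and Fixwareout.exe were put on the Desktop; enableUAC.reg sets the
# standard UAC switch EnableLUA=1 under the Policies\System key.

function Get-CleanupLeftovers {
    param(
        [string]$SystemDrive = $env:SystemDrive,
        [string]$Desktop     = [Environment]::GetFolderPath('Desktop')
    )
    # Files and folders the final steps tell the user to delete (steps 2-11).
    $candidates = @(
        (Join-Path $Desktop     'ComboFix.exe'),      # step 2, removed by "combofix /u"
        (Join-Path $SystemDrive 'rapport.txt'),       # step 4, SmitFraudFix log
        (Join-Path $SystemDrive 'VundoFix Backups'),  # step 5
        (Join-Path $SystemDrive 'vundofix.txt'),      # step 5
        (Join-Path $Desktop     'Fixwareout.exe'),    # step 6 (Desktop assumed)
        (Join-Path $SystemDrive 'fixwareout'),        # step 6
        (Join-Path $Desktop     'RenV.exe'),          # step 8 (Desktop assumed)
        (Join-Path $Desktop     'Log.txt'),           # step 8
        (Join-Path $SystemDrive 'MGtools'),           # step 11
        (Join-Path $SystemDrive 'MGtools.exe'),       # step 11
        (Join-Path $SystemDrive 'MGlogs.zip')         # step 11
    )
    # Step 9: any downloaded registry patches (fixme.reg, fixWLK.reg, ...); look on the Desktop.
    $candidates += @(Get-ChildItem -Path $Desktop -Filter '*.reg' -ErrorAction SilentlyContinue |
                     Select-Object -ExpandProperty FullName)

    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path) {
            $kind = if (Test-Path -LiteralPath $path -PathType Container) { 'Folder' } else { 'File' }
            [pscustomobject]@{ Path = $path; Kind = $kind }
        }
    }
}

function Get-UacState {
    # Step 10: EnableLUA is the registry value behind UAC on Vista and later.
    # XP has no UAC, so the value is simply absent there.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $item = Get-ItemProperty -Path $key -Name 'EnableLUA' -ErrorAction SilentlyContinue
    if ($null -eq $item)       { return 'NotPresent (XP, or key missing)' }
    if ($item.EnableLUA -eq 1) { return 'Enabled' }
    return 'Disabled - run C:\MGtools\enableUAC.reg before deleting the folder (step 10 before step 11)'
}

# Report
$left = @(Get-CleanupLeftovers)
if ($left.Count -eq 0) {
    Write-Host 'No cleanup-tool leftovers found.'
} else {
    Write-Host 'Still present - delete per the final steps:'
    $left | Format-Table -AutoSize
}
Write-Host ("UAC: {0}" -f (Get-UacState))
```

Run it from an elevated PowerShell prompt after the reboot in step 12; the registry read under HKLM needs no elevation, but some of the leftover folders at the root of C: may not be removable without it. It only reports and never deletes, so a false hit such as an unrelated Log.txt on the Desktop costs nothing.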