IBM Thinkpad R40 Browser Hijack

Discussion in 'Malware Help (A Specialist Will Reply)' started by mindworks, Feb 27, 2010.

  1. mindworks

    mindworks Private E-2

    I have been fixing a friend's IBM laptop with a bad browser hijack. I have run all of the software based on MajorGeeks' instructions for XP. I made one mistake though, which was turning off System Restore at the start of the process. Attached are my logs.

    It still hijacks from search results, although it won't hijack directly entered sites... some denial of service also.

    Bill
     

    Attached Files:

  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks!

    You did not follow the guide's instructions for the proper download & running directory of ComboFix - nor did you temporarily disable your anti-virus program.
    * Move ComboFix directly to your desktop.

    Please attach the requested MGLogs.zip

    Be patient after posting your logs and wait for one of the helpers to get to you. It can take a while to read through all of the logs and to create individual fixes for you.
    • Also DO NOT BUMP your thread to try and get a faster answer. This will actually significantly delay getting an answer. See this: Don't Bump! It Only Hurts You!!!
    • Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. mindworks

    mindworks Private E-2

    OK, I will attach that after I re-run all the tests again. Had to totally disable AVG as the new version does not have a switch to disable it. It was running constantly in the background so I temporarily uninstalled it. The ComboFix log will be attached as soon as I figure out how to attach... now where is the link?

    Ahaa, Advanced does the trick... Once I redo the steps I will repost the logs again.


    Bill
     

    Attached Files:

  4. mindworks

    mindworks Private E-2

    OK, following Dr. Moriarty's notation on incorrect following of the steps, I went back and checked and re-performed all the steps, including a temporary uninstall of AVG 9.0. Step by step, logs attached. Thought I had it beat; the first search inside the Google search box produced no interference, however, the evil redirect started again. This originally was an "Internet Security 2010" install problem and efforts seem to have fallen flat.

    Logs attached, help!!!! Next message for SAS log.
     

    Attached Files:

  5. mindworks

    mindworks Private E-2

    Here is my SAS log. The browser redirects to various financial and similar sites... the last was a search of Wikipedia which had me end up offered a chance to download an anti-malware program.

    Bill
     

    Attached Files: SAS.log (465 bytes)
  6. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    The below fixes and advice are specific to this member's problem and should be used for issue(s) on this machine only.

    Hello, mindworks - please do not install any other software while we are still working with you unless instructed. Once we have given you the all clean and final instructions you will be free to install what you want.

    Is your download (but NOT installed) version of Spyware Doctor.exe that you have here - C:\Program Files the "purchased" software version or just a useless trial that won't fix what it finds anyway? If just a trial, you may as well delete it.

    *These files do not belong in C:\Program Files or any subfolder within it. Downloads should not be saved here.

    Comment: For Windows XP, you need to upgrade your installed RAM memory to at least 1GB for better performance.
    I strongly recommend that you clean up this account's Desktop immediately, leaving only links [ C:\Documents and Settings\MCE\Desktop ]. Do not store downloads, exe files, iso files... etc. on your Desktop. First, it is not a safe place to keep them (i.e., you may lose them due to malware, and a cluttered Desktop is an easy hiding place for malware), and last but not least - it can have an effect on your PC's performance.


    Step 1:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Step 2:
    Now we need to use ComboFix.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Make sure you have shut down all protection software (antivirus, antispyware, firewall...etc) programs so they do not interfere with the running of ComboFix. *Remember to re-start them before coming back online.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
      If it asks you to override the previous file with the same name, click YES.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:
    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    Step 3:
    Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

    Step 4:
    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).

    Please attach the C:\MGlogs.zip file to your next reply.

    * Make sure you tell me if you had any problems running this procedure and give a description of how things are working now!

    dr.m
     
  7. mindworks

    mindworks Private E-2

    Dr. Moriarty,

    Thanks for the reply. I attach the logs. No restart yet but browser hijack still in play. A search in the browser search toolbar on bing produced results that were accurate, however on selecting and clicking on one of the results, I was redirected to the fanciest of sites for domain names and other unsolicited info. A click on majorgeeks as a result produced similar forays into cyberspace. Should I power off after all of this besides the automatic off by combofix?

    One point to note after I dropped the text document onto combofix, it automatically started running. I then allowed it to update per your instructions and also allowed it to restart as noted.

    Logs attached

    Step by step responses to your inquiries below.




    Hello, mindworks - please do not install any other software while we are still working with you unless instructed. Once we have given you the all clean and final instructions you will be free to install what you want.

    **OK, I went a little crazy after the original fixes didn't work. I will leave it alone.**

    Is your download (but NOT installed) version of Spyware Doctor.exe that you have here - C:\Program Files the "purchased" software version or just a useless trial that won't fix what it finds anyway? If just a trial, you may as well delete it.

    **It was a trial and was deleted.**

    These files do not belong in C:\Program Files or any subfolder within it. Downloads should not be saved here.


    Quote:


    avg_fr~1.exe Feb 24 2010 80328144 "avg_free_stf_en_90_730a1834.exe"
    bhblas~1.exe Feb 26 2010 402564 "bhblastersetup.exe"
    bhr450~1.exe Feb 27 2010 3139687 "bhr4.5.0.471.exe"
    ccsetu~1.exe Feb 28 2010 1154064 "ccsetup229_slim.exe"
    hjtins~1.exe Feb 26 2010 812344 "HJTInstall.exe"
    javase~1.exe Feb 26 2010 923936 "JavaSetup6u18.exe"
    pcd5se~1.exe Feb 27 2010 40905192 "pcd5setup_4329.exe"

    *These were deleted*

    Comment: For Windows XP, you need to upgrade your installed RAM memory to at least 1GB for better performance. I will suggest that to the owner for improved performance.

    Quote:
    Total Physical Memory -------- 768.00 MB
    Available Physical Memory --- 365.35 MB

    I strongly recommend that you clean up this account's Desktop immediately, leaving only links [ C:\Documents and Settings\MCE\Desktop ]. Do not store downloads, exe files, iso files... etc. on your Desktop. First, it is not a safe place to keep them (i.e., you may lose them due to malware, and a cluttered Desktop is an easy hiding place for malware), and last but not least - it can have an effect on your PC's performance.

    *All of these will be removed and cleaned up after I fix the HJ.*

    Step 1:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    *Ran the program.*

    Quote:
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)

    *Looked for these and couldn't find them; wonder if they might have been a casualty of my craziness after the first post's instructions failed, or possibly I deleted them and then, wondering if I did it right, went back, checked again and they were not there. Sorry for the confusion.*

    After clicking Fix, exit HJT.

    Step 2:
    Now we need to use ComboFix.
    Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!

    *It is on the desktop.*

    If it is not on your Desktop, the below will not work.
    Make sure you have shut down all protection software (antivirus, antispyware, firewall...etc) programs so they do not interfere with the running of ComboFix. *Remember to re-start them before coming back online.

    *Had to uninstall avg...can find no disable button.*

    If ComboFix tells you it needs to update to a new version, make sure you allow it to update.

    *It did update*

    Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Quote:
    KILLALL::

    Driver::
    PLSRemoteSvc

    File::
    c:\windows\system32\emp101.exe
    C:\WINDOWS\SYSTEM32\PLSRemote.exe

    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

    *Created notepad doc and dropped onto combofix.exe and it automatically started upon doing so*

    Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    At this point, you MUST EXIT ALL BROWSERS NOW before continuing!

    *All browsers were closed*

    You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.

    *It did not ask*

    Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    Follow the prompts.
    When it finishes, a log will be produced named c:\combofix.txt
    I will ask for this log below

    *Log attached, it did state that one file it was looking for could not be found?*

    Note:
    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Step 3:
    Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

    *ran it*

    Step 4:
    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).

    Please attach the C:\MGlogs.zip file to your next reply.
    Log attached.

    * Make sure you tell me if you had any problems running this procedure and give a description of how things are working now!

    seems possibly to have morphed again?


    mindworks - Bill
     

    Attached Files:
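As an added illustration (not from the thread, nor from the HijackThis or ComboFix tools themselves): a small Python script that parses HijackThis O2/O23 lines like the two quoted above, flags the entries whose backing file is gone, and lays them out in the CFScript sections dr.moriarty used (KILLALL::, Driver::, File::, Registry::). The sample log and its two healthy "Example" entries are constructed; the emp101.exe entry in the thread's script came from other logs, so it is not reproduced here.

```python
import re

# Constructed sample log: the two HijackThis lines quoted in the thread plus two
# healthy entries (the "Example" ones are made up here for contrast).
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
O23 - Service: Example Updater (ExampleSvc) - Example Corp - C:\Program Files\Example\updater.exe
"""

# O2 lines: "O2 - BHO: <name> - {CLSID} - <path or (no file)>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# O23 lines: "O23 - Service: <display> (<service>) - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<svc>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")

# Registry key under which IE registers Browser Helper Objects (as in the thread's script)
BHO_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


def find_orphans(log_text):
    """Return O2 BHOs with no backing file and O23 services whose binary is missing.

    Such entries do nothing by themselves, but they are the classic leftovers of a
    half-removed infection, which is why they end up on the HJT fix list."""
    orphans = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            if m["path"].strip() == "(no file)":
                orphans.append({"type": "bho", "clsid": m["clsid"], "name": m["name"]})
            continue
        m = O23_RE.match(line.strip())
        if m and m["path"].rstrip().endswith("(file missing)"):
            path = m["path"].replace("(file missing)", "").strip()
            orphans.append({"type": "service", "svc": m["svc"], "path": path})
    return orphans


def build_cfscript(orphans):
    """Render the orphan list in the CFScript section layout used in the thread:
    KILLALL::, Driver:: (service names), File:: (binaries), Registry:: (keys to drop)."""
    drivers = [o["svc"] for o in orphans if o["type"] == "service"]
    files = [o["path"] for o in orphans if o["type"] == "service"]
    regs = [f"[-{BHO_KEY}\\{o['clsid']}]" for o in orphans if o["type"] == "bho"]
    sections = ["KILLALL::"]
    for header, entries in (("Driver::", drivers), ("File::", files), ("Registry::", regs)):
        if entries:  # empty sections are left out entirely
            sections.append(header + "\n" + "\n".join(entries))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    found = find_orphans(SAMPLE_HJT_LOG)
    for o in found:
        print("orphan:", o)
    print(build_cfscript(found))
```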

  8. mindworks

    mindworks Private E-2

    I realized I may not have uploaded the proper ComboFix log.... here is the one you were asking for, apologies. Thought I was being thorough... c'est la vie.

    Bill
     
  9. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hmmm

    Let's do this -

    Step 1:
    Please update both SUPERAntiSpyware's and Malwarebytes' definitions, and run new "Quick Scans".

    Step 2:
    Next - run this:

    Using ESET's Online Scanner


    Step 3:
    Now -

    Download the latest version of Kaspersky GetSystemInfo (GSI) and save it to your desktop.

    * Close all other applications running on your system.
    * Double click GetSystemInfo.exe to open it.
    * Click the Settings button.
    * Set it to Maximum
    * IMPORTANT! Click Customize - choose Driver / Ports tab and
    * Uncheck Scan Ports.
    * Click Create Report to run it.
    * It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your desktop.

    * Upload the zip folder to the Kaspersky GSI Parser and click the Submit button.

    Copy and paste the URL (link in the address bar) of the GSI Parser report (not the log) in your next reply.


    Please attach the new logs and report link to your next reply:
    • SASlog.txt
    • MBAMlog.txt
    • GSI Parser report link ONLY

    dr.m
     
  10. mindworks

    mindworks Private E-2

    Attached Files:

  11. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    *Please tell me the complete filepath directory of what was detected. (Your other logs are clean).

    dr.m
     
  12. mindworks

    mindworks Private E-2

    All I recall is that there were 9 items found, 1 was in restore folders, at least they were the ones being scanned at the time when the notation showed. It called it a variant of injector ayf trojan. Is there a way that I can generate this list, e.g. running it without fixing the items found?

    Another thing, after I completed all of your tasks on Sunday last week and restarted, I reinstalled AVG to protect prior to going back online. I ran it, maybe I shouldn't have; it also found trojans, many of them, although it got held up in trying to remove or quarantine them. It removed some and wouldn't others. I think it was 32 of 40.

    I then left it alone after trying to empty the virus vault.

    I just re-ran the browser tonight after all of the latest tests, sweeps which I ran last night, it was too late last night. Browser still takes me on a tour of the far reaches of the internet redirecting me from a search for browser hijack from google or bing to other than that selected. Majorgeeks will run directly from the browser window but not when selected from a browser search.

    Bill
     
  13. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, mindworks

    Let's get a fresh set of logs.

    Step 1:
    Go to TDSSKiller and Download TDSSKiller.zip to your Desktop
    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Click Start > Run and copy/paste the following bold command into Run box and hit Enter.
    "%userprofile%\Desktop\TDSSKiller.exe" -v

    • Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    • When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply.

    Step 2:
    • Open SUPERAntiSpyware > click on the "Check for updates" button > once the update is complete - run a new "Quick scan"
    • Now open Malwarebytes > click on the "Update" tab > then the "Check for updates" button > once the update is complete click on the "Scanner" tab > run a new "Quick scan"

    Step 3:
    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).

    Please attach the below logs to your next reply:
    • TDSSKiller.2.1.1 log.txt
    • updated SASLog.txt
    • updated MBAMLog.txt
    • updated MGLogs.zip

    dr.m
     
  14. mindworks

    mindworks Private E-2

    Hi Dr. M.

    Started running the programs and realized I still had AVG in. Ran TDSSKiller and SUPERAntiSpyware last night, then stopped. These two logs will be attached to the next message. These 4 log attachments resulted from runs I just performed after removing AVG again.
     

    Attached Files:

  15. mindworks

    mindworks Private E-2

    Here are the two before removing AVG.

    Thanks for the help..
    Bill
     

    Attached Files:

  16. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, mindworks

    I only see a couple of things to take care of:

    Using Windows Explorer - navigate to and delete:
    • C:\Program Files\Internet Explorer\iexplore(2).exe <--- file
    • C:\Program Files\Spyware Doctor <--- folder

    Delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    Now, open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

    * Make sure you tell me if you had any problems running this procedure; and answer this - "What malware problems are you still experiencing?"

    dr.m
     
  17. mindworks

    mindworks Private E-2

    I followed your steps to a tee and now the browser works exactly as it should; a search for MajorGeeks brings up just that.

    Thanks very much for your patience and your assistance.

    Kindest regards

    Bill
     
  18. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Kewl!

    You're welcome, Bill. It is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:

    Safe surfing!
     
