Problems with Hijacked Browser

Discussion in 'Malware Help (A Specialist Will Reply)' started by fernwilly, Aug 15, 2005.

  1. fernwilly

    fernwilly Private E-2

    I am running Windows XP Home Edition Service Pack 2 (build 2600)
    2.40 gigahertz Intel Pentium 4
    8 kilobyte primary memory cache
    512 kilobyte secondary memory cache

    I have tried ad aware, spybot and instructions on Norton website to try and find what is redirecting my browser. Programs find some problems and I clean them out but I continue to have the problem after being online for a short time. Any help would be greatly appreciated. Here is my Hijackthis log.
    Thanks again!!!


    Edit by chaslang: Unrequested inline log removed
     
    Last edited by a moderator: Aug 16, 2005
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read the announcement and sticky threads. HJT logs should only be posted when requested and then they must be attachments to your message. HJT must also be installed and run properly.

    Is the below default setting valid for you:
    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s


    Please run the steps below.

    - Open Control Panel and select Add/Remove programs and uninstall WeatherBug

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If, after doing ALL of the above, you still have a problem, boot into normal mode and make sure you follow these directions:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. fernwilly

    fernwilly Private E-2

    Hijacked Browser Problem

    Sorry, this is all new to me!
    Have followed all of your instructions in Getting Prepared; Steps to be sure your system is ready to be scanned. I downloaded and updated all 10 tools. I booted in safe mode and followed all 4 steps to scan and clean. I then ran all additional scanners. I rebooted in normal mode and ran all optional scans and removed Microsoft Java and replaced with Sun Java. I had no problem running any of the scans. I am still getting a "page not available" message when I try to browse web pages. I can restart and browse for awhile but it keeps coming back. Can you help me? I will attach my HJT. Thank you!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to attach your HJT log.
     
  5. fernwilly

    fernwilly Private E-2

    Trying one more time! HJT Log.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O2 - BHO: (no name) - {D6FE2742-6BAC-495F-9F0E-256B9DFB4511} - (no file)
    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclips.com/platypus/miniclipGameLoader.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2684de16483edeaf0805/netzip/RdxIE601.cab
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
    O18 - Filter: tœ†5?òJDÆR - {F414A84D-2183-4C65-9EF5-67C98DA9F141} - (no file)
    O18 - Filter: tœ†5?òçEÆR - {F294FB85-5C60-48BC-9069-BC12AC955044} - (no file)
    O18 - Filter: tœ†5?ò‚EÆR - {F1AA1926-EE11-4FDA-9AAB-57BDA8AE3EC6} - (no file)

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
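As an added example (not code from the thread or from HijackThis itself), this Python script triages HijackThis-style lines such as the ones listed above: it flags registrations whose file is missing, start/search pages that point anywhere other than a host the user chose, an HKCU IE policy entry, and downloaded ActiveX controls. The sample lines are a subset of the ones quoted above with a placeholder name for the O18 entry, and the trusted-host set is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis lines quoted in the reply above.
# The O18 display name is a placeholder; the real one was unprintable in the log.
SAMPLE_HJT_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm",
    r"O2 - BHO: (no name) - {D6FE2742-6BAC-495F-9F0E-256B9DFB4511} - (no file)",
    r"O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present",
    r"O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)",
    r"O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab",
    r"O18 - Filter: PLACEHOLDER-NAME - {F414A84D-2183-4C65-9EF5-67C98DA9F141} - (no file)",
]

# Assumed: hosts the user deliberately chose as home/search page (this thread uses www.majorgeeks.com).
TRUSTED_PAGE_HOSTS = {"www.majorgeeks.com"}

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")


def host_of(body):
    """Hostname of the first URL in an entry body, or None."""
    m = URL_RE.search(body)
    return urlparse(m.group(0)).hostname if m else None


def triage_hjt_line(line):
    """Return (code, reason) when an entry deserves a second look, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    # A registration whose target file is gone: a leftover hook, safe to remove.
    if "(no file)" in body or "(file missing)" in body:
        return (code, "dangling entry, registered object has no file on disk")
    # R0/R1 are the IE start/search page values; compare against the user's choice.
    if code in ("R0", "R1") and host_of(body) not in TRUSTED_PAGE_HOSTS:
        return (code, f"start/search page points to unexpected host {host_of(body)}")
    # O6: an IE restriction policy exists under HKCU, which home users rarely set.
    if code == "O6":
        return (code, "IE Control Panel policy restrictions present under HKCU")
    # O16: an ActiveX control downloaded from a site; keep only if the site is recognised.
    if code == "O16":
        return (code, f"downloaded ActiveX control from {host_of(body)}, remove unless recognised")
    return None


def triage_hjt_log(lines):
    """Triage every line of a log; returns the list of (code, reason) pairs flagged."""
    return [r for r in (triage_hjt_line(l) for l in lines) if r]
```

Run `triage_hjt_log(SAMPLE_HJT_LINES)` to see all seven sample entries flagged with their reasons; a start page line pointing at a trusted host returns None.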
     
  7. fernwilly

    fernwilly Private E-2

    Followed all of your instructions but the problem still exists. Will attach new HJT log and the actual error message. Thanks again!
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is not a browser hijack. You are just not connecting.

    What websites does this happen on?
    Does it happen if you connect using an IP address instead of a URL?
    For example:

    www.majorgeeks.com is the URL for Majorgeeks

    67.19.72.100 is the IP address for Majorgeeks
     
  9. fernwilly

    fernwilly Private E-2

    Had to wait until I had the problem again. No, I cannot connect through the URL or the IP address. When I tried the IP I got a message "Internet Explorer could not open the search page". Any ideas? Thanks again!
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What do you mean you had to wait until you had the problem again?

    Are you saying you only have this problem once in awhile?

    Did you Reset Web Settings as in my first message? I did not see www.majorgeeks.com appear as your home page!

    Give the below a run too.


    Download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
     
  11. fernwilly

    fernwilly Private E-2

    Yes, it is not a constant problem but it occurs a few times a day and we have to restart to browse. I did reset my web settings and set majorgeeks.com as my web page, but it reset to verizon again (I have you in my favorites though). Will give HOSTER a try! I'll let you know what happens. Thanks again for all the help you have offered!
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This does not sound like malware. But one thing I would try, to see if it also has the problem, is another browser. We recommend using this anyway.

    Try Mozilla FireFox in place of Internet Explorer and see if the same thing happens.
     
  13. fernwilly

    fernwilly Private E-2

    Downloaded Mozilla Firefox and will continue to use but it is acting the same way. Anything else that could be causing this little irritant? Thank you!
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What kind of connection to the internet do you have (dial-up, cable, DSL, etc)?
    Do you use a router? If so, what kind?

    Who is your ISP?
     
  15. fernwilly

    fernwilly Private E-2

    I have Verizon DSL and use a Westell Wirespeed A90-210015-04
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's a DSL to Ethernet modem. I assume this means you do not use a router.

    Next time it happens, instead of rebooting your PC, try:

    Clicking Start, Run and enter ipconfig /flushdns then click OK

    If no luck, Reset Web Settings!

    If no luck, power cycle your DSL modem.

    If no luck, we may want to try running a trace route or a simple ping of an IP address that you cannot get to at the time to see how far it gets.

    When this happens are all sites non-accessible?
     
  17. fernwilly

    fernwilly Private E-2

    I will try these steps as soon as the problem rears its ugly little head again. No I don't use a router and yes, all pages are non-accessible when this happens. I'll let you know. Thanks!
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Right now this does not sound like a malware problem to me. Sounds more like a potential hardware problem.
     
  19. fernwilly

    fernwilly Private E-2

    Trying to run ipconfig/flushdns gave me the following message: Windows cannot find ipconfig/flushdns. Make sure you typed the name correctly and then try again.

    Resetting web settings did not work but power cycling my modem did. Does this mean I just need a new modem?? Thanks!
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is a space between ipconfig and /flushdns

    But if power cycling your modem worked, I would pursue potential problems with your ISP. Doing that forces your DSL modem to retrain and it has to reassign your PC connection to their DHCP server. Sounds like they have a problem somewhere. Is it possible that it is just the DSL modem? Yes! They do get rather hot.
     
  21. fernwilly

    fernwilly Private E-2

    Have been working with my ISP and they keep telling me that this is spyware because my package is 768 kb and I am getting 704 kbs and that the modem and DSL are working fine on their end. Any other suggestions? Maybe another ISP? Thanks
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Spyware will not impact the DSL modem. If rebooting it resolves the problem, I would suspect that it is something related to your connection setup, like possibly losing your IP address. Go to your command prompt again and type the below command.

    ipconfig /all

    Paste the results back here in a message.
     
  23. fernwilly

    fernwilly Private E-2

    When I run ipconfig /all my dos window pops up blank and then is gone again?
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to open a command prompt window. Click Start, Run and enter cmd and click OK.

    Now enter the command. Right clicking on the top menu bar will give you options you can use to Mark and then Copy (for copying and pasting back here).
     
  25. fernwilly

    fernwilly Private E-2

    Here you go:

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\Mark and Debby>ipconfig /all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : george
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
    Physical Address. . . . . . . . . : 00-07-E9-BB-6B-2C
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 71.111.74.139
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 71.111.74.1
    DHCP Server . . . . . . . . . . . : 71.111.74.1
    DNS Servers . . . . . . . . . . . : 68.238.128.12
    68.238.64.12
    Lease Obtained. . . . . . . . . . : Friday, August 19, 2005 4:07:55 PM
    Lease Expires . . . . . . . . . . : Friday, August 19, 2005 6:07:55 PM

    C:\Documents and Settings\Mark and Debby>
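As an added diagnostic (not part of the thread), this Python script parses the ipconfig /all output pasted above, embedded here as a constructed sample, and pulls out the facts a helper would check first on an intermittently dropping DHCP-assigned DSL link: whether the address is a 169.254 self-assigned one, whether gateway and DHCP server coincide, which DNS servers are in use, and the lease length (two hours in this output).

```python
import re
from datetime import datetime

# Constructed sample: the ipconfig /all output pasted above, trimmed to the
# fields this script reads (the wrapped Description line rejoined).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
Dhcp Enabled. . . . . . . . . . . : Yes
IP Address. . . . . . . . . . . . : 71.111.74.139
Default Gateway . . . . . . . . . : 71.111.74.1
DHCP Server . . . . . . . . . . . : 71.111.74.1
DNS Servers . . . . . . . . . . . : 68.238.128.12
                                    68.238.64.12
Lease Obtained. . . . . . . . . . : Friday, August 19, 2005 4:07:55 PM
Lease Expires . . . . . . . . . . : Friday, August 19, 2005 6:07:55 PM
"""

# "Key . . . : value"; the key is letters/spaces, the dots are padding.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z /-]*?)[ .]*: ?(?P<value>.*)$")
TIME_FMT = "%A, %B %d, %Y %I:%M:%S %p"


def parse_ipconfig(text):
    """Map each field to a list of values; indented continuation lines
    (the second DNS server) are appended to the preceding field."""
    fields, last_key = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group("key").strip()
            fields[last_key] = [m.group("value").strip()]
        elif last_key and line.startswith(" ") and line.strip():
            fields[last_key].append(line.strip())
    return fields


def lease_seconds(fields):
    """DHCP lease length from Lease Obtained / Lease Expires."""
    got = datetime.strptime(fields["Lease Obtained"][0], TIME_FMT)
    exp = datetime.strptime(fields["Lease Expires"][0], TIME_FMT)
    return int((exp - got).total_seconds())


def connectivity_summary(text):
    """The few facts worth checking when a DHCP-assigned DSL link drops."""
    f = parse_ipconfig(text)
    ip = f.get("IP Address", [""])[0]
    return {
        "dhcp": f.get("Dhcp Enabled", [""])[0] == "Yes",
        # 169.254.x.x means Windows self-assigned an address after DHCP failed.
        "apipa": ip.startswith("169.254."),
        "gateway_is_dhcp_server": f.get("Default Gateway") == f.get("DHCP Server"),
        "dns_servers": f.get("DNS Servers", []),
        "lease_hours": lease_seconds(f) / 3600,
    }
```

Paste a fresh ipconfig /all capture taken while the problem is occurring into `connectivity_summary` and compare it with the healthy one above; an "apipa" of True or a missing gateway points at the DHCP exchange with the modem rather than at malware.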
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, next time your problem occurs, try the below commands (from a command prompt window) but wait about 15 seconds in between each one:

    ipconfig /release Loca*

    ipconfig /renew Loca*

    Let me know what happens.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also, in the mean time let's do the below scan.

    Download this trial version of Ewido Security Suite

    • Install ewido security suite
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will have a window come up. One of the buttons on the left is to Update. Click the Update button and then Start the Update. The update will start and a progress bar will show the updates being installed.
    • After it completes the update, click the Scanner button

    Now exit Ewido. Now print the below instructions or save them locally because I want you to have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

    Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

    Open up Ewido and do the following:


    • Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files that are infected. Leave the default selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report


    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    Reboot into normal mode and reconnect to the internet.

    Come back here and post the Ewido Scan Report. And tell me if you are still having any problems.
     
  28. fernwilly

    fernwilly Private E-2

    I will, thanks a bunch!
     
  29. fernwilly

    fernwilly Private E-2

    It says my Ewido scan report is too large to attach? Anything I can do?
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try compressing it into a ZIP file and attach the ZIP.
     
  31. fernwilly

    fernwilly Private E-2

    Here you go, Ewido report. Can I say thank you too many times??
     

    Attached Files:

  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    It only found a load of cookies which are not real problems.
     
  33. fernwilly

    fernwilly Private E-2

    ok, I will run the commands you requested as soon as the problem shows up!
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Also take a look at the LED on your Ethernet card. In fact even look at it right now so you are familiar with how it normally looks. You may have multiple LEDs. One of them should indicate the status of the link. Others may indicate things like the connection speed like 10Mb or 100Mb. Check this later too when the problem occurs to see if there is any change in what the LEDs show.
     
  35. fernwilly

    fernwilly Private E-2

    Odd but it is still working ok. I'll keep you posted!
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Odd but good! Maybe your call to your ISP did more than they revealed???
     
