# Browser hijack

May 17, 2009 at 08:51:46
Specs: Windows XP

 I'm having problems with an aparent hijack of my browser: every half an hour or so a new tab will open, out of the blue, with a simple line saying: "Please visit XXXXX", pointing to an adult site that doesn't even exist. I've tried every anti-spyware, anti-malware and anti-spybot software I could. None is able to detect the culprit for the browser tab hijack... by the way, this happens regardless of the browser, because I've been using Firefox and now Chrome... Please help, this thing is driving me insane.the address opened by the tab is :http://buyclickads.com/stats/?VFJDS...Many thanks,N.

See More: Browser hijack

#1
May 17, 2009 at 12:57:05

 Try to scan your PC with Malware byte. Post your full scan log here. Don't fix anything till your scan log is reviewed here.

Report •

#2
May 17, 2009 at 15:56:34

Report •

#3
May 17, 2009 at 16:06:17

 Neoark, thank you so much for your willingness to help!This is the log I got after an HijackThis scan. Among others, there is a weird iecodec.exe... but I can track down the source for this hijack. Chrome is supposed to be ultra safe against this kind of crap...Once again, thank you so much! Let me know what you find out.N

Report •

Related Solutions

#4
May 17, 2009 at 16:54:32

 Have you scanned your drive with antivirus? If so which one?

Report •

#5
May 17, 2009 at 16:58:01

 Used McAfee, Malwarebytes, Adaware... none of them seems to find the problem...

Report •

#6
May 17, 2009 at 17:01:17

 Can you please post your AVZ log:1) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.2) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.3) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.Note: If you are running Windows vista launch AVZ.exe by right clicking and selecting Run as AdministratorYou should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.begin ExecuteStdScr(3); RebootWindows(true); end. Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Report •

#7
May 18, 2009 at 22:12:30

 Thank you so much for all your help!!!Here's the link:Hope it works!

Report •

#8
May 19, 2009 at 02:44:26

 Check the add-ons you've got in IE and disable unknown BHO's

Report •

#9
May 19, 2009 at 03:39:34

 Run this script in AVZ like before:begin SetAVZGuardStatus(True); SearchRootkit(true, true); DelBHO('{3041d03e-fd4b-44e0-b742-2d9b88305f98}'); DelBHO('{201f27d4-3704-41d6-89c1-aa35e39143ed}'); QuarantineFile('speh.sys',''); QuarantineFile('C:\Program Files\AskBarDis\bar\bin\askBar.dll',''); DeleteFile('C:\Program Files\AskBarDis\bar\bin\askBar.dll'); DeleteFile('speh.sys'); BC_ImportAll; ExecuteSysClean; BC_Activate; RebootWindows(true); end. You computer will restart after it restarts check and see if problem still exists.--------------------------------------------To Private Message me Click Here

Report •

#10
May 19, 2009 at 22:46:41

 Nope... it didn't work! I'm going insane with this. Every half hour or so a new tab or window (if the browser is not opened) will pop out with the stupid message.Please help me...N

Report •

#11
May 20, 2009 at 05:43:33

Report •

#12
May 21, 2009 at 15:10:33

 Once again, thank you so much for all your help!Here is the link for the Combofix log:http://rapidshare.com/files/2357453...

Report •

#13
May 21, 2009 at 15:31:00

 Run this script in AVZ like before your computer will reboot:begin SetAVZGuardStatus(True); SearchRootkit(true, true); QuarantineFile('C:\sccfg.sys',''); DeleteFile('C:\sccfg.sys'); QuarantineFile('c:\windows\system32\drivers\16375948.sys',''); DeleteFile('c:\windows\system32\drivers\16375948.sys'); BC_ImportAll; ExecuteSysClean; ExecuteRepair(14); ExecuteRepair(15); BC_Activate; RebootWindows(true); end. After reboot check and see if you still have the same problem. If you still have problem rerun combofix and post a new log again.--------------------------------------------To Private Message me Click Here

Report •

#14
May 21, 2009 at 18:02:44

 nop... still does the same... the problem remains...

Report •

#15
May 21, 2009 at 18:19:08

 1) Run this script in AVZ:begin CreateQurantineArchive('c:\quarantine.zip'); end. 2) A file called quarantine.zip should be created in C:\. Then please zip up C:\qoobox\quarantine and upload both it and C:\quarantine.zip to a filehost such as http://rapidshare.com/ Then, Private Message me the Download link to the uploaded file. 3) Lastly, uninstall Combofix by: pause Antivirus/Sypware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) > Start > run > type combofix /u > ok.4) Post screen shot of the problem and posts them.--------------------------------------------To Private Message me Click Here

Report •

#16
May 23, 2009 at 16:20:29

 Here is the screen shot you requested. Hope it helps:Many thanks,N

Report •

#17
May 23, 2009 at 16:21:47

 Sorry, broken link.Here is the screen shot:

Report •

#18
May 23, 2009 at 16:27:36

 Does it only happens in one web browser chrome? Have you tried firefox, IE?--------------------------------------------To Private Message me Click Here

Report •

#19
May 23, 2009 at 17:28:42

 Yes, it happens in all of them: Firefox, IE, Chrome... all of them. It will open whatever browser is set as default.

Report •

#20
May 23, 2009 at 17:45:41

 Please follow these steps in order:1) Download and run full scan with SuperAntispyware, fix what it detects: http://www.superantispyware.com/dow...At the end of the scan post the scan log.2) Run this script in AVZ. Your computer will reboot:begin SetAVZPMStatus(True); RebootWindows(true); end. Note: After reboot follow Response Number 6. But make sure you have your default browser open in background and your your browser is hijacked, before you follow response Number 6.--------------------------------------------To Private Message me Click Here

Report •

#21
May 24, 2009 at 12:39:59

 Thanks for the log can you please post Response Number 20 1) log.--------------------------------------------To Private Message me Click Here

Report •

#22
May 24, 2009 at 12:43:25

 Sorry about that...Here is the log:SUPERAntiSpyware Scan Loghttp://www.superantispyware.comGenerated 05/23/2009 at 10:11 PMApplication Version : 4.26.1002Core Rules Database Version : 3908Trace Rules Database Version: 1853Scan type : Complete ScanTotal Scan Time : 00:40:08Memory items scanned : 564Memory threats detected : 0Registry items scanned : 6248Registry threats detected : 0File items scanned : 23350File threats detected : 1Trojan.Unclassified C:\WINDOWS\SYSTEM32\MPFSERVICEFAILURECOUNT.TXTOnce again, thank you so much for all your effort!

Report •

#23
May 24, 2009 at 12:55:00

 Run this script in AVZ your computer will reboot:begin SetAVZGuardStatus(True); SearchRootkit(true, true); DeleteService('catchme'); StopService('catchme'); TerminateProcessByName('c:\windows\system32\iecodec.exe'); QuarantineFile('C:\WINDOWS\system32\iecodec.exe',''); QuarantineFile('C:\DOCUME~1\NGJ\LOCALS~1\Temp\catchme.sys',''); DeleteFile('C:\DOCUME~1\NGJ\LOCALS~1\Temp\catchme.sys'); DeleteFile('C:\WINDOWS\system32\iecodec.exe'); BC_ImportAll; ExecuteSysClean; BC_Activate; RebootWindows(true); end. After reboot Follow these steps:1) Run this script in AVZ:begin CreateQurantineArchive('c:\quarantine2.zip'); end. 2) A file called quarantine2.zip should be created in C:\. Upload both it to a filehost such as http://rapidshare.com/ Then, Private Message me the Download link to the uploaded file. --------------------------------------------To Private Message me Click Here

Report •

#24
May 24, 2009 at 13:58:36

 Thanks for the files. Problem Fixed or still exist?--------------------------------------------To Private Message me Click Here

Report •

#25
May 24, 2009 at 14:26:21

 still soon to tell... the think pops up every hour or so.I will let you know for sure.An once again, thank you so much for all your help and patience! You have been amazing!

Report •

#26
May 24, 2009 at 14:30:59

 Please Check you private message and send me rest of the files.--------------------------------------------To Private Message me Click Here

Report •

#27
May 24, 2009 at 15:44:43

 Problem Solved. No problem. Sorry it took a while as this adware/spyware wasn't detected by any of the antivirus/spyware programs yet.--------------------------------------------To Private Message me Click Here

Report •