
Browser hijack

May 17, 2009 at 08:51:46
Specs: Windows XP

I'm having problems with an apparent hijack of
my browser: every half an hour or so a new tab
will open, out of the blue, with a simple line
saying: "Please visit XXXXX", pointing to an
adult site that doesn't even exist. I've tried
every anti-spyware, anti-malware and anti-
spybot software I could. None is able to detect
the culprit for the browser tab hijack... by the
way, this happens regardless of the browser,
because I've been using Firefox and now
Chrome... Please help, this thing is driving me
insane.

The address opened by the tab is:
http://buyclickads.com/stats/?VFJDS...

Many thanks,
N.




#1
May 17, 2009 at 12:57:05

Try to scan your PC with Malwarebytes. Post your full scan log here. Don't fix anything till your scan log is reviewed here.


#2
May 17, 2009 at 15:56:34

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:30:01 PM, on 5/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
G:\Musica\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\iecodec.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\foobar2000\foobar2000.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie.../www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "G:\Musica\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iBuySoftware] C:\WINDOWS\system32\iecodec.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-73586283-1592454029-725345543-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/Drive...bin/sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1231612122965
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso.../x86/client/muweb_site.cab?1231612707092
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9861489d782c0) (gupdate1c9861489d782c0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SureThing Labelflash service - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe



#3
May 17, 2009 at 16:06:17

Neoark, thank you so much for your willingness to help!
This is the log I got after a HijackThis scan. Among others,
there is a weird iecodec.exe... but I can track down the
source for this hijack. Chrome is supposed to be ultra safe
against this kind of crap...
Once again, thank you so much! Let me know what you find
out.
N
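
The triage done by eye on the HijackThis log in #2, as an added example that is not part of the original thread: it rejoins the forum's hard-wrapped lines, then lists O4 Run autostarts whose image sits directly in system32 and is not in a small baseline, noting whether each is also a running process. The sample log lines and the KNOWN_SYSTEM32 baseline are constructed assumptions.

```python
import re
from ntpath import basename, dirname

# Constructed sample in the shape of the log in #2, hard-wrapped as the forum did.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Diskeeper
Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\iecodec.exe
C:\WINDOWS\system32\ctfmon.exe

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-
aa35e39143ed} - C:\Program
Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iBuySoftware]
C:\WINDOWS\system32\iecodec.exe
O4 - HKCU\..\Run: [ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
"""

ENTRY_START = re.compile(r"^[RFO]\d+ - ")      # "R1 - ", "O4 - ", "O23 - " ...
PROCESS_START = re.compile(r"^[A-Za-z]:\\")     # a new path in "Running processes"
RUN_ENTRY = re.compile(r"^O4 - \S+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Assumed baseline of expected system32 autostart images (constructed, not exhaustive).
KNOWN_SYSTEM32 = {"ctfmon.exe", "rundll32.exe"}

def unwrap(log):
    """Rejoin hard-wrapped lines; returns (running_processes, entries)."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif ENTRY_START.match(line):
            in_procs = False
            entries.append(line)
        elif in_procs and PROCESS_START.match(line):
            processes.append(line)
        else:
            target = processes if in_procs else entries
            if target:
                # Assumption: a wrap falls at a space or right after a hyphen
                # inside a token; mid-token wraps cannot be recovered reliably.
                sep = "" if re.search(r"\S-$", target[-1]) else " "
                target[-1] += sep + line
    return processes, entries

def image_path(cmd):
    """Executable part of a Run command: quoted path, or text up to '.exe'."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)\b', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else cmd

def review_list(log):
    """(value name, image path, currently running?) for autostarts to check by hand."""
    processes, entries = unwrap(log)
    running = {p.lower() for p in processes}
    hits = []
    for entry in entries:
        m = RUN_ENTRY.match(entry)
        if not m:
            continue
        path = image_path(m["cmd"])
        in_system32 = dirname(path).lower().endswith(r"\system32")
        if in_system32 and basename(path).lower() not in KNOWN_SYSTEM32:
            hits.append((m["name"], path, path.lower() in running))
    return hits

if __name__ == "__main__":
    for name, path, is_running in review_list(SAMPLE_LOG):
        print(f"review: [{name}] {path} running={is_running}")
```

A hit is a pointer for manual review (file properties, signer, creation date), not a verdict.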


#4
May 17, 2009 at 16:54:32

Have you scanned your drive with antivirus? If so which one?


#5
May 17, 2009 at 16:58:01

Used McAfee, Malwarebytes, Adaware... none of them seems
to find the problem...


#6
May 17, 2009 at 17:01:17

Can you please post your AVZ log:

1) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

2) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

3) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right-clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.

Paste the script into the execution window by using the CTRL+V keyboard shortcut, or the "paste" option via the right-click menu. Click on Run to run the script; the PC will reboot. After the reboot, the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.


#7
May 18, 2009 at 22:12:30

Thank you so much for all your help!!!
Here's the link:

http://rapidshare.com/files/2346383...
ml

Hope it works!



#8
May 19, 2009 at 02:44:26

Check the add-ons you've got in IE and disable unknown BHOs.


#9
May 19, 2009 at 03:39:34

Run this script in AVZ like before:


begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
 DelBHO('{3041d03e-fd4b-44e0-b742-2d9b88305f98}');
 DelBHO('{201f27d4-3704-41d6-89c1-aa35e39143ed}');
 QuarantineFile('speh.sys','');
 QuarantineFile('C:\Program Files\AskBarDis\bar\bin\askBar.dll','');
 DeleteFile('C:\Program Files\AskBarDis\bar\bin\askBar.dll');
 DeleteFile('speh.sys');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

Your computer will restart. After it restarts, check and see if the problem still exists.


#10
May 19, 2009 at 22:46:41

Nope... it didn't work!
I'm going insane with this. Every half hour or so a new tab or
window (if the browser is not opened) will pop out with the
stupid message.
Please help me...

N



#11
May 20, 2009 at 05:43:33

Attach a Combofix log, please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post or upload it to rapidshare.


#12
May 21, 2009 at 15:10:33

Once again, thank you so much for all your help!

Here is the link for the Combofix log:

http://rapidshare.com/files/2357453...




#13
May 21, 2009 at 15:31:00

Run this script in AVZ like before; your computer will reboot:


begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('C:\sccfg.sys','');
DeleteFile('C:\sccfg.sys');
QuarantineFile('c:\windows\system32\drivers\16375948.sys','');
DeleteFile('c:\windows\system32\drivers\16375948.sys');
BC_ImportAll;
ExecuteSysClean;
ExecuteRepair(14);
ExecuteRepair(15);
BC_Activate;
RebootWindows(true);
end.

After reboot, check and see if you still have the same problem. If you still have the problem, rerun Combofix and post a new log again.


#14
May 21, 2009 at 18:02:44

nop... still does the same... the problem remains...


#15
May 21, 2009 at 18:19:08

1) Run this script in AVZ:


begin
CreateQurantineArchive('c:\quarantine.zip');
end.

2) A file called quarantine.zip should be created in C:\. Then please zip up C:\qoobox\quarantine and upload both it and C:\quarantine.zip to a filehost such as http://rapidshare.com/ Then, Private Message me the Download link to the uploaded file.

3) Lastly, uninstall Combofix by: pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) > Start > run > type combofix /u > ok.

4) Post screenshots of the problem.


#16
May 23, 2009 at 16:20:29

Here is the screen shot you requested. Hope it helps:

http://img40.imageshack.us/img40/39...
g


Many thanks,
N



#17
May 23, 2009 at 16:21:47

Sorry, broken link.
Here is the screen shot:

http://yfrog.com/14screenshot001zqbj



#18
May 23, 2009 at 16:27:36

Does it only happen in one web browser, Chrome? Have you tried Firefox, IE?


#19
May 23, 2009 at 17:28:42

Yes, it happens in all of them: Firefox, IE, Chrome... all of
them. It will open whatever browser is set as default.


#20
May 23, 2009 at 17:45:41

Please follow these steps in order:

1) Download and run full scan with SuperAntispyware, fix what it detects: http://www.superantispyware.com/dow...

At the end of the scan post the scan log.

2) Run this script in AVZ. Your computer will reboot:

begin
SetAVZPMStatus(True);
RebootWindows(true);
end.

Note: After reboot, follow Response Number 6. But make sure you have your default browser open in the background and your browser is hijacked before you follow Response Number 6.


#21
May 24, 2009 at 12:39:59

Thanks for the log. Can you please post the Response Number 20 1) log?


#22
May 24, 2009 at 12:43:25

Sorry about that...
Here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/23/2009 at 10:11 PM

Application Version : 4.26.1002

Core Rules Database Version : 3908
Trace Rules Database Version: 1853

Scan type : Complete Scan
Total Scan Time : 00:40:08

Memory items scanned : 564
Memory threats detected : 0
Registry items scanned : 6248
Registry threats detected : 0
File items scanned : 23350
File threats detected : 1

Trojan.Unclassified
C:\WINDOWS\SYSTEM32\MPFSERVICEFAILURECOUNT.TXT


Once again, thank you so much for all your effort!



#23
May 24, 2009 at 12:55:00

Run this script in AVZ; your computer will reboot:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
 DeleteService('catchme');
 StopService('catchme');
 TerminateProcessByName('c:\windows\system32\iecodec.exe');
 QuarantineFile('C:\WINDOWS\system32\iecodec.exe','');
 QuarantineFile('C:\DOCUME~1\NGJ\LOCALS~1\Temp\catchme.sys','');
 DeleteFile('C:\DOCUME~1\NGJ\LOCALS~1\Temp\catchme.sys');
 DeleteFile('C:\WINDOWS\system32\iecodec.exe');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

After reboot, follow these steps:

1) Run this script in AVZ:


begin
CreateQurantineArchive('c:\quarantine2.zip');
end.

2) A file called quarantine2.zip should be created in C:\. Upload it to a filehost such as http://rapidshare.com/. Then, Private Message me the Download link to the uploaded file.


#24
May 24, 2009 at 13:58:36

Thanks for the files. Problem fixed, or does it still exist?


#25
May 24, 2009 at 14:26:21

Still soon to tell... the thing pops up every hour or so.
I will let you know for sure.
And once again, thank you so much for all your help and
patience! You have been amazing!


#26
May 24, 2009 at 14:30:59

Please check your private message and send me the rest of the files.


#27
May 24, 2009 at 15:44:43

Problem Solved. No problem. Sorry it took a while as this adware/spyware wasn't detected by any of the antivirus/spyware programs yet.
