Hi there,
Ok this started a few days ago. I'll try to include as much information as I've noticed so far & hopefully someone can help me.
When I search Google for something I'll get my desired list of results. However when clicking on one of those links, most of the time the page will pop up in a new tab - The title will change to 'Redirecting' with www.abcjmp.com/xxx as the host - Then it will redirect to a profile on www.perfspot.com. It mostly redirects to perfspot, but sometimes it sends me to another search engine...either way - just as annoying.
This happens on both IE and firefox.
When I try clicking tools -> options -> before I can change any settings firefox will instantaneously close.
A lot of the time when I go to type in a URL -> same result, firefox closes.
Copying/pasting URLs into the address bar will work, however it seems as though any host with "spyware" or other such terms in the name will automatically bring up "This page cannot be displayed", sometimes with a 3rd party search engine, other times just the default firefox error message.
System Restore -> I've tried this, but it seems to be disabled somehow, I can choose my date where I want to restore to, but when it comes to the final "Next" to click before commencing, clicking the button does nothing.
Prior to this my main firewall has been ZoneAlarm. Since becoming infected I've tried downloading some antivirus programs to help me, Ad-aware is the only one which has installed properly & has been able to run so far.
Super AntiSpyware Professional gives a Microsoft error when I try opening it, asking me if I wish to send them the data. Spybot Search & Destroy doesn't appear to do anything when I load it, as does HijackThis. AVG & TrendMicro return errors while trying to install.
Also, this got onto msn and sent a (probably malicious) link to a few contacts.
Ad-aware was able to find some infected files, those are as follows;
AdvertBar
WhenU.DesktopToolbar
WhenU.SaveNow
Tracking Cookie
MRU Object
I have removed them, but they appear in subsequent scans too so I don't think they're being permanently deleted.
I am running XP Home. If there is any other information you require to solve this then please ask & I will provide.
Any help would be greatly appreciated. Thank you!
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
* Make sure you are connected to the Internet.
* Double-click on mbam-setup.exe to install the application.
* When the installation begins, follow the prompts and do not make any changes to default settings.
* When installation has finished, make sure you leave both of these checked:
o Update Malwarebytes' Anti-Malware
o Launch Malwarebytes' Anti-Malware
* Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
* If an update is found, the program will automatically update itself.
* Press the OK button to close that box and continue.
* If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a USB stick or CD and then copy it to the infected machine.
On the Scanner tab:
* Make sure the "Perform Quick Scan" option is selected.
* Then click on the Scan button.
* If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
* The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
* When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
* Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
* Click on the Show Results button to see a list of any malware that was found.
* Make sure that everything is checked, and click Remove Selected.
* When removal is completed, a log report will open in Notepad.
* The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the contents of that report in your next reply and exit MBAM.
Note:-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process.
Regardless if prompted to restart the computer or not, please do so immediately.
Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
And IF you are not able to download these tools on your machine, please use a friend or family member's computer and download the Malwarebytes tool and its manual update from the link below. Once downloaded, rename the program installer "mbam-setup.exe" file to something else like "Your name.exe", then copy the installer file and the update file to a CD or flash drive. Transfer the file to the problem machine, then install the "Your Name.exe" file, then run the update to get the program current. After that, run a full system scan and delete anything it finds.
Malwarebytes Download Link (Clicking on the links below will immediately start the download dialogue window.)
http://www.besttechie.net/tools/mbam-setup.exe
Malwarebytes Manual Updater link
http://www.malwarebytes.org/mbam/database/mbam-rules.exe
Thank you Marianna for your help.
Unfortunately I was not able to install the software to perform the scan.
I tried all 3 download links you gave me and firefox said "Page cannot be displayed" on all, despite the pages loading on another laptop for me. The malware seems pretty clever in detecting & blocking self threats.
I was able to search for & obtain the software off this website but nothing happens when I try opening the exe file. Even when I have process manager open and double click the file, no new processes appear. I cannot even see the process being opened before it's quickly being killed. I tried installing in safe mode (w/networking) also but it tells me I am not able to open it in safe mode.
Did you download and rename the mbam-setup.exe installer ? Did you ALSO go to the MBAM folder ( C:\Program Files\Malwarebytes' Anti-Malware) and rename the "mbam.exe" file within the folder?
Last but not least, did you then doubleclick on the "renamed mbam.exe" in order to run it?
You also could try:
Click on Start, click Run, and then type devmgmt.msc and click OK
On the View menu click on Show hidden devices
Browse to Non-Plug and Play Drivers and you should see something like TDSSserv.sys
Highlight that driver and right click on it and select DISABLE
Now RESTART your computer.
Download a copy of Malwarebytes but DO NOT run it yet.
Rename the downloaded installer file to any generic name such as your own name but keep the .EXE extension on the file and run it.
Once the program is installed go to the UPDATE tab and try to update the program if you can.
Then go to the SCANNER tab and run a Quick Scan and allow MBAM to fix anything found.
I have my friend's computer next to mine and am attempting to repair the exact same problem, I too have been unable to run Mbam and am in the process of trying to get it working as well. I will follow this same string if that is ok with all... thanks
Thank you so much Marianna, your advice is much appreciated, renaming the .exe file worked. When I installed it the 1st time it would not run, but I renamed it again and installed it again (renaming the installation directories also) and everything worked without a hitch.
It must restart my laptop to delete the files it could not delete just now. I will check back afterwards. Thank you again!
Here is the logfile;
Malwarebytes' Anti-Malware 1.31
Database version: 1497
Windows 5.1.2600 Service Pack 2
12/13/2008 6:04:30 PM
mbam-log-2008-12-13 (18-04-30).txt
Scan type: Quick Scan
Objects scanned: 49281
Time elapsed: 4 minute(s), 43 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\jsdf768wude.dll (Trojan.Vundo) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iCheck (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VnrBlock (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\jsdf768wude.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\TDSScfub.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSnrsr.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSoeqh.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSriqp.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSmaxt.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-72124057-2353350644-3832879046-1006\Dc14\VnrBlock21.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSSc19b.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msvcrt2.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Arthur!\Local Settings\Temp\TDSS78bb.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Arthur!\Local Settings\Temp\TDSS7ca3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSSb9cb.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Arthur!\Local Settings\Temp\TDSS905a.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSfpmp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSStkdv.log (Trojan.TDSS) -> Quarantined and deleted successfully.
And one more for good luck
Thanks a MILLION!!!
Malwarebytes' Anti-Malware 1.31
Database version: 1497
Windows 5.1.2600 Service Pack 2
12/13/2008 6:17:03 PM
mbam-log-2008-12-13 (18-17-03).txt
Scan type: Quick Scan
Objects scanned: 49098
Time elapsed: 5 minute(s), 0 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
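As an added example (not part of any post in this thread), one way to check a pair of MBAM 1.31 logs like the two above: list the objects still marked "Delete on reboot" and flag anything a follow-up scan reports again. The first sample is an excerpt of the log posted above; the follow-up sample and all function names are constructed for illustration.

```python
import re

# Excerpt of the first scan log posted in this thread (MBAM 1.31 format).
FIRST_SCAN = r"""Memory Modules Infected:
C:\WINDOWS\system32\jsdf768wude.dll (Trojan.Vundo) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\jsdf768wude.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSmaxt.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
"""

# Constructed follow-up log: what a removal that did not stick would look like.
CONSTRUCTED_RESCAN = r"""Files Infected:
C:\WINDOWS\system32\jsdf768wude.dll (Trojan.Zlob.H) -> Delete on reboot.
"""

SECTION = re.compile(r"^([A-Za-z ]+ Infected):\s*$")
ENTRY = re.compile(r"^(?P<object>.+) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?\s*$")

def parse_detections(log_text):
    """Return one dict per detection line, tagged with its log section."""
    section, entries = None, []
    for line in log_text.splitlines():
        header = SECTION.match(line)
        if header:
            section = header.group(1)
            continue
        m = ENTRY.match(line)
        if m and section:
            entries.append({"section": section, **m.groupdict()})
    return entries

def pending_reboot(entries):
    """Objects the scanner could not remove live; these need a normal reboot."""
    return sorted({e["object"] for e in entries if e["action"] == "Delete on reboot"})

def reappeared(before, after):
    """Objects reported in both scans, i.e. the removal did not persist."""
    seen = {e["object"].lower() for e in before}
    return sorted({e["object"] for e in after if e["object"].lower() in seen})

if __name__ == "__main__":
    first = parse_detections(FIRST_SCAN)
    print("pending reboot:", pending_reboot(first))
    print("reappeared:", reappeared(first, parse_detections(CONSTRUCTED_RESCAN)))
```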
After following the suggested fix and following the instructions "EXACTLY" the Malwarebytes ran fine and found 17 errors needing repairing, it detected, fixed and got the computer running great, actually it runs better than it has in a long time. I suspect that some of the malware had been present in the background for a long time.
Again, thank you very much for the assistance.
You Are Very Welcome
I would suggest downloading and installing SpywareBlaster:
Why SpywareBlaster?
Spyware, adware, browser hijackers, and dialers are some of the most annoying and pervasive threats on the Internet today. By simply browsing a web page, you could find your computer to be the brand-new host of one of these unwanted fiends!
Download: http://www.javacoolsoftware.com/spywareblaster.html
Happy Holidays !
Thank you so much Marianna, your advice is much appreciated, You have made a suggestion to try/use Spywareblaster. A question, I have used Spybot Search & Destroy with great success, what is your opinion of that software?
John
My personal opinion... after many years using Spybot S&D I have uninstalled it and installed MalwareBytesAntiMalware and I am very happy with it and I am not looking back.
download Malwarebytes' Anti-Malware : Here or Here
hello there !
i have a toshiba a135-s4467 laptop (running vista)
i installed malwarebytes' anti-malware
did a quick scan and found and removed win32.zafi.b
i was so happy to fix my pc
but what do you know. the infection came back
if i run a scan it says that there are no infection or nothing
at the same time the popup keeps appearing saying that i am infected
do you have an idea of what can be wrong
please help thank you
I have cleaned with scans several times and I still get this showing up. Any help would be greatly appreciated.
Thank you
_____________________________________________________________
Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 2
12/29/2008 3:39:02 PM
mbam-log-2008-12-29 (15-39-02).txt
Scan type: Quick Scan
Objects scanned: 61173
Time elapsed: 1 hour(s), 14 minute(s), 40 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
I just saw a log at the MalwareBytes AntiMalware forum with the same infection. Several special tools are needed... so, I would suggest:
download HJT from here:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/qsg
and also a Quick Start Guide.
Post your HJT log at Malwarebytes AntiMalware:
http://www.malwarebytes.org/forums/index.php?s=bb1840995abdc6b1919cac715f744ad2&showforum=7
You will have to register to be able to post.
Good Luck !