Hi, recently I have acquired a browser hijacker
and I am not sure what to do ???
Do you know how to get rid of a browser hijacker???
I have avast!
Yep sure do ;D
Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it. Click the “Scan” button to start the scan.
http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRScan.gif
On completion of the scan click save log, save it to your desktop and post in your next reply
http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRsavelog.gif
THEN
Download OTL to your Desktop
[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U*.* /s
CREATERESTOREPOINT
[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs
With all due respect to essexboy, I’m of the opinion that running aswMBR.exe to address a browser hijacker is inappropriate in this particular case. That executable is designed to remove a TDL4 infection of the Master Boot Record while a browser hijacker merely influences the way your browser behaves, not the actual operating system.
I would recommend you download Firefox 7.0.1 from http://www.mozilla.org/en-US/firefox/fx/ and use that as your browser because it’s very easy to fix a browser hijack. If you’re using it already, do the following.
You can right click the link to google to add in about:config and choose “Copy Link Location” to copy it to the Windows clipboard. Then right click the keyword.URL field and choose “Paste” to paste it in there. Saves you having to type the whole thing.
Browser hijackers tend to get installed when the user installs some free utility or other which includes the hijacker. I’ve uploaded a screenshot for you which illustrates how Ask.com takes over your search sessions if you don’t remove the checkmark before clicking “Next”.
It is an analysis tool first (only if anything is found would a user be told to run any fix), and there are many instances of these hijacks being related to MBR rootkits. It detects more than just TDL4.
So whilst browser hijacks ‘tend to be’ just that, it is only that: tend to be. So it doesn’t hurt to use this as one of a range of analysis tools, and that I believe is what essexboy is doing.
I know one thing for sure, he isn’t going to be running something without purpose. You obviously don’t know essexboy having just arrived at the avast forums. He is also one of the teachers at geekstogo and also a moderator on one of their forums.
@ essex boy…here are the logs
You had a problem running the aswMBR scan (did the avast autosandbox intercept it?).
If so run it again and have the autosandbox allow it to run normally.
Hopefully essexboy will have enough information in the OTL information.
Thanks DavidR
… @ essexboy…here is an updated aswMBR scan.
You’re welcome.
For information, TDL3 and TDL4 infections can and do cause redirects, and Firefox is no safer than IE. In fact IE9 is a lot safer than Firefox in most respects. Other apparent hijackers are ZeroAccess (very nasty), conserv.dll and four or five others that have no specific name.
On completion of this run can you let me know if the redirects have stopped.
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
[2010/03/27 13:32:50 | 000,002,025 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\fcmdSrch.xml
O3 - HKU\S-1-5-21-4224829323-2091496230-1813202943-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-4224829323-2091496230-1813202943-1000\..\Toolbar\WebBrowser: (no name) - {5B291E6C-9A74-4034-971B-A4B007A0B315} - No CLSID value found.
O3 - HKU\S-1-5-21-4224829323-2091496230-1813202943-1000\..\Toolbar\WebBrowser: (no name) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No CLSID value found.
O4 - HKU\S-1-5-21-4224829323-2091496230-1813202943-1000..\Run: [ACBHWSN] C:\Users\Jan\AppData\Roaming\lxbcinpaz.dll ()
O33 - MountPoints2\{af33459d-7952-11df-94a5-001e3366025b}\Shell\AutoRun\command - "" = D:\Startme.exe
[2011/10/14 18:05:22 | 000,092,672 | RHS- | C] () -- C:\Users\Jan\AppData\Roaming\lxbcinpaz.dll
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
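The fix above is essexboy's judgement call on which OTL entries are worth removing: toolbar entries whose CLSID no longer resolves, a Run value that loads a DLL straight out of a user profile, and an AutoRun command registered for a mount point. As an added illustration (my own code, not essexboy's and not part of OTL), the following Python script encodes those same triage rules and runs them over constructed OTL-style lines modelled on the entries quoted in the fix; the avast Run entry is a made-up "clean" control line, and the thresholds are heuristics, not OTL's own logic.

```python
import re

# Constructed sample lines in OTL's O3/O4/O33 log format. The SID, GUIDs and
# lxbcinpaz.dll path come from the fix quoted in this thread; the avastUI.exe
# Run entry is a constructed benign control and not taken from the poster's log.
SAMPLE_OTL_LINES = r'''
O3 - HKU\S-1-5-21-4224829323-2091496230-1813202943-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-4224829323-2091496230-1813202943-1000\..\Toolbar\WebBrowser: (no name) - {5B291E6C-9A74-4034-971B-A4B007A0B315} - No CLSID value found.
O4 - HKU\S-1-5-21-4224829323-2091496230-1813202943-1000..\Run: [ACBHWSN] C:\Users\Jan\AppData\Roaming\lxbcinpaz.dll ()
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O33 - MountPoints2\{af33459d-7952-11df-94a5-001e3366025b}\Shell\AutoRun\command - "" = D:\Startme.exe
'''

# O3: browser toolbar entry  -> "hive: (name) - {CLSID} - detail"
O3_RE = re.compile(r"^O3 - (?P<hive>\S+?): \((?P<name>[^)]*)\) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<detail>.*)$")
# O4: autostart Run value    -> "key: [value] image (company)"
O4_RE = re.compile(r"^O4 - (?P<key>\S+?): \[(?P<value>[^\]]*)\] (?P<image>.+?) \((?P<company>[^)]*)\)$")
# O33: MountPoints2 AutoRun  -> 'MountPoints2\{guid}\Shell\AutoRun\command - "" = image'
O33_RE = re.compile(r'^O33 - MountPoints2\\(?P<guid>\{[^}]+\})\\Shell\\AutoRun\\command - "" = (?P<image>.+)$')

# Directories a legitimate autostart rarely lives in (user-writable, no admin needed).
USER_WRITABLE_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\temp\\")


def triage(lines):
    """Return a list of (entry_type, subject, reason) tuples for suspicious OTL lines."""
    findings = []
    for raw in lines:
        line = raw.rstrip()

        m = O3_RE.match(line)
        if m:
            # A toolbar registered under a CLSID that no longer resolves is either
            # an orphan left by an uninstall or an extension hiding its COM class.
            if "No CLSID value found" in m["detail"]:
                findings.append(("O3", m["clsid"], "toolbar entry whose CLSID does not resolve"))
            continue

        m = O4_RE.match(line)
        if m:
            image = m["image"].lower()
            reasons = []
            if any(marker in image for marker in USER_WRITABLE_MARKERS):
                reasons.append("launched from a user-writable profile directory")
            if image.endswith(".dll"):
                reasons.append("Run value loads a DLL rather than an executable")
            if not m["company"].strip():
                reasons.append("no publisher recorded")
            if reasons:
                findings.append(("O4", m["image"], "; ".join(reasons)))
            continue

        m = O33_RE.match(line)
        if m:
            # AutoRun commands on mount points are the classic removable-media vector.
            findings.append(("O33", m["image"], "AutoRun command registered for mount point " + m["guid"]))
    return findings


def main():
    for entry_type, subject, reason in triage(SAMPLE_OTL_LINES.strip().splitlines()):
        print(f"[{entry_type}] {subject}\n      {reason}")


if __name__ == "__main__":
    main()
```

On the constructed sample this flags the two orphaned toolbars, the lxbcinpaz.dll Run value (three reasons at once) and the D:\Startme.exe AutoRun, and leaves the control avast entry alone; anything it reports is still only a lead for a human to confirm, which is how the thread treats the OTL output as well.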
@essexboy…I ran the fix, but when I did it all the icons on my desktop disappeared (was this supposed to happen? and now there are desktop.ini files???). However, I rebooted and so here is the log of the scan.
That's not a problem nick…
Normally OTL terminates all processes before running a fix, so that's why your desktop icons disappeared…essexboy will be back by the night…
ok, thanks for that reassurance “mmmmm”!
no problem!
Yes, but you don’t know me either. Users with x1000’s posts always assume that someone who has just arrived on a forum is automatically a dummy.
Browser hijacks in general are caused by the user not paying attention when installing what appears to be a ‘free app’ of some kind or another. As I already illustrated in the screenshot I uploaded, users need to be aware of what they’re doing before clicking the “Next” button.
If a TDSS infection is suspected, it’s simple enough to check because that virus installs its own driver and that can be seen in Device Manager under “Non-Plug & Play Drivers” as TDSSserv.sys (unhide hidden devices first).
Not every browser hijack is due to a virus. The most common cause is simply the free app earning commission by redirecting the user to another search engine. Here’s a list of installers which do just that: http://malwarebulletin.com/2011/02/11/calendar-of-updates/installers-hall-of-shame-unwanted-add-on-via-calendar-of-updates/
Hi, what problems are you having at the moment?
I will add a note about losing the desktop to my canned response
I didn’t make that assumption at all and it isn’t an assumption that I make; we all start as a newbie on a forum and we have no idea of what experience they have (so that is an assumption I ‘never’ make based on someone being a newbie); that only becomes apparent after a short time.
At no point did I say that was an assumption I made of you as it was blatantly obvious you do have experience. Though you were happy to discount the unknown experience of essexboy, by ignoring or excluding the point or purpose of the aswMBR scan. So it cuts both ways here.
Which is why we can’t ignore an area where it has happened and we have seen examples of this in the forums.
I’m no malware removal specialist and I’m happy to gain experience from the practical cases within the forums and leave the malware removal to those more experienced than I.
@ essexboy…other than when I ran the fix and the icons disappeared…nothing, my browser is no longer redirecting (fingers crossed) and that's been throughout today, so as far as I can tell you have fixed the problem???
I believe so as this was the cause C:\Users\Jan\AppData\Roaming\lxbcinpaz.dll but it is now safely tucked up in quarantine ;D
Let's run a quick sweep for orphans and if all is OK I will tidy you up and remove my tools.
Please download Malwarebytes’ Anti-Malware
Double Click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
Hiya everyone, I’m new round these parts, downloaded Avast! roughly 2 weeks back now. I’ve been taking a nosy round the forums, and can I say, I’ve never met so many intelligent people with computer know-how. I definitely know where to come if I ever get any computer trouble. You all explain everything really well and make the hard stuff sound easy. Thanx for all this great information!
I think you missed the point here. Using a utility which is designed to remove a TDL4 infection to address an issue such as a browser hijack is likely taking a sledgehammer to crack a nut.
What should have happened here IMHO is that enquiries should have been made as to which search engine the user was being redirected to and then to take it from there. In this particular case, the culprit was a well-known hijacker installed when the user installs a ‘free’ Firefox app called Facemoods, the latter of which allows the user to add smileys to messages. To remove it, go to the Firefox Add-ons menu, highlight the culprit and then click the “Remove” button. That is all that’s necessary to remove it. More details on the Facemoods site @ http://articles.facemoods.com/english/how-to-remove-facemoods/
By the way, you presumably skipped my opening statement where I said “With all due respect to essexboy…” which I would have thought constituted an acknowledgement of his experience. However, everybody, which includes the ‘experts’, should be capable of learning and in future, I would respectfully suggest ascertaining a bit more detail before applying the ‘one size fits all’ solution.