Facebook hijacked my homepage in Firefox, problems after installing Avast.

Hi all,

I would appreciate any help or advice regarding this problem I am experiencing with Avast (program version 6.0.1125).

Around a week ago my PC was infected with the horrid MS Removal Tool virus and the Antimalware Doctor virus. These two viruses hijacked my machine; I was not able to open any files or the web, because I was bombarded with several threatening messages to purchase their fake anti-virus software. I googled from another machine and found some help tips here: http://au.answers.yahoo.com/question/index?qid=20110410235423AA3tAag

  1. Locate and left click “Start” Button.

  2. Then left click “My computer”

  3. In the “My Computer” address bar copy and paste this file C:\Documents and Settings\All Users\Application Data\ then press “Enter” on your keyboard.

  4. Locate a randomly named file for example “hGdKHt0842”, “GfdKHt0842” or anything else that looks familiar to the following examples.

  5. Once file is located Right click on that file and click “Rename”. Rename the file by copying and pasting C:\ProgramData\virus\virus1.exe

  6. Then close all applications and “Restart” your computer.

  7. Once restarted “MS Removal” should not pop up at this point.

  8. Then redo steps 1, 2 & 3. And then go ahead and Delete the renamed file C:\ProgramData\virus\virus1.exe

  9. Empty your recycle bin.

  10. And WALA!! Your PC is restored.

I was grateful that after following these instructions I could now access my files and the internet without those ridiculous threatening pop-ups, so I installed Malwarebytes’ Anti-Malware and ran a scan. I also asked someone for advice from another site and they told me to run Combofix to make sure my machine is free of viruses. I did this and everything seemed fine again; however, I noticed that even though I was only using Firefox, the IE browser would suddenly start opening by itself, advertising Groupon and other random sites. I was concerned, thinking there was a problem with IE, so I went to Add/Remove Programs in Control Panel and removed IE. I can’t be bothered with the hassle of IE playing up now that I’ve removed the virus (or at least I thought I had removed the virus). Later I noticed that new tabs started opening up by themselves, even in Firefox! I’m still able to use my PC at this point. Again following advice from someone on YouTube, I was advised to install Avast antivirus. I installed it and ran a scan. I don’t want to go into detail by posting the log, but basically there was a virus or several in my temp folder; this is an example of what Avast would bring up: C:\Documents and settings\Administrator\Local Settings\temp\0.6004251575328295.exe is infected by win32:Aleuron-ACM…
After the scan completed I connected to the internet, and Avast displayed pop-ups saying there were viruses detected or problems with the svchost.exe file from the win32 folder.
Also there were lots of pop-ups saying it had blocked malicious URLs, when these URLs were not even malicious. I could not even open the forum/homepage for Avast or anything relating to Avast, and any page that has some sort of antivirus is being blocked by Avast even until now. Also I’d like to add that my CPU was very high at 100% and not dropping.

I googled this problem and came across this http://forums.techguy.org/virus-other-malware-removal/986224-nasty-virus-avast-detects-svchost.html

I followed advice from this site and installed TDSSKiller from http://support.kaspersky.com/viruses…?qid=208280684
The scan detected a virus in the rootkit (sorry, I’m not very technical, I think that’s what it was called). Anyway, it removed it and restarted my PC. My CPU dropped from 100% to a max of 88% and a low of 40%, so I noticed much improvement. Also I did not receive any pop-ups regarding malicious URLs, whereas before I was receiving them almost every 5 minutes. However, I still cannot connect to other sites, like Avast or antivirus sites and just sites that will give me advice regarding this problem. All of these sites are being blocked. As well as this, since installing Avast, my homepage in Firefox is set to Facebook. I have tried changing this several times through Tools, Options, General and then in Home Page; I change the Facebook address to Google and I click on OK. But I re-open Firefox and it still opens up to the Facebook home page. Has my homepage been hijacked by some sort of virus pretending to be Facebook??

So basically, I can now use my PC and access only certain webpages, I don’t receive any pop-ups, and when I scan using Avast or Malwarebytes’ Anti-Malware the scan doesn’t bring up any viruses, but I feel suspicious about why Facebook has hijacked my home page and why I can’t open the Avast website or other web pages.

Any help would be appreciated, and I’m sorry if I’ve posted in the wrong place!

Thank you,

Sereena
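One way to check a Firefox profile for the kind of stuck homepage and rewritten search preference described in this post, as an added example; this is not code from the thread or from any of the tools mentioned in it. It assumes you have the text of the profile’s prefs.js and, if one exists, user.js. The sample preference lines and the trusted-host list are constructed for the example; the defanged hxxp://www.scanquery.com keyword.URL value is the one quoted in the ComboFix script later in the thread. A caveat worth knowing when a homepage change “won’t stick”: Firefox reads prefs.js and then applies user.js on top at every start, so a value in user.js silently overrides whatever was saved from the Options dialog.

```python
import re
from urllib.parse import urlsplit

# Firefox stores preferences one per line as: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')

# Preferences a homepage/search hijack typically rewrites.
WATCHED_PREFS = ("browser.startup.homepage", "keyword.URL", "browser.search.defaultenginename")

# Hosts the owner considers legitimate for those preferences (constructed for the example).
DEFAULT_TRUSTED = ("google.com", "mozilla.org")


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref() line in a prefs.js/user.js file."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]  # string value; booleans and integers are kept verbatim
        prefs[name] = raw
    return prefs


def effective_prefs(prefs_js_text, user_js_text=""):
    """Merge the two files the way Firefox does at startup: prefs.js first, then
    user.js on top. A value in user.js wins every time the browser starts, which
    is why a homepage changed through the Options dialog can keep reverting."""
    prefs = parse_prefs(prefs_js_text)
    prefs.update(parse_prefs(user_js_text))
    return prefs


def _host_of(url):
    # Accept defanged hxxp:// too, so values copied from a removal log can be checked.
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return (urlsplit(url).hostname or "").lower()


def find_hijacked_prefs(prefs, trusted_hosts=DEFAULT_TRUSTED):
    """Return (pref_name, host) for every watched preference that points at an
    untrusted host. browser.startup.homepage may hold several URLs joined by '|'."""
    findings = []
    for name in WATCHED_PREFS:
        if name not in prefs:
            continue
        for url in prefs[name].split("|"):
            host = _host_of(url)
            if not host:
                continue  # a bare engine name or an empty value, not a URL
            if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
                findings.append((name, host))
    return findings


# Constructed sample files. prefs.js holds the value the user set in Options;
# user.js (which the user never wrote) puts the hijacked homepage back.
SAMPLE_PREFS_JS = r'''
user_pref("browser.startup.homepage", "http://www.google.com/");
user_pref("browser.tabs.warnOnClose", false);
user_pref("keyword.URL", "hxxp://www.scanquery.com/?tmp=nemo_results_removelink&prt=ScnqryPB&keywords=");
'''

SAMPLE_USER_JS = r'''
user_pref("browser.startup.homepage", "http://www.facebook.com/");
'''


def check_sample_profile():
    return find_hijacked_prefs(effective_prefs(SAMPLE_PREFS_JS, SAMPLE_USER_JS))


if __name__ == "__main__":
    for name, host in check_sample_profile():
        print(f"{name} points at untrusted host {host}")
```

Running it reports both the homepage (re-applied from user.js) and the search keyword URL as pointing at untrusted hosts; checking prefs.js alone would only show the second, which is exactly the blind spot that makes the symptom confusing.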

I also asked someone for advice from another site and they told me to run Combofix to make sure my machine is free of viruses.

Bad advice. Here’s why:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Here’s what the publisher says (sUBs):
http://www.techsupportforum.com/1829551-post6.html

=================

Attach here your last Combofix.txt log. If you don’t have it…

delete your copy of ComboFix and download a fresh one from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

Run ComboFix.
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.

When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Post log reports ( ComboFix.txt) back to topic.

Thanks Magna86 for your reply, the last Combofix log was on 16/05/11.
I don’t know if you need a more recent log because since running Combofix, I also installed Avast and then ran TDSSKiller.

Your machine is infected.

Please download a fresh copy of ComboFix, disable your AntiVirus program and run the tool.
Attach here a fresh CF log.

note:

c:\documents and settings\Administrator\My Documents\ComboFix.exe

Run ComboFix from Desktop.

Hi,

I ran Combofix and I have attached the log report.

Many thanks,

sereena

@sereena , just to let you know that you have some complex malware installed on your system. :smiley:

Do the following…

Open notepad and copy/paste all text present inside the code box below:


KillAll::

Folder::
c:\documents and settings\Administrator\Application Data\Ywcoce

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9190:TCP"=-

Driver::
errf
AMService
jnlpdpeaz
krfntdy
rtlwm

NetSvc::
jnlpdpeaz
rtlwm

File::
c:\windows\system32\drivers\aabgcg.sys
c:\windows\TEMP\qjgi\setup.exe

Firefox::
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\kwjbn76x.default\
FF - prefs.js: keyword.URL - hxxp://www.scanquery.com/?tmp=nemo_results_removelink&prt=ScnqryPB&keywords=

Rootkit::
c:\windows\system32\cacaw.dll

FileLook::
c:\windows\system32\bootcfgt.dll


Save this as CFScript.txt

http://img213.imageshack.us/img213/1218/cfscript1.gif

Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )
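The script above uses a simple sectioned layout: a line ending in `::` names a directive (KillAll, Folder, Registry, Driver, and so on) and the non-blank lines beneath it are that directive’s entries. As an added example, not part of the thread and not ComboFix’s own code, here is a small Python reader for that layout so that a helper, or the person about to run it, can list exactly which files, folders, services and registry values a script names before dragging it onto ComboFix.exe. The embedded sample is the script from this post; the section names come from it, and nothing is assumed about how ComboFix itself acts on each directive.

```python
import re

# A section header is a directive name followed by "::" on its own line.
SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")

# Sections whose entries are filesystem paths (names as they appear in the script).
PATH_SECTIONS = ("Folder", "File", "Rootkit", "FileLook")


def parse_cfscript(text):
    """Return {section_name: [entry, ...]} in the order the sections appear.

    Blank lines are ignored. A line that starts with whitespace is treated as the
    continuation of the previous entry, which is how wrapped hex registry values
    (the reg-export style used in RegLock sections) are written."""
    sections = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = SECTION_RE.match(raw)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry outside any section: {raw!r}")
        if raw[0].isspace() and sections[current]:
            sections[current][-1] += raw.strip()
        else:
            sections[current].append(raw.strip())
    return sections


def referenced_paths(sections):
    """All filesystem paths the script names, across the path-carrying sections."""
    return [p for name in PATH_SECTIONS for p in sections.get(name, [])]


def summarize(sections):
    """Entry count per section, e.g. {'Driver': 5, 'File': 2, ...}."""
    return {name: len(entries) for name, entries in sections.items()}


# Sample input: the CFScript quoted in the post above (the hxxp:// URL is defanged
# in the original and is kept that way here).
SAMPLE_CFSCRIPT = r"""
KillAll::

Folder::
c:\documents and settings\Administrator\Application Data\Ywcoce

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9190:TCP"=-

Driver::
errf
AMService
jnlpdpeaz
krfntdy
rtlwm

NetSvc::
jnlpdpeaz
rtlwm

File::
c:\windows\system32\drivers\aabgcg.sys
c:\windows\TEMP\qjgi\setup.exe

Firefox::
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\kwjbn76x.default\
FF - prefs.js: keyword.URL - hxxp://www.scanquery.com/?tmp=nemo_results_removelink&prt=ScnqryPB&keywords=

Rootkit::
c:\windows\system32\cacaw.dll

FileLook::
c:\windows\system32\bootcfgt.dll
"""


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for section, count in summarize(parsed).items():
        print(f"{section}: {count} entr{'y' if count == 1 else 'ies'}")
    for path in referenced_paths(parsed):
        print("  path:", path)
```

For this script the reader lists five paths (one folder, two files, one rootkit component and one file to inspect), five driver names, two NetSvc entries and one firewall registry value, which is a quick way to sanity-check that a script you were handed only names the items discussed in the thread.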

Hi Magna,

I followed your instructions a little late because I was away for a few days.

When I dragged the CFScript into ComboFix, a message popped up saying this:
“Current date is 2011-05-24. Combofix has expired.
Click Yes to run in REDUCED FUNCTIONALITY mode
Click No to exit.”

I have clicked on Yes, I hope that was the right thing to do; I’m waiting for Combofix to complete its scan so I can post the report.

I have the log report, it didn’t take that long. It did say that access was denied when ‘FIND 3M’ was at the top of the Combofix window. I don’t know if Avast had something to do with this, because although I disabled it, it started interfering and saying that it needed to open the file in ‘sandbox’?

Many thanks,

sereena

My apologies for not replying to your post :-[

Delete the current version of Combofix.
Download a fresh copy of Combofix from here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Disable your AntiVirus. Run Combofix. Click on I agree.
When the tool is finished, it will produce a log report for you. Attach here fresh Combofix.txt log

Hi Magna86,

How do I delete the old Combofix? If I put it in the trash and empty the trash, that won’t be enough, would it? I’m sure there was some command I came across to delete it, but I can’t find it.

Also when I disable Avast, it still interferes with my installation of Combofix, it’s annoying!!

Thanks,

Sereena

I just uninstalled the graphics drivers completely and reinstalled them afterwards. The problem remains. Doesn’t seem to be a driver problem. Any ideas?

You should bump your post. :smiley:
Delete it normally. Right click >> Delete.

Download a fresh copy of Combofix and run it. Attach here a fresh Combofix.txt log.
We will remove this malware :wink:

Hi Magna,

I’m so glad you replied!! :slight_smile: I was trying to send you a message but the site wouldn’t allow me to :cry:

I ran Combofix and have attached the log.

Many thanks,

Sereena

Run this tool:
Norton/Symantec uninstaller.
info:
http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN

Download tool:
ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe

Just like before, delete the old Combofix and download a fresh Combofix.

Do not Run Combofix!!!

Open notepad and copy/paste the text present inside the code box below:


KillAll::

Snapshot::

Driver::
errf
AMService
jnlpdpeaz
krfntdy
rtlwm

File::
c:\windows\system32\drivers\aabgcg.sys
c:\windows\TEMP\qjgi\setup.exe
c:\windows\system32\cacaw.dll

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ac,ea,89,80,2b,5a,03,4a,bd,a3,dc,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ac,ea,89,80,2b,5a,03,4a,bd,a3,dc,\

[HKEY_USERS\S-1-5-21-725345543-1123561945-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6a,cc,f1,8a,27,59,c5,41,9f,f1,c0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6a,cc,f1,8a,27,59,c5,41,9f,f1,c0,\

Save this as CFScript.txt

http://img213.imageshack.us/img213/1218/cfscript1.gif

Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will re-run.
When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )

Hi Magna,

I followed your instructions and attached the log, but there was no mention of “scan completed” in the log, so I feel like Avast interfered near the end because it kept saying it wanted to open the Combofix file in sandbox and I kept opting to open it in ‘normal’ instead of sandbox.

I wonder, do I need to run Combofix again???

Thanks, :slight_smile:

Sereena

Log is not complete but it looks much better. :smiley:
Do you have any problems now?

Run Norton/Symantec Uninstaller tool to remove traces…
http://www.sevenforums.com/tutorials/78961-av-uninstallers.html

Thanks Magna,

I ran the Norton removal tool again this morning, I restarted my machine and then wasn’t able to log back in :-\ The hand icon hovered on the space for the password but wouldn’t allow me to type anything, so I restarted it and thank god, I was able to log back in! Everything seems to be working fine, but I’m concerned as to why Facebook is still stuck as my homepage in both IE and Firefox but not in Google Chrome. In IE and Firefox, I have tried to set my homepage to Google in Internet Options but it won’t change; it still comes back as Facebook when I re-open my browser. Is this the virus? Should I run Combofix again?

Sereena

Should i run Combofix again?

Do not Run Combofix! :smiley:

Is this the virus?
We will check ...

Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:
     1. DDS.txt
     2. Attach.txt

Save both reports to your desktop.
Attach DDS.txt ; Attach.txt ; C:\ComboFix.txt back to topic.

Hi Magna

Earlier I removed Firefox and reinstalled it; I didn’t copy over any bookmarks or any information when it asked me if I wanted to. And Facebook has gone from my homepage! :smiley:

I changed my home page in IE again and now it’s fine. All seems to be working well, but I’m hoping that this final step will confirm that there are no hidden viruses left behind.

I have attached yesterday’s Combofix log, the DDS and Attach txts.

Thank you

Sereena :slight_smile:

OK, these logs look good… We have removed the malware.
Logs seem clean and there are no traces of malware.

It is necessary to uninstall Combofix:
Start >> Run

Combofix /Uninstall

Enter.

If you want you can do additional check with Malwarebytes.
If it finds something, remove it… If not, you can keep it for future scanning because the program has been very good alongside your AntiVirus.

Download program Malwarebytes’ Anti-Malware
Double-click the installation.
At the very end, verify that these options are ticked:

Update Malwarebytes’ Anti-Malware
Launch Malwarebytes Anti-Malware

Then click Finish.

Select option Perform Quick Scan and click Scan .
Upon completion of the process, click OK, then Show Results:
in the list of detected malware, verify that all the items are marked and click Remove Selected.