I got a browser hijacker

So a day or two ago I was just casually browsing Youtube and I was redirected to a website that had something to do with “rmicrodefender,” a title I’ve never seen before. Avast caught whatever this program was in the act and stopped the redirect, and I did a few scans afterwards: one with Malwarebytes and one with Avast. None of the scans found anything other than some hard drive errors (Avast) and I thought it was just some kind of fluke. I ignored it and told myself if it happened again I’d post something here.

MalwareBytes Scan results

===

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.31.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
Justice :: JUSTICE-PC [administrator]

1/31/2014 1:02:06 AM
mbam-log-2014-01-31 (01-02-06).txt

Scan type: Full scan (C:|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 457341
Time elapsed: 1 hour(s), 11 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

===

aswMBR Log

===

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2014-02-01 19:27:41

19:27:41.689 OS Version: Windows x64 6.1.7601 Service Pack 1
19:27:41.689 Number of processors: 4 586 0x2A07
19:27:41.690 ComputerName: JUSTICE-PC UserName: Justice
19:27:44.320 Initialize success
19:27:47.093 AVAST engine defs: 14020101
19:29:57.149 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP1T1L0-5
19:29:57.149 Disk 0 Vendor: ST1000DM003-9YN162 CC4D Size: 953869MB BusType: 3
19:29:57.258 Disk 0 MBR read successfully
19:29:57.258 Disk 0 MBR scan
19:29:57.258 Disk 0 Windows 7 default MBR code
19:29:57.274 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
19:29:57.274 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 953767 MB offset 206848
19:29:57.290 Disk 0 scanning C:\Windows\system32\drivers
19:30:05.090 Service scanning
19:30:18.599 Modules scanning
19:30:18.599 Disk 0 trace - called modules:
19:30:18.615 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
19:30:18.615 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8007a0d060]
19:30:18.630 3 CLASSPNP.SYS[fffff880015ad43f] → nt!IofCallDriver → [0xfffffa8007454520]
19:30:18.630 5 ACPI.sys[fffff88000f0d7a1] → nt!IofCallDriver → \Device\Ide\IdeDeviceP1T1L0-5[0xfffffa80074a3060]
19:30:19.816 AVAST engine scan C:\Windows
19:30:21.735 AVAST engine scan C:\Windows\system32
19:32:22.261 AVAST engine scan C:\Windows\system32\drivers
19:32:33.571 AVAST engine scan C:\Users\Justice
19:35:02.442 AVAST engine scan C:\ProgramData
19:36:42.812 Scan finished successfully
19:38:05.414 Disk 0 MBR has been saved successfully to “C:\Users\Justice\Downloads\MBR.dat”
19:38:05.414 The log file has been saved successfully to “C:\Users\Justice\Downloads\aswMBR.txt”

===

Were you running Skype when this occurred? Their (along with several others, including Youtube and MSN) ad network has been compromised and is opening browser windows to a similar address. See here.

Don’t take this as saying don’t keep trying to figure out if your computer’s clean, that’s always a good practice.

Hi Looc22,

Please download zoek.zip or zoek.rar by smeenk from here or here and save it to your Desktop.
Unpack the archive…

- Close any open browsers.
- Temporarily disable your AntiVirus program (if necessary).
If you are unsure how to do this please read this or this Instruction.

- Double click on zoek.exe to run the tool.
Please wait until the tool starts…

- Copy the text present inside the code box below and paste it into the large window in the zoek tool:

Uninstall-List;
QuickScan;

- Click on the Run Script button.
Please wait until a log report opens (this can be after reboot).

- Save the Notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”.


Edit:

Btw, the posted OTL log doesn’t show traces of malware. If zoek does not detect any PUP (like some Adware variant or Toolbar), we shall need additional insight into what OTL says is OK.

I use adblock for Youtube, but I do always have Skype open on my PC. Perhaps this is my issue because according to magna I don’t show signs of Malware.

I have the log attached to this post. Not 100% sure on how replies work on this forum.

Anyhow, the post above on this thread mentions something about an ad compromise. I haven’t opened Skype today, and I haven’t been redirected. This is curious.

Hi Looc22,

Zoek also doesn’t show any traces of PUP. While we’re here, let’s allow zoek’s routine action to scan your computer.
This will not only check the system further but also perform more specific actions that contribute to the better working of the system itself, or even solve the problem.

=> Re-run zoek as you did before but this time use the following script:

EmptyCLSID;
AutoClean;

Click on the RunScript button and wait until a log report opens; this shall be after the system reboot.

Then tell me how things are now?

Also, feel free to read AxisKiller advice, it’s valid.

Attached the new log.

I haven’t opened Skype today, and I haven’t been redirected. I wonder if there is a connection between the two, as Axis said.

Hi Looc22,

Nada … your system is malware and PUP free. I shall remove used tools if you agree. I think there is no need for additional (deeper) system look.

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
- Remove disinfection tools
- Create registry backup
- Purge System Restore
Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

I wonder if there is a connection between the two, as Axis said.
Also, feel free to read AxisKiller advice, it's valid.
;)

Good to know! Thanks a ton, man, I was really worried about it. I’ll probably be back here if I ever need help with my PC again.