I think my browsers have been hijacked Solved/Closed

Question

Hello, 

Configuration: Windows XP / Firefox 17.0
I think I have been hijacked. I cannot go to my home page. There is now this link in it: websearch.just-browse.info  with pop ups.

I need the computer for work and this I think is very serious, having read other posts here similar to my situation. I appreciate if somebody can help me.

Many thanks in advance.

Ambucias · Answer

Greetings,

You have no doubt downloaded something which you should not have.

Lets start with this solution and then let me know.  If the following does not work fully, we may need to go into surgery.

Download, install and run Malwarebyte which you can find on this site: 

https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/ es-anti-malware 

Ensure you make an update.

Boot your computer in safemode

Please request a FULL system scan, which may take from 20 minutes to hours.  Do not interfere no matter how long in takes.  The creators of Malwarebyte recommend that while the tool is running that you go do something else, such as watching a rerun of Gone with the Wind or read Tolstoy's War and Peace.

If Malwarebyte restarts your system, launch it again to finish the Full scan. 

When the scan is completed, delete all items found.

IF your computer is clean and working normally just to be on the safe side 

*Turn off system restore and wait 30 seconds, 
*Turn it back on and create a new restore point. 

This way it gets rid of anything bad that might have gotten saved in a restore point and you have a clean restore point to use in the near future if needed. 
Do not turn it off until your computer is clean and working normally because you might need to use it if something goes wrong during the clean-up process. 
It is better to go back to an infected restore point if something goes wrong then to not be able to undo changes that were damaging.

askatu · Answer

Hello Ambucias,

No success. After 1h and a half, Malwarebytes has detected 1 file; previously it had detected 11. I followed the instructions you gave in another thread that had a similar situation to mine. 

The situation is still the same. You're right about the download, it all started searching for something to remove the DRM of an ebook I recently bought in the Penguin site which has modified all my previous settings in relation to file extensions.

And on top of that now when the computer starts a window appears with this notice: "error loading cmicnfg.cpl the specified module could not be found. In the top left hand side there is this name: RUNDLL

I hope all of this can be solved. Do you think is it serious?

askatu · Answer

Hello,

I'm doing a new complete scan in my PC to see if it can detect something else. The situation is still the same: The computer is very slow and the browsers are still hijacked.

The rundll window is still appearing. Everything is painfully slow.

Can I get some help please. 

Thanks in advance


PS:
I hope I had not been misunderstood about the ebook and DRM matter, I'm not a pirate. I only wanted to revert to my original settings on my computer. I searched online and unfortunately I clicked a download that seem perfectly legitimate, I did everything, maybe a bit hastily.

Ambucias · Answer

To help you and prescribe the remedy, I must make a diagnostic and to do so, I require a system log. 

1. Open this link and download ZHPDiag2 : 

https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html 

(Don't be alarmed is the site is in French, it sometimes happens, the tool will take your system language and allow the download if you get a warning message. Once installed, click on the "hardhat" icon, it allows to change the language.)

2. Save the file on your Desktop. 

3. Double click on ZHPDiag.exe and follow the installation instructions. 

the tool creates three icons ZHPDiag, MRB, and ZHPFix (If necessary,we will use ZHPFix at the next step). 

4. Double click on the short cut ZHPDiag on your Destktop. 

5. Click on the screwdriver icon and ensure all of the items are checked.

6. Click on the Magnifying glass and run the analysys. 

Wait for the tool to finished (maybe a long time) 

7. Close ZHPDiag. 

8. To transmit the report, click on this link : 

https://authentification.site 

9. Click on Parcourir and search the directory where you installed ZHPDiag (usually C:\desktop\zhpdiag.txt). 

10. Select the file ZHPDiag.txt. 

11. Click on "upload » 

12. Copy the url and post it here.

Best regards

Ambucias
Moderator /Security Contributor

askatu · Answer

Thank you very much Ambucias for your inestimable help. 

As I said in my previous post I re-run another Malwarebytes scan, this time it found 1 issue, I deleted it, restarted the computer. I changed the home pages in the browsers and everything seems alright now.

The only thing that is still appearing is the RUNDLL window. Do you still need a diagnose for the RUNDLL issue or there is another solution to that. 

Maybe with yesterday's anxiety I deleted something I shoudn't have done.

I'm waiting for your reply.

Once again thanks for your help.

Ambucias · Answer

That would be nice, just to ensure that we have everything.

I will not be able to reply to you for at least 8 hours as I am now login off.

Regards

P.S. I suggest that you don't play around with the machine until we know exactly what the issue is.

askatu · Answer

Here is the link:

http://speedy.sh/mQ4uk/ZHPDiag.txt

Regards,

PS: Sure I'm going to be careful with the machine!!!

askatu · Answer

Hello Ambucias

I'm afraid things have not changed. Below is the new url on the home page of my browsers:

http://ww12.certified-toolbar.com -->new url with the same popups.

How frustrating! 

I hope you have received the file well.

Regards

Ambucias · Answer

Hold on a minute.  Producing a log does not change anything.

I will look at your log now.

Stand-by

Ambucias · Answer

Dear Montserrat

Here it is as I am studying it :

You hard drive memory is at a critical point, you only have 4% memory left.  You system may crash.

You Windows must be updated.

You system is full of adware

1. Go to your control panel add/remove program tool and open it:

2. Delete from there all the toolbar applications that you see : crawler, babylon, etc.

3. ZHP Diag created on your desktop an icon ZHP Fix, it looks like a seringe.  Open ZHP Fix.

4. Copy the following lines:

O43 - CFD: 19/12/2012 - 00:47:30 - [0] ----D C:\Program Files\BT Broadband Desktop Help    => BT Broadband  
O43 - CFD: 21/02/2011 - 14:35:27 - [3.270] ----D C:\Program Files\Spybot - Search & Destroy    => Spybot - Search & Destroy  
O47 - AAKE:Key Export SP - "C:\WINDOWS\system32\rundll32.exe" [Enabled] Orphean Key    
M3 - MFPP: Plugins - [Montserrat Arda] -- C:\Program Files\Mozilla FireFox\searchplugins\crawlersrch.xml    => Toolbar.Crawler  
R3 - URLSearchHook: (no name) - {5E34052D-4D61-4BE4-9B6E-93836198886C} . (.Conduit Ltd. - Conduit Toolbar.) (6.4.0.0) -- C:\Program Files\PPCBully\prxtbPPC1.dll  
O2 - BHO: PPCBully - {5e34052d-4d61-4be4-9b6e-93836198886c} . (.Conduit Ltd. - Conduit Toolbar.) -- C:\Program Files\PPCBully\prxtbPPC1.dll  
O3 - Toolbar: PPCBully Toolbar - [HKLM]{5e34052d-4d61-4be4-9b6e-93836198886c} . (.Conduit Ltd. - Conduit Toolbar.) -- C:\Program Files\PPCBully\prxtbPPC1.dll  
[HKCU\Software\AVG Security Toolbar]    => Toolbar.AVGSearch  
[HKCU\Software\ConduitSearchScopes]    => Toolbar.Conduit  
[HKCU\Software\Conduit]    => Toolbar.Conduit  
[HKCU\Software\Instant Buzz]  
[HKCU\Software\Smartbar]    => Toolbar.Agent  
[HKCU\Software\YahooPartnerToolbar]    => Toolbar.Yahoo  
[HKLM\Software\AskBarDis]    => Toolbar.Ask  
[HKLM\Software\Conduit]    => Toolbar.Conduit  
[HKLM\Software\Instant Buzz]  
O43 - CFD: 20/02/2010 - 09:53:54 - [1.824] ----D C:\Program Files\Conduit    => Toolbar.Conduit  
O69 - SBI: SearchScopes [HKCU] {afdbddaa-5d3f-42ee-b79c-185a7020515b} - (WiseConvert Customized Web Search) - http://search.conduit.com    => Toolbar.Conduit  
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}]    => Toolbar.Crawler  
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}]    => Toolbar.Crawler  
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{201f27d4-3704-41d6-89c1-aa35e39143ed}]    => Toolbar.Ask  
[HKLM\Software\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}]    => Toolbar.Conduit  
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}]    => Toolbar.Crawler  
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8736C681-37A0-40C6-A0F0-4C083409151C}]    => Toolbar.SweetIM  
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}]    => Toolbar.Skype  
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}]    => Toolbar.Skype  
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}]    => Toolbar.Conduit  
[HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\conduitEngine]    => Toolbar.Conduit  
[HKLM\Software\Classes\Conduit.Engine]    => Toolbar.Conduit  
[HKCU\Software\ConduitSearchScopes]    => Toolbar.Conduit  
[HKCU\Software\instant buzz]  
[HKLM\Software\instant buzz]  
[HKLM\Software\AskBarDis]    => Toolbar.Ask  
[HKLM\Software\Classes\Toolband.EB_ExplorerBar]    => Toolbar.Agent  
[HKLM\Software\Classes\Toolband.IPM_PrintListItem]    => Toolbar.Agent  
[HKLM\Software\Classes\Toolband.PM_Launcher]    => Toolbar.Agent  
[HKLM\Software\Classes\Toolband.PM_PrintManager]    => Toolbar.Agent  
[HKLM\Software\Classes\Toolband.PR_BindStatusCallback]    => Toolbar.Agent  
[HKLM\Software\Classes\Toolband.PR_CancelButtonEventHandler]    => Toolbar.Agent  
[HKLM\Software\Classes\Toolband.TBToolband]    => Toolbar.Agent  
[HKLM\Software\Classes\Toolband.UserOptions]    => Toolbar.Agent  
[HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]:{4B3803EA-5230-4DC3-A7FC-33638F3D3542}    => Toolbar.Crawler  
C:\Program Files\Conduit    => Toolbar.Conduit  
C:\Documents and Settings\Montserrat Arda\Local Settings\Application Data\AVG Security Toolbar    => Toolbar.AVGSearch  
C:\Documents and Settings\Montserrat Arda\Local Settings\Application Data\Conduit
[HKLM\Software\Integral4
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} -- C:\Program Files\Instant Buzz\IBBar.dll (.not file.)    => Infection BT (InstantBuzz.Adw)
[HKCU\Software\AppDataLow\SProtector]    => Infection PUP (PUP.AdvancedSystemProtector)
[HKCU\Software\PriceGong]    => Infection BT (Adware.PriceGong)
O43 - CFD: 20/12/2012 - 20:56:48 - [0.435] ----D C:\Documents and Settings\Montserrat Arda\Application Data\PriceGong    => Infection BT (Adware.PriceGong)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("extensions.BabylonToolbar.prtkDS", 0);    => Infection BT (Toolbar.Babylon)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("extensions.BabylonToolbar.prtkHmpg", 0);    => Infection BT (Toolbar.Babylon)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");    => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");    => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");    => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.previous.keyword.URL", "");    => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");    => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");    => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");    => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.searchguard.enable", "");    => Infection PUP (PUP.SweetIM)
O69 - SBI: SearchScopes [HKCU] {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} [DefaultScope] - (WebSearch) - http://websearch.just-browse.info    => Infection PUP (PUP.Mocaflix)
[HKLM\Software\Microsoft\Internet Explorer\extensions\{066040f0-5018-4e15-8aa0-81d36136d989}]    => Infection BT (Adware.InstBruzz)
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3041D03E-FD4B-44E0-B742-2D9B88305F98}]    => Infection BT (Adware.ShopperReports)
[HKLM\Software\Classes\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}]    => Infection BT (Adware.SearchSettings)
C:\Documents and Settings\Montserrat Arda\Application Data\PriceGong  

5. Click on the Clipboard button at the top and a GO button will appear at the bottom.  Click on Go and close ZHP Fix

6. Download the following tool, run it and click on deletion.

https://toolslib.net

(The English text is in the second part of the page)

7. Delete the previous ZHP Diag log, produce a new one and uploaded on Speedyshare for me to check.

Good luck

askatu · Answer

Hello Ambucias,

I followed all the steps you gave me and here is the link: 

http://speedy.sh/TExSS/AdwCleaner-R1.txt

I'm amazed; the majority of things have been installed from my telephone and Broadband provider! I didn't know I had all that stuff from them!

Ambucias · Answer

How is your computer behaving now ?

askatu · Answer

Very, very slow. Yesterday after several attempts to log off normally I had to shut it down forcefully.  I decided to  give it a rest longer than normal and when I switched it on today it took ages to open FF and IE

The RUNDULL window still appears at the beginning of the session. 

Apart from that everything seems fine.

Did you receive the log alright? What did you see?

Thanks again for your help.

Ambucias · Answer

Yes I did get the log which was the Adwcleaner log, however if you recall and read back, I did I ask you to delete the previous ZHP Diag log, to produce a new one and to upload it on Speedyshare.  I still need that log for verification.

Before you do another log...

1. Click on run
2. Type cmd and click ok, a black window will appear
3. Type chkdsk and press enter.

4.Watch carefully and tell me what are the results.
5. Tell me if you still get the rundll error
6. Upload a brand new ZHP Diag log.

Take care

askatu · Answer

I just uploaded the ZHP Diag log  and the "CHKDSK" report. I hope everything is fine now. I don't know yet if I still have the rundll error, this only appears when I switch on the machine.

Ambucias · Answer

So you uploaded it!  Where ?

askatu · Answer

I'm so sorry! I was so tired that I forgot to copy the links ; :(silly me). Here are the links:

http://speedy.sh/6uScN/CHKDSK.txt
http://speedy.sh/adD7R/ZHPDiag.txt

Ambucias · Answer

Dear Silly You;-)

You have overstepped the critical threshold, there is only 5% free space on your hard disk.  Do you realize what this means?

In your log, I found a parasite type virus

Please launch ZHP Fix, copy the following, click on the clipboard button and then on the GO button :

M3 - MFPP: Plugins - [Montserrat Arda] -- C:\Program Files\Mozilla FireFox\searchplugins\Web Search.xml    

There is a lot of stuff which I would get rid of, but I am not you and I don't know what is the main use of the computer for you.  Certainly, there is no room for games.  Your harddisk capacity is only 12 Gb.

Chkdsk recoved some system files.

If you still get the rundll error Window, try this:

Click on Run, type cmd click ok
Type sfc/scannow
Press enter, let it run
Close the window

Let me know the results

Best regards

P.S. I will send you my personal address for you to send me a case of stout.  God save the Queen !

askatu · Answer

Yes, I'm not fully conscious of what it means, but I've been struggling for quite a while with this mater. I even remember having posted here in Kioskea something about this. I realize that I have to get rid of a lot stuff, but it happens that every time I do that it seems as if the computer were eating memory, and I got back to the low disc space again.

 I wonder if I can remove some windows material that I do not use and also the service packs that have a huge volume. Today I did some cleaning I'm now with 1.27Gb I did the defragmentation and some of the files that could not be defragmented where the ones below and I wonder if I can remove for instance the 3rd one:
...
1,676           114 MB          \WINDOWS\Installer\12fd2ce.msp
7,171           167 MB          \WINDOWS\Installer\MSI102.tmp
1,370           210 MB    \WINDOWS\SoftwareDistribution\DataStore\DataStore.edb
....

I didn't get today the rundll error, but I did what you suggested and this is what it came out:

"Files that are required for Windows to run properly must be copied to the DLL cache.
Insert your Windows XP Home edition CD-Rom now". I didn't do that because I heard that if you do that all your stuff is removed.

Thanks one more time, take care.

PS: Of course you deserve not only a case of stout but two at least!

Ambucias · Answer

The stout is very much appreciated, thanks.

The rundll error is probably due to a trace of malware left in the registry. We may need to do some delicate surgery in the registry. To avoid the operation, I would like you to run a full scan with Malwarebyte.  Tell me if you get any hits.

As for space, I suggest you run CCleaner:

I would not delete the files you mentioned, perhaps some other time the .tmp file

As I said, I don't know what you use the computer for, so I can't suggest to you what to remove.  The service packs are now essential to run some applications, removing them may also cause crashes.

You have Google Chrome and Firefox, do you need and use both ? What about Netscape ?

What about Silverlight ?  Do you use it ?

After you run Malwarebyte, you can remove it, you can also delete AdwCleaner

Let me know and take care.

P.S. With the delivery, please add a dozen scones.  Thanks

askatu · Answer

Well, I'm here again. On Friday night I had to switch off the computer abruptly because it started to burnt. I disconnected it completely from the power, I cleaned it and left to rest for several days. Then I installed Microsoft Security Essentials, deleted many things. I thought everything was fine. But IE is hijacked completely. 

This is what I got when I open it: 

http://runonce.msn.com/runonce3.aspx 

I didn't realize I had Silverlight and honestly I don't know what it is. The Google Chrome was installed when I upgraded FF. I would rather not have the Google Chrome but I thought I could do nothing.

I hope all this saga has soon an end.

Can I remove the IE?

(I haven't forgotten the stouts and will come with scones of course!)

Ambucias · Answer

Okay, load me up with a new ZHP Diag,

Do you still get the rundll error ?

Removing IE is ill advised, it's part of Windows.

When you use CCleaner, check the Windows uninstall files in the advanced section, you should gain lots of Mb's.

What do you mean "it started to burnt" ?

askatu · Answer

Good evening Ambucias,

Here is the new link http://speedy.sh/xsjrF/ZHPDiag.txt

It's been a while of not getting the rundll error I think it had something to do with the sound system. I searched on the internet, and I can't remember what I did exactly, something with the regedit comand in run I then deleted a file, but it has been so stressful this last days that I cannot remember exactly all the steps I took to remove it.

The burning thing it was just a week ago today. I was just working on the computer when a strong burning smell came from the machine, and I just switched it off thinking well that's it, the end. But it's still fine and doing a good job.

Now if I could get rid of that annoying thing on the IE browser that would be wonderful.

Once again, many many thanks for your help.

Ambucias · Answer

Greetings again Monteserrat,

I really don't know what you are doing with this computer, but your memory status has gone beyond the critical point, in fact it's just on verge of jamming.

Please launch ZHP Fix, copy and paste the following lines (using the clipboard) and click on GO

O3 - Toolbar: (no name) - [HKLM]{CCC7A320-B3CA-4199-B1A6-9F516DD69829} Orphean Key    => Toolbar.AVGSearch
O69 - SBI: SearchScopes [HKUS\.DEFAULT] {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (Yahoo! Search) - https://us.search.yahoo.com/    => Toolbar.AVGSearch
O69 - SBI: SearchScopes [HKUS\S-1-5-18] {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (Yahoo! Search) - https://us.search.yahoo.com/    => Toolbar.AVGSearch
[HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}]    => Toolbar.Conduit
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]    => Toolbar.AVGSearch
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]    => Toolbar.AVGSearch
[HKLM\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]    => Toolbar.AVGSearch
[HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]    => Toolbar.AVGSearch
[HKLM\Software\Classes\Toolband.EB_ExplorerBar.1]    => Toolbar.Agent
[HKLM\Software\Classes\Toolband.IPM_PrintListItem.1]    => Toolbar.Agent
[HKLM\Software\Classes\Toolband.PM_Launcher.1]    => Toolbar.Agent
[HKLM\Software\Classes\Toolband.PM_PrintManager.1]    => Toolbar.Agent
[HKLM\Software\Classes\Toolband.PR_BindStatusCallback.1]    => Toolbar.Agent
[HKLM\Software\Classes\Toolband.PR_CancelButtonEventHandler.1]    => Toolbar.Agent
[HKLM\Software\Classes\Toolband.TBToolband.1]    => Toolbar.Agent
[HKLM\Software\Classes\Toolband.UserOptions.1]    => Toolbar.Agent

Close it

You have stuff there about Kaspersky, you don't need it.

What is this ?

C:\Program Files\CartyStudios Corporation      
C:\Program Files\CommentKahuna      
C:\Program Files\PowerfulPDF      
C:\Program Files\Sigil      
 C:\Program Files\Solar Accounts      
 C:\Program Files\Traffic Travis v3      
C:\Program Files\WFX Website Builder      
  C:\Program Files\Whisper Technology      
  C:\Program Files\Common Files\SBSolutions      
 C:\Documents and Settings\Montserrat Arda\Start Menu\Programs\Accessories      
  C:\Documents and Settings\Montserrat Arda\Start Menu\Programs\Administrative Tools      
 C:\Documents and Settings\Montserrat Arda\Start Menu\Programs\RSS Announcer      
 C:\Documents and Settings\Montserrat Arda\Start Menu\Programs\Startup      

If you don't know, I suggest you remove.

You system is now virus free, all you need is space.

Good luck

I think my browsers have been hijacked

24 responses

Similar discussions

Subscribe To Our Newsletter!