I think my browsers have been hijacked

Solved/Closed
Report
Posts
13
Registration date
Thursday September 16, 2010
Status
Member
Last seen
January 18, 2013
-
Posts
47367
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
September 1, 2021
-
Hello,


I think I have been hijacked. I cannot go to my home page. There is now this link in it: websearch.just-browse.info with pop ups.

I need the computer for work and this I think is very serious, having read other posts here similar to my situation. I appreciate if somebody can help me.

Many thanks in advance.

24 replies

Posts
47367
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
September 1, 2021
11,268
Greetings,

You have no doubt downloaded something which you should not have.

Lets start with this solution and then let me know. If the following does not work fully, we may need to go into surgery.

Download, install and run Malwarebyte which you can find on this site:

https://ccm.net/download/download-105-malwarebytes es-anti-malware

Ensure you make an update.

Boot your computer in safemode

Please request a FULL system scan, which may take from 20 minutes to hours. Do not interfere no matter how long in takes. The creators of Malwarebyte recommend that while the tool is running that you go do something else, such as watching a rerun of Gone with the Wind or read Tolstoy's War and Peace.

If Malwarebyte restarts your system, launch it again to finish the Full scan.

When the scan is completed, delete all items found.

IF your computer is clean and working normally just to be on the safe side

*Turn off system restore and wait 30 seconds,
*Turn it back on and create a new restore point.

This way it gets rid of anything bad that might have gotten saved in a restore point and you have a clean restore point to use in the near future if needed.
Do not turn it off until your computer is clean and working normally because you might need to use it if something goes wrong during the clean-up process.
It is better to go back to an infected restore point if something goes wrong then to not be able to undo changes that were damaging.
1
Thank you

A few words of thanks would be greatly appreciated. Add comment

CCM 2821 users have said thank you to us this month

Hello Ambucias,

No success. After 1h and a half, Malwarebytes has detected 1 file; previously it had detected 11. I followed the instructions you gave in another thread that had a similar situation to mine.

The situation is still the same. You're right about the download, it all started searching for something to remove the DRM of an ebook I recently bought in the Penguin site which has modified all my previous settings in relation to file extensions.

And on top of that now when the computer starts a window appears with this notice: "error loading cmicnfg.cpl the specified module could not be found. In the top left hand side there is this name: RUNDLL

I hope all of this can be solved. Do you think is it serious?
Posts
13
Registration date
Thursday September 16, 2010
Status
Member
Last seen
January 18, 2013

Hello,

I'm doing a new complete scan in my PC to see if it can detect something else. The situation is still the same: The computer is very slow and the browsers are still hijacked.

The rundll window is still appearing. Everything is painfully slow.

Can I get some help please.

Thanks in advance


PS:
I hope I had not been misunderstood about the ebook and DRM matter, I'm not a pirate. I only wanted to revert to my original settings on my computer. I searched online and unfortunately I clicked a download that seem perfectly legitimate, I did everything, maybe a bit hastily.
Posts
47367
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
September 1, 2021
11,268
To help you and prescribe the remedy, I must make a diagnostic and to do so, I require a system log.

1. Open this link and download ZHPDiag2 :

https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html

(Don't be alarmed is the site is in French, it sometimes happens, the tool will take your system language and allow the download if you get a warning message. Once installed, click on the "hardhat" icon, it allows to change the language.)

2. Save the file on your Desktop.

3. Double click on ZHPDiag.exe and follow the installation instructions.

the tool creates three icons ZHPDiag, MRB, and ZHPFix (If necessary,we will use ZHPFix at the next step).

4. Double click on the short cut ZHPDiag on your Destktop.

5. Click on the screwdriver icon and ensure all of the items are checked.

6. Click on the Magnifying glass and run the analysys.

Wait for the tool to finished (maybe a long time)

7. Close ZHPDiag.

8. To transmit the report, click on this link :

https://authentification.site

9. Click on Parcourir and search the directory where you installed ZHPDiag (usually C:\desktop\zhpdiag.txt).

10. Select the file ZHPDiag.txt.

11. Click on "upload »

12. Copy the url and post it here.

Best regards

Ambucias
Moderator /Security Contributor
Posts
13
Registration date
Thursday September 16, 2010
Status
Member
Last seen
January 18, 2013

Thank you very much Ambucias for your inestimable help.

As I said in my previous post I re-run another Malwarebytes scan, this time it found 1 issue, I deleted it, restarted the computer. I changed the home pages in the browsers and everything seems alright now.

The only thing that is still appearing is the RUNDLL window. Do you still need a diagnose for the RUNDLL issue or there is another solution to that.

Maybe with yesterday's anxiety I deleted something I shoudn't have done.

I'm waiting for your reply.

Once again thanks for your help.
Posts
47367
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
September 1, 2021
11,268
That would be nice, just to ensure that we have everything.

I will not be able to reply to you for at least 8 hours as I am now login off.

Regards

P.S. I suggest that you don't play around with the machine until we know exactly what the issue is.
Posts
13
Registration date
Thursday September 16, 2010
Status
Member
Last seen
January 18, 2013

Here is the link:

http://speedy.sh/mQ4uk/ZHPDiag.txt

Regards,

PS: Sure I'm going to be careful with the machine!!!
Posts
13
Registration date
Thursday September 16, 2010
Status
Member
Last seen
January 18, 2013

Hello Ambucias

I'm afraid things have not changed. Below is the new url on the home page of my browsers:

http://ww12.certified-toolbar.com -->new url with the same popups.

How frustrating!

I hope you have received the file well.

Regards
Posts
47367
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
September 1, 2021
11,268
Hold on a minute. Producing a log does not change anything.

I will look at your log now.

Stand-by
Posts
47367
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
September 1, 2021
11,268
Dear Montserrat

Here it is as I am studying it :

You hard drive memory is at a critical point, you only have 4% memory left. You system may crash.

You Windows must be updated.

You system is full of adware

1. Go to your control panel add/remove program tool and open it:

2. Delete from there all the toolbar applications that you see : crawler, babylon, etc.

3. ZHP Diag created on your desktop an icon ZHP Fix, it looks like a seringe. Open ZHP Fix.

4. Copy the following lines:

O43 - CFD: 19/12/2012 - 00:47:30 - [0] ----D C:\Program Files\BT Broadband Desktop Help => BT Broadband
O43 - CFD: 21/02/2011 - 14:35:27 - [3.270] ----D C:\Program Files\Spybot - Search & Destroy => Spybot - Search & Destroy
O47 - AAKE:Key Export SP - "C:\WINDOWS\system32\rundll32.exe" [Enabled] Orphean Key
M3 - MFPP: Plugins - [Montserrat Arda] -- C:\Program Files\Mozilla FireFox\searchplugins\crawlersrch.xml => Toolbar.Crawler
R3 - URLSearchHook: (no name) - {5E34052D-4D61-4BE4-9B6E-93836198886C} . (.Conduit Ltd. - Conduit Toolbar.) (6.4.0.0) -- C:\Program Files\PPCBully\prxtbPPC1.dll
O2 - BHO: PPCBully - {5e34052d-4d61-4be4-9b6e-93836198886c} . (.Conduit Ltd. - Conduit Toolbar.) -- C:\Program Files\PPCBully\prxtbPPC1.dll
O3 - Toolbar: PPCBully Toolbar - [HKLM]{5e34052d-4d61-4be4-9b6e-93836198886c} . (.Conduit Ltd. - Conduit Toolbar.) -- C:\Program Files\PPCBully\prxtbPPC1.dll
[HKCU\Software\AVG Security Toolbar] => Toolbar.AVGSearch
[HKCU\Software\ConduitSearchScopes] => Toolbar.Conduit
[HKCU\Software\Conduit] => Toolbar.Conduit
[HKCU\Software\Instant Buzz]
[HKCU\Software\Smartbar] => Toolbar.Agent
[HKCU\Software\YahooPartnerToolbar] => Toolbar.Yahoo
[HKLM\Software\AskBarDis] => Toolbar.Ask
[HKLM\Software\Conduit] => Toolbar.Conduit
[HKLM\Software\Instant Buzz]
O43 - CFD: 20/02/2010 - 09:53:54 - [1.824] ----D C:\Program Files\Conduit => Toolbar.Conduit
O69 - SBI: SearchScopes [HKCU] {afdbddaa-5d3f-42ee-b79c-185a7020515b} - (WiseConvert Customized Web Search) - http://search.conduit.com => Toolbar.Conduit
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}] => Toolbar.Crawler
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}] => Toolbar.Crawler
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{201f27d4-3704-41d6-89c1-aa35e39143ed}] => Toolbar.Ask
[HKLM\Software\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}] => Toolbar.Conduit
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}] => Toolbar.Crawler
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8736C681-37A0-40C6-A0F0-4C083409151C}] => Toolbar.SweetIM
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}] => Toolbar.Skype
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}] => Toolbar.Skype
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}] => Toolbar.Conduit
[HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\conduitEngine] => Toolbar.Conduit
[HKLM\Software\Classes\Conduit.Engine] => Toolbar.Conduit
[HKCU\Software\ConduitSearchScopes] => Toolbar.Conduit
[HKCU\Software\instant buzz]
[HKLM\Software\instant buzz]
[HKLM\Software\AskBarDis] => Toolbar.Ask
[HKLM\Software\Classes\Toolband.EB_ExplorerBar] => Toolbar.Agent
[HKLM\Software\Classes\Toolband.IPM_PrintListItem] => Toolbar.Agent
[HKLM\Software\Classes\Toolband.PM_Launcher] => Toolbar.Agent
[HKLM\Software\Classes\Toolband.PM_PrintManager] => Toolbar.Agent
[HKLM\Software\Classes\Toolband.PR_BindStatusCallback] => Toolbar.Agent
[HKLM\Software\Classes\Toolband.PR_CancelButtonEventHandler] => Toolbar.Agent
[HKLM\Software\Classes\Toolband.TBToolband] => Toolbar.Agent
[HKLM\Software\Classes\Toolband.UserOptions] => Toolbar.Agent
[HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]:{4B3803EA-5230-4DC3-A7FC-33638F3D3542} => Toolbar.Crawler
C:\Program Files\Conduit => Toolbar.Conduit
C:\Documents and Settings\Montserrat Arda\Local Settings\Application Data\AVG Security Toolbar => Toolbar.AVGSearch
C:\Documents and Settings\Montserrat Arda\Local Settings\Application Data\Conduit
[HKLM\Software\Integral4
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} -- C:\Program Files\Instant Buzz\IBBar.dll (.not file.) => Infection BT (InstantBuzz.Adw)
[HKCU\Software\AppDataLow\SProtector] => Infection PUP (PUP.AdvancedSystemProtector)
[HKCU\Software\PriceGong] => Infection BT (Adware.PriceGong)
O43 - CFD: 20/12/2012 - 20:56:48 - [0.435] ----D C:\Documents and Settings\Montserrat Arda\Application Data\PriceGong => Infection BT (Adware.PriceGong)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("extensions.BabylonToolbar.prtkDS", 0); => Infection BT (Toolbar.Babylon)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("extensions.BabylonToolbar.prtkHmpg", 0); => Infection BT (Toolbar.Babylon)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", ""); => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", ""); => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.previous.browser.startup.homepage", ""); => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.previous.keyword.URL", ""); => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.scripts.1.domain-blacklist", ""); => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", ""); => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", ""); => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.searchguard.enable", ""); => Infection PUP (PUP.SweetIM)
O69 - SBI: SearchScopes [HKCU] {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} [DefaultScope] - (WebSearch) - http://websearch.just-browse.info => Infection PUP (PUP.Mocaflix)
[HKLM\Software\Microsoft\Internet Explorer\extensions\{066040f0-5018-4e15-8aa0-81d36136d989}] => Infection BT (Adware.InstBruzz)
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3041D03E-FD4B-44E0-B742-2D9B88305F98}] => Infection BT (Adware.ShopperReports)
[HKLM\Software\Classes\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}] => Infection BT (Adware.SearchSettings)
C:\Documents and Settings\Montserrat Arda\Application Data\PriceGong

5. Click on the Clipboard button at the top and a GO button will appear at the bottom. Click on Go and close ZHP Fix

6. Download the following tool, run it and click on deletion.

https://toolslib.net

(The English text is in the second part of the page)

7. Delete the previous ZHP Diag log, produce a new one and uploaded on Speedyshare for me to check.

Good luck
Posts
13
Registration date
Thursday September 16, 2010
Status
Member
Last seen
January 18, 2013

Hello Ambucias,

I followed all the steps you gave me and here is the link:

http://speedy.sh/TExSS/AdwCleaner-R1.txt

I'm amazed; the majority of things have been installed from my telephone and Broadband provider! I didn't know I had all that stuff from them!
Posts
47367
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
September 1, 2021
11,268
How is your computer behaving now ?
Posts
13
Registration date
Thursday September 16, 2010
Status
Member
Last seen
January 18, 2013

Very, very slow. Yesterday after several attempts to log off normally I had to shut it down forcefully. I decided to give it a rest longer than normal and when I switched it on today it took ages to open FF and IE

The RUNDULL window still appears at the beginning of the session.

Apart from that everything seems fine.

Did you receive the log alright? What did you see?

Thanks again for your help.
Posts
47367
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
September 1, 2021
11,268
Yes I did get the log which was the Adwcleaner log, however if you recall and read back, I did I ask you to delete the previous ZHP Diag log, to produce a new one and to upload it on Speedyshare. I still need that log for verification.

Before you do another log...

1. Click on run
2. Type cmd and click ok, a black window will appear
3. Type chkdsk and press enter.

4.Watch carefully and tell me what are the results.
5. Tell me if you still get the rundll error
6. Upload a brand new ZHP Diag log.

Take care
Posts
13
Registration date
Thursday September 16, 2010
Status
Member
Last seen
January 18, 2013

I just uploaded the ZHP Diag log and the "CHKDSK" report. I hope everything is fine now. I don't know yet if I still have the rundll error, this only appears when I switch on the machine.
Posts
47367
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
September 1, 2021
11,268
So you uploaded it! Where ?
Posts
13
Registration date
Thursday September 16, 2010
Status
Member
Last seen
January 18, 2013

I'm so sorry! I was so tired that I forgot to copy the links ; :(silly me). Here are the links:

http://speedy.sh/6uScN/CHKDSK.txt
http://speedy.sh/adD7R/ZHPDiag.txt
Posts
47367
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
September 1, 2021
11,268
Dear Silly You;-)

You have overstepped the critical threshold, there is only 5% free space on your hard disk. Do you realize what this means?

In your log, I found a parasite type virus

Please launch ZHP Fix, copy the following, click on the clipboard button and then on the GO button :

M3 - MFPP: Plugins - [Montserrat Arda] -- C:\Program Files\Mozilla FireFox\searchplugins\Web Search.xml

There is a lot of stuff which I would get rid of, but I am not you and I don't know what is the main use of the computer for you. Certainly, there is no room for games. Your harddisk capacity is only 12 Gb.

Chkdsk recoved some system files.

If you still get the rundll error Window, try this:

Click on Run, type cmd click ok
Type sfc/scannow
Press enter, let it run
Close the window

Let me know the results

Best regards

P.S. I will send you my personal address for you to send me a case of stout. God save the Queen !
Posts
13
Registration date
Thursday September 16, 2010
Status
Member
Last seen
January 18, 2013

Yes, I'm not fully conscious of what it means, but I've been struggling for quite a while with this mater. I even remember having posted here in Kioskea something about this. I realize that I have to get rid of a lot stuff, but it happens that every time I do that it seems as if the computer were eating memory, and I got back to the low disc space again.

I wonder if I can remove some windows material that I do not use and also the service packs that have a huge volume. Today I did some cleaning I'm now with 1.27Gb I did the defragmentation and some of the files that could not be defragmented where the ones below and I wonder if I can remove for instance the 3rd one:
...
1,676 114 MB \WINDOWS\Installer\12fd2ce.msp
7,171 167 MB \WINDOWS\Installer\MSI102.tmp
1,370 210 MB \WINDOWS\SoftwareDistribution\DataStore\DataStore.edb
....

I didn't get today the rundll error, but I did what you suggested and this is what it came out:

"Files that are required for Windows to run properly must be copied to the DLL cache.
Insert your Windows XP Home edition CD-Rom now". I didn't do that because I heard that if you do that all your stuff is removed.

Thanks one more time, take care.

PS: Of course you deserve not only a case of stout but two at least!
Posts
47367
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
September 1, 2021
11,268
The stout is very much appreciated, thanks.

The rundll error is probably due to a trace of malware left in the registry. We may need to do some delicate surgery in the registry. To avoid the operation, I would like you to run a full scan with Malwarebyte. Tell me if you get any hits.

As for space, I suggest you run CCleaner:

I would not delete the files you mentioned, perhaps some other time the .tmp file

As I said, I don't know what you use the computer for, so I can't suggest to you what to remove. The service packs are now essential to run some applications, removing them may also cause crashes.

You have Google Chrome and Firefox, do you need and use both ? What about Netscape ?

What about Silverlight ? Do you use it ?

After you run Malwarebyte, you can remove it, you can also delete AdwCleaner

Let me know and take care.

P.S. With the delivery, please add a dozen scones. Thanks