Author Topic: Damn browser hijacked.  (Read 3648 times)

Damn browser hijacked.
on: March 31, 2008, 22:42:38 PM
For the past few days, whenever I click a link from a Google search I get directed to hrena.com or something similar.

I've tried absolutely everything I can think of to get rid of the malware. I run daily AV tests, Spybot/Adaware weekly, etc.

Nothing seems to work. I've tried the Trend online scan, Avast! and AVG scans, and various anti-spyware solutions, and nothing is getting rid of the thing.

Any suggestions?

Damn browser hijacked.
Reply #1 on: March 31, 2008, 22:58:54 PM
Tools / Internet Options / Advanced tab

1) Restore advanced settings button
and
2) Reset button

;)

Beaker
Re:Damn browser hijacked.
Reply #2 on: March 31, 2008, 23:03:33 PM
Counterspy is usually pretty good. http://sunbelt-software.com

I would also run HijackThis and use http://www.hijackthis.de to double-check your HJT results. Come back if neither of them works.

Damn browser hijacked.
Reply #3 on: April 01, 2008, 00:01:14 AM
Counterspy won't install on XP64, any other suggestions?

Beaker
Damn browser hijacked.
Reply #4 on: April 01, 2008, 00:07:27 AM
Quote from: White Giant
Counterspy won't install on XP64, any other suggestions?


Odd, it installed on mine. Tried Spy Sweeper?

Damn browser hijacked.
Reply #5 on: April 01, 2008, 00:16:24 AM
Wait...


Isn't there a list somewhere so that when you type in a URL it sends you straight to the IP address of the site instead of going through the DNS servers...

I can't remember what it's called...

But I bet that's it :o

(Hopefully someone else will read this and know what it's called!)

Shakey
Re:Damn browser hijacked.
Reply #6 on: April 01, 2008, 01:26:08 AM
It could be your hosts file:

Operating system: location on hard drive

Linux/Unix: /etc/hosts
Windows 3.1/95/98/ME: c:\windows\hosts
Windows NT/2000/XP Pro: c:\winnt\system32\drivers\etc\hosts or c:\windows\system32\drivers\etc\hosts
Windows XP Home: c:\windows\system32\drivers\etc\hosts
Apple: System Folder:Preferences, and in the System Folder itself.

Open it up in Notepad, and if you're not sure copy and paste it here.
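As an added example (not part of Shakey's post or anything else in this thread), the Python script below does the check Shakey suggests for anyone whose hosts file is too large to read by eye, as happens once Spybot has added its blocklist. It parses the file, ignores the entries that merely sinkhole ad domains to 127.0.0.1 or 0.0.0.0, and reports the entries that point a name at some other address or that touch a search-engine domain. Worth knowing: a hosts-file hijack maps the legitimate name (e.g. google.co.uk) to an attacker-controlled address, so the name of the site you end up on need not appear in the file at all. The sample hosts content, the placeholder 10.0.0.99 address and the SEARCH_DOMAINS list are constructed for this example.

```python
import ipaddress
import os
import sys

# Constructed sample, not the poster's real file: a Spybot-style blocklist
# (everything sinkholed to 127.0.0.1 or 0.0.0.0) with one redirect-style
# entry mixed in. 10.0.0.99 is a placeholder address, not a real hijacker.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1       www.example-adserver.test
127.0.0.1       tracker.example.test   # trailing comment
0.0.0.0         banners.example.test
10.0.0.99       www.google.co.uk google.co.uk
"""

# Domains a search-redirect hijack would need to remap (assumed list).
SEARCH_DOMAINS = ("google.", "yahoo.", "live.com", "msn.com")


def parse_hosts(text):
    """Return (lineno, ip_or_None, fields) for every non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments, inline too
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            entries.append((lineno, None, fields))   # malformed, still reported
            continue
        entries.append((lineno, ip, fields[1:]))
    return entries


def is_sinkhole(ip):
    """127.x.x.x, ::1 and 0.0.0.0 are what blocklist tools map ad domains to."""
    return ip.is_loopback or ip.is_unspecified


def suspicious_entries(text):
    """Flag entries that redirect rather than block, or that touch search engines."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        if ip is None:
            findings.append({"line": lineno, "host": " ".join(names), "ip": None,
                             "reasons": ["malformed entry"]})
            continue
        for host in names:
            reasons = []
            if not is_sinkhole(ip):
                reasons.append("non-sinkhole address")
            if any(d in host.lower() for d in SEARCH_DOMAINS):
                reasons.append("search-engine domain")
            if reasons:
                findings.append({"line": lineno, "host": host, "ip": str(ip),
                                 "reasons": reasons})
    return findings


def default_hosts_path():
    """Where the live hosts file sits on this machine (Windows NT family or Unix)."""
    if os.name == "nt":
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "system32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    # Pass a path (e.g. the output of default_hosts_path()) to scan a real
    # file; with no argument the constructed sample is scanned.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    for hit in suspicious_entries(text):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']} ({', '.join(hit['reasons'])})")
```

On the sample, only line 7 is reported (both google names, "non-sinkhole address" and "search-engine domain"); the Spybot-style 127.0.0.1 and 0.0.0.0 lines are silent, which is the point of the check when the file runs to thousands of lines.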

Re:Damn browser hijacked.
Reply #7 on: April 01, 2008, 07:54:10 AM
Quote from: Shakey
It could be your hosts file:

Operating system: location on hard drive

Linux/Unix: /etc/hosts
Windows 3.1/95/98/ME: c:\windows\hosts
Windows NT/2000/XP Pro: c:\winnt\system32\drivers\etc\hosts or c:\windows\system32\drivers\etc\hosts
Windows XP Home: c:\windows\system32\drivers\etc\hosts
Apple: System Folder:Preferences, and in the System Folder itself.

Open it up in Notepad, and if you're not sure copy and paste it here.


Can't post it here; I get a board error:

Quote
An error has occurred.

For detailed error information, please see the HTML source code, and contact the forum Administrator.

com.mysql.jdbc.MysqlDataTruncation: Data truncation: Data too long for column post_text at row 1


Anyway, the hosts file is huge; lots of addresses added by Spybot, apparently.

Trying Spy Sweeper now.

*edit - Spy Sweeper is not compatible with 64-bit operating systems.

/sigh.

Damn browser hijacked.
Reply #8 on: April 01, 2008, 08:10:39 AM
HijackThis log; seems normal to me?

Quote
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:15 AM, on 01/04/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~2\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\SysWOW64\brsvc01a.exe
C:\WINDOWS\SysWOW64\brss01a.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files (x86)\uTorrent\uTorrent.exe
C:\Program Files (x86)\Globe Software\StatBar\StatBar.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\MagicDisc\MagicDisc.exe
C:\PROGRA~2\Grisoft\AVG7\avgamsvr.exe
C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe
C:\PROGRA~2\Grisoft\AVG7\avgupsvc.exe
C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~2\Grisoft\AVG7\avgrssvc.exe
C:\Program Files (x86)\Motherboard Monitor 5\MBM5.EXE
C:\PROGRA~2\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\regsvr32.exe
C:\PROGRA~2\Grisoft\AVG7\avgcc.exe
C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Documents and Settings\White Giant\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2b9320fe-1dd2-11b2-b6bf-c9ecd926de81} - C:\WINDOWS\abozcrkf.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [BDRegion] "C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files (x86)\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [EntaTool] "C:\Documents and Settings\White Giant\Desktop\EnT\EntaTool.exe" /hide
O4 - HKLM\..\Run: [nybuvorw] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\nybuvorw.dll"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [StatBar] C:\Program Files (x86)\Globe Software\StatBar\StatBar.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User LOCAL SERVICE)
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User LOCAL SERVICE)
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User NETWORK SERVICE)
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User NETWORK SERVICE)
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User SYSTEM)
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User SYSTEM)
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User Default user)
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User Default user)
O4 - Startup: MagicDisc.lnk = C:\Program Files (x86)\MagicDisc\MagicDisc.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra Tools menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra Tools menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra Tools menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204655044798
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5CAC014-A0F8-4F4F-88CE-4921E7255D64}: NameServer = 195.74.102.146,195.74.102.147
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\SysWOW64\brsvc01a.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: O&O Defrag - Unknown owner - C:\WINDOWS\system32\oodag.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: w32tm - Unknown owner - C:\WINDOWS\w32tm.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 8578 bytes
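As an added example, not from this thread and not from HijackThis itself, the Python script below applies a few standard HJT triage heuristics so that reading a log isn't left to eye alone. It parses the `Rn`/`Fn`/`On` entries and flags: an F2 UserInit value that launches anything beyond userinit.exe (every extra program there runs at each logon), an O2 BHO with no name that still has a file on disk (BHOs load into every Internet Explorer process), an O4 autorun that runs `regsvr32 /u` on a DLL at each logon (an odd thing for a startup entry to do), and the O17 NameServer setting for manual comparison against the ISP's DNS servers, since search redirects are consistent with tampered DNS. The sample input is a handful of lines copied from the log posted above; the rules and severities are this example's own heuristics, not verdicts about the files named, and anything flagged should be checked with a current scanner or the hijackthis.de analyser.

```python
import re
import sys
from collections import namedtuple

Finding = namedtuple("Finding", "section severity detail")

# Sample input: lines copied from the HijackThis log posted in this thread,
# so the output can be compared against the log by eye.
HJT_SAMPLE = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F2 - REG:system.ini: UserInit=userinit,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2b9320fe-1dd2-11b2-b6bf-c9ecd926de81} - C:\WINDOWS\abozcrkf.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nybuvorw] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\nybuvorw.dll"
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5CAC014-A0F8-4F4F-88CE-4921E7255D64}: NameServer = 195.74.102.146,195.74.102.147
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")


def check_f2(body):
    """Winlogon UserInit should be userinit.exe alone; anything else listed runs at every logon."""
    m = re.search(r"UserInit=(.*)$", body, re.I)
    if not m:
        return []
    parts = [p.strip() for p in m.group(1).split(",") if p.strip()]
    extras = [p for p in parts if not p.lower().endswith(("userinit", "userinit.exe"))]
    return [Finding("F2", "high", f"UserInit also launches: {', '.join(extras)}")] if extras else []


def check_o2(body):
    """Browser Helper Objects load into every IE process; an unnamed one with a file is worth identifying."""
    m = re.match(r"BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$", body)
    if not m or m.group(1) != "(no name)":
        return []
    path = m.group(2)
    if path == "(no file)":
        return [Finding("O2", "low", "orphaned BHO registration, no file on disk")]
    return [Finding("O2", "high", f"unnamed BHO loading from {path}")]


def check_o4(body):
    """Run keys normally start applications; 'regsvr32 /u <dll>' at each logon is an odd autorun."""
    if re.search(r"\bregsvr32(?:\.exe)?\s+/u\b", body, re.I):
        return [Finding("O4", "medium", f"autorun unregisters a DLL via regsvr32 /u: {body}")]
    return []


def check_o17(body):
    """O17 lists the DNS servers in use; confirm they are the ISP's, not a third party's."""
    m = re.search(r"NameServer = (.*)$", body)
    if not m:
        return []
    return [Finding("O17", "info", f"DNS servers {m.group(1)}: confirm they belong to your ISP")]


CHECKS = {"F2": check_f2, "O2": check_o2, "O4": check_o4, "O17": check_o17}


def triage(log_text):
    """Run every heuristic over the log and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        findings.extend(CHECKS.get(section, lambda b: [])(body))
    return findings


if __name__ == "__main__":
    # Pass a saved hijackthis.log path to scan a real log; no argument scans the sample.
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        text = HJT_SAMPLE
    for f in triage(text):
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
```

On the sample, the Acrobat BHO and the AVG Run entry pass silently, while the F2, the unnamed O2 with a file, the regsvr32 /u O4 and the O17 line are reported, which is the short list a human would then look up rather than the whole log.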

Beaker
Damn browser hijacked.
Reply #9 on: April 01, 2008, 09:05:47 AM
Quote from: White Giant
HijackThis log; seems normal to me?


Have you run it through the analyser on hijackthis.de?

bear
Re:Damn browser hijacked.
Reply #10 on: April 01, 2008, 09:11:13 AM
 MSIE :disappointed:

 FF  + noScript :rock:


Anyway, if you cannot post your hosts file, do a search in it for a hrena.com entry.

Damn browser hijacked.
Reply #11 on: April 01, 2008, 10:29:35 AM
Quote from: Beaker


have you run it through the analyser on hijackthis.de ?


Yep, everything was fine except for one service, which is disabled anyway.

Quote from: bear
anyway if you cannot post your hosts file, do a search in it for a hrena.com entry.


Done, and nothing found.


I've tried a program called SUPERAntiSpyware (awful name, I know); it found some stuff that nothing else did and removed it. Will report back.

Damn browser hijacked.
Reply #12 on: April 02, 2008, 09:53:02 AM
Quick update: SUPERAntiSpyware seems to have solved the problem! :)

bear
Damn browser hijacked.
Reply #13 on: April 02, 2008, 12:01:43 PM
Sounds good for a free anti-spyware!
