Spyware, Viruses, & Security forum

General discussion

Browser hijack

by Withtheband / March 30, 2009 12:42 PM PDT

Does anyone know anything about the following? I have been tormented by a browser hijack for over 6 months. This probably is not an important piece, but it's what I was able to grab tonight...I have 'fake' Google, Yahoo, MSN, etc apps, stolen passwords, and I suspect my email accounts are utilized for who knows what around the clock by who knows who. Thanks to anyone who can help me!

mk:@MSITStore:C:\Users\User\Documents\PsTools[1]\Pstools.chm::/PsList.htm

Sysinternals PsTools

html4/loose.dtd another search item

Discussion is locked
You are posting a reply to: Browser hijack
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: Browser hijack
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Why don't you give the following a try:
by Marianna Schmudlach / March 30, 2009 2:26 PM PDT
In reply to: Browser hijack

Please download Malwarebytes Anti-Malware (v1.33) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.

* Make sure you are connected to the Internet.
* Double-click on mbam-setup.exe to install the application.
* When the installation begins, follow the prompts and do not make any changes to default settings.
* When installation has finished, make sure you leave both of these checked:
o Update Malwarebytes' Anti-Malware
o Launch Malwarebytes' Anti-Malware
* Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

* If an update is found, the program will automatically update itself.
* Press the OK button to close that box and continue.
* If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.

On the Scanner tab:

* Make sure the "Perform Quick Scan" option is selected.
* Then click on the Scan button.
* If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
* The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
* When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
* Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

* Click on the Show Results button to see a list of any malware that was found.
* Make sure that everything is checked, and click Remove Selected.
* When removal is completed, a log report will open in Notepad.
* The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the contents of that report in your next reply and exit MBAM.

Notes: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes. Click this link to see a list of programs that should be disabled.



......


Download and scan with SUPERAntiSpyware Free for Home Users

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):

Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.

* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".

...

Run the F-Secure Online Scanner

http://support.f-secure.com/enu/home/ols.shtml

Note: This Scanner is for Internet Explorer Only!

*Click on Online Services and then Online Scanner
*Accept the License Agreement.
*Once the ActiveX installs, click Full System Scan
*Once the download completes,the scan will begin automatically.
* The scan will take some time to finish,so please be patient.
*When the scan completes, click the Automatic cleaning (recommended) button.

Pls. let us know how you are doing.

Collapse -
Sorry. IE7. I've grabbed email thief
by Withtheband / April 1, 2009 5:48 AM PDT

I'll try to paste it in but I expect this thing to stop me. If so I'll come back with more info.
C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\IGM1NPQS\YH251A02[1].zip

Collapse -
Clean your Temporary Internet Files
by Marianna Schmudlach / April 1, 2009 6:13 AM PDT

The Temporary Internet Files (or cache) folder contains Web page content that is stored on your hard disk for quick viewing. This cache permits Internet Explorer or MSN Explorer to download only the content that has changed since you last viewed a Web page, instead of downloading all the content for a page every time it is displayed. To delete the files in the Temporary Internet Files folder, follow these steps:.

1. Quit Internet Explorer and quit any instances of Windows Explorer.
2. Click Start, click Control Panel, and then double-click Internet Options.
3. On the General tab, click Delete Files under Temporary Internet Files.
4. In the Delete Files dialog box, click to select the Delete all offline content check box , and then click OK.
5. Click OK.

http://support.microsoft.com/kb/260897

Collapse -
Clambake?
by Withtheband / April 1, 2009 12:58 PM PDT

Forgive my atrocious e-ettiquette. This should be the last post. The last idea clearly is not close to thw mark. This may be. I find a large number of folders "LanguageAct(C:(Users/user/appdata/Roaming/SpywareTerminator) in this folder: Computer/Local Disk/Users/User/Searchs/Shares by me. Each of the Users folder is set to 'everyone'. There are a few files in this folder dated 1/23/06 which I assume may have been OK. But I see some starting with a 1/17/08 date beginning with "clam". On 7/23/08 I see a "IE_Home_Page" file....guess that's the last time I had the real thing huh??? Thanks! (I have tried malwarebytes-it sees nothing also).

Collapse -
I have MUCH BETTER INFO
by Withtheband / April 1, 2009 12:26 PM PDT
In reply to: Browser hijack

I THINK the name of this monster may be wincal.exe. C:/program files/windows calendar/wincal.exe. Date mod 1-20-08. 1.20mb. In advanced security setting all permissions are allowed). I had a huge fake folder infrastructure deeply deeply nested of every major app you can think of and it's set up to make me believe that folders are disks or external drives. Anything I attempt to 'capture' by any means (save, print screen, export to thumb, etc. gets intercepted by this ******** in some fashion. There is even a faux version of CNET. (I can't get back to my posts). I can see that my email accounts are being stolen and are being used around the clock. I cannot tell whether my identity is long gone. As yet I have not lost money on financial accounts, but it's obvious my passwords are being changed on all types of accounts (keyloggers, or what). I've found monitoring software on here also - like web*****. I've also been offered 'carrots' like premium MSFT resources for free that I should be paying hundreds of bucks for (Techweb). I just stumble into it...and it's open. More later....I'm no tech neophyte - can't believe this huge malignant mass has sat on this PC (and others) for mos, retailers could not find it, I've put more than half dozen major spyware software programs on it and it chewed them up and created fake versions of THEM (Kaspersky too). Just today I fould my AVG registration email in a spam file from a month ago...hmmm I wonder what that "AVG" that has been taking care of me in the meantime is?

Collapse -
WinCal.exe
by Marianna Schmudlach / April 1, 2009 2:24 PM PDT

wincal.exe

WinCal.exe is a part of Windows Vista.

Default location: %Program Files%\Windows Calendar\WinCal.exe

Useful information about: WinCal.exe

Description: Windows Calendar

Version: 6.0.6000.16386 (vista_rtm.061101-2205)

Size: 967680 (945K)

MD5: 498101B1171AB581C2F545F3854334E4

WinCal.exe is a part of Windows Calendar application.

Windows Calendar is a flexible, easy-to-use tool for planning and managing all of your activities and coordinating your schedule with other people's.

http://www.microsoft.com/windows/products/windowsvista/features/details/calendar.mspx

Popular Forums
icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

CNET FORUMS TOP DISCUSSION

Help, my PC with Windows 10 won't shut down properly

Since upgrading to Windows 10 my computer won't shut down properly. I use the menu button shutdown and the screen goes blank, but the system does not fully shut down. The only way to get it to shut down is to hold the physical power button down till it shuts down. Any suggestions?