Spyware, Viruses, & Security forum

General discussion

Help please! Browser Hijacked

by Jimanyyy / December 13, 2008 12:21 AM PST

Hi there,

Ok this started a few days ago. I'll try to include as much information as I've noticed so far & hopefully someone can help me.

When I search Google for something I'll get my desired list of results. However, when clicking on one of those links, most of the time the page will pop up in a new tab - the title will change to 'Redirecting' with www.abcjmp.com/xxx as the host - then it will redirect to a profile on www.perfspot.com. It mostly redirects to perfspot, but sometimes it sends me to another search engine... either way - just as annoying.

This happens on both IE and Firefox.

When I try clicking Tools -> Options -> before I can change any settings, Firefox will instantaneously close.

A lot of the time when I go to type in a URL -> same result, Firefox closes.

Copying/pasting URLs into the address bar will work; however, it seems as though any host with "spyware" or other such terms in the name will automatically bring up "This page cannot be displayed", sometimes with a 3rd party search engine, other times just the default Firefox error message.

System Restore -> I've tried this, but it seems to be disabled somehow, I can choose my date where I want to restore to, but when it comes to the final "Next" to click before commencing, clicking the button does nothing.

Prior to this my main firewall has been ZoneAlarm. Since becoming infected I've tried downloading some antivirus programs to help me; Ad-aware is the only one which has installed properly & has been able to run so far.

Super AntiSpyware Professional gives a Microsoft error when I try opening it, asking me if I wish to send them the data. Spybot Search & Destroy doesn't appear to do anything when I load it, as does HijackThis. AVG & TrendMicro return errors while trying to install.

Also, this got onto MSN and sent a (probably malicious) link to a few contacts.

Ad-aware was able to find some infected files, those are as follows:

AdvertBar
WhenU.DesktopToolbar
WhenU.SaveNow
Tracking Cookie
MRU Object

I have removed them, but they appear in subsequent scans too so I don't think they're being permanently deleted.

I am running XP Home. If there is any other information you require to solve this then please ask & I will provide.

Any help would be greatly appreciated. Thank you!

Discussion is locked

Give the following a try.......
by Marianna Schmudlach / December 13, 2008 12:56 AM PST

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

* Make sure you are connected to the Internet.
* Double-click on mbam-setup.exe to install the application.
* When the installation begins, follow the prompts and do not make any changes to default settings.
* When installation has finished, make sure you leave both of these checked:
o Update Malwarebytes' Anti-Malware
o Launch Malwarebytes' Anti-Malware
* Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

* If an update is found, the program will automatically update itself.
* Press the OK button to close that box and continue.
* If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a USB stick or CD and then copy it to the infected machine.

On the Scanner tab:

* Make sure the "Perform Quick Scan" option is selected.
* Then click on the Scan button.
* If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
* The scan will begin and "Scan in progress" will show at the top.
It may take some time to complete so please be patient.
* When the scan is finished, a message box will say "The scan completed successfully.
Click 'Show Results' to display all objects found".
* Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

* Click on the Show Results button to see a list of any malware that was found.
* Make sure that everything is checked, and click Remove Selected.
* When removal is completed, a log report will open in Notepad.
* The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the contents of that report in your next reply and exit MBAM.

Note:-- If MBAM encounters a file that is difficult to remove,
you may be asked to reboot your computer so it can proceed with the disinfection process.
Regardless if prompted to restart the computer or not, please do so immediately.
Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


And IF you are not able to download these tools on your machine, please use a friend or family member's computer and download the Malwarebytes tool and its manual update from the link below. Once downloaded, rename the program installer "mbam-setup.exe" file to something else like "Your name.exe", then copy the installer file and the update file to a CD or flash drive. Transfer the file to the problem machine, then install the "Your Name.exe" file, then run the update to get the program current. After that, run a full system scan and delete anything it finds.

Malwarebytes Download Link (Clicking on the links below will immediately start the download dialogue window.)
http://www.besttechie.net/tools/mbam-setup.exe

Malwarebytes Manual Updater link
http://www.malwarebytes.org/mbam/database/mbam-rules.exe

thanks
by Jimanyyy / December 13, 2008 1:42 AM PST

Thank you Marianna for your help.

Unfortunately I was not able to install the software to perform the scan.

I tried all 3 download links you gave me and firefox said "Page cannot be displayed" on all, despite the pages loading on another laptop for me. The malware seems pretty clever in detecting & blocking self threats.

I was able to search for & obtain the software off this website but nothing happens when I try opening the exe file. Even when I have process manager open and double click the file, no new processes appear. I cannot even see the process being opened before it's quickly being killed. I tried installing in safe mode (w/networking) also but it tells me I am not able to open it in safe mode.

Did you RENAME the MBAM.exe ?
by Marianna Schmudlach / December 13, 2008 1:48 AM PST
In reply to: thanks

Did you download and rename the mbam-setup.exe installer? Did you ALSO go to the MBAM folder (C:\Program Files\Malwarebytes' Anti-Malware) and rename the "mbam.exe" file within the folder?
Last but not least, did you then double-click on the "renamed mbam.exe" in order to run it?

You also could try:

Click on Start, click Run, and then type devmgmt.msc and click OK
On the View menu click on Show hidden devices
Browse to Non-Plug and Play Drivers and you should see something like TDSSserv.sys
Highlight that driver and right click on it and select DISABLE
Now RESTART your computer.
Download a copy of Malwarebytes but DO NOT run it yet.
Rename the downloaded installer file to any generic name such as your own name but keep the .EXE extension on the file and run it.
Once the program is installed go to the UPDATE tab and try to update the program if you can.
Then go to the SCANNER tab and run a Quick Scan and allow MBAM to fix anything found.

Wow, this is great, I am repairing the same problem
by Jolendd / December 13, 2008 2:05 AM PST

I have my friend's computer next to mine and am attempting to repair the exact same problem. I too have been unable to run Mbam and am in the process of trying to get it working as well. I will follow this same string if that is ok with all........thanks

Thanks!
by Jimanyyy / December 13, 2008 2:09 AM PST

Thank you so much Marianna, your advice is much appreciated, renaming the .exe file worked. When I installed it the 1st time it would not run, but I renamed it again and installed it again (renaming the installation directories also) and everything worked without a hitch.

It must restart my laptop to delete the files it could not delete just now. I will check back afterwards. Thank you again! :)

Here is the logfile:

Malwarebytes' Anti-Malware 1.31
Database version: 1497
Windows 5.1.2600 Service Pack 2

12/13/2008 6:04:30 PM
mbam-log-2008-12-13 (18-04-30).txt

Scan type: Quick Scan
Objects scanned: 49281
Time elapsed: 4 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\jsdf768wude.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iCheck (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VnrBlock (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\jsdf768wude.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\TDSScfub.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSnrsr.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSoeqh.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSriqp.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSmaxt.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-72124057-2353350644-3832879046-1006\Dc14\VnrBlock21.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSSc19b.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msvcrt2.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Arthur!\Local Settings\Temp\TDSS78bb.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Arthur!\Local Settings\Temp\TDSS7ca3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSSb9cb.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Arthur!\Local Settings\Temp\TDSS905a.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSfpmp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSStkdv.log (Trojan.TDSS) -> Quarantined and deleted successfully.

Fixed!
by Jimanyyy / December 13, 2008 2:19 AM PST
In reply to: Thanks!

And one more for good luck :)

Thanks a MILLION!!!

Malwarebytes' Anti-Malware 1.31
Database version: 1497
Windows 5.1.2600 Service Pack 2

12/13/2008 6:17:03 PM
mbam-log-2008-12-13 (18-17-03).txt

Scan type: Quick Scan
Objects scanned: 49098
Time elapsed: 5 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

(NT) Great Job ! Thanks for posting back :)
by Marianna Schmudlach / December 13, 2008 2:22 AM PST
In reply to: Fixed!

Thanks very much........
by Jolendd / December 13, 2008 3:43 PM PST

After following the suggested fix and following the instructions "EXACTLY" the Malwarebytes ran fine and found 17 errors needing repairing, it detected, fixed and got the computer running great, actually it runs better than it has in a long time. I suspect that some of the malware had been present in the background for a long time.
Again, thank you very much for the assistance.

Super - glad to hear :)
by Marianna Schmudlach / December 14, 2008 1:12 AM PST

You Are Very Welcome :)

I would suggest downloading and installing SpywareBlaster:

Why SpywareBlaster?
Spyware, adware, browser hijackers, and dialers are some of the most annoying and pervasive threats on the Internet today. By simply browsing a web page, you could find your computer to be the brand-new host of one of these unwanted fiends!

Download: http://www.javacoolsoftware.com/spywareblaster.html

Happy Holidays !

Spywareblaster
by Jolendd / December 14, 2008 2:26 AM PST

Thank you so much Marianna, your advice is much appreciated, You have made a suggestion to try/use Spywareblaster. A question, I have used Spybot Search & Destroy with great success, what is your opinion of that software?

John

Spybot Search & Destroy
by Marianna Schmudlach / December 14, 2008 2:40 AM PST
In reply to: Spywareblaster

My personal opinion...... after many years using Spybot S&D I have uninstalled it and installed MalwareBytesAntiMalware and I am very happy with it and I am not looking back.

download Malwarebytes' Anti-Malware : Here or Here

in my opinion it does not work
by k_abuki / April 11, 2009 8:30 AM PDT

Hello there!
I have a Toshiba a135-s4467 laptop (running Vista).

I installed Malwarebytes' Anti-Malware,
did a quick scan and found and removed win32.zafi.b.
I was so happy to fix my PC,
but what do you know, the infection came back.
If I run a scan it says that there are no infections or nothing;
at the same time the popup keeps appearing saying that I am infected.
Do you have an idea of what can be wrong?
Please help, thank you.

This is what I get after cleaning up with Mbam....
by BadgerBlitz / December 29, 2008 6:07 AM PST

I have cleaned with scans several times and I still get this showing up. Any help would be greatly appreciated.

Thank you

_____________________________________________________________

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 2

12/29/2008 3:39:02 PM
mbam-log-2008-12-29 (15-39-02).txt

Scan type: Quick Scan
Objects scanned: 61173
Time elapsed: 1 hour(s), 14 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Need for special tools.......
by Marianna Schmudlach / January 27, 2009 2:33 PM PST

Msiexec.exe /V -Reinstall the Windows Installer
by ebiedebie / January 27, 2009 12:36 PM PST

hey Marianne,
welp, from this link we talked about earlier

http://forums.cnet.com/5208-6132_102-0.html?forumID=32&threadID=320206&messageID=2963374#2963374

I read what RAID0 wrote...
I tried method one - my reg was fine.
Drive:\Windows\System32\Msiexec.exe /V is correctly in my REGISTRY
so I kept going & started puter in SAFEMODE.
It said to run "msiexec /regserver" so I did & it said that wasn't correct... or didn't exist (can't remember exactly).
SO I tried method 2,
to run - cmd (dos).
My command prompt is c:/documents & settings/ev(my log on name).
WELL I press "c:/" and it won't let me get to just C,
so I typed "attrib -r -s -h c:\windows\\system32\dllcache" like it said
and it said didn't exist or invalid.

So BOTH attempts are scratched out... I (googled) & went to that available for download from the Microsoft Download Center - but it's saying for Win2000? I got XP.
Anyways, what am I doing wrong? And am I going to have to buy that PCHELPER type software to make my registry work right? I really don't want to resort to that. (I am low in funds.)
Thanks for your time once again!

Re: Msiexec.exe /V -Reinstall the Windows Installer
by Marianna Schmudlach / January 27, 2009 2:09 PM PST

Question: Do you have Office installed?

Do you have the exact error message? - that "could" make it perhaps "easier" to find.

Do you remember which program you installed last? When did your problem start?

Could it be it has "something" to do with your Norton?

Have a look at this thread:

http://forums.techguy.org/windows-nt-2000-xp/546316-xp-home-error-1500-another.html

"Something" must have gotten "stuck" :(


You also could try this:

# For Windows XP:

1. Press Ctrl+Alt+Delete. The Windows Task Manager appears.
2. Click the Application tab.
3. Look for an entry related to a program installation. This might include words, such as "install," "installer," or "MSI."
4. If found, highlight the entry, and then click End Task. If a second dialog box appears, then click End Task in the second box. Close the dialog box.
5. Try the installation again.

Stay calm, cool and collected ;)

ctrl+alt+delete WORKED this time....
by ebiedebie / January 28, 2009 10:48 AM PST

So, I disabled all msi/mis type processes (I had like 6 of them!!!!) in the process tab...
ok, I DID this before... but THIS TIME it turned off my NORTON!
GUESS WHAT!!!?!?!?! I was able to INSTALL ALL the exe files!
AMAZING! I think it was divine intervention yet again LOL I just got back from Bible study & prayed about it! THANK YOU MARIANNA! *HUG*
I will try harder to not bother you so much or mess up my PC unintentionally again! LOL

WooHoo - I am soooooooo happy for you :)
by Marianna Schmudlach / January 28, 2009 1:47 PM PST

You Are Very Welcome and Happy SAFE Computing :)

Your registry might be damaged
by librarian7 / January 29, 2009 10:05 PM PST

Your command prompt will not work if your registry is damaged in the areas you are trying to work. Try a hard drive disc (check) usually the D- drive. Then start over.

cannot connect to network
by bill1020 / February 17, 2009 1:29 PM PST

OK, I was in the same boat as all of you and downloaded the malware software and things were OK. Now my laptop will not connect to the home network; have not tried on others. But it will not connect via wifi or cat5 cable and ethernet. Anyone have any suggestions?

TSDSS.serv removal - Thank you! - Me too!
by Apple Crisp / December 15, 2008 6:09 PM PST

I can't believe I found this thread. Mariana, you are a life saver. I have searched and searched and tried this and that and have only been able to run my computer on XP Pro on Safe Mode (with networking) for over a week. Fortunately, I have a laptop and just kept my searches and attempts at malware removal going.

I have been unable to run ANY anti-malware software. I already had Malwarebytes installed from before, but I could not run it. I also could not even download it again as any pages in either IE or Firefox that have anything to do with malware were hijacked when I tried to click over from Google or other search engines. So I downloaded some of the software on my laptop then used my flash drive to copy them onto my sick desktop. But I was still unable to install or run any of them. I was able to run CCleaner and did that a couple times during this whole process. I also could run HijackThis and did so a couple times, but it didn't take care of the issues. My start-up is extremely lean, and I researched everything listed, so I believe it was okay. I did remove a few listings just in case.

I tried renaming Anti-Malware to be able to run it, and it did not work. I tried a few times. Then I went to your second suggestion - running devmgmt.msc and disabling TDSSserv.sys. Talk about instant success. I couldn't believe it - XP Pro started up normally! I knew I was on the way to PC health. Right away my Avast! anti-virus was at work and found two DLLs associated with Fasec [Trj] and the TDSS trojan.

Then I renamed my Anti-Malware install file and - yes! - it opened and installed - and then ran! I have just run the quick scan and it found 9 more instances of the TDSS trojan.

Let me tell you, this TDSS trojan is terribly, terribly nasty. Another symptom was that anything I clicked on to run, anything - not just the anti-malware software - prompted the Windows - No Disk error. It screwed up most administration policies. With some things I could keep clicking through till they worked, but many would not work at all.

I think I'm in good shape now. I just KNOW that disabling TDSSserv.sys is what got me here. I don't know how to thank you.

I have just done more research and see that the TDSSserv malware is a variant of the "Clb Driver/Troj/NtRootK-DR malware" and that it's important to make sure that it is not only disabled but completely removed. It can "come back." Since Malwarebytes picked up 9 instances of the trojan, it seems like a good start - they may have updated recently to get more on this one. But I also read that SuperAntiSpyware is important to run for this one also, and I have just done that. Guess what?!! It went much deeper. It picked up 29 instances of this malware.

In view of this, if anyone is having a problem with this malware, finish up with SuperAntiSpyware.

Thank you again so much, Mariana. Your information was the big breakthrough for me.

(NT) Great Job ! Thanks for posting :)
by Marianna Schmudlach / December 16, 2008 12:50 AM PST

Thank You Mariana
by brunziej / January 10, 2009 8:53 AM PST

I was able to clean my affected laptop with your wonderful advice. Thank you so much. Below is the log:

Malwarebytes' Anti-Malware 1.32
Database version: 1638
Windows 5.1.2600 Service Pack 3

1/10/2009 6:08:28 PM
mbam-log-2009-01-10 (18-08-28).txt

Scan type: Quick Scan
Objects scanned: 83098
Time elapsed: 1 hour(s), 3 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\Jon\Application Data\Google\sysspc.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{a0e1054b-01ee-4d57-a059-4d99f339709f} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common\helper.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jon\Application Data\Google\sysspc.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Jon\Application Data\Google\ocboo1892823.exe (Trojan.FakeAlert) -> Delete on reboot.

Did you reboot your computer?
by Marianna Schmudlach / January 10, 2009 1:39 PM PST
In reply to: Thank You Mariana

As you HAVE to reboot your computer to get rid of:

C:\Documents and Settings\Jon\Application Data\Google\sysspc.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Jon\Application Data\Google\ocboo1892823.exe (Trojan.FakeAlert) -> Delete on reboot.

Run MBAM once again to see IF it is still clean.

Great Job and You Are Very Welcome :)
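
The check described in the reply above (items marked "Delete on reboot" are only gone once the machine has restarted and a second scan comes back clean) can be done mechanically from the saved logs. This is an added example, not part of the original thread; the function names are hypothetical, the first sample log is abridged from the one posted above with its summary counts adjusted to match, and both rescan logs are constructed.

```python
import re
from collections import Counter

# Detection line: "<path or registry key> (<Family>) -> <action>."
DETECTION = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
SUMMARY = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")


def parse_mbam_log(text):
    """Return {'summary': {section: count}, 'detections': [dict, ...]}."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SUMMARY.match(line):
            summary[m["section"]] = int(m["count"])
        elif m := HEADER.match(line):
            section = m["section"]
        elif section and (m := DETECTION.match(line)):
            detections.append({"section": section, **m.groupdict()})
    return {"summary": summary, "detections": detections}


def pending_reboot(parsed):
    """Items the scanner could only schedule for deletion, de-duplicated.
    The same file can be listed under both Memory Modules and Files."""
    seen = {}
    for d in parsed["detections"]:
        if d["action"].lower().startswith("delete on reboot"):
            seen.setdefault(d["item"].lower(), d["item"])  # Windows paths: case-insensitive
    return sorted(seen.values())


def families(parsed):
    """Detection count per family name, e.g. Trojan.FakeAlert."""
    return Counter(d["family"] for d in parsed["detections"])


def verify_rescan(first, rescan):
    """Compare the first scan with the post-reboot rescan.
    Returns (clean, survivors): survivors are pending-reboot items detected again."""
    again = {d["item"].lower() for d in rescan["detections"]}
    survivors = [i for i in pending_reboot(first) if i.lower() in again]
    # An empty or truncated log has no summary block and must not count as clean.
    clean = (bool(rescan["summary"]) and not rescan["detections"]
             and not any(rescan["summary"].values()))
    return clean, survivors


# Abridged from the log posted in the thread; counts adjusted to the abridged listing.
FIRST_SCAN = r"""
Malwarebytes' Anti-Malware 1.32
Scan type: Quick Scan

Memory Modules Infected: 1
Registry Keys Infected: 1
Files Infected: 3

Memory Modules Infected:
C:\Documents and Settings\Jon\Application Data\Google\sysspc.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Common\helper.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jon\Application Data\Google\sysspc.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Jon\Application Data\Google\ocboo1892823.exe (Trojan.FakeAlert) -> Delete on reboot.
"""

# Constructed: a rescan after reboot that finds nothing.
RESCAN_CLEAN = r"""
Memory Modules Infected: 0
Registry Keys Infected: 0
Files Infected: 0

Files Infected:
(No malicious items detected)
"""

# Constructed: a rescan where one scheduled deletion did not take effect.
RESCAN_DIRTY = r"""
Files Infected: 1

Files Infected:
c:\documents and settings\jon\application data\google\ocboo1892823.exe (Trojan.FakeAlert) -> Delete on reboot.
"""

if __name__ == "__main__":
    first = parse_mbam_log(FIRST_SCAN)
    print("Needs reboot:", pending_reboot(first))
    print("Families:", dict(families(first)))
    for name, log in (("clean", RESCAN_CLEAN), ("dirty", RESCAN_DIRTY)):
        print(name, verify_rescan(first, parse_mbam_log(log)))
```

A survivor in the second scan means the file was recreated or never deleted, which is the situation where the thread moves on to disabling the driver or running a second scanner.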

did u rename the MBAM.exe?
by 1hsad / December 17, 2008 10:42 AM PST

Since I was able to run the program I figured I didn't have to rename it, so I looked ahead to 'could also try'.

I was able to run devmgmt.msc, browse to the Non-Plug and Play Drivers, but could not see TDSSserv.sys.. am I looking for that exactly?

I am having the same problem with my browser being hijacked..

As you were able to run MBAM.......
by Marianna Schmudlach / December 17, 2008 1:35 PM PST

what did the program find? Did you update MBAM before running?

Could you pls. c\p your MBAM log.

log report
by 1hsad / December 18, 2008 7:06 AM PST

Since I can't sign into CNET on my computer, I've scanned it and saved it to this comp, but it's not letting me copy and paste it to this post.

The MBAM is up to date, it picked up registry keys infected (10), registry values infected(2), registry data items(6) infected folders files,registry data items infected (6), files infected (28), folders infected (14)

I ran MBAM again after it had restarted, and it showed up 0 for everything..

When I open Internet Explorer the address automatically goes to runonce.msn.com/runonce3.aspx. When I click on the home button it takes me to my home page.

It won't let me update Internet Explorer or sign into CNET or Hotmail account.

Now when the computer starts up, there's an error saying SQL SERVER. sqlboot.dll error, saying the file has been corrupted or tampered with, please uninstall and re-run set up... is it this simple to fix the error, and if so do u know where I go?

thank u for ur reply

runonce.msn.com/runonce3.aspx.
by Marianna Schmudlach / December 18, 2008 10:16 AM PST
In reply to: log report

Have a look IF this thread will help you:

http://groups.google.com/group/microsoft.public.internetexplorer.general/browse_thread/thread/70c71bd6f2c3c983

re: now when the computer starts up, theres an error saying SQL SERVER. sqlboot.dll error, saying the file has been corrupted or tampered with, please uninstall and re-run set up...

I can only imagine, you still have some kind of malware on your computer..

give the following a try:

Download and scan with SUPERAntiSpyware Free for Home Users

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):

Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.

* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".

thank u for ur help
by 1hsad / December 20, 2008 6:20 AM PST

Thank you very much Marianna. I was able to use one of the links that helped me get rid of the runonce.msn.com prob.. and I thank you. Although I still couldn't sign into any accounts. I still had the SQL problem, so I gave up and rang Microsoft.

But I want to thank you for your patience and help. There is also one other thing I'd like to know. Is Avast! a great product? I purchased Error Smart and Avast! in attempts at fixing my computer. But since I have the SuperAntiSpyware on my computer, do I need Avast!? I have asked Error Smart for my money back, and not sure if I should keep Avast!? Any advice for me please?

Error Smart.....
by Marianna Schmudlach / December 20, 2008 8:03 AM PST
In reply to: thank u for ur help

is neither an Anti Virus program nor an Anti Malware Program !

http://www.errorsmart.com/?hop=rd55gh

SuperAntiSpyware is an anti Malware program, NOT an Anti Virus program.

Yes, you should keep Avast as an Anti Virus program. If you want, you also could give Avira AntiVir Personal - FREE Antivirus a try instead of Avast.

Download here: http://www.free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html

After you fixed and cleaned your computer, were you now able to run MalwareBytes Anti Malware?

Did the info of Microsoft help you to fix your sql problem?
