Kudos1

Browser Hijack Virus

Hi, I have Norton 360, but it seems my computer is infected with a browser / Google search hijacking virus. The symptom is that clicking on a Google search link brings me to a bogus site like www.comparedby.us. I was hoping that there would be some generic solution to this, but I can't seem to find that. Can you help? Thanks!

   - bogue12

Replies

Kudos0

Re: Browser Hijack Virus

Hi bogue12:

Have you cleared your browser cache and temp files?  You can also try Malwarebytes free version.  Download it, install, update and run a full scan.  You will be able to post the log by using the "add attachments" link below the message window. Save the log to Notepad before attaching as a .txt file.

If that doesn't work, it may provide more information about what to do next.

http://www.filehippo.com/download_malwarebytes_anti_malware/

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain
Kudos0

Re: Browser Hijack Virus

Thanks for your reply. I previously installed Malwarebytes and recently did a quick scan, and it found nothing. I am running a full scan now. In the meantime, I have attached the log file from HijackThis.

Thanks!

File Attachment: 
Kudos0

Re: Browser Hijack Virus

Hi bogue

Don't forget to update Malwarebytes before doing the scans with it. That program updates quite often.

Success always occurs in private and failure in full view.
Kudos0

Re: Browser Hijack Virus

Hi bogue

I can tell you this much. You have very old Java and Adobe files running on your computer. Both of those sites update their programs quite often for security reasons.

Success always occurs in private and failure in full view.
Kudos1

Re: Browser Hijack Virus

O4 - HKLM\..\Run: [Nkaqiyixev] rundll32.exe "C:\WINDOWS\utajevoherajo.dll",Startup

 

I don't have a qualified reader available online at the moment, and I am not one.  This seems to be the only item that requires further investigation.  It is coming up as unknown on Google searches.  It is in your startup file.  You could go to msconfig and disable it to see if that prevents the redirect without disabling anything important. If there is no issue and it stops the redirect, you can then pull Hijackthis back up and click fix.
Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain
Kudos0

Re: Browser Hijack Virus

OK, the Malwarebytes full scan took a while. Indeed it did find some bad files (located in System Restore) which are now removed. Also, I unchecked utajevoherajo in system start-up, as you suggested. My symptoms (redirected search links) have been intermittent historically, and so I am not ready to say everything is OK yet. I will get back to you in 24 hours or when I see the problem again, whichever comes first.

Thanks!


Kudos1

Re: Browser Hijack Virus

Run HiJackThis and check (mark) the following:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [Nkaqiyixev] rundll32.exe "C:\WINDOWS\utajevoherajo.dll",Startup
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

Then select "Fix checked" from the main menu. Restart your system and see if the redirects are still happening.

Win7 x32 SP1
Kudos0

Re: Browser Hijack Virus

Some of the recent infections I am seeing on customer computers is that the hosts file has been modified by the viruses, which add redirectors to it. To check it, go to C:\windows\system32\drivers\etc\hosts. It will ask what you want to open it with; just tell it WordPad or similar. If there is anything below the commented section (the parts with # at the start of the line), delete them. Really, it would be safe to delete everything in there most of the time. If you're not sure, copy and paste what is in there to a reply in this thread.
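A small script that performs the hosts-file check described above, added here as an example; it is not code from any poster in this thread. It assumes the stock file layout (a "#" comment block followed by a "127.0.0.1 localhost" line, which is expected and should stay) and reports every other active mapping, distinguishing a public name pinned to a foreign address (a redirect) from one pinned to loopback (a blackholed vendor or update site). The sample file content is constructed, including the documentation-range address 192.0.2.10 and the host liveupdate.example.com.

```python
"""Report active (non-comment) entries in a Windows hosts file.

Added example, not code from the thread. The default file is
C:\\Windows\\System32\\drivers\\etc\\hosts; pass a path as the first
argument, or run with no arguments to check the constructed sample below.
"""
import sys

LOOPBACK = {"127.0.0.1", "::1"}
EXPECTED_NAMES = {"localhost"}   # the one active mapping a stock file may carry

# Constructed sample: the stock comment block, the normal localhost line and
# two hijack-style lines (192.0.2.10 is a documentation-range address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
192.0.2.10      www.google.com          # constructed: search engine sent elsewhere
127.0.0.1       liveupdate.example.com  # constructed: an update host blackholed
"""


def parse_hosts(text):
    """Return (ip, [hostnames]) for every active line, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        parts = line.split()
        if len(parts) < 2:                    # blank, comment-only or malformed
            continue
        entries.append((parts[0], parts[1:]))
    return entries


def suspicious_entries(text):
    """Return (kind, ip, names) for every active entry beyond localhost.

    'redirect'  : a name pinned to a non-loopback address (traffic diverted)
    'blackhole' : a name pinned to loopback (site silently made unreachable)
    """
    flagged = []
    for ip, names in parse_hosts(text):
        odd = [n for n in names if n.lower() not in EXPECTED_NAMES]
        if odd:
            kind = "blackhole" if ip in LOOPBACK else "redirect"
            flagged.append((kind, ip, odd))
    return flagged


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    hits = suspicious_entries(text)
    if not hits:
        print("no active entries beyond localhost")
    for kind, ip, names in hits:
        print(f"{kind:9} {ip:16} {' '.join(names)}")
```

Run it against the real file before deleting anything, so the reply to the thread can quote exactly which lines were active rather than the whole file.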
Kudos1

Re: Browser Hijack Virus

First, thank you all for your help. I was about to declare victory, but late today I got another redirect. It is intermittent, this thing. Often the redirect is to comparedby<dot>us. Anyway, before I got the redirect again, I fixed the bad files from the Malwarebytes scan (as I mentioned before), fixed the HijackThis entries that dbrisendine suggested, and even checked C:\windows\system32\drivers\etc\hosts as omega7441 suggested (nothing there).

After reboot, I ran HiJackThis again and this one is back again:

O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)

Killed it again, reboot, and it is back.  (Attached is updated log file.)  So do you think this is the culprit?

On a different line of thinking, I saw some other discussion board posts about redirect virus, and I saw some people claim that a complete uninstall and reinstall of Firefox did the trick.  I have not done this.  Let me know if you think that would make sense.

Thanks!

File Attachment: 
Kudos0

Re: Browser Hijack Virus

I just realized that HiJackThis cannot remove this:

O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)

Just tried running HiJackThis after booting in Safe Mode, and that did not help.

Kudos0

Re: Browser Hijack Virus


delphinium wrote:

O4 - HKLM\..\Run: [Nkaqiyixev] rundll32.exe "C:\WINDOWS\utajevoherajo.dll",Startup

 

I don't have a qualified reader available online at the moment, and I am not one.  This seems to be the only item that requires further investigation.  It is coming up as unknown on Google searches.  It is in your startup file.  You could go to msconfig and disable it to see if that prevents the redirect without disabling anything important. If there is no issue and it stops the redirect, you can then pull Hijackthis back up and click fix.

There is a reason for that:

" [Random] rundll32.exe "C:\WINDOWS\[random].dll",Startup"

Google searches won't give results or correct results for the file if the file name has a completely random name. 

Quads
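The posts above triage HijackThis entries by hand: dbrisendine's list of entries to fix, and Quads' point that a randomly named DLL cannot be looked up. Below is an added example that encodes the same reasoning as a script; it is not code from the thread or from HijackThis itself. It assumes three heuristics: a registration whose file is gone (the "(no file)" and "(file missing)" entries) is inert on its own, an O4 Run entry that feeds rundll32 a DLL sitting outside system32 deserves a look, and the F2 UserInit value should be the stock userinit.exe and nothing more. The sample log is assembled from the line formats quoted in this thread; the "Example Updater" line is constructed to show an entry that passes.

```python
"""Triage the entry types that appear in this thread's HijackThis output.

Added example, not code from the thread or from HijackThis. Labels:
  orphan : registration points at a file that no longer exists
  review : worth a closer look before deciding it is benign
  ok     : nothing in these rules objects to it
"""
import re

# Constructed sample log built from the line formats quoted in the thread;
# the "Example Updater" line is made up to show an entry that passes.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [Nkaqiyixev] rundll32.exe "C:\WINDOWS\utajevoherajo.dll",Startup
O4 - HKLM\..\Run: [Example Updater] "C:\Program Files\Example\updater.exe" /background
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
"""

# Path handed to rundll32: optionally quoted, ends in .dll, stops at the
# comma that introduces the exported entry point (",Startup" above).
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?', re.IGNORECASE)
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"


def classify(line):
    """Return (label, reason) for one HijackThis line."""
    line = line.strip()
    if "(no file)" in line or "(file missing)" in line:
        return ("orphan", "points at a file that no longer exists; inert on its own, "
                          "usually a leftover that HijackThis may not be able to remove")
    if line.startswith("F2 - REG:system.ini: UserInit="):
        value = line.split("UserInit=", 1)[1].strip().rstrip(",")
        if value.lower() == STOCK_USERINIT:
            return ("ok", "stock UserInit value")
        return ("review", f"UserInit is not the stock value: {value}")
    if line.startswith("O4"):
        m = RUNDLL.search(line)
        if m:
            dll = m.group(1)
            folder = dll.rsplit("\\", 1)[0].lower()
            if not folder.endswith("\\system32"):
                return ("review", f"rundll32 loads {dll} from outside system32")
    return ("ok", "")


def triage(log_text):
    """Classify every non-blank line; returns a list of (label, line, reason)."""
    results = []
    for line in log_text.splitlines():
        if line.strip():
            label, reason = classify(line)
            results.append((label, line.strip(), reason))
    return results


if __name__ == "__main__":
    for label, line, reason in triage(SAMPLE_LOG):
        print(f"[{label:6}] {line}")
        if reason:
            print(f"         {reason}")
```

The rules are deliberately narrow: an entry labelled "ok" only means none of these three checks fired, and a "review" entry still needs the msconfig-style test described earlier in the thread (disable it, reboot, see whether the redirect stops) before anything is fixed.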

Kudos0

Re: Browser Hijack Virus

Hi.  I still can't get rid of

O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)

HijackThis sees it but can't get rid of it. I wonder if there is a method of getting rid of this with regedit. What do you think?

I am assuming that getting rid of this will solve the problem. But another line of thinking is that I could uninstall and reinstall Firefox. Other boards point to that as a possible solution to the redirect virus. What do you think?

Thanks!

Kudos0

Re: Browser Hijack Virus

Hi.  I just tried something called GooredFix.exe, and it may have solved the problem.  It seems there is a redirect virus specific to Firefox, and this app finds and solves the problem.  My problem has been quite intermittent, and so I do not want to declare victory yet.  I will post again in 24 hours.

In the meantime, I still have

O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)

and that has me worried since everyone says it is bad, and I can't get rid of it with HiJackThis.  If anyone has any suggestions on a method of removal, please let me know.

Thanks!

Kudos0

Re: Browser Hijack Virus

Hi bogue

You may want to try and remove that entry by going into safe mode and then try to remove it by using HiJackThis and see if that will work.

Success always occurs in private and failure in full view.
Kudos0

Re: Browser Hijack Virus


floplot wrote:

Hi bogue

You may want to try and remove that entry by going into safe mode and then try to remove it by using HiJackThis and see if that will work.


The person has already tried Safe Mode with HijackThis, as seen in this post:


Quote:

I just realized that HiJackThis cannot remove this:

O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)

Just tried running HiJackThis after booting in Safe Mode, and that did not help.


There are entries that HijackThis won't remove; people who are new to HijackThis usually don't realise that.

Quads

Kudos0

Re: Browser Hijack Virus

Hey, Quads.  Is there another method for removing the things the HiJackThis finds but can't remove?  Like maybe regedit?  If I knew where to look... Do you?

   - bogue

Kudos0

Re: Browser Hijack Virus

Advanced tools with scripts would remove it.

To look at it in the registry, look for any of these entries:


HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\AutorunsDisabled

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\AutorunsDisabled

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\AutorunsDisabled


Quads

Kudos0

Re: Browser Hijack Virus

Hi Quads:

OK, I do not have anything in these two locations:


HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\AutorunsDisabled

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\AutorunsDisabled

But I do have some stuff here:


HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\AutorunsDisabled

What I have actually looks benign:

In folder intu-help-qb1, there is

 - (Default), REG_SZ,  Intuit Help System Asunc Pluggable Protocol (v1) for QuickBooks

 - CLSID, REG_SZ, {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3}

and in folder skype4com, there is

 - (Default), REG_SZ,  Skype4COM Pluggable Protocol

 - CLSID, REG_SZ, {FFC8B962-9B404DFF9458-1830C7DD7F5D}

However, I do have something that looks fishy here:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\mk\

In a folder called *, there is

 - (Default), REG_SZ,  (value not set)

 - CLSID, REG_SZ, {9D148291-B9C8-11D0-A4CC-0000F80149F6}

What do you think?  Should I just delete the Name-Space Handler folder using regedit?

Kudos0

Re: Browser Hijack Virus

No. Deleting entries in regedit without knowing what they are or what they belong to is dangerous.

In Regedit highlight / select "My Computer" at the top

In the edit menu, select "Find"

In the "Find What" box, type "AutorunsDisabled" and press Enter. If it finds one entry or more than one, you can press F3 to carry on searching.

Kudos0

Re: Browser Hijack Virus

Hi Quads:

I did that regedit search. There are several hits for AutorunsDisabled. None of them look any fishier than the others. Is there something I should look for, or should I list them here? Or do you think this could be a red herring? In other words, is "O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)" a definite problem, or might it actually be OK?

Thanks!

   - Bogue

Kudos0

Re: Browser Hijack Virus

Have your other problems disappeared? (Fix)

Some AutorunsDisabled are there as a setting to stop Autorun Malware,

Although I don't have any AutorunsDisabled in my registry

Quads 

Kudos0

Re: Browser Hijack Virus

Regarding AutorunsDisabled, here's what I have:

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AutorunsDisabled
HKEY_CLASSES_ROOT\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance\AutorunsDisabled
HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\AutorunsDisabled
HKEY_CLASSES_ROOT\Directory\shellex\CopyHookHandlers\AutorunsDisabled
HKEY_CLASSES_ROOT\Directory\shellex\DragDropHandlers\AutorunsDisabled
HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\AutorunsDisabled
HKEY_CLASSES_ROOT\PROTOCOLS\Handler\AutorunsDisabled

Regarding the search redirect problem, I may be in the clear, but I want to give it a little while longer, because my problem was intermittent.

Kudos0

Re: Browser Hijack Virus

This is the one HijackThis is finding:

HKEY_CLASSES_ROOT\PROTOCOLS\Handler\AutorunsDisabled

It is a pluggable protocol, but in this case not associated with a CLSID.

If everything is OK, no redirects etc., I would just leave them.

Quads

Kudos1

Re: Browser Hijack Virus

Hi.

Well, I have had several days now to confirm that I no longer have the browser hijack problem.

Just for the record (in case anyone is searching and finds this thread), my problem was that when I searched in Google and clicked on one of the search result links, sometimes (maybe one in 10? 20?) my browser would redirect to some bogus page.  On several occasions that bogus page was www.comparedby.us.  I am running Windows XP SP3, and my browser of choice is Firefox. 

Norton 360 did not find anything.  Malwarebytes found some things, but apparently unrelated.  HijackThis also found some things, but apparently also unrelated.

The solution was GooredFix.exe which can be found here: http://jpshortstuff.247fixes.com/GooredFix.exe  It turns out that I had a bogus and somehow invisible Firefox add-on that was responsible for the redirect.  I had seen on some other boards people with the same symptoms as me who solved their problem by uninstalling and reinstalling Firefox, but GooredFix solved things perfectly.  It seeks and destroys hidden Firefox add-ons.

Anyway, thanks for your help!

   - Bogue
