Browser Hijack Virus

Hi, I have Norton 360, but it seems my computer is infected with a browser / Google search hijacking virus.  The symptom is that clicking on a Google search link brings me to a bogus site like www.comparedby.us.  I was hoping that there would be some generic solution to this, but I can't seem to find that.  Can you help?  Thanks!

   - bogue12

Hi bogue12:

Have you cleared your browser cache and temp files?  You can also try Malwarebytes free version.  Download it, install, update and run a full scan.  You will be able to post the log by using the "add attachments" link below the message window.  Save the log to Notepad before attaching as a .txt file.

If that doesn't work, it may provide more information about what to do next.

http://www.filehippo.com/download_malwarebytes_anti_malware/

Thanks for your reply.  I previously installed Malwarebytes and recently did a quick scan, and it found nothing.  I am running a full scan now.  In the meantime, I have attached the log file from HijackThis.

Thanks!

Hi bogue

Don't forget to update Malwarebytes before doing the scans with it.  That program updates quite often.

Hi bogue

I can tell you this much.  You have very old Java and Adobe files running on your computer.  Both of those sites update their programs quite often for security reasons.

O4 - HKLM\..\Run: [Nkaqiyixev] rundll32.exe "C:\WINDOWS\utajevoherajo.dll",Startup

I don't have a qualified reader available online at the moment, and I am not one.  This seems to be the only item that requires further investigation.  It is coming up as unknown on Google searches.  It is in your startup file.  You could go to msconfig and disable it to see if that prevents the redirect without disabling anything important.  If there is no issue and it stops the redirect, you can then pull HijackThis back up and click fix.

OK, the Malwarebytes full scan took a while.  Indeed it did find some bad files (located in System Restore) which are now removed.  Also, I unchecked utajevoherajo in system start-up, as you suggested.  My symptoms (redirected search links) have been intermittent historically, and so I am not ready to say everything is OK yet.  I will get back to you in 24 hours or when I see the problem again, whichever comes first.

Thanks!


Run HiJackThis and check (mark) the following:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [Nkaqiyixev] rundll32.exe "C:\WINDOWS\utajevoherajo.dll",Startup
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

Then select "Fix checked" from the main menu.  Restart your system and see if the redirects are still happening.

In some of the recent infections I am seeing on customer computers, the hosts file has been modified by the viruses to add redirectors to it.  To check it, go to C:\windows\system32\drivers\etc\hosts.  It will ask what you want to open it with; just tell it WordPad or similar.  If there is anything below the commented section (the parts with # at the start of the line), delete it.  Really, it would be safe to delete everything in there most of the time.  If you're not sure, copy and paste what is in there into a reply in this thread.
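A scripted version of the hosts-file check described above, added here as an example and not code from this thread: it parses the file the way Windows does (comments stripped, one address followed by one or more names) and reports any name mapped to a routable address, which is what a hosts-based redirector adds, while leaving loopback and 0.0.0.0 entries alone since those are what a clean or ad-blocking hosts file contains.  The sample content and the `WINDOWS_HOSTS` path default are constructed for the example.

```python
# Added example (not from the thread): flag hosts-file entries that point
# a hostname at a routable address, the shape of a hosts-based redirector.
import ipaddress

WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"   # stock location

# Constructed sample of a tampered hosts file (not a real capture).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.google.com
203.0.113.10    google.com   # injected redirect
0.0.0.0         ads.example.net
"""

def parse_hosts(text):
    """Return (address, hostname) pairs, ignoring blank lines and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            entries.append((parts[0], name.lower()))
    return entries

def suspicious_entries(text):
    """Entries whose target is neither loopback nor 0.0.0.0.  A stock hosts
    file only maps localhost, so anything else deserves a look."""
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue   # 127.0.0.1, ::1 and 0.0.0.0 sinkholes are not redirects
        flagged.append((ip, name, "hostname redirected to routable address"))
    return flagged

def check_hosts_file(path=WINDOWS_HOSTS):
    """Read a real hosts file and return its suspicious entries."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())
```

Run `check_hosts_file()` on the machine in question; an empty list means nothing below the comment block is redirecting a name off the box.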

First, thank you all for your help.  I was about to declare victory, but late today I got another redirect.  It is intermittent, this thing.  Often the redirect is to comparedby<dot>us.  Anyway, before I got the redirect again, I fixed the bad files from the Malwarebytes scan (as I mentioned before), fixed the HiJackThis entries that dbrisendine suggested, and even checked C:\windows\system32\drivers\etc\hosts as omega7441 suggested (nothing there).

After reboot, I ran HiJackThis again and this one is back again:

O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)

Killed it again, rebooted, and it is back.  (Attached is the updated log file.)  So do you think this is the culprit?

On a different line of thinking, I saw some other discussion board posts about the redirect virus, and I saw some people claim that a complete uninstall and reinstall of Firefox did the trick.  I have not done this.  Let me know if you think that would make sense.

Thanks!

I just realized that HiJackThis cannot remove this:

O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)

Just tried running HiJackThis after booting in Safe Mode, and that did not help.

delphinium wrote:

O4 - HKLM\..\Run: [Nkaqiyixev] rundll32.exe "C:\WINDOWS\utajevoherajo.dll",Startup

I don't have a qualified reader available online at the moment, and I am not one.  This seems to be the only item that requires further investigation.  It is coming up as unknown on Google searches.  It is in your startup file.  You could go to msconfig and disable it to see if that prevents the redirect without disabling anything important.  If there is no issue and it stops the redirect, you can then pull HijackThis back up and click fix.

There is a reason for that:

" [Random] rundll32.exe "C:\WINDOWS\[random].dll",Startup"

Google searches won't give results or correct results for the file if the file name has a completely random name.

Quads
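As an added example (not code from this thread or from HijackThis), a small triage pass over log lines like the ones quoted above: it flags O4 entries that start a DLL sitting directly in C:\WINDOWS through rundll32's Startup export, the loader shape Quads describes, plus entries marked (no file) or (file missing).  It makes no attempt to judge whether a name is "random", since that is not reliably testable; the sample log lines and the vendor path in them are constructed, and the output is a review list, not a verdict.

```python
# Added example (not from the thread): triage HijackThis log lines for the
# "[random] rundll32.exe C:\WINDOWS\[random].dll,Startup" loader shape and
# for orphaned entries whose file is gone.  Heuristic, not a verdict.
import re

# Constructed sample modelled on the entries quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [Nkaqiyixev] rundll32.exe "C:\WINDOWS\utajevoherajo.dll",Startup
O4 - HKLM\..\Run: [VendorUpdater] C:\Program Files\Example Vendor\updater.exe
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
"""

# O4 autorun lines that launch a DLL through rundll32: capture the DLL path
# and the exported entry point named after the comma.
RUNDLL_RE = re.compile(
    r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] rundll32(?:\.exe)?\s+'
    r'"?(?P<dll>[^",]+)"?,(?P<entry>\w+)', re.IGNORECASE)

def is_windows_root_dll(dll):
    """True when the DLL sits directly in the Windows directory rather than
    System32; legitimate rundll32 autoruns almost never live there."""
    folder = dll.rsplit("\\", 1)[0].lower()
    return folder.endswith("\\windows")

def triage(log):
    """Return (category, label, detail) findings for the log text."""
    findings = []
    for line in log.strip().splitlines():
        m = RUNDLL_RE.match(line)
        if m:
            if is_windows_root_dll(m.group("dll")) and m.group("entry").lower() == "startup":
                findings.append(("rundll32-startup-loader", m.group("name"), m.group("dll")))
        elif "(no file)" in line or "(file missing)" in line:
            # Orphaned registrations: nothing left to run, but still worth cleaning.
            parts = line.split(" - ")
            findings.append(("orphaned-entry", parts[1], line))
    return findings

if __name__ == "__main__":
    for category, label, detail in triage(SAMPLE_LOG):
        print(f"{category:24} {label:28} {detail}")
```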

Hi.  I still can't get rid of

O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)

HijackThis sees it but can't get rid of it.  I wonder if there is a method of getting rid of this with regedit.  What do you think?

I am assuming that getting rid of this will solve the problem.  But another line of thinking is that I could uninstall and reinstall Firefox.  Other boards point to that as a possible solution to the redirect virus.  What do you think?

Thanks!

Hi.  I just tried something called GooredFix.exe, and it may have solved the problem.  It seems there is a redirect virus specific to Firefox, and this app finds and solves the problem.  My problem has been quite intermittent, and so I do not want to declare victory yet.  I will post again in 24 hours.

In the meantime, I still have

O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)

and that has me worried since everyone says it is bad, and I can't get rid of it with HiJackThis.  If anyone has any suggestions on a method of removal, please let me know.

Thanks!

Hi bogue

You may want to try and remove that entry by going into Safe Mode and then try to remove it by using HiJackThis and see if that will work.


floplot wrote:

Hi bogue

You may want to try and remove that entry by going into Safe Mode and then try to remove it by using HiJackThis and see if that will work.

The person has already tried Safe Mode with HijackThis, as seen in this post:

Quote:

I just realized that HiJackThis cannot remove this:

O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)

Just tried running HiJackThis after booting in Safe Mode, and that did not help.

There are entries that HijackThis won't remove; usually people who are new to HijackThis don't realise.

Quads

Hey, Quads.  Is there another method for removing the things the HiJackThis finds but can't remove?  Like maybe regedit?  If I knew where to look... Do you?

   - bogue

Advanced tools with scripts would remove it.

To look at it in the registry, look for any of these entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\AutorunsDisabled

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\AutorunsDisabled

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\AutorunsDisabled

Quads

Hi Quads:

OK, I do not have anything in these two locations:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\AutorunsDisabled

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\AutorunsDisabled

But I do have some stuff here:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\AutorunsDisabled

What I have actually looks benign:

In folder intu-help-qb1, there is

 - (Default), REG_SZ, Intuit Help System Asunc Pluggable Protocol (v1) for QuickBooks

 - CLSID, REG_SZ, {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3}

and in folder skype4com, there is

 - (Default), REG_SZ, Skype4COM Pluggable Protocol

 - CLSID, REG_SZ, {FFC8B962-9B404DFF9458-1830C7DD7F5D}

However, I do have something that looks fishy here:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\mk\

In a folder called *, there is

 - (Default), REG_SZ, (value not set)

 - CLSID, REG_SZ, {9D148291-B9C8-11D0-A4CC-0000F80149F6}

What do you think?  Should I just delete the Name-Space Handler folder using regedit?

No.  Deleting entries in regedit without knowing what they are or belong to is dangerous.

In Regedit, highlight / select "My Computer" at the top.

In the Edit menu, select "Find".

In the "Find What" box, type "AutorunsDisabled" and press Enter.  If it finds 1 entry or more than 1, you can press F3 to carry on searching.

[attached screenshot: Procols.regedit.jpg]