Browser Hijacked

I am a MalwareBytes Pro user and my browser has been hijacked. I am using Windows 7 Professional and have:

- turned off system restore

- booted into Safe Mode, and ran Malwarebytes scans until it showed a clean computer

- deleted all files in all temporary directories

- disabled all browser add-ons except Shockwave Flash & Silverlight

- looked for all hosts files on the computer to ensure they did not contain any malicious commands

- booted back into normal mode and again ran Malwarebytes scans until it showed a clean computer

and still had the browser hijack infection.

I ran DDS, and have included the two text files.

Any help would be appreciated...

Attach.txt

DDS.txt

Welcome to the forum.

Looks like you're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

Let's confirm it.....

Please remove any USB or external drives from the computer before you run this scan!

Please download and run RogueKiller.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system (don't run any other options)

Post back the report.

MrC

Yes....LSP: mswsock.dll <-----from your DDS log...this points to that infection.

So read this over:

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards and......

  • There's a possibility that you'll lose your internet connections which I may not be able to correct and will require a repair install.
  • There's also a possibility that during the cleaning procedure the computer will become unusable (won't boot) which will result in a repair install or complete format and install.
  • I strongly suggest you back up all of the important items on the system before we continue.

Please let me know you have read this and agree to it.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------

Please make sure system restore is running and create a new restore point before continuing.

Please download and run TDSSKiller to your desktop as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

tdss_1.jpg

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

tdss_2.jpg

------------------------

Click the Start Scan button.

tdss_3.jpg

-----------------------

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

tdss_4.jpg

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

tdss_5.jpg

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

MrC

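As an added triage example (my own, not MrC's instructions or any forum tool), here is a PowerShell script for Windows 7 that checks the two things this thread keeps coming back to: the Winsock provider chain that the "LSP:" line in a DDS log is read from, and the hosts file the original poster inspected by hand. The `netsh winsock show catalog` output layout, and the rule that a stock provider lives under System32 and is Microsoft-signed, are my assumptions.

```powershell
# Added triage example (not from the forum post): list Winsock providers (LSPs) via netsh,
# check that each provider DLL exists and carries a valid Microsoft Authenticode signature,
# then list hosts-file entries that do not map to loopback. Run in an elevated PowerShell.

$catalog   = netsh winsock show catalog
$providers = @()
$desc      = ''
foreach ($line in $catalog) {
    if ($line -match '^\s*Description:\s*(.+)$')   { $desc = $Matches[1].Trim() }
    if ($line -match '^\s*Provider Path:\s*(.+)$') {
        # netsh prints %SystemRoot%-relative paths; expand them before touching the file
        $path = [Environment]::ExpandEnvironmentVariables($Matches[1].Trim())
        $providers += New-Object PSObject -Property @{ Description = $desc; Path = $path }
    }
}

foreach ($p in ($providers | Sort-Object Path -Unique)) {
    if (-not (Test-Path -LiteralPath $p.Path)) {
        Write-Output ("MISSING {0}  ({1})" -f $p.Path, $p.Description)
        continue
    }
    $sig    = Get-AuthenticodeSignature -FilePath $p.Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
    # Assumption: stock Windows 7 providers live under System32 and are Microsoft-signed.
    # A provider in another directory, or with an invalid or missing signature, is what a
    # hijacked LSP chain looks like and deserves a closer look.
    $inSystem32 = $p.Path -like (Join-Path $env:SystemRoot 'system32\*')
    $ok  = ($sig.Status -eq 'Valid') -and ($signer -match 'Microsoft') -and $inSystem32
    $tag = if ($ok) { 'ok     ' } else { 'REVIEW ' }
    Write-Output ("{0} {1}  status={2}  signer={3}" -f $tag, $p.Path, $sig.Status, $signer)
}

# hosts file: report any active mapping that does not point at loopback
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -LiteralPath $hosts |
    Where-Object { $_ -match '^\s*[0-9A-Fa-f:.]+\s+\S' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s' } |
    ForEach-Object { Write-Output ("HOSTS   {0}" -f $_.Trim()) }
```

A kernel-mode rootkit can hide files or falsify what the running OS reports, so a clean result here does not clear the machine; treat it as a triage aid beside TDSSKiller, not a replacement for it.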
MrC,

Thank you for your help. I have a network at this location with four computers and a Windows Small Business Server 2011. The computer that is infected is my main computer which I use for my small business, banking, and personal and business financial purposes. I have disconnected that machine from the network and internet and am communicating from another machine.

Based on what you have indicated in your prior post, I am going to wipe my machine and reinstall the operating system and all software - what a pain... I do have several questions that perhaps you can help me with.

- I am running Symantec Endpoint Protection, Small Business Edition on the rest of my machines and my server. Several months ago I ran into a problem with the Symantec software on my main computer - it was preventing me from connecting to my server, and after several hours of troubleshooting, I ended up deleting that program and loading MalwareBytes Pro on that computer.

- How did Malwarebytes allow this infection??

- Should I be running both Malwarebytes Pro and Symantec Endpoint Protection on all computers??

- If so, will Malwarebytes run on the Server??

- Should I be worried about infection on the rest of the machines on the network, including the server??

- The computer that is infected has a second hard disk (Drive D:). Do I need to wipe that drive when I reinstall Windows 7??

Thank you for your assistance...

- I am running Symantec Endpoint Protection, Small Business Edition on the rest of my machines and my server. Several months ago I ran into a problem with the Symantec software on my main computer - it was preventing me from connecting to my server, and after several hours of troubleshooting, I ended up deleting that program and loading MalwareBytes Pro on that computer.

- How did Malwarebytes allow this infection??

Malware uses various methods to infect you......you should also have an anti-virus program running.

- Should I be running both Malwarebytes Pro and Symantec Endpoint Protection on all computers??

Yes

- If so, will Malwarebytes run on the Server??

I'm not a member of the staff here so I would suggest you ask that question in this part of the forum, I believe it does though.

- Should I be worried about infection on the rest of the machines on the network, including the server??

They should be OK, but I would check them

- The computer that is infected has a second hard disk (Drive D:). Do I need to wipe that drive when I reinstall Windows 7??

It should be OK, but check it.

Take a look at My Preventive Maintenance to avoid being infected again.

Any questions please post back.

MrC
