Since this morning I have a problem with my browser (Firefox 35.0 on a Windows 7-pc).

Instead of my customized startpage I always get the page "http:///?type=hppp". When I manually set it to something else (either website or html-page on local folder) it works first hand, but after closing and reopening Firefox the strange "http:///?type=hppp" reappears.

 

I think it's related to something called PUM.HomePage. I spent a lot of time reading through various forums and websites and found a bit of information on this, but not too much. Anyway, since I'm not a pro on those technical issues, I only understood part of what people in various forums wrote (run this or that program) on such issues and am unsure, what exactly must be my next steps.

 

Avira Antivir doesn't find any problem and the on-board Microsoft Security Essential says everything's fine (what do you expect...). Before running the programs mentioned below I disabled both of these to prevent them blocking something.

 

RogueKiller noticed this PUM.HomePage-issue (see log below). In my last search it also showed something about PUM.DesktopIcons in the registry, that did not appear until the last of several checks.

 

I also ran FRST64, both logs (FRST/Addition) below as well.

 

Malwarebytes found no problem in my last complete search (Threat Scan, included Scan for rootkits, both PUM and PUP set to "Treat detections as malware"). In some earlier search something was found that I first quarantined and then deleted, but I don't know if it was related to this issue.

 

In one forum someone with a similar problem was told to use Kaspersky TDSSKiller which I did as well - no threats found.

 

Below I post all the logs from the checks mentioned (except Avira/MSE). I know there's surely an answer in this forum or on some other website, I just don't understand it due to my level of knowledge on such issues. Can someone give me a hint what these logs tell me? It's like Chinese to me.

1_RKreport_SCN_01182015_211335.log

2_FRST.txt

3_Addition.txt

4_malwarebytes.txt

5_kaspersky-tdss.txt


Due to the fact that there was no reply after 4 days I ran the various programs again - logs are attached below.

 

Alongside the PUM.HomePage now also PUM.DesktopIcons was found by Rogue Killer, so it looks a bit like double trouble.

 

Still Avira Antivir, MS Security Essentials and Malwarebytes cannot find any suspicious issues on my computer.

1_RKreport_SCN_01222015_221651.log

2_FRST.txt

3_Addition.txt

4_malwarebytes.txt

5_Kaspersky_TDSS.txt


Hello and welcome,

 

P2P/Piracy Warning:

 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

There are two anti-virus programs installed on your system, that is counterproductive, uninstall one of those now, your choice...

 

Next,

 

Open Malwarebytes Anti-Malware, from the Dashboard please Check for Updates by clicking the Update Now... link

When the update completes select > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.

 

 

Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.

 

When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.

 

 

In most cases, a restart will be required.

 

 

Wait for the prompt to restart the computer to appear, then click on Yes.

 

 

When the scan is completed from the main GUI click on History > Application Logs. Find your scan log, the date when run will identify it. Checkmark "select" box > then hit the "view" button. The history log window will open. At the bottom of that window are two options, "Copy to clipboard" and "Export"

Select > "Copy to clipboard" that copies the full log to the windows clipboard, so at your reply you right click into the text field and select "Paste" the log is pasted (copied) to your reply.

 

Or select "Export" you are given the option to export as a Text file (*.txt) or XML file (*.xml) Choose text file, save the exported file to a place of your choice. That file can be attached to your reply...

 

Next,

 

Scan with ZOEK

 

Please download ZOEK by Smeenk from here: http://hijackthis.nl/smeenk/ and save it to your desktop (preferred version is the *.exe one)

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

 


Right-click on the Zoek icon and select Run as Administrator to start the tool.
Wait patiently until the main console appears, it may take a minute or two.
In the main box please paste in the following script:

 

services_list;standardsearch;autoclean;emptyclsid;emptyfolderscheck;deleteiedefaults;firefoxlook;chromelook;FFdefaults;CHRdefaults;

 

 


Make sure that Scan All Users option is checked.
Push Run Script and wait patiently. The scan may take a couple of minutes.
When the scan completes, a zoek-results logfile should open in notepad.
If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

 

Please include its content in your next reply. Don't forget to re-enable security software!

 

Post those logs, let me know if there are any remaining issues or concerns.....

 

Thank you,

 

Kevin


Hello kevinf80, thank you for your reply.

 

I uninstalled MS Security Essentials.

 

After that I ran Malwarebytes with the requested settings, but just like the last times nothing was found. Log attached.

 

Next I ran Zoek and did the restart at the end, as the program asked for. Log attached as well.

 

Currently the situation has not changed, browser startpage is still hijacked and Rogue Killer still finds PUM.HomePage and PUM.Desktop.Icons on my computer. I attached a new Rogue Killer log as well, still mentioning those two issues.

1_malwarebytes2015-01-23_21-38.txt

2_zoek-results.txt

3_RKreport_SCN_01232015_221508.log


Double-click RogueKiller.exe to run again. (Vista/7/8 right-click and select Run as Administrator)

 

When "initializing/pre-scan" completes press the Scan button, this may take a few minutes to complete.

 

When the scan completes open the Web Browser tab and locate the following detection:

 

[PUM.HomePage][FIREFX:Config] mxqez5st.default : user_pref("browser.startup.homepage", "?type=hppp"); -> Gefunden

 

Make sure that entry is Checkmarked (ticked) also ensure that all other entries (if present) are not Checkmarked.

 

Hit the Delete button, when complete select "Report" post that log...

 

The Desktop Icons are ok, not malicious...

 

Thanks,

 

Kevin
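An added example (not part of the original thread and not RogueKiller's own logic): a read-only Python check for the pref named in the detection above. It parses prefs.js and user.js in a Firefox profile folder, flags homepage entries that name no host, and notes when user.js sets the homepage, because Firefox re-applies user.js at every start. Whether a user.js was involved in this case is not known from the thread; the sample profile is constructed.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Matches lines such as: user_pref("browser.startup.homepage", "about:home");
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\);', re.M)
HOMEPAGE_PREF = "browser.startup.homepage"  # pref named in the RogueKiller detection
NO_HOST_SCHEMES = {"about", "file", "chrome", "resource"}

def read_prefs(path):
    """Return {pref name: raw value} from a prefs.js/user.js file (empty if absent)."""
    if not path.is_file():
        return {}
    return dict(PREF_RE.findall(path.read_text(encoding="utf-8", errors="replace")))

def is_plausible_homepage(entry):
    """True for about:/file: style entries or http(s) URLs that actually name a host."""
    parts = urlsplit(entry.strip())
    if parts.scheme in NO_HOST_SCHEMES:
        return True
    return parts.scheme in {"http", "https"} and bool(parts.netloc)

def audit_profile(profile_dir):
    """Report suspicious homepage values and whether user.js re-applies them."""
    findings = []
    for name in ("prefs.js", "user.js"):
        raw = read_prefs(Path(profile_dir) / name).get(HOMEPAGE_PREF)
        if raw is None:
            continue
        entries = raw.strip('"').split("|")  # several homepages are "|"-separated
        bad = [e for e in entries if not is_plausible_homepage(e)]
        if bad:
            findings.append((name, "malformed homepage", bad))
        if name == "user.js":
            # user.js is re-read on every start and overrides prefs.js
            findings.append((name, "homepage forced at every startup", entries))
    return findings

def demo():
    """Constructed sample profile reproducing the value from the log above."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "prefs.js").write_text(
            'user_pref("browser.startup.homepage", "?type=hppp");\n'
            'user_pref("browser.startup.page", 1);\n')
        return audit_profile(d)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

To check a real profile, call `audit_profile()` with the profile folder path while Firefox is closed, so prefs.js is not being rewritten during the read.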


Done. After deleting the PUM.HomePage the log shows "ersetzt (about:home)" (ersetzt = replaced). Full log is attached.

 

After reopening the browser and then running Rogue Killer once more it's back again as before. In case you need it, second log is attached as well.

 

By the way, I noticed that I run Rogue Killer in a German language version. If it helps, I can try to switch to an English one.

1_RKreport_DEL_01232015_235714.log

2_RKreport_SCN_01242015_000849.log


So the homepage hijacker has returned. Try the following:

 

Download and save Avast Browser Cleanup to your Desktop: http://malwarefixes.com/avast-browser-cleanup-free-scanner-download/

 

Full instructions at that link. Basically d/l and save to desktop, double click to run. Remove what is found.

 

Let me know if that fixes homepage issue...


This is frustrating, we delete the nuisance first with Zoek, then again with RogueKiller but it just returns... Make sure you have Firefox opened, have all other browsers closed. Go to this link in firefox:

 

https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings?redirectlocale=en-US&redirectslug=reset-firefox-easily-fix-most-problems#w_refresh-firefox

 

When the link is opened scroll to Refresh Firefox, it has instructions list 1, 2 and 3. Do exactly what they say. Does that help?


... Make sure you have Firefox opened, have all other browsers closed. Go to this link in firefox:

 

https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings?redirectlocale=en-US&redirectslug=reset-firefox-easily-fix-most-problems#w_refresh-firefox

 

When the link is opened scroll to Refresh Firefox, it has instructions list 1, 2 and 3. Do exactly what they say. Does that help?

 

It kind of worked with that last thing.

Now the Firefox homepage always stays the same as I set it and is not changed by the hijack.

 

Anyway, Rogue Killer still says it finds something called PUM.HomePage. Can you take a look at the log, if this means it's just kind of disabled now but still exists?

 

Also, now that I ran it while Firefox was opened (it was always closed in my earlier scans) it also mentions some results "[iAT:Inl(Hook.IEAT)]" in connection with FlashMute. That's a tool I installed to prevent flash pages from annoyingly playing music, ads etc. Are these results serious problems or just found because Rogue Killer doesn't know this tool?

RKreport_SCN_01252015_112153.log


RogueKiller log is clean, no malicious entries. Sometimes RK logs can be confusing, it will report many entries that are different to default settings. When a log appears with many entries people can panic. It is bad practice to assume entries listed are always bad, best to do some research first....

 

The new homepage listed is outwith the standard Firefox default, hence it shows in the log. http://www.kicker.de is safe and has no bad feedback...

 

Let me know if there are any remaining issues or concerns, also run the following please;

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop. (If your security alerts either accept the alert, or turn the security off while Security Check runs)
Double click SecurityCheck.exe (Vista or Windows 7/8 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

If Security Check will not run or you get an alert saying it is not supported, Re-boot your PC then try again...
 

Thank you,

 

Kevin...


I'm glad to hear those last reported issues are not malicious.

 

Here's the log of Security Check.

It says Internet Explorer is out of date which is probably true since I don't use it and missed various updates therefore.

Java version 32-bit also says it's out of date although Java itself says it's up to date and that no updates are available.

checkup.txt


If no remaining issues or concerns run the following to clean up...

 

Download "Delfix by Xplode" and save it to your desktop.

 

Or use the following if first link is down:

 

"Delfix link mirror"

 

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

 

Make Sure the following items are checked:

 

 


    Activate UAC
    Remove disinfection tools
    Create registry backup
    Purge System Restore
    Reset system settings

 

Now click on "Run" and wait patiently until the tool has completed.

 

The tool will create a log when it has completed. We don't need you to post this.

 

Part of the routine will be to create a registry back up with ERUNT, the back up will be created here:

 

C:\Windows\ERUNT

 

When all is known to be well with your system you can delete that back up folder if you consider it as not needed...

 

Any remnant files/logs from tools we have used can be deleted…

 

Next,

 

Read the following link to fully understand PC security and best practices, you may find it useful....

 

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

 

Let me know if we are ok to close out....

 

Kevin..


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.