Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Hijacked Firefox as per instructions

Re: Hijacked Firefox as per instructions

by Bob4 » March 1st, 2011, 7:17 pm

psychlist78 wrote: Jeez, I'm stupid. Thanks.
No, you're not... Better to ask than to make a mistake.
Bob4
MRU Master
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Hijacked Firefox as per instructions

by psychlist78 » March 1st, 2011, 7:28 pm

All processes killed
========== FILES ==========
C:\WINDOWS\imsins.BAK moved successfully.
========== OTL ==========
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\ycxj6tgz.default\searchplugins\godarkus.xml moved successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ deleted successfully.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_USERS\S-1-5-21-2665951772-1106983033-1367571814-1005\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-2665951772-1106983033-1367571814-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}\ not found.
Registry value HKEY_USERS\S-1-5-21-2665951772-1106983033-1367571814-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 56545 bytes

User: LocalService
->Temp folder emptied: 66284 bytes
->Temporary Internet Files folder emptied: 442770 bytes
->Flash cache emptied: 2766 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 107381556 bytes
->Java cache emptied: 4434 bytes
->Flash cache emptied: 10262 bytes

User: user
->Temp folder emptied: 283740054 bytes
->Temporary Internet Files folder emptied: 3859689 bytes
->Java cache emptied: 73874832 bytes
->FireFox cache emptied: 46890485 bytes
->Flash cache emptied: 2847236 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 20552968 bytes
%systemroot%\System32 .tmp files removed: 4182033 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 612806035 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 38345622 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,140.00 mb


OTL by OldTimer - Version 3.2.22.2 log created on 03012011_175818

Files\Folders moved on Reboot...
C:\WINDOWS\temp\Perflib_Perfdata_11e0.dat moved successfully.
C:\WINDOWS\temp\vtclrg41.tmp moved successfully.

Registry entries deleted on Reboot...

The machine rebooted after one slip-up -- a Windows issue -- and is running fine.
psychlist78
Regular Member
 
Posts: 32
Joined: February 18th, 2011, 4:01 pm

Re: Hijacked Firefox as per instructions

by Bob4 » March 1st, 2011, 8:08 pm

Nice work. Your system seems to be clean again.
Just a few things to clean up some of what we used and a few preventative tips.

_____________________________
This process is going to clean up some of the tools we have used.
Open OTL.exe and click on the Cleanup button. You will be asked to reboot.
Please do so now to clean up some tools we used.

________________________________
Please create a 'clean' System Restore Point:
The reason for doing this is so that, in case you need System Restore, you don't put back all we just took out.
  • Click Start / All Programs / Accessories / System Tools / System Restore
  • Place a check mark by Turn off System Restore
  • Windows will give you a warning; click Yes
  • Click APPLY
  • REBOOT the computer
  • Once rebooted go right back to the same place and place a check mark by system restore
  • Click APPLY and OK


_____________________________
Firewalls
A few words on the Microsoft firewall in XP. It only works in one direction: incoming.
That means if something gets by it you would never know it was trying
to contact the internet.
Example: A bad program installs itself. You would never know it was contacting the internet.
Downloading other nasties and so forth.

If you decide to run one of these you should be certain Microsoft's firewall is disabled.

1. Click Start, click Run, type Firewall.cpl, and then click OK.
2. On the General tab, click Off (not recommended).
3. Click OK.
I will list a few free firewalls for you. These are good (free) firewalls:
Never run 2 firewalls together. They will interfere with each other.
So just download and install one!

Online Armor Firewall
Sunbelt Personal Firewall Free

______________________________________
Windows Updates
Be certain automatic updates are turned on via your control panel.
This will ensure your computer always has the latest available security updates installed.
If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical/important updates.
I know rebooting sometimes can be at an inconvenient time. This will still take less time than we needed to fix your machine. ;-)

_________________________________
Replace your host file
What this does... A host file is a list of known bad sites.
When you click or type in a link the host file is checked first.
If that link you typed or clicked is in the host file your browser will redirect you to http://127.0.0.1.
A page on your computer. Go ahead and click that. Then use the back button to come back.

Download HostsXpert v4.1 and unzip it to your desktop.
  • Double click on HostsXpert.exe
  • Click on Make writeable. (if Available) You should now see Make Readable.
  • Then click on Download<< MVPs Hosts << Replace. If your firewall asks, allow it.
    Once it's done.
  • Click on Make Hosts Read Only to secure it against further infection.

_______________________________________
Always watch closely any software you're installing.
If they want to install something more than their program, stop right there and investigate what it is they want to place on your computer.
If they give you the option not to install it, choose that until you investigate it completely.
The more you install that you don't want or need, the more you'll wish you didn't.

Here's a good read, if you care to, on... So how did you get infected in the first place?

Safe and Happy Surfing. :)
Bob4
MRU Master
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida
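
As an added illustration of the hosts-file behaviour described in the post above (not part of Bob4's post and not HostsXpert's code), this Python script audits a hosts file: it separates names sent back to the local machine, which is how a blocklist hosts file works, from names mapped to some other address, which deserve a manual look. The sample file, every name in it and the helper `audit_hosts` are constructed for this example.

```python
import ipaddress

# Constructed sample hosts file; every name and address below is made up.
SAMPLE_HOSTS = """\
# constructed example
127.0.0.1    localhost
127.0.0.1    ads.example.test tracker.example.test   # blocklist style
0.0.0.0      popups.example.test
203.0.113.7  www.bank.example.test    # name remapped to another machine
::1          localhost
not-an-ip    broken.example.test
"""


def audit_hosts(text):
    """Return (sinkholed, remapped, malformed) for the text of a hosts file.

    audit_hosts is a hypothetical helper written for this example.
    """
    sinkholed, remapped, malformed = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # strip comment, split on blanks
        if not fields:
            continue  # blank or comment-only line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append((lineno, raw.strip()))
            continue
        if len(fields) < 2:
            malformed.append((lineno, raw.strip()))  # address with no name
            continue
        for name in (f.lower() for f in fields[1:]):
            if addr.is_loopback or addr.is_unspecified:
                # Sent back to this computer: how a blocklist hosts file works.
                if name != "localhost":
                    sinkholed.append(name)
            else:
                # Resolves to some other machine: review every one of these.
                remapped.append((lineno, name, str(addr)))
    return sinkholed, remapped, malformed


if __name__ == "__main__":
    blocked, moved, bad = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(blocked)} names sinkholed to the local machine")
    for lineno, name, addr in moved:
        print(f"line {lineno}: {name} -> {addr} (not a local address)")
    for lineno, raw in bad:
        print(f"line {lineno}: cannot parse {raw!r}")
```

On Windows XP the file to feed it is %SystemRoot%\System32\drivers\etc\hosts; a remapped entry is not always hostile, but each one should be something the owner recognises.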

Re: Hijacked Firefox as per instructions

by psychlist78 » March 1st, 2011, 10:14 pm

Yippee! Almost done!

A couple of questions:

When I go to "system restore," there is not a place to turn off system restore unless I click on "system restore settings." Is this correct?

Further -- should I turn off the firewall before downloading another one? Isn't this dangerous? Maybe I am thinking too much.

Thanks,

Michael
psychlist78
Regular Member
 
Posts: 32
Joined: February 18th, 2011, 4:01 pm

Re: Hijacked Firefox as per instructions

by psychlist78 » March 1st, 2011, 10:19 pm

Oh, and should I delete HijackThis?
psychlist78
Regular Member
 
Posts: 32
Joined: February 18th, 2011, 4:01 pm

Re: Hijacked Firefox as per instructions

by psychlist78 » March 1st, 2011, 10:20 pm

And the ESET scanner? It does take up 107 MB.
psychlist78
Regular Member
 
Posts: 32
Joined: February 18th, 2011, 4:01 pm

Re: Hijacked Firefox as per instructions

by psychlist78 » March 1st, 2011, 10:25 pm

When I try to run HostsXpert, I get the error message "Your DNS Client Service is running and should be disabled before utilizing a large Hosts file." Any idea what this is in reference to?
psychlist78
Regular Member
 
Posts: 32
Joined: February 18th, 2011, 4:01 pm

Re: Hijacked Firefox as per instructions

by Bob4 » March 2nd, 2011, 8:14 am

psychlist78 wrote: When I go to "system restore," there is not a place to turn off system restore unless I click on "system restore settings." Is this correct?
Yes
psychlist78 wrote: Further -- should I turn off the firewall before downloading another one? Isn't this dangerous? Maybe I am thinking too much.
Keep Windows firewall on until you install the new one.

You may delete HJT if you like. Same with ESET.

    Disable DNS Client Service.
  • From Start, or Start, Run
    Type services.msc in the box and hit <Enter>
  • Give permission to continue if necessary.
  • Scroll down to DNS Client on the list, Right Click it and choose Properties.
  • Under Service Status, click Stop. Wait until it reports the service stopped.
  • Under Startup Type, choose Disabled.
  • Then click Apply, OK
Now go ahead and install the host file.
Bob4
MRU Master
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Hijacked Firefox as per instructions

by psychlist78 » March 2nd, 2011, 7:11 pm

I'm assuming the DNS client service should be started again.....when I'm done with the host.
psychlist78
Regular Member
 
Posts: 32
Joined: February 18th, 2011, 4:01 pm

Re: Hijacked Firefox as per instructions

by Bob4 » March 3rd, 2011, 7:20 am

psychlist78 wrote: I'm assuming the DNS client service should be started again.....when I'm done with the host.

NO. It will slow your internet connection down a lot. At this point we're just using the host file.
Bob4
MRU Master
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Hijacked Firefox as per instructions

by psychlist78 » March 3rd, 2011, 11:28 am

Hit a problem.

I did all of the above as asked, including not restarting DNS. I installed Online Armor and it "learned" the system. However, once it was done, I got a continual error message about a serious problem that Windows encountered. Of course, the user is then asked to report the problem to Microsoft. I did so, and the error message returned continuously. It just looped. So, I removed Online Armor and went back to the set point established before I installed it. The looping error message continues. I get that "serious problem" message, send a report to Microsoft, and then I get the "application not found" message. I'd send you a screen shot, but I don't think I have that capability here.

The "application not found" message says, "http://wer.microsoft.com/responses/resredir/aspx?sid=1505&Bucket=OLD_IMAGE.ibmflilter.sys_IBM&state=O&ID=2303ea48-4393-40a6-8372-cda4b8afada7&LCID=1033&OS=5.1.2600.2.00010100.3.0"

I know that, strictly speaking, this is not a malware issue, but I'm hopeful you can give me an idea on how to get rid of this looping error message.

Thanks for all you've done for me so far!

Michael
psychlist78
Regular Member
 
Posts: 32
Joined: February 18th, 2011, 4:01 pm

Re: Hijacked Firefox as per instructions

by Bob4 » March 3rd, 2011, 8:09 pm

Sometimes malware will hurt things on a system and we have no idea what or how. I'll try a bit to help with this. If I can't, I'll list a few forums that do this type of work more often.
If your machine is under any type of warranty it may be beneficial to contact the vendor for more specific help.

Seems this might have to do with a program on your machine.
IBM Rescue and Recovery with Rapid Restore
Try this to see if it makes a difference. This is only to see if it's the cause.

Stop and Disable a Service

Go to Start/Run, copy this in: "Services.msc" and click OK.
Scroll down and find this service: IBM Rapid Restore Ultra Service
Double-click on it.
Under the General tab, click the Stop button.
Then, as the startup type, click Disabled.

Reboot the machine to see if that message goes away.


A quick search around shows me that updating this software should help this issue. There will be a bit of research to do on your part.
You will have to know which version you have now. (Usually, opening the program and clicking on Help/About will tell you which version you have.)
Have a look here and see if updating to a newer version helps.
Bob4
MRU Master
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Hijacked Firefox as per instructions

by psychlist78 » March 3rd, 2011, 8:32 pm

Thanks much! Working on this now. Do you think I should try the other firewall, or stay with the one that I used earlier? I understand the difference between cause and correlation, and the boot problems might not have had anything to do with the firewall.
psychlist78
Regular Member
 
Posts: 32
Joined: February 18th, 2011, 4:01 pm

Re: Hijacked Firefox as per instructions

by psychlist78 » March 4th, 2011, 12:15 pm

Downloaded IBM Rapid Restore Ultra Service from Lenovo last night. Haven't installed it yet, but the other steps have stopped the error messages. Or at least they've gone away.
psychlist78
Regular Member
 
Posts: 32
Joined: February 18th, 2011, 4:01 pm

Re: Hijacked Firefox as per instructions

by Bob4 » March 4th, 2011, 10:35 pm

psychlist78 wrote: but the other steps have stopped the error messages. Or at least they've gone away.
Then we know that IBM Rapid Restore Ultra Service is your culprit.
I am going to have to suggest another forum or 2 that are more suited to this kind of problem.
Here is a list of a few other reputable free sites; they may be better suited to help you with this sort of problem.
Best of luck.


Tech help sites.

Tech Support Guy
Tech Support Forum
The Elder Geek on Windows
BleepingComputer.com
WhattheTech...formerly TomCoyote
Bob4
MRU Master
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida