Windows 7 Forums



Windows 7: browser hijack showing all my host domains as expired

29 Jun 2014   #1
durango1

Windows 7 Professional 64bit
 
 

Hi,

Well, the day before yesterday it was reported by a user of one of the domains on my server that the domain showed expired, but it was not a big deal; they kept trying and finally got it to work. Then yesterday it was worse: 2 sites reported it. Now for all my sites, if I do direct URL input or use the icon I get the ww2 page, but if I look anon, I get the right page.

Otherwise what I'm getting is this image attached.

So I finally figured out, by checking into DNS and also checking the site using an anon proxy, that the site is fine. So then I suspected it was some kind of global malware.

I ran Malwarebytes and it found some files. I deleted them and all seemed well again; I tried all browsers and all sites came up. But then in 5 min the browser was hijacked again. So I removed FF and Chrome and IE 11, then ran Malwarebytes again and found nothing; I just finished a scan and nothing was found.

So now I'm stuck. I'm not sure what to do now.

Whatever this is, it only seems to affect my domains because all other sites seem to work. I think it's someone trying to sell domain names and hijacking browsers and reseller hosts. But how do I get this off here?

I have lots of sites, but one you can look at is www.icodemods.com

Any ideas? Here is my scan from Malwarebytes when it fixed it before (the first time).

Quote:

Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 6/29/2014
Scan Time: 4:36:18 PM
Logfile: scanlog.txt
Administrator: Yes
Version: 2.00.2.1012
Malware Database: v2014.06.29.09
Rootkit Database: v2014.06.23.02
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: xxxxxxxx
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 316457
Time Elapsed: 4 min, 26 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 2
PUP.Optional.SearchProtect.A, HKLM\SOFTWARE\WOW6432NODE\SEARCHPROTECT, Quarantined, [003d4e3094e73ff701c7d5d806fcb64a],
PUP.Optional.DefaultTab.A, HKU\S-1-5-21-2476543464-4118117661-2746257878-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\DefaultTab, Quarantined, [e855acd2750612243b9534a0b54dd729],
Registry Values: 2
PUP.Optional.SearchProtect.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|AppInit_DLLs, C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll, Quarantined, [6cd185f9f18ae3535c44c344ab595da3]
PUP.Optional.SearchProtect.A, HKLM\SOFTWARE\WOW6432NODE\SEARCHPROTECT|InstallDir, C:\PROGRA~2\SearchProtect, Quarantined, [003d4e3094e73ff701c7d5d806fcb64a]
Registry Data: 0
(No malicious items detected)
Folders: 7
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\Logs, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect\Logs, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect\rep, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\UI, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\UI\rep, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
Files: 4
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect\rep\Cvc.dat, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect\rep\UserRepository.dat, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect\rep\UserSettings.dat, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\UI\rep\UIRepository.dat, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
Physical Sectors: 0
(No malicious items detected)

(end)





Attached Thumbnails
-wtheck.jpg  
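The scan log in the post above includes a detection on the `AppInit_DLLs` registry value, which Windows uses to load the listed DLLs into every process that loads user32.dll. As an added example (not part of the original thread and not Malwarebytes code), the following Python parses a log in that layout, picks out detections on such autoload values, and checks each section's declared count against the rows present. The row layout is inferred from the log in the post; the function names are hypothetical and the sample is a constructed excerpt.

```python
import re
from collections import Counter
SECTIONS = ("Processes", "Modules", "Registry Keys", "Registry Values",
            "Registry Data", "Folders", "Files", "Physical Sectors")
SECTION_RE = re.compile(r"^(%s): (\d+)$" % "|".join(SECTIONS))
# Registry value names through which Windows loads code automatically (not exhaustive).
AUTOLOAD_VALUES = {"appinit_dlls"}

# Constructed excerpt modelled on the log in the first post; [id-N] values are placeholders.
SAMPLE_LOG = r"""
Objects Scanned: 316457
Registry Keys: 1
PUP.Optional.SearchProtect.A, HKLM\SOFTWARE\WOW6432NODE\SEARCHPROTECT, Quarantined, [id-1],
Registry Values: 2
PUP.Optional.SearchProtect.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|AppInit_DLLs, C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll, Quarantined, [id-2]
PUP.Optional.SearchProtect.A, HKLM\SOFTWARE\WOW6432NODE\SEARCHPROTECT|InstallDir, C:\PROGRA~2\SearchProtect, Quarantined, [id-1]
Files: 2
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\UI\rep\UIRepository.dat, Quarantined, [id-3],
"""

def parse_log(text):
    """Return (detections, declared); declared maps section name -> count in its header."""
    detections, declared, section = [], {}, None
    for line in map(str.strip, text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            section, declared[m.group(1)] = m.group(1), int(m.group(2))
            continue
        fields = [f.strip() for f in line.rstrip(",").split(", ")]
        # A detection row sits under a section header and ends "<action>, [<id>]".
        if section and len(fields) >= 4 and fields[-1].startswith("["):
            key, _, value = fields[1].partition("|")  # "key|value name" for registry values
            detections.append({"section": section, "threat": fields[0], "location": key,
                               "value": value, "action": fields[-2],
                               "data": fields[2] if len(fields) == 5 else ""})
    return detections, declared

def autoload_hits(detections):
    """Detections written to a registry value that makes Windows load code."""
    return [d for d in detections if d["value"].lower() in AUTOLOAD_VALUES]

def count_mismatches(detections, declared):
    """Sections whose header count differs from the rows present (truncated paste)."""
    seen = Counter(d["section"] for d in detections)
    return {s: (n, seen[s]) for s, n in declared.items() if n != seen[s]}

if __name__ == "__main__":
    dets, declared = parse_log(SAMPLE_LOG)
    print(autoload_hits(dets), count_mismatches(dets, declared))
```

The sample deliberately declares two file detections but contains one row, so the count check reports the gap a truncated paste would leave.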
29 Jun 2014   #2
durango1

Windows 7 Professional 64bit
 
 

Here is my regedit current user IE screen. I have no idea what the affid deal is. Is that normal?


Attached Thumbnails
-iesample.jpg  
29 Jun 2014   #3
durango1

Windows 7 Professional 64bit
 
 

I was hoping to get something from the source view of the bogus page hijack. I'll have to include the file because it's too big to post here.


Attached Files
File Type: txt hijack.txt (34.1 KB, 2 views)

29 Jun 2014   #4
durango1

Windows 7 Professional 64bit
 
 

Wow, I think I got it. I did a search of my drive for new files created and I found a folder with a bunch of language files in it, all for different countries. It was called language, so I deleted it, but not out of my bin, and I got sidetracked and forgot it was there. I just tried and all is well, but sadly I zapped the bin, so I can't share what I found.

But it's a folder called language and it will be obvious because it doesn't belong where it is.
29 Jun 2014   #5
andrew129260

Windows 7 Professional x64 Sp1
 
 

Your web site is using Apache 2.2.25, which is not the latest version. Here are the known vulnerabilities for that version:

http://httpd.apache.org/security/vul...lities_22.html

I suggest patching your site.


If you want to be sure,

Download DDS:

DDS.com

Save the file to your PC. Then open the DDS icon to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop.
Include the contents of both logs in your next post by using the paperclip.

29 Jun 2014   #6
durango1

Windows 7 Professional 64bit
 
 

Here are the two results. I zipped them both, if that's OK.


Attached Files
File Type: zip dds reports.zip (10.9 KB, 2 views)
30 Jun 2014   #7
andrew129260

Windows 7 Professional x64 Sp1
 
 

A few things do not look right to me, let's take a look:

1.) Download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool
  • Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Upload the contents of that logfile in your next reply using the paper clip on the reply box.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.

2.) Using AdwCleaner v3: Scan & Clean:

  • Double click on AdwCleaner.exe to run the tool again.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished, this time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Upload the contents of that logfile in your next reply using the paper clip on the reply box.

Junkware Removal tool:


3.) Please download Junkware Removal Tool to your desktop.


  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Upload the contents of that logfile in your next reply using the paper clip on the reply box.
  • When completed, make sure to re-enable your antivirus.
30 Jun 2014   #8
durango1

Windows 7 Professional 64bit
 
 

OK, here is the cleaner and JRT stuff. Thanks.


Attached Files
File Type: rar adwcleaner_jrt_stuff.rar (4.2 KB, 2 views)
30 Jun 2014   #9
andrew129260

Windows 7 Professional x64 Sp1
 
 

Wow, a good bit was removed there.

Fantastic!

Ok, now let's move on to step 2:

Make sure your data is backed up either on an external hard drive or somewhere else before proceeding:

1.) Please download and save the file TFC by Old Timer. Again, save the file to your downloads folder or your desktop. Do not run it.

Downloading TFC


2.) Close your programs before running this tool. TFC will close ALL open programs.

3.) Browse to where you saved TFC. Right click on tfc.exe and choose Run As Administrator.

4.) Click the Start button to begin the cleaning process and let it run uninterrupted to completion. When it finishes it will say total files cleaned, and the start button will be grayed out. Click exit.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
30 Jun 2014   #10
andrew129260

Windows 7 Professional x64 Sp1
 
 

Step 3: no rush, take your time. Make sure you restarted before doing this step:


1.) Download herdprotect: (choose the portable version)

Download herdProtect - Free Anti-Malware Platform

2.) Run the scan.

3.) When the scan finishes, save the results per the screenshot below. Then upload the log here.

DO NOT REMOVE ANYTHING YET. I will advise if anything needs removed when I receive the log.
