

Windows 7: browser hijack showing all my host domains as expired


3 Weeks Ago   #1

Windows 7 Professional 64bit
 
 

Hi,

Well, the day before yesterday a user of one of the domains on my server reported that the domain showed as expired, but it was not a big deal; they kept trying and finally got it to work... Then yesterday it was worse, 2 sites reported it. Now for all my sites, if I do direct URL input or use the icon I get the ww2 page, but if I look anon, I get the right page.

Otherwise what I'm getting is the attached image.

So I finally figured out, by checking into DNS and also checking the site using an anon proxy, that the site is fine. So then I suspected it was some kind of global malware.

I ran Malwarebytes and it found some files; I deleted them and all seemed well again. I tried all browsers and all sites came up. But then in 5 min the browser was hijacked again. So I removed FF, Chrome and IE 11, then ran Malwarebytes again and found nothing; I just finished a scan and nothing was found.

So now I'm stuck. I'm not sure what to do now.

Whatever this is, it only seems to affect my domains, because all other sites seem to work. I think it's someone trying to sell domain names and hijacking browsers and reseller hosts. But how do I get this off here?

I have lots of sites, but one you can look at is www.icodemods.com

Any ideas? Here is my scan from Malwarebytes when it fixed it before (the first time).

Quote:

Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 6/29/2014
Scan Time: 4:36:18 PM
Logfile: scanlog.txt
Administrator: Yes
Version: 2.00.2.1012
Malware Database: v2014.06.29.09
Rootkit Database: v2014.06.23.02
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: xxxxxxxx
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 316457
Time Elapsed: 4 min, 26 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 2
PUP.Optional.SearchProtect.A, HKLM\SOFTWARE\WOW6432NODE\SEARCHPROTECT, Quarantined, [003d4e3094e73ff701c7d5d806fcb64a],
PUP.Optional.DefaultTab.A, HKU\S-1-5-21-2476543464-4118117661-2746257878-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\DefaultTab, Quarantined, [e855acd2750612243b9534a0b54dd729],
Registry Values: 2
PUP.Optional.SearchProtect.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|AppInit_DLLs, C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll, Quarantined, [6cd185f9f18ae3535c44c344ab595da3]
PUP.Optional.SearchProtect.A, HKLM\SOFTWARE\WOW6432NODE\SEARCHPROTECT|InstallDir, C:\PROGRA~2\SearchProtect, Quarantined, [003d4e3094e73ff701c7d5d806fcb64a]
Registry Data: 0
(No malicious items detected)
Folders: 7
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\Logs, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect\Logs, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect\rep, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\UI, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\UI\rep, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
Files: 4
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect\rep\Cvc.dat, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect\rep\UserRepository.dat, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect\rep\UserSettings.dat, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\UI\rep\UIRepository.dat, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
Physical Sectors: 0
(No malicious items detected)

(end)




Attached Thumbnails
browser hijack showing all my host domains as expired-wtheck.jpg  
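
Added example (not part of the original post, and not Malwarebytes code): a small Python triage over an excerpt of the scan log above that picks out registry detections sitting on auto-load points such as AppInit_DLLs, which are the entries worth re-checking when a hijack comes back after cleanup. The function names and the AUTOLOAD list are assumptions chosen for this illustration.

```python
import re

# Excerpt of the Malwarebytes log posted above (section headers and a few entries).
LOG = r"""Registry Keys: 2
PUP.Optional.SearchProtect.A, HKLM\SOFTWARE\WOW6432NODE\SEARCHPROTECT, Quarantined, [003d4e3094e73ff701c7d5d806fcb64a],
Registry Values: 2
PUP.Optional.SearchProtect.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|AppInit_DLLs, C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll, Quarantined, [6cd185f9f18ae3535c44c344ab595da3]
PUP.Optional.SearchProtect.A, HKLM\SOFTWARE\WOW6432NODE\SEARCHPROTECT|InstallDir, C:\PROGRA~2\SearchProtect, Quarantined, [003d4e3094e73ff701c7d5d806fcb64a]
Files: 4
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\UI\rep\UIRepository.dat, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
Physical Sectors: 0
(No malicious items detected)
"""

SECTION = re.compile(r"^([A-Za-z ]+): (\d+)$")   # e.g. "Registry Values: 2"

# Assumed, non-exhaustive list of registry auto-load points (lower-cased substrings).
AUTOLOAD = ("|appinit_dlls", "\\currentversion\\run", "\\winlogon|shell", "\\winlogon|userinit")


def parse_log(text):
    """Return one dict per detection line, tagged with the section it appeared in."""
    section, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        parts = [p.strip() for p in line.rstrip(",").split(", ")]
        # Detection lines end with a bracketed id; registry values carry an extra data field.
        if section is None or len(parts) < 4 or not parts[-1].startswith("["):
            continue
        entries.append({"section": section, "name": parts[0], "location": parts[1],
                        "data": parts[2] if len(parts) == 5 else None, "action": parts[-2]})
    return entries


def persistence_hits(entries):
    """Registry detections located on an auto-load point; re-check these after cleanup."""
    return [e for e in entries if e["section"].startswith("Registry")
            and any(p in e["location"].lower() for p in AUTOLOAD)]


if __name__ == "__main__":
    for hit in persistence_hits(parse_log(LOG)):
        print(hit["name"], hit["location"], "->", hit["data"], f"({hit['action']})")
```

On the excerpt, the only hit is the AppInit_DLLs value pointing at SPVC64Loader.dll; that value names DLLs Windows loads into every process that loads user32.dll, so it should be confirmed empty or legitimate after the quarantine.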

3 Weeks Ago   #2

Windows 7 Professional 64bit
 
 

Here is my regedit Current User IE screen. I have no idea what the affid deal is. Is that normal?


Attached Thumbnails
browser hijack showing all my host domains as expired-iesample.jpg  
3 Weeks Ago   #3

Windows 7 Professional 64bit
 
 

I was hoping to get something from the source view of the bogus hijack page; I'll have to include the file because it's too big to post here.


Attached Files
File Type: txt hijack.txt (34.1 KB, 2 views)


3 Weeks Ago   #4

Windows 7 Professional 64bit
 
 

Wow, I think I got it... I did a search of my drive for newly created files and I found a folder with a bunch of language files in it, all for different countries. It was called language, so I deleted it, but not out of my bin, and I got sidetracked and forgot it was there. I just tried and all is well, but sadly I zapped the bin, so I can't share what I found.

But it's a folder called language, and it will be obvious because it doesn't belong where it is...
3 Weeks Ago   #5

Windows 7 Professional x64 Sp1
 
 

Your web site is using Apache 2.2.25, which is not the latest version. Here are the known vulnerabilities for that version:

http://httpd.apache.org/security/vul...lities_22.html

I suggest patching your site.


If you want to be sure,

Download DDS:

DDS.com

Save the file to your PC. Then open the DDS icon to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop.
Include the contents of both logs in your next post by using the paperclip.

3 Weeks Ago   #6

Windows 7 Professional 64bit
 
 

Here are the two results. I zipped them both, if that's OK...


Attached Files
File Type: zip dds reports.zip (10.9 KB, 2 views)
3 Weeks Ago   #7

Windows 7 Professional x64 Sp1
 
 

A few things do not look right to me, let's take a look:

1.) Download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool
  • Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Upload the contents of that logfile in your next reply using the paper clip on the reply box.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.

2.) Using AdwCleaner v3: Scan & Clean:

  • Double click on AdwCleaner.exe to run the tool again.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished, this time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Upload the contents of that logfile in your next reply using the paper clip on the reply box.

Junkware Removal tool:


3.) Please download Junkware Removal Tool to your desktop.


  • Shut down your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Upload the contents of that logfile in your next reply using the paper clip on the reply box.
  • When completed, make sure to re-enable your antivirus.
3 Weeks Ago   #8

Windows 7 Professional 64bit
 
 

OK, here is the cleaner and JRT stuff. Thanks.


Attached Files
File Type: rar adwcleaner_jrt_stuff.rar (4.2 KB, 2 views)
3 Weeks Ago   #9

Windows 7 Professional x64 Sp1
 
 

Wow, a good bit was removed there.

Fantastic!

OK, now let's move on to step 2:

Make sure your data is backed up either on an external hard drive or somewhere else before proceeding:

1.) Please download and save the file TFC by Old Timer. Again, save the file to your downloads folder or your desktop. Do not run it.

Downloading TFC


2.) Close your programs before running this tool. TFC will close ALL open programs.

3.) Browse to where you saved TFC. Right click on tfc.exe and choose Run As Administrator.

4.) Click the Start button to begin the cleaning process and let it run uninterrupted to completion. When it finishes it will say total files cleaned, and the start button will be grayed out. Click exit.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
3 Weeks Ago   #10

Windows 7 Professional x64 Sp1
 
 

Step 3: no rush, take your time. Make sure you restarted before doing this step:


1.) Download herdProtect: (choose the portable version)

Download herdProtect - Free Anti-Malware Platform

2.) Run the scan.

3.) When the scan finishes, save the results per the screenshot below. Then upload the log here.

DO NOT REMOVE ANYTHING YET. I will advise if anything needs removed when I receive the log.

Attached Images