browser hijack showing all my host domains as expired


  1. Posts : 119
    Windows 7 Professional 64bit
       #1

    browser hijack showing all my host domains as expired


    Hi,

    Well, the day before yesterday it was reported by a user of one of the domains on my server that the domain showed expired, but it was not a big deal, they kept trying and finally got it to work... then yesterday it was worse, 2 sites reported it.. now for all my sites, if I do direct URL input or use the icon I get the ww2 page, but if I look anon, I get the right page..

    Otherwise what I'm getting is this image attached.

    So I finally figured out, by checking into DNS and also checking the site using an anon proxy, that the site is fine. So then I suspected it was some kind of global malware.

    I ran Malwarebytes and it found some files, I deleted them and all seemed well again, tried all browsers and all sites came up. But then in 5 min the browser was hijacked again. So I removed FF and Chrome and IE 11, then ran Malwarebytes again and found nothing, just finished a scan and nothing found.

    So now I'm stuck. I'm not sure what to do now..

    Whatever this is, it only seems to affect my domains because all other sites seem to work. I think it's someone trying to sell domain names and hijacking browsers and reseller hosts. But how do I get this off here?

    I have lots of sites but one you can look at is www.icodemods.com

    Any ideas? Here is my scan from Malwarebytes when it fixed it before (the first time).


    Malwarebytes Anti-Malware
    www.malwarebytes.org
    Scan Date: 6/29/2014
    Scan Time: 4:36:18 PM
    Logfile: scanlog.txt
    Administrator: Yes
    Version: 2.00.2.1012
    Malware Database: v2014.06.29.09
    Rootkit Database: v2014.06.23.02
    License: Trial
    Malware Protection: Enabled
    Malicious Website Protection: Enabled
    Self-protection: Disabled
    OS: Windows 7 Service Pack 1
    CPU: x64
    File System: NTFS
    User: xxxxxxxx
    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 316457
    Time Elapsed: 4 min, 26 sec
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Warn
    PUM: Enabled
    Processes: 0
    (No malicious items detected)
    Modules: 0
    (No malicious items detected)
    Registry Keys: 2
    PUP.Optional.SearchProtect.A, HKLM\SOFTWARE\WOW6432NODE\SEARCHPROTECT, Quarantined, [003d4e3094e73ff701c7d5d806fcb64a],
    PUP.Optional.DefaultTab.A, HKU\S-1-5-21-2476543464-4118117661-2746257878-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\DefaultTab, Quarantined, [e855acd2750612243b9534a0b54dd729],
    Registry Values: 2
    PUP.Optional.SearchProtect.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|AppInit_DLLs, C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll, Quarantined, [6cd185f9f18ae3535c44c344ab595da3]
    PUP.Optional.SearchProtect.A, HKLM\SOFTWARE\WOW6432NODE\SEARCHPROTECT|InstallDir, C:\PROGRA~2\SearchProtect, Quarantined, [003d4e3094e73ff701c7d5d806fcb64a]
    Registry Data: 0
    (No malicious items detected)
    Folders: 7
    PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
    PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\Logs, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
    PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
    PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect\Logs, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
    PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect\rep, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
    PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\UI, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
    PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\UI\rep, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
    Files: 4
    PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect\rep\Cvc.dat, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
    PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect\rep\UserRepository.dat, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
    PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\SearchProtect\rep\UserSettings.dat, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
    PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\UI\rep\UIRepository.dat, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
    Physical Sectors: 0
    (No malicious items detected)

    (end)
    Attached thumbnail: browser hijack showing all my host domains as expired-wtheck.jpg
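
An added example, not part of the original thread: a small Python triage of the Malwarebytes log format posted above, which tags each detection with its log section and flags registry locations that load code automatically (AppInit_DLLs names DLLs that Windows loads into every process that loads user32.dll). The function names and the short marker list are assumptions made for illustration, and the sample lines are copied from the log in the post.

```python
import re
from collections import Counter

# Sample input: section headers and three detection lines copied from the
# scan log in the post above, embedded so the block runs offline.
SAMPLE_LOG = r"""
Registry Keys: 2
PUP.Optional.SearchProtect.A, HKLM\SOFTWARE\WOW6432NODE\SEARCHPROTECT, Quarantined, [003d4e3094e73ff701c7d5d806fcb64a],
Registry Values: 2
PUP.Optional.SearchProtect.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|AppInit_DLLs, C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll, Quarantined, [6cd185f9f18ae3535c44c344ab595da3]
Files: 4
PUP.Optional.SearchProtect.A, C:\Users\xxxxxxxx\AppData\Local\SearchProtect\UI\rep\UIRepository.dat, Quarantined, [1c21c5b9037845f1d29df2b8d52d926e],
(No malicious items detected)
"""

SECTION = re.compile(r"^([A-Za-z ]+): \d+$")
# Illustrative, non-exhaustive markers for registry auto-load points (assumption).
AUTOSTART_MARKERS = ("|APPINIT_DLLS", r"\CURRENTVERSION\RUN", r"\WINLOGON|")


def parse_detections(log_text):
    """Return one dict per detection line, tagged with its log section."""
    section, rows = None, []
    for raw in log_text.splitlines():
        line = raw.strip().rstrip(",")
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        parts = line.split(", ")
        # Detection line layout: name, location, [data,] action, [md5-like id]
        if len(parts) < 4 or not re.fullmatch(r"\[[0-9a-f]{32}\]", parts[-1]):
            continue
        rows.append({"section": section, "name": parts[0],
                     "location": parts[1],
                     "data": ", ".join(parts[2:-2]) or None,
                     "action": parts[-2]})
    return rows


def autostart_hits(rows):
    """Detections whose location matches one of the auto-load markers."""
    return [r for r in rows
            if any(m in r["location"].upper() for m in AUTOSTART_MARKERS)]


if __name__ == "__main__":
    rows = parse_detections(SAMPLE_LOG)
    print(Counter(r["name"] for r in rows))
    for r in autostart_hits(rows):
        print("auto-load entry:", r["location"], "->", r["data"])
```
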


  2. Posts : 119
    Windows 7 Professional 64bit
    Thread Starter
       #2

    Here is my regedit current user IE screen. I have no idea what the affid deal is.. is that normal..
    Attached thumbnail: browser hijack showing all my host domains as expired-iesample.jpg


  3. Posts : 119
    Windows 7 Professional 64bit
    Thread Starter
       #3

    I was hoping to get something from the source view of the bogus page hijack. I'll have to include the file because it's too big to post here.
    Attached Files


  4. Posts : 119
    Windows 7 Professional 64bit
    Thread Starter
       #4

    Wow, I think I got it... I did a search of my drive for new files created and I found a folder with a bunch of language files in it, all for different countries. It was called language, so I deleted it but not out of my bin, and I got sidetracked and forgot it was there. I just tried and all is well, but sadly I zapped the bin.. so I can't share what I found.

    But it's a folder called language and it will be obvious because it doesn't belong where it is...


  5. Posts : 4,566
    Windows 10 Pro
       #5

    Your web site is using Apache 2.2.25, which is not the latest version. Here are the known vulnerabilities for that version:

    http://httpd.apache.org/security/vul...lities_22.html

    I suggest patching your site.


    If you want to be sure,

    Download DDS:

    DDS.com

    Save the file to your pc. Then open the dds icon to run the tool.
    When done, DDS will open two (2) logs:
    DDS.txt
    Attach.txt

    Save both reports to your desktop.
    Include the contents of both logs in your next post by using the paperclip.


  6. Posts : 119
    Windows 7 Professional 64bit
    Thread Starter
       #6

    here are the two results, I zipped them both if that's ok...
    Attached Files


  7. Posts : 4,566
    Windows 10 Pro
       #7

    A few things do not look right to me, let's take a look:

    1.) Download AdwCleaner by Xplode and save to your Desktop.

    • Double click on AdwCleaner.exe to run the tool.
    • Vista/Windows 7/8 users right-click and select Run As Administrator.
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
    • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
    • Upload the contents of that logfile in your next reply using the paper clip on the reply box.
    • A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.


    2.) Using AdwCleaner v3: Scan & Clean:

    Double click on AdwCleaner.exe to run the tool again.
    Click on the Scan button.
    AdwCleaner will begin to scan your computer like it did before.
    After the scan has finished...

    This time click on the Clean button.
    Press OK when asked to close all programs and follow the onscreen prompts.
    Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
    After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
    Upload the contents of that logfile in your next reply using the paper clip on the reply box.

    Junkware Removal tool:

    3.) Please download Junkware Removal Tool to your desktop.

    • Shutdown your antivirus to avoid any conflicts.
    • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Upload the contents of that logfile in your next reply using the paper clip on the reply box.
    • When completed make sure to re-enable your antivirus.


  8. Posts : 119
    Windows 7 Professional 64bit
    Thread Starter
       #8

    OK, here is the cleaner and JRT stuff.. thanks
    Attached Files


  9. Posts : 4,566
    Windows 10 Pro
       #9

    Wow, a good bit was removed there.

    Fantastic!

    Ok, now let's move on to step 2:

    Make sure your data is backed up either on an external hard drive or somewhere else before proceeding:

    1.) Please download and save the file TFC by Old Timer. Again, save the file to your downloads folder or your desktop. Do not run it.

    Downloading TFC


    2.) Close your programs before running this tool. TFC will close ALL open programs.

    3.) Browse to where you saved tfc. Right click on tfc.exe and choose Run As Administrator.

    4.) Click the Start button to begin the cleaning process and let it run uninterrupted to completion. When it finishes it will say total files cleaned, and the start button will be grayed out. Click exit.
    Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.


  10. Posts : 4,566
    Windows 10 Pro
       #10

    Step 3: no rush take your time. Make sure you restarted before doing this step:


    1.) Download herdprotect: (choose the portable version)

    Download herdProtect - Free Anti-Malware Platform

    2.) Run the scan.

    3.) When the scan finishes, save the results per the screenshot below. Then upload the log here.

    DO NOT REMOVE ANYTHING YET. I will advise if anything needs removed when I receive the log.

    Attached Images


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.