Wed 2 Mar, 2005 06:47 pm
A very nasty bug has crept into my computer.
I ran Spybot, Adaware & HijackThis to no avail.
Every time the damn thing is deleted, it reappears again.
The computer guy at the office says it's a new procedure. Even if deleted "by hand" it reappears again. It probably is inside the Windows registry, and maybe other hidden program calls this bug to run.
These are the characteristics of the bug, according to Spybot S-D:
AllCyberSearch
Browser hijacker
Redirects IE standard search pages to the AllCyberSearch search page. Same Family as EzCyberSearch and GoCyberSearch (which is also listed as AllCyberSearch). Includes also TinyBar which seems to be the same page.
Any help will be highly appreciated.
We can prolly nail the sucker for ya, fbaezer -
See
This Topic
If you've already just run scans with
CURRENTLY UPDATED AdAware SE and Spybot S&D, you can skip over those parts. Do the rest, though.
When you go to do the recommended online virus scans,
DISABLE YOUR OWN RESIDENT ANTIVIRUS. Remember to re-enable it before goin' elsewhere on the 'web or checkin' email.
When you get to the part about runnin' a full system scan with your own antivirus, I recommend you update it first, then run the scan in safe mode.
I'd also suggest you uninstall your current copy of HJT and download and install the latest version, as linked on that page, bein' sure to install it to and run it from its own folder on your root drive. When you've run and saved its scan, post the logfile here, and we'll get to work on it .... sooner or later
Thanks, Timber.
Tried, but to no avail.
The computer guy at the office says it's a new brand. That it actually has 3 programs, one of them set "in the heart of the Windows system"; other redirects pages and the third one "makes sure" that the second one is redirecting the pages.
Except for hotmail and yahoo, I can still open all the pages, with some spam pop-ups.
IT man, AKA Geek God, sees it as a challenge, infected one of his own computers and says he'll fix it in a few days (or find the cure).
For now I will use hotmail and yahoo only at home.
I got the virus from opening a hotmail message which came from a believable name, passed through my medium filter and had an attachment that I didn't open.
Could be wrong, but I think it may not be all that new; it sounds like a known, recent variation of a yuckware subtype which has been around in various forms a couple-3 years or so. It's what's referred to as a "Blended Threat"; it uses several different means to conduct and protect its nastiness - a toughie, yeah, but it most likely can be gotten rid of.
It's quite normal for contemporary yuckware to embed itself deeply within the system, protectin' itself by resettin' permissions, creatin' hidden, protected files and folders, and scatterin' files and registry keys all over. It definitely is in the registry, and it definitely has created hidden, protected files; that's the very nature of such beasts.
Generally, in simple terms, the key to gettin' rid of 'em is to determine the processes and services in use by the critters, terminate 'em, disable and remove the protections they've equipped themselves with, then hunt down and burn out all their hidin' places, followed by implementin' whatever might be required to prevent re-infestation.
A constantly growin', adaptin' variety of procedures and tools designed to do precisely that exist, and there is a large and very active web community of folks who specialize in yuckware removal and prevention; there are scores of forums and newsgroups dedicated to the fight. Their members consult with one another, monitor new developments both in yuckware and anti-yuckware, exchange ideas, applications, tweaks, and other findin's and info, all on a day-to-day basis, and manage pretty much to stay even with the yuckware builders. Even Microsoft has gotten into the fray, and in a big way.
Now, of course, I can't guarantee a fix for ya, but I'm willin' to take a look at your problem, give it a try, do what I can, and turn to the larger anti-yuckware community for any additional help I might need. Your call.
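The posts above describe the symptoms (IE search pages redirected to an unfamiliar site) and the general approach (find what the critter runs at startup, then hunt its hiding places), and ask for a HijackThis log. The following is an added example, not code from the thread or from HijackThis, showing how a defender can triage such a log: it flags R0/R1 lines whose Start/Search page points at a host outside an owner-supplied allow list, and O4 autorun entries that launch from outside the usual program directories or give no path at all. The log lines, the `KNOWN_GOOD_HOSTS` set, the `EXPECTED_AUTORUN_DIRS` tuple and the `search.hijack-sample.invalid` host are all constructed placeholders for the example.

```python
"""Triage a HijackThis-style log for browser-hijack symptoms.

Added example for the thread above; the sample log lines below are
constructed in HijackThis's line format and are not a real scan.
"""
import re
from urllib.parse import urlparse

# Hosts the machine's owner recognises as legitimate home/search pages.
# (Assumption for the example; tailor this to the real defaults in use.)
KNOWN_GOOD_HOSTS = {"www.msn.com", "search.msn.com", "www.microsoft.com", "www.google.com"}

# Directories from which autorun entries normally launch. Anything launched
# from elsewhere, or with no path at all, is worth a closer look.
EXPECTED_AUTORUN_DIRS = ("c:\\program files\\", "c:\\windows\\system32\\")

# Constructed sample log: one clean start page, two redirected search pages,
# one autorun with no path, one autorun in an odd location, one clean autorun.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.msn.com/
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://search.hijack-sample.invalid/
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Search_URL = http://search.hijack-sample.invalid/
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [svchost32] C:\\WINDOWS\\svchost32.exe
O4 - HKCU\\..\\Run: [msnmsgr] "C:\\Program Files\\MSN Messenger\\msnmsgr.exe" /background
"""

# R0/R1: registry value under the IE "Main" key and the URL it holds.
R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<url>\S+)")
# O4: autorun entry name and the command line it launches.
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def extract_exe(cmd):
    """Return the executable from an O4 command line, handling quoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def triage(log_text):
    """Return (kind, name, detail) findings for each suspicious R0/R1 or O4 line."""
    findings = []
    for line in log_text.splitlines():
        m = R_LINE.match(line)
        if m:
            host = (urlparse(m.group("url")).hostname or "").lower()
            if host not in KNOWN_GOOD_HOSTS:
                findings.append(("hijacked-search", m.group("value").strip(), host))
            continue
        m = O4_LINE.match(line)
        if m:
            exe = extract_exe(m.group("cmd"))
            if not exe.lower().startswith(EXPECTED_AUTORUN_DIRS):
                findings.append(("suspicious-autorun", m.group("name"), exe))
    return findings


if __name__ == "__main__":
    for kind, name, detail in triage(SAMPLE_LOG):
        print(f"{kind:18} {name:20} {detail}")
```

Two search-page values pointing at the same unfamiliar host, plus an autorun in the Windows root named to look like a system process, is exactly the kind of pairing the post above describes: one component redirects, another re-launches it. The script only points at lines worth examining; the allow list must be kept small and honest, since a hijacker that also rewrote the hosts file could make a "known good" name resolve elsewhere.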
I followed all the steps you gave, but cannot send the scan. There was a message that said the bug cannot be destroyed, since it is on an e-mail message (????).
What I'm going to do tonight is go home and, in my home computer, empty my hot-mail garbage bin. I doubt it will work, but I'll keep on trying anyway.
fbaezer (the technopeasant)
Now ya really got me puzzled - where the "Bug" is or isn't should have no bearin' on your ability to post an HJT scan if you can in fact run the scan and post anything anywhere ... and it appears you can post here.
Hi fbaezer
I'm just a bit curious here. Is the infected machine at work? You're still able to view web pages but not post a HJT log?
Are you replying to this topic on the infected machine?
I know that's a lot of questions, sorry, but it may help to figure out the solution to the problem.
Were you able to download HJT on the infected machine? I believe the answer is yes.
Is it possible for you to save the log to a floppy and post it from the non-infected machine?
Another approach which might help would be to log in to
www.pcpitstop.com and run their online diagnostics.
The infected machine can open several web pages, even if unwanted pop-ups open now and then.
If I try to get into hotmail or yahoo, it redirects them to a spam page.
Antiviruses run, but say they cannot destroy the bug. Some trojan horses are put into quarantine or destroyed. The cleansing program says it cannot destroy this particular critter.
At the moment, I'm on another machine, but I could as well post in A2K with the infected one.
I'm in agreement with Timber on this one. Not sure why you're unable to post the HJT log...
Give this a go, assuming you have downloaded Spybot and Ad-aware. If you're able, check both of them for updates prior to running, as instructed in the link Timber posted earlier.
Download and install
Cleanup
Run "Cleanup" and when it has finished, Reboot,
Next reboot to safe mode (by tapping the F8 key on start up), run a scan with Ad-aware and Spybot, and run Cleanup! again please,
See if you can't post back a log after that please
HofT wrote:Another approach which might help would be to log in to
www.pcpitstop.com and run their online diagnostics.
PCPS is a valuable resource, and I recommend it unreservedly - for what it is and what it does. Thanks for bringin' it to the table here, HofT.
Gotta say though, not to dis 'em at all, but that in this sorta case, PCPS is sorta like a Quick Oil Change/Minor Tune-up place, while what Don77 and I are doin' is more like dealer-garage diagnostic and shop work
Mostly, about all fbaezer would get from PCPS is confirmation he has a problem of the nature of the problem he knows he has.
Timber - that's very true. Parenthesis here to say I laughed when I read your post - for countless years driving from Heathrow to London I had seen a huge building with the sign "Body Shop" and had always thought it to be a Jane-Fonda-type of leotard-clad ladies' hangout. Only when my car had to be taken to real experts did I realize it's a major repair garage, and I think Baezer belongs to a similarly clueless category in the computer field... Close parenthesis <G>
fbaezer wrote:The infected machine can open several web pages, even if unwanted pop-ups open now and then.
If I try to get into hotmail or yahoo, it redirects them to a spam page.
That's prototypical behavior for the infection we suspect, baezer - just exactly what we'd expect to see happenin'. That info alone is quite useful.
Quote:Antiviruses run, but say they cannot destroy the bug. Some trojan horses are put into quarantine or destroyed. The cleansing program says it cannot destroy this particular critter.
Again, that's pretty much the way these critters work. We expect to see that.
Quote:At the moment, I'm an another machine, but I could as well post in A2K with the infected one.
That would be most helpful - and please be sure HJT resides in and is run from its own folder on your root drive - not from your desktop or from within a personal folder. Instructions for seein' to that are on the initial page I offered you. If you have any trouble or question - just holler. It's best to hang tight and do nothin' if you're not clear about what we'd like ya to do.