Erik Mcfrazier asked:
Browser Hijacking

I have a computer that seems to be clean of virus/spyware, but the browsers still get hijacked. I ran Malwarebytes, ComboFix, Avast, cleared temp files, flushed DNS, cleared any proxy settings, etc. Here is the log from ComboFix. Anybody see anything I missed? log.txt
edbedb:
This looks like it could be the problem.
S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys [2010-05-13 59280]
Chris Millard:
Try using RootAlyzer - it is excellent at finding Rootkits hidden from Win32. If it DOES find Rootkits that are hidden from Windows, then I suggest booting from a Linux Live CD to delete any unwanted items...

When using it, perform a DEEP scan
Erik Mcfrazier (asker):
I think this at least partially has to do with StopZilla. That's one of the sites that my browser keeps redirecting to.
Have you removed the item I pointed out?
yes, but the browser is still being hijacked. I just ran rootalyzer, so we'll see if that fixes it.
Nope, still hijacked. I removed the files that rootalyzer found except a data file found in app data\microsoft office.
Have you rescanned with HJT to see if that entry has been removed?
OK - let's backtrack. What browser are you using, and what is happening?
Yes, that file seems to be deleted. Here is the most current HJT log. I am using IE and Firefox. Both are being hijacked. Whenever I do a google search, and click on one of the links, it redirects most of the time.  hijackthis.log
Oh yeah, and windows update does not work either. Used dial-a-fix, but still get an error on the website and can't automatically download updates either.
OK - another program to try is SuperAntiSpyware. HOWEVER, it may be that the files are being put back in by system restore, so can I suggest turning off system restore before doing the cleanups, then turn system restore back on afterwards.
I wouldn't turn off system restore.

Have you tried running IE without add-ons to test for redirection?
Click Start>Run>iexplore -extoff
@edbedb - this isn't affecting just IE - but Firefox as well, and although I would agree that under normal circumstances, system restore shouldn't be turned off, if the system restore files are too infected then this could be the cause of continual re-infection.
Sorry, when I asked you to rescan with HJT, I should have said ComboFix.
I just ran superantispyware with system restore off. It found over 300 browser related problems, and I thought it was fixed, but the browser started redirecting again. When I flush dns, it seems to be better for a little while, but then it starts happening again. I am about to run Combofix again. any other ideas?
I would like to see what ComboFix finds first.

Have you tried running IE without add-ons?
No, I haven't tried running IE without addons. I figured since Firefox was redirecting as well with a clean installation. I will post the ComboFix log after running.
Still happening. Here is the log file from CF. log.txt
That item is still showing, in fact it now has two entries so I am confident that is the problem.

I would get Autoruns
Start the computer in safe mode.
Under the Drivers tab in Autoruns, find these entries and disable them.
R0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys [x]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys [x]
Then using Windows Explorer, locate the files and delete them.
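The two rows quoted above are ComboFix's notation for boot-start drivers (R0/S0 = running/stopped, start type 0) whose image file is gone from disk ([x]). The script below is an added example, not code from the thread or from ComboFix or Autoruns: it walks the same service registry keys, keeps only kernel and file-system drivers set to boot start, and flags any whose file is missing or whose Authenticode signature is not valid. The function name and the output format are my own; run it from an elevated prompt.

```powershell
# Added example (not from the thread): triage boot-start drivers the way ComboFix's
# R0/S0 rows do, flagging entries whose file is missing or whose signature is not valid.
# Function name and output shape are constructed for this example.
function Get-BootStartDriverReport {
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Type 1 = kernel driver, 2 = file-system driver; Start 0 = boot start
        if ($null -eq $p -or ($p.Type -notin 1, 2) -or ($p.Start -ne 0)) { continue }

        # Resolve the image path; a driver with no ImagePath loads system32\drivers\<name>.sys
        $img = [string]$p.ImagePath
        if (-not $img) { $img = "system32\drivers\$($key.PSChildName).sys" }
        $img = $img -replace '^\\SystemRoot\\', '' -replace '^\\\?\?\\', ''
        if ($img -notmatch '^[A-Za-z]:\\') { $img = Join-Path $env:SystemRoot $img }

        $exists = Test-Path -LiteralPath $img
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $img).Status } else { 'FileMissing' }

        [PSCustomObject]@{
            Name      = $key.PSChildName
            ImagePath = $img
            Exists    = $exists
            Signature = $sig
            # Missing file (ComboFix's "[x]") or non-valid signature is worth a look
            Suspect   = (-not $exists) -or ($sig -ne 'Valid')
        }
    }
}

# Show only the entries that need attention
Get-BootStartDriverReport | Where-Object Suspect | Format-Table -AutoSize
```

Treat the output as a triage list, not a verdict: Microsoft drivers that are catalog-signed can report NotSigned on older systems, and a disk-filter rootkit of the kind discussed later in the thread can hide its own file from Test-Path, so an entry that shows FileMissing while the driver still loads is exactly the pattern to compare against an offline or Live CD view of the disk.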
The files were already deleted, but I disabled the autorun and deleted the entry. Flushed dns, but still redirects...oh and all addons are disabled.
edbedb (asker certified solution):
yup, that's the one I have the tdl3 rootkit. CF detected it, but could not remove it I guess. We'll see if Hitman gets it. Thanks for all of your help.
Hitman Pro it is! Thanks millions edbedb. It got the rootkit, and all seems to be good now. Thanks again everybody for all your help.