ib.adnxs.com Browser Hijacker Within AOL Desktop Software


Lanny

Thanks to Emsisoft for this service!

I have a legacy system that I use for old e-mail. It is a Windows XP system with AOL Desktop 10.1 software. About 10 days ago, I began to notice the ib.adnxs.com Browser Hijacker. The hijacker does not appear when I use either IE or Firefox by themselves. When I open the AOL Desktop software, the AOL welcome page is shown within a browser. There is no problem at that point. My problem starts only when I open the AOL e-mail client, even before I open any individual e-mail messages. Within a few seconds a new tab is opened in the AOL browser, with a new one opening every several seconds after that, each one going to ib.adnxs.com.

I found a similar entry under this forum, but the person reporting it did not seem to follow through on the recommendations.

I have scanned with Microsoft Security Essentials, MalwareBytes, Ccleaner, Junk Removal Tool, AdwCleaner, Hitman Pro, and Emsisoft Antimalware. Some found nothing. When items were found (seemingly unrelated to ib.adnxs.com), I either deleted or quarantined them. The hijacking persisted.

I consulted with the AOL help desk twice. The first time I was instructed to set the pop-up filter to "Never". That did not help. The second time I was instructed to "delete the browser footprint", akin to flushing the browser cache. That did not help either.

I have attached the three scan files from your software. The EEK scan file found three things that were not found when I scanned with Emsisoft a few days ago. I had quarantined four items previously.

As an aside, some of your "Start Here" instructions seem to be either out of date or confusing (to me, anyway). I have some suggestions for you.

1. The note that starts "You only need to run the version compatible with your system..." confused me as there was only one version of each program displayed. The note only made sense when I clicked on the FRST link and was taken to another page with two OS options. I suggest that you preface the note with "For the FRST software, when you click on the link you will see two versions. You only need to...".

2. When I double-clicked on the downloaded EEK file, it unzipped, but it did not install as expected. I had to go to the EEK folder and double-click on "Start Emergency Kit Scanner.exe" for the install to start.

3. Once it started, the instruction "Put the mouse cursor over the "Menu" tab on the left..." did not apply. I did not see any tabs. I had to click on the Back button and then click the Scan button to start the scan.

Thanks for your help.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM\...\Policies\Explorer: [NoCDBurning] 0
Toolbar: HKCU - No Name - {4982D40A-C53B-4615-B15B-B5B5E98D167C} -  No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} 
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
2014-09-30 18:42 - 2014-09-30 18:45 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2014-10-05 20:00 - 2014-05-25 16:29 - 00000426 _____ () C:\WINDOWS\Tasks\At7.job
2014-10-05 18:00 - 2014-05-25 16:29 - 00000426 _____ () C:\WINDOWS\Tasks\At6.job
2014-10-05 16:00 - 2014-05-25 16:29 - 00000426 _____ () C:\WINDOWS\Tasks\At5.job
2014-10-05 14:00 - 2014-05-25 16:29 - 00000426 _____ () C:\WINDOWS\Tasks\At4.job
2014-10-05 12:00 - 2014-05-25 16:29 - 00000426 _____ () C:\WINDOWS\Tasks\At3.job
2014-10-05 10:00 - 2014-05-25 16:29 - 00000426 _____ () C:\WINDOWS\Tasks\At2.job
2014-10-05 08:00 - 2014-05-25 16:29 - 00000426 _____ () C:\WINDOWS\Tasks\At1.job
2014-10-04 22:00 - 2014-05-25 16:29 - 00000426 _____ () C:\WINDOWS\Tasks\At8.job
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At2.job
C:\Windows\Tasks\At3.job
C:\Windows\Tasks\At4.job
C:\Windows\Tasks\At5.job
C:\Windows\Tasks\At6.job
C:\Windows\Tasks\At7.job
C:\Windows\Tasks\At8.job
C:\WINDOWS\Installer\MSICE.tmp-\spusm.dll
C:\WINDOWS\Installer\MSIDC.tmp-\spusm.dll
C:\WINDOWS\Installer\MSIDC.tmp-\srbu.dll
C:\WINDOWS\Installer\MSICE.tmp-
C:\WINDOWS\Installer\MSIDC.tmp-
Task: C:\WINDOWS\Tasks\At1.job => ?
Task: C:\WINDOWS\Tasks\At2.job => ?
Task: C:\WINDOWS\Tasks\At3.job => ?
Task: C:\WINDOWS\Tasks\At4.job => ?
Task: C:\WINDOWS\Tasks\At5.job => ?
Task: C:\WINDOWS\Tasks\At6.job => ?
Task: C:\WINDOWS\Tasks\At7.job => ?
Task: C:\WINDOWS\Tasks\At8.job => ?
Close Notepad.

NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

Kevin,

Thanks for the quick reply.

I created the fixlist.txt file on my desktop. I started FRST and it did a quick self-update. I clicked Fix and it completed successfully.

I attached the fixlog.txt file below. In viewing the contents, I noticed that some of the results were listed as "not found". Is that normal?

I also noticed that the fixlist.txt file was missing from my Desktop. I presume that is normal to prevent someone from running the same fix twice that may not apply anymore.

Lastly, I did not test the AOL software yet as I was not sure if the malware removal process was finished yet.

Thanks,

Lanny

Lanny,

Everything was removed correctly. The "not found" entries are because I targeted the AT job scheduled tasks 3 different ways. The first set removed the malicious scheduled tasks.

AT Job tasks belong to an older RootKit infection. Therefore, I want to take a deeper look at the system.

Download RogueKiller from one of the following links and save it to your desktop:

  • Link 1
  • Link 2

  • Close all programs and disconnect any USB or external drives before running the tool.
  • Double-click RogueKiller.exe to run the tool (Vista or 7 users: Right-click and select Run As Administrator).
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished", just close the program. <--Don't fix anything!
  • Attach the RogueKiller report to your next reply.
    • The log can also be found on your desktop labeled (RKreport[X]_S_xxdatexx_xtimex)
    • The highest number of [X] is the most recent Scan.

Kevin,

RogueKiller completed successfully. However, there was no log file on my Desktop. I found it using File Search in this directory: C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs. It also had a slightly different name format than shown above.

Thanks,

Lanny

Lanny,

Close all programs and disconnect any USB or external drives before running the tool.

  • Double-click RogueKiller.exe to run the tool again (Vista or 7 users: Right-click and select Run As Administrator).
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished":
    • Click the Registry Entries Tab and select the following items:
      [PUM.Proxy] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> FOUND
      [PUM.Proxy] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> FOUND
      [PUM.Proxy] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555  -> FOUND
      [PUM.Proxy] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555  -> FOUND
      [PUM.StartMenu] HKEY_USERS\S-1-5-21-539038807-72535832-3929814033-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2  -> FOUND
      [PUM.StartMenu] HKEY_USERS\S-1-5-21-539038807-72535832-3929814033-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0  -> FOUND
      [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
    • Click the Delete button.
  • Attach the RogueKiller report to your next reply.
    • The log can also be found on your desktop labeled (RKreport[X]_D_xxdatexx_xtimex)
    • The highest number of [X] is the most recent Delete.
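The RogueKiller entries in the post above and the FRST fix list earlier in the thread share three indicator patterns: legacy at.exe jobs (At1.job through At8.job) whose target FRST could not resolve ("=> ?"), DLLs sitting under C:\WINDOWS\Installer\MSI<hex>.tmp-\ directories, and a WinINet proxy configured in the SYSTEM account's user hive (HKEY_USERS\.DEFAULT and HKEY_USERS\S-1-5-18 are the same hive) that points at 127.0.0.1:5555. The Python script below is an added example, not part of this thread and not code from FRST or RogueKiller: it parses lines in the two report formats quoted above and flags those three patterns. The sample lines are constructed from the entries quoted in the thread plus a few benign ones (marked); the regexes are my own and assume the line shapes shown here.

```python
"""Triage the indicator patterns discussed in this thread in FRST and RogueKiller
report lines. Added example; not part of the thread or of either tool."""
import re
from typing import List, Optional

# Constructed sample input modelled on lines quoted in the thread, plus a few
# benign lines (marked) to show that the checks do not fire on ordinary entries.
SAMPLE_LINES = [
    r"Task: C:\WINDOWS\Tasks\At1.job => ?",
    r"Task: C:\WINDOWS\Tasks\At8.job => ?",
    r"Task: C:\WINDOWS\Tasks\Backup.job => C:\Program Files\Backup\backup.exe",  # constructed benign
    r"C:\WINDOWS\Installer\MSICE.tmp-\spusm.dll",
    r"C:\WINDOWS\Installer\MSIDC.tmp-\srbu.dll",
    r"C:\WINDOWS\system32\drivers\redbook.sys",  # constructed benign
    r"[PUM.Proxy] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> FOUND",
    r"[PUM.Proxy] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:5555  -> FOUND",
    r"[PUM.Proxy] HKEY_USERS\S-1-5-21-539038807-72535832-3929814033-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : proxy.example.invalid:8080  -> FOUND",  # constructed
    r"[PUM.StartMenu] HKEY_USERS\S-1-5-21-539038807-72535832-3929814033-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0  -> FOUND",
]

# FRST "Task:" line: job path, then "=> target" ("?" when FRST could not resolve it).
TASK_RE = re.compile(r"^Task: (?P<job>.+?) => (?P<target>.*)$")
# Jobs created by the legacy at.exe scheduler are named At<n>.job.
AT_JOB_RE = re.compile(r"\\At\d+\.job$", re.IGNORECASE)
# DLLs under C:\WINDOWS\Installer\MSI<hex>.tmp-\ (the paths in the fix list).
INSTALLER_TMP_RE = re.compile(r"\\Installer\\MSI[0-9A-F]+\.tmp-\\", re.IGNORECASE)
# RogueKiller registry finding: [Category] key | value : data  -> STATUS
RK_REG_RE = re.compile(
    r"^\[(?P<cat>PUM\.\w+)\] (?P<key>.+?) \| (?P<name>\w+) : (?P<data>.+?)\s+-> (?P<status>\w+)$"
)


def is_system_hive(key: str) -> bool:
    """HKU\\.DEFAULT and HKU\\S-1-5-18 are both the SYSTEM account's user hive."""
    return key.upper().startswith(("HKEY_USERS\\.DEFAULT\\", "HKEY_USERS\\S-1-5-18\\"))


def proxy_hosts(proxy_server: str) -> List[str]:
    """Split a WinINet ProxyServer value into host names.
    The value is 'host:port' or 'scheme=host:port;scheme=host:port'."""
    hosts = []
    for part in proxy_server.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            part = part.split("=", 1)[1]
        host = part.rsplit(":", 1)[0] if ":" in part else part
        hosts.append(host.strip().lower())
    return hosts


def is_loopback(host: str) -> bool:
    return host == "localhost" or host.startswith("127.")


def triage_line(line: str) -> Optional[str]:
    """Describe why a report line matches one of the thread's patterns, or return None."""
    m = TASK_RE.match(line)
    if m:
        job, target = m.group("job"), m.group("target").strip()
        if AT_JOB_RE.search(job) and target == "?":
            return "legacy at.exe job with unresolved target: " + job
        return None
    m = RK_REG_RE.match(line)
    if m:
        key, name, data = m.group("key"), m.group("name"), m.group("data")
        if m.group("cat") != "PUM.Proxy":
            return None
        scope = "SYSTEM account" if is_system_hive(key) else "user"
        if name == "ProxyServer" and any(is_loopback(h) for h in proxy_hosts(data)):
            return scope + " proxy pointing at loopback: " + data
        if name == "ProxyEnable" and data == "1" and is_system_hive(key):
            return "proxy enabled for the SYSTEM account: " + key
        return None
    if INSTALLER_TMP_RE.search(line) and line.lower().endswith(".dll"):
        return "DLL dropped in an MSI temp directory: " + line
    return None


def triage(lines: List[str]) -> List[str]:
    """Run triage_line over a whole report and keep the hits."""
    findings = []
    for line in lines:
        finding = triage_line(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

The at.exe naming alone is not proof of anything (an administrator's own `at` command produces the same At<n>.job files), which is why the check also requires the unresolved target; likewise a proxy for a named corporate host is left alone and only a loopback proxy in the SYSTEM hive is reported, since no ordinary user setting lives there.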

Kevin,

Thanks for the "not found" explanation earlier.

I ran RogueKiller again. This time the Prescan produced the following results:

Process Tab

Status             Type           PID    Name          Path
KILLED [TermThr]   Proc.Svchost   3716   svchost.exe   (blank)

After the Scan, I selected the seven items listed above and clicked Delete. The second Scan report and the Delete report are attached.

Thanks,

Lanny

Lanny,

The redbook.sys driver appears to be infected.

Read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
  • Click Change parameters.
  • Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click on the Start Scan button to begin the scan and wait for it to finish.

    NOTE: Do not use the computer during the scan!

  • When it finishes, you will either see a report that no threats were found, or a list of detected items.

    If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop up, which you can just close since the report file is already saved.

  • If any infection or suspected items are found, you will see the scan results window:
    • If you have files that are shown to fail the signature check, do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
    • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
    • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects.
    • Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.
  • Click Continue to apply the selected actions.
  • A reboot may be required to complete disinfection. Reboot immediately if TDSSKiller states that one is needed.
  • Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder, named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt, which is based on the program version # and the date and time run.
  • Attach this log to your next reply.

Kevin,

I downloaded and ran TDSSKiller with the options indicated. No threats were found. Log file attached.

My redbook.sys file has a Modified Date of 4/13/2008 and a Size of 57,600 bytes. It seems to be legit.

Thanks,

Lanny

Kevin,

I just read that redbook.sys has to do with the CD drive. I have been having problems with my CD drive lately. While I can still read from it, I can no longer burn discs. In case this might help you.

Thanks,

Lanny

Kevin,

I ran the EEK and FRST programs a second time.

EEK found zero threats.

FRST only produced the FRST.txt file, no Addition.txt file this time.

The resulting scan log files are attached.

By the way, I have not restarted my system, nor have I used my AOL Desktop software since interacting with you. While you have not given me any instructions for either of those things, I chose not to do them in case one of those actions might undo something that we already eradicated. However, I have been using IE to interact with this forum and do some other Web surfing. Let me know when it is appropriate to test for the ib.adnxs.com browser hijacker within AOL.

Thanks,

Lanny

Kevin,

I am afraid that the infection is still with me. I start my AOL Desktop and the browser window (I too believe the browser is IE-based) displays the AOL Welcome screen. No infection signs yet. A number of seconds after I start the mail client, the focus goes back to the browser window and a series of new tabs open up to the site ib.adnxs.com.

It seems that I am not the only one with this problem; I see that a new thread was just opened for the same thing.

Thanks,

Lanny

Kevin,

That seemed to have worked! Could the solution have been that simple all along? Or did we have to do all of those other steps first? In any case, I guess I got rid of a lot of other junk that I did not need during the process.

I have tried a couple of times to reproduce the infection and I cannot reproduce it. There were times, before contacting you, that I had been fooled into thinking that the infection was gone. I will test again tomorrow and let you know.

Thanks,

Lanny

Kevin,

Congratulations and thank you. I cannot get the ib.adnxs.com browser hijacker to return no matter what I do. And of course that's a good thing!

The tradeoff was that I had to re-customize IE. When I reset the "AOL browser", it reset IE outside of AOL, probably because AOL uses the same browser and not its own version of it. But that was a small price to pay: resetting my home page, resetting the Tab behavior, downloading some common plug-ins, etc.

I presume that I can get rid of the "clutter" on my Desktop: all of the programs I downloaded and the resulting text files. Also there are the C:\EEK and C:\FRST folders. Is there anything else that I should delete?

xdancer22 with the same problem did not say whether AdwCleaner solved his problem or not. If not, a browser reset may be his solution too.

Thanks,

Lanny

Unless you are having problems, it is time to do the final steps.

Uninstall AdwCleaner:

  • Close all open programs and Internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on the Uninstall button.
  • Confirm by clicking Yes.

Delete the following from your Desktop (if they exist):

  • AdwCleaner.exe
  • Emsisoft Emergency Kit.lnk
  • FRST.exe
  • FRST64.exe
  • JRT.exe
  • JRT.txt
  • TDSSKiller.exe
  • Anything else I had you use

Delete the following folders (if they exist):

  • C:\AdwCleaner
  • C:\EEK
  • C:\FRST
  • C:\TDSSKiller_Quarantine

Empty the Recycle Bin.

Download to your Desktop:

  • CCleaner Portable
  • UnZip CCleaner Portable to a folder on your Desktop named CCleaner.

Run CCleaner:

  • Open the CCleaner Folder on your Desktop and double click CCleaner.exe (32-bit) or CCleaner64.exe (64-bit).
  • The following should be selected by default; if not, please select: [image of the default Cleaner selections]
  • Click [image] and choose [image].
  • Uncheck [image].
  • Then go back to [image] and click [image] to run it.
  • Exit CCleaner.

Turn off System Restore to flush all your restore points, then turn System Restore back on. See How To Enable and Disable System Restore.

You can delete and uninstall any programs I had you download that you do not wish to keep on the system.

Run Windows Update and update your Windows Operating System.

Install and run the Secunia Personal Software Inspector; this will inspect your system for software that is out-of-date and in need of updating. Update any program/application detected as being out-dated.

Articles to read:

  • How to Protect Your Computer From Malware
  • How to keep you and your Windows PC happy
  • Web, email, chat, password and kids safety
  • 10 Sources of Malware Infections

That should take care of everything.

Safe Surfing!

Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.


Support thread opened at the original poster's request.

Download ComboFix from Link

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download it to your Desktop.

!!! IMPORTANT !!! Save ComboFix to your Desktop

NOTE: ComboFix is an advanced utility, and is not like traditional automated tools. It will delete anything that it knows is bad without asking for confirmation, it will save backup copies in its quarantine automatically, it will restart your computer, and it will produce a log that allows me to analyze and determine if there is anything left over. This log will not contain any personal information, or information about any of your documents, pictures, music, videos, etc. It only compiles information on which applications/drivers/etc. were installed within the last 30 days, any applications that have certain properties that could be used for malicious purposes, and most of the load points on your system that can be abused by malicious software. If there is a false positive, and something gets deleted that should not, then I can write a script for ComboFix that will tell it to restore specific items that it deleted.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See HERE for help.
  • Double click on Combo-Fix & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**NOTE: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue. Click on Yes to continue scanning for malware.

When finished, ComboFix will produce a log.

NOTE:

1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

3. If you get a message that states "illegal operation attempted on a registry key that has been marked for deletion", restart your computer.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

  • ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Kevin,

Thanks for reopening this topic. To summarize the week since you closed this topic:

I was hijacker-free for several days. Then it returned a few days ago. I tried to block the site ib.adnxs.com by two methods. First, by adding the site to the "Restricted Sites" area within IE Options. No success. Second, I entered the string "127.0.0.1 ib.adnxs.com" into the Hosts file. New tabs to the site were still being opened, but they were blank. So apparently the ads that had appeared were no longer being downloaded. A small success, I guess.

I downloaded ComboFix and disabled MS Security Essentials and Windows Firewall. I did not get any messages about Microsoft Windows Recovery Console, so apparently it was already installed.

However, I did get a warning that Emsisoft Antivirus was running. That was surprising since I had installed and uninstalled that program before even contacting you. I attempted to close ComboFix by clicking on the X button, but it continued anyway. I then got a second warning and once again the X button had no effect on stopping ComboFix from running. How could I have stopped it?

In any case, it completed some 50 stages before producing its report, attached below.

I started AOL mail and so far so good, but that is not definitive. I have been fooled before into thinking it had been removed. It seems that it can be stopped by continually closing the tabs. Then it is dormant for the rest of the day, but it returns the next day. Xdancer22/Sara in topic "ib-adnx.com trojan in AOL browser (not IE/Chrome)" reported something similar.

I will reboot my system to test the effects of ComboFix on the rest of my system. I have already noticed that the keyboard buttons for changing the volume no longer produce the volume screen display as before. Also, my Hosts file was cleaned out except for the string "127.0.0.1 localhost", something not noted in the log file.

I will test AOL tomorrow morning and report if there is anything new.

Thanks,

Lanny
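The post above describes two containment steps, a hosts-file entry for ib.adnxs.com and IE's Restricted Sites zone, and notes that ComboFix later reset the hosts file to the single localhost line. The Python script below is an added example, not something from the thread, from ComboFix or from any other tool in it: it parses hosts-file text the way a resolver reads it (full-line and trailing comments, tabs, several names on one line, case-insensitive names), reports whether a name is sinkholed to loopback or 0.0.0.0, and diffs two versions of the file to list the entries a reset dropped. The two sample hosts texts are constructed; the Windows XP hosts path is the standard location of the file.

```python
"""Check whether a hosts-file sinkhole entry is present and whether a cleanup
reset removed it. Added example; not part of the thread or of any tool in it."""
import ipaddress
from typing import Dict, List, Set

# Constructed sample: the entry described in the thread plus a constructed line
# that uses a tab, two names and a trailing comment.
HOSTS_BEFORE = """# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1 ib.adnxs.com
0.0.0.0\tads.example.invalid  www.ads.example.invalid   # constructed sinkhole
"""
# What was left after the reset described in the thread.
HOSTS_AFTER = "127.0.0.1 localhost\n"
# Location of the real file on a Windows XP system.
WINDOWS_HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"


def load_hosts(path: str = WINDOWS_HOSTS_PATH) -> str:
    """Read the live hosts file (not used by the sample run below)."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return f.read()


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each hostname (lower-cased) to the addresses the file assigns it.
    Comments start at '#', fields are whitespace-separated, and a line may
    carry several names; lines whose first field is not an IP are skipped."""
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed entry; a resolver would not use it either
        for name in fields[1:]:
            mapping.setdefault(name.lower(), []).append(addr)
    return mapping


def is_sinkholed(text: str, hostname: str) -> bool:
    """True if the file assigns hostname only loopback or unspecified addresses."""
    addrs = parse_hosts(text).get(hostname.lower(), [])
    if not addrs:
        return False
    return all(ipaddress.ip_address(a).is_loopback or ipaddress.ip_address(a).is_unspecified
               for a in addrs)


def lost_entries(before: str, after: str) -> Set[str]:
    """Names present in the earlier file but missing from the later one."""
    return set(parse_hosts(before)) - set(parse_hosts(after))


if __name__ == "__main__":
    print("ib.adnxs.com sinkholed before reset:", is_sinkholed(HOSTS_BEFORE, "ib.adnxs.com"))
    print("ib.adnxs.com sinkholed after reset: ", is_sinkholed(HOSTS_AFTER, "ib.adnxs.com"))
    print("entries dropped by the reset:", sorted(lost_entries(HOSTS_BEFORE, HOSTS_AFTER)))
```

As the post observes, a hosts sinkhole only stops the page content from loading (the tabs came up blank); whatever is opening the tabs is untouched, so the entry is a containment measure and a post-cleanup check, not a removal. Running `lost_entries` against a saved copy of the file is a quick way to confirm which entries a tool such as ComboFix discarded when it rewrote the hosts file.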

Kevin,

I rebooted my system yesterday and it appeared to be a normal reboot. The volume control display, that appears whenever I press the up or down volume buttons, was restored.

AOL seems normal too. No return of the browser hijacker after the mail client starts.

What did you learn from the ComboFix log?

Thanks,

Lanny

ComboFix removed some folders that are not valid folder paths for the Windows folder and removed a couple of files that are suspicious, as well as removing a few suspicious start locations.

If everything is running fine then you can uninstall ComboFix by doing:

Press the Windows key + R and this will open the Run text box. Copy/paste the following text into the Run box as shown and click OK.

Combofix /Uninstall

(Note: There is a space between the ..X and the /U that needs to be there.)

Kevin,

My system continues to be free of the AOL browser hijacking that had appeared only when I used the mail client.

I am continuing to check out my applications, just to make sure that ComboFix did not affect any legitimate ones.

Also, as I reported and as shown in the log, ComboFix thought Emsisoft Anti-Malware was installed. However, I had uninstalled it about three weeks ago. Presumably there is some remnant that ComboFix checks for that did not get uninstalled. Do you have any guidance on where I should look and what steps I should take to completely uninstall it?

Thanks,

Lanny

You can use our cleaning utility to remove any remnants that were left behind when Emsisoft was uninstalled.

Download EmsiClean to your Desktop:

https://dl.emsisoft.com/Emsiclean.zip

After you have downloaded the tool, just run it. Read the disclaimer carefully and press "Yes" if you accept it. The tool will then show a list of all Emsisoft Anti-Malware and Mamutu objects it found installed on your system. Simply enable the check boxes of all objects you want to remove. Be careful with objects of type "Folder" though, and check their contents before selecting them for removal, as they may still contain data that you may want to save first. Then press the "Remove selected objects" button and reboot when asked.

Edited by GT500
Updated link for Emsiclean. There are now two versions (32-bit and 64-bit) bundled in a ZIP archive. Run EmsiClean64, and if you see an error message then run EmsiClean32.

Kevin,

Thanks for the EmsiClean program. It found the Services remnant cleanhlp32.sys. I clicked Remove and rebooted as instructed. I ran EmsiClean again and it found no traces of your software. Cleanhlp32.sys seemed to have been a remnant of the Emsisoft Emergency Kit, as EmsiClean made references to the (previously deleted) C:\EEK folder. Perhaps you need to include EmsiClean in future cleanup instructions.

I will continue to report the status of the browser hijacker for the rest of the week.

Thanks,

Lanny

Kevin,

All of my applications that I have tried seem to have been unaffected by ComboFix, so it did not seem to have any false positives. So I will probably run the ComboFix uninstall program on Friday.

Some mixed news on the browser front. As I reported above, everything was fine yesterday afternoon. However, the hijacker returned last night. It seemed to have opened ten or so tabs and then stopped. This morning there is no sign of it.

I did confirm that adding the site name "ib.adnxs.com" to the "Restricted Sites" in Internet Options affects the site's content. If I remove the site, the content returns. If the site is included, the content is blocked. In both cases, the tabs continue to open with that address.

Our previous experience shows that either running ComboFix or resetting IE seems to rid my system of the hijacker. I say "seems to rid my system" because I am not sure if it just lays dormant for a while or if it is truly gone and I get re-infected. If it is a case of re-infection, I suppose I can reset IE whenever it returns.

Thanks,

Lanny

Kevin,

OK, here we go again.

For an extra measure of thoroughness, I opted for the Full Scan versus the Smart Scan in the EEK. Log attached.

Ran FRST, logs attached.

Note that while the infection was evident Wednesday night, there has been no sign of it yesterday and today. May just be dormant.

Thanks,

Lanny

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM" /v "DISABLEREGISTRYTOOLS"
Close Notepad.

NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

Kevin,

I ran FRST with the script above on Friday. It seemed to have run successfully and the log file is attached.

I did not notice any difference afterward as the hijacker was not active at the time. It did return on Sunday though.

As noted before, it does not appear when I browse outside of AOL. It only occurs when I open AOL's software to read my e-mail. However, I seem to have found a way to stop it, at least temporarily. If I close the mail client, while leaving the rest of AOL's software open, the hijacking stops. Then when I open the mail client again, the hijacker is no longer active. This usually works for a day or two. This is actually an improvement from when it first started to appear. Back then it seemed that every time I opened the mail client I got hijacked.

I realize that I was inexact above by using "seemed" twice, but I can't remember everything that happened since this started over a month ago. Plus it is kind of hard to test it if it only appears every few days.

While the ib.adnxs.com hijacker can occur outside of AOL software, as seen in this forum I am not the only one with AOL that has this problem. So I plan to contact AOL again about this. As I mentioned in my first writing on this topic, my previous interactions with them were unsuccessful. That was during chat sessions though. This time I will summarize what I know in an e-mail in hopes that I will get a better answer. I'll let you know what I find out before I make any changes to my system.

Thanks,

Lanny

Kevin,

Hijacking returned yesterday, after a three-day dormant period; this has happened several times now. I closed mail and reopened it with no sign afterward, a work-around that has worked several times as well.

No response from AOL yet.

Thanks,

Lanny

Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or GT500 to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.
