FF and IE Search hijack

  • Thread starter: smlunatick

smlunatick

Last week I somehow got hit with the "Antivirus" virus / hijack, even
with my anti-virus (CA) functioning. I have managed to clear it out
but I now suffer the "Search" bar re-direct hijack in both IE 7 and
FireFox 3.5.2 (fresh install)

I have yet to find a proper "free" clean up solution to fix this.
 
You are infected with malware, which your AV won't necessarily detect or
remove

Try these
2. Clean HDD
Delete files using Disk Cleanup (if on Vista) http://windowshelp.microsoft.com/Windows/en-US/help/1264bc24-72a8-48a...

3. Download/execute:
Malwarebytes© Corporation - Anti-Malware http://www.malwarebytes.org/mbam/program/mbam-setup.exe
--and--
SuperAntispyware - Free http://www.superantispyware.com/downloadfile.html?productid=SUPERANTI...

SuperAntiSpyware and Malwarebytes AntiMalware ran and were constantly
reporting the system clean.

Turned out a "RootKit" got installed also, which then "hides" the
search "bars" re-direct. Located a similar issue:
http://www.bleepingcomputer.com/forums/topic246599.html

There seemed to be a "fake" System32 driver. I ran "RootRepeal" and
found an "equivalent" driver:
C:\WINDOWS\system32\drivers\vsfoceuovawvva.sys

Once I removed this file, Malwarebytes detected the "trojan" files:

C:\WINDOWS\system32\vsfoceauhejycn.dll (Trojan.TDSS)
C:\WINDOWS\system32\vsfocebkmdfuyi.dll (Trojan.TDSS)
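
An added example, not part of the original post or of any tool named in the thread: the three files listed above share the stem prefix `vsfoce`, so one triage check is to diff a file listing against a known-good baseline and flag new names that share a prefix across `system32\drivers` and `system32`. The baseline and listing below are constructed, the six-character prefix length is an assumption, and the listing is assumed to come from an offline or rootkit-aware scan, since the thread reports that the scanners saw nothing while the driver was in place.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

PREFIX_LEN = 6  # assumption: length of the shared prefix ("vsfoce" in the thread)

# Constructed known-good baseline (hypothetical clean reference listing).
BASELINE = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\WINDOWS\system32\drivers\usbhub.sys",
]
# Constructed current listing: baseline, the thread's three files, one benign new DLL.
LISTING = BASELINE + [
    r"C:\WINDOWS\system32\drivers\vsfoceuovawvva.sys",
    r"C:\WINDOWS\system32\vsfoceauhejycn.dll",
    r"C:\WINDOWS\system32\vsfocebkmdfuyi.dll",
    r"C:\WINDOWS\system32\example_new.dll",
]

def new_files(listing, baseline):
    """Paths present now but absent from the baseline (case-insensitive)."""
    known = {p.lower() for p in baseline}
    return [p for p in listing if p.lower() not in known]

def suspicious_clusters(listing, baseline, prefix_len=PREFIX_LEN):
    """Group new files by stem prefix; keep groups that contain both a
    .sys file under a 'drivers' folder and at least one .dll."""
    groups = defaultdict(list)
    for raw in new_files(listing, baseline):
        p = PureWindowsPath(raw)
        stem = p.stem.lower()
        if len(stem) > prefix_len:
            groups[stem[:prefix_len]].append(p)
    flagged = {}
    for prefix, members in groups.items():
        has_driver = any(m.suffix.lower() == ".sys"
                         and m.parent.name.lower() == "drivers" for m in members)
        has_dll = any(m.suffix.lower() == ".dll" for m in members)
        if has_driver and has_dll:
            flagged[prefix] = sorted(str(m) for m in members)
    return flagged

if __name__ == "__main__":
    for prefix, paths in suspicious_clusters(LISTING, BASELINE).items():
        print(prefix, *paths, sep="\n  ")
```

A hit is only a lead for closer inspection; legitimate driver and DLL pairs from one vendor can also share a prefix, which is why the baseline diff comes first.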
 
I have yet to find a proper "free" clean up solution to fix this.

Don't hold your breath.

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2. [WinXP ONLY!! =>] Run the Windows Live Safety Center's 'Protection' scan
(only!) in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the requested
logs in an appropriate forum, not here.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Chances are you will need to seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php,
http://aumha.net/viewforum.php?f=30 or other appropriate forums as well.**

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
 
You may have much more work to do!
SuperAntiSpyware and Malwarebytes AntiMalware ran and were constantly
reporting the system clean.

Turned out a "RootKit" got installed also, which then "hides" the
search "bars" re-direct. Located a similar issue:
http://www.bleepingcomputer.com/forums/topic246599.html

There seemed to be a "fake" System32 driver. I ran "RootRepeal" and
found an "equivalent" driver:
C:\WINDOWS\system32\drivers\vsfoceuovawvva.sys

Once I removed this file, Malwarebytes detected the "trojan" files:

C:\WINDOWS\system32\vsfoceauhejycn.dll (Trojan.TDSS)
C:\WINDOWS\system32\vsfocebkmdfuyi.dll (Trojan.TDSS)
 
You may have much more work to do!

Read my previous response. I have managed to clear out my "spyware"
infestation and re-activated my CA anti-virus. I was just stuck with
the search bars re-direct infestation. Turned out a "fake" System32
driver got installed and "activated" a rootkit. I managed to locate
the "rootkit" control and was able to clear out the remaining trojans.
 
smlunatick said:
Read my previous response. I have managed to clear out my "spyware"
infestation and re-activated my CA anti-virus. I was just stuck with
the search bars re-direct infestation. Turned out a "fake" System32
driver got installed and "activated" a rootkit. I managed to locate
the "rootkit" control and was able to clear out the remaining trojans.

I saw that. Nevertheless, I'd still recommend posting in an appropriate
forum and getting a second opinion from an expert in such matters (no offense).
 
