Browser Hijackers on IE

Oscar Wandel

Browser Hijackers on IE

I have been infected with 'Browser Hijackers' that modify/corrupt the
settings of Internet Explorer.

Can somebody help me to repair this problem. I want to keep the Internet
Explorer as my browser.

Thanks in advance

Oscar Wandel

(e-mail address removed)

I know the location on my computer of this malware: here it is

*** Installation Started 08/18/2006 12:26 ***
Title: TSA Installation
Source: C:\WINDOWS\TEMP\TSINSTALL_4_0_4_0_B4.EXE | 08-18-2006 | 12:26:32 |
1509364
Made Dir: C:\WINDOWS\uifr
File Copy: C:\WINDOWS\uifr\wu | 07-26-2002 | 17:02:06 | | 153088 | 5be5019b
File Copy: C:\WINDOWS\SYSTEM\tsuninst.exe | 11-02-2005 | 00:44:52 | 4.0.4.0
| 127574 | 18c1d951
RegDB Key: Software\uifr
RegDB Val: C:\PROGRA~1\FICHIE~1\uifr
RegDB Name: Path
RegDB Root: 2
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\TSA
RegDB Val: TSA
RegDB Name: DisplayName
RegDB Root: 2
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\TSA
RegDB Val: C:\WINDOWS\SYSTEM\tsuninst.exe /u
RegDB Name: UninstallString
RegDB Root: 2
Made Dir: C:\Program Files\Fichiers communs\uifr
File Copy: C:\Program Files\Fichiers communs\uifr\uifrm.exe | 11-03-2005 |
21:20:04 | 4.0.4.0 | 9216 | 78df4366
File Copy: C:\Program Files\Fichiers communs\uifr\uifrl.exe | 11-03-2005 |
21:19:22 | 4.0.4.0 | 16384 | d2fbf87e
File Copy: C:\Program Files\Fichiers communs\uifr\uifra.exe | 11-03-2005 |
21:21:30 | 4.0.4.0 | 16896 | c8b4a248
File Copy: C:\Program Files\Fichiers communs\uifr\uifrp.exe | 11-03-2005 |
21:20:38 | 4.0.4.0 | 9216 | ecac4011
Made Dir: C:\Program Files\Fichiers communs\uifr\uifrd
File Copy: C:\Program Files\Fichiers communs\uifr\uifrd\class-barrel |
04-19-2004 | 21:26:12 | | 4933375 | fa512af9
File Copy: C:\Program Files\Fichiers communs\uifr\uifrd\uifrc.dll |
02-18-2004 | 06:26:00 | | 46080 | 3c9bc69
File Copy: C:\Program Files\Fichiers communs\uifr\uifrd\vocabulary |
04-19-2004 | 21:26:12 | | 1234193 | 4d5f7b92
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Run
RegDB Val: C:\Program Files\Fichiers communs\uifr\uifrm.exe
RegDB Name: uifr
RegDB Root: 1
Delete in-use files: On
RegDB Key: SOFTWARE\uifr\update
RegDB Val: 4.0.4.0
RegDB Name: TSVersion
RegDB Root: 2
RegDB Key: SOFTWARE\uifr
RegDB Val: 174396902
RegDB Name: UID
RegDB Root: 2
File Tree: C:\Program Files\Fichiers communs\uifr\uifrd\*.*
File Tree: C:\Program Files\Fichiers communs\uifr\*.*
File Tree: C:\WINDOWS\uifr\*.*
RegDB Tree: SOFTWARE\uifr
RegDB Root: 2
RegDB Tree: SOFTWARE\TSA
RegDB Root: 2
RegDB Tree: SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\TSA
RegDB Root: 2
RegDB Tree: SOFTWARE\uifr
RegDB Root: 1
*** Installation Started 08/18/2006 12:48 ***
Title: TSA Installation
Source: C:\WINDOWS\TEMP\TSUPDATE_4_0_4_1_B3.EXE | 08-18-2006 | 12:45:58 |
358404
Preserve Existing: Following file not copied.
File Copy: C:\WINDOWS\uifr\wu
File Overwrite: C:\WINDOWS\SYSTEM\tsuninst.exe | 07-21-2006 | 18:55:38 |
4.0.4.1 | 127578 | 2a055bb1
RegDB Key: Software\uifr
RegDB Val: C:\PROGRA~1\FICHIE~1\UIFR
RegDB Name: Path
RegDB Root: 2
RegDB Old: C:\PROGRA~1\FICHIE~1\uifr
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\TSA
RegDB Val: TargetSaver
RegDB Name: DisplayName
RegDB Root: 2
RegDB Old: TSA
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\TSA
RegDB Val: C:\WINDOWS\SYSTEM\tsuninst.exe /u
RegDB Name: UninstallString
RegDB Root: 2
RegDB Old: C:\WINDOWS\SYSTEM\tsuninst.exe /u
File Overwrite: C:\Program Files\Fichiers communs\uifr\uifrm.exe |
07-19-2006 | 14:56:46 | 4.0.4.1 | 9216 | c325cc93
File Overwrite: C:\Program Files\Fichiers communs\uifr\uifrl.exe |
07-19-2006 | 15:05:36 | 4.0.4.1 | 16384 | 8c42560c
File Overwrite: C:\Program Files\Fichiers communs\uifr\uifra.exe |
07-19-2006 | 15:01:24 | 4.0.4.1 | 17408 | 698c8964
File Overwrite: C:\Program Files\Fichiers communs\uifr\uifrp.exe |
07-19-2006 | 15:16:36 | 4.0.4.1 | 9216 | 1d8dddf8
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Run
RegDB Val: C:\Program Files\Fichiers communs\uifr\uifrm.exe
RegDB Name: uifr
RegDB Root: 1
RegDB Old: C:\PROGRAM FILES\FICHIERS COMMUNS\UIFR\UIFRM.EXE
Delete in-use files: On
RegDB Key: SOFTWARE\uifr\update
RegDB Val: 4.0.4.1
RegDB Name: TSVersion
RegDB Root: 2
RegDB Old: 4.0.4.0
RegDB Key: SOFTWARE\uifr
RegDB Val: 174396902
RegDB Name: UID
RegDB Type: 3
RegDB Root: 2
RegDB Old: 174396902
File Tree: C:\Program Files\Fichiers communs\uifr\uifrd\*.*
File Tree: C:\Program Files\Fichiers communs\uifr\*.*
File Tree: C:\WINDOWS\uifr\*.*
RegDB Tree: SOFTWARE\uifr
RegDB Root: 2
RegDB Tree: SOFTWARE\TSA
RegDB Root: 2
RegDB Tree: SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\TSA
RegDB Root: 2
RegDB Tree: SOFTWARE\uifr
RegDB Root: 1
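
The install log in the post above can be reduced to the registry values the installer wrote, including the logon autostart entry. This parser is an added example, not part of the original thread; the function names are illustrative, and the mapping of `RegDB Root` numbers to hives (0=HKCR, 1=HKCU, 2=HKLM, 3=HKU) is an assumption.

```python
import re
# Excerpt of the install log from the post above (one wrapped entry included).
SAMPLE_LOG = r"""*** Installation Started 08/18/2006 12:26 ***
File Copy: C:\Program Files\Fichiers communs\uifr\uifrm.exe | 11-03-2005 |
21:20:04 | 4.0.4.0 | 9216 | 78df4366
RegDB Key: Software\uifr
RegDB Val: C:\PROGRA~1\FICHIE~1\uifr
RegDB Name: Path
RegDB Root: 2
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Run
RegDB Val: C:\Program Files\Fichiers communs\uifr\uifrm.exe
RegDB Name: uifr
RegDB Root: 1
RegDB Tree: SOFTWARE\uifr
RegDB Root: 2
"""
LABEL = re.compile(r"^([A-Za-z][A-Za-z -]*):(?:\s+(.*))?$")
ROOTS = {"0": "HKCR", "1": "HKCU", "2": "HKLM", "3": "HKU"}  # assumed mapping

def unwrap(text):
    """Join wrapped continuation lines onto their 'Label: value' line."""
    entries = []
    for line in text.splitlines():
        m = LABEL.match(line)
        if m:
            entries.append([m.group(1), (m.group(2) or "").strip()])
        elif entries and line.strip() and not line.startswith("***"):
            entries[-1][1] += " " + line.strip()
    return entries

def registry_writes(entries):
    """Group each RegDB Key..Root run into (hive\\key, name, value)."""
    out, cur = [], {}
    for label, value in entries:
        field = label[6:] if label.startswith("RegDB ") else None
        if field == "Key":
            cur = {"Key": value}
        elif field == "Tree":
            cur = {}  # tree entries list whole keys, not a value write
        elif field and cur:
            cur[field] = value
            if field == "Root":  # Root closes the record; a later 'Old' is ignored
                out.append((ROOTS.get(value, value) + "\\" + cur["Key"], cur.get("Name"), cur.get("Val")))
                cur = {}
    return out

def autostarts(writes):
    """Writes under a CurrentVersion\\Run key, i.e. programs started at logon."""
    return [w for w in writes if w[0].lower().endswith("\\currentversion\\run")]
```

Running `autostarts(registry_writes(unwrap(log_text)))` over the full log gives the Run-key values to verify and remove during cleanup.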
 
Hi Oscar,
After searching, I found that you have a malware infection of a type known as
Target Saver, an aggressive marketing tool that sends your surfing habits and
targets you with pop-ups which come from their server.
First, try to disable the running processes for this *Scum* Ware by pressing
this set of keys, ALT+DEL+CTRL, to bring up the Task Manager, then look for
these running processes and terminate them:
Oirra.exe
oirra.lck
class-barrel
oirrc.cll
oirrp.exe
oirri.lck
vocabulary
tsuninst.exe
and whatever you find suspicious in the Task Manager.
Run the command line and type:
regedit.exe or regedit32.exe and press Enter or OK.
In the Registry Editor, try to locate these keys and delete the Oirra or the
Target folder, not the key (be aware that deleting the key will render your
system useless; delete just the folder or entry between brackets in this example):
HKEY_CURRENT_USER\Software\(oirr)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\(TSA)
HKEY_LOCAL_MACHINE\Software\(oirr)
HKEY_LOCAL_MACHINE\Software\(TSA)
Exit the Registry Editor, connect to the Internet and run an online scan
from this link:
http://housecall.trendmicro.com
or http://www.trendmicro.com
http://www.avast.com
Download this utility:
http://www.lavassoftusa.com look for Ad-ware SE personal

Try scanning in Safe Mode and Normal mode to get a complete result in getting
rid of this malware.

HTH.
Please let us know your result.
Regards,
nass
 