Browser Hijack...

Nemo

Hi,

I got a few trojans on my PC 6 hours ago which I've been trying to sort since. What a way to spend Xmas eve!!!

I've sorted most of it by running Malwarebytes in safe mode after downloading updates, and similarly with Spybot which found 1 thing which Malwarebytes missed.

Everything seems ok now except when I click on a link from a search engine, more times than it doesn't, it takes me to a different random site. I'm going to run a full virus scan in the morning, but if I post a HijackThis log, can someone take a look please and see if there's anything obvious. If not, any advice on what to try next? The internet seems to be full of people with this problem, but there don't seem to be many solutions.

Cheers!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:41:48, on 24/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Office Mouse Driver\MouseDrv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\pc\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WireLessMouse] C:\Program Files\Office Mouse Driver\StartAutorun.exe MouseDrv.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\system32\E_S25B.tmp"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: QuickDefine - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\eddefine.htm
O8 - Extra context menu item: QuickTranslate - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\edtrans.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://24.105.203.109:95/kxhcm10.ocx
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
--
End of file - 8225 bytes

aliEnRIK

Download HostsXpert
http://www.softpedia.com/get/Security/Security-Related/Hoster.shtml
and then follow the below steps.

* Unzip HostsXpert.zip
* It will create a folder named HostsXpert in whatever folder you extract it to.
* Run HostsXpert.exe by double clicking on it.
* click the Make Writeable? button.
* click Restore Microsoft's Hosts File and then click OK.
* Click the X to exit the program


have you UPDATE malwarebytes and run a FULL scan?

aliEnRIK

TICK this in hijack and click to FIX it ~
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://24.105.203.109:95/kxhcm10.ocx

4743hudsonj

Ok first off, when you get sorted, upgrade xp to SP3.

Then either upgrade IE to 8 or better yet, jump ship to Safari 4, Chrome 3/4, Firefox 3.2 or Opera 10. All will be much better security wise.

Im no expert at these but have some expereince, i cant see anything to worry about apart from O16 processes. I did a quick google and there seems to be a recurring theme of security issues.

Wait for others advice but if you are not aware what housecall control, pc pitstop, housecall65 etc etc (theyre all downloads?) it may be that.

But again wait for others before acting upon anything.

Hope somebody gets to you soon.

One last suggestion would be to use the AVG removal tool and switch to Avira or ESET NOD32 if your willing to pay.

And Superantispyware could be used to just check for adware and spyware, in my experience it has better detection rates for adware and spyware which is what your issue could be caused by.

Merry Christmas
Josh

EDIT: Beaten to it. I thought those O16 looked iffy. especially when my AV flagged them.

Nemo

Ok, I'm back post-Xmas Day. Thanks for your help so far. This is where I'm at:-

The random site problem still exists!!!
Malwarebytes is returning a clean scan in full scan mode after updating.
After finding the 1 extra item, Spybot now returns a clean scan, again after updating.
I removed the item from the HijackThis log.

The hosts file is dated 23/8/2001 and is as follows:-

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost

I presume therefore I don't need to do the hosts 'rebuild' mentioned in the earlier post. Tell me if I do.

I have also run CCleaner to check/fix the registry/delete temp files etc.

I've just downleaded and run SuperAntiSpyware which says it's found Adware.Globolook in one of my favourites items. I think it may be a false postive, but I'm happy for it to go anyway. It's found a load of tracking cookies, then it's flagged 2 items as containing Trojan.Agent/GenDropper[Temp]. The files are 'c:\WINDOWS\Prefetch\4.TMP-368A74D3.pf' and C:\WINDOWS\TEMP\4.TMP'. I'll just show part of my Malwarebytes log from when I did the first clean and found the problems:-

Files Infected:
C:\WINDOWS\Temp\3.tmp (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\pfpx.tmp\svchost.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Temp\5_odb.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\pc\Local Settings\Temp\5_odb.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\pc\Local Settings\Temp\4_pinnew.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\pc\Local Settings\Temp\2_load.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\pc\Local Settings\Temp\6_ldr3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\avto.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\pc\Local Settings\Temp\avto.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\avto1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\avto2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\pc\Local Settings\Temp\avto1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\pc\Local Settings\Temp\avto2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\pc\Local Settings\Temp\avto3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\pc\Local Settings\Temp\q1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\tmp1812274.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\tmp4122674.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\tmp5619951.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\lsass.exe (Trojan.PWS) -> Quarantined and deleted successfully.
C:\WINDOWS\odb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\svc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\svw.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\svx.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\wdmon.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\pc\Local Settings\Temp\teste1_p.exe (Trojan.Agent) -> Quarantined and deleted successfully.

I looked at some of these files listed above before removing, and they were dated 24/12/09 at between 17:02 and 17:42. I suspect that 17:02 is the initial infection time, and 17:42 is when I rebooted in non-safe mode firstly, and when I started getting pop-ups saying updating Flash...Run, Save, Close etc. The file named 4.TMP that SuperAntiSpyware has flagged is timed at 17:42 on the 24th. In this WINDOWS\Temp directory I also have files named 407.tmp and fla6.tmp timed at 17:09 and 17:42 respectively. There are 7 other files in this directory beginning 'fla' in this directory and 1 called avg8info.id . The 'fla' files are all dated yesterday (ie the 25th), the 'avg' files is dated 10/11/09.

I've looked in the WINDOWS\Prefetch directory and found the other file that SuperAntiSpyware has flagged. ie 4.TMP-368A74D3.pf . This is dated 24/12/09 at 17:42. In this directory are also some of the other names in the Malwarebytes log above. eg. 6_ODB.EXE-224EB9E3.pf @ 17:10 and AVTO1.EXE-033B32CC.pf @17:04 .

I've not done the removal yet in SuperAntiSpyware. I'll just await advice first. Will it be a case of doing this clean, then manually deleting all the other files in the WINDOWS\Temp directory through Windows Explorer (if it'll let me), then doing the same with any files in the WINDOWS\Prefetch directory dated 24/12/09 between those times? (I don't know if it's safe to just remove from the Prefetch directory.)

I'll just mention that I tried running Internet Explorer without plugins, but it didn't fix the problem.

Many thanks in advance!

enigma52

you can safely delete everything in the prefetch folder to clean it out. Windows will rebuild it from fresh when you reboot.

Browntoa

I'd run this next

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


it's a combined tool so will attack it using several means

post the log file when its done

aliEnRIK

Run hostsxpert

Or dont, your call................

Nemo

aliEnRIK (+others),

I'm really appreciating your help here!

Ok, I've done the HostsXpert thing and rebooted, but it's made no difference.

I've not done the deletion of the Windows\Temp directory stuff yet. As well as the files in there that I mentioned earlier (eg. 407.tmp, fla1D.tmp), I've got directories named 'Cookies', 'History', and 'Temporary Internet Files'. These folders are all dated 24/12/09 @ 17:26, and contain 1 item each, namely index.dat, History.IE5, and Content.IE5 . Do I just get rid of everything in Windows\Temp, including these folders?

I've also not cleared the Windows/Prefetch directory yet. Do you think I should? The only non '.pf' file in there is Layout.ini . If I need to clear this directory, does that include this file?

I#ve just been reading instructions for ComboFix as per BrownToa. Is this the next step you'd do?

Cheers!

aliEnRIK

Definitely run combofix next, hopefully the log will show us why we're not getting anywhere

Can you also please post the DATABASE version of malwarebytes you ran? (top of the log under LOGS)

Nemo

aliEnRIK, this is the last full Malwarebytes scan:-

Malwarebytes' Anti-Malware 1.42
Database version: 3426
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13
25/12/2009 11:51:31
mbam-log-2009-12-25 (11-51-31).txt
Scan type: Full Scan (C:\|)
Objects scanned: 276899
Time elapsed: 1 hour(s), 48 minute(s), 59 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

Sorry, can I just ask again, would you do anything with Temp and Prefetch, or not bother at this point?

I'll run ComboFix shortly.

Thanks.