[RESOLVED] Hijacked browser - Page 2

Thread: [RESOLVED] Hijacked browser

  1. #16
    Join Date
    Nov 2008
    Posts
    237
    Still redirects. It doesn't start doing it until I click about 4-6 search results, then from there on it keeps redirecting me. Nothing else seems to be malfunctioning though.

  2. #17
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Does it happen only in Firefox?
    Can you check IE?

  3. #18
    Join Date
    Nov 2008
    Posts
    237
    I just checked IE; at the bottom it says "Internet | protection mode:Off". Should I proceed to test the browser, or is it not safe?

  4. #19
    Join Date
    Nov 2008
    Posts
    237
    Tested Safari and it redirects there also.

  5. #20
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    I just checked IE, at the bottom it says, "Internet | protection mode:Off"
    I don't use IE much, but mine looks the same.

    Download Kenco.exe to your desktop
    • Close all windows and run the program.
    • It won't take long to run.
    • Kenco will reboot the system if it finds anything.
    • Post the log it gives you (it will be saved in the same place as Kenco.exe).

  6. #21
    Join Date
    Nov 2008
    Posts
    237
    Kenco by jpshortstuff (31.12.09.1)
    Log created at 12:28 on 08/02/2010 (User)

    ========== Task Unlocker ==========

    ========== KencoScan ==========
    C:\Windows\system32\bcdsrv.dll -> Error setting security information [5]!
    C:\Windows\system32\scksp.dll -> Error setting security information [5]!

    ========== C:\Windows\Tasks ==========
    GoogleUpdateTaskMachineCore.job -> [15:38 19/11/2009] 878 bytes
    GoogleUpdateTaskMachineUA.job -> [15:39 19/11/2009] 882 bytes
    HPCeeScheduleForUser.job -> [14:12 03/08/2008] 318 bytes

    -=E.O.F=-

  7. #22
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Re-run HJT, checkmark:
    - O17 - HKLM\System\CCS\Services\Tcpip\..\{B49E12CC-02FC-45FE-8DA5-1273D4C78BC3}: NameServer = 93.188.162.95,93.188.161.78
    - O17 - HKLM\System\CCS\Services\Tcpip\..\{C35F5C38-1486-4B24-BB49-E83F68466F23}: NameServer = 93.188.162.95,93.188.161.78
    - O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.95,93.188.161.78
    - O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.95,93.188.161.78

    Click "Fix checked" button.

    Restart computer.
    Check for redirection.
    Post fresh HJT log.

  8. #23
    Join Date
    Nov 2008
    Posts
    237
    I can't locate those lines. I noticed they're there in the first HijackThis log I posted, but the ones I posted after that don't show those lines anymore. Here's a recent one:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:37:09 PM, on 2/8/2010
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16916)
    Boot mode: Normal

    Running processes:
    C:\Windows\Explorer.EXE
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Apoint2K\ApMsgFwd.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\igfxpers.exe
    C:\WINDOWS\PixArt\Pac207\Monitor.exe
    C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myctc.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ARIO&pf=laptop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
    O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe"
    O4 - HKLM\..\Run: [WAWifiMessage] "C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [PAC207_Monitor] C:\Windows\PixArt\PAC207\Monitor.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Locate Spot on Map by GPS - C:\Program Files\Opanda\IExif 2.3\IExifMap.htm
    O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - C:\Program Files\Opanda\IExif 2.3\IExifCom.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 7937 bytes
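
As an added example (not code from the thread or from any of the tools named in it), a small Python triage of the two HijackThis entry types the helper acted on above: O17 NameServer lines that carry non-private DNS servers, and R1 ProxyServer lines that point at the local machine. The function names are mine, and the sample log is constructed from values quoted in this thread plus a benign control line.

```python
import ipaddress

# Constructed sample, modelled on the O17 NameServer lines in post #22 and the
# R1 ProxyServer line in the post #23 log, plus two benign control lines.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myctc.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O17 - HKLM\System\CCS\Services\Tcpip\..\{B49E12CC-02FC-45FE-8DA5-1273D4C78BC3}: NameServer = 93.188.162.95,93.188.161.78
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.95,93.188.161.78
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

def parse_entry(line):
    """Split an HJT line 'Oxx - <key> = <value>' into (section, key, value)."""
    if " - " not in line or " = " not in line:
        return None
    section, rest = line.split(" - ", 1)
    key, value = rest.split(" = ", 1)
    return section.strip(), key.strip(), value.strip()

def classify_host(host):
    """Return 'loopback', 'private', 'public' or 'name' for a host string."""
    try:
        ip = ipaddress.ip_address(host.strip())
    except ValueError:
        return "name"  # a hostname: leave it to manual review
    if ip.is_loopback:  # test first: 127/8 is also inside is_private
        return "loopback"
    return "private" if ip.is_private or ip.is_link_local else "public"

def proxy_hosts(value):
    """'http=127.0.0.1:5555;https=host:port' or 'host:port' -> host strings."""
    hosts = []
    for part in value.split(";"):
        part = part.split("=", 1)[-1]  # drop a 'http=' style scheme prefix
        hosts.append(part.rsplit(":", 1)[0])
    return hosts

def triage(log_text):
    """Return (section, reason, value) findings that deserve a human look."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        section, key, value = entry
        if section == "O17" and key.endswith("NameServer"):
            # Resolvers hard-set on the adapter. Anything outside the private
            # ranges should be a resolver the owner chose; the 93.188.x.x pair
            # here is what sent every browser on this machine elsewhere.
            public = [a.strip() for a in value.split(",") if classify_host(a) == "public"]
            if public:
                findings.append((section, "non-private DNS server", ",".join(public)))
        elif section == "R1" and key.endswith("ProxyServer"):
            # A loopback proxy means a local process sits between the browser
            # and the network, another way to rewrite where clicks go.
            if any(classify_host(h) == "loopback" for h in proxy_hosts(value)):
                findings.append((section, "loopback proxy", value))
    return findings
```

Run `triage(SAMPLE_LOG)` to get three findings (the loopback proxy and both 93.188.x.x resolver lines); the 192.168.1.1 control line is not reported.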

  9. #24
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    I assume the redirection is still there?

    Download RootRepeal.zip (Mirror1, Mirror2) and unzip it to your Desktop.
    • Double click RootRepeal.exe to start the program
    • Click on the Report tab at the bottom of the program window
    • Click the Scan button
    • In the Select Scan dialog, check:
      • Drivers
      • Files
      • Processes
      • SSDT
      • Stealth Objects
      • Hidden Services
    • Click the OK button
    • In the next dialog, select all drives showing
    • Click OK to start the scan
      Note: The scan can take some time. DO NOT run any other programs while the scan is running
    • When the scan is complete, the Save Report button will become available
    • Click this and save the report to your Desktop as RootRepeal.txt
    • Go to File, then Exit to close the program

    Open RootRepeal.txt file with Notepad, copy, and paste all content into your next reply.

    If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

  10. #25
    Join Date
    Nov 2008
    Posts
    237
    Problem: got an error on start-up (did not record the error), ran the scan and got an error about the drivers, then another error, and it finished with this log:

    ROOTREPEAL (c) AD, 2007-2009
    ==================================================
    Scan Start Time: 2010/02/08 13:02
    Program Version: Version 1.3.5.0
    Windows Version: Windows Vista SP0
    ==================================================

    SSDT
    -------------------
    SYSENTER/INT2E Hooked [0x81c8c9c0]!

    ==EOF==

  11. #26
    Join Date
    Nov 2008
    Posts
    237
    Here's one of the error logs, where it says "Could not read system registry, please contact the author":

    13:02:46: DeviceIoControl Error! Error Code = 0x0
    13:02:46: DeviceIoControl Error! Error Code = 0x0
    13:02:46: DeviceIoControl Error! Error Code = 0x0
    13:02:46: DeviceIoControl Error! Error Code = 0x0
    13:02:46: DeviceIoControl Error! Error Code = 0x0
    13:02:46: DeviceIoControl Error! Error Code = 0x0
    13:02:46: Could not scan drive C (error 0xc0000024)
    13:02:49: Could not scan drive D (error 0xc0000024)
    13:02:50: Could not get the name for PID 4.
    13:02:50: Could not get the name for PID 448.
    13:02:50: Could not get the name for PID 512.
    13:02:50: Could not get the name for PID 552.
    13:02:50: Could not get the name for PID 560.
    13:02:50: Could not get the name for PID 608.
    13:02:50: Could not get the name for PID 616.
    13:02:50: Could not get the name for PID 624.
    13:02:50: Could not get the name for PID 688.
    13:02:50: Could not get the name for PID 820.
    13:02:50: Could not get the name for PID 892.
    13:02:50: Could not get the name for PID 928.
    13:02:50: Could not get the name for PID 1032.
    13:02:50: Could not get the name for PID 1108.
    13:02:50: Could not get the name for PID 1124.
    13:02:50: Could not get the name for PID 1200.
    13:02:50: Could not get the name for PID 1232.
    13:02:50: Could not get the name for PID 1280.
    13:02:50: Could not get the name for PID 1400.
    13:02:50: Could not get the name for PID 1560.
    13:02:50: Could not get the name for PID 1604.
    13:02:50: Could not get the name for PID 1632.
    13:02:50: Could not get the name for PID 1760.
    13:02:50: Could not get the name for PID 1788.
    13:02:50: Could not get the name for PID 1804.
    13:02:50: Could not get the name for PID 1844.
    13:02:50: Could not get the name for PID 1860.
    13:02:50: Could not get the name for PID 1868.
    13:02:50: Could not get the name for PID 1876.
    13:02:50: Could not get the name for PID 1884.
    13:02:50: Could not get the name for PID 1904.
    13:02:50: Could not get the name for PID 1972.
    13:02:50: Could not get the name for PID 1988.
    13:02:50: Could not get the name for PID 1544.
    13:02:50: Could not get the name for PID 1596.
    13:02:50: Could not get the name for PID 1680.
    13:02:50: Could not get the name for PID 964.
    13:02:50: Could not get the name for PID 1520.
    13:02:50: Could not get the name for PID 2360.
    13:02:50: Could not get the name for PID 2372.
    13:02:50: Could not get the name for PID 2424.
    13:02:50: Could not get the name for PID 2604.
    13:02:50: Could not get the name for PID 2692.
    13:02:50: Could not get the name for PID 2720.
    13:02:50: Could not get the name for PID 2772.
    13:02:50: Could not get the name for PID 2840.
    13:02:50: Could not get the name for PID 2864.
    13:02:50: Could not get the name for PID 2936.
    13:02:50: Could not get the name for PID 2952.
    13:02:50: Could not get the name for PID 2976.
    13:02:50: Could not get the name for PID 3248.
    13:02:50: Could not get the name for PID 3288.
    13:02:50: Could not get the name for PID 3428.
    13:02:50: Could not get the name for PID 3968.
    13:02:50: Could not get the name for PID 2620.
    13:02:50: DeviceIoControl Error! Error Code = 0xc0000024
    13:02:50: DeviceIoControl Error! Error Code = 0xc0000024
    13:02:55: Warning - the number of SSDT entries from the kernel and the number on-disk are different (0 and 398).
    13:02:55: DeviceIoControl Error! Error Code = 0x0
    13:02:55: WARNING: The SSDT in our driver has been faked (0x00000250)!
    13:02:55: DeviceIoControl Error! Error Code = 0x0
    13:02:55: Could not get loaded modules!
    13:02:55: DeviceIoControl Error! Error Code = 0xc0000024
    13:02:55: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000d0)
    13:02:55: Could not read system registry! Please contact the author!

  12. #27
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Under the Custom Scan box paste this in:

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two Notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

  13. #28
    Join Date
    Nov 2008
    Posts
    237
    Ok, I attached both logs.

  14. #29
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    I see nothing there...

    Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    When scan is completed, click Save button, and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Zip the log, and attach zipped file to your next reply.

  15. #30
    Join Date
    Nov 2008
    Posts
    237
    Ok got it.
