PDA

View Full Version : Browser hijacker and hosts/wininit problems


Lurker87
2010-07-15, 03:30
I am trying to help a friend whose Vista Business 32-bit computer has recently started showing quite a few symptoms of malware. I ran Malwarebyte, and was able to get rid of about ten infections, however some were unable to be removed. However, there were still instances of the browser being hijacked, often to sites such as 7search.com, and others. I went on to use HJT to look for other malware possibilities, and this was when I first came across the problem of "For some reason your system denied write access to the Hosts file... etc". I have googled both it and the wininit version of the error message.

I took a look at the log and noticed the list of 'hosts' appeared quite substantial.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:10:23 PM, on 7/14/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Safe mode

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 188.124.7.188 www.google.com
O1 - Hosts: 188.124.7.188 google.com
O1 - Hosts: 188.124.7.188 google.com.au
O1 - Hosts: 188.124.7.188 www.google.com.au
O1 - Hosts: 188.124.7.188 google.be
O1 - Hosts: 188.124.7.188 www.google.be
O1 - Hosts: 188.124.7.188 google.com.br
O1 - Hosts: 188.124.7.188 www.google.com.br
O1 - Hosts: 188.124.7.188 google.ca
O1 - Hosts: 188.124.7.188 www.google.ca
O1 - Hosts: 188.124.7.188 google.ch
O1 - Hosts: 188.124.7.188 www.google.ch
O1 - Hosts: 188.124.7.188 google.de
O1 - Hosts: 188.124.7.188 www.google.de
O1 - Hosts: 188.124.7.188 google.dk
O1 - Hosts: 188.124.7.188 www.google.dk
O1 - Hosts: 188.124.7.188 google.fr
O1 - Hosts: 188.124.7.188 www.google.fr
O1 - Hosts: 188.124.7.188 google.ie
O1 - Hosts: 188.124.7.188 www.google.ie
O1 - Hosts: 188.124.7.188 google.it
O1 - Hosts: 188.124.7.188 www.google.it
O1 - Hosts: 188.124.7.188 google.co.jp
O1 - Hosts: 188.124.7.188 www.google.co.jp
O1 - Hosts: 188.124.7.188 google.nl
O1 - Hosts: 188.124.7.188 www.google.nl
O1 - Hosts: 188.124.7.188 google.no
O1 - Hosts: 188.124.7.188 www.google.no
O1 - Hosts: 188.124.7.188 google.co.nz
O1 - Hosts: 188.124.7.188 www.google.co.nz
O1 - Hosts: 188.124.7.188 google.pl
O1 - Hosts: 188.124.7.188 www.google.pl
O1 - Hosts: 188.124.7.188 google.se
O1 - Hosts: 188.124.7.188 www.google.se
O1 - Hosts: 188.124.7.188 google.co.uk
O1 - Hosts: 188.124.7.188 www.google.co.uk
O1 - Hosts: 188.124.7.188 google.co.za
O1 - Hosts: 188.124.7.188 www.google.co.za
O1 - Hosts: 188.124.7.188 www.google-analytics.com
O1 - Hosts: 188.124.7.188 www.bing.com
O1 - Hosts: 188.124.7.188 search.yahoo.com
O1 - Hosts: 188.124.7.188 www.search.yahoo.com
O1 - Hosts: 188.124.7.188 uk.search.yahoo.com
O1 - Hosts: 188.124.7.188 ca.search.yahoo.com
O1 - Hosts: 188.124.7.188 de.search.yahoo.com
O1 - Hosts: 188.124.7.188 fr.search.yahoo.com
O1 - Hosts: 188.124.7.188 au.search.yahoo.com
O2 - BHO: C:\Windows\system32\ar8315.dll - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\Windows\system32\ar8315.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Remote System Protection] rundll32.exe C:\Windows\system32\ar8315.dll, HUI_proc
O15 - Trusted Zone: http://*.buy-security-essentials.com
O15 - Trusted Zone: http://*.download-soft-package.com
O15 - Trusted Zone: http://*.download-software-package.com
O15 - Trusted Zone: http://*.get-key-se10.com
O15 - Trusted Zone: http://*.is-software-download.com
O15 - Trusted Zone: http://*.buy-security-essentials.com (HKLM)
O15 - Trusted Zone: http://*.get-key-se10.com (HKLM)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: zzop93 - zzop93.dll (file missing)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O22 - SharedTaskScheduler: 7whfiudhf8s7f3oifhif7syfdhsof - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\Windows\system32\ar8315.dll
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: PEVSystemStart - Unknown owner - C:\ComboFix\PEV.cfxxe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe

------------------------------------------------------------------



I googled multiple techniques to get around this, and have tried other removal methods, such as adaware S&D, and even going so far as to try using ComboFix, which only made it to stage 5 after an hour, before I finally canceled it and began searching again. I have come across the hosts file in Windows/System32/driver/etc, and have tried multiple variations of granting permissions, as well as ownership, to both it and spybot, and each time, I obtained an error that mentioned the hosts file or wininit. I came across HostsXpert in one of this site's threads as a possible way to unlock the hosts file, but upon trying to restore MS's hosts file, I obtained the error "ERROR: Cannot create file C:\Windows\System32\DRIVERS\ETC\hosts"... no surprise there X(

I have deactivated all the antivirus programs (I believe), and have disconnected from the internet, as well as all pages and email clients. The firewall is down, and now I'm running out of ideas. However, I am basing this on the conclusion that I need to find some way to allow access to the hosts and wininit files.

I am still finding multiple malware infections, and would appreciate any help. After 7 hours of stumbling around, I have only succeeded in further proving my ignorance :sad:

----------------------------------
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
ken545
2010-07-22, 02:10
:snwelcome:


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.



You have a bit of a mess going on, I am going to have you download HostsXpert with the instructions to run it ...BUT DONT RUN IT YET Make sure you download it to your desktop


Download the HostsXpert 4.3 - Hosts File Manager (http://www.funkytoad.com/download/HostsXpert.zip).

Unzip HostsXpert 4.2.0.0 - Hosts File Manager to a convenient folder such as C:\HostsXpert
Click HostsXpert.exe to Run HostsXpert - Hosts File Manager from its new home
Click "Make Hosts Writable?" in the upper left corner.
Click Restore Microsoft's Hosts file and then click OK.
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.








Please download OTM by OldTimer (http://oldtimer.geekstogo.com/OTM.exe) and save it to your desktop.
Double click the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/OTMdesktopicon.png icon on your desktop.
Paste the following code under the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/pasteline.png area.
Do not include the word "Code".



:Processes
explorer.exe

:Services

:Reg

:Files
c:\windows\system32\drivers\etc\hosts


:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

Push the large http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/btnmoveit.png button.
OTM may ask to reboot the machine. Please do so if asked.
Copy/Paste the contents under the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/results.png line here in your next reply.
If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Now run HostsXpert <========


Restore Microsoft's Hosts file <-- You will get a message stating that there is no hosts file available do you want to create one SAY YES





Download: DelDomains (http://mvps.org/winhelp2002/DelDomains.inf) and save it to the desktop.

Close all open windows and your browser
Right Click DelDomains.inf and select > Install
Reboot your computer
Internet Explorer is needed to run this program properly.





Hijackthis has become somewhat outdated and we dont use it much anymore, run both these scans and post the reports


Download DDS by sUBs from one of the following links. Save it to your desktop.

DDS.com (http://www.techsupportforum.com/sectools/sUBs/dds)
DDS.scr (http://download.bleepingcomputer.com/sUBs/dds.scr)
DDS.pif (http://www.forospyware.com/sUBs/dds)

Double click on the DDS icon, allow it to run.
A small box will open, with an explaination about the tool. No input is needed, the scan is running.
Notepad will open with the results, click no to the Optional_Scan
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control Here (http://www.bleepingcomputer.com/forums/topic114351.html)



http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?

det=5198).

Extract the contents of the zipped file to desktop.
Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

http://i266.photobucket.com/albums/ii277/sUBs_/th_Gmer_initScan.gif (http://i266.photobucket.com/albums/ii277/sUBs_/Gmer_initScan.gif)
Click the image to enlarge it
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop, and post it in your next reply.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries



I need to see the reports from

1. OTM
2. DDS
3. GMER
ken545
2010-07-28, 22:03
Due to inactivity, this thread will now be closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new DDS log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.