
Thread: Browser hijacked - now with DDS log

  1. #11
    Junior Member
    Join Date
    Nov 2011
    Posts
    14

    Quote Originally Posted by ken545
    Did you set this as your homepage? Can you tell me what it is? I am kind of leery going into a site I know nothing about.

    FF - prefs.js..browser.startup.homepage: "http://www.iknowsearch.net/"


    I did not. It keeps popping up every time I load my browser.

  2. #12
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Open OTL.exe
    • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

      Code:
      :processes
      killallprocesses
      
      :OTL
      FF - prefs.js..browser.startup.homepage: "http://www.iknowsearch.net/"
      [2011/11/26 17:17:00 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At36.job
      [2011/11/26 16:38:05 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At34.job
      [2011/11/26 16:38:05 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At32.job
      [2011/11/26 14:27:51 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At28.job
      [2011/11/26 14:17:00 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At30.job
      [2011/11/26 14:15:59 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At26.job
      [2011/11/26 14:15:59 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At24.job
      [2011/11/26 14:15:59 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At22.job
      [2011/11/26 09:33:51 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At8.job
      [2011/11/26 09:33:51 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At6.job
      [2011/11/26 09:33:51 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At4.job
      [2011/11/26 09:33:51 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At20.job
      [2011/11/26 09:33:51 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At18.job
      [2011/11/26 09:33:51 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At16.job
      [2011/11/26 09:33:51 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At14.job
      [2011/11/26 09:33:51 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At12.job
      [2011/11/26 09:33:51 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At10.job
      [2011/11/26 09:33:50 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At2.job
      [2011/11/25 23:17:00 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At48.job
      [2011/11/25 22:17:00 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At46.job
      [2011/11/25 21:17:00 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At44.job
      [2011/11/25 20:17:00 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At42.job
      [2011/11/25 19:17:00 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At40.job
      [2011/11/25 18:25:27 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At38.job
      [2011/11/25 17:14:17 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\g0Qol0.com.b
      [2011/11/25 17:13:53 | 000,111,616 | ---- | M] () -- C:\Windows\SysWow64\g0Qol0.com
      [2011/11/25 20:10:16 | 000,111,616 | ---- | C] () -- C:\Windows\SysWow64\g0Qol0.com
      [2011/11/25 17:14:17 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\g0Qol0.com.b
      [2011/11/25 17:11:19 | 000,000,346 | ---- | C] () -- C:\Windows\tasks\At48.job
      [2011/11/25 17:11:18 | 000,000,346 | ---- | C] () -- C:\Windows\tasks\At46.job
      [2011/11/25 17:11:18 | 000,000,346 | ---- | C] () -- C:\Windows\tasks\At44.job
      [2011/11/25 17:11:18 | 000,000,346 | ---- | C] () -- C:\Windows\tasks\At42.job
      [2011/11/25 17:11:18 | 000,000,346 | ---- | C] () -- C:\Windows\tasks\At40.job
      [2011/11/25 17:11:18 | 000,000,346 | ---- | C] () -- C:\Windows\tasks\At38.job
      [2011/11/25 17:11:18 | 000,000,346 | ---- | C] () -- C:\Windows\tasks\At36.job
      [2011/11/25 17:11:17 | 000,000,346 | ---- | C] () -- C:\Windows\tasks\At34.job
      [2011/11/25 17:11:17 | 000,000,346 | ---- | C] () -- C:\Windows\tasks\At32.job
      [2011/11/25 17:11:17 | 000,000,346 | ---- | C] () -- C:\Windows\tasks\At30.job
      [2011/11/25 17:11:16 | 000,000,346 | ---- | C] () -- C:\Windows\tasks\At28.job
      [2011/11/25 17:11:16 | 000,000,346 | ---- | C] () -- C:\Windows\tasks\At26.job
      [2011/11/25 17:11:16 | 000,000,346 | ---- | C] () -- C:\Windows\tasks\At24.job
      [2011/11/25 17:11:16 | 000,000,346 | ---- | C] () -- C:\Windows\tasks\At22.job
      [2011/11/25 17:11:16 | 000,000,346 | ---- | C] () -- C:\Windows\tasks\At20.job
      [2011/11/25 17:11:15 | 000,000,346 | ---- | C] () -- C:\Windows\tasks\At18.job
      [2011/11/25 17:11:15 | 000,000,346 | ---- | C] () -- C:\Windows\tasks\At16.job
      [2011/11/25 17:11:15 | 000,000,346 | ---- | C] () -- C:\Windows\tasks\At14.job
      [2011/11/25 17:11:15 | 000,000,346 | ---- | C] () -- C:\Windows\tasks\At12.job
      [2011/11/25 17:11:15 | 000,000,346 | ---- | C] () -- C:\Windows\tasks\At10.job
      [2011/11/25 17:11:14 | 000,000,346 | ---- | C] () -- C:\Windows\tasks\At8.job
      [2011/11/25 17:11:14 | 000,000,346 | ---- | C] () -- C:\Windows\tasks\At6.job
      [2011/11/25 17:11:14 | 000,000,346 | ---- | C] () -- C:\Windows\tasks\At4.job
      [2011/11/25 17:11:14 | 000,000,346 | ---- | C] () -- C:\Windows\tasks\At2.job
      @Alternate Data Stream - 121 bytes -> C:\ProgramData\Temp:DFC5A2B2
      @Alternate Data Stream - 109 bytes -> C:\ProgramData\Temp:A8ADE5D8
      @Alternate Data Stream - 108 bytes -> C:\Windows:
      
      
      :Services
      
      :Reg
      
      :Files
      ipconfig /release /c
      ipconfig /renew /c
      ipconfig /flushdns /c
      
      
      
      
      
      :Commands
      [purity]
      [resethosts]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Then click the Run Fix button at the top. <--Not run Scan
    • Let the program run unhindered, reboot when it is done
    • Then post the results of the log it produces.





    Then, drag Combofix to the trash and use the links I provided earlier to download a fresh copy. Follow the instructions to run it and post a new log, please.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #13
    Junior Member
    Join Date
    Nov 2011
    Posts
    14

    All processes killed
    ========== PROCESSES ==========
    ========== OTL ==========
    Prefs.js: "http://www.iknowsearch.net/" removed from browser.startup.homepage
    C:\Windows\Tasks\At36.job moved successfully.
    C:\Windows\Tasks\At34.job moved successfully.
    C:\Windows\Tasks\At32.job moved successfully.
    C:\Windows\Tasks\At28.job moved successfully.
    C:\Windows\Tasks\At30.job moved successfully.
    C:\Windows\Tasks\At26.job moved successfully.
    C:\Windows\Tasks\At24.job moved successfully.
    C:\Windows\Tasks\At22.job moved successfully.
    C:\Windows\Tasks\At8.job moved successfully.
    C:\Windows\Tasks\At6.job moved successfully.
    C:\Windows\Tasks\At4.job moved successfully.
    C:\Windows\Tasks\At20.job moved successfully.
    C:\Windows\Tasks\At18.job moved successfully.
    C:\Windows\Tasks\At16.job moved successfully.
    C:\Windows\Tasks\At14.job moved successfully.
    C:\Windows\Tasks\At12.job moved successfully.
    C:\Windows\Tasks\At10.job moved successfully.
    C:\Windows\Tasks\At2.job moved successfully.
    C:\Windows\Tasks\At48.job moved successfully.
    C:\Windows\Tasks\At46.job moved successfully.
    C:\Windows\Tasks\At44.job moved successfully.
    C:\Windows\Tasks\At42.job moved successfully.
    C:\Windows\Tasks\At40.job moved successfully.
    C:\Windows\Tasks\At38.job moved successfully.
    C:\Windows\SysWOW64\g0Qol0.com.b moved successfully.
    C:\Windows\SysWOW64\g0Qol0.com moved successfully.
    File C:\Windows\SysWow64\g0Qol0.com not found.
    File C:\Windows\SysWow64\g0Qol0.com.b not found.
    File C:\Windows\tasks\At48.job not found.
    File C:\Windows\tasks\At46.job not found.
    File C:\Windows\tasks\At44.job not found.
    File C:\Windows\tasks\At42.job not found.
    File C:\Windows\tasks\At40.job not found.
    File C:\Windows\tasks\At38.job not found.
    File C:\Windows\tasks\At36.job not found.
    File C:\Windows\tasks\At34.job not found.
    File C:\Windows\tasks\At32.job not found.
    File C:\Windows\tasks\At30.job not found.
    File C:\Windows\tasks\At28.job not found.
    File C:\Windows\tasks\At26.job not found.
    File C:\Windows\tasks\At24.job not found.
    File C:\Windows\tasks\At22.job not found.
    File C:\Windows\tasks\At20.job not found.
    File C:\Windows\tasks\At18.job not found.
    File C:\Windows\tasks\At16.job not found.
    File C:\Windows\tasks\At14.job not found.
    File C:\Windows\tasks\At12.job not found.
    File C:\Windows\tasks\At10.job not found.
    File C:\Windows\tasks\At8.job not found.
    File C:\Windows\tasks\At6.job not found.
    File C:\Windows\tasks\At4.job not found.
    File C:\Windows\tasks\At2.job not found.
    ADS C:\ProgramData\Temp:DFC5A2B2 deleted successfully.
    ADS C:\ProgramData\Temp:A8ADE5D8 deleted successfully.
    Unable to delete ADS C:\Windows: .
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    < ipconfig /release /c >
    Windows IP Configuration
    No operation can be performed on Wireless Network Connection 2 while it has its media disconnected.
    No operation can be performed on Bluetooth Network Connection while it has its media disconnected.
    No operation can be performed on Local Area Connection while it has its media disconnected.
    Wireless LAN adapter Wireless Network Connection 3:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Wireless LAN adapter Wireless Network Connection 2:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Ethernet adapter Bluetooth Network Connection:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Wireless LAN adapter Wireless Network Connection:
    Connection-specific DNS Suffix . :
    Link-local IPv6 Address . . . . . : fe80::4909:23d8:654d:fac8%13
    Default Gateway . . . . . . . . . :
    Ethernet adapter Local Area Connection:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . : home
    Tunnel adapter Local Area Connection* 11:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Tunnel adapter isatap.home:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Tunnel adapter isatap.{EE4C198B-A4C4-4CBF-B9AC-89F88F18467F}:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Tunnel adapter isatap.{A472C05C-4A54-4D4C-B1C3-C3ECF3B61BBD}:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Tunnel adapter isatap.{73904032-125D-47F0-9092-B2B6EA0C2C49}:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Tunnel adapter Reusable ISATAP Interface {260A4E07-825E-4A91-AB91-813F36DE6055}:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
    Connection-specific DNS Suffix . :
    IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:28dc:2821:b89b:41b
    Link-local IPv6 Address . . . . . : fe80::28dc:2821:b89b:41b%18
    Default Gateway . . . . . . . . . : ::
    C:\Users\Cuda\Desktop\cmd.bat deleted successfully.
    C:\Users\Cuda\Desktop\cmd.txt deleted successfully.
    < ipconfig /renew /c >
    Windows IP Configuration
    No operation can be performed on Wireless Network Connection 3 while it has its media disconnected.
    No operation can be performed on Wireless Network Connection 2 while it has its media disconnected.
    No operation can be performed on Bluetooth Network Connection while it has its media disconnected.
    No operation can be performed on Local Area Connection while it has its media disconnected.
    Wireless LAN adapter Wireless Network Connection 3:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Wireless LAN adapter Wireless Network Connection 2:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Ethernet adapter Bluetooth Network Connection:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Wireless LAN adapter Wireless Network Connection:
    Connection-specific DNS Suffix . : home
    Link-local IPv6 Address . . . . . : fe80::4909:23d8:654d:fac8%13
    IPv4 Address. . . . . . . . . . . : 192.168.1.2
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.1
    Ethernet adapter Local Area Connection:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . : home
    Tunnel adapter Local Area Connection* 11:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Tunnel adapter isatap.{EE4C198B-A4C4-4CBF-B9AC-89F88F18467F}:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Tunnel adapter isatap.{A472C05C-4A54-4D4C-B1C3-C3ECF3B61BBD}:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Tunnel adapter isatap.{73904032-125D-47F0-9092-B2B6EA0C2C49}:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Tunnel adapter Reusable ISATAP Interface {260A4E07-825E-4A91-AB91-813F36DE6055}:
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
    Connection-specific DNS Suffix . :
    IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:8eb:3c40:3f57:fefd
    Link-local IPv6 Address . . . . . : fe80::8eb:3c40:3f57:fefd%18
    Default Gateway . . . . . . . . . : ::
    C:\Users\Cuda\Desktop\cmd.bat deleted successfully.
    C:\Users\Cuda\Desktop\cmd.txt deleted successfully.
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Users\Cuda\Desktop\cmd.bat deleted successfully.
    C:\Users\Cuda\Desktop\cmd.txt deleted successfully.
    ========== COMMANDS ==========
    C:\Windows\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYTEMP]

    User: All Users

    User: Cuda
    ->Temp folder emptied: 5391503 bytes
    ->Temporary Internet Files folder emptied: 773980 bytes
    ->Java cache emptied: 22502239 bytes
    ->FireFox cache emptied: 186436079 bytes
    ->Google Chrome cache emptied: 6243486 bytes
    ->Flash cache emptied: 31077 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: UpdatusUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 608 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50199 bytes
    RecycleBin emptied: 16819138384 bytes

    Total Files Cleaned = 16,251.00 mb


    OTL by OldTimer - Version 3.2.31.0 log created on 11262011_234909

    Files\Folders moved on Reboot...
    C:\Users\Cuda\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

    Registry entries deleted on Reboot...
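
Reconciling the fix log in the post above, as an added example that is not part of the original thread or of OTL: the fix script lists most files twice (once as modified, once as created), so a "not found" line only matters when no "moved successfully" line exists for the same path, compared case-insensitively. The sample log is a constructed excerpt in the same layout, and `Example.job` is a made-up entry.

```python
import re

# Constructed sample: a shortened excerpt in the layout of the OTL fix log above.
# The Example.job line is made up to show a target that was never handled.
SAMPLE_LOG = r"""
========== OTL ==========
Prefs.js: "http://www.iknowsearch.net/" removed from browser.startup.homepage
C:\Windows\Tasks\At36.job moved successfully.
C:\Windows\Tasks\At2.job moved successfully.
C:\Windows\SysWOW64\g0Qol0.com.b moved successfully.
C:\Windows\SysWOW64\g0Qol0.com moved successfully.
File C:\Windows\SysWow64\g0Qol0.com not found.
File C:\Windows\SysWow64\g0Qol0.com.b not found.
File C:\Windows\tasks\At36.job not found.
File C:\Windows\tasks\At2.job not found.
File C:\Windows\tasks\Example.job not found.
ADS C:\ProgramData\Temp:DFC5A2B2 deleted successfully.
Unable to delete ADS C:\Windows: .
========== SERVICES/DRIVERS ==========
"""

# Line shapes as they appear in the log above, mapped to an outcome.
PATTERNS = [
    (re.compile(r"^(?P<path>[A-Za-z]:\\.+) moved successfully\.$"), "removed"),
    (re.compile(r"^ADS (?P<path>.+) deleted successfully\.$"), "removed"),
    (re.compile(r"^File (?P<path>.+) not found\.$"), "not_found"),
    (re.compile(r"^Unable to delete ADS (?P<path>.+?)\s*\.$"), "failed"),
]

# When a path has several outcomes, the highest rank is kept.
RANK = {"not_found": 0, "failed": 1, "removed": 2}


def parse_events(log_text):
    """Return (path, outcome) for every log line that reports on a target."""
    events = []
    for raw in log_text.splitlines():
        line = raw.strip()  # forum posts indent the log
        for pattern, outcome in PATTERNS:
            match = pattern.match(line)
            if match:
                events.append((match.group("path"), outcome))
                break
    return events


def reconcile(log_text):
    """Collapse duplicate entries into one final outcome per path.

    Windows paths are case-insensitive, so 'Tasks' and 'tasks' are one key.
    """
    final = {}
    for path, outcome in parse_events(log_text):
        key = path.lower()
        if key not in final or RANK[outcome] > RANK[final[key][1]]:
            final[key] = (path, outcome)
    return final


def needs_follow_up(log_text):
    """Targets that were never confirmed removed: failures and lone 'not found'."""
    return sorted((p, o) for p, o in reconcile(log_text).values() if o != "removed")


if __name__ == "__main__":
    for path, outcome in needs_follow_up(SAMPLE_LOG):
        print(f"{outcome:9}  {path}")
```

On the sample, only the failed ADS deletion on `C:\Windows:` and the constructed `Example.job` are reported; the other "not found" lines are explained by an earlier move of the same path.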

  4. #14
    Junior Member
    Join Date
    Nov 2011
    Posts
    14

    This log was far too long to post from combofix. I would have had to split it up into 10 different posts, so I decided to zip and attach it. Here it is.

  5. #15
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    That's fine,

    Rerun aswMBR just to scan, don't fix anything and post the new log.


    Download CKScanner by askey127 from Here & save it to your Desktop.
    • Double-click CKScanner.exe then click Search For Files
    • When the cursor hourglass disappears, click Save List To File
    • A message box will verify the file saved
    • Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply

  6. #16
    Junior Member
    Join Date
    Nov 2011
    Posts
    14

    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-11-26 14:28:36
    -----------------------------
    14:28:36.425 OS Version: Windows x64 6.1.7600
    14:28:36.440 Number of processors: 8 586 0x2A07
    14:28:36.440 ComputerName: CUDA-PC UserName: Cuda
    14:28:38.437 Initialize success
    14:28:43.523 AVAST engine defs: 11112601
    14:28:46.222 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    14:28:46.222 Disk 0 Vendor: TOSHIBA_ MC00 Size: 610480MB BusType: 3
    14:28:46.237 Disk 0 MBR read successfully
    14:28:46.237 Disk 0 MBR scan
    14:28:46.237 Disk 0 Windows VISTA default MBR code
    14:28:46.237 Service scanning
    14:28:48.889 Modules scanning
    14:28:48.889 Disk 0 trace - called modules:
    14:28:48.905 ntoskrnl.exe CLASSPNP.SYS disk.sys stdcfltn.sys ACPI.sys iaStor.sys hal.dll
    14:28:48.905 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006619060]
    14:28:48.905 3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> [0xfffffa8006482c80]
    14:28:48.905 5 stdcfltn.sys[fffff8800184bc52] -> nt!IofCallDriver -> [0xfffffa8005f52e40]
    14:28:48.920 7 ACPI.sys[fffff8800100b781] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8005f54050]
    14:28:50.496 AVAST engine scan C:\Windows
    14:28:55.394 AVAST engine scan C:\Windows\system32
    14:29:02.836 File: C:\Windows\system32\consrv.dll **INFECTED** Win32:Malware-gen
    14:30:25.018 AVAST engine scan C:\Windows\system32\drivers
    14:30:40.384 AVAST engine scan C:\Users\Cuda
    14:33:17.006 File: C:\Users\Cuda\AppData\Local\Temp\akslsunobi **INFECTED** Win32:FakeAlert-BLY [Trj]
    14:33:19.496 File: C:\Users\Cuda\AppData\Local\Temp\mgr.dll **INFECTED** Win32:FakeAlert-BLY [Trj]
    14:33:29.730 File: C:\Users\Cuda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\54a13990-49a30161 **INFECTED** Win32:FakeAlert-BLY [Trj]
    14:36:46.418 AVAST engine scan C:\ProgramData
    14:46:15.405 Scan finished successfully
    14:46:50.238 Disk 0 MBR has been saved successfully to "C:\Users\Cuda\Desktop\MBR.dat"
    14:46:50.244 The log file has been saved successfully to "C:\Users\Cuda\Desktop\aswMBR.txt"


    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-11-27 08:50:13
    -----------------------------
    08:50:13.109 OS Version: Windows x64 6.1.7600
    08:50:13.109 Number of processors: 8 586 0x2A07
    08:50:13.110 ComputerName: CUDA-PC UserName: Cuda
    08:50:14.638 Initialize success
    08:50:25.930 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    08:50:25.933 Disk 0 Vendor: TOSHIBA_ MC00 Size: 610480MB BusType: 3
    08:50:25.950 Disk 0 MBR read successfully
    08:50:25.953 Disk 0 MBR scan
    08:50:25.956 Disk 0 Windows VISTA default MBR code
    08:50:25.959 Service scanning
    08:50:27.377 Modules scanning
    08:50:27.386 Disk 0 trace - called modules:
    08:50:27.432 ntoskrnl.exe CLASSPNP.SYS disk.sys stdcfltn.sys ACPI.sys iaStor.sys hal.dll
    08:50:27.437 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007e9e060]
    08:50:27.442 3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> [0xfffffa8007d06cb0]
    08:50:27.446 5 stdcfltn.sys[fffff8800164bc52] -> nt!IofCallDriver -> [0xfffffa8005f5cd10]
    08:50:27.450 7 ACPI.sys[fffff88000f58781] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8005f60050]
    08:50:27.455 Scan finished successfully
    08:50:37.525 Disk 0 MBR has been saved successfully to "C:\Users\Cuda\Desktop\MBR.dat"
    08:50:37.541 The log file has been saved successfully to "C:\Users\Cuda\Desktop\aswMBR.txt"

  7. #17
    Junior Member
    Join Date
    Nov 2011
    Posts
    14

    CKScanner - Additional Security Risks - These are not necessarily bad
    scanner sequence 3.ZZ.11.KWAPAH
    ----- EOF -----

  8. #18
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Looks like the CKScanner log has been altered, can you explain?

  9. #19
    Junior Member
    Join Date
    Nov 2011
    Posts
    14

    Just ran it again and this is what I get...



    CKScanner - Additional Security Risks - These are not necessarily bad
    scanner sequence 3.RP.11.RKGLPN
    ----- EOF -----

  10. #20
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    How many times have you actually run CKScanner? The instructions state to run it just once unless asked to run it again.
