
Malware messing with my browsin'!

Stranger Danger Registered User regular
edited May 2011 in Help / Advice Forum
After a visit to mobafire gave me a goose-ton of malware and spyware, I ran a deep cleaning with my limited knowledge of computers. I managed to get rid of everything but a browser redirector. It keeps changing my google searches and opening new tabs to random sites like stopzilla and b00kmarks. Try as I might, I can't seem to chase this bastard down.

I have run scans with Spybot, Ad-aware, and Malwarebytes but have come up clean. I have also cleaned my registry with ccleaner and re-installed firefox.
Here is the Hijack This log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:51:53 PM, on 22/05/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16700)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Users\Matt\Local Settings\Apps\F.lux\flux.exe
C:\Program Files\NETGEAR\WNA1100\WNA1100.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [StartCCC] "c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [F.lux] "C:\Users\Matt\Local Settings\Apps\F.lux\flux.exe" /noshow
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: NETGEAR WNA1100 Smart Wizard.lnk = ?
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: JumpStart Wi-Fi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\NETGEAR\WNA1100\jswpsapi.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 4617 bytes


Please help?

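The HijackThis log above is the kind of thing the repliers triage by hand: the R0/R1 lines (IE start and search pages), an O2 BHO marked "(file missing)", and O4 autoruns launched from inside a user profile (the flux.exe question raised later in the thread). The script below is an added example, not part of the thread and not a HijackThis feature, that applies those three checks to a constructed log in the same line format; the redirector URL and the Temp-folder autorun in the sample are invented placeholders. A hit is a prompt to verify, not a verdict: F.lux was flagged for the same reason and turned out to be the poster's own program.

```python
import re
import sys

# Constructed sample in HijackThis 2.x line format (not the thread's log). The
# ".invalid" URL and the Temp-folder "updater" autorun are invented placeholders.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://example-redirector.invalid/start
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (file missing)
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [F.lux] "C:\Users\Matt\Local Settings\Apps\F.lux\flux.exe" /noshow
O4 - HKCU\..\Run: [updater] "C:\Users\Matt\AppData\Local\Temp\updater.exe"
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"=\s*(?P<url>\S+)\s*$")
# First drive-letter path ending in .exe/.dll, quoted or not, spaces allowed.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]+?\.(?:exe|dll))"?', re.IGNORECASE)

# Hosts the stock IE R0/R1 entries point at; anything else gets reported.
DEFAULT_IE_HOSTS = ("go.microsoft.com", "www.microsoft.com")
# Path fragments that mean "runs from a user profile or temp folder".
USER_PROFILE_MARKERS = ("\\users\\", "\\documents and settings\\", "\\appdata\\", "\\temp\\")


def parse_entries(log_text):
    """Return (section code, body) for every 'Rn - ...' / 'On - ...' line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def _url_host(url):
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1).lower() if m else None


def triage(log_text):
    """Apply the three hand checks from the thread and return human-readable findings."""
    findings = []
    for code, body in parse_entries(log_text):
        if code in ("R0", "R1"):
            m = URL_RE.search(body)
            if m:
                host = _url_host(m.group("url"))
                if host and not host.endswith(DEFAULT_IE_HOSTS):
                    findings.append(f"{code}: IE page setting points at non-default host {host}")
        elif code == "O2" and "(file missing)" in body:
            findings.append(f"O2: BHO registered but file missing: {body.split(' - ')[0]}")
        elif code == "O4":
            m = PATH_RE.search(body)
            if m and any(marker in m.group("path").lower() for marker in USER_PROFILE_MARKERS):
                findings.append(f"O4: autorun from user-profile path: {m.group('path')}")
    return findings


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for finding in triage(text):
        print(finding)


if __name__ == "__main__":
    main(sys.argv)
```

Run it with a saved HijackThis log as the only argument, or with no argument to see the four findings from the constructed sample (one redirected start page, one orphaned BHO, two user-profile autoruns).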

Posts

  • Thanatos Registered User regular
    edited May 2011
    It's probably from a proxy server.

    Open up IE, go into the connection settings, and turn off your proxy server.

    Note: I didn't actually look at your log. Also, I'd tell you exactly how to do it, but my home computer runs XP; sorry.

  • Great Scott (King of Wishful Thinking, Paragon City, RI) Registered User regular
    edited May 2011
    Stranger Danger, try checking your Hosts file - it's possible that there isn't any malware installed (any more), but the text file has aliases for common websites redirecting your machine, causing it to ignore DNS.

    Check the contents of the (plain text) Hosts file located in C:\Windows\System32\Drivers\Etc

    If there are any strange entries you can remove them. Also, the file isn't needed for Windows to function - you could simply delete it. Note that this is a system protected file, so you might need to be in administrative mode to change it. It might be simpler to rename the file to HOSTS.OLD so it won't be read.

    I'm unique. Just like everyone else.
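A small checker for the hosts-file redirect Great Scott describes, added here as an example (it is not code from the thread). It parses hosts-file syntax, ignores the localhost lines, and sorts the rest into "redirect" entries (a real address substituted for a site name, the pattern that sends browsers elsewhere without touching DNS) and "block" entries (a name sunk to loopback or 0.0.0.0, which ad-blocking hosts lists do on purpose). The sample content is constructed and uses the 203.0.113.0/24 documentation range, so no real server is named; pass the path to C:\Windows\System32\Drivers\Etc\hosts as the argument to check a real file.

```python
import ipaddress
import sys

# Constructed sample (not the poster's file). The first lines mirror the stock
# Windows hosts file; everything after the marker comment is invented.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# --- constructed entries below ---
203.0.113.5     www.google.com
203.0.113.5     google.com search.yahoo.com
0.0.0.0         ads.example
"""

LOCAL_NAMES = ("localhost", "localhost.localdomain")


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) for every mapping in the file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # not "<address> <name...>": skip it
        for name in fields[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def suspicious_entries(text):
    """Classify every mapping that is not a plain localhost entry.

    'redirect': a routable address stands in for the name, so the browser goes
                to that address instead of asking DNS (the symptom in the thread).
    'block'   : the name is sunk to loopback or 0.0.0.0; deliberate in ad-block
                lists, but also a way to cut a machine off from update sites.
    """
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        kind = "block" if (addr.is_loopback or addr.is_unspecified) else "redirect"
        findings.append((lineno, kind, str(addr), name))
    return findings


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for lineno, kind, addr, name in suspicious_entries(text):
        print(f"line {lineno}: {kind:8} {name} -> {addr}")


if __name__ == "__main__":
    main(sys.argv)
```

On the constructed sample this reports three redirects (two site names on one line count separately) and one block entry. A redirect of a search engine or a security vendor's site is the entry to remove; renaming the whole file, as suggested above, has the same effect on every entry at once.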
  • deadonthestreet Registered User regular
    edited May 2011
    Network and Sharing Center->Internet Options->Advanced->Restore Advanced Settings and Reset.

    This will basically reset every internet setting that isn't tied to Firefox back to Windows default and solves a ton of issues.

  • Stranger Danger Registered User regular
    edited May 2011
    I should mention that I always use Firefox and never IE.
    It's probably from a proxy server.

    Open up IE, go into the connection settings, and turn off your proxy server.

    Note: I didn't actually look at your log. Also, I'd tell you exactly how to do it, but my home computer runs XP; sorry.

    I don't think I have a proxy server. I tried going into IE but didn't see an option for that in the connection settings.
    Stranger Danger, try checking your Hosts file - it's possible that there isn't any malware installed (any more), but the text file has aliases for common websites redirecting your machine, causing it to ignore DNS.

    Check the contents of the (plain text) Hosts file located in C:\Windows\System32\Drivers\Etc

    If there are any strange entries you can remove them. Also, the file isn't needed for Windows to function - you could simply delete it. Note that this is a system protected file, so you might need to be in administrative mode to change it. It might be simpler to rename the file to HOSTS.OLD so it won't be read.

    I changed the file name but it did not fix it.
    Network and Sharing Center->Internet Options->Advanced->Restore Advanced Settings and Reset.

    This will basically reset every internet setting that isn't tied to Firefox back to Windows default and solves a ton of issues.

    I tried this but it did not fix the problem, sadly.

  • Great Scott (King of Wishful Thinking, Paragon City, RI) Registered User regular
    edited May 2011
    By process of elimination, this seems to be some sort of issue with Firefox itself.

    I would first double-check to make sure that other browsers aren't affected. Once you're sure the problem is Firefox-specific, save all your bookmarks and other Firefox settings.

    After that, uninstall Firefox and then remove any remaining folders (both in Program Files/Program Files (x86) and C:\Users\<username>\AppData\Roaming).

    Reinstall Firefox and restore your bookmarks.

    I say this because something similar infected my Opera browser and the only solution was a complete re-install.

    I'm unique. Just like everyone else.
  • Stranger Danger Registered User regular
    edited May 2011
    After some experimentation, it appears to be affecting IE as well as Firefox.

    I ran Trend's Rootkit Buster. Here are the logs:
    +
    | Trend Micro RootkitBuster
    | Module version: 3.60.0.1016
    | Computer Name: THEBEAST
    | User Name: Matt
    +


    --== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--
    No hidden files found.

    --== Dump Hidden Registry Value on HKLM ==--
    [HIDDEN_REGISTRY][Hidden Reg Value]:
    KeyPath : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Recording\Restricted
    Root : 0
    SubKey : Restricted
    ValueName : ccc
    Data : 48 E7 E 92 58 B3 13 E6 ...
    ValueType : 3
    AccessType: 0
    FullLength: 0x66
    DataSize : 0xc8
    [HIDDEN_REGISTRY][Hidden Reg Value]:
    KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP
    Root : 0
    SubKey : DHCP
    ValueName : Collection
    Data : 44 0 1 0
    ValueType : 3
    AccessType: 0
    FullLength: 0x58
    DataSize : 0x4
    [HIDDEN_REGISTRY][Hidden Reg Value]:
    KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap
    Root : 0
    SubKey : RPC-EPMap
    ValueName : Collection
    Data : 87 0 1 0
    ValueType : 3
    AccessType: 0
    FullLength: 0x5d
    DataSize : 0x4
    [HIDDEN_REGISTRY][Hidden Reg Value]:
    KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo
    Root : 0
    SubKey : Teredo
    ValueName : Collection
    Data : B4 D9 1 0 D8 D 1 0
    ValueType : 3
    AccessType: 0
    FullLength: 0x5a
    DataSize : 0x8
    [HIDDEN_REGISTRY][Hidden Reg Value]:
    KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg
    Root : 0
    SubKey : Cfg
    ValueName : s1
    Data : 771343423
    ValueType : 4
    AccessType: 0
    FullLength: 0x3d
    DataSize : 0x4
    [HIDDEN_REGISTRY][Hidden Reg Value]:
    KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg
    Root : 0
    SubKey : Cfg
    ValueName : s2
    Data : 285507792
    ValueType : 4
    AccessType: 0
    FullLength: 0x3d
    DataSize : 0x4
    [HIDDEN_REGISTRY][Hidden Reg Value]:
    KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg
    Root : 0
    SubKey : Cfg
    ValueName : g0
    Data : 38 23 E8 D0 BF F2 2D 6F ...
    ValueType : 3
    AccessType: 0
    FullLength: 0x3d
    DataSize : 0x20
    [HIDDEN_REGISTRY][Hidden Reg Value]:
    KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg
    Root : 0
    SubKey : Cfg
    ValueName : h0
    Data : 1
    ValueType : 4
    AccessType: 0
    FullLength: 0x3d
    DataSize : 0x4
    [HIDDEN_REGISTRY][Hidden Reg Key]:
    KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    SubKey : 14919EA49A8F3B4AA3CF1058D9A64CEC
    FullLength: 0x5e
    9 hidden registry entries found.


    --== Dump Hidden Process ==--
    No hidden processes found.

    --== Dump Hidden Driver ==--
    No hidden drivers found.

    --== Service Win32 API Hook List ==--
    No hidden operating system service hooks found.

    --== Dump Hidden Port ==--
    No hidden ports found.

    --== Dump Kernel Code Patching ==--
    [KERNEL_CODE][DRIVER_OBJECT]:
    Driver Name : a3qr2fhj
    DRiverObject at : 861ADF38
    1 Kernel code patching found.

    --== Dump Hidden Services ==--
    No hidden services found.

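The RootkitBuster output above mixes two very different things: hidden registry values under Services\sptd\Cfg, which belong to the SPTD disc-emulation driver and are a well-known scanner false positive, and a kernel code patch owned by a driver object with a random-looking name (a3qr2fhj), which in a browser-redirect case is the entry worth chasing. The parser below is an added example, not part of the thread and not a Trend Micro tool: it reads the report format into records, labels hidden keys whose paths belong to known owners, and flags driver names that look machine-generated. The sample is a trimmed copy of the report quoted above plus one constructed entry (the k7wq2pzd key) so the "unrecognised" branch is exercised.

```python
import re
import sys

# Trimmed copy of the RootkitBuster report quoted in the thread, with one
# constructed hidden key (k7wq2pzd) added to exercise the unrecognised branch.
SAMPLE_LOG = r"""
--== Dump Hidden Registry Value on HKLM ==--
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP
Root : 0
SubKey : DHCP
ValueName : Collection
Data : 44 0 1 0
ValueType : 3
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg
Root : 0
SubKey : Cfg
ValueName : s1
Data : 771343423
ValueType : 4
[HIDDEN_REGISTRY][Hidden Reg Key]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
SubKey : 14919EA49A8F3B4AA3CF1058D9A64CEC
[HIDDEN_REGISTRY][Hidden Reg Key]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\k7wq2pzd
SubKey : k7wq2pzd
4 hidden registry entries found.

--== Dump Kernel Code Patching ==--
[KERNEL_CODE][DRIVER_OBJECT]:
Driver Name : a3qr2fhj
DRiverObject at : 861ADF38
1 Kernel code patching found.
"""

HEADER_RE = re.compile(r"^\[[A-Z_]+\]\[[^\]]+\]:$")          # "[HIDDEN_REGISTRY][Hidden Reg Key]:"
FIELD_RE = re.compile(r"^(?P<key>\w[\w ]*?)\s*:\s*(?P<value>.*)$")  # "KeyPath : HKEY_..."

# Lower-cased path fragments whose hidden keys have a known, documented owner.
KNOWN_HIDDEN_KEY_OWNERS = {
    r"\services\sptd\cfg": "SPTD disc-emulation driver (hides its own config; common false positive)",
    r"\services\mpssvc\parameters\portkeywords": "Windows Firewall service (MpsSvc) port keyword store",
    r"\media center\service\recording": "Windows Media Center recording settings",
}


def parse_rootkitbuster(text):
    """Group the report's 'Key : Value' lines under their [SECTION][TYPE]: headers."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if HEADER_RE.match(line):
            current = {"kind": line.rstrip(":")}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is not None and m:
            current[m.group("key")] = m.group("value")
    return records


def looks_random(name):
    """Heuristic: 6-12 lowercase alphanumerics mixing digits and letters with few vowels."""
    if not re.fullmatch(r"[a-z0-9]{6,12}", name):
        return False
    has_digit = any(c.isdigit() for c in name)
    vowels = sum(c in "aeiou" for c in name)
    return has_digit and vowels <= len(name) // 3


def assess(records):
    """Return (category, subject, verdict) for each hidden-registry or kernel-patch record."""
    notes = []
    for rec in records:
        if rec["kind"].startswith("[HIDDEN_REGISTRY]"):
            path = rec.get("KeyPath", "")
            owner = next((o for frag, o in KNOWN_HIDDEN_KEY_OWNERS.items() if frag in path.lower()), None)
            notes.append(("registry", path, owner or "unrecognised hidden key: investigate"))
        elif rec["kind"].startswith("[KERNEL_CODE]"):
            name = rec.get("Driver Name", "")
            verdict = "random-looking driver name patching the kernel" if looks_random(name) else "review driver"
            notes.append(("kernel_patch", name, verdict))
    return notes


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for category, subject, verdict in assess(parse_rootkitbuster(text)):
        print(f"{category:13} {subject}\n              -> {verdict}")


if __name__ == "__main__":
    main(sys.argv)
```

The name heuristic is deliberately crude; its job is only to pull a single entry out of a page of benign SPTD noise so a person looks at it first. Vendor-signed drivers with ordinary names still need review when they appear under kernel code patching.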
  • Great Scott (King of Wishful Thinking, Paragon City, RI) Registered User regular
    edited May 2011
    This is a long shot here but you're getting redirected and it's not a system problem (as far as we can tell).

    Maybe try checking and/or changing your DNS servers? Go to Network and Sharing Center, Change Adapter Settings (from the left bar), right-click Local Area Connection, choose Properties. Select "Internet Protocol Version 4" and click the Properties button.

    Check that your DNS servers listed make sense (they possibly shouldn't be set at all, depending on your DHCP settings).

    If you aren't sure, try selecting the radio button "Use the following DNS server addresses" and putting in Google's servers (which are 8.8.4.4 and 8.8.8.8).

    Note: this will mean that Google knows all the site lookups your PC is doing. Of course, this is probably preferable to your ISP knowing where you are going...

    I'm unique. Just like everyone else.
  • Hahnsoo1 (Make Ready. We Hunt.) Registered User, Moderator, Administrator admin
    edited May 2011
    What is this file in your Hijack This log? Do you recognize it?:

    C:\Users\Matt\Local Settings\Apps\F.lux\flux.exe

    EDIT: The reason it looks suspicious to me is because it's running out of your Local Settings\Apps\ directory.

  • Stranger Danger Registered User regular
    edited May 2011
    This is a long shot here but you're getting redirected and it's not a system problem (as far as we can tell).

    Maybe try checking and/or changing your DNS servers? Go to Network and Sharing Center, Change Adapter Settings (from the left bar), right-click Local Area Connection, choose Properties. Select "Internet Protocol Version 4" and click the Properties button.

    Check that your DNS servers listed make sense (they possibly shouldn't be set at all, depending on your DHCP settings).

    If you aren't sure, try selecting the radio button "Use the following DNS server addresses" and putting in Google's servers (which are 8.8.4.4 and 8.8.8.8).

    Tried out your advice, but I'm still getting redirected.
    What is this file in your Hijack This log? Do you recognize it?:

    C:\Users\Matt\Local Settings\Apps\F.lux\flux.exe

    EDIT: The reason it looks suspicious to me is because it's running out of your Local Settings\Apps\ directory.

    It's a familiar program, one that's been on my machine for years and caused no problems.

  • Stranger Danger Registered User regular
    edited May 2011
    Problem solved! It was a nasty rootkit called TDL4 or ambrosia or something like that. After going through a dozen different programs I finally managed to remove it.

    I'd like to thank everyone who contributed to this thread.

    Feel free to lock this one mods!
