Solved

Posted on 2010-01-07
1,512 Views
I have a user who ended up with some malware after clicking on a Google logo that featured something about the Netherlands. Since that time, her Google home page redirects to Google.nl (Nederland). I have run MalwareBytes on her PC until it's clean (according to MWB, anyway). I have also just run a HJT log (attached). I see that there are several sites listed in this log file that seem suspicious. I don't want to delete anything in error, so could you please direct me in this?

Any assistance provided is much appreciated!
hijackthis.1.7.10.log
0
Question by:troypar90

LVL 11

Expert Comment

edit the file c:\windows\system32\drivers\etc\hosts with notepad... you need to remove all those google entries as well as others...

the file should look like this:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

0

LVL 1

Expert Comment

As the other provider stated check the host file
0

LVL 47

Expert Comment

Definitely fix all those 01 google entries... btw, I would fix all those 01 entries

After fixing those entries run ComboFix and attach the log so we can make sure it's clean.

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0

Author Comment

Thank you for your posts. I have run Combo Fix, rebooted and then ran Hijack this again. When Hijack This runs, it gives a warning that it cannot access the Hosts file - that it's Read Only. I have tried following the steps that HJT posts (opening the Hosts file, deleting the lines that HJT recommends and then saving it the way they instruct). The problem is that I save the file, reboot and the same hijacking of IE8 occurs. I am away from the user's computer, but will try to get the ComboFix log and post that later today, if possible. I can see the bad lines in the Hosts file, but am unsure how I can repair this. Any advice?
Thank you!
0

Author Comment

ComboFix log file attached (ran 1/11/10)
ComboFix.txt
0

LVL 47

Accepted Solution

Check the properties of these folders below if you don't recognized them we can delete them. You need to show hidden files and folders first.
c:\documents and settings\All Users\Application Data\WIZVGEJNPNAG
c:\documents and settings\All Users\Application Data\9a3bcaa

Extract the zip file to your desktop or a permanent folder on your hard drive.
Open the folder and double-click on HostsXpert.exe.
Make sure that the "Make Hosts Writable?" button in the upper right corner is enabled.
Click "Restore Microsofts Hosts File".
Click "OK" and exit the program.
0

Author Comment

I deleted the files you referenced:
c:\documents and settings\All Users\Application Data\WIZVGEJNPNAG
c:\documents and settings\All Users\Application Data\9a3bcaa

I then downloaded and ran HostsXpert, but got an error upon loading that the Hosts file could not be written to - it is read only. I tried to 'Make Hosts Writable", but that feature was locked. So, I researched a few other threads on EE and found someone with a similar problem. His suggestion was to delete the etc folder (since I cannot manipulate the Hosts file at all) and create a new one. So, I did that (moved the etc folder to the desktop and created a new one in C:\WINDOWS\System32\Drivers. Meanwhile, I downloaded and ran a SpyBot scan. Once I opened IE8, a new Hosts file was generated. I rebooted and upon reboot, I found that IE8 was no longer hijacked. I ran HJT and ComboFix and have attached the log files here.

What do you think? All clean?
hijackthis.1.13.10.log
ComboFix.txt
0

LVL 47

Expert Comment

Well done...you did a good job!
Glad to know the redirects has stopped.
Logs look clean.

Is the SweetIM toolbar uninstalled? If so also navigate to the program Files folder and delete the folder if still present.
If you didn't purposely installed Viewpoint toolbar I also suggest uninstalling it.

You can then fix these entries below:

R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll (file missing)O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)

If everything is fine now.. you can then uninstall ComboFix.
To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field:

ComboFix /Uninstall

0

Author Closing Comment

Many thanks for your time and effort!
0

## Featured Post

### Suggested Solutions

PREFACE The purpose of this guide is to provide information to successfully add specific IIS 7.0 role services for the Symantec Endpoint Protection Manager (SEPM) to function properly when installed on Windows 2008. AUDIENCE Information Technol…
The purpose of this Article is to provide information for a newly released variant of malware – with the assumption that many EE Members will have need of the information. According to “Computerworld”, well over one million web sites have been co…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…