mikeabc27

Google redirection in Hosts file - can someone help with HijackThis

hijackthis-blackpc.txt

We have a PC that has played up for some time. I installed Malwarebytes and this keeps finding trojans every day, so I ran HijackThis and found the following redirections in the Hosts file in the HJThis log:

O1 - Hosts: 87.229.126.50 www.google.com
O1 - Hosts: 87.229.126.51 www.bing.com

This is a hacked Hungarian IP and I wonder if someone could take a look at the attached log and advise me if there is anything else, and how to correct the problem. I presume if I simply correct the Hosts file it will keep returning?

Thanks in advance.
PaulNSW

Hello,

Yes, just remove them from your hosts file. You will need to run your text editor "as administrator" if you are using 7 or Vista.

Your hosts file should look something like this:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost

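As an added illustration (not part of PaulNSW's answer), the check described above in script form: it parses a hosts file, ignores comments, treats loopback/0.0.0.0 entries such as those in a blocking hosts file as harmless, and flags any watched domain that is redirected to a routable address. The watched-domain list and the sample hosts text are constructed for the example.

```python
"""Audit a Windows hosts file for hijacked mappings of well-known domains.

Constructed example: parses hosts-file text, ignores comments, and separates
legitimate block entries (loopback / 0.0.0.0, as in the MVPS hosts file) from
redirects that send a watched domain to some other address.
"""
import ipaddress
from typing import Dict, List, Tuple

# Domains a hosts file should never redirect to a routable address.
# Chosen for this example; extend with whatever your environment watches.
WATCHED_DOMAINS = {"www.google.com", "google.com", "www.bing.com", "bing.com"}

# Constructed sample mirroring the two O1 lines reported in the question.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.com          # MVPS-style block entry, not a hijack
87.229.126.50   www.google.com
87.229.126.51   www.bing.com
"""

def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_no) for every active mapping."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # strip inline comments
        parts = line.split()
        if len(parts) < 2:                            # blank, comment-only or malformed
            continue
        ip, *names = parts
        for name in names:                            # one IP may carry several names
            entries.append((ip, name.lower(), line_no))
    return entries

def classify(ip: str) -> str:
    """'block' for sinkhole addresses, 'redirect' for anything routable, 'invalid' otherwise."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    return "block" if addr.is_loopback or addr.is_unspecified else "redirect"

def find_hijacks(text: str) -> List[Dict[str, object]]:
    """Flag watched domains that are redirected rather than blocked or left alone."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name in WATCHED_DOMAINS and classify(ip) == "redirect":
            findings.append({"line": line_no, "host": name, "ip": ip})
    return findings

if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} is redirected to {f['ip']}")
```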

mikeabc27 (ASKER)

You don't think some malware will reset it back to the bogus IP?
Yes, by the looks of your log, you are still infected

C:\Documents and Settings\ros.WINDSORVOICE\jx0mj09vaz.exe

seems to be the main culprit, but it has also added entries to your startup sequence.

Try running a full scan with MalwareBytes anti-malware. It would be best to download this from another PC, then install/run/transfer from USB to the infected PC

You should also run a full scan for viruses using your AV software
Paul, I was going to remove the lines from the Hosts file first, then download Combofix and reboot in Safe Mode and run Combofix.

This is because I find Combofix more powerful than Mbam.

What do you think?
If you are doing this on the infected PC, I would recommend killing the process called
jx0mj09vaz.exe before changing the hosts file and downloading ComboFix.

Then download ComboFix and run it from Safe Mode. I would also run it again once you are back in normal mode, as there may be some remnants left in the infected user's profile.

I don't have any experience with Combofix, so cannot vouch for its power
Thanks, good point.
The Hosts file is greyed out and won't allow us to save any changes. Have added Everyone with All Rights in Security but still won't save.
Right click the hosts file, Properties, uncheck the box that says:

Read-only

Click OK.
Won't have access to PC until later but will check Read Only and Hidden are unchecked.
Good idea to just use ComboFix on it (not in safe mode); run it in normal mode unless the PC can only boot in safe mode.

ComboFix will catch the bad files/reg entries and will also restore the Hosts file to MS default, so no need to manually edit the Hosts file.

Any bad files that combofix will not delete we can delete using its script function so we also need to see the combofix log.
The end user tried downloading combofix but says he gets a regsvr.dll file missing when he tries to get on the Internet.

So I'll get him to download from bleepingcomputer.com on another PC and transfer on a stick.

I always thought it was better to run Combofix in Safe Mode.

Thanks,

Mike
Most antimalware apps are designed to do their best job in normal mode. Also, once this gets straightened out, you should install the hosts file from mvps.com.
Most tools we use these days are designed to be run in normal mode, especially tools like MalwareBytes and ComboFix; they work best in normal mode where malware/viruses are active.
Each user on XP and above has their own user profile folder and registry hive.

A lot of viruses infect a user's personal registry hive

If you run from Safe Mode, you are logging in to the Administrator account. You will have access to the files of all user accounts on the machine, but only the Administrator registry hive will be loaded.

To clean the infection you should perhaps run ComboFix from the infected user's profile, then again from an administrative profile.
Hi Mikeabc27,

Did you happen to ask the user if they saw an application popup that said something along the lines of "<fill-in> Fortress 2012"? You definitely have the signs of the new rootkit going around. Your best bet is to get information from the user at that station. If you can get more info from them, like the time it happened and especially if they noticed any weird/annoying applications that popup while surfing certain www areas.

Main cause is the user self infecting the system browsing casually.
Hi Russell,

No AV software pop-up for only $29,99, which I imagine is what Fortress 2012 is.

Simply getting Mbam finding lots of trojans and can't get onto the Internet.

Thanks,

Mike
ASKER CERTIFIED SOLUTION
Russell_Venable

In terms of the hosts file I forgot to post a link

http://www.mvps.org/winhelp2002/hosts.htm
Thanks, will go through all your comments now but uploading a very large combofix now for you to see.
submitted last post before file fully downloaded
ComboFix-black-pc.txt
I believe you are familiar with this object for extending VBScript's functionality to the registry, from the looks of the ComboFix log? A fellow developer. :)
c:\windows\system32\regobj.dll <-- Combofix removed this and some of your scripts or software may fail now.  These are side effects of using combofix.

If you need to replace this file it shouldn't be that hard.

Did not see these files in the original Hijackthis report.
c:\documents and settings\malcolm\OriadorRota.exe
c:\documents and settings\Administrator.STUDIO\Application Data\Buniu\udvo.tmp
c:\documents and settings\Administrator.STUDIO\Application Data\Buniu\udvo.ybg

This malware obviously uses file-parsing evasion vulnerabilities in Norton to slip past your antivirus. In other words, the PE file's bytes were changed in certain areas to change its signature, bypassing detection. Norton is the top AV target for this type of attack, certainly not the only one. It's just easier when your source code is stolen and sold on the black market.

It's also obvious that your installation of Norton is corrupt. Reinstalling after securely obliterating this threat is highly encouraged and will restore protection.

Are you still getting redirected? Any symptoms still showing?
mbam report attached
mbam.jpg
Combofix sorted the Hosts file - not hidden or read only. All good except being told the message from Regsvr32 "no dll name specified" is still coming up, especially when connecting to the internet / google. Would your suggestion to uninstall google toolbar sort this?
You have a banker malware. This specific type of trojan targets banking information.

What do you get when you run this command from the command prompt?

REG QUERY "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v load


If you're still getting that message, it's related to this:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\windows\system32\regsvr32.exe"


A few different variants actually disguise themselves as actual Microsoft tools and also remove services and take their place by registering as those products.
I've emailed the user to run the line at the DOS prompt.

What should we do about the entry in the registry?
reply at DOS prompt attached
ee.jpg
Does anyone have any ideas from the Combofix log on any action I need to take? Also I missed Paul's comment earlier about running Combofix as admin then as the user, is this advisable - I've not heard this before?

Once I have done any additional cleaning suggested I will reboot, run a full Malwarebytes scan, and if this shows as all clear, remove and reinstall Symantec Endpoint as Russell suggests.

Any thoughts?
I meant to add as Russell pointed out I need to reinstall a fresh regobj.dll.
Well, that is if you use it. If not, then don't worry about it. It's not a default installation file, so if you don't restore it then no foul will come of it.

As far as the registry entry, it needs to be removed along with the Google toolbar if not already accomplished. If the user is still getting that error message every time they open their browser, then it's connected with whatever is attached to the browser.

Take another run with ComboFix and post that log. If it's still spawning those files, we have not got rid of the startup method, and it should show what has not been done yet.
Thanks I was just sending the end user an update before I saw your post where I said.

"If you have an hour to spare later can you do the following:

1. I think you would have been logged on as Malcolm when you ran Combofix yesterday. If so, can you run it again logged on as Ros. It's said that to clean the pc properly it should be done from the infected user's profile. I can't vouch for this though, as I would have normally run it logged on as the main user, but I do tend to run Combofix twice. Please email me the log. Reboot.
2. If you are still getting the regsvr32 error we need to sort that as we need this tool to register the replacement for the infected DLL file that Combofix deleted. As this may involve editing the registry please ring me and I will do remotely. Once finished I'll reboot.
3. When we've done this, please run a full scan on Malwarebytes. This will produce a report. Please email this to me rather than a screenshot of the results page, as the report contains a lot more information. Reboot.
4. Please run HijackThis and email me the log.

That's it, if the Combofix, Malwarebytes and HijackThis logs are clean we can consider it done."

Russell, I'll remove the line you pinpointed when I'm in remotely. Will removing the Google toolbar sort the regsvr32 error?

I'll post all 3 logs once I have them - in around 6 hrs, 4.20pm here at the moment,

Thanks,

Mike
It should fix the error being reported. Will know more when the logs are received.
Google Toolbar now removed.

This PC is used mainly by A and B, and sometimes by C. The first Combofix ran logged on as A. Tried a second one logged on as B but couldn't load CF, so just started one logged on as C.

Should have results in around 2 hrs.

We'll only be able to get the combofix log done tonight.
I didn't get the results in until late. It was run using a login rarely used but the one they use as admin on this pc. Down from 985k to 14k.

Will run mbam now.
cf2-black-pc-malcolm.txt
Ok, just as suspected. Remove these 2 registry entries.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\windows\system32\regsvr32.exe" [2008-04-14 11776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"VF0560Inst"="c:\windows\system32\V0560Pin.dll" [2008-06-02 40960]

Just removing the first entry should remove the error.

Here are a few commands you can use to delete them manually. It looks like the infection is mostly wiped.
Reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v swg /f
Reg delete HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce /v VF0560Inst /f

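An added example, not from Russell's post, that automates the review above over a .reg export: it parses the Run/RunOnce keys, flags regsvr32.exe started with no DLL argument (the cause of a "No DLL name specified" pop-up) as well as DLLs or user-profile programs registered as autoruns, and returns the same "reg delete" form for removal. The .reg text and the heuristics are constructed for the example; ctfmon.exe is included as a normal XP autorun that should not be flagged.

```python
"""Triage Run/RunOnce values in a .reg export: flags regsvr32.exe started with
no DLL argument (the cause of a 'No DLL name specified' pop-up), DLLs listed
directly as autorun programs, and programs run from a user profile directory."""
import re
from typing import Dict, List

AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# Executable path (quoted or not) followed by its arguments, if any.
COMMAND = re.compile(r'^"?(.+?\.(?:exe|dll|bat|cmd|vbs|scr))"?\s*(.*)$', re.IGNORECASE)

# Constructed .reg export: the two entries named in the thread plus ctfmon.exe (a normal XP autorun).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\\windows\\system32\\regsvr32.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"VF0560Inst"="c:\\windows\\system32\\V0560Pin.dll"
"""

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] to its string values, undoing .reg backslash escaping."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := VALUE_LINE.match(line)):
            keys[current][m.group("name")] = re.sub(r'\\(["\\])', r"\1", m.group("data"))
    return keys

def removal_command(key: str, name: str) -> str:
    """Same form as the manual 'reg delete' commands suggested in the thread."""
    return f'reg delete "{key}" /v {name} /f'

def triage_autoruns(text: str) -> List[Dict[str, str]]:
    findings = []
    for key, values in parse_reg_export(text).items():
        if not AUTORUN_KEY.search(key):
            continue                                   # not a Run/RunOnce key
        for name, data in values.items():
            m = COMMAND.match(data.strip())
            exe, args = (m.group(1), m.group(2).strip()) if m else (data.strip(), "")
            base = exe.lower().rsplit("\\", 1)[-1]
            if base == "regsvr32.exe" and not args:
                reason = "regsvr32.exe with no DLL argument ('No DLL name specified')"
            elif base.endswith(".dll"):
                reason = "DLL listed directly as an autorun program"
            elif "\\documents and settings\\" in exe.lower():
                reason = "autorun launched from a user profile directory"
            else:
                continue
            findings.append({"key": key, "name": name, "command": data,
                             "reason": reason, "fix": removal_command(key, name)})
    return findings
```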

Thanks Russell, that's great.

I was going to delete the first line (as you suggested earlier) but will get the user to run the 2 lines from the command line logged in as admin or run as admin (can't remember if XP allows that).

Hopefully this should get rid of the "Regsvr32 no DLL name specified" error.

They are already using the pc so couldn't run mbam yest and won't be able to do this until later.

What about:

1. Delete the 2 reg entries from command line and reboot.
2. Run another combofix and reboot.
3. Run mbam full scan.
4. Post cf and mbam reports.

Thanks,

Mike
XP allows two conditions: "Runas", utilizing login as a user, and also the more generic logging in as the actual administrator account by user switching. You don't have to reboot for those 2 keys to take effect. Though, if you're trying to make sure it does not start up again and is not caused by something else, then a reboot is advised.

You have the right idea of doing another scan after the initial disinfection routines. Run (ComboFix, MBAM) as you asked about and post. Shouldn't have anything left on the next reports.
Sorry for delay - still waiting for the reports back. Hopefully will have some time today.

I'm sure they will be clean, mainly want to check they have removed the two entries in registry correctly.
Russell, lines run as well as mbam which reports clean - see attached.

They're still getting the regsvr32 error. I will have the combofix log late tonight and we will see if the 2 registry problems were removed properly.
mbam-log-2012-03-28--23-26-22-.txt
I'm bound to be asked. The PC is used for emails and some Internet, though mbam blocks any dodgy sites. Any sign of how the file came in? Can't see them being stupid enough to open any unknown attachments.
Just got the latest cf log in and the 2 offending registry entries are still there.

I will be logging in remotely tomorrow morning and will remove the entries manually.

Then will run combofix and post results,
blackpc-cf3.txt
I've been kind of busy lately. Just dropping by to tell you I will be checking on this a little later on today.
Do you have "RegCure.exe" normally installed on this computer? From the looks of it, it could have come from anywhere. It makes it easier if the malware is caught, copied, and analyzed.

Malware is getting so advanced these days not even the antivirus companies can completely follow. They do a really good job for what they're against, it just isn't enough to stop all of it. Too many new tricks that bypass antivirus scans. Mostly offset changes. Doesn't take much.

Are they experiencing anything anymore? If they're still getting the registry error, I would start looking at the registry cleaning programs. There have been a few around that are actually malicious and do this kind of exact behaviour. That is why I ask about "RegCure" and if it's legit from your point of view.
Thanks Russell, the 2 registry entries have been removed and after a reboot still getting regsvr32 error when they go on the Internet.

They say RegCure has been on for a few years and they definitely did NOT pay for it, but not sure how it's on there.

If it's malicious what's the best way to remove it?

I normally use CCleaner but doesn't appear to be on this PC.

Will run combofix when issues sorted
If it's been on there for years and there hasn't been an incident because of it, we will ignore this program for now. If you use CCleaner on that computer, don't use the "cleaner"; instead use "registry" and select the option "missing imported DLLs". If a Dynamic Link Library (DLL) is being referenced and there is no DLL to reference, you can get this error as well. This option helps clean those from the registry. If that doesn't clean it, something else is sending that message, particularly an executable file.
OK, I'll ask them to scan the registry for issues using CCleaner. Normally download from hippofile.

Hopefully will fix the regsvr32 issue.
CCleaner found 645 registry issues (many DLLs) on first run, 5 on second, 2 on third and 0 on fourth.

The regsvr32 error is still there, so I have asked them to remove RegCure in Add/Remove programs and if it's still there, I'll get them to run Combofix to check the reference to regsvr32 is gone from the registry.

On the up side, the PC is performing better than it has for a long time.
BTW, regsvr32 problem started after the second or third run of mbam.
Can you get a screenshot of the error message? I think it would be more informative if I actually saw what it was. It's also important to note that the error message, if it really is an error, should report an error number.

Example:
The module 'MyDll.dll' was loaded but the call to DllRegisterServer failed with error code 0x80004005.

This way I know what problem is really causing this and should be able to give a more specific approach.
see attached screenshot
regsvr32.jpg
Excellent! Now the other part. You can use "Regfind.exe" from the Win2000 Resource Kit and pipe all the entries for "regsvr32" into a text file and post it here.

The command used with regfind would be:
regfind -y "regsvr32" > registry.txt

Here is a link to the kit in separate pieces. Win2000 Resource Kit.

I will go through the list and spot exactly where it's coming from, or use Autoruns and save the information it collects and post it here.
Thanks will post the registry.txt file as soon as I receive it.
Ok, Any news today?
Sorry for delay, just sent a chasing email for the registry.txt file.
Russell, just received an email to say the user was having a problem with this and needed to speak to me.

He uses this PC in the evenings (he's out tonight), normally when I've finished. so most contact is by email.

Anyway, I checked regfind on one of my own xp PCs and emailed him full step by step instructions. I didn't find any problems, the only thing I can think of is that he is not changing from the default user directory at the DOS prompt.

Thanks,

Mike
It shouldn't matter what directory is used from the console. Its main goal is to search the structure of the registry and return and/or replace values therein. It sounds like part of the instructions given had "cd <some Dir>" included? Since regfind is a part of the resource kit and a console utility, place it in the system32 directory by a simple drag and drop, then attempt to run the command with regfind. The other option is to have it already scripted out so the user only has to run one script, to help automate and exclude user error.

Of course this must be from a privileged account to move/drop that file into the system32 folder and read HKEY_LOCAL_MACHINE.

A batch file example:

@echo off
Rem Just using the desktop as an example, after the file is unzipped to a directory on the desktop.
Rem Another way, if "unzip.exe" is already there: unzip regfind.zip %windir%\system32
Move %userprofile%\desktop\regfind.exe %windir%\system32
Rem Search the whole registry for "regsvr32" and write every match to results.txt
Regfind -y "regsvr32" > results.txt

That should be a simple enough example. There are lots of good ways to write this.
Thanks, I'll do it remotely if he has any problems but not sure if the end user will contact me before the Easter holidays end, i.e. Tuesday.
Not a rush on my end. Do as you can :)
Thanks Russell have a good weekend
Sorry, still chasing and still getting excuses.
Gotcha. I'll be ready when it comes.
You can also cut down on the scan time by using this VBScript to scan the specific area; it will list all occurrences of regsvr32 in the file association commands.
getregsrv32.vbs
Russell, the real problem was sorted long ago so I'm closing this for now and will open new thread when the end user gets back to me.