Solved

Google redirection in Hosts file - can someone help with HijackThis

Posted on 2012-03-25
64
1,012 Views
Last Modified: 2013-12-09
hijackthis-blackpc.txt
We have a PC that has played up for some time. I installed Malwarebytes and this keeps finding trojans every day, so I ran HijackThis and found the following redirections in the Hosts file in the HJThis log:

O1 - Hosts: 87.229.126.50 www.google.com
O1 - Hosts: 87.229.126.51 www.bing.com

This is a hacked Hungarian IP and wonder if someone could take a look at the attached log and advise me on if there is anything else, and how to correct the problem. I presume if I simply correct the Hosts file it will keep returning?

Thanks in advance.
Question by:mikeabc27
64 Comments
 
LVL 7

Expert Comment

by:PaulNSW
Hello,

Yes, just remove them from your hosts file. You will need to run your text editor "as administrator" if you are using 7 or Vista.

Your hosts file should look something like this:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost


0
 

Author Comment

by:mikeabc27
You don't think some malware will reset it back to the bogus IP?
0
 
LVL 7

Expert Comment

by:PaulNSW
Yes, by the looks of your log, you are still infected.

C:\Documents and Settings\ros.WINDSORVOICE\jx0mj09vaz.exe

seems to be the main culprit, but it has also added entries to your start up sequence.

Try running a full scan with MalwareBytes anti-malware. It would be best to download this from another PC, then install/run/transfer from USB to the infected PC

You should also run a full scan for viruses using your AV software
0
 

Author Comment

by:mikeabc27
Paul, I was going to remove the lines from the Hosts file first, then download Combofix and reboot in Safe Mode and run Combofix.

This is because I find Combofix more powerful than Mbam.

What do you think?
0
 
LVL 7

Expert Comment

by:PaulNSW
If you are doing this on the infected PC, I would recommend killing the process called jx0mj09vaz.exe before changing the hosts file and downloading Combofix.

Then download Combofix and run it from Safe Mode. I would also run it again once you are back in normal mode, as there may be some remnants left in the infected user's profile.

I don't have any experience with Combofix, so cannot vouch for its power
0
 

Author Comment

by:mikeabc27
Thanks, good point.
0
 

Author Comment

by:mikeabc27
The Hosts file is greyed out and won't allow us to save any changes. Have added Everyone with All Rights in Security but still won't save.
0
 
LVL 7

Expert Comment

by:PaulNSW
Right click the hosts file, Properties, uncheck the box that says:

Read-only

Click OK.
0
 

Author Comment

by:mikeabc27
Won't have access to PC until later but will check Read Only and Hidden are unchecked.
0
 
LVL 47

Expert Comment

by:rpggamergirl
Good idea to just use ComboFix on it (not in safe mode); run it in normal mode unless the PC can only boot in safe mode.

ComboFix will catch the bad files/reg entries and will also restore the Hosts file to the MS default, so no need to manually edit the Hosts file.

Any bad files that ComboFix will not delete we can delete using its script function, so we also need to see the ComboFix log.
0
 

Author Comment

by:mikeabc27
The end user tried downloading combofix but says he gets a regsvr.dll file missing when he tries to get on the Internet.

So I'll get him to download from bleepingcomputer.com on another PC and transfer on a stick.

I always thought it was better to run Combofix in Safe Mode.

Thanks,

Mike
0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
Most antimalware apps are designed to do their best job in normal mode. Also, once this gets straightened out, you should install the hosts file from mvps.com.
0
 
LVL 47

Expert Comment

by:rpggamergirl
Most tools we use these days are designed to be run in normal mode, especially tools like MalwareBytes and ComboFix; they work best in normal mode where malware/viruses are active.
0
 
LVL 7

Expert Comment

by:PaulNSW
Each user on XP and above has their own user profile folder and registry hive.

A lot of viruses infect a user's personal registry hive.

If you run from Safe Mode, you are logging in to the Administrator account. You will have access to the files of all user accounts on the machine, but only the Administrator registry hive will be loaded.

To clean the infection you maybe should run ComboFix from the infected user's profile, then again from an administrative profile.
0
 
LVL 15

Expert Comment

by:Russell_Venable
Hi Mikeabc27,

Did you happen to ask the user if they saw an application popup that said something along the lines of "<fill-in> Fortress 2012"? You definitely have the signs of the new rootkit going around. Your best bet is to get information from the user at that station. If you can get more info from them, like the time it happened and especially if they noticed any weird/annoying applications that popup while surfing certain www areas.

Main cause is the user self infecting the system browsing casually.
0
 

Author Comment

by:mikeabc27
Hi Russell,

No AV software popup for only $29.99, which I imagine is what Fortress 2012 is.

Simply getting Mbam finding lots of trojans and can't get onto the Internet.

Thanks,

Mike
0
 
LVL 15

Accepted Solution

by:
Russell_Venable earned 500 total points
Well, can you post the mbam log and the combofix log after you have accomplished that? Combofix will take care of the host file as part of its sweep. The other files listed should be taken care of as well, as they're not in the usual places.

O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe <-- that is not normal at all.
O4 - HKCU\..\Run: [swg] "C:\WINDOWS\system32\regsvr32.exe" <-- neither is this. Try uninstalling the Google toolbar and see if this entry goes away.
O4 - HKCU\..\Run: [jx0mj09vaz] C:\Documents and Settings\ros.WINDSORVOICE\jx0mj09vaz.exe  <-- without a doubt is the location and the startup point for this malware.

I take it that malcolms1.plus.com is from some kind of media manager?
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://81.174.154.113/ssi.cgi/cab/OCXChecker_8300.cab

Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" <--  Version 9.0 is Vulnerable to remote exploitation

Current Java is Version 6 Update 31. You're good to go there.

This infection appears to be a media download or drive-by attack from the looks of what you have given so far. It's too early to tell so far. You definitely have vulnerabilities open as pointed out.

Can't get on the internet, or just cannot browse using the browser? Try opening up a command prompt and issuing the command "ping -a www.msn.com" and see if you get a response like:

Pinging www.msn.com [0.0.0.0] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

or a successful ping:

Pinging us.co1.cb3.glbdns.microsoft.com [65.55.84.56] with 32 bytes of data:
Reply from 65.55.84.56: bytes=32 time=66ms TTL=55
Reply from 65.55.84.56: bytes=32 time=65ms TTL=55
Reply from 65.55.84.56: bytes=32 time=67ms TTL=55
Reply from 65.55.84.56: bytes=32 time=68ms TTL=55

Ping statistics for 65.55.84.56:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 65ms, Maximum = 68ms, Average = 66ms


0
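A triage script for the O1 and O4 log lines discussed in the hosts-file answer above and in this comment, added here as an example rather than code from this thread or from HijackThis. The sample log is constructed from the entries quoted above; the suspicious-pattern rules (a hosts entry pointing a site at a non-loopback address, an autorun starting from a profile directory, a system tool launched with no arguments) are my own assumptions.

```python
"""Triage the O1 (hosts) and O4 (autorun) lines of a HijackThis log.

Flags hosts entries that pin a site to a non-loopback address (a redirection,
unlike the 127.0.0.1 / 0.0.0.0 entries of an MVPS-style blocking hosts file) and
Run entries that start from a user profile or launch a system tool bare.
"""
import re
from ipaddress import ip_address

# Constructed sample, modelled on the log lines quoted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 87.229.126.50 www.google.com
O1 - Hosts: 87.229.126.51 www.bing.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [swg] "C:\WINDOWS\system32\regsvr32.exe"
O4 - HKCU\..\Run: [jx0mj09vaz] C:\Documents and Settings\ros.WINDSORVOICE\jx0mj09vaz.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*):\s*\[([^\]]*)\]\s*(.*)$")

# Tools that do nothing useful from a Run key without arguments; a bare
# regsvr32.exe is what produces the "no DLL name specified" dialog above.
ARGLESS_TOOLS = {"regsvr32.exe", "rundll32.exe", "regedit.exe"}
# Per-user, user-writable locations that legitimate autoruns rarely use (assumption).
PROFILE_DIRS = ("\\documents and settings\\", "\\users\\")


def split_target(target):
    """Split a Run value into (executable path, arguments)."""
    target = target.strip()
    if target.startswith('"'):
        end = target.find('"', 1)
        return target[1:end], target[end + 1:].strip()
    m = re.match(r"(.*?\.exe)\b(.*)$", target, re.IGNORECASE)
    return (m.group(1), m.group(2).strip()) if m else (target, "")


def check_hosts(ip, host):
    """Reason string if the hosts entry redirects rather than blocks, else None."""
    addr = ip_address(ip)
    if addr.is_loopback or addr.is_unspecified:
        return None  # 127.0.0.1 / 0.0.0.0 / ::1 only sinkhole the name
    return f"{host} is redirected to {ip}"


def check_run(hive, key, name, target):
    """Reason string if the autorun entry matches a suspicious pattern, else None."""
    path, args = split_target(target)
    exe = path.rsplit("\\", 1)[-1].lower()
    where = f"{hive}\\..\\{key} [{name}]"
    if any(d in path.lower() for d in PROFILE_DIRS):
        return f"{where} starts {path} from a user-writable profile directory"
    if exe in ARGLESS_TOOLS and not args:
        return f"{where} launches {exe} with no arguments"
    return None


def triage(log_text):
    """Return [(line, reason)] for every suspicious O1/O4 line in the log."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = O1_RE.match(line)
        if m:
            reason = check_hosts(*m.groups())
        else:
            m = O4_RE.match(line)
            reason = check_run(*m.groups()) if m else None
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run against a real log, the Adobe Reader entry passes while the two hosts redirections and the three Run entries Russell singled out are reported.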
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
In terms of the hosts file, I forgot to post a link:

http://www.mvps.org/winhelp2002/hosts.htm
0
 

Author Comment

by:mikeabc27
Thanks, will go through all your comments now but uploading a very large combofix now for you to see.
0
 

Author Comment

by:mikeabc27
submitted last post before file fully downloaded
ComboFix-black-pc.txt
0
 
LVL 15

Expert Comment

by:Russell_Venable
I believe you are familiar with this object for extending VBScript's functionality to the registry, from the looks of the combofix log? A fellow developer. :)
c:\windows\system32\regobj.dll <-- Combofix removed this and some of your scripts or software may fail now.  These are side effects of using combofix.

If you need to replace this file it shouldn't be that hard.

Did not see these files in the original Hijackthis report.
c:\documents and settings\malcolm\OriadorRota.exe
c:\documents and settings\Administrator.STUDIO\Application Data\Buniu\udvo.tmp
c:\documents and settings\Administrator.STUDIO\Application Data\Buniu\udvo.ybg

This malware obviously uses file-parsing evasion vulnerabilities in Norton to slip past your antivirus. In other words, the PE file's bytes were changed in certain areas to change its signature, bypassing detection. Norton is the top AV target for this type of attack. Certainly not the only one. It's just easier when your source code is stolen and sold on the black market.

It's also obvious that your installation of Norton is corrupt. Reinstalling after securely obliterating this threat is highly encouraged and will restore protection.

Are you still getting redirected? Any symptoms still showing?
0
 

Author Comment

by:mikeabc27
mbam report attached
mbam.jpg
0
 

Author Comment

by:mikeabc27
Combofix sorted the Hosts file - not hidden or read only. All good except being told the message from Regsvr32 "no dll name specified" is still coming up, especially when connecting to the internet/google. Would your suggestion to uninstall the Google toolbar sort this?
0
 
LVL 15

Expert Comment

by:Russell_Venable
You have a banker malware. This specific type of trojan targets banking information.

What do you get when you run this command from the command prompt?

REG QUERY "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v load


0
 
LVL 15

Expert Comment

by:Russell_Venable
If you're still getting that message, it's related to this:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\windows\system32\regsvr32.exe"


A few different variants actually disguise themselves as actual Microsoft tools and also remove services and take their place by registering as that product.
0
 

Author Comment

by:mikeabc27
I've emailed the user to run the line at the DOS prompt.

What should we do about the entry in the registry?
0
 

Author Comment

by:mikeabc27
reply at DOS prompt attached
ee.jpg
0
 

Author Comment

by:mikeabc27
Does anyone have any ideas from the Combofix log on any action I need to take? Also I missed Paul's comment earlier about running Combofix as admin then as the user, is this advisable - I've not heard this before?

Once I have done any additional cleaning suggested I will reboot, run a full Malwarebytes scan, and if this shows as all clear, remove and reinstall Symantec Endpoint as Russell suggests.

Any thoughts?
0
 

Author Comment

by:mikeabc27
I meant to add as Russell pointed out I need to reinstall a fresh regobj.dll.
0
 
LVL 15

Expert Comment

by:Russell_Venable
Well, that is if you use it. If not, then don't worry about it. It's not a default installation file, so if you don't restore it then no foul will come of it.

As far as the registry entry, it needs to be removed along with the Google toolbar if not already accomplished. If the user is still getting that error message every time they open their browser then it's connected with whatever is attached to the browser.

Take another run with combofix and post that log. If it's still spawning those files, we have not got rid of the startup method, and it should show what has not been done yet.
0
 

Author Comment

by:mikeabc27
Thanks, I was just sending the end user an update before I saw your post, where I said:

"If you have an hour to spare later can you do the following:

1. I think you would have been logged on as Malcolm when you ran Combofix yesterday. If so, can you run it again logged on as Ros. It's said that to clean the pc properly it should be done from the infected user's profile. I can't vouch for this though, as I would have normally run it logged on as the main user, but I do tend to run Combofix twice. Please email me the log. Reboot.
2. If you are still getting the regsvr32 error we need to sort that, as we need this tool to register the replacement for the infected DLL file that Combofix deleted. As this may involve editing the registry please ring me and I will do it remotely. Once finished I'll reboot.
3. When we've done this, please run a full scan on Malwarebytes. This will produce a report. Please email this to me rather than a screenshot of the results page, as the report contains a lot more information. Reboot.
4. Please run HijackThis and email me the log.

That's it, if the Combofix, Malwarebytes and HijackThis logs are clean we can consider it done."

Russell, I'll remove the line you pinpointed when I'm in remotely. Will removing the google tbar sort the regsvr32 error?

I'll post all 3 logs once I have them - in around 6 hrs, 4.20pm here at the moment,

Thanks,

Mike
0
 
LVL 15

Expert Comment

by:Russell_Venable
It should fix the error being reported. Will know more when the logs are received.
0
 

Author Comment

by:mikeabc27
Google Toolbar now removed.

This PC is used mainly by A and B, and sometimes by C. First Combofix ran logged on as A. Tried the second one logged on as B but couldn't load CF, so just started one logged on as C.

Should have results in around 2 hrs.

We'll only be able to get the combofix log done tonight.
0
 

Author Comment

by:mikeabc27
I didn't get the results in until late. It was run using a login rarely used but the one they use as admin on this pc. Down from 985k to 14k.

Will run mbam now.
cf2-black-pc-malcolm.txt
0
 
LVL 15

Expert Comment

by:Russell_Venable
Ok, just as suspected. Remove these 2 registry entries.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\windows\system32\regsvr32.exe" [2008-04-14 11776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"VF0560Inst"="c:\windows\system32\V0560Pin.dll" [2008-06-02 40960]

Just removing the first entry should remove the error.

Here are a few commands you can use to delete them manually. It looks like the infection is mostly wiped.
Reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v swg /f
Reg delete HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce /v VF0560Inst /f


0
 

Author Comment

by:mikeabc27
Thanks Russell, that's great.

I was going to delete the first line (as you suggested earlier) but will get the user to run the 2 lines from the command line logged in as admin or run as admin (can't remember if XP allows that).

Hopefully this should get rid of the "Regsvr32 no DLL name specified" error.

They are already using the pc so couldn't run mbam yest and won't be able to do this until later.

What about:

1. Delete the 2 reg entries from command line and reboot.
2. Run another combofix and reboot.
3. Run mbam full scan.
4. Post cf and mbam reports.

Thanks,

Mike
0
 
LVL 15

Expert Comment

by:Russell_Venable
XP allows two conditions: "Runas" utilizing login as user, and also the more generic logging in as the actual administrator account by user switching. You don't have to reboot for those 2 keys to take effect. Though, if you're trying to make sure it does not start up again and is not caused by something else, then a reboot is advised.

You have the right idea of doing another scan after the initial disinfection routines. Run (ComboFix, MBAM) as you asked about and post. Shouldn't have anything left on the next reports.
0
 

Author Comment

by:mikeabc27
Sorry for delay - still waiting for the reports back. Hopefully will have some time today.

I'm sure they will be clean, mainly want to check they have removed the two entries in registry correctly.
0
 

Author Comment

by:mikeabc27
Russell, lines run as well as mbam which reports clean - see attached.

They're still getting the regsvr32 error. I will have the combofix log late tonight and we will see if the 2 registry problems were removed properly.
mbam-log-2012-03-28--23-26-22-.txt
0
 

Author Comment

by:mikeabc27
I'm bound to be asked. The pc is used for emails and some Internet, though mbam blocks any dodgy sites. Any sign of how the file came in? Can't see them being stupid enough to open any unknown attachments.
0
 

Author Comment

by:mikeabc27
Just got the latest cf log in and the 2 offending registry entries are still there.

I will be logging in remotely tomorrow morning and will remove the entries manually.

Then will run combofix and post results,
blackpc-cf3.txt
0
 
LVL 15

Expert Comment

by:Russell_Venable
I've been kind of busy lately. Just dropping by to tell you I will be checking on this a little later on today.
0
 
LVL 15

Expert Comment

by:Russell_Venable
Do you have "RegCure.exe" normally installed on this computer? From the looks of it, it could have come from anywhere. It makes it easier if the malware is caught, copied, and analyzed.

Malware is getting so advanced these days not even the antivirus companies can completely follow. They do a really good job for what they're against, it just isn't enough to stop all of it. Too many new tricks that bypass antivirus scans. Mostly offset changes. Doesn't take much.

Are they experiencing anything anymore? If they're still getting the registry error, I would start looking at the registry cleaning programs. There have been a few around that are actually malicious and do this exact kind of behaviour. That is why I ask about "RegCure" and if it's legit from your point of view.
0
 

Author Comment

by:mikeabc27
Thanks Russell, the 2 registry entries have been removed and after a reboot still getting the regsvr32 error when they go on the Internet.

They say RegCure has been on for a few years and they definitely did NOT pay for it, but not sure how it's on there.

If it's malicious what's the best way to remove it?

I normally use CCleaner but doesn't appear to be on this PC.

Will run combofix when issues sorted
0
 
LVL 15

Expert Comment

by:Russell_Venable
If it's been on there for years and there hasn't been an incident because of it, we will ignore this program for now. If you use CCleaner on that computer, don't use the "cleaner"; instead use "registry" and select the option of "missing imported DLLs". If a Dynamic Link Library (DLL) is being referenced and there is no DLL to reference from, you can get this error as well. This option helps clean those from the registry. If that doesn't clean it, something else is sending that message, particularly an executable file.
0
 

Author Comment

by:mikeabc27
OK, I'll ask them to scan the registry for issues using ccleaner. Normally download from hippofile.

Hopefully will fix the regsvr32 issue.
0
 

Author Comment

by:mikeabc27
CCleaner found 645 registry issues (many DLLs) on first run, 5 on second, 2 on third and 0 on fourth.

The regsvr32 error is still there, so I have asked them to remove RegCure in Add/Remove programs and if it's still there, I'll get them to run Combofix to check the reference to regsvr32 is gone from the registry.

On the up side, the PC is performing better than is has for a long time.
0
 

Author Comment

by:mikeabc27
BTW, regsvr32 problem started after the second or third run of mbam.
0
 
LVL 15

Expert Comment

by:Russell_Venable
Can you get a screenshot of the error message? I think it would be more informative if I actually saw what it was. It's also important to note that the error message, if it really is an error, should report an error number.

Example:
The module 'MyDll.dll' was loaded but the call to DllRegisterServer failed with error code 0x80004005.


This way I know what problem is really causing this and should be able to give a more specific approach.
0
 

Author Comment

by:mikeabc27
see attached screenshot
regsvr32.jpg
0
 
LVL 15

Expert Comment

by:Russell_Venable
Excellent! Now the other part. You can use "Regfind.exe" from the win2000 resource kit and pipe all the entries for "regsvr32" into a text file and post it here.

The command used with regfind would be:
regfind -y "regsvr32" > registry.txt

Here is a link to the kit in separate pieces: Win2000 Resource Kit.

I will go through the list and spot exactly where it's coming from, or use Autoruns and save the information it collects and post it here.
0
 

Author Comment

by:mikeabc27
Thanks will post the registry.txt file as soon as I receive it.
0
 
LVL 15

Expert Comment

by:Russell_Venable
Ok, Any news today?
0
 

Author Comment

by:mikeabc27
Sorry for delay, just sent a chasing email for the registry.txt file.
0
 

Author Comment

by:mikeabc27
Russell, just received an email to say the user was having a problem with this and needed to speak to me.

He uses this PC in the evenings (he's out tonight), normally when I've finished, so most contact is by email.

Anyway, I checked regfind on one of my own xp PCs and emailed him full step by step instructions. I didn't find any problems, the only thing I can think of is that he is not changing from the default user directory at the DOS prompt.

Thanks,

Mike
0
 
LVL 15

Expert Comment

by:Russell_Venable
It shouldn't matter what directory is used from the console. Its main goal is to search the structure of the registry and return and/or replace values therein. It sounds like part of the instructions given had "cd <some Dir>" included? Since regfind is a part of the resource kit and a console utility, place it in the system32 directory by a simple drag and drop, then attempt to run the command with regfind. The other option is to have it already scripted out so the user only has to run 1 script, to help automate and exclude user error.

Of course this must be from a privileged account to move/drop that file into the system32 folder and read HKEY_LOCAL_MACHINE.

In a batch file example:

@echo off
Rem Just using desktop as a good example after the file is unzipped directory on the desktop.
Rem another way if "unzip.exe" is already there: Unzip regfind.zip %windir%\system32 or
Move %userprofile%\desktop\regfind.exe %windir%\system32
Regfind -y "regsvr32">results.txt


That should be simple enough of an example. There are lots of good ways to write this.
0
 

Author Comment

by:mikeabc27
Thanks, I'll do it remotely if he has any problems, but not sure if the end user will contact me before the Easter holidays end, i.e. Tuesday.
0
 
LVL 15

Expert Comment

by:Russell_Venable
Not a rush on my end. Do as you can :)
0
 

Author Comment

by:mikeabc27
Thanks Russell have a good weekend
0
 

Author Comment

by:mikeabc27
Sorry, still chasing and still getting excuses.
0
 
LVL 15

Expert Comment

by:Russell_Venable
Gotcha. I'll be ready when it comes.
0
 
LVL 15

Expert Comment

by:Russell_Venable
You can also cut down on the scan time by using this vbscript to scan the specific area, it will list all occurrences of regsvr32 in the file association commands.
getregsrv32.vbs
0
 

Author Closing Comment

by:mikeabc27
Russell, the real problem was sorted long ago so I'm closing this for now and will open new thread when the end user gets back to me.
0
 
LVL 15

Expert Comment

by:Russell_Venable
Ok.
0
