Computer Security & Viruses/browser hijacker
Expert: Brian Benosky - 7/30/2009
QUESTION: I have a browser hijacker that is redirecting me when I click on a link, usually after a Google search. The most common redirect is to this URL:
http://125.skooble.com/xtr_new?q=ger&enc=WwjCZvml61Zh/WY0mc0bmhtDjkC2UMjoSVAzTiA but there are many others. I have scanned with numerous other programs (McAfee, F-Secure, Spyware Doctor, Windows Defender, and more) that cannot find it. They have found and removed a keylogger and a trojan (TrojanDownloader:Win32/Renos.IO) but not the hijacker. I have emptied cookies and temp files and checked the hosts file. The entry below is the HijackThis report, but as you can see it looks fine. Anywhere else I should look?
--------------------
Scan saved at 12:34:31 PM, on 7/27/2009
Platform: Windows Vista (WinNT 6.0)
MSIE: Internet Explorer v8.0 (8.0.6001.18783)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c9b2d5d343e4b0) (gupdate1c9b2d5d343e4b0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
ANSWER: Hi Trevor
Your HJT log file is very incomplete. Either the program is corrupted, or you somehow did not copy the entire log. Try uninstalling HJT, reboot into Safe Mode with Networking by tapping the F8 key on boot, then download HJT again from here:
http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html
Reinstall and run a scan and save a log file. Copy everything from Notepad and paste it in a reply to me. Thanks.
Brian
---------- FOLLOW-UP ----------
QUESTION: Here it is again:
------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:49 PM, on 7/27/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0RZAZ9BJ\HiJackThis[1].exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.liberty.edu/luonline/index.cfm?PID=14239
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKUS\S-1-5-18\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q c:\users\stephen\appdata\local\temp\IpAdrSet.SH! C:\Users\stephen\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\AD63KGA5\SERVIC~1.SH! C:\Users\stephen\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\0I8WNI6M\60A855~1.SH! C:\Users\stephen\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\36K02ZBG\401CA4~1.SH! C:\$Recycle.Bin\S-82F4~1\$R1YBEAK.SH! C:\Users\stephen\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\RGGC9VVA\SONGTO~1.SH! C:\Users\stephen\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\RGGC9VVA\GADGET~3.SH! C:\Users\stephen\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\RGGC9VVA\MATCH_~1.SH! C:\Users\stephen\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\RGGC9VVA\INDEX_~1.SH! C:\Users\stephen\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\RGGC9VVA\CLICK_~1.SH! C:\Users\stephen\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\0I8WNI6M\NOWONR~1.SH! C:\Users\stephen\AppData\Local\MICROS
O4 - HKUS\S-1-5-18\..\RunOnce: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q C:\Users\stephen\AppData\Local\Temp\TEMPFO~1.AAA\xtras.SH! C:\Users\stephen\AppData\Local\Temp\TEMPFO~1.SH! C:\Users\stephen\AppData\Local\Temp\HSPERF~1.SH! C:\Users\stephen\AppData\Local\Temp\Low\~DF36CB.tmp C:\Users\stephen\AppData\Local\Temp\Low\~DF36BC.tmp C:\Users\stephen\AppData\Local\Temp\Low\HSPERF~1.SH! C:\Users\stephen\AppData\Local\Temp\IpAdrSet.SH! C:\Users\stephen\AppData\Local\Temp\wmsetup.SH! C:\Users\stephen\AppData\Local\Temp\~ef3cff.SH! C:\Users\stephen\AppData\Local\Temp\~eff314.SH! C:\Users\stephen\AppData\Local\Temp\~ef426c.SH! C:\Users\stephen\AppData\Local\Temp\~ef5afa.SH! C:\Users\stephen\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\D1DHD85F\AUDIBL~1.SH! C:\Users\stephen\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\XN6A6PNY\LOGO_K~1.SH! C:\Users\stephen\AppData\Local\Temp\Tar33CD.SH! C:\Users\stephen\AppData\Local\Temp\Cab33CC.SH! C:\Users\stephen\AppData\Local\MICROS~1\Windows\TEMPOR~1\C
O4 - HKUS\.DEFAULT\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q c:\users\stephen\appdata\local\temp\IpAdrSet.SH! C:\Users\stephen\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\AD63KGA5\SERVIC~1.SH! C:\Users\stephen\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\0I8WNI6M\60A855~1.SH! C:\Users\stephen\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\36K02ZBG\401CA4~1.SH! C:\$Recycle.Bin\S-82F4~1\$R1YBEAK.SH! C:\Users\stephen\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\RGGC9VVA\SONGTO~1.SH! C:\Users\stephen\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\RGGC9VVA\GADGET~3.SH! C:\Users\stephen\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\RGGC9VVA\MATCH_~1.SH! C:\Users\stephen\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\RGGC9VVA\INDEX_~1.SH! C:\Users\stephen\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\RGGC9VVA\CLICK_~1.SH! C:\Users\stephen\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\0I8WNI6M\NOWONR~1.SH! C:\Users\stephen\AppData\Local\MICROS
O4 - HKUS\.DEFAULT\..\RunOnce: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q C:\Users\stephen\AppData\Local\Temp\TEMPFO~1.AAA\xtras.SH! C:\Users\stephen\AppData\Local\Temp\TEMPFO~1.SH! C:\Users\stephen\AppData\Local\Temp\HSPERF~1.SH! C:\Users\stephen\AppData\Local\Temp\Low\~DF36CB.tmp C:\Users\stephen\AppData\Local\Temp\Low\~DF36BC.tmp C:\Users\stephen\AppData\Local\Temp\Low\HSPERF~1.SH! C:\Users\stephen\AppData\Local\Temp\IpAdrSet.SH! C:\Users\stephen\AppData\Local\Temp\wmsetup.SH! C:\Users\stephen\AppData\Local\Temp\~ef3cff.SH! C:\Users\stephen\AppData\Local\Temp\~eff314.SH! C:\Users\stephen\AppData\Local\Temp\~ef426c.SH! C:\Users\stephen\AppData\Local\Temp\~ef5afa.SH! C:\Users\stephen\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\D1DHD85F\AUDIBL~1.SH! C:\Users\stephen\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\XN6A6PNY\LOGO_K~1.SH! C:\Users\stephen\AppData\Local\Temp\Tar33CD.SH! C:\Users\stephen\AppData\Local\Temp\Cab33CC.SH! C:\Users\stephen\AppData\Local\MICROS~1\Windows\TEMPOR~1\C
O4 - Global Startup: $McRebootA5E6DEAA56$.lnk = C:\Windows\System32\cmd.exe
O15 - Trusted Zone: mail.google.com
O15 - Trusted Zone: *.google.com
O15 - Trusted Zone: http://bb7.liberty.edu
O15 - Trusted Zone: www.liberty.edu
O15 - Trusted Zone: *.luonline.com
O15 - Trusted Zone: *.mediafire.com
O15 - Trusted Zone: *.tehorng.com
O15 - Trusted Zone: http://en.wikipedia.org
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan\McShield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
--
End of file - 6150 bytes
ANSWER: Hi Trevor
Let's see if we can't get this cleaned up. Download CCleaner from here:
http://www.ccleaner.com/download/builds/downloading-slim
Install and run the program according to the instructions here:
http://www.ccleaner.com/help/tour/1-after-installation
Note: You only need to follow pages 1-5 of the tour.
Next, restart the computer in Safe Mode by continuously tapping the F8 key on boot until a black screen with a menu appears. Choose to Start Windows in Safe Mode with Networking. Log on as usual.
Please download Malwarebytes' Anti-Malware to your desktop from here:
http://www.besttechie.net/tools/mbam-setup.exe
Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to:
  o Update Malwarebytes' Anti-Malware
* Then click Finish.
* If an update is found, it will download and install the latest version.
* Run a Full Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Save that log to your desktop and reboot normally.
Finally, post me the Malwarebytes' log and a new HJT log.
Brian
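The HijackThis log posted in the follow-up question above is just a list of "<section code> - <body>" lines, and the things an analyst looks for in it (entries whose file is gone, autostart items pointing at temp folders or a command shell, wildcard Trusted Zone additions, processes running out of the browser cache) are mechanical checks. The following Python is an added example, not part of this thread or of HijackThis itself; the section codes and sample lines are taken from the log above, the review heuristics and the known_good allowlist are my own assumptions, and the O4 Run line is shortened from the truncated original.

```python
import re

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")  # "O23 - Service: ..."
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")                           # "Running processes" lines
O4_PREFIX_RE = re.compile(r"^.*?(\] | = )")                        # "[Name] " or "x.lnk = " prefix
TEMP_DIR_RE = re.compile(r"\\(temp|tempor~1|temporary internet files|content\.ie5)\\", re.I)
SHELL_RE = re.compile(r"\b(cmd|powershell|wscript|cscript|mshta)\.exe\b", re.I)

def review_entry(line, known_good=("microsoft.com",)):
    """Reasons one HJT entry deserves a second look; [] when nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    code, body, reasons = m.group("code"), m.group("body"), []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("points at a file that is not on disk (orphaned or removed component)")
    if code == "O4":                                   # autostart entries
        cmd = O4_PREFIX_RE.sub("", body, count=1)
        if SHELL_RE.search(cmd):
            reasons.append("autostart entry launches a script host or command shell")
        if TEMP_DIR_RE.search(cmd):
            reasons.append("autostart entry references temp or browser-cache paths")
    if code == "O15":                                  # IE Trusted Zone additions
        zone = re.sub(r"^https?://", "", body.split(": ", 1)[-1]).lower()
        if zone.startswith("*.") and not any(zone.endswith("." + g) for g in known_good):
            reasons.append("wildcard Trusted Zone entry for a domain outside the known-good list")
    return reasons

def review_log(text, known_good=("microsoft.com",)):
    """Walk a whole log; return [(line, reason), ...] for items worth checking."""
    findings = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if PROCESS_RE.match(line):
            if TEMP_DIR_RE.search(line):
                findings.append((line, "process running from a temp or browser-cache directory"))
            continue
        findings.extend((line, r) for r in review_entry(line, known_good))
    return findings

# Constructed sample: lines copied from the log posted above (the O4 Run line is shortened).
SAMPLE_LOG = r"""
C:\Users\stephen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0RZAZ9BJ\HiJackThis[1].exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
O4 - HKUS\.DEFAULT\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q c:\users\stephen\appdata\local\temp\IpAdrSet.SH!
O4 - Global Startup: $McRebootA5E6DEAA56$.lnk = C:\Windows\System32\cmd.exe
O15 - Trusted Zone: *.tehorng.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan\McShield.exe (file missing)
"""
```

Flagged lines are candidates for a human to verify, not verdicts: the McAfee DelayShred and reboot entries above are legitimate but still get listed because they match the heuristics.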
---------- FOLLOW-UP ----------
QUESTION: Sorry for the delay; I had an issue with my Internet service at home.
I ran CCleaner but that did not help anything, and Malwarebytes will not work. I tried reinstalling it and running it in Normal and Safe Mode. When I click on the icon nothing happens at all. I have had this same problem with Kaspersky but not with any other antivirus programs.
P.S. Will I be able to contact you another way if this question runs out?
ANSWER: Hi Trevor
You can always start a new question to me, or you can email me directly at numbersix6@yahoo.com. Your trouble running the scans may be caused by the malware blocking the programs. I would like for you to try running ComboFix in Safe Mode.
Please download ComboFix from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
*Important* - Save it to your desktop!
Reboot into Safe Mode.
Double-click on the ComboFix icon found on your desktop.
Please note that once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall.
Follow the prompts. If the program asks to install the Windows Recovery Console, please allow it to do so.
ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. ComboFix may also restart your computer. Do not intervene. Eventually you will see a new screen that states the program is almost finished and tells you the program's log file, or report, will be located at C:\ComboFix.txt. It will then display the log file automatically for you. Post me that log in a follow-up, along with a new HJT scan.
Brian