
Undeletable browser hijack


Painkiller667


I've got a browser hijacker I believe. I've been able to get rid of any problems like this on all of my and my friends'/relatives' computers until this problem that I have now. I have AVG Free, MalwareBytes, Spybot SD, Spyware Doctor, CCleaner. All are updated. They have each found something, but everything was deleted and the problem still persists.

My primary browser is Opera and it's acting up the most right now. Whenever I do a search on any of my browsers (Opera, Firefox, IE, Chrome) in almost any search engine (Google, live.com), it redirects me almost every time to some BS website when I click on a result. Opera even crashes every once in a while because of this. When I try to use the Chrome browser, it also redirects, but doesn't crash like Opera. Good thing Opera saves my previous sessions so I never lose anything after the crashes.

Any help?



Maybe your DNS has been rerouted? Check your TCP/IP settings for your DNS server. Also check your HOSTS file, and if you have a router, log in and make sure nothing has been changed, like alternate DNS, etc. I would also suggest running a live disc with an updated virus scanner, and check out what is loaded to start with the PC in the registry. UBCD4WIN has some good tools for this and lets you mount the registry in a live disc environment to make changes before rebooting; in case something is in there that shouldn't be, you can remove it this way.

All else fails, backup, format, reinstall, restore files.

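The two checks digip suggests (DNS servers and the HOSTS file) can be scripted. The following is an added example, not code from anyone in this thread: it parses hosts-file text and flags entries that send a name somewhere other than loopback/0.0.0.0 (Spybot's immunisation entries point at 127.0.0.1 and are harmless), and it pulls the DNS server list out of `ipconfig /all` output and reports resolvers outside the RFC 1918/loopback ranges. Both inputs below are constructed samples; the Windows hosts path is the standard `%SystemRoot%\System32\drivers\etc\hosts`.

```python
import ipaddress
import os
import re

# Constructed sample hosts file: Spybot-style blocking entries (harmless, they
# point at loopback) plus one entry of the kind a hijacker would plant.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
# End of entries inserted by Spybot - Search & Destroy
203.0.113.7     www.google.com   # constructed: hijacked entry
0.0.0.0 ads.example.com
"""

# Constructed excerpt of `ipconfig /all` output with two DNS servers configured.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            192.168.1.1
"""

# Address ranges a home LAN resolver normally lives in (RFC 1918 plus loopback).
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not an address
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def suspicious_hosts_entries(text):
    """Hosts entries that send a name to a routable address.

    Loopback / 0.0.0.0 entries only block a name (what Spybot's immunisation
    adds); any other target silently redirects that name somewhere else."""
    return [(name, str(ip)) for ip, name in parse_hosts(text)
            if not (ip.is_loopback or ip.is_unspecified)]


def dns_servers_from_ipconfig(text):
    """Pull DNS server addresses out of `ipconfig /all` text.

    The first server sits on the 'DNS Servers' line; further servers follow on
    continuation lines that contain only an address."""
    servers, in_dns = [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"DNS Servers[ .]*: *(.*)$", line)
        if m:
            in_dns = True
            if m.group(1).strip():
                servers.append(m.group(1).strip())
            continue
        if in_dns:
            try:
                ipaddress.ip_address(line)
                servers.append(line)
            except ValueError:
                in_dns = False
    return servers


def non_lan_dns_servers(text):
    """DNS servers outside the LAN/loopback ranges.

    Not proof of tampering (an ISP resolver is public too), but on a PC set to
    obtain DNS automatically from a home router it is the first thing to verify."""
    return [s for s in dns_servers_from_ipconfig(text)
            if not any(ipaddress.ip_address(s) in net for net in LAN_RANGES)]


if __name__ == "__main__":
    # On Windows the real file is %SystemRoot%\System32\drivers\etc\hosts;
    # fall back to the constructed sample elsewhere.
    hosts_path = os.path.join(os.environ.get("SystemRoot", ""),
                              "System32", "drivers", "etc", "hosts")
    if os.path.isfile(hosts_path):
        text = open(hosts_path, encoding="utf-8", errors="replace").read()
    else:
        text = SAMPLE_HOSTS
    print("hosts redirects:", suspicious_hosts_entries(text))
    print("non-LAN DNS servers:", non_lan_dns_servers(SAMPLE_IPCONFIG))
```

On a real machine, feed the output of `ipconfig /all` into `non_lan_dns_servers` and compare whatever it reports with the DNS server the router itself hands out; a resolver you did not configure is the DNS reroute digip is talking about.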


Yeah, I know that the last resort is a reformat but I've had this OS installed for several years already and have always been able to avoid the reformat. I just tried to check my router's IP address by going to cmd in the run menu, and noticed that every time I type in CMD and click enter, it is as if my explorer.exe process gets restarted momentarily. No icons or taskbar on the screen for several seconds and then back to normal. In other words, CMD does NOT open! Automatic DNS is set up in properties of TCP/IP settings, but to access my router, which isn't wireless btw, I cannot. Tried typing 192.168.1.1 and .0.1 but couldn't get it. Probably not the problem anyway.

My hosts file is fine, it has no entries other than the ones made by spybot SD.


Reinstall. Something is on your system; you can't trust it. It will lie to you at every turn.

Yep there's something on my system but I'm not going to give up that easily. Any other suggestions? I also don't feel like doing the whole boot up in safe mode or with live cd and full scan..etc. Would there be any other simpler alternatives before that kind of serious work? You guys want to see my hijack this scan? ;)


Sorry for the triple post, but I got something interesting. After getting more symptoms of the problem, I was able to find a google result that shows another person had the exact same problem as me: LINK

I noticed also that the following link that is on that page closes all my browsers. If I click on it, browser closes right away. Chrome, Opera, and Firefox all close INSTANTLY when I go to that url. So I can't even access it..

http://miekiemoes.blogspot.com/2008/10/fak...archengine.html


Are you too lazy to explain why you gave me that link? I'm not using beta Firefox and I don't think I have that problem at all.

The laziness is on your part for not reading the thread. The choice of web browser is irrelevant.



You should have started reinstalling 30 minutes ago; the Windows setup would be nearly finished by now.


You fail. Reformatting at every single quirk goes against every single ethic of a proper hacker. I always try to find what caused the problem, isolate it, and get rid of the cause instead of just blindly reformatting every week. I almost resolved the issue without having to reformat already.

Yes perhaps a reformat does take 40 minutes, but how long does it take to back up all of the settings and files on an operating system that has been used without formatting for 4 years? Obviously you wouldn't understand if all you do is format and format again. That's probably why you have so many posts. You just keep telling people "Format."


I suggest running a live disc and copying off your files for backup, reinstall, then restore. If you can't even run simple things like regedit and cmd, then you obviously got something nasty and it's not really worth fighting with the OS to mess with it. On a side note, disconnect that router while doing the reinstall, and once done, reset the router via the switch or button on the back, then log in and reconfigure it. Make sure it hasn't been tampered with, and if at all possible, update the firmware on it.

Unless you know what you are looking for and how to remove it, it's pretty much a fruitless endeavor trying to fix it. If you really feel the need to figure out what it was and you have the space, or an extra machine, make an image of the drive to analyze later or convert it to a VM so you can dissect it later, but for now, how important is it that your machine is fixed? As suggested before, backup, reinstall, restore, be done with it.

One other thing you can try: reboot the machine and start in safe mode or log in as Administrator and see if they hosed up that account. If that works, copy out your important stuff and create a new profile, then delete the old one that is infected, but chances are they got ahold of that as well and the whole OS is not to be trusted.



I counteract your claim of my failing by your failure to see how you fail. Anything you do on this computer is potentially being monitored. hak5.org might even make it to the list of sites that this software blacklists. You cannot trust that install of Windows. You'd be at a nice 'blank' desktop now if you had started installing when you should have done.


This particular malware didn't cause my stuff to "potentially been monitored." That link that I referred to in my previous post actually DID fix it. It is pretty new and unheard of, something that you either know or you don't, but it took just a few clicks and it actually fixed my problem. No need to reformat once again. I didn't fail, I won by finding the quickest and easiest way to fix my problem. You failed by telling me three times to format and not suggesting much else other than standard procedure. digip, thanks for helping, at least you honestly tried, but I knew there's got to be an easier way.

As the girl in that forum who posted the solution determined, it was a new variant of the Win32:Daonol. Here's the whole thread once again http://www.bleepingcomputer.com/forums/topic208323.html



No such thing as an undeletable browser hijack. In fact, there is no such thing as undeletable malware or an undeletable file of any kind. What you need to do is scan your computer with a live CD, while the hard disk is not running and the OS on your hard disk is inactive. Here are some good ones: Ultimate Boot CD (for Linux or Windows), BitDefender Rescue CD. Also, learn how to use Autoruns and Process Explorer by Sysinternals.

I clean malware and search for intrusions by malware all day at work, and most can be eliminated using Sysinternals tools and a good live CD.

It's not the BHO object that's got the problem in this case, it's the user who needs to step his game up :)

P.S. HijackThis, while a good tool when it first came out, is now obsolete. There, I said it, and you all know it's true.



What is your method of determining if a computer is still infected?


I did get rid of it Sparda. Now my google search results in all browsers go directly to the links I click and Opera no longer crashes. CMD and Regedit open once again. You are extremely unprofessional for your rank on this forum.

Dranfu, yes I know there is no such thing, I just named it that to draw attention. I agree the livecd scan would be the last method before reformatting but whatever you're scanning with, if the malware was only recently created, either from scratch, or by slightly modifying the code, no scanner will pick it up. It was a very specific problem. If only you could look at that link I mentioned in my previous post, dranfu, maybe you would be able to tell whether that problem would have been scannable or not. Seems like something only a manual job would be able to get rid of.


Also, you should use an ADS scanner (Alternate Data Stream) to search for files hidden within files. Some malware takes advantage of ADSes to hide files. Streams, by Sysinternals, and LADS, by... some dude, I forgot his name, are decent tools. Streams allows you to delete ADSes without deleting the file, if that's what you need.

Neither tool can find a locked stream, unfortunately, so a good programmer can still fool 99% of antivirus/scanning tools.

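For anyone who wants to see what the ADS scanners Dranfu mentions actually do, here is an added example (not Sysinternals' or LADS's code, and not from anyone in this thread). On Windows it enumerates a file's streams with the kernel32 `FindFirstStreamW`/`FindNextStreamW` API, which is the same mechanism those tools rely on, so it inherits the limitation Dranfu names: a stream the owning process holds locked will not show up here either. The classification part runs anywhere and works over a constructed inventory of stream listings; the file names and sizes in it are made up for the example, and the only stream it treats as normal is the small `Zone.Identifier` marker Windows attaches to downloads.

```python
import ctypes
import sys

INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
MAX_PATH = 260


def list_streams(path):
    """Enumerate the streams of one file via FindFirstStreamW/FindNextStreamW.

    Returns a list of (stream_name, size). Windows reports the unnamed default
    stream as '::$DATA' and a named ADS as ':name:$DATA'. Windows-only; returns
    None on other platforms."""
    if sys.platform != "win32":
        return None
    from ctypes import wintypes

    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [("StreamSize", wintypes.LARGE_INTEGER),
                    ("cStreamName", wintypes.WCHAR * (MAX_PATH + 36))]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [wintypes.LPCWSTR, ctypes.c_int,
                                     ctypes.c_void_p, wintypes.DWORD]
    k32.FindFirstStreamW.restype = wintypes.HANDLE
    k32.FindNextStreamW.argtypes = [wintypes.HANDLE, ctypes.c_void_p]
    k32.FindNextStreamW.restype = wintypes.BOOL
    k32.FindClose.argtypes = [wintypes.HANDLE]

    data = WIN32_FIND_STREAM_DATA()
    # 0 = FindStreamInfoStandard; dwFlags is reserved and must be 0.
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)
    if handle is None or handle == INVALID_HANDLE_VALUE:
        return []  # no streams readable (missing file, access denied, or locked)
    found = []
    try:
        while True:
            found.append((data.cStreamName, int(data.StreamSize)))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return found


# Constructed sample of what list_streams would return for three files
# (names and sizes are invented for the example).
SAMPLE_STREAMS = {
    r"C:\Users\me\Downloads\setup.exe": [("::$DATA", 812032),
                                          (":Zone.Identifier:$DATA", 26)],
    r"C:\WINDOWS\system32\ntnet.drv": [("::$DATA", 1024),
                                        (":x:$DATA", 49152)],
    r"C:\WINDOWS\notepad.exe": [("::$DATA", 69120)],
}


def named_streams(streams):
    """Drop the unnamed default stream; what is left are the ADSes."""
    return [(name, size) for name, size in streams if not name.startswith("::")]


def suspicious_ads(inventory):
    """Flag every ADS except a small Zone.Identifier download marker.

    A 49 KB stream hanging off a 1 KB file is big enough to hold a PE image,
    which is exactly the 'file hidden within a file' case."""
    flagged = []
    for path, streams in inventory.items():
        for name, size in named_streams(streams):
            if name == ":Zone.Identifier:$DATA" and size < 1024:
                continue
            flagged.append((path, name, size))
    return flagged


if __name__ == "__main__":
    inventory = SAMPLE_STREAMS
    if len(sys.argv) > 1:  # real files given on the command line (Windows only)
        inventory = {p: list_streams(p) or [] for p in sys.argv[1:]}
    for path, name, size in suspicious_ads(inventory):
        print(f"{path}{name}  ({size} bytes)")
```

Run it with file paths as arguments on Windows to inspect real files; without arguments it classifies the constructed inventory. Sysinternals `streams -d` is still the tool to use for removing a stream, since this example only reports.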

EDIT I see you have fixed the problem after I visited this page (so I did not see your post.)


Don't Reformat!

The link you found was also mentioned in the link from Sparda http://hak5.org/forums/index.php?act=post&...=43&t=11208

and since you cannot access it (http://miekiemoes.blogspot.com/2008/10/fake-sysaudiosys-causes-searchengine.html) I have copied and pasted it below

Monday, October 13, 2008

Fake sysaudio.sys causes Searchengine Hijack

What is this infection about...

It actually loads a script, so searchengine results are loaded within a script. For example, when you search something in Google or another searchengine, you get this when you view the source:

script scr= //78. 157. 142. 58/ and then the searchengine results.

or

script scr= //209 .85 .171 .9/ and then the searchengine results.

(more may be present as well)

So, whenever a popular searchengine is being used, a script is loaded to insert its results. For example, a search for: "How to remove rootkits with icesword", you get irrelevant results. Screenshot here:

This only applies for the first page of the results.

It looks like stopzilla.com is also promoted via this piece of malware

Example:

As far as I know, this one is getting installed via a "Yahoo! Counter starts here" javascript (which is a malicious script and not related to Yahoo) injected on many forums/sites/blogs.

The responsible file for the searchengine hijack is sysaudio.sys, (which is actually a DLL) dropped in the %sysdir% folder (system32 folder).

Note - do NOT confuse this one with the legitimate sysaudio.sys file which is present in the %sysdir%\drivers folder!!! So don't delete the legitimate %sysdir%\drivers\sysaudio.sys file!

The loading point for the fake sysaudio.sys is under the

HKLM\software\microsoft\windows nt\currentversion\drivers32 key

with value and valuedata:

"aux"="sysaudio.sys" or

"aux2"="sysaudio.sys"

Legitimate valuedata for "aux" should be wdmaud.drv or mmdrv.dll or ctwdm32.dll (those are the most common legitimate ones I've seen so far, there could be more)

Other files the fake sysaudio.sys may use are divx.nls or ntnet.drv which is also present in the %sysdir% folder.

(could be more already - newer variants)

Anyway, this is another method being used to "hide" its presence because it causes confusion with legitimate files/keys. So be cautious if you think you're dealing with this one and do not delete the legitimate sysaudio.sys file present in the system32\drivers folder or "aux" value in the registry. Ask for help if you're not sure.

UPDATE!!!

A new variant is Windows\system32\wdmaud.sys <== bad one

The legitimate ones are Windows\system32\wdmaud.drv and Windows\system32\drivers\wdmaud.sys, so don't delete those!!

UPDATE2!!!

And again a new variant around.

Redirections go for example to 209.85.171.199 - or you see 7.7.7.0 in the status bar.

This time, it uses a random file name. To find out, browse to the HKLM\software\microsoft\windows nt\currentversion\drivers32 key in the registry and look what's present under the "aux" values (aux1, aux2, aux3, aux4..) One of them is the cause. It's a "weird" looking filepath and name, examples are: "C:\WINDOWS\system32\..\sjkemx.iqd" or "C:\WINDOWS\system32\..\kvlhurx.niq" or "c:\docume~1\%username%\LOCALS~1\Temp\..\herlppj.sna" - note the reference named ".." which actually refers to "go up two levels". To find the file itself, easiest way is via Windows search. If it comes back immediately after you have removed it, you can use the "Hijackthis - Delete on reboot" option, or any other tool that is able to delete files on reboot.

In case you can't launch regedit (crashes when you launch it), rename regedit and try again.

If you're unsure, don't delete anything, but ask help instead.

To receive help to remove the infection or similar infections, register at one of the forums present on the right, or register at my personal forum here. It's a Dutch forum but I also give English support.


Posted by miekiemoes on 7:44 PM


Enjoy!

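The pasted blog post gives enough detail to script the check it describes: the loading point is the `aux*` values under `HKLM\software\microsoft\windows nt\currentversion\drivers32`, the legitimate values the author has seen are `wdmaud.drv`, `mmdrv.dll` and `ctwdm32.dll`, and the newer variant uses a random file name reached through a `..` path component. The following is an added example, not the blog author's or anyone in this thread's code. The dictionary of value names is a constructed sample of that key; on Windows the `read_drivers32` function reads the real key with the standard-library `winreg` module (an assumption on my part that this is how you would collect the values, not something the post specifies). It only reports; the post's own advice about not deleting the legitimate `aux` value or the real `drivers\sysaudio.sys` stands.

```python
import sys

DRIVERS32_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"

# Legitimate "aux" handlers named in the post (the author notes there may be more).
KNOWN_GOOD_AUX = {"wdmaud.drv", "mmdrv.dll", "ctwdm32.dll"}

# Constructed sample of the key's values: a clean "aux" entry, the sysaudio.sys
# variant, and a random-name variant using the ".." path trick from UPDATE2.
SAMPLE_DRIVERS32 = {
    "midimapper": "midimap.dll",
    "wavemapper": "msacm32.drv",
    "aux": "wdmaud.drv",
    "aux2": "sysaudio.sys",
    "aux3": r"C:\WINDOWS\system32\..\sjkemx.iqd",
    "msacm.imaadpcm": "imaadp32.acm",
}


def is_aux_value(name):
    """Only the aux, aux1, aux2, ... values are the loading point described."""
    return name.lower().startswith("aux")


def classify_aux(value):
    """Return a reason string if a Drivers32 'aux*' value matches the post's
    description of the hijacker, or None if it is a known-good handler."""
    low = value.strip().strip('"').lower()
    if low in KNOWN_GOOD_AUX:
        return None
    if "\\..\\" in low or low.startswith("..\\"):
        return "path contains '..' (random-name variant from UPDATE2)"
    if low.endswith("sysaudio.sys") or low.endswith("wdmaud.sys"):
        return "driver-style name used as an aux handler (fake sysaudio.sys / wdmaud.sys variant)"
    if "\\" in low or "/" in low:
        return "full path instead of a bare driver name"
    return "not in the known-good list; verify before touching it"


def suspicious_aux_values(values):
    """values: dict of value-name -> value-data as read from Drivers32.
    Returns (name, data, reason) for every aux* value that is not known-good."""
    flagged = []
    for name, data in values.items():
        if not is_aux_value(name):
            continue
        reason = classify_aux(data)
        if reason is not None:
            flagged.append((name, data, reason))
    return flagged


def read_drivers32():
    """Read the live key on Windows via winreg; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DRIVERS32_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    live = read_drivers32()
    source = live if live is not None else SAMPLE_DRIVERS32
    for name, data, reason in suspicious_aux_values(source):
        print(f"{name} = {data!r}: {reason}")
```

Because the post says regedit itself may crash on an infected box, a small script like this (or the same key read from a live-CD-mounted hive) is a way to inspect the value without opening the editor; the match is on the naming patterns the post gives, so an entry flagged as "not in the known-good list" still needs a human look before anything is removed.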


It is impossible to determine if a compromised windows install is no longer compromised. No amount of argument or personal attacks will change this fact.

