Browser Hijack problem - For all you I.T bods on here

[Arnold]

Alright guys

I'm an IT techie with a techie problem, so you know i'm having problems with this one!

Got a guy who's PC when he goes onto Google in either firefox or IE, the search results are hijacked, bringing up crap/dodgey URL's in the results instead of the genuine ones. I've tried the following things

• Delete Cookies
• Delete Temp
• Delete Temporary internet files Content.ie5 directory subfolders & contents
• Run Ad-aware
• Run Spybot (Some entries removed - cookies mostly)
• Run CWShredder - nothing found
• Run Regcleaner to remove unwanted registry entries
• Run Hijackthis and removed all dodgey entries - bar one which wont go
• Run MSConfig to remove unneeded startup services & applications.
• Checked System32 for any dodgey exe files & program files for dodgey applications
• Re-installed IE7, Firefox 3 & updates
• System Restore Point - (this failed)

Hijackthis now looks like this

• Logfile of HijackThis v1.99.1
  Scan saved at 11:23:18, on 17/12/08
  Platform: Windows XP SP2 (WinNT 5.01.2600)
  MSIE: Internet Explorer v7.00 (7.00.6000.16762)
  
  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
  C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
  C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
  C:\Program Files\CA\eTrust Antivirus\InoRT.exe
  C:\Program Files\CA\eTrust Antivirus\InoTask.exe
  C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
  C:\WINDOWS\system32\nvsvc32.exe
  C:\Program Files\RealVNC\VNC4\WinVNC4.exe
  C:\WINDOWS\Explorer.EXE
  C:\Program Files\Analog Devices\Core\smax4pnp.exe
  C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
  C:\PROGRA~1\CA\ETRUST~1\realmon.exe
  C:\WINDOWS\system32\ctfmon.exe
  C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
  C:\WINDOWS\system32\wuauclt.exe
  C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
  C:\Program Files\Internet Explorer\IEXPLORE.EXE
  C:\WINDOWS\system32\svchost.exe
  C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
  C:\Program Files\JHACMS5\JHACMS5.exe
  C:\Documents and Settings\jerome\Desktop\HijackThis - Newer.exe
  
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
  R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=3080328
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by John Hall Associates Limited
  O1 - Hosts: 160.43.94.2 fw1.bloomberg.com
  O1 - Hosts: 160.43.94.3 fw2.bloomberg.com
  O1 - Hosts: 160.43.13.10 lftp1.bloomberg.com
  O1 - Hosts: 160.43.13.13 lftp2.bloomberg.com
  O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
  O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
  O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
  O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
  O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
  O11 - Options group: [INTERNATIONAL] International*
  O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = JHAL.local
  O17 - HKLM\Software\..\Telephony: DomainName = JHAL.local
  O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = JHAL.local
  O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - (no file) << CANT REMOVE THIS ONE!!
  O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
  O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Unknown owner - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" -service (file missing)
  O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
  O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
  O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
  O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
  O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
  O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
  O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
  O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
  O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
  

Anyone got any suggestions?

JHACMS5 is the company mailing system so that's not dodgey

Cheers

 

[richj]

its the hosts file doing it

just delete the entry

http://www.bleepingcomputer.com/tutorials/tutorial51.html

 

[Arnold]

Hosts file is downloaded from our domain controller everytime a machine is logged onto the network so it can't be that. I've checked the file and it's fine

 

[richj]

does it happen if you goto http://74.125.45.100/

or http://www.google.fr/search?hl=en&q=google&btnG=Google+Search

 

[James]

One Anti-Malware program i find very good is Malwarebytes Anti-Malware, give it a try -
http://www.malwarebytes.org/mbam.php

It says buy now, but the important bits are free so use the free download!

Direct link:
http://www.download.com/Malwarebyte...4572.html?part=dl-10804572&subj=dl&tag=button

 

[curtis]

Think i had this same prob...

 

[Antony]

i had the same problem, i used xsoft-spy-se.

other than that, i have been told that when a file type has been changed to read in capital letters (eg EXE rather than exe) then it has been altered and is unstable.

might be wrong though. but alot of thos programs i simply dont run at startup. i run with the very basics and then start each on at a time.

your certain that the system32 folder is clean?

 

[curtis]

I can no longer use my pc and im in the process of buying a laptop...

Have you seen that IE scare in the news yet??? ALWAYS USE FIREFOX!!!!!!

 

[Arnold]

Have you seen that IE scare in the news yet??? ALWAYS USE FIREFOX!!!!!!

My problem effects both browsers

your certain that the system32 folder is clean?

Yeah. I sorted icons by date and the most recent thing is genuine. Usually most recent thing would be dodgey, unless it's managed to give itself a historic date and disguised itself, but i'm pretty sure this folder is safe

One Anti-Malware program i find very good is Malwarebytes Anti-Malware, give it a try -
http://www.malwarebytes.org/mbam.php

It says buy now, but the important bits are free so use the free download!

Direct link:
http://www.download.com/Malwarebyte...4572.html?part=dl-10804572&subj=dl&tag=button

Thanks mate, will try that

does it happen if you goto http://74.125.45.100/

or http://www.google.fr/search?hl=en&q=google&btnG=Google+Search

Will try that in a bit, cheers

 

[curtis]

Why not get rid of both browsers ad download google chrome?

 

[Arnold]

Because that's not fixing the problem, and IE is needed for some of our web based systems

 

[curtis]

Right i thought this was just someones home comp...

 

[rlees85]

my advice would be get the user to do a backup and reformat it.... will be 100% sure its clear then and will save you spending hours trying different things lol

 

[Arnold]

Yeah i can rebuild the machine, its just usually my last resort. I like to fix things rather than do the extreme, but i'l try the above things tomorrow and see how i get on

 

[rlees85]

If its IE7 you can disable the add-ons manually. (in internet settings) so you could possibly disable any brower hi-jacks in there...

 

[Adam]

have you tryed onecare from Microsoft

http://onecare.live.com/site/en-gb/default.htm

 

[Arnold]

If its IE7 you can disable the add-ons manually. (in internet settings) so you could possibly disable any brower hi-jacks in there...

The only add on's were Acrobat reader and Java, both safe.

Still yet to carry out the above advice, but i'll do it Monday.

Not tried One Care, but its an MS product trying to fix an MS product! I think i'll pass lol