
Solved: Redirects, constantly kicked off/on internet, and router hacked?

Discussion in 'Malware and Virus Removal Archive' started by ohsogirly, 2009/06/01.

  1. 2009/06/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Very good :)

    Uninstall Combofix:

    Go Start > Run
    Type in:
    combofix /u
    Note the space between the "combofix" and the "/u"
    Restart computer.

    ============================================================

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Vista users: Right-click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    ==============================================================

    Open Notepad. Copy and paste the following text into it:

    Save it as fix.reg to a known location.

    Right click on fix.reg, click Merge.

    Allow registry merge.

    Restart computer.

    Post fresh HJT log.
     
  2. 2009/06/03
    ohsogirly

    ohsogirly Inactive Thread Starter

    Joined:
    2009/05/31
    Messages:
    16
    Likes Received:
    0
    Hi Broni,
    Here's the SystemLook scan. I'm not sure if I told you that I can't access Help & Support either. Didn't know if you wanted me to have SystemLook try and find that too. (I didn't do anything)

    I'm doing the other part of the last post from you right now.

    SystemLook v1.0 by jpshortstuff (22.05.09)
    Log created at 18:12 on 03/06/2009 by Mary Garcia (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "msconfig.exe"
    No files found.

    -=End Of File=-
     


  4. 2009/06/03
    broni

    broni Moderator Malware Analyst

    I can see that you got msconfig.exe from somewhere and placed it in c:\program files. Move it to C:\Windows\System32, and it should work.

    As for Help & Support check here: http://windowsxp.mvps.org/startmenuhelp.htm
     
  5. 2009/06/03
    ohsogirly

    ohsogirly Inactive Thread Starter

    Here's the Hijack


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:29:57 PM, on 6/3/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - (no file)
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
    O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} (Pure Networks Security Scan) - http://scan.networkmagic.com/nmscan/download/WebDiag.4.5.8056.1-ship-WD.V1.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{58571CEB-F283-493C-92C3-4D59C728B04C}: NameServer = 68.190.192.35,66.214.48.27
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

    --
    End of file - 3310 bytes
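An added example, not code from this thread, from HijackThis or from Trend Micro, that pulls out of a log like the one above the three sections a "redirects / hacked router" complaint turns on: O17, which is where a changed per-interface DNS server shows up; O2 entries that still register a CLSID with no file behind it; and O10 Winsock LSP entries. SAMPLE_LOG is a constructed excerpt of the log posted above, and EXPECTED_RESOLVERS is an assumption standing in for the DNS servers the ISP or router is actually known to hand out. The log alone cannot say whether 68.190.192.35 and 66.214.48.27 are legitimate, only whether they match what you expect, so the check is written as a comparison against that list.

```python
"""Triage the HijackThis sections relevant to a redirect / DNS complaint.

Added example for this thread, not the forum's, HijackThis' or Trend
Micro's code.  SAMPLE_LOG is a constructed excerpt of the posted log;
EXPECTED_RESOLVERS is an assumption (the router's LAN address here) and
must be replaced with whatever the ISP or router really hands out.
"""
import re

SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{58571CEB-F283-493C-92C3-4D59C728B04C}: NameServer = 68.190.192.35,66.214.48.27
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""

# Assumption: the only resolver this LAN should see is the router itself.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# One HJT entry per line: "<section> - <body>", e.g. "O17 - HKLM\...".
LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O2 body: "BHO: <name> - {CLSID} - <path or (no file)>"
BHO = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# O17 body ends in "NameServer = ip[,ip...]"
NAMESERVER = re.compile(r"NameServer = (?P<servers>[\d.,]+)")
IPV4 = re.compile(r"^(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}$")


def parse_hjt(text):
    """Return [(section, body), ...] for every HJT entry line, skipping headers."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            entries.append((m["section"], m["body"]))
    return entries


def triage(text, expected_resolvers):
    """Collect the DNS, orphaned-BHO and LSP facts a reviewer wants from the log."""
    result = {"nameservers": [], "unexpected_nameservers": [],
              "orphaned_bhos": [], "lsp_entries": []}
    for section, body in parse_hjt(text):
        if section == "O17":
            m = NAMESERVER.search(body)
            if not m:
                continue
            for ip in (s.strip() for s in m["servers"].split(",")):
                if IPV4.match(ip):
                    result["nameservers"].append(ip)
                    if ip not in expected_resolvers:
                        result["unexpected_nameservers"].append(ip)
        elif section == "O2":
            m = BHO.match(body)
            # A CLSID still registered under Browser Helper Objects but with
            # no DLL on disk is a leftover registration, not a running BHO.
            if m and m["path"].strip() == "(no file)":
                result["orphaned_bhos"].append(m["clsid"])
        elif section == "O10":
            # Winsock LSPs sit in the network path of every process; list
            # them so the file can be checked (publisher, signature) by hand.
            _, _, path = body.partition("LSP:")
            result["lsp_entries"].append(path.strip())
    return result


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG, EXPECTED_RESOLVERS).items():
        print(f"{key}: {items or '-'}")
```

Run it as a script, or call triage() on a saved hijackthis.log with your own resolver list. An O17 resolver you did not expect is worth checking against the router's own DHCP/DNS settings before concluding the PC is at fault, since a changed router setting produces exactly this picture on every machine behind it; an orphaned O2 entry only needs cleaning up.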
     
  6. 2009/06/03
    broni

    broni Moderator Malware Analyst

    OK. I'm not gonna worry about those four O2 entries, since they are all legit. They belong to Yahoo, Kaspersky, Adobe Acrobat, and Java.
    They must be getting recreated. No biggie here.

    Malware-wise speaking.....


    Your computer is clean :)

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart the computer.

    2. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    3. Restart computer.

    4. Turn System Restore on.

    5. Make sure, Windows Updates are current.

    6. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    7. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Let me know, how is your computer doing.
     
  7. 2009/06/03
    broni

    broni Moderator Malware Analyst

    I think I found the solution to the O2 (BHO) entries.
    Kaspersky uses Registry Guard, which prevents any registry changes.
    To turn it off...
    Open Kaspersky, click Settings, Proactive Defense and untick "Registry Guard".
     
  8. 2009/06/03
    ohsogirly

    ohsogirly Inactive Thread Starter

    Do you have any idea why i'd have soooo many errors in Event Viewer for Security? They're like every single second.


    6/3/2009 7:37:52 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE INSPIRON "Special privileges assigned to new logon:
    User Name: NETWORK SERVICE
    Domain: NT AUTHORITY
    Logon ID: (0x0,0x3E4)
    Privileges: SeAuditPrivilege
    SeAssignPrimaryTokenPrivilege
    SeDebugPrivilege
    SeChangeNotifyPrivilege "
    6/3/2009 7:37:52 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE INSPIRON "Successful Logon:
    User Name: NETWORK SERVICE
    Domain: NT AUTHORITY
    Logon ID: (0x0,0x3E4)
    Logon Type: 5
    Logon Process: Advapi
    Authentication Package: Negotiate
    Workstation Name:
    Logon GUID: - "
    6/3/2009 7:37:12 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE INSPIRON "Special privileges assigned to new logon:
    User Name: NETWORK SERVICE
    Domain: NT AUTHORITY
    Logon ID: (0x0,0x3E4)
    Privileges: SeAuditPrivilege
    SeAssignPrimaryTokenPrivilege
    SeDebugPrivilege
    SeChangeNotifyPrivilege "
    6/3/2009 7:37:12 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE INSPIRON "Successful Logon:
    User Name: NETWORK SERVICE
    Domain: NT AUTHORITY
    Logon ID: (0x0,0x3E4)
    Logon Type: 5
    Logon Process: Advapi
    Authentication Package: Negotiate
    Workstation Name:
    Logon GUID: - "
    6/3/2009 7:37:07 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE INSPIRON "Special privileges assigned to new logon:
    User Name: NETWORK SERVICE
    Domain: NT AUTHORITY
    Logon ID: (0x0,0x3E4)
    Privileges: SeAuditPrivilege
    SeAssignPrimaryTokenPrivilege
    SeDebugPrivilege
    SeChangeNotifyPrivilege "
    6/3/2009 7:37:07 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE INSPIRON "Successful Logon:
    User Name: NETWORK SERVICE
    Domain: NT AUTHORITY
    Logon ID: (0x0,0x3E4)
    Logon Type: 5
    Logon Process: Advapi
    Authentication Package: Negotiate
    Workstation Name:
    Logon GUID: - "
    6/3/2009 7:37:05 PM Security Success Audit Policy Change 858 NT AUTHORITY\SYSTEM INSPIRON Windows Firewall group policy settings have been applied.
    6/3/2009 7:37:04 PM Security Success Audit Policy Change 850 NT AUTHORITY\SYSTEM INSPIRON A port was listed as an exception when the Windows Firewall started.

    Policy origin: Local Policy
    Profile used: Standard
    Interface: All interfaces
    Name: Remote Desktop
    Port number: 3389
    Protocol: TCP
    State: Disabled
    Scope: All subnets
    6/3/2009 7:37:04 PM Security Success Audit Policy Change 850 NT AUTHORITY\SYSTEM INSPIRON A port was listed as an exception when the Windows Firewall started.

    Policy origin: Local Policy
    Profile used: Standard
    Interface: All interfaces
    Name: UPnP Framework over TCP
    Port number: 2869
    Protocol: TCP
    State: Enabled
    Scope: Local subnet only
    6/3/2009 7:37:04 PM Security Success Audit Policy Change 850 NT AUTHORITY\SYSTEM INSPIRON A port was listed as an exception when the Windows Firewall started.

    Policy origin: Local Policy
    Profile used: Standard
    Interface: All interfaces
    Name: SSDP Component of UPnP Framework
    Port number: 1900
    Protocol: UDP
    State: Enabled
    Scope: Local subnet only
    6/3/2009 7:37:04 PM Security Success Audit Policy Change 850 NT AUTHORITY\SYSTEM INSPIRON A port was listed as an exception when the Windows Firewall started.

    Policy origin: Local Policy
    Profile used: Standard
    Interface: All interfaces
    Name: SMB over TCP
    Port number: 445
    Protocol: TCP
    State: Enabled
    Scope: Local subnet only
    6/3/2009 7:37:04 PM Security Success Audit Policy Change 850 NT AUTHORITY\SYSTEM INSPIRON A port was listed as an exception when the Windows Firewall started.

    Policy origin: Local Policy
    Profile used: Standard
    Interface: All interfaces
    Name: NetBIOS Session Service
    Port number: 139
    Protocol: TCP
    State: Enabled
    Scope: Local subnet only
    6/3/2009 7:37:04 PM Security Success Audit Policy Change 850 NT AUTHORITY\SYSTEM INSPIRON A port was listed as an exception when the Windows Firewall started.

    Policy origin: Local Policy
    Profile used: Standard
    Interface: All interfaces
    Name: NetBIOS Datagram Service
    Port number: 138
    Protocol: UDP
    State: Enabled
    Scope: Local subnet only
    6/3/2009 7:37:04 PM Security Success Audit Policy Change 850 NT AUTHORITY\SYSTEM INSPIRON A port was listed as an exception when the Windows Firewall started.

    Policy origin: Local Policy
    Profile used: Standard
    Interface: All interfaces
    Name: NetBIOS Name Service
    Port number: 137
    Protocol: UDP
    State: Enabled
    Scope: Local subnet only
    6/3/2009 7:37:04 PM Security Success Audit Policy Change 850 NT AUTHORITY\SYSTEM INSPIRON A port was listed as an exception when the Windows Firewall started.

    Policy origin: Local Policy
    Profile used: Standard
    Interface: All interfaces
    Name: DHCP Discovery Service
    Port number: 67
    Protocol: UDP
    State: Enabled
    Scope: All subnets
    6/3/2009 7:37:04 PM Security Success Audit Policy Change 849 NT AUTHORITY\SYSTEM INSPIRON An application was listed as an exception when the Windows Firewall started.

    Policy origin: Local Policy
    Profile used: Standard
    Name: Remote Assistance
    Path: %windir%\system32\sessmgr.exe
    State: Enabled
    Scope: All subnets
    6/3/2009 7:37:04 PM Security Success Audit Policy Change 848 NT AUTHORITY\SYSTEM INSPIRON The following policy was active when the Windows Firewall started.

    Group Policy applied: Yes
    Profile used: Standard
    Interface: All interfaces
    Operational mode: On
    Services:
    File and Printer Sharing: Enabled
    Remote Desktop: Disabled
    UPnP Framework: Enabled
    Allow remote administration: Disabled
    Allow unicast responses to multicast/broadcast traffic: Disabled
    Security Logging:
    Log dropped packets: Disabled
    Log successful connections Disabled
    ICMP:
    Allow incoming echo request: Enabled
    Allow incoming timestamp request: Disabled
    Allow incoming mask request: Disabled
    Allow incoming router request: Disabled
    Allow outgoing destination unreachable: Disabled
    Allow outgoing source quench: Disabled
    Allow outgoing parameter problem: Disabled
    Allow outgoing time exceeded: Disabled
    Allow redirect: Disabled
    Allow outgoing packet too big: Disabled
    6/3/2009 7:37:03 PM Security Success Audit System Event 515 NT AUTHORITY\SYSTEM INSPIRON "A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
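An added example, not code from this thread or from Microsoft, that reads a Security-log text export in the format pasted above and answers the question actually being asked: how many of each event ID there are, which accounts are logging on and with which logon type (type 5 is a service logon, which is why NETWORK SERVICE appears over and over; 528 and 576 are Success Audit records, not errors), and which firewall exceptions (events 849 and 850) were enabled for all subnets rather than only the local one when the firewall started. SAMPLE_EXPORT is a constructed excerpt modelled on the records above, and the header pattern assumes the NT AUTHORITY built-in accounts those records use.

```python
"""Summarise a Windows XP Security-log text export.

Added example for this thread, not the forum's or Microsoft's code.
SAMPLE_EXPORT is a constructed excerpt modelled on the posted records;
HEADER assumes the NT AUTHORITY built-in accounts seen in them (domain
and user names containing a space would otherwise need their own rule).
"""
import re
from collections import Counter

SAMPLE_EXPORT = r"""6/3/2009 7:37:52 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE INSPIRON "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Logon GUID: - "
6/3/2009 7:37:52 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE INSPIRON "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Privileges: SeAuditPrivilege
SeDebugPrivilege "
6/3/2009 7:37:04 PM Security Success Audit Policy Change 850 NT AUTHORITY\SYSTEM INSPIRON A port was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Name: Remote Desktop
Port number: 3389
Protocol: TCP
State: Disabled
Scope: All subnets
6/3/2009 7:37:04 PM Security Success Audit Policy Change 850 NT AUTHORITY\SYSTEM INSPIRON A port was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Name: DHCP Discovery Service
Port number: 67
Protocol: UDP
State: Enabled
Scope: All subnets
6/3/2009 7:37:04 PM Security Success Audit Policy Change 849 NT AUTHORITY\SYSTEM INSPIRON An application was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Name: Remote Assistance
Path: %windir%\system32\sessmgr.exe
State: Enabled
Scope: All subnets
"""

# A record starts with "<date> <time> Security <Success|Failure> Audit <category> <id> <user> <host> <text>".
HEADER = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) Security "
    r"(?P<result>Success Audit|Failure Audit) (?P<category>.+?) (?P<eid>\d{3,5}) "
    r"(?P<user>(?:NT AUTHORITY|\S+)\\(?:NETWORK SERVICE|LOCAL SERVICE|\S+)) "
    r"(?P<computer>\S+) ?(?P<message>.*)$"
)


def parse_export(text):
    """Split the export into records; 'Key: Value' body lines become fields."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ev = m.groupdict()
            ev["eid"] = int(ev["eid"])
            ev["fields"] = {}
            events.append(ev)
        elif events and line.strip():
            key, sep, value = line.partition(":")
            if sep:  # lines without a colon (privilege continuations) are ignored
                events[-1]["fields"][key.strip()] = value.strip().strip('"').strip()
    return events


def count_by_id(events):
    return Counter(ev["eid"] for ev in events)


def logon_summary(events):
    """Successful logons (528) by account and logon type; type 5 is a service."""
    return Counter((ev["user"], ev["fields"].get("Logon Type", "?"))
                   for ev in events if ev["eid"] == 528)


def firewall_exposures(events):
    """849/850 exceptions that were Enabled and scoped to every subnet."""
    out = []
    for ev in events:
        f = ev["fields"]
        if ev["eid"] not in (849, 850):
            continue
        if f.get("State") != "Enabled" or f.get("Scope") != "All subnets":
            continue
        target = f.get("Path") if ev["eid"] == 849 else f"{f.get('Port number')}/{f.get('Protocol')}"
        out.append((f.get("Name"), target))
    return out


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    print("events by ID:", dict(count_by_id(evs)))
    print("logons by (account, type):", dict(logon_summary(evs)))
    for name, target in firewall_exposures(evs):
        print(f"open to all subnets: {name} ({target})")
```

Point it at a file saved from Event Viewer with Save Log File As... (text). Of the exceptions in the posted records, the one worth a second look is Remote Assistance (sessmgr.exe) enabled for all subnets; DHCP discovery on 67/UDP is normal, and Remote Desktop is listed but disabled.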
     
  9. 2009/06/03
    broni

    broni Moderator Malware Analyst

    Rule of thumb: leave Event Viewer alone, unless you're troubleshooting some problem.
    Believe me, every computer has hundreds of them.
     
  10. 2009/06/03
    ohsogirly

    ohsogirly Inactive Thread Starter

    :):eek:;):) Broni......You're the best!!! :):eek:;):)

    Ok, thank you for all of your help.

    Last question.....Can you tell me what I had? You mentioned you're always amazed what GMER finds when everything else is showing clean. What'd GMER show you?

    Again, thank you for all of your help.

    Re: Event Viewer, that's where my problem lies as far as being kicked on/off the internet. I have a lot of Tcpip, Tcpip6, and DHCP entries back to back.
     
  11. 2009/06/03
    broni

    broni Moderator Malware Analyst

    You're very welcome :)
    I was actually referring to Combofix, not GMER.
    There were quite a few trojans present.

    As for your internet problems, I propose you start a new thread in the appropriate section.
    This forum is strictly for malware removal, and only a very limited number of people are allowed to post here. You'll get more attention somewhere else.

    I'll mark this topic as resolved.
     
