Most links redirecting to ads

Sunyavadin

So, this problem appeared a few days ago - firstly windows started alerting me that an application I didn't recognise was crashing every 5 minutes. A quick check and it turned out to be a (Pretty poorly coded if you ask me) trojan which kept crashing. MBAM swiftly removed it, however I've noticed that since then links keep redirecting me to ad sites and sometimes a new tab will just show up (Every site they've so far redirected to has either already been in, or I've immediately added the domain to my adblock definitions).

My browser is Firefox (3.6.15) I reinstalled the latest version and the problem remains.

I've checked my extensions for known advertising bots, but no sign of any. The only ones in there are my standard ones I personally installed, like adblock.

So far I've done full system scans with the following tools:

MBAM
AVG
Spybot S&D
Microsoft Malicious software remover

All are fully updated to the latest version, all say my system is 100% clean.

I checked the HjT log myself but couldn't find any entries normally associated with this problem, anyone else care to see what I may have missed?

(As a side note, when I removed the trojan, my system restore history was deleted as an added precaution - which led to my woes yesterday with an infinite loop of bluescreens, caused by the kernel not liking something zonealarm had left behind when it was uninstalled)

Code:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 08:44:05, on 18/03/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal
 
Running processes:
C:\Program Files (x86)\Ray Adams\ATI Tray Tools\atitray.exe (Before you say anything - I need this to make my second monitor visible. It's too dark without the individual gamma boost this allows me to implement)
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
C:\Program Files (x86)\AVG\AVG10\avgtray.exe
C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
C:\Program Files (x86)\DisplayFusion\DisplayFusionHookx86.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\Program Files (x86)\Online Armor\OAhlp.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
O4 - HKCU\..\Run: [DisplayFusion] "C:\Program Files (x86)\DisplayFusion\DisplayFusion.exe"
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files (x86)\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Washu\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: desktop (1).ini
O10 - Unknown file in Winsock LSP: c:\windows\system32\msible.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A64CC60-EF60-4539-87A6-9125570B5318}: NameServer = 194.168.4.100,194.168.8.100
O18 - Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter hijack: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files (x86)\Online Armor\OAcat.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files (x86)\Online Armor\oasrv.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Users\Washu\Desktop\stuffses\00_ayria-flicker-2005-back-fwyh.jpg
O24 - Desktop Component 1: (no name) - C:\Users\Washu\Desktop\stuffses\00_ayria-flicker-2005-front-fwyh.jpg
 
--
End of file - 7661 bytes
 

My Computer

At a glance

OS
Windows 7 Pro
CPU
Phenom II x2 550 3.1GHz
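An added example, not code from this thread or from HijackThis: a short Python triage of a HijackThis log. It flags the entry types that turn out to matter in a case like this one, an unknown Winsock LSP in O10 (an LSP is loaded into every Winsock application, which is why all browsers are hit at once), DNS servers in O17 that are not the expected resolvers, and O4 autostart binaries living outside Program Files or Windows, and it downgrades the O23 "(file missing)" services, which a 32-bit HijackThis reports on 64-bit Windows because of WOW64 path redirection. The expected resolver set is taken from the O17 line above; the trusted-directory list is an assumption, and the sample log is constructed from entry types in the log above.

```python
"""Triage of HijackThis (HJT) log lines.

Added example; this is not code from the forum thread or from HijackThis.
It scans the line types that mattered in the thread: O10 (Winsock LSP),
O17 (TCP/IP NameServer), O4 (autostart entries) and O23 (services).
"""
import re
from collections import Counter
from typing import Dict, List

# Resolvers the poster expects (Virgin Media, from the thread's O17 line); others are suspect.
EXPECTED_DNS = {"194.168.4.100", "194.168.8.100"}

# Locations where a legitimate autostart binary is normally installed (assumed allow-list).
TRUSTED_DIRS = (
    r"c:\program files",
    r"c:\program files (x86)",
    r"c:\windows",
    r"%programfiles%",
    r"%systemroot%",
)

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<rest>.*)$")
# Executable after the "[name]" tag: either a quoted path or an unquoted path ending in .exe
O4_PATH_RE = re.compile(r'\]\s+(?:"(?P<q>[^"]+)"|(?P<u>.+?\.exe))', re.IGNORECASE)
O17_RE = re.compile(r"NameServer\s*=\s*(?P<servers>.+)$", re.IGNORECASE)


def _finding(kind: str, severity: str, line: str, reason: str) -> Dict[str, str]:
    return {"kind": kind, "severity": severity, "line": line, "reason": reason}


def triage_hjt(log: str) -> List[Dict[str, str]]:
    """Return one finding per HJT line that deserves a closer look, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list, blank lines
        kind, rest = m.group("kind"), m.group("rest")

        if kind == "O10" and "unknown file" in rest.lower():
            # An LSP sits inside every process that uses Winsock, so it affects all browsers at once.
            findings.append(_finding(kind, "high", line,
                                     "unknown Winsock LSP module; intercepts traffic of every application"))

        elif kind == "O17":
            m17 = O17_RE.search(rest)
            servers = [s.strip() for s in m17.group("servers").split(",")] if m17 else []
            unexpected = [s for s in servers if s not in EXPECTED_DNS]
            if unexpected:
                findings.append(_finding(kind, "high", line,
                                         "DNS server(s) not in the expected set: " + ", ".join(unexpected)))

        elif kind == "O4":
            m4 = O4_PATH_RE.search(rest)
            if not m4:
                findings.append(_finding(kind, "low", line, "could not parse an executable path; check by hand"))
                continue
            path = (m4.group("q") or m4.group("u")).strip().lower()
            if not path.startswith(TRUSTED_DIRS):
                findings.append(_finding(kind, "medium", line,
                                         "autostart binary outside Program Files / Windows (often a user profile)"))

        elif kind == "O23" and "(file missing)" in rest:
            # 32-bit HJT under WOW64 on 64-bit Windows sees the redirected system32; verify, don't panic.
            findings.append(_finding(kind, "info", line,
                                     "service binary reported missing; on x64 this is usually WOW64 redirection"))
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per severity."""
    return dict(Counter(f["severity"] for f in findings))


# Constructed sample made of entry types that appear in the thread's log.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r
O4 - HKCU\..\Run: [Google Update] "C:\Users\Washu\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O10 - Unknown file in Winsock LSP: c:\windows\system32\msible.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A64CC60-EF60-4539-87A6-9125570B5318}: NameServer = 194.168.4.100,194.168.8.100
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['kind']}: {f['reason']}\n         {f['line']}")
    print(summarize(triage_hjt(SAMPLE_LOG)))
```

Run against the sample it reports the O10 LSP as high, the Google Update entry under a user profile as medium (worth a look, not necessarily bad) and the ALG service as info only. The O4 allow-list is deliberately coarse: the point is to surface entries a human should verify, not to decide for them.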
I suspect DNS poisoning. Sounds bad but easy to fix. First fix your hosts file %SystemRoot%\system32\drivers\etc\ and then check your Control Panel\Network and Internet\Network Connections looking for numeric IP addresses rather than automatic addresses.
 

My Computer

At a glance

Computer type
Laptop
Computer Manufacturer/Model Number
Apple
OS
El Capitan / Windows 10
CPU
i7-4980HQ
Memory
16GB
Graphics Card(s)
Iris 5200
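As an added example (not from the thread): a Python check of the hosts file the reply above points at, %SystemRoot%\system32\drivers\etc\hosts. It parses the file the way the resolver reads it, ignoring comments, and reports every active mapping beyond the loopback defaults: a name pinned to a fixed address (which wins over DNS and sends the user wherever the entry says) or a name sinkholed to 127.0.0.1 / 0.0.0.0 (which blocks it, a trick used against security vendors' update sites). The hosts text in the block is constructed; its two non-default lines use reserved documentation addresses and .invalid names.

```python
r"""Check a Windows hosts file for entries that hijack name resolution.

Added example; not code from the thread. Reads the text of
%SystemRoot%\system32\drivers\etc\hosts and reports every active mapping
that is not one of the loopback defaults.
"""
import ipaddress
from typing import List, Tuple

# The only name the default Windows hosts file is expected to resolve itself.
DEFAULT_NAMES = {"localhost"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs for every active mapping, comments stripped."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:  # one line may map several names to one address
            pairs.append((address, name.lower()))
    return pairs


def suspicious_entries(text: str) -> List[Tuple[str, str, str]]:
    """Active mappings other than '127.0.0.1 localhost' / '::1 localhost', with a reason each."""
    out: List[Tuple[str, str, str]] = []
    for address, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            out.append((address, name, "malformed address"))
            continue
        if addr.is_loopback and name in DEFAULT_NAMES:
            continue  # expected default
        if addr.is_loopback or addr.is_unspecified:
            # Pointing a name at 127.0.0.1 / 0.0.0.0 blocks it; used against AV update sites.
            out.append((address, name, "name sinkholed to loopback/unspecified address"))
        else:
            # A fixed address wins over DNS, so the user lands on whatever host the entry names.
            out.append((address, name, "name pinned to a fixed address, bypassing DNS"))
    return out


# Constructed sample: the Windows 7 defaults plus two injected lines of the kind an infection adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.example-bank.invalid    # constructed: pinned to an attacker-chosen address
0.0.0.0         update.example-av.invalid   # constructed: security updates sinkholed
"""

if __name__ == "__main__":
    for address, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{address:<16} {name:<28} {reason}")
```

A clean hosts file yields an empty list; on a real machine, read the file with its hidden/system attributes in mind (the thread's later batch script uses attrib for that) and feed its text to suspicious_entries.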
Hosts file was one of the first things I checked. Only the clean defaults for IPv4 and IPv6 are there. As for my IP configuration - for the LAN connection it's still set to the manual IP settings I set up for my network, for the internet one it's still on automatic, with my DNS set to Virgin's one (194.168.4.100).

Sorry, should have mentioned this in my original post. Only remembered to on my way to university. (Currently sitting in the reception on my laptop so any new suggestions will have to wait until I finish digesting this DNA and checking it for the gene I inserted)
 

Hosts file was one of the first things I checked. Only the clean defaults for ipv4 and ipv6 are there. As for my ip configuration - it's still set to the manual ip and DNS settings I set up for my network.

Manual? Which DNS host are you using? They change policies frequently...

If you are using IE, I suggest you open Start and type "in op" for Internet Options, click the Advanced tab and reset all.
 

Odd, you didn't see my edit clarifying it even though it was 10 minutes before you posted your reply? (That said, I have auto reload every 5 mins enabled on Firefox here and your response only just popped up - might be the fault of the choppy network I have here at Uni) - My LAN settings are all manual IP (192.168.0.1, obviously), my net settings have manual DNS, and automatic IP.

As for your second question - No, I only use Microsoft Firefox Download Tool once, when I first install Windows. :P
 

Set your DNS servers to OpenDNS. There are 4 addresses to choose from, listed below:

208.67.220.220
208.67.222.222
208.67.220.222
208.67.222.220
 

My Computer

At a glance

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Dwarf Dwf/11/2012 r09/2013
OS
Windows 8.1 Pro RTM x64
CPU
Intel Core-i5-3570K 4-core @ 3.4GHz (Ivy Bridge) (OC 4.4GHz)
Motherboard
ASRock Z77 Extreme4-M
Memory
4 x 4GB DDR3-1600 Corsair Vengeance CMZ8GX3M2A1600C9B (16GB)
Graphics Card(s)
MSI GeForce GTX770 Gaming OC 2GB
Sound Card
Realtek High Definition on board solution (ALC 898)
Monitor(s) Displays
ViewSonic VA1912w Widescreen (VGA)
Screen Resolution
1440x900
Hard Drives
OCZ Agility 3 SSD 120GB SATA III x2 (RAID 0)
Samsung HD501LJ 500GB SATA II x2
Hitachi HDS721010CLA332 1TB SATA II
Iomega 1.5TB Ext USB 2.0
WD 2.0TB Ext USB 3.0
PSU
XFX Pro Series 850W Semi-Modular
Case
Gigabyte IF233
Cooling
1 x 120mm Front Inlet 1 x 120mm Rear Exhaust
Keyboard
Microsoft Comfort Curve Keyboard 3000 (USB)
Mouse
Microsoft Comfort Mouse 3000 for Business (USB)
Internet Speed
NetGear DG834Gv3 ADSL Modem/Router (Ethernet) ~4.0 Mb/s (O2)
Antivirus
Avast! 8.0.1497
Browser
IE 11
Other Info
Optical Drive: HL-DT-ST BD-RE BH10LS30 SATA Bluray
Lexmark S305 Printer/Scanner/Copier (USB)
WEI Score: 8.1/8.1/8.5/8.5/8.25
Asus Eee PC 1011PX Netbook (Windows 7 x86 Starter)
What? Virgin's DNS might be what's hijacked?
Well, as soon as I get home I'll try those ones out, see if we can rule out that, and let you know what happens.

For now I have an agarose gel to run, so I expect to be done by 2pm.

*Edit* Actually I can rule that out already, since every other system on my network has exactly the same DNS settings. And they are all fine.
 

If you're using Virgin Media's DNS I would highly recommend changing to OpenDNS anyway. Virgin's DNS servers are ridiculously slow. You will see a massive improvement in response times.

Have you tried a different browser? I saw a similar case to this recently where only IE was infected, I installed FF, and that allowed me to track down the problem much quicker.

It will at least tell us whether you have a widespread problem, or whether it's more easily fixed.
 

My Computer

At a glance

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Medion Erazer (note to self: insert model number) - with custom additions
OS
Windows 10 Pro x64
CPU
Intel Core i5 7400 @ 3.00GHz
Motherboard
OEM supplied with PC
Memory
8GB 2133Mhz DDR4 (OEM supplied)
Graphics Card(s)
Gigabyte Windforce GTX 1050Ti (Factory Overclocked)
Sound Card
Realtek
Monitor(s) Displays
Acer Al1980 + HKC
Screen Resolution
1360*768(HKC) / 1280*1024(Acer)
Hard Drives
1TB Toshiba
1TB WD Caviar Green
120GB Samsung Evo 840
PSU
OEM supplied (no power rating on case)
Case
OEM Supplied
Cooling
Stock
Keyboard
Logitech Wireless
Mouse
Logitech Wireless
Internet Speed
40Mb/s Down 10Mb/s Up
Antivirus
Defender
Browser
Firefox
I've confirmed FF, IE and Chrome are all affected, confirming a more systemic problem.
And yeah, I'll make that DNS switch ASAP.
 

Gah. Now it's doing it every time one of the pages on this forum finishes loading.

Also that OpenDNS crap can go to hell. Slower than my regular DNS (as compared using DNS Benchmark) and takes me to some stupid OpenDNS search for the website every time I type any incomplete URL in. Not switching to something like that. I switched to Firefox with Google as my default fallback search back in the day to stop IE giving me that sort of pointless bollocks.

ANYWAY, distractions aside - conclusions so far are:

It's not a hijack of my hosts file.
It's not something any of my anti-malware software can find.
It's not a rogue Firefox extension.
It's something affecting all my browsing as a whole, not individual browsers.
It's not a hijack of my DNS settings.

*EDIT*

UPDATE! Okay, beginning to suspect whatever it is is using Java, since it keeps turning itself on. Uninstalling Java temporarily to see if it fixes it.

*Edit 2*

I think I've got it! Another tool has located msible.dll - sounds like my culprit.
 
O10 - Unknown file in Winsock LSP: c:\windows\system32\msible.dll
Troj/Agent-QHC Trojan (Trojan.gen, Trojan.Win32.Agent.hfpw) - Sophos security analysis

Copy and paste these lines into Notepad.

Code:
@Echo on
REM Must be run from an elevated (Administrator) prompt: hosts, netsh and shutdown all need it.
REM Rewrite the hosts file as the single loopback default (hosts is hidden/system/read-only, so clear those first).
pushd %SystemRoot%\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
REM Drop the DHCP lease, take a fresh one and clear the resolver cache.
ipconfig /release
ipconfig /renew
ipconfig /flushdns
REM Rebuild the Winsock catalog (this is what removes an LSP such as the O10 entry) and reset TCP/IP settings.
netsh winsock reset all
netsh int ip reset all
REM Reboot after one second, then delete this script.
shutdown -r -t 1
del %0


Save as flush.bat to your desktop. Right-click it and run as Administrator. Your computer will reboot itself.

Download Combofix from any of the links below, and save it to your desktop. <-- Important
Link 1
Link 2
Link 3

Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
Next: Disconnect from the internet. If you are on Cable or DSL, unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Please be patient while the scan runs, at times it may appear to stall.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.
After rebooting ensure your Security applications have been re-enabled.

In your next reply post:
ComboFix.txt
New HJT log taken after the above scan has run

***A guide and tutorial on "How to use Combofix" can be found here:
A guide and tutorial on using ComboFix
 

My Computer

At a glance

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
The latest AVG update recognised it. Seeing if that does the trick first.

*Edit*
And so far it's picked up PSW.Agent.ALCB, Dropper.Genertic3.AGKF, and PSW.Agent.ALCD.dropper - which is a positive result for the AVG team, when yesterday it found nothing at all!
 
The moment I attempted your fix - I got as far as resetting my IPs and the "DRIVER IRQL NOT LESS THAN OR EQUAL" infinite bluescreen loop returned with a vengeance.

I'm starting to suspect the trojan has replaced or modified my network drivers, and this is how it's able to bypass needing to modify everything else like my hosts file and also what's causing my bluescreens when I boot to regular windows or safe mode with networking enabled.
 

Gah. Once again no infection is detected - but it's STILL redirecting.

Also - it gets worse as the constant bluescreens that started after resetting winsock have now got me stuck in safe mode 100% of the time.

*Edit* Got back into normal mode for about 3 minutes. Long enough to learn that the trojan seems to have gotten wise to my antivirus and disabled it completely. Didn't find out any more since immediately afterward, another bluescreen hit and I'm back in safe mode.
 

After several attempts I've given up on Combofix. Each time I run it I get another IRQL NOT LESS THAN OR EQUAL bluescreen.

Bleepingcomputer threads on this topic suggested I attempt sticking a flash drive with farbar recovery scanner on it in, so while I wait for more suggestions I'll give that a try.
 

Sorry about the OpenDNS. I use them, and have no problem with them. It is very likely that this issue you're currently having is causing the slow response.

What do the following registry locations show (exact spellings, please):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
 

My firewall (@OnlineArmor GUI "C:\Program Files (x86)\Online Armor\oaui.exe"), google updater (Google update "C:\Users\Washu\AppData\Local\Google\Update\GoogleUpdate.exe" /c) (Which always restores the entry every time I update chrome or Google Earth no matter how often I delete it), and my audio manager (which I need to make my onboard sound work) (VIAAUD C:\Program Files (x86)\VIA\VIAudioi\VDeck\VIAAUD.exe.)

So in summary:
One application I installed myself just today while trying to fix my problems, after being led to believe a zonealarm file was causing my crashes.
One application that reinstalls itself every time I install any google software.
One application that came with my motherboard and I need to have sound.


*Edit* And yes, I'll try benchmarking the DNS servers again once my system can manage more than a couple of minutes uptime.
 

PSW.Agent.ALCB <-- this is a password stealer ... I advise you to change all your passwords using a known "clean" computer.

Download RKill to a flash drive, then use it on the infected computer. http://download.bleepingcomputer.com/grinler/beta/rkill.exe
This log file is located at C:\rkill.log.
Please post the log
 
