Browser hijacking persists

Alpha2

I'm not sure when it happened, but my netbook is suffering from a hijacking. I feel like it started when I installed a program (which didn't seem to have any problems and didn't trigger my antivirus at all). I suddenly started getting search bar plug-ins that switched my Google search to Bing and changed my start pages to go.microsoft.com or something; the plug-ins seemed to be from some company called Zugo, and I was able to uninstall this installation in the Control Panel, but after that many of my Google searches seemed to get redirected. I did the usual and scanned for viruses with AVG, downloaded CWShredder and HijackThis, flushed my DNS and cleaned out a few things suggested by one of the automatic HJT log analyzers. I use both Internet Explorer and Firefox, and while Firefox doesn't seem to be suffering anymore, IE still gets redirected occasionally, and it seems some sort of trojan downloader is still triggering my antivirus.


Here's my log file so far:
Code:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:06:24 PM, on 9/19/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal
 
Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
C:\Program Files\Tablet\Pen\Pen_TabletUser.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Oceanis\SystemSetting\WallPaperAgent.exe
C:\Windows\Explorer.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\taskeng.exe
C:\HJT\Trend Micro\HiJackThis\HiJackThis.exe
 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0566.0\msneshellx.dll
O2 - BHO: Windows 7 Starter Helper - {D381FF29-7CFB-4D4E-B92A-C4EDDC696614} - C:\Program Files\Oceanis\SystemSetting\StarterHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [WirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Simplify Media] "C:\Program Files\Hp\HP MediaStream\HPMediaStream.exe" -splash
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_5576240ee6baaa25\aestsrv.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: DeviceVM Meta Data Export Service (DvmMDES) - DeviceVM, Inc. - C:\SPLASH.SYS\config\DVMExportService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_5576240ee6baaa25\STacSV.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Program Files\Tablet\Pen\Pen_Tablet.exe
O23 - Service: Wacom Consumer Touch Service (TouchServicePen) - Wacom Technology, Corp. - C:\Program Files\Tablet\Pen\Pen_TouchService.exe
 
--
End of file - 6960 bytes

I have a feeling I might have even nuked a couple of things that weren't any problem at all trying to find the problem so I'm turning to the experts now.
 

My Computer

Computer Manufacturer/Model Number
HP Mini 210-1010nr
OS
Windows 7 Starter
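As an added example (not from the original post and not part of HijackThis itself), a small Python parser for the log format above: it pulls the section code, CLSID and loaded file out of each entry and lists the sections that govern IE's search behaviour, which are the ones a helper reads first in a search-redirect case. The sample lines are copied from the log above; the section meanings are the standard HijackThis ones, and the keyword list is an assumption based on the names mentioned in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: six entries copied from the HijackThis log in the post above.
SAMPLE_LOG = "\n".join([
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = ",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = ",
    r"O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0566.0\msneshellx.dll",
    r"O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll",
    r"O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe",
    r"O20 - AppInit_DLLs: avgrsstx.dll",
])
SECTION_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")  # "O2 - ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")                   # {GUID}

@dataclass
class Entry:
    section: str          # HJT section code, e.g. "O2"
    body: str             # text after "O2 - "
    clsid: Optional[str]  # COM class id of a BHO/toolbar, if present
    path: Optional[str]   # file the entry loads or runs, if parsed

def parse_hjt(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        m = SECTION_RE.match(raw.strip())
        if not m:
            continue  # log header, "Running processes" lines, blanks
        sec, body = m.group("sec"), m.group("body")
        clsid = CLSID_RE.search(body)
        if sec == "O4" and "] " in body:
            path = body.split("] ", 1)[1]      # O4: "[Name] path args"
        elif " - " in body:
            path = body.rsplit(" - ", 1)[1]    # O2/O3/O23: "... - path"
        else:
            path = None                        # R0/R1 "key = value" lines
        entries.append(Entry(sec, body, clsid.group(0) if clsid else None, path))
    return entries

# Sections that decide what IE searches with and what code it loads: R0/R1
# start/search pages, O2 Browser Helper Objects, O3 toolbars, O20 AppInit_DLLs.
BROWSER_SECTIONS = {"R0", "R1", "O2", "O3", "O20"}
TOOLBAR_WORDS = ("toolbar", "search", "bing", "zugo")  # assumed: names seen in this thread

def triage(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    flagged = []  # entries a helper reads first in a redirect case, with the reason
    for e in entries:
        if e.section in BROWSER_SECTIONS:
            flagged.append((e, f"{e.section} controls browser/search behaviour"))
        elif any(w in e.body.lower() for w in TOOLBAR_WORDS):
            flagged.append((e, "name or path mentions a search toolbar"))
    return flagged
```

Running `triage(parse_hjt(open("hijackthis.log").read()))` over a full log prints nothing by itself; iterate the result and print `e.section`, the reason and `e.path` to get a short review list.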
I noticed in the listing you posted you had the following:

C:\Program Files\OpenOffice.org 3\program\soffice.exe C:\Program Files\OpenOffice.org 3\program\soffice.bin
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0566.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll


When you installed OpenOffice, or Java, or even some of the Adobe products... did you pay attention to the 'extras' windows?

'Cause I know OpenOffice, Java and Adobe Reader/Flash will want to put on toolbars, and the Live ones tend to lean towards Bing to begin with; unless you tell it not to, it will set those things for you. You should be able to uninstall the tools and reset the settings to how you want them, but pay extra attention to installers from Oracle, Java and Adobe if you were to redo the installs, as this is one of those annoying packaging habits they have.
 

My Computer

Computer Manufacturer/Model Number
Alienware Area 51 Desktop and Dell Inspirion 17R (N7010)
OS
Windows 7 Ultimate x64 and Home Premium x64
CPU
Intel i7 960 (3.2 GHz Quad Core)
Motherboard
Alienware Intel based X58
Memory
12 Gigs (Triple Channel)
Graphics Card(s)
Alienware OEM nVidia GTX 560 Ti (1.25 Gig)
Sound Card
Creative Labs X-Fi Titanium
Monitor(s) Displays
Samsung PX2370 LED 23" Monitor
Screen Resolution
1920x1080
Hard Drives
2 320 Gig SATA in Raid 1 Configuration (System/App)
1 1 Tera SATA (Games)
1 1 Tera SATA (Data/Music/Videos)
PSU
750 Watt Power Supply
Case
Alienware Area 51 Desktop
Cooling
Liquid Cooled
Keyboard
Logitech G510
Mouse
Microsoft Trackball Explorer
Internet Speed
Cable

Yeah, I'm usually pretty good about avoiding the extras, but I had actually misclicked and it installed a toolbar once when I got the computer. I uninstalled OpenOffice and tried to clean out all the toolbar stuff before reinstalling it and avoiding the extras. I'm not sure if those are leftover entries from when I misclicked or from this situation, but I know I specifically said no to any extras when I installed the program. I almost feel like there was a pop-up that might have appeared while I wasn't looking.
 

My Computer

Computer Manufacturer/Model Number
HP Mini 210-1010nr
OS
Windows 7 Starter
Just Re-install the OS.

In general you should always have a CLEAN OS image that you can restore but in this case you probably haven't got one.

Acronis will boot from a USB so you can run a restore from the USB.

Don't rely on cleansing an infected system -- you will NEVER be 100% certain it's been fixed.

Cheers
jimbo
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom built, several laptops HP/ASUS
OS
Linux CENTOS 7 / various Windows OS'es and servers
CPU
Intel i7 Intel i5
Memory
8GB, 16GB
Graphics Card(s)
On Motherboard
Sound Card
Realtek HD audio
Monitor(s) Displays
Apple Cinema display, Samsung LCD
Screen Resolution
1920 X 1080
Hard Drives
4 X 1TB SATA
Mouse
Toshiba wireless laser
Internet Speed
> 20MB up

Totally agree with Jimbo45, the only way to have peace of mind is to reinstall the OS :D
 

My Computer

Computer Manufacturer/Model Number
Dell XPS 730
OS
Windows 7 Home Premium 64 bit
CPU
Intel Core 2 quad Extreme Q9770 @ 3.2 GHz
Memory
4x2 GB Muskin 1600 MHz ram
Graphics Card(s)
NVidia GTX 250
Sound Card
Soundblaster X-Fi Fatality Champion
Monitor(s) Displays
2 Dell 2007WFP Ultrascans
Screen Resolution
3360 x 1050
Hard Drives
WD Black 1TB sata, 2-WD Black 500 sata, 2-Seagate 500 Go external
PSU
1000 Watt
Cooling
air
Keyboard
MS Natrual Keyboard Pro
Mouse
Logitech Wireless Trackball
Internet Speed
DSL Elite
I've experienced hijackers in the past and it's never been so serious that I had to reformat a computer. Seeing as it's a netbook, a reformat isn't really even a viable option as there's no restore disk (there might be something in the recovery partition, but from experience it'd be easier to find and neutralize the problem than to go through the weeks of reinstalling, updating and reconfiguring all the things I'll lose with a reformat).

Thanks, I'll give the article a try and see if that helps.


EDIT://
It's been a few hours and I just finished with everything in Bill2's article link (I haven't downloaded MBAM yet though, because I want to make sure there's not going to be a conflict with any of the other protective programs I have installed). I might be cautiously optimistic here, but it seems to have done the trick. The test searches that used to have redirects have so far gone right to the websites.

In particular, it seems the problem might have been a variation of TDSSserv.sys, as I got no real results until I used the TDSSKiller tool linked on the second page of the article. Afterwards I did a scan with Ad-Aware and it found one last trojan that hadn't shown up before. I ran CCleaner and got rid of a bunch of stuff like apparently orphaned registry entries (hopefully I can remember all my browser passwords!) and started testing.

I'll give it a couple of days before I relax of course, one can never tell what might be broken after all this.
 

My Computer

Computer Manufacturer/Model Number
HP Mini 210-1010nr
OS
Windows 7 Starter