Search Engine Hijack (qhosts?), HijackThis.log.

  • Thread starter Thread starter GodsTeeth
  • Start date Start date
G

GodsTeeth

I guess I'm kind of new to the QHOSTS problem, but I followed the
below directions.

"
<quote / unquote Mike Burgess>
Trojan Qhosts hijacks the HOSTS file, however unlike normal
redirectors,
this one hides the HOSTS file in the "Windows\Help" folder.

See: http://www.mvps.org/winhelp2002/hosts.htm
Download: either "RenHelpHostXP.bat" or RenHelpHostME.bat"
Follow up with the link provided instructions .......
</snip>

Get the latest hotfix: http://www.microsoft.com/security/security_bulletins/ms03-040.asp

If no joy, run the Beta "Hijack This" utility which detects the HOSTS
file that has been taken over.
http://www.spywareinfo.com/~merijn/files/beta/hijackthis.zip
Hijack This, How-to: http://mvps.org/winhelp2002/unwanted.htm

More info: http://www.spywareinfo.com/newsletter/archives/0903/30.php
"

After completing the above recommendations, I found that if I press
the "Back" button on my browser tool-bar then click the link, in
sucession, 3 times, I will get the correct page.

The redirection is loaded from shedalight.info.

Terribly annoying!

I guess the only thing I can think to do is post my Hijack log: This
is what I get:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:04:39 PM, on 9/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\oodag.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager
\SPCSUtilityService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps
\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\PowerMenu\PowerMenu.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager
\SPCSCM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Aaron Divelbliss\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-
B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat
\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:
\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI
Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java
\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime
\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes
\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe
\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /
STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM
\MySpaceIM.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft
\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide3] cmd.exe /C rundll32
advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft
\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide3] cmd.exe /C rundll32
advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK
SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft
\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide3] cmd.exe /C rundll32
advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft
\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide3] cmd.exe /C rundll32
advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files
\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files
\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files
\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: PowerMenu.lnk = C:\Program Files\PowerMenu
\PowerMenu.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583}
- %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-
d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic
\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-
BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
- http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172129299304
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
- http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172143750609
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17588C48-0D0F-4981-8018-
F6BBB4EA6601}: NameServer = 85.255.113.206,85.255.112.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C9B0D07-5F22-4D23-9D82-
B552D2553480}: NameServer = 85.255.113.206,85.255.112.153
O17 - HKLM\System\CCS\Services\Tcpip\..
\{2EE0185A-3579-4E9D-94A3-5F4965BBDEDE}: NameServer =
85.255.113.206,85.255.112.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE3026BA-FF89-4ADF-A538-
B675DDD73EAF}: NameServer = 85.255.113.206,85.255.112.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDEF78D3-90F7-4C80-92BD-
ADB340B4D009}: NameServer = 85.255.113.206,85.255.112.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB9E1317-
B08B-46E3-8AC6-6080C5A32B20}: NameServer = 85.255.113.206
85.255.112.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFFA2F7A-26B3-49F9-
A788-1DFF528F45CD}: NameServer = 85.255.113.206,85.255.112.153
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer =
85.255.113.206 85.255.112.153
O17 - HKLM\System\CS1\Services\Tcpip\..\{17588C48-0D0F-4981-8018-
F6BBB4EA6601}: NameServer = 85.255.113.206,85.255.112.153
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer =
85.255.113.206 85.255.112.153
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-
B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon -
{8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS
\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files
\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS
\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS
\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o.
- C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:
\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:
\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files
\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS
\System32\oodag.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:
\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager
\SPCSUtilityService.exe
 
GodsTeeth said:
I guess I'm kind of new to the QHOSTS problem, but I followed the
below directions.

"
<quote / unquote Mike Burgess>
Trojan Qhosts hijacks the HOSTS file, however unlike normal
redirectors,
this one hides the HOSTS file in the "Windows\Help" folder.

See: http://www.mvps.org/winhelp2002/hosts.htm
Download: either "RenHelpHostXP.bat" or RenHelpHostME.bat"
Follow up with the link provided instructions .......
</snip>

Get the latest hotfix:
http://www.microsoft.com/security/security_bulletins/ms03-040.asp

If no joy, run the Beta "Hijack This" utility which detects the HOSTS
file that has been taken over.
http://www.spywareinfo.com/~merijn/files/beta/hijackthis.zip
Hijack This, How-to: http://mvps.org/winhelp2002/unwanted.htm

More info: http://www.spywareinfo.com/newsletter/archives/0903/30.php
"

After completing the above recommendations, I found that if I press
the "Back" button on my browser tool-bar then click the link, in
sucession, 3 times, I will get the correct page.

The redirection is loaded from shedalight.info.

Terribly annoying!

I guess the only thing I can think to do is post my Hijack log...
<snip>

We do not interpret HijackThis logs in public newsgroups.

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware with
assistance from an expert. **Post your log to
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7,
http://aumha.net/viewforum.php?f=30, or other appropriate forums for expert
analysis, not here.**

PS: You've got a WareOut infection and probably more, considering your lousy
anti-virus application and lack of any anti-spyware application.

And the fact that you may have done a customized install of WinXP using
nLite would most likely lead to an "horked" install of IE7.
 
<snip>

We do not interpret HijackThis logs in public newsgroups.

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackwarehttp://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=58...p://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot...tboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware with
assistance from an expert. **Post your log tohttp://forums.spybot.info/forumdisplay.php?f=22,http://castlecops.com/forum67.html,...owforum=7,http://aumha.net/viewforum.php?f=30, or other appropriate forums for expert
analysis, not here.**

PS: You've got a WareOut infection and probably more, considering your lousy
anti-virus application and lack of any anti-spyware application.

And the fact that you may have done a customized install of WinXP using
nLite would most likely lead to an "horked" install of IE7.
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Adminhttp://aumha.net
DTS-Lhttp://dts-l.org/

I'm sorry, like I said, I'm new to this! Thank you for your time and
patience!
 
Back
Top