Can't manage to remove a browser hijacker

November 18, 2012 at 15:32:44
Specs: Windows Vista, Pentium 2Ghz / 2GB RAM
I've run into a bit of a problem: I have a browser hijacker that's undetected by my various AV software, and I believe it's preventing me from both installing and uninstalling programs.

When using Firefox or IE, I get a login request:
A username and password are being requested by http://staging.ktsart.com. The site says: "staging"

I can cancel out, and all is seemingly fine. This login does not appear on Chrome (my primary browser), Opera, or SR Ware Iron. However, regardless of the browser I use, I still can't download things. See, every time I download a file, I get a window saying that the file cannot be found, that it has been removed. Moreover, I can't uninstall anything; I get a popup saying that Windows Uninstaller Service is not running. I think this occurs even in Safe Mode, which makes me wonder what's up, but my research into this http://staging.ktsart.com thing leads me to believe that it's the cause, at least for the installation portion.

I can download something from another computer, put it on a flash drive, and drag it to my desktop to add programs, but this is of course a poor workaround. Can someone help?

Here's what I've tried so far:
System restore (I can't be sure I wasn't affected at the point I restored to, though)
Malwarebytes (detected some other things, but didn't resolve the issue)
aswMBR (Avast's anti-rootkit, no dice)
tdsskiller (Kaspersky's anti-rootkit, nothing)

I tried out the rootkit things because I had read that the hijacker was "related" to a rootkit.




#1
November 18, 2012 at 16:17:07
Run ESET & post the log please. This scan may take a very long while, so please be patient. Start it before going to work or bed.
http://www.eset.com/us/online-scann...
http://www.eset.com/home/products/o...
You may have to download ESET from a good computer, put it on a thumb drive & run it from there.
http://kb.eset.com/esetkb/index?pag...
Configure ESET this way & disable your AV.
http://i.imgur.com/3U7YC.gif
How to Temporarily Disable your Anti-virus
http://www.bleepingcomputer.com/for...
Why Would I Ever Need an Online Virus Scanner?
I already have an antivirus program installed; isn't that enough?
http://www.squidoo.com/the-best-fre...
Once onto a machine, malware can disable antivirus programs, prevent antimalware programs from downloading updates, or prevent a user from running antivirus scans or installing new antivirus software or malware removal tools. At this point even though you are aware the computer is infected, removal is very difficult.
5: Why does the ESET Online Scanner run slowly on my computer?
If you have other antivirus, antispyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and hinder performance. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished.
17: How can I view the log file from ESET Online Scanner?
http://kb.eset.com/esetkb/index?pag...
http://www.eset.com/home/products/o...
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start > Run dialog box from the Start Menu on the desktop.


#2
November 18, 2012 at 22:12:58
Ok, I have (or at least had) two penetration testing pieces of software on my computer, Metasploit and Rapid 7; those came up with a ton of false-positives. For briefness' sake I removed all of their log notes.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=bcb46469593f26438baace8dc1055bbe
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-11-19 05:52:55
# local_time=2012-11-18 09:52:55 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6000 NT
# compatibility_mode=1024 16777175 100 0 135765093 135765093 0 0
# compatibility_mode=5892 16776573 100 100 0 189894648 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=297993
# found=242
# cleaned=242
# scan_time=17229
C:\$Recycle.Bin\S-1-5-21-4083263321-2276381533-1220120345-1000\$R3NHFPS.exe Win32/OpenCandy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$Recycle.Bin\S-1-5-21-4083263321-2276381533-1220120345-1000\$R59LTVO.tmp a variant of MSIL/Injector.DJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$Recycle.Bin\S-1-5-21-4083263321-2276381533-1220120345-1000\$R6ROG8C.tmp multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\$Recycle.Bin\S-1-5-21-4083263321-2276381533-1220120345-1000\$R9Z6CTH.tmp multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\$Recycle.Bin\S-1-5-21-4083263321-2276381533-1220120345-1000\$RVC1TE0.tmp multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Kevin\TurmoilscapeUpdater.exe a variant of MSIL/Injector.DJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Kevin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8Z0ZJZV4\signin[1].htm Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Kevin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O3R5R7DQ\google_com[1] Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Kevin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O3R5R7DQ\ietbconfig[1].xml Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Kevin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O3R5R7DQ\list[2].us Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Kevin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V7B00OE7\ietbconfig[1].xml Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Kevin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V7B00OE7\list[1].us Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Kevin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V7B00OE7\signin[1].htm Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Kevin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V7B00OE7\version[1].xml Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Kevin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\2b67b213-77d95a99 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Kevin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\4ec704df-3cf29d45 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Kevin\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-4.21.7.windows.exe Win32/OpenCandy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Kevin\Downloads\frostwire-4.21.3.windows.exe Win32/OpenCandy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Kevin\Downloads\install_flash_player (1).exe a variant of Win32/Injector.DRK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Kevin\Downloads\install_flash_player (2).exe a variant of Win32/Injector.DRK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Kevin\Downloads\Instant Hits & Ad Clicker 1.3.rar a variant of Win32/Injector.DBM trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Kevin\Downloads\Instant Hits _ Ad Clicker 1.3.rar a variant of Win32/Injector.DBM trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Kevin\Downloads\Instant+Hits+%26+Ad+Clicker.exe a variant of MSIL/Ubot.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Kevin\Downloads\Instant_Hits___Ad_Clicker_1.3.rar a variant of Win32/Injector.DBM trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Kevin\Downloads\mirc715.exe Win32/OpenCandy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Kevin\Downloads\oi_setup.exe a variant of Win32/OpenInstall application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Kevin\Downloads\winzip155.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Kevin\Downloads\youtubetomp3setup.exe a variant of Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\DriverUSB.exe a variant of MSIL/Injector.VF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
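The log above has a fixed line layout: a file path, a threat description, the action taken in parentheses, a 32-character hash column, and a trailing flag. As an added example (not code from the thread or from ESET), here is a small Python parser that pulls those fields apart, tallies detections by action, family and location, and compares the header's "found" count with the number of entries actually listed. The sample lines are excerpted from the log posted in reply #2; the location buckets ("recycle bin", "downloads", "IE cache", "Java cache") are my own grouping and not an ESET concept.

```python
import re
from collections import Counter

# Excerpt of the ESET Online Scanner log posted in reply #2 (header keys plus six detections).
SAMPLE_LOG = r"""
# version=7
# end=finished
# scanned=297993
# found=242
# cleaned=242
C:\$Recycle.Bin\S-1-5-21-4083263321-2276381533-1220120345-1000\$R59LTVO.tmp a variant of MSIL/Injector.DJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\$Recycle.Bin\S-1-5-21-4083263321-2276381533-1220120345-1000\$R6ROG8C.tmp multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Kevin\TurmoilscapeUpdater.exe a variant of MSIL/Injector.DJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Kevin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8Z0ZJZV4\signin[1].htm Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Kevin\Downloads\install_flash_player (1).exe a variant of Win32/Injector.DRK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Kevin\Downloads\winzip155.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
"""

# Every detection line ends with "(action) <32 hex chars> <flag>".  The body is matched greedily so
# that parentheses inside a file name (e.g. "install_flash_player (1).exe") are not mistaken for the action.
TRAILER_RE = re.compile(
    r"^(?P<body>.*) \((?P<action>[^()]+)\) (?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S+)$"
)

# The threat description is the tail of the body: either "[a variant of] Platform/Family kind"
# or the literal "multiple threats".  Whatever precedes it is the path (which may contain spaces).
THREAT_RE = re.compile(
    r" (?P<threat>(?:a variant of )?(?P<family>[A-Za-z0-9]+/[A-Za-z0-9_.]+) (?P<kind>[a-z]+)"
    r"|multiple threats)$"
)


def parse_detection(line):
    """Split one detection line into its fields; return None for non-detection lines."""
    m = TRAILER_RE.match(line)
    if not m:
        return None
    t = THREAT_RE.search(m.group("body"))
    if not t:
        return None
    return {
        "path": m.group("body")[: t.start()],
        "threat": t.group("threat"),
        "family": t.group("family"),        # None for "multiple threats"
        "kind": t.group("kind"),            # "trojan", "application", ...
        "action": m.group("action"),
        "hash": m.group("hash"),
        # An all-zero hash column means the scanner recorded no file hash for this entry.
        "hash_recorded": set(m.group("hash")) != {"0"},
    }


def parse_log(text):
    """Return (header metadata, detection list).  Header keys can repeat, so values are kept as lists."""
    meta, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            meta.setdefault(key, []).append(value)
            continue
        det = parse_detection(line)
        if det is not None:
            detections.append(det)
    return meta, detections


def location_bucket(path):
    """Coarse grouping of where a detection was found (my own buckets, not ESET's)."""
    p = path.lower()
    if "\\$recycle.bin\\" in p:
        return "recycle bin"
    if "\\downloads\\" in p:
        return "downloads"
    if "\\temporary internet files\\" in p:
        return "IE cache"
    if "\\java\\deployment\\cache\\" in p:
        return "Java cache"
    return "other"


def summarize(detections):
    """Tally detections by action taken, malware family and on-disk location."""
    return {
        "by_action": Counter(d["action"] for d in detections),
        "by_family": Counter(d["family"] or "multiple threats" for d in detections),
        "by_location": Counter(location_bucket(d["path"]) for d in detections),
        "hash_recorded": sum(d["hash_recorded"] for d in detections),
    }


def reported_vs_listed(meta, detections):
    """Header 'found' count versus entries present; a gap means the posted log was trimmed."""
    return int(meta["found"][0]), len(detections)


if __name__ == "__main__":
    meta, dets = parse_log(SAMPLE_LOG)
    print("found (header) vs listed:", reported_vs_listed(meta, dets))
    for name, counter in summarize(dets).items():
        print(name, dict(counter) if isinstance(counter, Counter) else counter)
```

Run on the excerpt, the summary shows every entry sitting in the Recycle Bin, the Downloads folder, the IE cache or the user profile, with no file hashes recorded, and a header count of 242 against six listed lines, which matches the poster's note that the Metasploit false positives were cut from the log before posting.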



#3
November 18, 2012 at 22:20:23
Please copy & paste instructions into a text file, print steps & info. You will need them, as they are hard to remember, for when you are offline.

Note: Is your important stuff backed up, including your emails & address book? Anything can happen, during the clean up.

The baddies are always ahead of the goodies. Be aware, this can be a very long process, involving many different tools to clean up an infected comp.
Some infections are irremovable.
Very Important: Malware infections can possibly lead to identity theft, stolen bank funds, misuse of credit card information etc.
The use of the computer is the primary factor in the decision whether to re-format and re-install, or just disinfect.
http://www.dslreports.com/faq/10063
How to report ID theft, fraud, drive-by installs, hijacking and malware?
http://www.dslreports.com/faq/10451
Change your router password if it is not strong or still uses the default one.
Hack lets intruders sneak into home routers
http://tinyurl.com/4pz64fc
http://compnetworking.about.com/od/...

If you do decide to reinstall, make sure you delete ALL partitions & format to NTFS.
D to Delete the selected partition ( XP )
http://www.blackviper.com/os-instal...
W7 - Click on > Drive options (advanced) Then highlight each partition & hit > Delete.
http://www.blackviper.com/os-instal...
http://www.blackviper.com/os-instal...
Here are some examples of why you delete all partitions.
http://forums.spybot.info/showthrea...
http://forums.whatthetech.com/index...
http://blog.eset.com/2011/10/18/tdl...

As we dismantle the infection bit by bit, that may allow the repeat use of programs, which may in turn pick up more.
Removal of infected parts of the system may cause other parts to stop working, such as your Internet connection or Services. These we then have to repair.

If any program won't run ( due to the infection ) let me know. Post the log/logs after each run.
Screenshots ( SS ) may also be requested, or if you want to illustrate a point yourself, use the uploader.
If any of the logs are too large, upload them to a site of your choosing, or all can be done with this. I use Imgur.com
Image Uploader
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://zenden.ws/imageuploader_ru
How to use
http://i.imgur.com/IwZrT.gif
http://i.imgur.com/q4uHK.gif
http://i.imgur.com/qk0sN.gif
http://i.imgur.com/TTVsl.gif
For other files.
http://i.imgur.com/KT4wS.gif
http://i.imgur.com/wAG3q.gif

After each fix or change we make, let me know how the comp is running. Example: "I still have a browser hijacker that's undetected by my various AV software, and I believe it's preventing me from both installing and uninstalling programs"



#4
November 18, 2012 at 22:26:35
Ok, let's continue.

1: Download & run Unhide
http://www.bleepingcomputer.com/for...
http://download.bleepingcomputer.co...
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run; it does take some time, so be patient. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

2: Reboot

3: Run RogueKiller
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://majorgeeks.com/RogueKiller_d...
http://www.geekstogo.com/forum/file...
http://www.sur-la-toile.com/RogueKi...
http://www.sur-la-toile.com/RogueKi...
RogueKiller tutorial
http://en.kioskea.net/faq/11626-rog...



#5
January 12, 2013 at 23:07:32
I used Unhide and RogueKiller as you said; the latter deleted one thing and replaced two others. I missed the report on accident (sorry if you wanted it), but I think all three were in Software/Windows, if that helps at all.

Something odd I noticed a few weeks ago, before running Unhide and RogueKiller: the problem with the login request no longer occurs for IE, but still happens when I use Firefox. Still can't download from any browser, though. Still infected with what I believe is a hijacker.

P.S. I ran Unhide and RogueKiller in online mode; would offline provide different results?



#6
January 13, 2013 at 00:27:41
"P.S. I ran Unhide and RogueKiller in online mode; would offline provide different results?"
Don't know.

I see you are in the US PST time zone.

Here is mine, so you have a rough idea when I'm awake & asleep.
I shall keep your web page open all the time. The clock works when the page is open.
http://www.timeanddate.com/worldclo...

4: Run Hitman Pro & post the log please.
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://www.surfright.nl/en/HitmanPro
http://www.surfright.nl/en/hitmanpro/
Unlimited free scanning and free 30-day version to remove detected malware.
Download now (32-bit)
http://dl.surfright.nl/HitmanPro35.exe
Download now (64-bit)
http://dl.surfright.nl/HitmanPro35_...
Review
http://www.youtube.com/watch?v=WmPQ...

