Jump to content


Photo

Home page Hijacked (lefqd); Popups; Log attached


  • Please log in to reply
2 replies to this topic

#1 Algernon

Algernon

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 29 June 2004 - 08:50 PM

This is what I've done so far (I'm at my wit's end)...

1) Ensured that AdAware and SpyBot and CWShredder were up to date.
2) Rebooted in Safe Mode
3) Ran AdAware, Spybot, and CWShredder; removed everything they found
4) Ran HijackThis
5) Deleted the R0 and R1 entries that listed lefqd.dll (this is in the page url that is getting hijacked to), and the 04... sdkhy.exe entry.
6) Restarted; same problem
7) Ran HijackThis again and deleted the same entries (which reappeared)
8) Manually reset my home page
9) Exited IE and went back in; same problem

Something somewhere is obviously still hijacking my system, but I don't know what. Assistance requested. <= (understatement of the year)


Here is the HijackThis log...

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\WINABI~1\FOLDER~1\FGKEY.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\PhotoWorks\PhotoWorks Digital Partner\Acquire.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\sdkhy.exe
C:\WINDOWS\system32\msph32.exe
C:\Documents and Settings\Gary Bakker\My Documents\downloaded pgms\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lefqd.dll/sp.html#26980
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://lefqd.dll/index.html#26980
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://lefqd.dll/index.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lefqd.dll/sp.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://lefqd.dll/index.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lefqd.dll/sp.html#26980
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {26292D92-C47D-8978-68F1-EADFBF80E5DD} - C:\WINDOWS\system32\mshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray /deaf
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [FolderGuard] C:\PROGRA~1\WINABI~1\FOLDER~1\FGKEY.EXE /CL
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sdkhy.exe] C:\WINDOWS\sdkhy.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: PhotoWorks Acquire.lnk = C:\Program Files\PhotoWorks\PhotoWorks Digital Partner\Acquire.exe
O4 - Startup: PhotoWorks Upload Scheduler.lnk = C:\Program Files\PhotoWorks\PhotoWorks Digital Partner\PhotoWorksWiz.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...porter.cab?RND=
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7866.8395023148
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?312

#2 Algernon

Algernon

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 29 June 2004 - 08:53 PM

Oops. I neglected to mention that...

a) I read the FAQ
b) I'm running IE6
c) I'm running Windows XP Professional

#3 Algernon

Algernon

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 29 June 2004 - 09:33 PM

To the Moderator(s): Please accept my humble and embarrassed apologies. I posted this in the wrong forum. I've re-posted it in the correct Malware forum. I would think this is a no-no, but I couldn't find any info on reporting my post to a Mod (I suspect that one cannot report their own post).

Please forgive this newbie. You can close and lock this thread.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button