Jump to content


Photo

hijacked brower help needed


  • Please log in to reply
1 reply to this topic

#1 jsa

jsa

    Member

  • New Member
  • Pip
  • 1 posts

Posted 17 July 2004 - 10:11 PM

Experiencing a hijacked brower. I have ad aware installed and that usually get rid of this but in this case I have a persitent pest. I am attaching my log. Your help is greatly appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 6:02:53 PM, on 7/14/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\WINDOWS\System32\JupitCo.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\addab.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\addmj.exe
C:\WINDOWS\addmj.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Leroy\Local Settings\Temporary Internet Files\Content.IE5\CLU1ANYH\hijackthis1977[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yekqk.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://yekqk.dll/index.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://yekqk.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yekqk.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://yekqk.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\yekqk.dll/sp.html#37794
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089F2967-2FC8-FDF5-0E3A-791483FF7AF6} - C:\WINDOWS\msob.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [USB SECURITY DEVICE CoInstaller] JupitCo.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [addab.exe] C:\WINDOWS\system32\addab.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
O4 - HKLM\..\RunOnce: [addmj.exe] C:\WINDOWS\addmj.exe
O4 - HKLM\..\RunOnce: [mfcap32.exe] C:\WINDOWS\mfcap32.exe
O4 - HKLM\..\RunOnce: [atljn32.exe] C:\WINDOWS\system32\atljn32.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: http://*.gilbaneco.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\zhfbdgku.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.c...lient/setup.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...37877.325787037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.konti...current/kdx.cab

#2 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 23 July 2004 - 10:43 AM

Hello please download About:Buster and unzip it to your desktop. Donīt run it yet.

1 You already have Adaware installed. Make sure it's up to date. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish* .This will return you to the main screen. You should now see Reference File # : 01R333 18.07.2004 or higher listed.

2 Print out these instructions so you have them handy as most of the steps need to be done in safe mode and you may not be able to go online.
Move hijack this to its own folder like: C:\HJThis\

3. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. This service is installed by the malware. If this service is not listed go ahead with the next step.

4. Reboot to Safe Mode
How to start the computer in
Safe mode


5. Make sure your PC is configured to show hidden files

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

6.CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yekqk.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://yekqk.dll/index.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://yekqk.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yekqk.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://yekqk.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\yekqk.dll/sp.html#37794
O2 - BHO: (no name) - {089F2967-2FC8-FDF5-0E3A-791483FF7AF6} - C:\WINDOWS\msob.dll
O4 - HKLM\..\Run: [addab.exe] C:\WINDOWS\system32\addab.exe
O4 - HKLM\..\RunOnce: [addmj.exe] C:\WINDOWS\addmj.exe
O4 - HKLM\..\RunOnce: [mfcap32.exe] C:\WINDOWS\mfcap32.exe
O4 - HKLM\..\RunOnce: [atljn32.exe] C:\WINDOWS\system32\atljn32.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\zhfbdgku.exe
[/b]


7. Delete the following files if present.
C:\WINDOWS\yekqk.dll
C:\WINDOWS\msob.dll
C:\WINDOWS\system32\addab.exe
C:\WINDOWS\addmj.exe
C:\WINDOWS\mfcap32.exe
C:\WINDOWS\system32\atljn32.exe
C:\Program Files\Internet Explorer\zhfbdgku.exe


8. Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report(copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

9. Scan with Adaware and let it remove any bad files found.

10. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin


11. Reboot to normal mode, scan again with Hijack This and post a new log here.

12. Finally, do an online scan HERE. Let it remove any infected files found.


Post a fresh HijackThis log and the AboutBuster report back here please.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button