Show Posts

1

Tech Clinic / IE Hijacked, Help Please.

« on: December 20, 2007, 06:24:24 AM »

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:19:43 AM, on 12/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\SOUNDMAN.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\windows\System32\svchost.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: Run Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

--
End of file - 3301 bytes

I am no longer having any troubles! Go figure that one AVG product didn't pick this up but another did.

Thank you for all the help and saving me from formatting, I greatly appreciate it.

2

Tech Clinic / IE Hijacked, Help Please.

« on: December 19, 2007, 02:55:42 AM »

Username "Tabion" - 12/20/2007 1:52:15 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.

System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"Logitech Utility"="Logi_MwX.Exe"
"SoundMan"="SOUNDMAN.EXE"
"MULTIMEDIA KEYBOARD"="C:\\Program Files\\Netropa\\Multimedia Keyboard\\MMKeybd.exe"
"lxdcamon"="\"C:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\windows\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

[font=\"Arial\"][color=\"red\"]BitDefender Online Scanner[/color][/font]

[font=\"Arial\"]Scan report generated at: Thu, Dec 20, 2007 - 02:52:20[/font]

[font=\"Arial\"] [/font]

[font=\"Arial\"]Scan path: A:\;C:\

:\;F:\;G:\;[/font]

    [font=\"Arial\"] [/font]

[font=\"Arial\"]Statistics[/font]

[font=\"Arial\"]Time[/font]

[font=\"Arial\"]00:51:14[/font]

[font=\"Arial\"]Files[/font]

[font=\"Arial\"]192896[/font]

[font=\"Arial\"]Folders[/font]

[font=\"Arial\"]5259[/font]

[font=\"Arial\"]Boot Sectors[/font]

[font=\"Arial\"]4[/font]

[font=\"Arial\"]Archives[/font]

[font=\"Arial\"]1799[/font]

[font=\"Arial\"]Packed Files[/font]

[font=\"Arial\"]9570[/font]

     [font=\"Arial\"]Results[/font]

[font=\"Arial\"]Identified Viruses [/font]

[font=\"Arial\"]1[/font]

[font=\"Arial\"]Infected Files [/font]

[font=\"Arial\"]2[/font]

[font=\"Arial\"]Suspect Files [/font]

[font=\"Arial\"]0[/font]

[font=\"Arial\"]Warnings[/font]

[font=\"Arial\"]0[/font]

[font=\"Arial\"]Disinfected[/font]

[font=\"Arial\"]0[/font]

[font=\"Arial\"]Deleted Files[/font]

[font=\"Arial\"]2[/font]

    [font=\"Arial\"]Engines Info[/font]

[font=\"Arial\"]Virus Definitions[/font]

[font=\"Arial\"]882639[/font]

[font=\"Arial\"]Engine build[/font]

[font=\"Arial\"]AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)[/font]

[font=\"Arial\"]Scan plugins[/font]

[font=\"Arial\"]14[/font]

[font=\"Arial\"]Archive plugins[/font]

[font=\"Arial\"]38[/font]

[font=\"Arial\"]Unpack plugins[/font]

[font=\"Arial\"]7[/font]

[font=\"Arial\"]E-mail plugins[/font]

[font=\"Arial\"]6[/font]

[font=\"Arial\"]System plugins[/font]

[font=\"Arial\"]1[/font]

    [font=\"Arial\"]Scan Settings[/font]

[font=\"Arial\"]First Action[/font]

[font=\"Arial\"]Disinfect[/font]

[font=\"Arial\"]Second Action[/font]

[font=\"Arial\"]Delete[/font]

[font=\"Arial\"]Heuristics[/font]

[font=\"Arial\"]Yes[/font]

[font=\"Arial\"]Enable Warnings[/font]

[font=\"Arial\"]Yes[/font]

     [font=\"Arial\"]Scanned Extensions[/font]

[font=\"Arial\"]*;[/font]

[font=\"Arial\"]Exclude Extensions[/font]

[font=\"Arial\"] [/font]

[font=\"Arial\"]Scan Emails[/font]

[font=\"Arial\"]Yes[/font]

[font=\"Arial\"]Scan Archives[/font]

[font=\"Arial\"]Yes[/font]

[font=\"Arial\"]Scan Packed[/font]

[font=\"Arial\"]Yes[/font]

[font=\"Arial\"]Scan Files[/font]

[font=\"Arial\"]Yes[/font]

[font=\"Arial\"]Scan Boot[/font]

[font=\"Arial\"]Yes[/font]

    [font=\"Arial\"]Scanned File[/font]

[font=\"Arial\"] Status[/font]

        [font=\"Arial\"]C:\qoobox\Quarantine\C\WINDOWS\system32\kdfol.exe.vir[/font]

               [font=\"Arial\"]Infected with: Trojan.DNSCHanger.QN[/font]

             [font=\"Arial\"]C:\qoobox\Quarantine\C\WINDOWS\system32\kdfol.exe.vir[/font]

               [font=\"Arial\"]Disinfection failed[/font]

             [font=\"Arial\"]C:\qoobox\Quarantine\C\WINDOWS\system32\kdfol.exe.vir[/font]

               [font=\"Arial\"]Deleted[/font]

             [font=\"Arial\"]C:\System Volume Information\_restore{10955F49-53EE-4A1A-9980-F6DF3FA35510}\RP2\A0000012.exe[/font]

               [font=\"Arial\"]Infected with: Trojan.DNSCHanger.QN[/font]

             [font=\"Arial\"]C:\System Volume Information\_restore{10955F49-53EE-4A1A-9980-F6DF3FA35510}\RP2\A0000012.exe[/font]

               [font=\"Arial\"]Disinfection failed[/font]

             [font=\"Arial\"]C:\System Volume Information\_restore{10955F49-53EE-4A1A-9980-F6DF3FA35510}\RP2\A0000012.exe[/font]

               [font=\"Arial\"]Deleted[/font]



    [font=\"Arial\"] [/font]

    [font=\"Arial\"] [/font]

Well, there very well be my problem!

Any suggestions on proper removal?

3

Tech Clinic / IE Hijacked, Help Please.

« on: December 18, 2007, 05:04:33 PM »

ComboFix 07-12-19.2 - Tabion 2007-12-18 16:45:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.456 [GMT -5:00]
Running from: C:\Documents and Settings\Tabion\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\windows\system32\kdfol.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NPF

((((((((((((((((((((((((( Files Created from 2007-11-19 to 2007-12-19 )))))))))))))))))))))))))))))))
.

2007-12-18 16:44 . 2007-12-18 16:44 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-14 16:36 . 2007-12-14 16:51 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-14 15:59 . 2007-12-14 15:59 <DIR> d-------- C:\Program Files\MSConfig CleanUp
2007-12-14 05:23 . 2007-12-14 05:23 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-12-13 00:05 . 2007-12-13 00:05 <DIR> d-------- C:\Program Files\WiFiConnector
2007-12-13 00:00 . 2007-12-13 00:00 <DIR> d-------- C:\Nintendo
2007-12-13 00:00 . 2004-05-12 13:49 1 --a------ C:\WINDOWS\system32\drivers\RT25USBAP.CAT
2007-12-12 23:59 . 2007-12-12 23:59 1,784,670 --a------ C:\Nintendo_WFC_USB.zip
2007-12-12 05:31 . 2007-12-12 05:31 <DIR> d-------- C:\Documents and Settings\Tabion\Application Data\Grisoft
2007-12-12 05:30 . 2007-12-12 05:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-12 05:30 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-12 05:29 . 2007-12-12 05:29 12,413,440 --a------ C:\avgas-setup-7.5.1.43.exe
2007-12-12 04:50 . 2007-12-12 04:50 251,392 --a------ C:\hijackthis_sfx.exe
2007-12-12 04:17 . 2007-12-12 05:22 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-12-12 04:16 . 2007-12-12 04:16 121 --a------ C:\WINDOWS\bdagent.INI
2007-12-12 03:14 . 2007-12-12 03:14 77,824 --a------ C:\WINDOWS\system32\xcomm.dll
2007-12-11 06:43 . 2007-12-17 08:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-11 06:43 . 2007-12-11 06:43 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-10 16:10 . 2004-03-29 16:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2007-12-07 21:02 . 2007-12-18 00:16 <DIR> d-------- C:\Program Files\Metin2.us
2007-12-07 19:17 . 2007-12-07 19:55 <DIR> d-------- C:\metin2_20071126
2007-12-01 19:02 . 2007-12-01 19:02 <DIR> d-------- C:\Program Files\Netropa
2007-12-01 19:02 . 2002-07-11 07:47 98,304 --a------ C:\WINDOWS\system32\msikbd.dll
2007-12-01 19:02 . 2000-06-08 02:09 28,672 --------- C:\WINDOWS\system32\msiosd32.dll
2007-12-01 19:02 . 2001-12-20 09:02 6,656 --------- C:\WINDOWS\system32\drivers\Msikbd2k.sys
2007-12-01 19:02 . 2007-12-19 16:50 253 --a------ C:\WINDOWS\Msiosd.ini
2007-12-01 19:01 . 2007-12-01 19:01 <DIR> d-------- C:\smartoffice
2007-12-01 19:01 . 2007-12-01 19:01 <DIR> d-------- C:\kb740x
2007-12-01 19:01 . 2007-12-01 19:01 3,909,432 --a------ C:\kb740x.zip
2007-11-30 16:29 . 2007-11-30 16:38 <DIR> d-------- C:\books
2007-11-30 12:44 . 2007-11-30 12:44 <DIR> d-------- C:\Program Files\Realtek AC97
2007-11-30 12:44 . 2006-08-01 15:02 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe
2007-11-30 12:31 . 2007-11-30 12:40 18,476,841 --a------ C:\WDM_A403.exe
2007-11-29 22:05 . 2007-11-29 23:05 289,278,764 --a------ C:\[DB]_Naruto_Shippuuden_036-037_[B06574F4].avi
2007-11-28 23:43 . 2007-11-28 23:43 <DIR> d-------- C:\WINDOWS\Sun
2007-11-28 23:43 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-28 23:42 . 2007-11-28 23:43 <DIR> d-------- C:\Program Files\Java
2007-11-28 23:42 . 2007-11-28 23:42 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-28 21:05 . 2007-11-28 22:38 <DIR> d-------- C:\ijji
2007-11-19 11:02 . 2007-11-19 11:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\IJJIGame

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-17 13:36 --------- d-----w C:\Documents and Settings\Tabion\Application Data\uTorrent
2007-12-17 10:40 --------- d-----w C:\Program Files\Lexmark 1300 Series
2007-12-17 10:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-17 06:06 --------- d-----w C:\Program Files\Lx_cats
2007-12-16 23:45 --------- d-----w C:\Program Files\DazzlingEvents
2007-12-14 21:00 --------- d-----w C:\Documents and Settings\Tabion\Application Data\IGN_DLM
2007-12-14 10:17 685,816 ----a-w C:\windows\system32\drivers\sptd.sys
2007-12-12 09:18 --------- d-----w C:\Documents and Settings\Tabion\Application Data\Juniper Networks
2007-12-12 09:17 --------- d-----w C:\Program Files\Axialis
2007-12-07 05:12 --------- d-----w C:\Program Files\Winamp Remote
2007-11-29 03:18 --------- d-----w C:\Program Files\Winamp
2007-11-29 01:41 --------- d--h--w C:\Documents and Settings\Tabion\Application Data\ijjigame
2007-11-28 17:31 --------- d-----w C:\Program Files\Razor
2007-11-15 12:34 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2007-11-15 12:31 --------- d-----w C:\Program Files\Yahoo!
2007-11-14 10:25 --------- d-----w C:\Program Files\ICQ6
2007-11-08 19:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\OrbNetworks
2007-11-08 19:26 15,081,800 ----a-w C:\winampremote.exe
2007-10-29 21:54 --------- d-----w C:\Program Files\EA GAMES
2007-10-29 19:26 --------- d-----w C:\Program Files\Diablo II
2007-10-29 18:39 --------- d-----w C:\Program Files\UOAM
2007-10-27 21:59 --------- d-----w C:\Program Files\Renaissance Software
2007-10-27 05:07 --------- d-----w C:\Documents and Settings\Tabion\Application Data\ICAClient
2007-10-27 05:04 --------- d-----w C:\Program Files\Citrix
2007-10-26 16:20 4,124,352 ----a-r C:\windows\system32\drivers\alcxwdm.sys
2007-10-23 07:46 --------- d-----w C:\Program Files\Trillian
2007-10-20 19:05 43,520 ----a-w C:\windows\system32\CmdLineExt03.dll
2007-10-19 19:20 21,840 ----a-w C:\windows\system32\SIntfNT.dll
2007-10-19 19:20 17,212 ----a-w C:\windows\system32\SIntf32.dll
2007-10-19 19:20 12,067 ----a-w C:\windows\system32\SIntf16.dll
2007-10-19 19:09 94,208 ----a-w C:\windows\DIIUnin.exe
2007-10-19 05:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-19 04:28 --------- d-----w C:\Program Files\Arovax AntiSpyware
2007-10-16 22:10 164 ----a-w C:\install.dat
2007-10-05 21:39 776,704 ----a-w C:\amem5a.exe
2007-10-05 19:37 5,290,394 ----a-w C:\win2k_xp1417.exe
2007-06-03 09:49 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-03 18:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 08:50 C:\WINDOWS\LOGI_MWX.EXE]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 C:\WINDOWS\soundman.exe]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2002-06-19 10:50]
"lxdcamon"="C:\Program Files\Lexmark 1300 Series\lxdcamon.exe" [2007-02-05 18:32]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []
"IE7-11"="advpack.dll" [2007-03-21 05:11 C:\WINDOWS\system32\advpack.dll]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Run Registration Tool.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [2007-12-13 00:05:39]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-03 18:56 15360 --a------ C:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-09-20 09:32 77824 --a------ C:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-09-20 09:36 114688 --a------ C:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-09-20 09:35 94208 --a------ C:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdcmon.exe]
C:\Program Files\Lexmark 1300 Series\lxdcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"wuauserv"=2 (0x2)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"AWService"=2 (0x2)
"SamSs"=2 (0x2)
"SharedAccess"=2 (0x2)
"usnjsvc"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"AVG Anti-Spyware Guard"=2 (0x2)
"lxdc_device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ipTray.exe"="C:\Program Files\Intel\IDU\iptray.exe"
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\windows\system32\DRIVERS\msikbd2k.sys [2001-12-20 09:02]
R2 EAPPkt;Realtek EAPPkt Protocol;C:\windows\system32\DRIVERS\EAPPkt.sys [2005-04-01 10:43]
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 06:41]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2006-10-27 18:18]
R2 SIODRV;SIODRV;C:\WINDOWS\system32\drivers\SIODRV.SYS [2007-05-23 09:17]
R3 smbusp;Intel® SMBus 2.0 Driver;C:\windows\system32\DRIVERS\intelsmb.sys [2006-08-30 10:09]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\windows\system32\DRIVERS\wg111v2.sys []
S4 DNADownloader;DNADownloader;C:\Program Files\GameSpot\DownloadManager_Win32.exe [2007-07-10 01:17]
S4 lxdc_device;lxdc_device;C:\windows\system32\lxdccoms.exe -service []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\autorun.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-19 16:50:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-19 16:51:19 - machine was rebooted

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:01:06 PM, on 12/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\windows\SOUNDMAN.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\windows\System32\svchost.exe
C:\windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [IE7-11] rundll32 advpack.dll,LaunchINFSection NR_IE7en.inf,AfterUserStart (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: Run Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

--
End of file - 2285 bytes

4

Tech Clinic / IE Hijacked, Help Please.

« on: December 17, 2007, 05:54:58 AM »

Sorry for the delay in the response, it is a busy time of year.

Everything I posted is just that, everything. I used a tool called MsConfigCleanUp to remove anything else that wasn't actively running and/or needed to boot.

However... I think I may have found the root of the problem. I did some fiddling around with my internet explorer and it turns out I do not have this problem at all when I disable Active X controllers.

Unfortunately I do not know of any ways to take care of this... I was thinking of physically deleting them... or maybe just uninstalling IE and FF from my computer. I would hate to do these options unless I know it will correct the problem.

So is there any way to safely destroy all Active X controllers? Would an uninstall work? Or maybe, is there a way to see which is being the nuisance?

Hope you can help.

5

Tech Clinic / IE Hijacked, Help Please.

« on: December 12, 2007, 05:57:13 AM »

Okay so I have been having this problem for about 2 months now and no matter what I try nothing fixes it. Basically what happens is, I type a search into any engine, yahoo or google normally, and the results come up fine and dandy. The real problem is when I click the links. This redirects me to so many different random sites that I have lost count.
So after just plain out getting fed up with this issue I decided to try out firefox. Turns out, the second this was installed it had the same issue as well.
I have ran many virus and spyware scans but to no avail.
This is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:54:30 AM, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\SOUNDMAN.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\windows\system32\lxdccoms.exe
C:\windows\System32\svchost.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: lxdc_device - - C:\windows\system32\lxdccoms.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

Not much too it because I already picked it apart myself. I like to pretend I know what I am doing.

So anyways, I am up for any suggestions or help that can be offered and it will be greatly appreciated.

Thanks in advance,

Tab

TheTechGuide Forum

News:

Show Posts

Messages - Tab

Tech Clinic / IE Hijacked, Help Please.

Tech Clinic / IE Hijacked, Help Please.

Tech Clinic / IE Hijacked, Help Please.

Tech Clinic / IE Hijacked, Help Please.

Tech Clinic / IE Hijacked, Help Please.