Author Topic: IE Hijacked, Help Please. (Read 3933 times)

Tab · « **on:** December 12, 2007, 05:57:13 AM »

Okay so I have been having this problem for about 2 months now and no matter what I try nothing fixes it. Basically what happens is, I type a search into any engine, yahoo or google normally, and the results come up fine and dandy. The real problem is when I click the links. This redirects me to so many different random sites that I have lost count.
So after just plain out getting fed up with this issue I decided to try out firefox. Turns out, the second this was installed it had the same issue as well.
I have ran many virus and spyware scans but to no avail.
This is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:54:30 AM, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\SOUNDMAN.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\windows\system32\lxdccoms.exe
C:\windows\System32\svchost.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: lxdc_device - - C:\windows\system32\lxdccoms.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

Not much too it because I already picked it apart myself. I like to pretend I know what I am doing.

So anyways, I am up for any suggestions or help that can be offered and it will be greatly appreciated.

Thanks in advance,

Tab

guestolo · « **Reply #1 on:** December 12, 2007, 10:32:47 PM »

Quote

Not much too it because I already picked it apart myself. I like to pretend I know what I am doing.

Yah, that's can be a problem, I don't like to help unless I see everything running on startup without interference

If you have disabled any startup entries from running on startup with msconfig
Reenable them
Don't reboot the computer yet

NEXT: Open Hijackhthis>>View a list of backups and RESTORE All backups
REboot the computer

Back in Windows, update your version of Hijackthis from my signature below
Run a new scan and save log file and post the new log

Tab · « **Reply #2 on:** December 17, 2007, 05:54:58 AM »

Sorry for the delay in the response, it is a busy time of year.

Everything I posted is just that, everything. I used a tool called MsConfigCleanUp to remove anything else that wasn't actively running and/or needed to boot.

However... I think I may have found the root of the problem. I did some fiddling around with my internet explorer and it turns out I do not have this problem at all when I disable Active X controllers.

Unfortunately I do not know of any ways to take care of this... I was thinking of physically deleting them... or maybe just uninstalling IE and FF from my computer. I would hate to do these options unless I know it will correct the problem.

So is there any way to safely destroy all Active X controllers? Would an uninstall work? Or maybe, is there a way to see which is being the nuisance?

Hope you can help.

Dr Tim · « **Reply #3 on:** December 17, 2007, 10:14:45 AM »

I have had this problem before, but unfortunatly I can't remember how I got rid of it. If I remember, I will tell you.

guestolo · « **Reply #4 on:** December 17, 2007, 08:04:59 PM »

Can you do the following then for me
Download this file - Combofix.exe and save it ONLY to your desktop

Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
It's default location is C:\Combofix.txt

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

Afterwards, do the following

1. Post the log from Combofix

2. Download Hijackthis from my signature below, install it and run a fresh Scan>>Save logfile, post the whole contents of the log that opens

Tab · « **Reply #5 on:** December 18, 2007, 05:04:33 PM »

ComboFix 07-12-19.2 - Tabion 2007-12-18 16:45:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.456 [GMT -5:00]
Running from: C:\Documents and Settings\Tabion\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\windows\system32\kdfol.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NPF

((((((((((((((((((((((((( Files Created from 2007-11-19 to 2007-12-19 )))))))))))))))))))))))))))))))
.

2007-12-18 16:44 . 2007-12-18 16:44 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-14 16:36 . 2007-12-14 16:51 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-14 15:59 . 2007-12-14 15:59 <DIR> d-------- C:\Program Files\MSConfig CleanUp
2007-12-14 05:23 . 2007-12-14 05:23 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-12-13 00:05 . 2007-12-13 00:05 <DIR> d-------- C:\Program Files\WiFiConnector
2007-12-13 00:00 . 2007-12-13 00:00 <DIR> d-------- C:\Nintendo
2007-12-13 00:00 . 2004-05-12 13:49 1 --a------ C:\WINDOWS\system32\drivers\RT25USBAP.CAT
2007-12-12 23:59 . 2007-12-12 23:59 1,784,670 --a------ C:\Nintendo_WFC_USB.zip
2007-12-12 05:31 . 2007-12-12 05:31 <DIR> d-------- C:\Documents and Settings\Tabion\Application Data\Grisoft
2007-12-12 05:30 . 2007-12-12 05:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-12 05:30 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-12 05:29 . 2007-12-12 05:29 12,413,440 --a------ C:\avgas-setup-7.5.1.43.exe
2007-12-12 04:50 . 2007-12-12 04:50 251,392 --a------ C:\hijackthis_sfx.exe
2007-12-12 04:17 . 2007-12-12 05:22 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-12-12 04:16 . 2007-12-12 04:16 121 --a------ C:\WINDOWS\bdagent.INI
2007-12-12 03:14 . 2007-12-12 03:14 77,824 --a------ C:\WINDOWS\system32\xcomm.dll
2007-12-11 06:43 . 2007-12-17 08:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-11 06:43 . 2007-12-11 06:43 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-10 16:10 . 2004-03-29 16:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2007-12-07 21:02 . 2007-12-18 00:16 <DIR> d-------- C:\Program Files\Metin2.us
2007-12-07 19:17 . 2007-12-07 19:55 <DIR> d-------- C:\metin2_20071126
2007-12-01 19:02 . 2007-12-01 19:02 <DIR> d-------- C:\Program Files\Netropa
2007-12-01 19:02 . 2002-07-11 07:47 98,304 --a------ C:\WINDOWS\system32\msikbd.dll
2007-12-01 19:02 . 2000-06-08 02:09 28,672 --------- C:\WINDOWS\system32\msiosd32.dll
2007-12-01 19:02 . 2001-12-20 09:02 6,656 --------- C:\WINDOWS\system32\drivers\Msikbd2k.sys
2007-12-01 19:02 . 2007-12-19 16:50 253 --a------ C:\WINDOWS\Msiosd.ini
2007-12-01 19:01 . 2007-12-01 19:01 <DIR> d-------- C:\smartoffice
2007-12-01 19:01 . 2007-12-01 19:01 <DIR> d-------- C:\kb740x
2007-12-01 19:01 . 2007-12-01 19:01 3,909,432 --a------ C:\kb740x.zip
2007-11-30 16:29 . 2007-11-30 16:38 <DIR> d-------- C:\books
2007-11-30 12:44 . 2007-11-30 12:44 <DIR> d-------- C:\Program Files\Realtek AC97
2007-11-30 12:44 . 2006-08-01 15:02 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe
2007-11-30 12:31 . 2007-11-30 12:40 18,476,841 --a------ C:\WDM_A403.exe
2007-11-29 22:05 . 2007-11-29 23:05 289,278,764 --a------ C:\[DB]_Naruto_Shippuuden_036-037_[B06574F4].avi
2007-11-28 23:43 . 2007-11-28 23:43 <DIR> d-------- C:\WINDOWS\Sun
2007-11-28 23:43 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-28 23:42 . 2007-11-28 23:43 <DIR> d-------- C:\Program Files\Java
2007-11-28 23:42 . 2007-11-28 23:42 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-28 21:05 . 2007-11-28 22:38 <DIR> d-------- C:\ijji
2007-11-19 11:02 . 2007-11-19 11:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\IJJIGame

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-17 13:36 --------- d-----w C:\Documents and Settings\Tabion\Application Data\uTorrent
2007-12-17 10:40 --------- d-----w C:\Program Files\Lexmark 1300 Series
2007-12-17 10:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-17 06:06 --------- d-----w C:\Program Files\Lx_cats
2007-12-16 23:45 --------- d-----w C:\Program Files\DazzlingEvents
2007-12-14 21:00 --------- d-----w C:\Documents and Settings\Tabion\Application Data\IGN_DLM
2007-12-14 10:17 685,816 ----a-w C:\windows\system32\drivers\sptd.sys
2007-12-12 09:18 --------- d-----w C:\Documents and Settings\Tabion\Application Data\Juniper Networks
2007-12-12 09:17 --------- d-----w C:\Program Files\Axialis
2007-12-07 05:12 --------- d-----w C:\Program Files\Winamp Remote
2007-11-29 03:18 --------- d-----w C:\Program Files\Winamp
2007-11-29 01:41 --------- d--h--w C:\Documents and Settings\Tabion\Application Data\ijjigame
2007-11-28 17:31 --------- d-----w C:\Program Files\Razor
2007-11-15 12:34 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2007-11-15 12:31 --------- d-----w C:\Program Files\Yahoo!
2007-11-14 10:25 --------- d-----w C:\Program Files\ICQ6
2007-11-08 19:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\OrbNetworks
2007-11-08 19:26 15,081,800 ----a-w C:\winampremote.exe
2007-10-29 21:54 --------- d-----w C:\Program Files\EA GAMES
2007-10-29 19:26 --------- d-----w C:\Program Files\Diablo II
2007-10-29 18:39 --------- d-----w C:\Program Files\UOAM
2007-10-27 21:59 --------- d-----w C:\Program Files\Renaissance Software
2007-10-27 05:07 --------- d-----w C:\Documents and Settings\Tabion\Application Data\ICAClient
2007-10-27 05:04 --------- d-----w C:\Program Files\Citrix
2007-10-26 16:20 4,124,352 ----a-r C:\windows\system32\drivers\alcxwdm.sys
2007-10-23 07:46 --------- d-----w C:\Program Files\Trillian
2007-10-20 19:05 43,520 ----a-w C:\windows\system32\CmdLineExt03.dll
2007-10-19 19:20 21,840 ----a-w C:\windows\system32\SIntfNT.dll
2007-10-19 19:20 17,212 ----a-w C:\windows\system32\SIntf32.dll
2007-10-19 19:20 12,067 ----a-w C:\windows\system32\SIntf16.dll
2007-10-19 19:09 94,208 ----a-w C:\windows\DIIUnin.exe
2007-10-19 05:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-19 04:28 --------- d-----w C:\Program Files\Arovax AntiSpyware
2007-10-16 22:10 164 ----a-w C:\install.dat
2007-10-05 21:39 776,704 ----a-w C:\amem5a.exe
2007-10-05 19:37 5,290,394 ----a-w C:\win2k_xp1417.exe
2007-06-03 09:49 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-03 18:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 08:50 C:\WINDOWS\LOGI_MWX.EXE]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 C:\WINDOWS\soundman.exe]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2002-06-19 10:50]
"lxdcamon"="C:\Program Files\Lexmark 1300 Series\lxdcamon.exe" [2007-02-05 18:32]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []
"IE7-11"="advpack.dll" [2007-03-21 05:11 C:\WINDOWS\system32\advpack.dll]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Run Registration Tool.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [2007-12-13 00:05:39]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-03 18:56 15360 --a------ C:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-09-20 09:32 77824 --a------ C:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-09-20 09:36 114688 --a------ C:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-09-20 09:35 94208 --a------ C:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdcmon.exe]
C:\Program Files\Lexmark 1300 Series\lxdcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"wuauserv"=2 (0x2)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"AWService"=2 (0x2)
"SamSs"=2 (0x2)
"SharedAccess"=2 (0x2)
"usnjsvc"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"AVG Anti-Spyware Guard"=2 (0x2)
"lxdc_device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ipTray.exe"="C:\Program Files\Intel\IDU\iptray.exe"
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\windows\system32\DRIVERS\msikbd2k.sys [2001-12-20 09:02]
R2 EAPPkt;Realtek EAPPkt Protocol;C:\windows\system32\DRIVERS\EAPPkt.sys [2005-04-01 10:43]
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 06:41]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2006-10-27 18:18]
R2 SIODRV;SIODRV;C:\WINDOWS\system32\drivers\SIODRV.SYS [2007-05-23 09:17]
R3 smbusp;Intel® SMBus 2.0 Driver;C:\windows\system32\DRIVERS\intelsmb.sys [2006-08-30 10:09]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\windows\system32\DRIVERS\wg111v2.sys []
S4 DNADownloader;DNADownloader;C:\Program Files\GameSpot\DownloadManager_Win32.exe [2007-07-10 01:17]
S4 lxdc_device;lxdc_device;C:\windows\system32\lxdccoms.exe -service []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\autorun.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-19 16:50:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-19 16:51:19 - machine was rebooted

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:01:06 PM, on 12/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\windows\SOUNDMAN.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\windows\System32\svchost.exe
C:\windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [IE7-11] rundll32 advpack.dll,LaunchINFSection NR_IE7en.inf,AfterUserStart (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: Run Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

--
End of file - 2285 bytes

guestolo · « **Reply #6 on:** December 18, 2007, 07:50:27 PM »

Do the next couple steps please

download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Double click on Fixwareout.exe on desktop
Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Afterwards
Run 'BitDefender Online Scanner' using Internet Explorer:
http://www.bitdefender.com/scan8/ie.html
At the 'END USER SOFTWARE LICENSE AGREEMENT' select 'I agree'.
You'll be prompted to install the activex control,please do so.
Once installed,disable your current antivirus program if one is installed, then click the 'Click here to scan' button.
The virus signatures will then load.
Once loaded the scan will start.
The scan will take quite some time so please be patient.
Once the scan has finished select the 'Detected Problems' tab.
Click on 'Click here to export scan'.
Save the file as an HTML file to your desktop.
Then click on the saved file and allow it to open with your browser.
Go to 'Edit'/'Select All' then copy and paste that log into your next reply.

Also Post the report from Fixwareout>>report.txt in the C:\Fixwareout folder

Tab · « **Reply #7 on:** December 19, 2007, 02:55:42 AM »

Username "Tabion" - 12/20/2007 1:52:15 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.

System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"Logitech Utility"="Logi_MwX.Exe"
"SoundMan"="SOUNDMAN.EXE"
"MULTIMEDIA KEYBOARD"="C:\\Program Files\\Netropa\\Multimedia Keyboard\\MMKeybd.exe"
"lxdcamon"="\"C:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\windows\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

[font=\"Arial\"][color=\"red\"]BitDefender Online Scanner[/color][/font]

[font=\"Arial\"]Scan report generated at: Thu, Dec 20, 2007 - 02:52:20[/font]

[font=\"Arial\"] [/font]

[font=\"Arial\"]Scan path: A:\;C:\

:\;F:\;G:\;[/font]

    [font=\"Arial\"] [/font]

[font=\"Arial\"]Statistics[/font]

[font=\"Arial\"]Time[/font]

[font=\"Arial\"]00:51:14[/font]

[font=\"Arial\"]Files[/font]

[font=\"Arial\"]192896[/font]

[font=\"Arial\"]Folders[/font]

[font=\"Arial\"]5259[/font]

[font=\"Arial\"]Boot Sectors[/font]

[font=\"Arial\"]4[/font]

[font=\"Arial\"]Archives[/font]

[font=\"Arial\"]1799[/font]

[font=\"Arial\"]Packed Files[/font]

[font=\"Arial\"]9570[/font]

     [font=\"Arial\"]Results[/font]

[font=\"Arial\"]Identified Viruses [/font]

[font=\"Arial\"]1[/font]

[font=\"Arial\"]Infected Files [/font]

[font=\"Arial\"]2[/font]

[font=\"Arial\"]Suspect Files [/font]

[font=\"Arial\"]0[/font]

[font=\"Arial\"]Warnings[/font]

[font=\"Arial\"]0[/font]

[font=\"Arial\"]Disinfected[/font]

[font=\"Arial\"]0[/font]

[font=\"Arial\"]Deleted Files[/font]

[font=\"Arial\"]2[/font]

    [font=\"Arial\"]Engines Info[/font]

[font=\"Arial\"]Virus Definitions[/font]

[font=\"Arial\"]882639[/font]

[font=\"Arial\"]Engine build[/font]

[font=\"Arial\"]AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)[/font]

[font=\"Arial\"]Scan plugins[/font]

[font=\"Arial\"]14[/font]

[font=\"Arial\"]Archive plugins[/font]

[font=\"Arial\"]38[/font]

[font=\"Arial\"]Unpack plugins[/font]

[font=\"Arial\"]7[/font]

[font=\"Arial\"]E-mail plugins[/font]

[font=\"Arial\"]6[/font]

[font=\"Arial\"]System plugins[/font]

[font=\"Arial\"]1[/font]

    [font=\"Arial\"]Scan Settings[/font]

[font=\"Arial\"]First Action[/font]

[font=\"Arial\"]Disinfect[/font]

[font=\"Arial\"]Second Action[/font]

[font=\"Arial\"]Delete[/font]

[font=\"Arial\"]Heuristics[/font]

[font=\"Arial\"]Yes[/font]

[font=\"Arial\"]Enable Warnings[/font]

[font=\"Arial\"]Yes[/font]

     [font=\"Arial\"]Scanned Extensions[/font]

[font=\"Arial\"]*;[/font]

[font=\"Arial\"]Exclude Extensions[/font]

[font=\"Arial\"] [/font]

[font=\"Arial\"]Scan Emails[/font]

[font=\"Arial\"]Yes[/font]

[font=\"Arial\"]Scan Archives[/font]

[font=\"Arial\"]Yes[/font]

[font=\"Arial\"]Scan Packed[/font]

[font=\"Arial\"]Yes[/font]

[font=\"Arial\"]Scan Files[/font]

[font=\"Arial\"]Yes[/font]

[font=\"Arial\"]Scan Boot[/font]

[font=\"Arial\"]Yes[/font]

    [font=\"Arial\"]Scanned File[/font]

[font=\"Arial\"] Status[/font]

        [font=\"Arial\"]C:\qoobox\Quarantine\C\WINDOWS\system32\kdfol.exe.vir[/font]

               [font=\"Arial\"]Infected with: Trojan.DNSCHanger.QN[/font]

             [font=\"Arial\"]C:\qoobox\Quarantine\C\WINDOWS\system32\kdfol.exe.vir[/font]

               [font=\"Arial\"]Disinfection failed[/font]

             [font=\"Arial\"]C:\qoobox\Quarantine\C\WINDOWS\system32\kdfol.exe.vir[/font]

               [font=\"Arial\"]Deleted[/font]

             [font=\"Arial\"]C:\System Volume Information\_restore{10955F49-53EE-4A1A-9980-F6DF3FA35510}\RP2\A0000012.exe[/font]

               [font=\"Arial\"]Infected with: Trojan.DNSCHanger.QN[/font]

             [font=\"Arial\"]C:\System Volume Information\_restore{10955F49-53EE-4A1A-9980-F6DF3FA35510}\RP2\A0000012.exe[/font]

               [font=\"Arial\"]Disinfection failed[/font]

             [font=\"Arial\"]C:\System Volume Information\_restore{10955F49-53EE-4A1A-9980-F6DF3FA35510}\RP2\A0000012.exe[/font]

               [font=\"Arial\"]Deleted[/font]



    [font=\"Arial\"] [/font]

    [font=\"Arial\"] [/font]

Well, there very well be my problem!

Any suggestions on proper removal?

guestolo · « **Reply #8 on:** December 20, 2007, 01:11:55 AM »

Don't worry about what BitDefender found
qoobox is part of combofix's quarantine

And System Volume Information folder are your System Restore points
Only bad if you restore back to those infected points

Do the following
Go to START>>RUN>>Copy then paste the next command below in bold
Then hit OK

combofix /u

This will uninstall combofix

Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Select>>Create a New restore point
Give it a name and click Create
Windows will prompt when it was created successfully
When that's done

Go to START>>RUN>>type the following
cleanmgr
Hit OK
Let if finish calculating

Select the More Options tab
and click Cleanup.. under 'System Restore'
This will clear all later restore points except for the one you just made

Ok the prompts, it may take a few seconds to remove old restore points
Ok again after it's ready and let it finish cleaning

Although we ran BitDefender Online Virus scan, it does Not replace having your own AV protection running active in the background
I suggest that you install ONE of these free Anti-Virus software
You decide which one, But only choose ONE, more than one active AV running in the background
Can, and probably will cause conflicts

AVG 7 by Grisoft
OR
Avast Home Edition by ALWIL
OR
Avira AntiVir Personal Edition Classic

After you have installed your new AV
Ensure it is updated and then run a complete system scan
Afterwards, reboot the computer than come back here and post one more fresh hijackthis log
Let me know how things are running

NOTE: Avg-Antispyware is NOT the same as AVG-AntiVirus software

Tab · « **Reply #9 on:** December 20, 2007, 06:24:24 AM »

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:19:43 AM, on 12/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\SOUNDMAN.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\windows\System32\svchost.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: Run Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

--
End of file - 3301 bytes

I am no longer having any troubles! Go figure that one AVG product didn't pick this up but another did.

Thank you for all the help and saving me from formatting, I greatly appreciate it.

guestolo · « **Reply #10 on:** December 20, 2007, 09:59:09 PM »

You can go ahead and delete Fixwareout on desktop and the following folder
C:/Fixwareout

NEXT:
Go to START>>RUN>>Copy then paste the next command below in bold
Then hit OK

combofix /u

This will uninstall combofix

Also, Can you do the following
I suggest that you add SpywareBlaster to your protection software
SpywareBlaster 3.5.1 by JavaCool

After installation, Check for updates
After updating, select "Protection" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"

Also, It wouldn't be a bad idea to install Spybot 1.4 if you don't have it installed
You can download it from
HERE

Install with default settings that are selected
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
RIGHT CLICK in the download results and click Select All
OR
Individually Check, and then download all updates
Ensure all updates are successful, a GREEN check will indicate this
If you have an error updating, search for updates again and retry the download until all updates are successfully installed
After update is complete

Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected promblems in RED

RESTART the computer to finish any cleaning process
In addition, utilize the Immunization feature
After every update
Click the "Immunize" button>>OK the prompt>>Immunize again at the top green cross

If there are other user profiles on the computer, have them login and enable all protections with Spywareblaster
and Immunize with Spybot after every update

NEXT:
Go to START>>RUN>>type the following
cleanmgr
Hit OK
Let if finish calculating

Select the More Options tab
and click Cleanup.. under 'System Restore'
This will clear all later restore points except for the one you just made

Ok the prompts, it may take a few seconds to remove old restore points
Ok again after it's ready and let it finish cleaning
I hope that helps

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

TheTechGuide Forum

News:

Author Topic: IE Hijacked, Help Please. (Read 3933 times)

Tab

IE Hijacked, Help Please.

guestolo

IE Hijacked, Help Please.

Tab

IE Hijacked, Help Please.

Dr Tim

IE Hijacked, Help Please.

guestolo

IE Hijacked, Help Please.

Tab

IE Hijacked, Help Please.

guestolo

IE Hijacked, Help Please.

Tab

IE Hijacked, Help Please.

guestolo

IE Hijacked, Help Please.

Tab

IE Hijacked, Help Please.

guestolo

IE Hijacked, Help Please.