Hijacked Browser From Font Download, Need Help


2 replies to this topic

#1 arcitek

  • Members
  • 2 posts
Posted 06 November 2007 - 05:36 PM

I am an architect, not a computer guru, so any help would be greatly appreciated. I have run Ad-Aware, Spybot, SmitRem, SmitFraudFix, RogueRemover and CCleaner several times in safe mode. I have tried to use KillBox to zap 2 DLL files that just cannot be removed, but to no avail. Every time I run IE 6, I get redirected to a new window and a script dialogue box pops up. I have attached a copy of the HijackThis log. I really do not know what I am looking at, so any help would be great, as I am trying to work on my office computer, which is networked through our server.

Thanks,

Kevin

I should add I am running Win2000 Pro and have been using Avast for virus detection lately. (Not really happy, as this let it through.)


Edited by arcitek, 06 November 2007 - 05:41 PM.



#2 arcitek

  • Topic Starter
  • Members
  • 2 posts

Posted 06 November 2007 - 06:35 PM

I ran ComboFix and am including the log from that:

ComboFix 07-11-07.3 - kevinm 11/06/2007 18:11:26.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1562 [GMT -5:00]
Running from: C:\Documents and Settings\kevinm.PRODC\Desktop\ComboFix.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Program Files\WinAble
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINNT\b122.exe
C:\WINNT\cookies.ini
C:\WINNT\system32\a1
C:\WINNT\system32\g2
C:\WINNT\system32\g2\caws83122.exe
C:\WINNT\system32\h1
C:\WINNT\system32\ldinfo.ldr
C:\WINNT\system32\ocpebkx.dll
C:\WINNT\system32\pac.txt
C:\WINNT\system32\r2
C:\WINNT\system32\r2\wr31drs.exe
C:\WINNT\system32\ssttu.dll
C:\WINNT\system32\uttss.bak1
C:\WINNT\system32\uttss.bak2
C:\WINNT\system32\uttss.ini
C:\WINNT\system32\v8
C:\WINNT\system32\v8\taldrvr11.exe
C:\WINNT\winshow.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_FMTR


((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 )))))))))))))))))))))))))))))))
.

2007-11-07 18:23 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_320.dat
2007-11-07 18:18 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_498.dat
2007-11-07 18:17 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_244.dat
2007-11-06 17:52 <DIR> d-------- C:\Program Files\PJW
2007-11-06 11:39 4,090 --a------ C:\WINNT\system32\tmp.reg
2007-11-06 11:32 <DIR> d-------- C:\WINNT\Content.IE5
2007-11-06 11:24 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-11-06 07:43 <DIR> d--hs---- C:\Documents and Settings\kevinm.PRODC\Application Data\Folder Settings
2007-11-06 07:16 87,104 --a------ C:\WINNT\system32\qkydgxhs.dll
2007-11-06 07:05 81,472 --a------ C:\WINNT\system32\auibrcrx.dll
2007-11-06 05:04 35,328 --a------ C:\WINNT\system32\iifgfcy.dll
2007-11-06 05:02 35,328 --a------ C:\WINNT\system32\yaywxuv.dll
2007-11-06 05:01 <DIR> d-a------ C:\WINNT\system32\Mz02r
2007-11-06 05:01 35,840 --a------ C:\WINNT\17PHolmes572.exe
2007-11-06 05:01 35,328 --a------ C:\WINNT\system32\efcbyaa.dll
2007-11-05 14:11 35,840 --a------ C:\WINNT\17PHolmes77.exe
2007-11-05 14:11 35,840 --a------ C:\WINNT\17PHolmes1000106.exe
2007-11-05 14:10 <DIR> d-a------ C:\WINNT\system32\Mz08r
2007-11-05 14:10 <DIR> d-------- C:\TEMP\mZOr
2007-11-05 14:10 36,352 --a------ C:\WINNT\system32\vturqnk.dll
2007-10-17 17:06 <DIR> d-------- C:\Program Files\LogMeIn
2007-10-17 17:06 83,288 --a------ C:\WINNT\system32\LMIRfsClientNP.dll
2007-10-17 17:06 46,112 --a------ C:\WINNT\system32\drivers\LMIRfsDriver.sys
2007-10-17 17:06 21,496 --a------ C:\WINNT\system32\LMIport.dll
2007-10-16 08:21 <DIR> d-------- C:\Program Files\Check

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-06 16:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-05 21:38 --------- d-----w C:\Program Files\Desktop Restore
2007-10-05 18:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-02 20:51 23,736 ----a-w C:\WINNT\system32\lmimirr.dll
2007-10-02 20:51 10,040 ----a-w C:\WINNT\system32\lmimirr2.dll
2007-09-20 19:04 --------- d-----w C:\Program Files\Details
2007-09-19 19:51 --------- d-----w C:\Program Files\Aide PDF to DXF Converter
2007-09-19 19:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-12 14:20 10,144 ----a-w C:\WINNT\system32\drivers\lmimirr.sys
2007-09-12 14:19 8,784 ----a-w C:\WINNT\system32\ractrlkeyhook.dll
2007-02-02 14:02 722,176 ----a-w C:\Documents and Settings\kevinm.PRODC\gotomypc_428.exe
2006-12-08 17:29 94,120 ----a-w C:\Documents and Settings\kevinm.PRODC\Application Data\GDIPFONTCACHEV1.DAT
2006-11-17 21:35 36,441 ----a-w C:\Program Files\fzuninstv5.5.0.log
2006-11-17 21:35 30,279 ----a-w C:\Program Files\setuplog.txt
2006-09-07 18:47 563,712 ----a-w C:\Documents and Settings\kevinm.PRODC\gotomypc_370.exe
2005-07-08 19:44 8,956 ----a-r C:\Program Files\instlog.lsl
2005-01-04 14:22 92,552 ----a-w C:\Documents and Settings\kevinm\Application Data\GDIPFONTCACHEV1.DAT
2003-11-12 19:24 38,200 -c--a-w C:\Program Files\uninstal.log
2003-11-12 18:58 434 ----a-w C:\Program Files\Shortcut to AnswerWorks 4.0.lnk
2003-09-16 05:19 99,544 -c--a-w C:\WINNT\inf\virprn.exe
2003-09-16 05:19 90,624 ----a-w C:\WINNT\inf\prtproc.dll
2003-09-16 05:19 18,950 -c--a-w C:\WINNT\inf\virpntd.dll
2003-09-16 05:19 10,240 ----a-w C:\WINNT\inf\virport.dll
2002-12-27 17:41 271 ---h--w C:\Program Files\desktop.ini
2002-12-27 17:41 21,952 ---h--w C:\Program Files\folder.htt
2002-07-24 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2007-01-18 21:07:37 88 --sha-r C:\WINNT\system32\AC6ED385C3.sys
2005-12-26 15:35:01 104 --sha-r C:\WINNT\system32\C385D36EAC.sys
2007-01-29 21:01:42 5,852 --sha-w C:\WINNT\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3225EFA8-4CCD-4153-ABEC-3A64CBE95A44}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D9C50B0-B967-43DF-5C8B-06ED43B46653}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
07-11-05 14:10 36352 --a------ C:\WINNT\system32\vturqnk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74611674-4d87-4c9c-ba62-bfe153b8cc6c}]
07-11-06 07:05 81472 --a------ C:\WINNT\system32\auibrcrx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89A9D63B-9042-43CD-368E-2E32557F9C10}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A7625F5E-2726-4051-BC3B-D6B33BF04522}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FD66DC-056E-4A0C-90D6-C8F198DBBC53}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAA3947A-B573-4B25-A392-830F98E43447}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
"IgfxTray"="C:\WINNT\System32\igfxtray.exe" [02-09-09 00:18 ]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [06-03-17 13:16 ]
"nwiz"="nwiz.exe" [06-03-17 13:16 C:\WINNT\system32\nwiz.exe]
"CreateCD50"="C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" [03-04-17 11:31 ]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [03-04-17 11:31 ]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [02-09-24 15:39 ]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [02-03-21 23:41 ]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [02-04-11 03:19 ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04-08-25 17:10 ]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [04-12-14 02:12 ]
"NvMediaCenter"="C:\WINNT\system32\NvMcTray.dll" [06-03-17 13:16 ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07-07-12 03:00 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-10-11 12:18 ]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [07-01-12 17:45 ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07-07-27 17:03 ]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [07-09-12 09:20 ]
"64b47f5c"="C:\WINNT\system32\qkydgxhs.dll" [07-11-06 07:16 ]
"zSPGuard"="c:\program files\pjw\spguard\spguard.exe" [03-01-20 01:34 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 12:09 C:\WINNT\system32\CTFMON.EXE]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [06-11-13 13:39 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"=ctfmon.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINNT\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-03-09 11:43:23]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2004-02-25 01:35:00]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-10-04 13:59:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"= C:\WINNT\system32\vturqnk.dll [07-11-05 14:10 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vturqnk]
vturqnk.dll 07-11-05 14:10 36352 C:\WINNT\system32\vturqnk.dll

R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys
R1 lmimirr;lmimirr;C:\WINNT\system32\DRIVERS\lmimirr.sys
R1 UdfReadr;UdfReadr;C:\WINNT\system32\drivers\UdfReadr.sys
R2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\C:\Program Files\LogMeIn\x86\RaInfo.sys
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\WINNT\system32\drivers\LMIRfsDriver.sys
R2 MSSQL$ACT7;SQL Server (ACT7);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sACT7
R3 usbhub20;USB Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys
S3 usb_rndisy;USB RNDIS Adapter;C:\WINNT\system32\DRIVERS\usb8023y.sys

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 18:24:44
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-07 18:26:05 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-08-22 13:01
C:\ComboFix2.txt ... 07-08-22 13:03
.
--- E O F ---

Thanks,

Kevin
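As an added example (not part of the original thread, and not a ComboFix or BleepingComputer tool), here is a small Python triage script for logs like the one above. It walks the "Reg Loading Points" section, cross-references each autostart target with the "Files Created" section and with ComboFix's own inline timestamps, and flags targets that were created within a few days of the scan or that carry a random-looking file name. The embedded log is a constructed, trimmed copy of entries from Kevin's log; the 7-day window and the vowel-ratio/consonant-run heuristic are my own assumed thresholds.

```python
"""Triage the 'Reg Loading Points' of a ComboFix log (added example, not a
ComboFix tool).  Flags autostart targets created just before the scan or
with random-looking names, and lists every loading point that references them."""
import re
from datetime import datetime, timedelta

# Constructed excerpt: a trimmed copy of the entries in the log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 )))))))))))))))))))))))))))))))
2007-11-06 07:16 87,104 --a------ C:\WINNT\system32\qkydgxhs.dll
2007-11-06 07:05 81,472 --a------ C:\WINNT\system32\auibrcrx.dll
2007-11-05 14:10 36,352 --a------ C:\WINNT\system32\vturqnk.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
07-11-05 14:10 36352 --a------ C:\WINNT\system32\vturqnk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74611674-4d87-4c9c-ba62-bfe153b8cc6c}]
07-11-06 07:05 81472 --a------ C:\WINNT\system32\auibrcrx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07-07-27 17:03 ]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [07-09-12 09:20 ]
"64b47f5c"="C:\WINNT\system32\qkydgxhs.dll" [07-11-06 07:16 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"= C:\WINNT\system32\vturqnk.dll [07-11-05 14:10 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vturqnk]
vturqnk.dll 07-11-05 14:10 36352 C:\WINNT\system32\vturqnk.dll

R2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys
"""

HEADER_RE = re.compile(r"Files Created from \d{4}-\d{2}-\d{2} to (\d{4}-\d{2}-\d{2})")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\S+\s+\S+\s+(.+)$")
INLINE_TS_RE = re.compile(r"\b(\d{2}-\d{2}-\d{2} \d{2}:\d{2})\b")
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);")
# A drive-letter path, stopping before a closing quote, a '[' timestamp or end of line.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\[\]]+?)(?=\s*(?:["\[]|$))')
VOWELS = set("aeiouy")


def looks_random(stem):
    """Crude name heuristic (assumed thresholds): few vowels or a long consonant run."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest = run = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_ratio < 0.25 or longest >= 6


def analyze(log_text, window_days=7):
    """Return one finding per autostart entry: key, path, creation time, reasons."""
    created, scan_date, section, key, findings = {}, None, None, None, []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := HEADER_RE.search(line)):
            scan_date, section = datetime.strptime(m.group(1), "%Y-%m-%d"), "created"
        elif "Reg Loading Points" in line:
            section = "reg"
        elif "Find3M Report" in line:
            section = None  # Find3M lists modification times, not creation times
        elif section == "created" and (m := CREATED_RE.match(line)):
            created[m.group(2).strip().lower()] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        elif section == "reg":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]  # registry key that the following value lines belong to
                continue
            if (m := SERVICE_RE.match(line)):
                key = "Services\\" + m.group(1)
            pm = PATH_RE.search(line)
            if not pm or key is None:
                continue
            path = pm.group(1).strip()
            when = created.get(path.lower())
            if when is None and (tm := INLINE_TS_RE.search(line)):
                when = datetime.strptime(tm.group(1), "%y-%m-%d %H:%M")  # ComboFix's own stamp
            reasons = []
            if when and scan_date and scan_date - when <= timedelta(days=window_days):
                reasons.append(f"created {when:%Y-%m-%d}, within {window_days} days of the scan")
            base = path.rsplit("\\", 1)[-1]
            if looks_random(base.rsplit(".", 1)[0]):
                reasons.append("random-looking file name")
            findings.append({"key": key, "path": path, "created": when, "reasons": reasons})
    return findings


def flagged_files(log_text, window_days=7):
    """Sorted lowercase basenames of autostart targets that earned at least one reason."""
    return sorted({f["path"].rsplit("\\", 1)[-1].lower()
                   for f in analyze(log_text, window_days) if f["reasons"]})


def loading_points(log_text):
    """Map each flagged basename to every loading point that references it."""
    points = {}
    for f in analyze(log_text):
        if f["reasons"]:
            points.setdefault(f["path"].rsplit("\\", 1)[-1].lower(), set()).add(f["key"])
    return points


if __name__ == "__main__":
    for name, keys in loading_points(SAMPLE_LOG).items():
        print(name, "referenced from", len(keys), "loading point(s):", *sorted(keys), sep="\n  ")
```

On the excerpt this reports the same three DLLs a helper would circle in the full log: vturqnk.dll is referenced from a BHO, a ShellExecuteHooks value and a Winlogon Notify entry at once, and qkydgxhs.dll from a Run value with a hex-looking name. A DLL loaded through Winlogon Notify is mapped into winlogon.exe at logon, which is one reason a file delete from the desktop does not stick. The name heuristic is deliberately loose (vendor names with few vowels can trip it), so treat a hit as a prompt to check the file's hash and publisher, not as a verdict.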

#3 AndyManchesta

  • Members
  • 58 posts
  • Gender: Male
  • Location: Manchester, UK

Posted 24 November 2007 - 03:28 AM

Hi Kevin, Welcome to the forum,

We are sorry for the delay in responding. The volunteers here are swamped and unfortunately not all logs get answered as quickly as we'd like. If you still require assistance please post a new HijackThis log into this topic and I'd be happy to help you clean up any remaining problems.

Thanks

Andy



