Internet Explorer 7 Exploited


This topic is locked
3 replies to this topic

#1 zylon


Posted 04 February 2008 - 09:39 PM

Someone please help me. My Internet Explorer 7 got exploited through an email I opened up. I think it was an auto-download exploit for IE7. I have Vista, and I've been trying to reinstall it, but I don't know how. I went to microsoft.com and clicked the button to download, but it doesn't let me because it's saying I have it already...

Can someone please help me with this problem, on how to reinstall or repair my IE7.

Here's my HijackThis Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:51 PM, on 2/4/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {C1DC94EF-897B-4DC1-A6BA-F06A88167F22} - C:\WINDOWS\system32\mlljj.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O13 - Gopher Prefix: 
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {32A155BD-68EC-404E-A14F-72A851C0811D} (WebNG-Uploader Control) - http://cp1.webng.com/client/fm/WebNG-Uploader.cab
O16 - DPF: {339234B4-4E14-4280-B8B4-8BAE5AF99063} (Chess Object) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab55579.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games  Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://www.netmarble.jp/_common/cab/NMJTransX.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab55579.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - http://download.netmarble.com/kdefence/kdfense8237.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games  Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ADA2D14B-C0F1-4B4F-9C9A-F23F4D107D19}: NameServer = 192.168.15.1
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\Windows\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--End of file - 6899 bytes

I've been to websites and the hacker has somehow gotten my keys. I think the exploit auto-downloaded an IE7 keylogger.
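A defender-side triage pass over entries from the log above, as an added example (not code from the original post or from HijackThis): it parses HijackThis entry lines and flags the hints a log analyst checks first, such as a BHO with no display name whose DLL is missing, a browser button that points at a remote URL, or a service with no publisher. The sample entries are copied from the posted log; the heuristics are this example's assumptions, not HijackThis rules, and a hit means "verify", not "malicious".

```python
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Tuple

# Constructed subset of the HijackThis log posted in this thread, one entry per section type.
SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {C1DC94EF-897B-4DC1-A6BA-F06A88167F22} - C:\\WINDOWS\\system32\\mlljj.dll (file missing)
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe"
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\\Windows\\system32\\PnkBstrA.exe
"""

# HijackThis entry lines start with a section tag (R0, R1, F2, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+)\s+-\s+(?P<body>.+)$")

@dataclass
class Finding:
    section: str
    body: str
    reasons: List[str] = field(default_factory=list)

def parse_entries(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (section, body) for each entry line; header, process list and blank lines are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")

def triage(text: str) -> List[Finding]:
    """Return entries worth a second look, each with the heuristic(s) that fired (assumed rules)."""
    findings: List[Finding] = []
    for section, body in parse_entries(text):
        reasons = []
        if "(no name)" in body:
            reasons.append("component registered without a display name")
        if "(file missing)" in body:
            reasons.append("registration points at a file that no longer exists on disk")
        if section in ("O2", "O9") and re.search(r"https?://", body):
            reasons.append("browser extension entry references a remote URL instead of a local file")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service binary carries no publisher information")
        if reasons:
            findings.append(Finding(section, body, reasons))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.body}")
        for r in f.reasons:
            print(f"    - {r}")
```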

#2 zylon


Posted 05 February 2008 - 02:10 PM

well......................

#3 amateur

Malware Response Team

Posted 14 February 2008 - 05:27 PM

Hello and welcome to BC. :thumbsup:

Apologies for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please follow the instructions below:

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

======================

Once you're done with that, please visit this webpage for download links, and instructions for running Combofix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
======================

Expected logs:

MBAM log
Combofix.txt
Fresh HijackThis log

#4 amateur

Malware Response Team

Posted 19 February 2008 - 08:44 PM

Due to lack of response, this thread will now be closed. If you need this topic reopened, please PM me with the address of the thread and we will reopen it for you. This applies only to the original topic starter. Everyone else please begin a New Topic.