IE Explorer and Opera Hijacked


3 replies to this topic

#1 Duzzlight

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:52 AM

Posted 06 July 2009 - 11:53 AM

DDS (Ver_09-06-26.01) - NTFSx86
Run by Random at 12:43:43.98 on Mon 07/06/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.254.45 [GMT -4:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Random\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: {0712e8ae-df9d-4e16-b0e2-2058e977c3c6} - c:\windows\system32\howuyogi.dll
BHO: {0fe11291-35a4-4f40-9018-75c586f37e25} - No File
BHO: {15625ce8-3870-4eeb-ad8f-efe6df9012ac}: {ca2109fd-6efe-f8da-bee4-07838ec52651}
BHO: {4313034F-B8F3-47A0-A79A-4BF01838164D} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {a63e645f-13bd-45ed-b15f-6e8c1bd57279} - c:\windows\system32\iifccdbx.dll
BHO: {f09c49be-3f48-4129-af70-3ff29a8c340d} - c:\windows\system32\ljJCtTml.dll
BHO: {F4AEFE10-D78D-47C8-86EF-F0E058DD3E3F} - No File
BHO: {fe79d728-e373-46b3-a2f8-be9013591fdc}: {b00b}
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {00000000-0000-0000-0000-000000000000} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [gadcom] "c:\documents and settings\random\application data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [FlashPlayerUpdate] c:\program files\opera\program\plugins\NPSWF32_FlashUtil.exe -p
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [CPMf37f5b0c] Rundll32.exe "c:\windows\system32\numosiko.dll",a
mRun: [bakuvolenu] Rundll32.exe "c:\windows\system32\dugejapo.dll",s
mRunOnce: [Spybot - Search & Destroy] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
mRunOnce: [NoIE4StubProcessing] c:\windows\system32\reg.exe delete "hklm\software\microsoft\active setup\Installed Components" /v "NoIE4StubProcessing" /f
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246851680890
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: iifccdbx - iifccdbx.dll
AppInit_DLLs: xrqcpc.dll c:\windows\system32\zefarife.dll vtdhka.dll c:\windows\system32\numosiko.dll c:\windows\system32\lowalama.dll c:\windows\system32\duyojaye.dll c:\windows\system32\dumenebi.dll c:\windows\system32\zuhepuji.dll,c:\windows\system32\gotiyewi.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zuhepuji.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\dumenebi.dll
SEH: {a63e645f-13bd-45ed-b15f-6e8c1bd57279} - c:\windows\system32\iifccdbx.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ljJCtTml
LSA: Notification Packages = scecli c:\windows\system32\zefarife.dll c:\windows\system32\gotiyewi.dll

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-5-14 94360]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-5-14 731840]
R3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\system32\drivers\m4301A.sys [2008-11-23 83552]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2008-11-23 26144]

=============== Created Last 30 ================

2009-07-06 12:30 873 a------- c:\windows\system32\spupdsvc.inf
2009-07-06 12:13 <DIR> -cd-h--- c:\windows\ie8
2009-07-06 11:53 <DIR> --d----- c:\program files\Trend Micro
2009-07-06 03:00 <DIR> --d----- c:\windows\system32\PreInstall
2009-07-06 03:00 <DIR> --d-h--- c:\windows\$hf_mig$
2009-07-05 23:40 <DIR> --ds---- c:\documents and settings\random\UserData
2009-07-05 22:04 <DIR> --d----- c:\program files\ESET

==================== Find3M ====================

2009-05-14 15:49 94,360 a------- c:\windows\system32\drivers\epfwtdir.sys
2009-05-14 15:47 107,256 a------- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 15:41 114,472 a------- c:\windows\system32\drivers\eamon.sys
2008-11-23 16:02 17,536 a------- c:\docume~1\random\applic~1\GDIPFONTCACHEV1.DAT
2008-09-15 23:09 67,196 a--sh--- c:\windows\system32\bepetoto.dll
2008-12-15 23:00 67,196 a--sh--- c:\windows\system32\dasujiye.dll
2008-12-25 03:52 97,380 a--sh--- c:\windows\system32\dewulale.dll
2008-12-29 00:03 97,983 a--sh--- c:\windows\system32\dumenebi.dll
2008-12-04 00:13 64,053 a--sh--- c:\windows\system32\duvikefi.dll
2008-12-29 12:04 97,585 a--sh--- c:\windows\system32\duyojaye.dll
0000-00-00 00:00 61,201 a--sh--- c:\windows\system32\gotiyewi.dll
2008-12-27 08:02 100,656 a--sh--- c:\windows\system32\hamehalu.dll
0000-00-00 00:00 61,201 a--sh--- c:\windows\system32\howuyogi.dll
2008-12-24 15:51 97,041 a--sh--- c:\windows\system32\hupezivu.dll
2008-12-26 20:01 98,050 a--sh--- c:\windows\system32\huyasuzo.dll
2008-12-24 14:52 65,231 a--sh--- c:\windows\system32\kutotoho.dll
2008-12-25 15:52 98,078 a--sh--- c:\windows\system32\lowalama.dll
2008-12-28 00:03 98,091 a--sh--- c:\windows\system32\nitekazu.dll
2008-12-26 08:01 97,858 a--sh--- c:\windows\system32\numosiko.dll
2008-12-30 00:04 62,067 a--sh--- c:\windows\system32\ponaboso.dll
2008-12-31 00:04 61,201 a--sh--- c:\windows\system32\ragogoka.dll
2008-12-08 12:15 63,215 a--sh--- c:\windows\system32\vemifaju.dll
2008-12-11 03:07 61,598 a--sh--- c:\windows\system32\vufawevu.dll
2008-09-11 03:16 61,598 a--sh--- c:\windows\system32\vujaboka.dll
2008-12-04 12:13 65,589 a--sh--- c:\windows\system32\yowozedi.dll
2008-09-11 03:16 61,598 a--sh--- c:\windows\system32\zafafuro.dll
2008-09-15 23:09 67,196 a--sh--- c:\windows\system32\zividejo.dll
2008-12-28 12:03 97,991 a--sh--- c:\windows\system32\zuhepuji.dll

============= FINISH: 12:49:35.03 ===============

Well, I haven't used this machine in quite a while, as my usual one's power supply just broke down it seems. Seems as if I didn't take really good care of this machine, as I have pop-ups from IE frequently, directing me to an IP address that I don't recognize, and usually it opens up many IE browsers at once and I have to close them through the Processes tab of Task Manager. Not sure what else to say honestly, but if you need the attachment, I'll get it to you pronto.
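A helper reads a DDS log like the one in this post by eye, looking for the handful of load points that malware of this era abused. As an added example (not part of the post and not code from the DDS tool), the following Python script does that first pass mechanically: it scans DDS output for AppInit_DLLs entries, extra packages in the LSA Authentication/Notification Packages lists, Winlogon Notify entries, Run keys that launch a DLL through Rundll32, and hidden+system DLLs in the Find3M section, then groups hits by file name. The sample input is a constructed subset of lines copied from the log above; the XP default package sets, the rule names and the regular expressions are assumptions made for this example.

```python
import re

# Constructed sample input: lines copied from the DDS log in the post above
# (Pseudo HJT Report and Find3M sections), enough to exercise each rule below.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {a63e645f-13bd-45ed-b15f-6e8c1bd57279} - c:\windows\system32\iifccdbx.dll
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [bakuvolenu] Rundll32.exe "c:\windows\system32\dugejapo.dll",s
Notify: iifccdbx - iifccdbx.dll
AppInit_DLLs: xrqcpc.dll c:\windows\system32\zefarife.dll c:\windows\system32\zuhepuji.dll,c:\windows\system32\gotiyewi.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ljJCtTml
LSA: Notification Packages = scecli c:\windows\system32\zefarife.dll

==================== Find3M ====================

2009-05-14 15:49 94,360 a------- c:\windows\system32\drivers\epfwtdir.sys
2008-12-29 00:03 97,983 a--sh--- c:\windows\system32\dumenebi.dll
0000-00-00 00:00 61,201 a--sh--- c:\windows\system32\gotiyewi.dll
"""

# Windows XP defaults for the two LSA package lists (an assumption for this
# example, not something DDS reports); anything beyond them is worth a look.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}
DEFAULT_NOTIFY_PACKAGES = {"scecli"}

# Run-key value that hands a DLL to rundll32, e.g. Rundll32.exe "c:\...\x.dll",s
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)
# Find3M line: date time size attributes path (attributes are 8 flag characters)
FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+[\d,]+\s+([a-z-]{8})\s+(.+)$", re.I)


def split_packages(value):
    """DDS prints package lists space-separated; AppInit_DLLs may also use commas."""
    return [p for p in re.split(r"[\s,]+", value.strip()) if p]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_dds(text):
    """Return (rule, item) findings for load points that warrant a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        low = line.lower()
        if low.startswith("appinit_dlls:"):
            # Every DLL listed here is loaded into each process that loads user32.dll
            for dll in split_packages(line.split(":", 1)[1]):
                findings.append(("appinit_dll", dll))
        elif low.startswith("lsa: authentication packages"):
            for pkg in split_packages(line.split("=", 1)[1]):
                if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
                    findings.append(("lsa_auth_package", pkg))
        elif low.startswith("lsa: notification packages"):
            for pkg in split_packages(line.split("=", 1)[1]):
                if pkg.lower() not in DEFAULT_NOTIFY_PACKAGES:
                    findings.append(("lsa_notify_package", pkg))
        elif low.startswith("notify:"):
            # Winlogon Notify entries load a DLL into winlogon.exe at logon
            findings.append(("winlogon_notify", line.split(" - ")[-1].strip()))
        elif low.startswith(("mrun:", "urun:", "mrunonce:", "urunonce:")):
            m = RUNDLL_RE.search(line)
            if m:
                findings.append(("rundll32_autorun", m.group(1)))
        else:
            m = FIND3M_RE.match(line)
            if m:
                date, attrs, path = m.groups()
                flags = attrs.lower()
                # A DLL carrying both the system and hidden attributes is unusual in system32
                if "s" in flags and "h" in flags and path.lower().endswith(".dll"):
                    findings.append(("hidden_system_dll", path))
                # DDS prints an all-zero date when the file's timestamp is unreadable
                if date == "0000-00-00":
                    findings.append(("bogus_timestamp", path))
    return findings


def summarize(findings):
    """Group findings by file name so a DLL hit by several rules stands out."""
    by_file = {}
    for rule, item in findings:
        by_file.setdefault(basename(item), set()).add(rule)
    return {name: sorted(rules) for name, rules in by_file.items()}


if __name__ == "__main__":
    for name, rules in summarize(triage_dds(SAMPLE_LOG)).items():
        print(f"{name:14} {', '.join(rules)}")
```

Run on the sample, the summary lists eight file names; zefarife.dll and gotiyewi.dll each trip more than one rule, which is the kind of corroboration a responder wants before acting on a single odd registry value, while the legitimate ESET driver and the Spybot helper DLL produce no hits.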


#2 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:09:52 AM

Posted 13 July 2009 - 07:02 AM

Hello, Duzzlight.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following so I can have a look at the current condition of your machine.

Thanks

Please note that I am in the process of my training, so it may take a while for me to get back to you, as each of my fixes needs to be checked by a coach first.

We need to run RSIT
  • Download random's system information tool (RSIT) by random/random and save it to your desktop.
  • Double click on RSIT.exe.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
In your next reply, please include the following:
  • Log.txt
  • info.txt

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:09:52 AM

Posted 16 July 2009 - 04:29 AM

Hello Duzzlight
Are you still with us?

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#4 kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:01:52 AM

Posted 18 July 2009 - 02:22 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with the address of this thread. This applies only to the original topic starter. Everyone else, please begin a New Topic.
Please do not PM for help; post it in the forums instead.

If I am helping you and have not responded for 48 hours, please send me a PM, as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.



