Browser HiJacked..Can someone take a look at this logfile?

Discussion in 'OT Technology' started by Chase, Feb 1, 2005.

  1. Chase

    Chase Fuck you, fuck you, fuck you, you're cool, fuck yo

    Win2k SP4

    Ran spybot, adware, ADS, always running Symantec AV Corporate Ed.

    Removed A LOT of spyware on this computer, but the browser is still hijacked. I also removed a lot from the startup group as well. Can someone have a look and try and help me out? Thanks.

    Logfile of HijackThis v1.99.0
    Scan saved at 1:58:55 PM, on 2/1/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\HyperTechnologies\Deep Freeze\DfServEx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\javaou32.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\HyperTechnologies\Deep Freeze\_$Df\FrzState.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINNT\system32\ipdq.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Student\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\tqbjq.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\tqbjq.dll/sp.html#28129
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\tqbjq.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\tqbjq.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\tqbjq.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\tqbjq.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\tqbjq.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {2E2FF803-AEC5-794D-2287-E646BD0178BE} - C:\WINNT\ntyl32.dll
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [ipdq.exe] C:\WINNT\system32\ipdq.exe
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: DFServEx - Hyper Technologies Inc. - C:\Program Files\HyperTechnologies\Deep Freeze\DfServEx.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINNT\javaou32.exe
     
  2. skinjob

    skinjob Active Member

    This tqbjq.dll is probably the culprit. If you have access to a machine that isn't hijacked, change the regkey values to match the values on the clean machine.
     
  3. cmsurfer

    cmsurfer ºllllllº

  4. Chase

    Chase Fuck you, fuck you, fuck you, you're cool, fuck yo

    Got 'er all fixed. I figured it was that damned tqbjq one, but it kept coming back, the fucker. I followed the steps from the walkthrough on the short-media site and realised there was a hidden service creating new random hijackers every time I rebooted or opened IE. Thanks, fellas.
     
  5. DaIceMan

    DaIceMan Jack Bauer > *.*

    I'd kill the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\tqbjq.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\tqbjq.dll/sp.html#28129
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\tqbjq.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\tqbjq.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\tqbjq.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\tqbjq.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\tqbjq.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {2E2FF803-AEC5-794D-2287-E646BD0178BE} - C:\WINNT\ntyl32.dll

    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

    and unless you specifically created these trusted zones...

    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)

    I'd kill those too.
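    A small triage script for HijackThis-format logs, added here as an example and not something posted in the thread: it flags the kinds of entries skinjob and DaIceMan point at (the res:// search-page redirects, the missing URLSearchHook, the unnamed BHO, the Trusted Zone additions) plus the unknown-publisher O23 service behind the reappearing entries Chase describes. The sample log is constructed from lines quoted in the thread, and the random-file-name rule is my own heuristic, not a HijackThis feature.

```python
import re

# Constructed sample in HijackThis v1.99 log format, modelled on the entries
# quoted in this thread (not the thread's own full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\tqbjq.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {2E2FF803-AEC5-794D-2287-E646BD0178BE} - C:\WINNT\ntyl32.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ipdq.exe] C:\WINNT\system32\ipdq.exe
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINNT\javaou32.exe
"""

# Heuristic (assumption, not a HijackThis rule): a short all-letter name,
# optionally ending in "32", dropped straight into the Windows directory,
# like tqbjq.dll / ntyl32.dll / javaou32.exe in the thread's log. Noisy on
# its own, so it is only consulted after the precise rules below.
RANDOM_NAME = re.compile(r"\\WINNT\\(system32\\)?[a-z]{4,7}(32)?\.(exe|dll)$", re.I)


def triage(log_text):
    """Return (section, entry, reason) for each log line worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"(R\d|O\d+) - (.*)", line.strip())
        if not m:
            continue  # header, process list, or blank line
        section, body = m.groups()
        reason = None
        if section in ("R0", "R1") and "= res://" in body:
            reason = "IE search/start page redirected to a local DLL resource"
        elif section == "R3" and "missing" in body:
            reason = "default URLSearchHook removed"
        elif section == "O2" and "(no name)" in body:
            reason = "Browser Helper Object with no name"
        elif section == "O15":
            reason = "site added to the Trusted Zone (confirm it was intentional)"
        elif section == "O23" and " - Unknown - " in body:
            reason = "service with no identifiable publisher"
        if reason is None and section in ("O4", "O23") and RANDOM_NAME.search(body):
            reason = "randomly named binary in the Windows directory"
        if reason:
            findings.append((section, body, reason))
    return findings


if __name__ == "__main__":
    for section, body, reason in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {body}")
```

Legitimate O4 and O23 entries under Program Files (vptray, DefWatch) pass through untouched, so the output is the short review list rather than the whole log.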
     
  6. bluesphx

    bluesphx Member

  7. 0wn3d_productivity

    0wn3d_productivity OT Supporter

    Opera is another alternative. I prefer it to Firefox, although I use both. I NEVER open IE anymore.
     
  8. cmsurfer

    cmsurfer ºllllllº

    Just remember that switching to another browser will NOT fix your spyware problems...

    I prefer Opera to Firefox, but still use IE a lot too.
     
  9. Chase

    Chase Fuck you, fuck you, fuck you, you're cool, fuck yo

    I would, but the company website only allows IE to be used :wtc:

    I definitely use FF at home.
     
