
Solved IE 6.0 Home Page Hijacked to 345dh.cn?tg=7

Discussion in 'Malware and Virus Removal Archive' started by DianeR, 2008/11/04.

  1. 2008/11/11
    noahdfear

    Once again, please disable any real-time protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    KillAll::
    File::
    c:\windows\system32\drivers\zntbv.sys
    Driver::
    zntbv
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.
     
  2. 2008/11/11
    DianeR

    Hi. Here's the log. Got that error again when ComboFix starts up... "Error loading C:\Windows\system32\knlzem.dll The specified module could not be found."

    ComboFix 08-11-10.01 - joannek 2008-11-11 17:57:42.6 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.291 [GMT -7:00]
    Running from: c:\documents and settings\JOannek\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\JOannek\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    c:\windows\system32\drivers\zntbv.sys
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\drivers\zntbv.sys

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_ZNTBV
    -------\Service_zntbv


    ((((((((((((((((((((((((( Files Created from 2008-10-12 to 2008-11-12 )))))))))))))))))))))))))))))))
    .

    2008-11-05 21:06 . 2008-11-05 21:06 <DIR> d-------- c:\documents and settings\Administrator\Application Data\U3
    2008-11-05 21:05 . 2008-11-05 21:05 0 --a------ c:\windows\nsreg.dat
    2008-11-05 18:59 . 2008-11-05 20:12 <DIR> d-------- c:\documents and settings\Administrator\.housecall6.6
    2008-11-05 17:54 . 2008-11-05 18:04 <DIR> d-------- c:\documents and settings\Administrator\Application Data\CoreFTP
    2008-11-05 16:50 . 2008-11-05 17:43 <DIR> d-------- c:\program files\EsetOnlineScanner
    2008-11-05 15:37 . 2008-11-05 15:37 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2008-11-05 14:52 . 2008-11-05 14:56 4,274 --a------ c:\windows\system32\tmp.reg
    2008-11-04 18:13 . 2008-11-10 17:56 <DIR> d-------- C:\rsit
    2008-11-04 18:13 . 2008-11-10 17:32 <DIR> d-------- c:\program files\trend micro
    2008-11-04 12:56 . 2008-11-04 12:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-11-04 12:55 . 2008-11-04 12:55 <DIR> d-------- c:\program files\SUPERAntiSpyware
    2008-11-04 12:55 . 2008-11-04 12:55 <DIR> d-------- c:\documents and settings\JOannek\Application Data\SUPERAntiSpyware.com
    2008-10-31 15:43 . 2008-10-31 17:01 <DIR> d-------- c:\documents and settings\JOannek\Application Data\HouseCall 6.6
    2008-10-31 13:14 . 2008-11-03 09:10 <DIR> d-------- c:\documents and settings\JOannek\.housecall6.6
    2008-10-31 12:55 . 2008-10-31 12:55 <DIR> d-------- c:\program files\Sophos
    2008-10-31 12:49 . 2008-10-31 12:49 1,181,383 --a------ c:\temp\SophosAntiRootKit_sarsfx.exe
    2008-10-31 12:49 . 2008-10-31 12:49 1,181,383 --a------ c:\documents and settings\JOannek\SophosAntiRootKit_sarsfx.exe
    2008-10-31 12:27 . 2008-10-31 12:27 <DIR> d-------- c:\windows\ERUNT
    2008-10-31 12:23 . 2008-11-03 16:03 <DIR> d-------- C:\SDFix
    2008-10-31 10:55 . 2008-10-31 10:55 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-10-31 10:55 . 2008-10-31 10:55 <DIR> d-------- c:\documents and settings\JOannek\Application Data\Malwarebytes
    2008-10-31 10:55 . 2008-10-31 10:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-10-31 10:55 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-10-31 10:55 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-10-30 17:03 . 2008-11-04 09:42 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
    2008-10-30 17:03 . 2008-10-30 17:08 <DIR> d-------- C:\fixwareout
    2008-10-30 16:13 . 2001-08-23 05:00 4,224 --a------ c:\windows\system32\drivers\beep.sys
    2008-10-29 15:19 . 2008-10-29 15:19 <DIR> d---s---- c:\documents and settings\LocalService\UserData
    2008-10-22 14:04 . 2008-10-30 16:12 <DIR> d-------- c:\windows\system32\inf
    2008-10-14 11:03 . 2004-08-04 00:56 221,184 --a------ c:\windows\system32\wmpns.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-12 01:06 --------- d-----w c:\program files\Symantec AntiVirus
    2008-11-11 15:04 --------- d-----w c:\program files\LogMeIn
    2008-11-05 21:52 --------- d-----w c:\documents and settings\JOannek\Application Data\CoreFTP
    2008-10-31 19:22 --------- d-----w c:\program files\ZipCentral
    2008-10-30 23:06 --------- d-----w c:\documents and settings\JOannek\Application Data\U3
    2008-10-29 17:17 --------- d-----w c:\program files\SalesLogix
    2008-10-17 15:07 47,640 ----a-w c:\windows\system32\drivers\LMIRfsDriver.sys
    2008-10-14 14:17 --------- d-----w c:\program files\Google
    2008-10-08 15:45 --------- d-----w c:\program files\Java
    2008-10-08 15:43 --------- d-----w c:\program files\Common Files\Java
    .

    ((((((((((((((((((((((((((((( snapshot@2008-11-05_22.48.16.84 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-11-12 01:05:50 16,384 ----atw c:\windows\temp\Perflib_Perfdata_3ac.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 126976]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 561152]
    "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
    "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
    "TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-12-10 536576]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-02-06 344064]
    "ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-05-17 413696]
    "ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-05-17 126976]
    "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
    "BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 110592]
    "BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
    "BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
    "BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
    "MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2005-09-26 169984]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Setup"="MSIEXEC.EXE" [2005-05-04 c:\windows\system32\msiexec.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
    Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
    2007-05-17 11:41 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2008-10-17 08:06 87352 c:\windows\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli ACGina

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1181\Scripts\Logon\0\0]
    "Script"=login.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1181\Scripts\Logon\1\0]
    "Script"=inventory.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1181\Scripts\Logon\2\0]
    "Script"=mapdrv.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1187\Scripts\Logon\0\0]
    "Script"=login.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1187\Scripts\Logon\1\0]
    "Script"=inventory.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1187\Scripts\Logon\2\0]
    "Script"=mapdrv.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1319\Scripts\Logon\0\0]
    "Script"=login.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-286463997-3611086172-1349692979-1319\Scripts\Logon\1\0]
    "Script"=mapdrv.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    --a------ 2003-06-27 08:53 88363 c:\windows\AGRSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"="0x00000000"
    "UpdatesDisableNotify"="0x00000000"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2005-11-08 11520]
    R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\Drivers\IBMBLDID.sys [2007-04-02 4224]
    R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\Drivers\RCFOX.sys [2007-09-27 101528]
    R1 TPPWR;TPPWR;c:\windows\system32\drivers\Tppwr.sys [2005-04-20 16384]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-02-28 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-10-17 47640]
    R2 SalesLogix Server Service;SalesLogix Server;c:\program files\SalesLogix\SLXServer.exe [2006-10-16 536576]
    R2 SlxSearch;SalesLogix SpeedSearch;c:\program files\SalesLogix\SpeedSearch\Bin\SLXSearchService.exe [2007-01-05 940544]
    R2 vnccom;vnccom;c:\windows\system32\Drivers\vnccom.SYS [2004-06-26 6016]
    R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys [2005-11-08 24876]
    S3 kwkxusb;Kyocera CDMA Wireless Modem Driver;c:\windows\system32\DRIVERS\kwusb2k.sys [2004-11-29 29952]
    S3 NAL;Nal Service ;c:\windows\system32\Drivers\iqvw32.sys [2005-12-13 20480]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder

    2008-07-17 c:\windows\Tasks\BMMTask.job
    - c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2005-04-20 01:38]
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-11 18:07:42
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ibmpmsvc.exe
    c:\windows\system32\ati2evxx.exe
    c:\windows\system32\S24EvMon.exe
    c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    c:\program files\Symantec AntiVirus\DefWatch.exe
    c:\program files\LogMeIn\x86\ramaint.exe
    c:\program files\LogMeIn\x86\LogMeIn.exe
    c:\program files\LogMeIn\x86\LMIGuardian.exe
    c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    c:\windows\system32\RegSrvc.exe
    c:\program files\Symantec AntiVirus\SavRoam.exe
    c:\program files\SalesLogix\SLXLoggingServer.exe
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\program files\SalesLogix\SLXSystem.exe
    c:\program files\Lenovo\System Update\SUService.exe
    c:\program files\Symantec AntiVirus\Rtvscan.exe
    c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
    c:\program files\Verizon Wireless\venturi\Client\VentC.exe
    c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
    c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    c:\windows\system32\1XConfig.exe
    c:\windows\system32\ati2evxx.exe
    c:\program files\Adobe\Acrobat 7.0\Distillr\acrodist.exe
    c:\windows\system32\rundll32.exe
    c:\program files\LogMeIn\x86\LMIGuardian.exe
    c:\program files\HP\Digital Imaging\bin\hpqste08.exe
    c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    c:\windows\system32\imapi.exe
    .
    **************************************************************************
    .
    Completion time: 2008-11-11 18:16:32 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-11-12 01:16:26
    ComboFix2.txt 2008-11-11 03:38:35
    ComboFix3.txt 2008-11-11 03:18:12
    ComboFix4.txt 2008-11-06 05:48:53
    ComboFix5.txt 2008-11-12 00:57:05

    Pre-Run: 6,138,466,304 bytes free
    Post-Run: 6,136,193,024 bytes free

    209 --- E O F --- 2007-06-13 00:02:09
     


  4. 2008/11/11
    DianeR

    FYI, I think it might be licked! I went into Internet Options (via Control Panel - after closing my browser) and changed the startup page to what it should be, and when I re-launched it, it wasn't hijacked any longer! Woot! I'm going to reboot and see if everything seems happy after that. :) Thanks SOOOOO much for your help (and patience)!

    You ROCK! :)
     
  5. 2008/11/11
    noahdfear

    Your log looks clean. I'd say go on home for tonight, and tomorrow, when you get a chance, do an online scan with Kaspersky. Instructions below. If all is good, we'll do a bit of cleanup and mark this resolved.

    Please do an online scan with Kaspersky Online Scanner

    • Click Accept, when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


    Post the Kaspersky log and one more fresh HijackThis log.
     
  6. 2008/11/11
    DianeR

    Here's the Kaspersky report...

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Tuesday, November 11, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Wednesday, November 12, 2008 00:42:50
    Records in database: 1380838
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    F:\
    G:\
    U:\

    Scan statistics:
    Files scanned: 89417
    Threat name: 22
    Infected objects: 59
    Suspicious objects: 0
    Duration of the scan: 02:19:31


    File name / Threat name / Threats count
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00D40000\49D73906.VBN Infected: Trojan-Spy.Win32.Pophot.ghr 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01CC0000\49CCB48F.VBN Infected: Trojan-Downloader.Win32.Small.aftn 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01CC0001\49CCB49C.VBN Infected: Trojan-Downloader.Win32.Small.aftn 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06680000\4F68C8C2.VBN Infected: Trojan-Clicker.HTML.IFrame.yo 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06680001\4F68C9FF.VBN Infected: Trojan-Clicker.HTML.IFrame.yo 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06680002\4F68CAA7.VBN Infected: Trojan-Clicker.HTML.IFrame.yo 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06680006\4F68D069.VBN Infected: Trojan-Clicker.HTML.IFrame.yo 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06680008\4F68D3A6.VBN Infected: Trojan-Clicker.HTML.IFrame.yo 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06680009\4F68D8C5.VBN Infected: Trojan-Clicker.HTML.IFrame.yo 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0668000A\4F68DA23.VBN Infected: Trojan-Clicker.HTML.IFrame.yo 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0668000B\4F68DDE5.VBN Infected: Trojan-Clicker.HTML.IFrame.yo 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07E40000\4FEF4E6E.VBN Infected: Trojan-Spy.Win32.Pophot.ght 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07E40001\4FEF4F58.VBN Infected: Trojan-Spy.Win32.Pophot.ghs 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07E40002\4FEF502D.VBN Infected: Trojan-Spy.Win32.Pophot.ghs 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07E40003\4FEF5328.VBN Infected: Trojan-Spy.Win32.Pophot.ght 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07E40004\4FEF541C.VBN Infected: Trojan-Spy.Win32.Pophot.ght 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07E40005\4FEF54F2.VBN Infected: Trojan-Spy.Win32.Pophot.ght 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07E40006\4FEF55D0.VBN Infected: Trojan-Spy.Win32.Pophot.ght 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07E40007\4FEF56B0.VBN Infected: Trojan-Spy.Win32.Pophot.ght 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07E40008\4FEF5789.VBN Infected: Trojan-Spy.Win32.Pophot.ght 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07E40009\4FEF584B.VBN Infected: Trojan-Spy.Win32.Pophot.ghs 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07E4000A\4FEF58B7.VBN Infected: Trojan-Spy.Win32.Pophot.ghs 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09300000\49FF9E6A.VBN Infected: Trojan-Downloader.Win32.Tiny.bxw 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09300001\49FF9E81.VBN Infected: Trojan-Downloader.Win32.Tiny.bxw 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09300002\49FFAFB0.VBN Infected: Worm.Win32.AutoRun.rho 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09300003\49FFAFBF.VBN Infected: Trojan.Win32.Monder.vxp 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09300005\49FFB8AF.VBN Infected: not-a-virus:AdWare.Win32.Cinmus.srh 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09300006\49FFB8BD.VBN Infected: Trojan.Win32.Agent.akau 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09300007\49FFB8DF.VBN Infected: not-a-virus:AdWare.Win32.Agent.ftd 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\093C0000\493CB499.VBN Infected: Backdoor.Win32.Agent.ubq 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\093C0001\493CB644.VBN Infected: Trojan-Downloader.Win32.Agent.akuo 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\093C0003\493CB9D2.VBN Infected: Backdoor.Win32.Agent.tni 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AC80000.VBN Infected: Trojan-Spy.Win32.Pophot.ghr 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AC80002.VBN Infected: Trojan-Spy.Win32.Pophot.ghr 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AC80005.VBN Infected: Trojan-Spy.Win32.Pophot.ghr 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BEC0000.VBN Infected: Rootkit.Win32.Small.br 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D600000.VBN Infected: Backdoor.Win32.Small.gpk 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D600001.VBN Infected: Backdoor.Win32.Small.gpk 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D600002.VBN Infected: Backdoor.Win32.Small.gpk 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E280002\4F2DDE44.VBN Infected: Trojan-Clicker.Win32.Agent.efb 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E280003\4F2DDE4E.VBN Infected: Trojan-Clicker.Win32.Agent.efb 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E280004\4F2DEE04.VBN Infected: Trojan-Spy.Win32.Pophot.ghr 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E280005\4F2E0156.VBN Infected: Trojan-Downloader.Win32.Small.aftn 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E280006\4F2E1903.VBN Infected: Trojan-Spy.Win32.Pophot.ghr 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E280007\4F2E1DF9.VBN Infected: Trojan-Downloader.Win32.Agent.uro 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E280008\4F2E1E63.VBN Infected: Trojan-Downloader.Win32.Agent.uro 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E280009\4F2E3FE5.VBN Infected: Trojan-Spy.Win32.Pophot.ghr 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E840001.VBN Infected: not-a-virus:AdWare.Win32.Cinmus.srh 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E840002\4F849166.VBN Infected: Trojan.Win32.Agent.akau 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E840003\4F8491CE.VBN Infected: not-a-virus:AdWare.Win32.Agent.ftd 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E840004\4F849723.VBN Infected: Trojan-Downloader.Win32.Small.aftn 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E840005\4F849735.VBN Infected: Trojan-Downloader.Win32.Small.aftn 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FB00000\4FFF958D.VBN Infected: Worm.Win32.AutoRun.rho 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FB00001\4FFF959C.VBN Infected: Trojan.Win32.Monder.vxp 1
    C:\Program Files\UltraVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
    C:\Program Files\UltraVNC\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 1
    C:\Program Files\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\69QN8ZQ3\f1[1].gif Infected: Trojan-Downloader.JS.Agent.cxd 1
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\69QN8ZQ3\i28[1].swf Infected: Trojan-Downloader.SWF.Agent.ak 1

    The selected area was scanned.
     
  7. 2008/11/11
    noahdfear

    Looks great actually. :)

    Copy the bolded path below, quotes included.

    "C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5"

    Click Start>Run then paste in the copied path and hit enter.
    Delete every folder present there.

    Now open Symantec and remove all items in quarantine.
    Verify they have been removed by opening the quarantine folder. (you can paste this path too).

    "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine"

    If successful, and you're satisfied the computer is working as it should, proceed as follows to finish up.


    Open MBAM and remove any items quarantined. Do the same with Super AntiSpyware.

    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well.
    Verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.
    You can delete any other logs that were created/saved too.


    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit.
    Reboot


    That should be a wrap. :)
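    The "Looks great" verdict above rests on where each Kaspersky detection sits: inside Symantec's own quarantine store, in a legitimately installed remote-admin tool flagged as not-a-virus, or in the browser cache, none of which is a live infection. The Python script below is an added illustration of that triage, not code from the thread or from either scanner; it runs over a constructed subset of the posted report plus one made-up path (example_constructed.dll) to show what an actionable hit looks like.

```python
"""Triage a Kaspersky Online Scanner 7 text report by where each hit lives."""
import re
from collections import Counter, defaultdict

# Constructed sample: a handful of lines taken from the report posted in the
# thread, plus one made-up "live" hit (example_constructed.dll). Not the full file.
SAMPLE_REPORT = r"""File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00D40000\49D73906.VBN Infected: Trojan-Spy.Win32.Pophot.ghr 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09300005\49FFB8AF.VBN Infected: not-a-virus:AdWare.Win32.Cinmus.srh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BEC0000.VBN Infected: Rootkit.Win32.Small.br 1
C:\Program Files\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\69QN8ZQ3\f1[1].gif Infected: Trojan-Downloader.JS.Agent.cxd 1
C:\WINDOWS\system32\example_constructed.dll Infected: Trojan.Win32.Agent.zzzz 1

The selected area was scanned.
"""

# Report lines read "<path> Infected: <threat name> <count>". The path may
# contain spaces, so the literal " Infected: " separator is the anchor.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def parse_report(text):
    """Yield (path, threat, count) for every detection line in the report."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("path"), m.group("threat"), int(m.group("count"))


def classify(path, threat):
    """Bucket one detection the way a helper reviewing the log would."""
    p = path.lower()
    if "\\quarantine\\" in p and p.endswith(".vbn"):
        return "av_quarantine"   # already contained by Symantec; purge its quarantine
    if threat.startswith("not-a-virus:"):
        return "not_a_virus"     # e.g. the VNC remote-admin tool; confirm it is wanted
    if "\\temporary internet files\\" in p:
        return "browser_cache"   # cached exploit page; clear the Content.IE5 folders
    return "live_file"           # still on disk outside any quarantine: act on it


def triage(text):
    """Group detections by bucket: {bucket: [(path, threat), ...]}."""
    buckets = defaultdict(list)
    for path, threat, _count in parse_report(text):
        buckets[classify(path, threat)].append((path, threat))
    return dict(buckets)


def family_counts(text):
    """Detections per threat name; len() of the result is the report's 'Threat name' figure."""
    return Counter(threat for _path, threat, _count in parse_report(text))


def needs_attention(text):
    """Paths that still require manual action: live files outside any quarantine."""
    return [path for path, _threat in triage(text).get("live_file", [])]


if __name__ == "__main__":
    for bucket, items in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{bucket}: {len(items)}")
    print("act on:", needs_attention(SAMPLE_REPORT))
```

On the full report from the thread the live_file bucket is empty, which is exactly why the only follow-up was to empty the Symantec quarantine and the Content.IE5 cache.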
     
  8. 2008/11/11
    DianeR

    Thanks, Dave, for all your help! The system seems to be working properly now. I really appreciate your expertise in getting this cleaned up! I'll be able to return this system to the user now in the morning.

    Thanks again! :)
     
  9. 2008/11/11
    noahdfear

    You're very welcome Diane. :)
     
