res://gehlk.dll/index.html#96676 hijacked my browser

Status
Not open for further replies.

jdr

Hi everyone, need help destroying annoying res://gehlk.dll/index.html#96676 browser virus. can anyone help.

JDR

Here is my HijackThis log:



Logfile of HijackThis v1.97.3
Scan saved at 12:16:43 PM, on 6/28/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
C:\WINDOWS\System32\windll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\DAP\DAP.EXE
c:\ntldr.exe
c:\m.exe
C:\WINDOWS\ipqj.exe
C:\WINDOWS\sdkol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\art\stay\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gehlk.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://gehlk.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://gehlk.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gehlk.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://gehlk.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gehlk.dll/sp.html#96676
O2 - BHO: (no name) - {2FBCE5B5-36D5-9877-25BB-79933C8F470D} - C:\WINDOWS\system32\addrs32.dll
O4 - HKLM\..\Run: [mysoft] c:\windows\system32\winexplor.exe
O4 - HKLM\..\Run: [ipqj.exe] C:\WINDOWS\ipqj.exe
O4 - HKCU\..\Run: [windll32.exe] C:\WINDOWS\System32\windll32.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://www.microsoit.com/direct.php?url=
O13 - WWW Prefix: http://www.microsoit.com/direct.php?url=
 
You may want to print this.

Please download this tool called about:buster from

http://tools.zerosrealm.com/AboutBuster.zip or
http://www.downloads.subratam.org/AboutBuster.zip
Created by RubberDucky

Unzip it to your desktop.

Now start HijackThis and tick the boxes next to these items:

O2 - BHO: (no name) - {2FBCE5B5-36D5-9877-25BB-79933C8F470D} - C:\WINDOWS\system32\addrs32.dll
O4 - HKLM\..\Run: [mysoft] c:\windows\system32\winexplor.exe
O4 - HKLM\..\Run: [ipqj.exe] C:\WINDOWS\ipqj.exe
O4 - HKCU\..\Run: [windll32.exe] C:\WINDOWS\System32\windll32.exe

Now close ALL windows and hit Fix checked.
Do not open Internet Explorer to come back here until after running my tool.

Start about:buster and hit Start. In the first white box, input this, starting with
res://C:\WINDOWS\gehlk.dll/sp.html#96676
Now hit ok.
Save the report in a text file somewhere.

Then start up HijackThis and tick the box next to the random O2 (dll).

Restart your computer and post the report and a new Hijack this log.
------------------------------------------------------------------
If, once you are back, you are still infected, try this. Boot into safe mode.

3) Next, start up HijackThis and fix all random entries again.

4) Next go to Start - Run - and type in Local Settings. Double click Temp and try deleting everything there. Rerun the program and type and paste in res://C:\WINDOWS\gehlk.dll/sp.html#96676 again (even if the file doesn't exist it should work).

5) Restart your computer and tell us how it goes.

Post all of the AboutBuster logs and a fresh HijackThis log.
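As an added example that is not part of the thread, the following Python script parses HijackThis log lines of the kinds fixed above (R0/R1 pages, O2 BHOs, O4 Run keys, O13 prefixes) and flags the patterns seen in JDR's log; the rules are heuristics assumed for this example, not HijackThis's own logic.

```python
import re
from urllib.parse import urlparse

# Heuristic rules assumed for this example, covering the entry types fixed in the thread.
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
IPV4_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
DEFAULT_PREFIX = "http://"  # IE's stock O13 prefix value

def classify(line):
    """Return (section, reason) when a log line matches a hijack pattern, else None."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section in ("R0", "R1"):  # IE start, search and default pages
        value = body.partition(" = ")[2].strip()
        if value.lower().startswith("res://"):
            return section, "page points at an HTML resource inside a DLL"
        if IPV4_HOST.match(urlparse(value).hostname or ""):
            return section, "page points at a bare IP address"
    elif section == "O2" and "(no name)" in body:  # Browser Helper Objects
        return section, "unnamed BHO loaded into Internet Explorer"
    elif section == "O4":  # Run keys
        target = body.partition("] ")[2].strip().lower()
        if target.startswith("c:\\windows\\"):
            return section, "Run entry starts an executable from the Windows directory"
    elif section == "O13":  # URL prefix prepended to whatever the user types
        prefix = body.partition(": ")[2].strip()
        if prefix.lower() != DEFAULT_PREFIX:
            host = urlparse(prefix).hostname or prefix
            return section, "typed addresses are rewritten through " + host
    return None

def flag_log(text):
    """All suspicious entries in a log, as (line, section, reason) tuples."""
    return [(raw.strip(),) + hit for raw in text.splitlines() if (hit := classify(raw))]

# Lines copied from the first log in the thread, plus one benign O9 line for contrast.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = res://C:\\WINDOWS\\gehlk.dll/sp.html#96676
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://65.75.143.119/freeticket.htm
O2 - BHO: (no name) - {2FBCE5B5-36D5-9877-25BB-79933C8F470D} - C:\\WINDOWS\\system32\\addrs32.dll
O4 - HKLM\\..\\Run: [ipqj.exe] C:\\WINDOWS\\ipqj.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O13 - WWW Prefix: http://www.microsoit.com/direct.php?url=
"""
```

Calling flag_log(SAMPLE_LOG) returns five hits (R1, R0, O2, O4, O13) and leaves the O9 line alone; the O4 rule is deliberately broad and needs a human to confirm each flagged file, as Lobos does in the thread.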
 
Thank you for the info, but the thing won't go away. Also, it seems like if I try to log onto the net, it calls up a new page. Also, if I try and type in an address like google.com, I get a 404 page, so I can't use my Internet Explorer browser to get any help, so I am doing this from another comp. I did what you told me to; here is the new log file and the HijackThis. The res has now been replaced by freeticket.htm. I will try the safe mode method, but if you have any more tips please post them here.

Thank you for your help, always appreciated,
JDR

Also, do you think it could be the microsoit address on O13 that's causing the problem?



New logfile:

Logfile of HijackThis v1.97.3
Scan saved at 8:31:16 PM, on 6/28/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
C:\windows\system32\winexplor.exe
C:\WINDOWS\ipqj.exe
C:\art\stay\hijackthis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://65.75.143.119/freeticket.htm
O4 - HKLM\..\Run: [mysoft] C:\windows\system32\winexplor.exe
O4 - HKLM\..\Run: [ipqj.exe] C:\WINDOWS\ipqj.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O13 - DefaultPrefix: http://www.microsoit.com/direct.php?url=
O13 - WWW Prefix: http://www.microsoit.com/direct.php?url=




About:Buster Version 1.21
Removed! : C:\WINDOWS\rrwjl.dat
Removed! : C:\WINDOWS\System32\netac.exe
Removed! : C:\WINDOWS\System32\nqfed.dll
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed __NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
 
Run HijackThis, put a check next to these, close all browsers and hit Fix.

Make sure not to miss one.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://65.75.143.119/freeticket.htm
O4 - HKLM\..\Run: [mysoft] C:\windows\system32\winexplor.exe
O4 - HKLM\..\Run: [ipqj.exe] C:\WINDOWS\ipqj.exe
O9 - Extra button: Related (HKLM)

O13 - DefaultPrefix: http://www.microsoit.com/direct.php?url=
O13 - WWW Prefix: http://www.microsoit.com/direct.php?url=



-----------------------------------------------------------------------------------------------------------------------------------

To enable the viewing of Hidden files follow these steps:
1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and shutdown My Computer.
9. Now your computer is configured to show all hidden files.

reboot into safe mode

How to boot into safe mode

delete

these files

C:\windows\system32\winexplor.exe
C:\WINDOWS\ipqj.exe

empty your recycle bin
reboot to normal


Come back and post a fresh log and tell me how your computer's running.

Lobos
 
Hi, thanks for the advice. I think the ipqj.exe and the winexplor.exe were the problems. I can log on, but something makes me believe that the bug/virus/whatever is still looming somewhere inside my computer. Should I download a program, or could you recommend a program to get rid of these hidden files? I haven't restarted the computer yet, so I don't know if me getting on was a fluke.

take care,
JDR
 
The bug is still here, but its crippling effect has lessened. I try to change homepage options in IE and I keep getting this

http://www.microsoit.com/direct.php?url=my.yahoo.com

I should be getting just my.yahoo.com. Should I post my HijackThis again? I deleted the files you asked me to and it's fine, but I want to be 100% sure that this bastard is gone.
 
Hi LobosBlanco,

here is my new HijackThis:

Logfile of HijackThis v1.97.3
Scan saved at 2:39:58 PM, on 7/3/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\art\stay\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoit.com/direct.php?url=my.yahoo.com
O4 - HKLM\..\Run: [mysoft] C:\windows\system32\winexplor.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O13 - DefaultPrefix: http://www.microsoit.com/direct.php?url=
O13 - WWW Prefix: http://www.microsoit.com/direct.php?url=
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E6C92112-9052-4AF8-9FDD-0A8B380CC910}: NameServer = 206.13.28.12 206.13.31.12
 
Run HijackThis, put a check next to these, close all browsers and hit Fix.

Make sure not to miss one.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoit.com/direct.php?url=my.yahoo.com

O4 - HKLM\..\Run: [mysoft] C:\windows\system32\winexplor.exe

O13 - DefaultPrefix: http://www.microsoit.com/direct.php?url=

O13 - WWW Prefix: http://www.microsoit.com/direct.php?url=


-----------------------------------------------------------------------------------------------------------------------------------

To enable the viewing of Hidden files follow these steps:

How to see Hidden files and Folders

reboot into safe mode

How to boot into safe mode

delete

this file

C:\windows\system32\winexplor.exe

empty your recycle bin
reboot to normal


Come back and post a fresh log and tell me how your computer's running.


Lobos

You may want to disable your System Restore to make a new restore point.

1: Right click on the My Computer icon on your desktop and select properties.
2: Click on the system restore tab.
3: Check the box that says "Turn off system restore on all drives". Click OK.
4: Click Yes when you are prompted to restart the computer.
5: To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box.
 