
Thread: problem with Firefox

  1. #1
    Junior Member (Join Date: Jun 2003, Posts: 11)

    problem with Firefox

    I'm pretty new to using Mozilla Firefox but so far I'm loving it compared to Explorer, but I've encountered my first problem with it.
    The first time I load Firefox every day it sends me to the website "http://www.dxstar.com/". It's not changing my homepage, just sending me there once a day. Any suggestions as to how to get rid of it? I'll post my HijackThis log here (although there's nothing in there I see that would cause this problem). Thanks in advance - Smif123


    Logfile of HijackThis v1.98.2
    Scan saved at 11:37:22 AM, on 13/11/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\WUPDPIJ32.EXE
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Documents and Settings\********\My Documents\Programs\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.ca/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [emqgmqhi] C:\WINDOWS\System32\tppznyqt.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Update Pro] WUPDPIJ32.EXE
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [Xyoulbvt] C:\WINDOWS\System32\kghnl.exe
    O4 - HKCU\..\RunOnce: [Windows Update Pro] WUPDPIJ32.EXE
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by24fd.bay24.hotmail.msn.com/...x/HMAtchmt.ocx

  2. #2
    Ladies and Gentlemen...

    We have our first FireFox hijack. I would love to know the vector on that one...

    I am off to class, so unfortunately I can't help review your log. I just find it very interesting that it seems FF has been hijacked. (who said it wouldn't happen )

  3. #3
    AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)
    Smif:

    You definitely have some odd processes running or called at start. Unless you can positively ID them I would try the following:-

    1. Open Task Manager and stop the process C:\WINDOWS\system32\WUPDPIJ32.EXE if you can.
    2. Fix the following keys:-

    O4 - HKLM\..\Run: [emqgmqhi] C:\WINDOWS\System32\tppznyqt.exe
    O4 - HKLM\..\Run: [Windows Update Pro] WUPDPIJ32.EXE
    O4 - HKCU\..\Run: [Xyoulbvt] C:\WINDOWS\System32\kghnl.exe
    O4 - HKCU\..\RunOnce: [Windows Update Pro] WUPDPIJ32.EXE (note this is a runonce key, the other is a run key... there are 2.... unusual IMO).

    3. I really am not happy about this one either... You might want to consider getting rid of it too unless you know what it is:-

    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

    4. Any clue what this is?

    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by24fd.bay24.hotmail.msn.com...ex/HMAtchmt.ocx

    That's my assessment..... Comments anyone?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Senior Member (Join Date: Aug 2003, Posts: 1,018)
    Spot on. Also make sure to delete those files too.

    The first O16 entry is a QuickTime installer. I have no idea what the second one does, other than something for (obviously) Hotmail. O16's are always safe to remove with HJT. If they are ever needed again, they will be automatically downloaded.

  5. #5
    AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)
    Thanks Groove, (the HJT King)....

    BTW, I forgot to mention.... After fixing, restart the box and run HJT again to make sure they left. If they are still there, repost the HJT log so we can look at it again.... It's possible that if you can't stop the WUPDPIJ32.EXE process it will re-instate itself at shutdown, (actually, it's not an issue of "possible", it's quite bloody common for this crap to do it.... ).
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
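    The triage Tiger and Groove did by eye in the posts above (odd Run entries, a bare file name that Windows resolves through the search path, the same name under both Run and RunOnce, and a process from the autostart list that is currently running) can be written down as a script. The following is an added example for this thread, not code from the original posts and not part of HijackThis itself; the sample log lines are copied from Smif's post above and trimmed, and the "random-looking name" thresholds (few vowels, long consonant runs) are my own heuristics, meant to rank entries for a human to verify, not to decide on their own.

```python
"""Triage helper for HijackThis-style logs (added example, not HJT's own code).

Parses the 'Running processes' list and the O4 autostart entries, then applies
three checks that mirror what the reviewers in this thread did by eye:
  1. bare_filename   - the command has no directory, so it is resolved through
                       the search path at logon and the file could sit anywhere
  2. random_name / random_exe - entry label or executable stem looks
                       machine-generated (heuristic thresholds, assumption)
  3. run_and_runonce - the same label sits under both Run and RunOnce
and records whether the executable appears in the running-process list.
"""
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the log posted in this thread, trimmed.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WUPDPIJ32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [emqgmqhi] C:\WINDOWS\System32\tppznyqt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Update Pro] WUPDPIJ32.EXE
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Xyoulbvt] C:\WINDOWS\System32\kghnl.exe
O4 - HKCU\..\RunOnce: [Windows Update Pro] WUPDPIJ32.EXE
"""

# O4 line shape used by HijackThis: O4 - <hive>\..\<key>: [<label>] <command>
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>RunOnce|Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
VOWELS = set("aeiou")


@dataclass
class AutostartEntry:
    hive: str
    key: str
    name: str
    cmd: str
    exe: str
    running: bool = False
    flags: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Two independent signals are needed before an entry is called suspicious;
        # a single weak signal (e.g. a bare name) only asks for a manual look.
        return "suspicious" if len(self.flags) >= 2 else "review" if self.flags else "ok"


def executable_of(cmd: str) -> str:
    """First token of the command: a quoted path or the text up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def looks_random(label: str, min_letters: int = 6) -> bool:
    """Heuristic (assumption): at most 25% vowels plus a consonant run of 4+, or no vowels."""
    letters = [c for c in label.lower() if c.isalpha()]
    if len(letters) < min_letters:
        return False
    vowels = sum(c in VOWELS for c in letters)
    if vowels == 0:
        return True
    longest = run = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowels / len(letters) <= 0.25 and longest >= 4


def has_no_vowels(word: str, min_letters: int = 5) -> bool:
    """Stricter test used for executable stems, where short real names are common."""
    letters = [c for c in word.lower() if c.isalpha()]
    return len(letters) >= min_letters and not any(c in VOWELS for c in letters)


def parse_log(text: str):
    """Return (set of running process base names, list of O4 entries)."""
    processes, entries, in_procs = set(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # blank line ends the process list
                in_procs = False
                continue
            processes.add(ntpath.basename(line).lower())
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m["cmd"].strip()
            entries.append(AutostartEntry(m["hive"], m["key"], m["name"], cmd, executable_of(cmd)))
    return processes, entries


def triage(text: str):
    """Apply the checks to every O4 entry and return the annotated entries."""
    processes, entries = parse_log(text)
    keys_by_name = {}
    for e in entries:
        keys_by_name.setdefault(e.name.lower(), set()).add(e.key.lower())
    for e in entries:
        base = ntpath.basename(e.exe)
        e.running = base.lower() in processes
        if "\\" not in e.exe and "/" not in e.exe:
            e.flags.append("bare_filename")
        if looks_random(e.name):
            e.flags.append("random_name")
        if has_no_vowels(base.rsplit(".", 1)[0]):
            e.flags.append("random_exe")
        if keys_by_name[e.name.lower()] >= {"run", "runonce"}:
            e.flags.append("run_and_runonce")
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.verdict:10} {e.hive}\\{e.key:8} [{e.name}] {e.exe}  running={e.running} flags={e.flags}")
```

    Run against the sample, the three entries the thread singled out (emqgmqhi, Xyoulbvt, and both Windows Update Pro keys) come out "suspicious", and WUPDPIJ32.EXE is marked as running, which is why Tiger wants it killed before the keys are fixed. The NVIDIA entries come out "review" only because they call RUNDLL32.EXE and nwiz.exe by bare name; that is normal for those products and shows why a single weak signal should send the analyst to a vendor reference rather than to the delete button.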

  6. #6
    Senior Member (Join Date: Nov 2001, Posts: 1,255)

    Re: problem with Firefox

    Originally posted here by Soda_Popinsky
    Ladies and Gentlemen...
    We have our first FireFox hijack. I would love to know the vector on that one...
    From the sounds of it, it's not a Firefox problem.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  7. #7
    Although I would expect that process got placed through means that didn't involve FF, I don't see anything that argues that FF didn't get exploited?
    Except maybe this, but would require some clarification from the thread's author:
    I'm pretty new to using Mozilla Firefox but so far I'm loving it compared to Explorer, but I've encountered my first problem with it.
    Maybe IE was responsible for the hijacker, but why would malware target Firefox when it gets there through IE? If IE gets exploited, then that means the exploited user has IE as their preferred browser, making FF functions of the payload irrelevant?

    Either IE got exploited with malware as a payload that predicts the user would switch to FF after being exploited, or FF itself got exploited... My money is on the former, but it would be damning for FF to get hijacked right after their final release.

    Or maybe any browser would be redirected to that page? A cross browser hijack?

    Malware gets complicated sometimes.

  8. #8
    Senior Member (Join Date: Dec 2003, Location: Pacific Northwest, Posts: 1,675)
    I’ve been trying to keep an eye open for Firefox Hijackers and there has been some discussion about them, but nothing has really been directly related to FF. Here are some of the recent boards:


    http://www.trojaner-board.de/showthread.php?t=7428


    Translated versions:

    Here:


    Resolution to what they thought was a FF Hijack - Javascript refresh

    Here:


    Soda presents some very interesting scenarios; they will make them more difficult to detect, and why not a "cross browser hijack" coming next?

    cheers
    Connection refused, try again later.

  9. #9
    Senior Member (Join Date: Aug 2003, Posts: 1,018)
    I was sitting here trying to noodle through what may have happened, then relyt said something that made sense: JavaScript refresh. I was about to bet that if the user turned off JavaScript and Java in FF, the redirect would no longer happen. So my thought is that it is actually a Windows issue.

    Since I have no earthly clue about JavaScript, would it be correct to assume that each browser has to use the same interpreter (assuming that it is an interpreted language), and therefore it wouldn't matter what browser was being used?

    Now I am making my head hurt.

  10. #10
    ShagDevil, Some Assembly Required (Join Date: Nov 2002, Location: SC, Posts: 718)
    O4 - HKLM\..\Run: [emqgmqhi] C:\WINDOWS\System32\tppznyqt.exe
    O4 - HKLM\..\Run: [Windows Update Pro] WUPDPIJ32.EXE
    O4 - HKCU\..\Run: [Xyoulbvt] C:\WINDOWS\System32\kghnl.exe
    O4 - HKCU\..\RunOnce: [Windows Update Pro] WUPDPIJ32.EXE (note this is a runonce key, the other is a run key... there are 2.... unusual IMO).
    Tiger is dead on on those files. I checked Google, Yahoo, Answers That Work, and WinTask Library for those files and found nothing. They seem extremely shady to me.
    For starters, follow Tiger's advice and repair those files with HJT. Next (and I'm surprised it wasn't mentioned), you should download Spybot and/or Ad-Aware. Run those and see what they find. You appear to have some kind of porn hijacker.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton
