TheTechGuide Forum

General Category => Tech Clinic => Topic started by: priscilla on February 21, 2005, 12:24:28 PM

Title: help. I've been hijacked.
Post by: priscilla on February 21, 2005, 12:24:28 PM
If anyone can help I would gladly appreciate it. I clicked on an innocent looking webpage link and when the page opened all this crazy stuff started happening to my computer. I tried running ad-aware and I get an illegal operation message and it won't delete the objects it finds. With spybot I get an error message. No matter what I try I can't get my computer back to normal. HELP!!!!!!!!!!!!!!!!!!!

priscilla
Title: help. I've been hijacked.
Post by: guestolo on February 21, 2005, 05:03:05 PM
Can you Download Hijackthis 1.99.1
A small utility to help identify if any Hijackers, Malware, Spyware, etc.....Reside on your computer

Important: Create a Permanent folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT

Now you will have C:\HJT

Download Hijackthis from CLICK HERE (https://ssl.perfora.net/tools.radiosplace.com/HijackThis.exe) or CLICK HERE (http://aumha.org/downloads/hijackthis.exe)
Save it to that new folder

Do a SCAN and Save a Log file---Save the log----copy and paste the WHOLE contents of the log  here... Don't try and fix anything yet----It is all important
Title: help. I've been hijacked.
Post by: priscilla on February 21, 2005, 05:29:19 PM
ok. Here it is. I just want to thank you for your help too. I really appreciate it. I have been struggling w/ this damn machine all weekend and I'm ready to throw it out the window!


Logfile of HijackThis v1.99.1
Scan saved at 5:22:07 PM, on 2/21/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\N20050308.EXE
C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
C:\WINDOWS\SYSTEM\IPRDEX.EXE
C:\WINDOWS\TEMP\ICD3.TMP\SVCMM32.EXE
C:\WINDOWS\SYSTEM\IOSX16.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\N20050308.EXE
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [os5V36e] IPRDEX.EXE
O4 - HKLM\..\Run: [USB controller] "C:\WINDOWS\TEMP\ICD3.TMP\SVCMM32.EXE" /startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ZBu9RWK7Q] IOSX16.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo.com/mmviewer_ic13.cab
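The log above is the kind of thing a helper reads by eye. As an added example (not part of the thread and not code from HijackThis or any other tool named here), this Python script applies the same triage a helper does to the entry types that turned out to matter in this case: O1 hosts entries that point well-known names at a non-loopback address, O4 autostart entries that run from a TEMP directory or carry a random-looking name, repeated O10 "unknown file in Winsock LSP" entries, and an R3 search hook with no file behind it. The sample lines are copied from the log above; the name heuristic in `looks_random` is an assumption of this example, not a rule from the tool.

```python
import re
from typing import Dict

# Constructed sample: a handful of lines copied from the HijackThis log posted
# above, plus one loopback hosts line to show the benign case.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [os5V36e] IPRDEX.EXE
O4 - HKLM\..\Run: [USB controller] "C:\WINDOWS\TEMP\ICD3.TMP\SVCMM32.EXE" /startup
O4 - HKCU\..\Run: [ZBu9RWK7Q] IOSX16.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
"""

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$")
HOOK_RE = re.compile(r"^R3 - URLSearchHook: .*\(no file\)$")


def looks_random(name: str) -> bool:
    """Heuristic (an assumption of this example): autostart names such as
    'os5V36e' mix upper case, lower case and digits with no spaces."""
    return (re.fullmatch(r"[A-Za-z0-9]{6,}", name) is not None
            and re.search(r"\d", name) is not None
            and re.search(r"[a-z]", name) is not None
            and re.search(r"[A-Z]", name) is not None)


def triage(log_text: str) -> Dict[str, list]:
    """Walk a HijackThis log and collect the entries a helper would ask about."""
    findings = {"hosts_redirects": [], "suspicious_run": [],
                "unknown_lsp": [], "orphan_hooks": []}
    for line in log_text.splitlines():
        line = line.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            # A hosts entry is only benign here if it resolves to loopback.
            if not (ip.startswith("127.") or ip == "::1"):
                findings["hosts_redirects"].append((host, ip))
            continue
        m = RUN_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            reasons = []
            if "\\TEMP\\" in command.upper():
                reasons.append("runs from a TEMP directory")
            if looks_random(name):
                reasons.append("random-looking entry name")
            if reasons:
                findings["suspicious_run"].append(
                    (f"{hive}\\..\\{key}", name, command, reasons))
            continue
        m = LSP_RE.match(line)
        if m:
            path = m.group(1).lower()
            if path not in findings["unknown_lsp"]:   # HJT repeats the line per LSP slot
                findings["unknown_lsp"].append(path)
            continue
        if HOOK_RE.match(line):
            findings["orphan_hooks"].append(line)
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("   ", item)
```

The script deliberately only reports; the decision of what to fix stays with the person reading the log, exactly as the thread does it. The LSP entries are collapsed to one path because HijackThis prints the same file once per Winsock protocol slot it occupies, which is why aklsp.dll appears seven times above.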
Title: help. I've been hijacked.
Post by: guestolo on February 21, 2005, 05:48:57 PM
I need you to download a few tools

Can you download and UNZIP to your desktop Lspfix.zip from this location
http://www.cexx.org/lspfix.htm
Open up LSPfix.exe and let me know what you see on the KEEP side and the REMOVE
side

Could you also
Download VX2 finder
http://downloads.subratam.org/VX2Finder9x(126).exe

Open VX2 finder
Click the "Click to Find VX2.BetterInternet"
then click the make log button.
Post the log

Also Click HERE (http://forums.techguy.org/attachment.php?attachmentid=44794) to download DLLCompare.zip.

Unzip it to your desktop.

Now run DllCompare and click on the RunLocate.com button. It will scan for the hidden files. When it is finished, click on the Make a log of what was found button. When it asks to "View log file" click yes and the log will open in notepad. Save the log to copy and paste back here in your next reply

One last request
Please download FindIt.zip (http://www.bleepingcomputer.com/forums/index.php?act=Attach&type=post&id=40938)

Unzip the contents to a folder, then open that folder and double click on Find.bat. It will run for a minute, then produce a log (ignore any File not found messages on the screen, it should continue anyway). Please copy and paste that log here as well.
I've even heard this running up to 15 minutes
Give it time, but not too much...
Title: help. I've been hijacked.
Post by: Guest on February 21, 2005, 06:05:00 PM
I wasn't able to open Lspfix.zip or any of the zip files. I guess my computer doesn't have whatever it takes to zip and unzip.
 
This is what the log said on VX2 finder

Files Found---


User Agent String---
{1040F820-8400-11D9-B69E-99978194B37E}

Is it still possible to fix this without the other downloads?
Title: help. I've been hijacked.
Post by: guestolo on February 21, 2005, 06:08:04 PM
You will need an unzipping utility
I have to see the files
Are you sure you don't have winzip installed?

Go into your Add/Remove programs and see if you have an entry for Winzip
If not you should have an unzipping utility anyways, I can find you a free one, you will need it now and in the future
Title: help. I've been hijacked.
Post by: Guest on February 21, 2005, 06:17:33 PM
There is no Winzip... what do you suggest?
Title: help. I've been hijacked.
Post by: guestolo on February 21, 2005, 06:24:40 PM
Most use the Evaluation version of Winzip
Found here under the Downloads
http://www.winzip.com/downwz.htm

Personally, I like IZArc, no prompts every time you run it
Check it out, you only need one or the other
http://www.izsoft.dir.bg/download_izarc.htm

After either are installed you just right click on the zip file and Unzip or Extract to a folder, or the Desktop
Title: help. I've been hijacked.
Post by: priscilla on February 21, 2005, 06:29:24 PM
ok. I've downloaded the evaluation version of winzip.

so far...
from the LSPfix.exe

on the keep side:

mr20.dll   DNS Name Space Provider
AKLSP.DLL  (protocol handler)
mswsosp.dll (protocol handler)
msafd.dll (protocol handler)
rsvpsp.dll (protocol handler)

There was nothing listed on the remove side.

I will move on to the next one now.
Title: help. I've been hijacked.
Post by: priscilla on February 21, 2005, 06:38:52 PM
Here is the log from DLLCompare

    DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\lvgif11n.dll   Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\mtrle32.dll    Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\twpi32.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\sbtup4.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\ddtmsft.dll    Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\aacore.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\slrrun.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\wtvdmoe.dll    Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\qrvd.dll       Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\lbpsd11n.dll   Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\mawebdvd.dll   Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\rccrt4.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
________________________________________________

803 items found:  803 files (12 H/S), 0 directories.
Total of file sizes:  149,426,160 bytes    142.50 M


I take it this must be some bad stuff because the date and time is exactly when I clicked on that link that messed me up in the first place.
ok. one more to go.
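What makes the DLLCompare log above so telling is not any single file name but the pattern: twelve DLLs in C:\WINDOWS\SYSTEM, all 222,568 bytes, all stamped 8:41:24 on the same morning, all with the System and Read-only attributes set. As an added example (not from the thread and not DLLCompare's own code), this Python script parses lines in that log format and groups files by (size, timestamp) so such a cluster is reported automatically. The sample entries are copied from the log above; the desktop.ini line is a made-up benign hidden file added so the grouping has something to leave alone.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: four entries copied from the DLLCompare log above, plus one
# made-up benign hidden file with a different size and date.
SAMPLE_LOG = r"""
C:\WINDOWS\SYSTEM\lvgif11n.dll   Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\mtrle32.dll    Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\twpi32.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\sbtup4.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\desktop.ini    Mon Mar 01 2004  12:12:00a  .H...            266     0.26 K
"""

# One DLLCompare/Locate.com line: path, date, time, attribute flags, byte size.
ENTRY_RE = re.compile(
    r"^(?P<path>\S+)\s+"
    r"(?P<date>\w{3} \w{3} \d{1,2} \d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[.A-Z]{5})\s+"
    r"(?P<size>[\d,]+)\s"
)


def parse_entries(log_text: str) -> List[Dict]:
    """Return one record per file line; headers, separators and totals are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        attrs = m.group("attrs")
        entries.append({
            "path": m.group("path"),
            "name": m.group("path").rsplit("\\", 1)[-1].lower(),
            "stamp": m.group("date") + " " + m.group("time"),
            "size": int(m.group("size").replace(",", "")),
            "hidden": "H" in attrs,
            "system": "S" in attrs,
            "readonly": "R" in attrs,
        })
    return entries


def find_clusters(entries: List[Dict], min_members: int = 3) -> List[Dict]:
    """Group files that share an exact size and timestamp; report groups of
    min_members or more, largest first. One dropper writing N copies of the
    same payload under different names produces exactly this signature."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["size"], e["stamp"])].append(e)
    clusters = []
    for (size, stamp), members in groups.items():
        if len(members) >= min_members:
            clusters.append({
                "size": size,
                "stamp": stamp,
                "paths": [e["path"] for e in members],
                "all_system_hidden": all(e["system"] or e["hidden"] for e in members),
            })
    clusters.sort(key=lambda c: -len(c["paths"]))
    return clusters


if __name__ == "__main__":
    for c in find_clusters(parse_entries(SAMPLE_LOG)):
        print(f'{len(c["paths"])} files of {c["size"]} bytes stamped {c["stamp"]}')
        for p in c["paths"]:
            print("   ", p)
```

The threshold of three is a judgement call; legitimate installers also drop several files with one timestamp, but they rarely give them identical sizes and the System+Read-only attribute combination, which is what the `all_system_hidden` flag is for.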
Title: help. I've been hijacked.
Post by: priscilla on February 21, 2005, 06:45:37 PM
ok. I downloaded and unzipped FindIt.zip

when I opened the folder that I unzipped it to there is
Find, Locate and Xfind icons. I did not see a find.bat.

please advise.
Title: help. I've been hijacked.
Post by: guestolo on February 21, 2005, 06:56:32 PM
May as well get you to do this now, as it will make it easier
* Open My Computer.
* Select the View menu and click Folder Options.
* Select the View Tab.
* In the Hidden files section select Show all files.
* Uncheck Hide Extensions for Known file types
* Click OK.
Title: help. I've been hijacked.
Post by: priscilla on February 21, 2005, 07:01:58 PM
ok. done
Title: help. I've been hijacked.
Post by: guestolo on February 21, 2005, 07:04:53 PM
I guess that means you can see Find.bat
And you're going to post the log soon?
Title: help. I've been hijacked.
Post by: priscilla on February 21, 2005, 07:10:12 PM
ok. this is what  it gave me.


Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

 ------- System Files in System Directory -------

Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

 ------- System Files in System Directory -------


 Volume in drive C has no label
 Volume Serial Number is 1C72-1F06
 Directory of C:\WINDOWS\SYSTEM

LVGIF11N DLL       222,568  02-19-05  8:41a lvgif11n.dll
MTRLE32  DLL       222,568  02-19-05  8:41a MTRLE32.DLL
TWPI32   DLL       222,568  02-19-05  8:41a TWPI32.DLL
SBTUP4   DLL       222,568  02-19-05  8:41a SBTUP4.DLL
DDTMSFT  DLL       222,568  02-19-05  8:41a DDTMSFT.DLL
AACORE   DLL       222,568  02-19-05  8:41a aacore.dll
SLRRUN   DLL       222,568  02-19-05  8:41a SLRRUN.DLL
WTVDMOE  DLL       222,568  02-19-05  8:41a wtvdmoe.dll
QRVD     DLL       222,568  02-19-05  8:41a QRVD.DLL
LBPSD11N DLL       222,568  02-19-05  8:41a lbpsd11n.dll
MAWEBDVD DLL       222,568  02-19-05  8:41a mawebdvd.dll
RCCRT4   DLL       222,568  02-19-05  8:41a RCCRT4.DLL
        12 file(s)      2,670,816 bytes
         0 dir(s)       35,689.81 MB free

 ------- Hidden Files in System Directory -------


 Volume in drive C has no label
 Volume Serial Number is 1C72-1F06
 Directory of C:\WINDOWS\SYSTEM

FOLDER   HTT        13,122  03-01-04 12:12a folder.htt
DESKTOP  INI           266  03-01-04 12:12a desktop.ini
         2 file(s)         13,388 bytes
         0 dir(s)       35,689.81 MB free

 ---------- Files Named "Guard" -------------


 Volume in drive C has no label
 Volume Serial Number is 1C72-1F06
 Directory of C:\WINDOWS\SYSTEM

                        35,689.81 MB free

 --------- Temp Files in System Directory --------


 Volume in drive C has no label
 Volume Serial Number is 1C72-1F06
 Directory of C:\WINDOWS\SYSTEM

                        35,689.81 MB free

 ---------------- User Agent ------------


 ------------ Keys Under Notify ------------


 ------------ Keys Under Notify ------------


 ---------------- Xfind Results -----------------


 ---------------- Xfind Results -----------------


 -------------- Locate.com Results ---------------


C:\WINDOWS\SYSTEM\
   lvgif11n.dll   Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   mtrle32.dll    Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   twpi32.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   sbtup4.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   ddtmsft.dll    Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   aacore.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   slrrun.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   wtvdmoe.dll    Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   qrvd.dll       Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   lbpsd11n.dll   Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   mawebdvd.dll   Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   rccrt4.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K

12 items found:  12 files, 0 directories.
   Total of file sizes:  2,670,816 bytes      2.55 M

Title: help. I've been hijacked.
Post by: guestolo on February 21, 2005, 07:47:58 PM
One more small download
Download the Pocket Killbox (http://www.downloads.subratam.org/KillBox.zip)
UNZIP it to a folder of your choice

Please copy and paste these instructions to an empty  Notepad file and leave it on your desktop and then Disconnect completely from the Internet
Open these instructions and leave them open until we have restarted your computer

Open Hijackthis>>Open Misc tools>>Open Process Manager
Kill these processes if you can and if found
C:\WINDOWS\N20050308.EXE
C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
C:\WINDOWS\SYSTEM\IPRDEX.EXE
C:\WINDOWS\TEMP\ICD3.TMP\SVCMM32.EXE
C:\WINDOWS\SYSTEM\IOSX16.EXE


Do another scan with Hijackthis and put a check next to these entries:

R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\N20050308.EXE
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [os5V36e] IPRDEX.EXE
O4 - HKLM\..\Run: [USB controller] "C:\WINDOWS\TEMP\ICD3.TMP\SVCMM32.EXE" /startup

O4 - HKCU\..\Run: [ZBu9RWK7Q] IOSX16.EXE

O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo.com/mmviewer_ic13.cab


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Run Pocket KillBox>>Now you have Killbox and this notepad file open
click on Tools --> Select Delete Temp Files. Click OK.
At the bottom right of the main screen, click on the down arrow to the left of the yellow triangle.
Select the following entry if running rundll32.exe
Now click the yellow triangle to End Task
There may be more than one running, end task on all of them

Do the same thing for explorer.exe
Your Desktop and Icons will disappear, don't let it worry you
OK it

Again, in Killbox
At the main screen of Pocket Killbox, select the option: Delete on Reboot

In the Full Path of File to Delete box, copy and paste this entry:

C:\WINDOWS\SYSTEM\lvgif11n.dll

Press the button with a red circle and a white X
Click Yes to Delete on Reboot
When asked if you would like to Reboot Now, select No.

Do the same for all these:

C:\WINDOWS\SYSTEM\mtrle32.dll

C:\WINDOWS\SYSTEM\twpi32.dll

C:\WINDOWS\SYSTEM\sbtup4.dll

C:\WINDOWS\SYSTEM\ddtmsft.dll

C:\WINDOWS\SYSTEM\aacore.dll

C:\WINDOWS\SYSTEM\slrrun.dll

C:\WINDOWS\SYSTEM\wtvdmoe.dll

C:\WINDOWS\SYSTEM\qrvd.dll

C:\WINDOWS\SYSTEM\lbpsd11n.dll

C:\WINDOWS\SYSTEM\mawebdvd.dll

C:\WINDOWS\SYSTEM\rccrt4.dll

C:\WINDOWS\Guard.tmp

C:\WINDOWS\N20050308.EXE

C:\WINDOWS\TEMP\ICD3.TMP\SVCMM32.EXE

C:\WINDOWS\SYSTEM\IPRDEX.EXE


Finally, in Full Path of File to Delete, copy and paste the following:

C:\WINDOWS\SYSTEM\IOSX16.EXE

Press the button with a red circle and a white X.
When asked to Reboot, select Yes!!

Allow the system to Restart or restart anyways

When you're back in Windows
Run VX2 Finder again and click the User Agent$ button

Open Hijackthis>>Open Misc Tools>>Open Hosts File Manager
Delete any lines Below
127.0.0.1 localhost <--don't delete this and nothing above
But only any below that entry you didn't add yourself or don't recognize

Run DLLCompare again and post the log
Run VX2 Finder again and post the log

Also post back with a fresh hijackthis log


Special NOTE: Your Winsock settings have been hijacked, as indicated by Hijackthis
from the O10 entries of your log
Don't attempt to fix those entries
If you find that once you're back in Windows and you have no Internet connection
Do this only if you have to, we will do these steps later

Close down all Browser windows

Ensure that you unzipped LSP fix and you're not running it from within the Zip file
With ONLY LSP fix open
Check "I know what I'm doing".
Then select all instances of aklsp.dll (and nothing else) in the left pane,
click the arrow button to have them moved into the right hand panel.(The Removal Pane) Click Finish <--you may have to scroll down about to see it, Finish is NOT the X button at the top

Restart the computer
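The hosts-file step in the post above has a simple rule: keep the `127.0.0.1 localhost` line and everything above it, and below it keep only entries you added yourself or recognise. As an added example (not part of the thread and not code from HijackThis or its Hosts File Manager), this Python function applies that rule to a hosts file and reports what it would remove, so the decision can be checked before anything is edited. The sample hosts file is constructed from the O1 entries in the log above plus one made-up entry standing in for something the owner added on purpose.

```python
from typing import Iterable, List, Tuple

# Constructed sample hosts file: a comment header, the standard loopback line,
# the redirect entries from the HijackThis log above, and one made-up entry
# (printer.home) that we pretend the owner added deliberately.
SAMPLE_HOSTS = """\
# Copyright (c) 1998 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows 98.
127.0.0.1 localhost
69.20.16.183 ieautosearch
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
192.168.1.10 printer.home
"""


def review_hosts(text: str, recognized: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Apply the rule from the post: everything up to and including the first
    '127.0.0.1 localhost' line is kept untouched; below it, blank lines and
    comments are kept, entries whose hostnames are all in `recognized` are
    kept, and every other entry is reported for removal.

    Returns (kept_lines, removed_entries)."""
    recognized = {h.lower() for h in recognized}
    kept, removed = [], []
    below_localhost = False
    for raw in text.splitlines():
        line = raw.strip()
        if not below_localhost:
            kept.append(raw)
            if line.split()[:2] == ["127.0.0.1", "localhost"]:
                below_localhost = True
            continue
        if not line or line.startswith("#"):
            kept.append(raw)
            continue
        # Drop any trailing comment, then split into address + hostnames.
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and all(h.lower() in recognized for h in fields[1:]):
            kept.append(raw)
        else:
            removed.append(line)
    return kept, removed


if __name__ == "__main__":
    kept, removed = review_hosts(SAMPLE_HOSTS, recognized=["printer.home"])
    print("would remove:")
    for entry in removed:
        print("   ", entry)
    print("resulting file:")
    print("\n".join(kept))
```

Nothing above the localhost line is examined at all, which mirrors the "don't delete this and nothing above" instruction: the function never has to decide whether a header comment is legitimate. Everything it would remove is returned as a list rather than written back, so the owner reviews it first.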
Title: help. I've been hijacked.
Post by: priscilla on February 21, 2005, 08:54:04 PM
New DLLCompare Log:

*    DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\srorage.dll    Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
________________________________________________

793 items found:  793 files (1 H/S), 0 directories.
Total of file sizes:  147,031,672 bytes    140.22 M

--------------------End log---------------------


When I ran VX2 again nothing came up.


New Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 8:49:59 PM, on 2/21/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\DPFPOV.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\NIIYNH.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [version] C:\WINDOWS\SYSTEM\ELQOOE.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\SYSTEM\DPFPOV.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\kggykw.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: niiynh.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab





Does this mean everything is Ok?
Also, I was told that Internet Explorer is very susceptible to adware and spyware ,etc. and that firefox from mozilla is the way to go... would you agree with that?
Title: help. I've been hijacked.
Post by: guestolo on February 21, 2005, 09:14:13 PM
Not clean yet, but you're close
I never suspected you had Narrator trojan too

I'm uploading a file called find_qoologic.zip

Save it to your desktop and Unzip the contents
Open the qoologic folder and double click to run qoologic.bat

Let this finish scanning, may take 5 minutes or so, even if it appears to freeze

When it's done it will produce a log
C:\log.txt <<post this log

EDIT>>woops, forgot the attachment

Try not to restart your computer, if you do I need to see a new DLLCompare log too
Title: help. I've been hijacked.
Post by: Guest on February 21, 2005, 09:30:31 PM
I'm just waiting for that to finish. What is Narrator Trojan?
Title: help. I've been hijacked.
Post by: guestolo on February 21, 2005, 09:33:03 PM
Something that you have
Many times you see it in a computer with VX2 infection, which you have
and we still have to get rid of
You can see it by these entries, we'll fix them in a bit
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\kggykw.exe
and a startup entry
Don't touch them yet
Title: help. I've been hijacked.
Post by: Guest on February 21, 2005, 09:35:19 PM
ok,here's the latest.


ECHO is off
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\vkkqvp.dat: .aspack
C:\WINDOWS\kggykw.exe: .aspack
 
Files Found in all users startup Folder............
------------------------
C:\WINDOWS\Start Menu\Programs\StartUp\niiynh.exe: .aspack
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\gooagh.dll: <Edit>
C:\WINDOWS\annzae.dll: updates.qoologic.com
C:\WINDOWS\qaapqh.exe: updates.qoologic.com
C:\WINDOWS\pqqgpc.dll: updates.qoologic.com
Finished
Title: help. I've been hijacked.
Post by: guestolo on February 21, 2005, 09:57:14 PM
Please copy and paste these instructions to an empty  Notepad file and leave it on your desktop and then Disconnect completely from the Internet
Open these instructions and leave them open until we have restarted your computer

Close down all other windows

Open Hijackthis>>Open Misc tools>>Open Process Manager
Kill these processes if you can and if found>>If you can't end process carry on
C:\WINDOWS\SYSTEM\DPFPOV.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\NIIYNH.EXE


Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [version] C:\WINDOWS\SYSTEM\ELQOOE.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\SYSTEM\DPFPOV.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\kggykw.exe

O4 - Startup: niiynh.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Run Pocket KillBox>>Now you have Killbox and this notepad file open
click on Tools --> Select Delete Temp Files. Click OK.
At the bottom right of the main screen, click on the down arrow to the left of the yellow triangle.
Select the following entry if running rundll32.exe
Now click the yellow triangle to End Task
There may be more than one running, end task on all of them

Again, in Killbox
At the main screen of Pocket Killbox, select the option: Delete on Reboot

In the Full Path of File to Delete box, copy and paste this entry:

C:\WINDOWS\SYSTEM\ELQOOE.exe

Press the button with a red circle and a white X
Click Yes to Delete on Reboot
IF asked if you would like to Reboot Now, select No.

Do the same for all these:

C:\WINDOWS\SYSTEM\DPFPOV.exe

C:\WINDOWS\kggykw.exe

C:\WINDOWS\vkkqvp.dat

C:\WINDOWS\gooagh.dll

C:\WINDOWS\annzae.dll

C:\WINDOWS\qaapqh.exe

C:\WINDOWS\pqqgpc.dll

C:\WINDOWS\SYSTEM\srorage.dll


Finally, in Full Path of File to Delete, copy and paste the following:

C:\WINDOWS\Start Menu\Programs\StartUp\niiynh.exe

Press the button with a red circle and a white X.
If asked to Reboot, select Yes!!

Allow the system to Restart or restart anyways

When you're back in Windows

Open Hijackthis>>Open Misc Tools>>Open Hosts File Manager
Delete any lines Below
127.0.0.1 localhost <--don't delete this and nothing above
But only any below that entry you didn't add yourself or don't recognize

Run DLLCompare again and post the log
Run VX2 Finder again and post the log


Also post back with a fresh hijackthis log

Hopefully, we're just left with some final cleanup
Title: help. I've been hijacked.
Post by: Guest on February 21, 2005, 10:26:21 PM
new dllcompare log:


*    DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

792 items found:  792 files, 0 directories.
Total of file sizes:  146,809,104 bytes    140.01 M

--------------------End log-----


Nothing under VX2 finder.



new hijack this log


Logfile of HijackThis v1.99.1
Scan saved at 10:23:25 PM, on 2/21/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323 (http://\"http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323\")
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe (http://\"http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab (http://\"http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab (http://\"http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab\")




ok. what do we got now? I want to thank you by the way for your time and your help. It is very much appreciated!
Title: help. I've been hijacked.
Post by: guestolo on February 21, 2005, 10:46:44 PM
Let's back up the registry manually
Go to START>>RUN>>type in regedit
Hit OK
In the Reg. Editor>>>Ensure "My Computer" is highlighted
Click "Registry" at the top
"Export Registry File"
In the new box>> Save in "MyDocuments"
File Name>>Give it a Name Backup  >>>Click SAVE
Let it finish saving and then Exit the Registry Editor

You may want to Print the rest of this out or Save it to a Notepad file on your desktop
for easy access

Disconnect completely from the Internet
Close down all Browser windows, including this one

Ensure that you unzipped LSP fix and you're not running it from within the Zip file
With ONLY LSP fix open
Check "I know what I'm doing".
Then select all instances of aklsp.dll (and nothing else) in the left pane,
click the arrow button to move them into the right-hand panel (the Removal pane). Click Finish <-- you may have to scroll down a bit to see it; Finish is NOT the X button at the top

Restart the computer

Back in Windows>>>Some double checks
double click on Find.bat. It will run for a minute, then produce a log (ignore any File not found messages on the screen, it should continue anyway). Please copy and paste that log here as well


Could you also download Runkey2.zip (http://forums.techguy.org/attachment.php?attachmentid=45168&stc=1)

Unzip it and then doubleclick on RunKey2.bat. It will produce an All.txt file. Please copy and paste that here

Could you also post a Startup log from Hijackthis
Open Hijackthis>>Open Misc tools section>>Put a check in
List all Minor Sections(full)
Generate a Startup list and post it back here

One last scan with Hijackthis and post that log too, thanks

NOTE>>> If you have problems with loss of connection
Navigate to Backup.reg and double click on it and allow it to merge into the Registry
Restart your computer
You shouldn't have a problem if the instructions were followed closely :D
Title: help. I've been hijacked.
Post by: Guest on February 21, 2005, 11:12:22 PM
from findit.bat


Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

 ------- System Files in System Directory -------

Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

 ------- System Files in System Directory -------

Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

 ------- System Files in System Directory -------


 Volume in drive C has no label
 Volume Serial Number is 1C72-1F06
 Directory of C:\WINDOWS\SYSTEM

                        35,750.56 MB free

 ------- Hidden Files in System Directory -------


 Volume in drive C has no label
 Volume Serial Number is 1C72-1F06
 Directory of C:\WINDOWS\SYSTEM

FOLDER   HTT        13,122  03-01-04 12:12a folder.htt
DESKTOP  INI           266  03-01-04 12:12a desktop.ini
         2 file(s)         13,388 bytes
         0 dir(s)       35,750.56 MB free

 ---------- Files Named "Guard" -------------


 Volume in drive C has no label
 Volume Serial Number is 1C72-1F06
 Directory of C:\WINDOWS\SYSTEM

                        35,750.56 MB free

 --------- Temp Files in System Directory --------


 Volume in drive C has no label
 Volume Serial Number is 1C72-1F06
 Directory of C:\WINDOWS\SYSTEM

                        35,750.56 MB free

 ---------------- User Agent ------------


 ------------ Keys Under Notify ------------


 ------------ Keys Under Notify ------------


 ------------ Keys Under Notify ------------


 ---------------- Xfind Results -----------------


 ---------------- Xfind Results -----------------


 ---------------- Xfind Results -----------------


 -------------- Locate.com Results ---------------


 -------------- Locate.com Results ---------------


C:\WINDOWS\SYSTEM\
   lvgif11n.dll   Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   mtrle32.dll    Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   twpi32.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   sbtup4.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   ddtmsft.dll    Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   aacore.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   slrrun.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   wtvdmoe.dll    Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   qrvd.dll       Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   lbpsd11n.dll   Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   mawebdvd.dll   Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   rccrt4.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K

12 items found:  12 files, 0 directories.
   Total of file sizes:  2,670,816 bytes      2.55 M

No matches found.



from runkey2

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb04.exe"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

REGEDIT4

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu]
@="{85BBD920-42A0-1069-A2E4-08002B30309D}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu]
@="{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip]
@="{E0D79304-84BE-11CE-9641-444553540000}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\BriefcaseMenu]
@="{85BBD920-42A0-1069-A2E4-08002B30309D}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\LDVPMenu]
@="{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinZip]
@="{E0D79304-84BE-11CE-9641-444553540000}"



from hijack this


StartupList report, 2/21/05, 11:08:36 PM
StartupList version: 1.52.2
Started from : C:\HJT\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\HJT\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
HPDJ Taskbar Utility = C:\WINDOWS\SYSTEM\hpztsb04.exe
vptray = C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
rtvscn95 = C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
defwatch = C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exeadvpack.dll

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[5f9cf8c0-843b-11d9-b69e-00a0cc5afeac] *
StubPath = C:\WINDOWS\qaapqh.exe

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 21/2/2005, 22:13:0)

[Rename]
NUL=C:\WINDOWS\SYSTEM\ELQOOE.EXE
NUL=C:\WINDOWS\SYSTEM\DPFPOV.EXE
NUL=C:\WINDOWS\KGGYKW.EXE
NUL=C:\WINDOWS\VKKQVP.DAT
NUL=C:\WINDOWS\GOOAGH.DLL
NUL=C:\WINDOWS\ANNZAE.DLL
NUL=C:\WINDOWS\QAAPQH.EXE
NUL=C:\WINDOWS\PQQGPC.DLL
NUL=C:\WINDOWS\SYSTEM\SRORAGE.DLL
NUL=

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job

--------------------------------------------------

Enumerating Download Program Files:

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...38304.781724537 (http://\"http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38304.781724537\")

[QDiagHUpdateObj Class]
InProcServer32 = C:\WINDOWS\SYSTEM\QDIAGH.OCX
CODEBASE = http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323 (http://\"http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323\")

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab (http://\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\")

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://download.yahoo.com/dl/yinst/yinst_current.cab (http://\"http://download.yahoo.com/dl/yinst/yinst_current.cab\")

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB (http://\"http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB\")

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe (http://\"http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe\")

[ZoneIntro Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ZINTRO.OCX
CODEBASE = http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab (http://\"http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab\")

[PopCapLoader Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\POPCAPLOADER.DLL
CODEBASE = http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab (http://\"http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab\")

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab (http://\"http://www.apple.com/qtactivex/qtplugin.cab\")

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 7,509 bytes
Report generated in 0.295 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only




Logfile of HijackThis v1.99.1
Scan saved at 11:09:51 PM, on 2/21/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323 (http://\"http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323\")
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe (http://\"http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab (http://\"http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab (http://\"http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab\")



ok... is that all?
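Two things in the logs above are worth automating rather than eyeballing: the Locate.com section lists a dozen differently named DLLs that all have the same byte size, the same write time and the S and R attributes set, and the StartupList Active Setup section carries a key named `5f9cf8c0-843b-11d9-b69e-00a0cc5afeac` (a GUID without the braces every other entry has) whose StubPath is `C:\WINDOWS\qaapqh.exe`. The following is an added example, not code from the thread or from the findit/StartupList tools; the two sample excerpts are constructed in the shape of those log sections (five of the file names and the braceless key are copied from the thread, the `example1.dll`/`example2.dll` lines are made up), and the braceless-GUID rule is a heuristic, not proof.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed excerpt in the shape of the "Locate.com Results" section of a
# findit.bat log. Five same-size names are copied from the thread; the two
# example*.dll lines are made-up benign files so the grouping has noise to ignore.
SAMPLE_LOCATE = """\
 -------------- Locate.com Results ---------------

C:\\WINDOWS\\SYSTEM\\
   lvgif11n.dll   Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   mtrle32.dll    Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   twpi32.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   sbtup4.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   ddtmsft.dll    Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   example1.dll   Fri Apr 23 1999   10:22:00p  ....A       266,293   260.05 K
   example2.dll   Fri Apr 23 1999   10:22:00p  ....A       120,000   117.19 K

7 items found:  7 files, 0 directories.
"""

# Constructed excerpt in the shape of StartupList's Active Setup section:
# two entries shaped like the legitimate ones in the thread's log, plus the
# braceless key and stub path that the thread later removes.
SAMPLE_ACTIVE_SETUP = """\
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[PerUser_LinkBar_URLs] *
StubPath = C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L

[5f9cf8c0-843b-11d9-b69e-00a0cc5afeac] *
StubPath = C:\\WINDOWS\\qaapqh.exe
"""

DIR_RE = re.compile(r"^([A-Za-z]:\\[^\s]*\\)\s*$")
FILE_RE = re.compile(
    r"^\s+(?P<name>\S+)\s+"
    r"(?P<date>[A-Za-z]{3} [A-Za-z]{3} \d{1,2} \d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[.A-Z]+)\s+"
    r"(?P<size>[\d,]+)\s"
)


def parse_locate(text: str) -> List[dict]:
    """Turn Locate.com output into records: full path, timestamp, attrs, byte size."""
    records, current_dir = [], ""
    for line in text.splitlines():
        d = DIR_RE.match(line)
        if d:
            current_dir = d.group(1)  # directory header applies to following lines
            continue
        m = FILE_RE.match(line)
        if m:
            records.append({
                "path": current_dir + m.group("name"),
                "stamp": f'{m.group("date")} {m.group("time")}',
                "attrs": m.group("attrs"),
                "size": int(m.group("size").replace(",", "")),
            })
    return records


def size_stamp_clusters(records: List[dict], min_members: int = 3) -> Dict[Tuple[int, str], List[str]]:
    """Group files by (size, timestamp) and keep groups of at least min_members.

    Several differently named files that are exactly the same size and were
    written in the same second are usually copies of one dropped component
    under random names; unrelated legitimate DLLs seldom collide like this.
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r["size"], r["stamp"])].append(r["path"])
    return {k: v for k, v in groups.items() if len(v) >= min_members}


def marked_system_readonly(records: List[dict]) -> List[str]:
    """Paths whose attribute field carries both S (system) and R (read-only):
    a plain DIR hides such files and a plain DEL refuses to remove them."""
    return [r["path"] for r in records if "S" in r["attrs"] and "R" in r["attrs"]]


GUID_BODY_RE = re.compile(r"^[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]")
STUB_RE = re.compile(r"^StubPath\s*=\s*(?P<stub>.+)$")


def parse_active_setup(text: str) -> List[Tuple[str, str]]:
    """Pair each '[key] *' line with the StubPath line that follows it."""
    entries, key = [], None
    for line in text.splitlines():
        k = KEY_RE.match(line)
        if k:
            key = k.group("key")
            continue
        s = STUB_RE.match(line)
        if s and key is not None:
            entries.append((key, s.group("stub").strip()))
            key = None
    return entries


def odd_active_setup_keys(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Heuristic: flag GUID-shaped key names written without braces. Installers
    register Active Setup components as {GUID} or a descriptive name, so a bare
    GUID is a formatting slip typical of a hand-rolled persistence entry."""
    return [(k, stub) for k, stub in entries if GUID_BODY_RE.match(k)]
```

The cluster check is the more general of the two: it does not depend on knowing any file name in advance, so it also catches the next variant that drops the same payload under a fresh set of names. The Active Setup check is narrow on purpose; it would miss a properly braced malicious entry, so treat an empty result there as "nothing obviously odd", not "clean".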
Title: help. I've been hijacked.
Post by: guestolo on February 22, 2005, 02:02:47 AM
Sorry for the delay
Can you do me a favor

Will try another method to ensure we get you clean

Open Killbox. This time copy and paste the lines into the Full Path of File to Delete box
Just click the Delete button after each
red button with the white X

Keep track of any that won't delete


C:\WINDOWS\SYSTEM\lvgif11n.dll
C:\WINDOWS\SYSTEM\mtrle32.dll
C:\WINDOWS\SYSTEM\twpi32.dll
C:\WINDOWS\SYSTEM\sbtup4.dll
C:\WINDOWS\SYSTEM\ddtmsft.dll
C:\WINDOWS\SYSTEM\aacore.dll
C:\WINDOWS\SYSTEM\slrrun.dll
C:\WINDOWS\SYSTEM\wtvdmoe.dll
C:\WINDOWS\SYSTEM\qrvd.dll
C:\WINDOWS\SYSTEM\lbpsd11n.dll
C:\WINDOWS\SYSTEM\mawebdvd.dll
C:\WINDOWS\SYSTEM\rccrt4.dll


For any that won't delete use the delete on reboot method

Restart the computer afterwards

When you're back in Windows
Download Findit9xme.zip (http://www.thatcomputerguy.us/downloads/findit9xme.zip)
Unzip the contents and open the Findit9xMe folder
Double click on Findit9xme.bat
Wait for the log and post it back

Sorry if I missed you. I've edited this post: I added the entries below to this fix, which is unneeded, since we already nailed these ones. If you didn't see it, don't worry about fixing these ones
C:\WINDOWS\SYSTEM\ELQOOE.EXE
C:\WINDOWS\SYSTEM\DPFPOV.EXE
C:\WINDOWS\KGGYKW.EXE
C:\WINDOWS\VKKQVP.DAT
C:\WINDOWS\GOOAGH.DLL
C:\WINDOWS\ANNZAE.DLL
C:\WINDOWS\QAAPQH.EXE
C:\WINDOWS\PQQGPC.DLL
C:\WINDOWS\SYSTEM\SRORAGE.DLL

Actually those entries are in your
C:\WINDOWS\WININIT.BAK file
There's nothing to worry about. If you want you could open Wininit.bak with Notepad
and edit out those lines
But fix the ones I have still posted and post back the log from Findit9xme.bat
Title: help. I've been hijacked.
Post by: priscilla on February 22, 2005, 07:17:23 AM
sorry about disappearing.. I fell asleep. :)

Here is the log file from findit9xme


Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.
 
 ------- System Files in System Directory -------
 

 Volume in drive C has no label
 Volume Serial Number is 1C72-1F06
 Directory of C:\WINDOWS\SYSTEM

                        35,761.19 MB free
 
 ------- Hidden Files in System Directory -------
 

 Volume in drive C has no label
 Volume Serial Number is 1C72-1F06
 Directory of C:\WINDOWS\SYSTEM

FOLDER   HTT        13,122  03-01-04 12:12a folder.htt
DESKTOP  INI           266  03-01-04 12:12a desktop.ini
         2 file(s)         13,388 bytes
         0 dir(s)       35,761.16 MB free
 
 ---------------- User Agent ------------
 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 ------------------ Locate.com Results ------------------

No matches found.
 
 ------------ Strings.exe Qoologic Results ------------
 
C:\WINDOWS\USER.DAT: logqoologic.txt
C:\WINDOWS\USER.DAT: hlogqoologic.txt
C:\WINDOWS\USER.DAT: logqoologic.txt.lnk
C:\WINDOWS\USER.DAT: qoologic
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: qoologic
C:\WINDOWS\USER.DAT: QOOLOGIC
 
 -------------- Strings.exe Aspack Results -------------
 
 
 ----------------- HKLM Run Key ------------------
 
 -------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\ISCVID.DLL: UMonitor
 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb04.exe"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


I opened wininit.bak w/ notepad and there were no files listed.


what's next?
 

Title: help. I've been hijacked.
Post by: guestolo on February 22, 2005, 07:32:33 PM
Copy and paste this full path to file into Killbox>>>

C:\WINDOWS\SYSTEM\ISCVID.DLL

Hit the Delete button
red button with the white X

If it won't delete, use the delete on reboot method

Restart the computer

Run findit9xme.bat again
Post the log and one more hijackthis log.
Title: help. I've been hijacked.
Post by: priscilla on February 22, 2005, 08:01:17 PM
ok.


here's the findit9xme log

Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.
 
 ------- System Files in System Directory -------
 

 Volume in drive C has no label
 Volume Serial Number is 1C72-1F06
 Directory of C:\WINDOWS\SYSTEM

                        35,727.78 MB free
 
 ------- Hidden Files in System Directory -------
 

 Volume in drive C has no label
 Volume Serial Number is 1C72-1F06
 Directory of C:\WINDOWS\SYSTEM

FOLDER   HTT        13,122  03-01-04 12:12a folder.htt
DESKTOP  INI           266  03-01-04 12:12a desktop.ini
         2 file(s)         13,388 bytes
         0 dir(s)       35,727.75 MB free
 
 ---------------- User Agent ------------
 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 ------------------ Locate.com Results ------------------

No matches found.
 
 ------------ Strings.exe Qoologic Results ------------
 
C:\WINDOWS\USER.DAT: logqoologic.txt
C:\WINDOWS\USER.DAT: qoologic
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: qoologic
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: qoologic
C:\WINDOWS\USER.DAT: QOOLOGIC
 
 -------------- Strings.exe Aspack Results -------------
 
 
 ----------------- HKLM Run Key ------------------
 
 -------------- Strings.exe Umonitor Results -------------
 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb04.exe"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




here's a fresh hi-jack this log:


Logfile of HijackThis v1.99.1
Scan saved at 7:59:22 PM, on 2/22/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\NOTEPAD.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: STRINGS.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
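Added example, not part of the thread and not a HijackThis tool: a small Python parser for the O4 auto-start lines of a log like the one above. It structures each entry and lists those whose command is a bare file name, which the log alone cannot locate on disk; the sample lines are constructed in the v1.99.1 format.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99.1 log format, modelled on the O4 lines of the log above.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: STRINGS.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
"""

RUN_KEY = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")   # O4 - HKLM\..\Run: [name] cmd
STARTUP = re.compile(r"^O4 - Startup: (?:(.*?) = )?(.*)$")           # O4 - Startup: x.lnk = target
ABS_PATH = re.compile(r'^"?[A-Za-z]:\\')                               # command begins with a drive path

@dataclass
class AutoStart:
    location: str   # e.g. "HKLM\Run", "HKLM\RunServices" or "Startup folder"
    name: str       # registry value name, or the .lnk / file name in the Startup folder
    command: str    # what gets launched

def parse_o4(log: str) -> list[AutoStart]:
    """Turn the O4 (auto-start) lines of a HijackThis log into records; other sections are ignored."""
    entries = []
    for line in log.splitlines():
        m = RUN_KEY.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            entries.append(AutoStart(f"{hive}\\{key}", name, cmd))
            continue
        m = STARTUP.match(line)
        if m:
            name, cmd = m.groups()
            entries.append(AutoStart("Startup folder", name or cmd, cmd))
    return entries

def needs_manual_check(entries: list[AutoStart]) -> list[str]:
    """Names of entries launched by bare file name: the log does not say where the file lives,
    so these have to be located and verified on disk before anything is decided about them."""
    return [e.name for e in entries if not ABS_PATH.match(e.command)]

if __name__ == "__main__":
    found = parse_o4(SAMPLE_LOG)
    for e in found:
        print(f"{e.location:18} {e.name:22} {e.command}")
    print("verify on disk:", needs_manual_check(found))
```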
Title: help. I've been hijacked.
Post by: guestolo on February 22, 2005, 08:41:04 PM
Your log looks good now, just some final leftovers to take care of

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the whole contents of the Quote box to notepad, not including the word Notepad
Name the file as Remove.reg
Change the Save as Type to All Files.
Save this file on the desktop
Quote
REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\5f9cf8c0-843b-11d9-b69e-00a0cc5afeac]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\5f9cf8c0-843b-11d9-b69e-00a0cc5afeac]

Double click on Remove.reg and allow to merge to the registry

Open Ad-Aware and check for updates>>Make sure you're running Ad-Aware SE 1.05
If not download and install the latest, allow to remove the old version
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

Restart your computer

To help prevent these types of infections in the future
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

Check for updates every couple of weeks
After every update just simply enable all protection

If you plan on normally using Internet Explorer, I would install IE-Spyad also
If you would like a link, let me know
Title: help. I've been hijacked.
Post by: Guest on February 22, 2005, 09:22:37 PM
as far as all of the tools I downloaded for this fix, should I keep them on my computer or is it ok to delete them?
Title: help. I've been hijacked.
Post by: priscilla on February 22, 2005, 09:41:02 PM
ok. just finished the ad-aware scan and restart.

I am going to download the SpywareBlaster.

As for Internet Explorer, I'm going to try not to use it that often. The Firefox browser from Mozilla seems to be working alright. If you could send a link for the IE-Spyad that would be great. It can't hurt to have it.

Thanks so much!!!!!!!!!!!!!!!!!! :D
Title: help. I've been hijacked.
Post by: guestolo on February 22, 2005, 09:42:34 PM
Hold onto Winzip and SpywareBlaster

You can manually delete the rest of the fixes we used, which include
VX2 finder>>DLLCompare>>Findit.bats
Reg fixes
The backup of the registry

Pocket Killbox>>User preference, if you want, hold onto it....

Don't delete Hijackthis yet, hold onto it until you're happy with the way everything is running
Then delete the backups and the program if you want

I take it everything is running better?

Here's the link to IE-Spyad
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==http://www.bleepingcomputer.com/forums/index.php?showtutorial=53
Download link==https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
Keep the link to IE-Spyad bookmarked so you can check for updates
Title: help. I've been hijacked.
Post by: Guest on February 22, 2005, 10:10:53 PM
yes, everything seems back to normal. I just downloaded the spyware blaster.

thanks again. I really appreciate it. :D
Title: help. I've been hijacked.
Post by: guestolo on February 22, 2005, 10:40:04 PM
I'll lock this topic as your problems appear to be resolved
If you need it reopened, PM a Mod or the site Admin and supply a link to this thread
Stay safe :D