Author Topic: help. I've been hijacked.  (Read 5404 times)

Guest

help. I've been hijacked.
« Reply #20 on: February 21, 2005, 09:35:19 PM »
OK, here's the latest.


ECHO is off
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\vkkqvp.dat: .aspack
C:\WINDOWS\kggykw.exe: .aspack
 
Files Found in all users startup Folder............
------------------------
C:\WINDOWS\Start Menu\Programs\StartUp\niiynh.exe: .aspack
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\gooagh.dll: <Edit>
C:\WINDOWS\annzae.dll: updates.qoologic.com
C:\WINDOWS\qaapqh.exe: updates.qoologic.com
C:\WINDOWS\pqqgpc.dll: updates.qoologic.com
Finished
« Last Edit: February 21, 2005, 09:42:38 PM by guestolo »

Offline guestolo

help. I've been hijacked.
« Reply #21 on: February 21, 2005, 09:57:14 PM »
Please copy and paste these instructions to an empty Notepad file and leave it on your desktop, and then disconnect completely from the Internet
Open these instructions and leave them open until we have restarted your computer

Close down all other windows

Open Hijackthis>>Open Misc tools>>Open Process Manager
Kill these processes if you can and if found>>If you can't end a process, carry on
C:\WINDOWS\SYSTEM\DPFPOV.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\NIIYNH.EXE


Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [version] C:\WINDOWS\SYSTEM\ELQOOE.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\SYSTEM\DPFPOV.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\kggykw.exe

O4 - Startup: niiynh.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Run Pocket KillBox>>Now you have Killbox and this notepad file open
click on Tools --> Select Delete Temp Files. Click OK.
At the bottom right of the main screen, click on the down arrow to the left of the yellow triangle.
Select the following entry if running rundll32.exe
Now click the yellow triangle to End Task
There may be more than one running, end task on all of them

Again, in Killbox
At the main screen of Pocket Killbox, select the option: Delete on Reboot

In the Full Path of File to Delete box, copy and paste this entry:

C:\WINDOWS\SYSTEM\ELQOOE.exe

Press the button with a red circle and a white X
Click Yes to Delete on Reboot
IF asked if you would like to Reboot Now, select No.

Do the same for all these:

C:\WINDOWS\SYSTEM\DPFPOV.exe

C:\WINDOWS\kggykw.exe

C:\WINDOWS\vkkqvp.dat

C:\WINDOWS\gooagh.dll

C:\WINDOWS\annzae.dll

C:\WINDOWS\qaapqh.exe

C:\WINDOWS\pqqgpc.dll

C:\WINDOWS\SYSTEM\srorage.dll


Finally, in Full Path of File to Delete, copy and paste the following:

C:\WINDOWS\Start Menu\Programs\StartUp\niiynh.exe

Press the button with a red circle and a white X.
If asked to Reboot, select Yes!!

Allow the system to Restart or restart anyways

When you're back in Windows

Open Hijackthis>>Open Misc Tools>>Open Hosts File Manager
Delete any lines Below
127.0.0.1 localhost <--don't delete this and nothing above
But only any below that entry you didn't add yourself or don't recognize

Run DLLCompare again and post the log
Run VX2 Finder again and post the log


Also post back with a fresh hijackthis log

Hopefully, we're just left with some final cleanup :)

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Guest

help. I've been hijacked.
« Reply #22 on: February 21, 2005, 10:26:21 PM »
new dllcompare log:


*    DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

792 items found:  792 files, 0 directories.
Total of file sizes:  146,809,104 bytes    140.01 M

--------------------End log-----


Nothing under VX2 finder.



new hijack this log


Logfile of HijackThis v1.99.1
Scan saved at 10:23:25 PM, on 2/21/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab




OK. What do we got now? I want to thank you, by the way, for your time and your help. It is very much appreciated!

Offline guestolo

help. I've been hijacked.
« Reply #23 on: February 21, 2005, 10:46:44 PM »
Let's backup the registry manually
Go to START>>RUN>>type in regedit
Hit OK
In the Reg. Editor>>>Ensure "My Computer" is highlighted
Click "Registry" at the top
"Export Registry File"
In the new box>> Save in "MyDocuments"
File Name>>Give it a Name Backup  >>>Click SAVE
Let it finish saving and then Exit the Registry Editor

You may want to Print the rest of this out or Save it to a Notepad file on your desktop
for easy access

Disconnect completely from the Internet
Close down all Browser windows, including this one

Ensure that you unzipped LSP fix and you're not running it from within the Zip file
With ONLY LSP fix open
Check "I know what I'm doing".
Then select all instances of aklsp.dll (and nothing else) in the left pane,
click the arrow button to have them moved into the right-hand panel (the Removal Pane). Click Finish <--you may have to scroll down a bit to see it; Finish is NOT the X button at the top

Restart the computer

Back in Windows>>>Some double checks
double-click on Find.bat. It will run for a minute, then produce a log (ignore any "File not found" messages on the screen; it should continue anyway). Please copy and paste that log here as well


Could you also download Runkey2.zip

Unzip it and then double-click on RunKey2.bat. It will produce an All.txt file. Please copy and paste that here

Could you also post a Startup log from Hijackthis
Open Hijackthis>>Open Misc tools section>>Put a check in
List all Minor Sections(full)
Generate a Startup list and post it back here

One last scan with Hijackthis and post that log too, thanks

NOTE>>> If you have problems with loss of Connection issues
Navigate to Backup.reg and double click on it and allow to merge to Registry
Restart your computer
You shouldn't have a problem if instructions were followed closely :D
« Last Edit: February 21, 2005, 10:47:23 PM by guestolo »



Guest

help. I've been hijacked.
« Reply #24 on: February 21, 2005, 11:12:22 PM »
from findit.bat


Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

 ------- System Files in System Directory -------

Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

 ------- System Files in System Directory -------

Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

 ------- System Files in System Directory -------


 Volume in drive C has no label
 Volume Serial Number is 1C72-1F06
 Directory of C:\WINDOWS\SYSTEM

                        35,750.56 MB free

 ------- Hidden Files in System Directory -------


 Volume in drive C has no label
 Volume Serial Number is 1C72-1F06
 Directory of C:\WINDOWS\SYSTEM

FOLDER   HTT        13,122  03-01-04 12:12a folder.htt
DESKTOP  INI           266  03-01-04 12:12a desktop.ini
         2 file(s)         13,388 bytes
         0 dir(s)       35,750.56 MB free

 ---------- Files Named "Guard" -------------


 Volume in drive C has no label
 Volume Serial Number is 1C72-1F06
 Directory of C:\WINDOWS\SYSTEM

                        35,750.56 MB free

 --------- Temp Files in System Directory --------


 Volume in drive C has no label
 Volume Serial Number is 1C72-1F06
 Directory of C:\WINDOWS\SYSTEM

                        35,750.56 MB free

 ---------------- User Agent ------------


 ------------ Keys Under Notify ------------


 ------------ Keys Under Notify ------------


 ------------ Keys Under Notify ------------


 ---------------- Xfind Results -----------------


 ---------------- Xfind Results -----------------


 ---------------- Xfind Results -----------------


 -------------- Locate.com Results ---------------


 -------------- Locate.com Results ---------------


C:\WINDOWS\SYSTEM\
   lvgif11n.dll   Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   mtrle32.dll    Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   twpi32.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   sbtup4.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   ddtmsft.dll    Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   aacore.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   slrrun.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   wtvdmoe.dll    Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   qrvd.dll       Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   lbpsd11n.dll   Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   mawebdvd.dll   Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   rccrt4.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K

12 items found:  12 files, 0 directories.
   Total of file sizes:  2,670,816 bytes      2.55 M

No matches found.



from runkey2

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb04.exe"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

REGEDIT4

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu]
@="{85BBD920-42A0-1069-A2E4-08002B30309D}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu]
@="{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip]
@="{E0D79304-84BE-11CE-9641-444553540000}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\BriefcaseMenu]
@="{85BBD920-42A0-1069-A2E4-08002B30309D}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\LDVPMenu]
@="{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinZip]
@="{E0D79304-84BE-11CE-9641-444553540000}"



from hijack this


StartupList report, 2/21/05, 11:08:36 PM
StartupList version: 1.52.2
Started from : C:\HJT\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\HJT\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
HPDJ Taskbar Utility = C:\WINDOWS\SYSTEM\hpztsb04.exe
vptray = C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
rtvscn95 = C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
defwatch = C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exeadvpack.dll

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[5f9cf8c0-843b-11d9-b69e-00a0cc5afeac] *
StubPath = C:\WINDOWS\qaapqh.exe

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 21/2/2005, 22:13:0)

[Rename]
NUL=C:\WINDOWS\SYSTEM\ELQOOE.EXE
NUL=C:\WINDOWS\SYSTEM\DPFPOV.EXE
NUL=C:\WINDOWS\KGGYKW.EXE
NUL=C:\WINDOWS\VKKQVP.DAT
NUL=C:\WINDOWS\GOOAGH.DLL
NUL=C:\WINDOWS\ANNZAE.DLL
NUL=C:\WINDOWS\QAAPQH.EXE
NUL=C:\WINDOWS\PQQGPC.DLL
NUL=C:\WINDOWS\SYSTEM\SRORAGE.DLL
NUL=

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job

--------------------------------------------------

Enumerating Download Program Files:

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...38304.781724537

[QDiagHUpdateObj Class]
InProcServer32 = C:\WINDOWS\SYSTEM\QDIAGH.OCX
CODEBASE = http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://download.yahoo.com/dl/yinst/yinst_current.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe

[ZoneIntro Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ZINTRO.OCX
CODEBASE = http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab

[PopCapLoader Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\POPCAPLOADER.DLL
CODEBASE = http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 7,509 bytes
Report generated in 0.295 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only




Logfile of HijackThis v1.99.1
Scan saved at 11:09:51 PM, on 2/21/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab



ok... is that all?

Offline guestolo

help. I've been hijacked.
« Reply #25 on: February 22, 2005, 02:02:47 AM »
Sorry for the delay
Can you do me a favor

Will try another method to ensure we get you clean

Open Killbox, This time copy and paste the lines into the the Full Path of File to Delete box
Just click the Delete button (the red button with the white X) after each

Keep track of any that won't delete


C:\WINDOWS\SYSTEM\lvgif11n.dll
C:\WINDOWS\SYSTEM\mtrle32.dll
C:\WINDOWS\SYSTEM\twpi32.dll
C:\WINDOWS\SYSTEM\sbtup4.dll
C:\WINDOWS\SYSTEM\ddtmsft.dll
C:\WINDOWS\SYSTEM\aacore.dll
C:\WINDOWS\SYSTEM\slrrun.dll
C:\WINDOWS\SYSTEM\wtvdmoe.dll
C:\WINDOWS\SYSTEM\qrvd.dll
C:\WINDOWS\SYSTEM\lbpsd11n.dll
C:\WINDOWS\SYSTEM\mawebdvd.dll
C:\WINDOWS\SYSTEM\rccrt4.dll


For any that won't delete use the delete on reboot method

Restart the computer afterwards

When you're back in Windows
Download Findit9xme.zip
Unzip the contents and open the Findit9xMe folder
Double click on Findit9xme.bat
Wait for the log and post it back

Sorry if I missed you. I've edited this post: I added the entries below to this fix, which is unneeded, as we already nailed these ones>>If you didn't see it, don't worry about fixing these ones
C:\WINDOWS\SYSTEM\ELQOOE.EXE
C:\WINDOWS\SYSTEM\DPFPOV.EXE
C:\WINDOWS\KGGYKW.EXE
C:\WINDOWS\VKKQVP.DAT
C:\WINDOWS\GOOAGH.DLL
C:\WINDOWS\ANNZAE.DLL
C:\WINDOWS\QAAPQH.EXE
C:\WINDOWS\PQQGPC.DLL
C:\WINDOWS\SYSTEM\SRORAGE.DLL

Actually those entries are in your
C:\WINDOWS\WININIT.BAK file
There's nothing to worry about>>If you want, you could open Wininit.bak with Notepad
and edit out those lines
But fix the ones I have still posted and post back the log from Findit9xme.bat
« Last Edit: February 22, 2005, 02:43:01 AM by guestolo »

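The check guestolo does by hand in the reply above (the [Rename] list in WININIT.BAK is a record of what Delete-on-Reboot removed, so the real question is whether any of those files still show up in a fresh HijackThis log) can be scripted. This is an added example, not code from the thread or from HijackThis/Killbox; the sample log and [Rename] lines are constructed from entries quoted earlier in the thread, and the function and field names are my own.

```python
"""Cross-check a HijackThis log against the [Rename] section of WININIT.BAK.

On Windows 9x, "Delete on Reboot" tools such as Killbox queue deletions by
writing "NUL=<path>" lines into C:\\WINDOWS\\WININIT.INI. Windows processes the
[Rename] section during the next boot and then renames the file to
WININIT.BAK, so a [Rename] list that still shows in WININIT.BAK is a record
of what was deleted, not an active threat. A file from that list that still
appears in a fresh HijackThis log after the reboot means the deletion failed
or the file was re-created.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, taken from the WININIT.BAK listing quoted in the thread.
SAMPLE_WININIT_BAK = r"""[Rename]
NUL=C:\WINDOWS\SYSTEM\ELQOOE.EXE
NUL=C:\WINDOWS\SYSTEM\DPFPOV.EXE
NUL=C:\WINDOWS\KGGYKW.EXE
NUL=
"""

# Constructed sample mixing legitimate O4 lines from the thread's logs with
# the entries the helper asked to have fixed (kggykw.exe, niiynh.exe, aklsp.dll).
SAMPLE_HJT_LOG = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\kggykw.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - Startup: niiynh.exe
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
"""


@dataclass
class HjtEntry:
    section: str    # "O4", "O10", "R0", ...
    detail: str     # text after the "O4 - " prefix
    filename: str   # upper-cased base name of the file referenced, or ""


# "O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\kggykw.exe" -> ("O4", "HKLM\..\Run: ...")
_LINE_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
# Base name of the first executable-looking file on the line; the lookahead
# makes sure the extension is complete (no match on "x.dat" inside "x.data").
_FILE_RE = re.compile(r"([\w~$!-]+\.(?:exe|dll|dat|ocx|com|tsk))(?![\w.])", re.I)


def parse_wininit_rename(text: str) -> set[str]:
    """Return upper-cased paths queued for deletion via NUL=<path> in [Rename]."""
    queued: set[str] = set()
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # a new INI section starts
            in_rename = line.upper() == "[RENAME]"
            continue
        if not in_rename or "=" not in line:
            continue
        dst, src = line.split("=", 1)
        if dst.strip().upper() == "NUL" and src.strip():   # trailing "NUL=" is empty
            queued.add(src.strip().upper())
    return queued


def parse_hjt_log(text: str) -> list[HjtEntry]:
    """Parse the 'Oxx - ...' scan lines of a HijackThis log into entries."""
    entries = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue                        # header, process list, blank lines
        section, detail = m.groups()
        f = _FILE_RE.search(detail)
        entries.append(HjtEntry(section, detail, f.group(1).upper() if f else ""))
    return entries


def review(hjt_text: str, wininit_text: str) -> dict[str, list[str]]:
    """Flag entries worth a second look after a Delete-on-Reboot pass."""
    queued_names = {p.rsplit("\\", 1)[-1] for p in parse_wininit_rename(wininit_text)}
    findings: dict[str, list[str]] = {"still_present": [], "lsp": []}
    for e in parse_hjt_log(hjt_text):
        if e.section == "O10":
            # Winsock LSP hooks: deleting the DLL alone breaks the LSP chain and
            # kills connectivity, which is why the thread uses LSP-Fix instead.
            findings["lsp"].append(e.detail)
        elif e.filename and e.filename in queued_names:
            # Queued for deletion at the last reboot but still registered to run.
            findings["still_present"].append(e.detail)
    return findings


if __name__ == "__main__":
    for kind, items in review(SAMPLE_HJT_LOG, SAMPLE_WININIT_BAK).items():
        for item in items:
            print(f"{kind}: {item}")
```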


priscilla

help. I've been hijacked.
« Reply #26 on: February 22, 2005, 07:17:23 AM »
sorry about disappearing.. I fell asleep. :)

Here is the log file from findit9xme


Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.
 
 ------- System Files in System Directory -------
 

 Volume in drive C has no label
 Volume Serial Number is 1C72-1F06
 Directory of C:\WINDOWS\SYSTEM

                        35,761.19 MB free
 
 ------- Hidden Files in System Directory -------
 

 Volume in drive C has no label
 Volume Serial Number is 1C72-1F06
 Directory of C:\WINDOWS\SYSTEM

FOLDER   HTT        13,122  03-01-04 12:12a folder.htt
DESKTOP  INI           266  03-01-04 12:12a desktop.ini
         2 file(s)         13,388 bytes
         0 dir(s)       35,761.16 MB free
 
 ---------------- User Agent ------------
 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 ------------------ Locate.com Results ------------------

No matches found.
 
 ------------ Strings.exe Qoologic Results ------------
 
C:\WINDOWS\USER.DAT: logqoologic.txt
C:\WINDOWS\USER.DAT: hlogqoologic.txt
C:\WINDOWS\USER.DAT: logqoologic.txt.lnk
C:\WINDOWS\USER.DAT: qoologic
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: qoologic
C:\WINDOWS\USER.DAT: QOOLOGIC
 
 -------------- Strings.exe Aspack Results -------------
 
 
 ----------------- HKLM Run Key ------------------
 
 -------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\ISCVID.DLL: UMonitor
 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb04.exe"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


I opened wininit.bak w/ notepad and there were no files listed.


what's next?
 


Offline guestolo

help. I've been hijacked.
« Reply #27 on: February 22, 2005, 07:32:33 PM »
Copy and paste this full path to file into Killbox>>>

C:\WINDOWS\SYSTEM\ISCVID.DLL

Hit the Delete button (the red button with the white X)

If it won't delete, use the delete on reboot method

Restart the computer

Run findit9xme.bat again
Post the log and one more HijackThis log.



priscilla

help. I've been hijacked.
« Reply #28 on: February 22, 2005, 08:01:17 PM »
ok.


here's the findit9xme log

Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.
 
 ------- System Files in System Directory -------
 

 Volume in drive C has no label
 Volume Serial Number is 1C72-1F06
 Directory of C:\WINDOWS\SYSTEM

                        35,727.78 MB free
 
 ------- Hidden Files in System Directory -------
 

 Volume in drive C has no label
 Volume Serial Number is 1C72-1F06
 Directory of C:\WINDOWS\SYSTEM

FOLDER   HTT        13,122  03-01-04 12:12a folder.htt
DESKTOP  INI           266  03-01-04 12:12a desktop.ini
         2 file(s)         13,388 bytes
         0 dir(s)       35,727.75 MB free
 
 ---------------- User Agent ------------
 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 ------------------ Locate.com Results ------------------

No matches found.
 
 ------------ Strings.exe Qoologic Results ------------
 
C:\WINDOWS\USER.DAT: logqoologic.txt
C:\WINDOWS\USER.DAT: qoologic
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: qoologic
C:\WINDOWS\USER.DAT: QOOLOGIC
C:\WINDOWS\USER.DAT: qoologic
C:\WINDOWS\USER.DAT: QOOLOGIC
 
 -------------- Strings.exe Aspack Results -------------
 
 
 ----------------- HKLM Run Key ------------------
 
 -------------- Strings.exe Umonitor Results -------------
 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb04.exe"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




here's a fresh HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 7:59:22 PM, on 2/22/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\NOTEPAD.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: STRINGS.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
help. I've been hijacked.
« Reply #29 on: February 22, 2005, 08:41:04 PM »
Your log looks good now, just some final leftovers to take care of

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the whole contents of the Quote box to notepad, not including the word Notepad
Name the file as Remove.reg
Change the Save as Type to All Files.
Save this file on the desktop
Quote
REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\5f9cf8c0-843b-11d9-b69e-00a0cc5afeac]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\5f9cf8c0-843b-11d9-b69e-00a0cc5afeac]

Double click on Remove.reg and allow to merge to the registry

Open Ad-Aware and check for updates>>Make sure you're running Ad-Aware SE 1.05
If not, download and install the latest; allow it to remove the old version
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

Restart your computer

To help prevent these types of infections in the future
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

Check for updates every couple of weeks
After every update just simply enable all protection

If you plan on normally using Internet Explorer, I would install IE-Spyad also
If you would like a link, let me know

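The findit9xme log above dumps the HKLM Run key as a REGEDIT4 export, and the fix itself is a REGEDIT4 file; the check the helper performs by eye is comparing each autostart value against what is known to belong on the machine. The Python script below is an added example, not part of this thread or of the findit/HijackThis tools: it parses that export format (including the `\\` and `\"` escaping visible in the QuickTime Task value), skips subkeys such as Run\OptionalComponents that are not autostart entries, and flags any Run/RunServices value whose executable is not on an allowlist. The sample input, the allowlist, and the entry named SampleSuspect are constructed for the example.

```python
"""Flag unknown autostart entries in a REGEDIT4 export of the Run keys.

Added example for the thread above; not code from findit9xme or HijackThis.
"""
import re
from pathlib import PureWindowsPath

HKLM_RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Keys whose values are executed at logon/boot (compared case-insensitively).
AUTOSTART_KEYS = {
    HKLM_RUN.lower(),
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices".lower(),
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run".lower(),
}

# Constructed allowlist of executables (basenames) known to belong on this box.
ALLOWED_IMAGES = {"scanregw.exe", "taskmon.exe", "systray.exe", "rundll32.exe",
                  "stimon.exe", "hpztsb04.exe", "vptray.exe", "qttask.exe"}

# Constructed sample: the clean Run key from the log plus one made-up entry
# (SampleSuspect / placeholder.exe are placeholders, not files from the thread).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"SampleSuspect"="C:\\WINDOWS\\placeholder.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
'''

# "name"="data", where both sides may contain \" and \\ escapes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Resolve REGEDIT4 string escapes: \\ -> \ and \" -> " ."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: string_data}} for a REGEDIT4 export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # a leading '-' marks a key deletion
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def image_name(command: str) -> str:
    """Lower-cased basename of the executable a Run value launches."""
    command = command.strip()
    if command.startswith('"'):           # quoted path, possibly with spaces
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:                                 # unquoted: first whitespace token
        exe = command.split()[0] if command else ""
    return PureWindowsPath(exe).name.lower()


def flag_unknown(keys: dict, allowed=ALLOWED_IMAGES) -> list:
    """List (key, value_name, command) for autostart entries not on the allowlist."""
    findings = []
    for key, values in keys.items():
        if key.lower() not in AUTOSTART_KEYS:
            continue                      # e.g. Run\OptionalComponents\* is not autostart
        for name, command in values.items():
            if image_name(command) not in allowed:
                findings.append((key, name, command))
    return findings


if __name__ == "__main__":
    for key, name, command in flag_unknown(parse_reg(SAMPLE_REG)):
        print(f"UNKNOWN autostart: [{key}] {name} = {command}")
```

Run it against a real export by replacing SAMPLE_REG with the file contents; anything it prints is a candidate to research, not something to delete automatically, exactly as the findit warning says.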


Guest

  • Guest
help. I've been hijacked.
« Reply #30 on: February 22, 2005, 09:22:37 PM »
as far as all of the tools I downloaded for this fix, should I keep them on my computer or is it ok to delete them?

priscilla

  • Guest
help. I've been hijacked.
« Reply #31 on: February 22, 2005, 09:41:02 PM »
ok. just finished the ad-aware scan and restart.

I am going to download the SpywareBlaster.

As for Internet Explorer, I'm going to try not to use it that often. The Firefox browser from Mozilla seems to be working alright. If you could send a link for the IE-Spyad that would be great. It can't hurt to have it.

Thanks so much!!!!!!!!!!!!!!!!!! :D

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
help. I've been hijacked.
« Reply #32 on: February 22, 2005, 09:42:34 PM »
Hold onto Winzip and SpywareBlaster

You can manually delete the rest of the fixes we used, which include
VX2 finder>>DLLCompare>>Findit.bats
Reg fixes
The backup of the registry

Pocket Killbox>>User preference, if you want, hold onto it....

Don't delete Hijackthis yet; hold onto it until you're happy with the way everything is running
Then delete the backups and the program if you want

I take it everything is running better?

Here's the link to IE-Spyad
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link==Download link
Keep the link to IE-Spyad bookmarked so you can check for updates
« Last Edit: February 22, 2005, 10:02:47 PM by guestolo »



Guest

  • Guest
help. I've been hijacked.
« Reply #33 on: February 22, 2005, 10:10:53 PM »
yes, everything seems back to normal. I just downloaded the spyware blaster.

thanks again. I really appreciate it. :D

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
help. I've been hijacked.
« Reply #34 on: February 22, 2005, 10:40:04 PM »
I'll lock this topic as your problems appear to be resolved
If you need it reopened, PM a Mod or the site Admin and supply a link to this thread
Stay safe :D
