Author Topic: help. I've been hijacked.  (Read 5426 times)

priscilla (Guest)
« on: February 21, 2005, 12:24:28 PM »
If anyone can help I would gladly appreciate it. I clicked on an innocent looking webpage link and when the page opened all this crazy stuff started happening to my computer. I tried running ad-aware and I get an illegal operation message and it won't delete the objects it finds. With spybot I get an error message. No matter what I try I can't get my computer back to normal. HELP!!!!!!!!!!!!!!!!!!!

priscilla

guestolo (Administrator)
« Reply #1 on: February 21, 2005, 05:03:05 PM »
Can you Download Hijackthis 1.99.1
A small utility to help identify whether any hijackers, malware, spyware, etc. reside on your computer

Important: Create a Permanent folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT

Now you will have C:\HJT

Download Hijackthis from CLICK HERE or CLICK HERE
Save it to that new folder

Do a SCAN and Save a Log file. Save the log, then copy and paste the WHOLE contents of the log here. Don't try and fix anything yet; it is all important.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


priscilla (Guest)
« Reply #2 on: February 21, 2005, 05:29:19 PM »
ok. Here it is. I just want to thank you for your help too. I really appreciate it. I have been struggling w/ this damn machine all weekend and I'm ready to throw it out the window!


Logfile of HijackThis v1.99.1
Scan saved at 5:22:07 PM, on 2/21/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\N20050308.EXE
C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
C:\WINDOWS\SYSTEM\IPRDEX.EXE
C:\WINDOWS\TEMP\ICD3.TMP\SVCMM32.EXE
C:\WINDOWS\SYSTEM\IOSX16.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [ntechin] C:\WINDOWS
\N20050308.EXE
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [os5V36e] IPRDEX.EXE
O4 - HKLM\..\Run: [USB controller] "C:\WINDOWS\TEMP\ICD3.TMP\SVCMM32.EXE" /startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ZBu9RWK7Q] IOSX16.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo.com/mmviewer_ic13.cab
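
A triage pass over a log in this format, written in Python as an added example (not part of HijackThis or of this thread): it encodes the rules the helper applies later in the thread, treating hosts-file lines that point search hostnames at a non-loopback address, an R3 hook with no backing file, autostart entries launched from a TEMP directory, unknown Winsock LSP files, and DPF (ActiveX) downloads from hosts outside an analyst-supplied allowlist as findings. The sample lines are copied from the log above; the allowlist suffixes and all function names are assumptions of this example.

```python
"""Triage of HijackThis v1.99-style log lines (example code, not a HijackThis feature)."""
import re
from urllib.parse import urlsplit

# Constructed sample: entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [USB controller] "C:\WINDOWS\TEMP\ICD3.TMP\SVCMM32.EXE" /startup
O4 - HKCU\..\Run: [ZBu9RWK7Q] IOSX16.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo.com/mmviewer_ic13.cab
"""

# Analyst-maintained allowlist of DPF download hosts (an assumption for this example).
DPF_ALLOWED_SUFFIXES = (".hp.com", ".msn.com", ".microsoft.com")

# Every HijackThis line starts with a section code (R0, R3, O1, O4, O10, O16, ...).
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<host>\S+)$")
RUN_RE = re.compile(r"^.*\\Run\w*: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
LSP_RE = re.compile(r"^Unknown file in Winsock LSP: (?P<path>.+)$")
DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<url>\S+)$")


def _exe_path(cmd):
    """Return the executable part of an O4 command line, with surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text, dpf_allowed=DPF_ALLOWED_SUFFIXES):
    """Sort log lines into the finding buckets a reviewer would act on."""
    findings = {
        "hosts_redirect": {},   # non-loopback IP -> hostnames sent there
        "orphan_hooks": [],     # R3 hooks whose DLL is gone
        "temp_autostart": [],   # autostart entries living in a TEMP directory
        "unknown_lsp": [],      # Winsock LSP files HijackThis does not recognise
        "dpf_unknown": [],      # ActiveX download hosts outside the allowlist
    }
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O1":
            h = HOSTS_RE.match(body)
            # Hosts entries pointing at 127.x are blocks, not redirects; skip them.
            if h and not h.group("ip").startswith("127."):
                hosts = findings["hosts_redirect"].setdefault(h.group("ip"), [])
                if h.group("host") not in hosts:
                    hosts.append(h.group("host"))
        elif code == "R3" and body.endswith("(no file)"):
            findings["orphan_hooks"].append(body)
        elif code == "O4":
            r = RUN_RE.match(body)
            if r and "\\TEMP\\" in _exe_path(r.group("cmd")).upper():
                findings["temp_autostart"].append(_exe_path(r.group("cmd")))
        elif code == "O10":
            l = LSP_RE.match(body)
            if l and l.group("path").lower() not in findings["unknown_lsp"]:
                findings["unknown_lsp"].append(l.group("path").lower())
        elif code == "O16":
            d = DPF_RE.match(body)
            if d:
                host = urlsplit(d.group("url")).hostname or ""
                if not host.endswith(dpf_allowed):
                    findings["dpf_unknown"].append(host)
    return findings


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {items}")
```

Duplicate O1 and O10 lines are collapsed, so the output lists each redirect target and LSP file once even though HijackThis prints them per hook.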

guestolo (Administrator)
« Reply #3 on: February 21, 2005, 05:48:57 PM »
I need you to download a few tools

Can you download and UNZIP to your desktop Lspfix.zip from this location
http://www.cexx.org/lspfix.htm
Open up LSPfix.exe and let me know what you see on the KEEP side and the REMOVE side

Could you also
Download VX2 finder
http://downloads.subratam.org/VX2Finder9x(126).exe

Open VX2 finder
Click the "Click to Find VX2.BetterInternet"
then click the make log button.
Post the log

Also Click HERE to download DLLCompare.zip.

Unzip it to your desktop.

Now run DllCompare and click on the RunLocate.com button. It will scan for the hidden files. When it is finished, click on the Make a log of what was found button. When it asks to "View log file" click yes and the log will open in notepad. Save the log to copy and paste back here in your next reply

One last request
Please download FindIt.zip

Unzip the contents to a folder, then open that folder and double click on Find.bat. It will run for a minute, then produce a log (ignore any File not found messages on the screen, it should continue anyway). Please copy and paste that log here as well.
I've even heard this running up to 15 minutes
Give it time, but not too much...


Guest
« Reply #4 on: February 21, 2005, 06:05:00 PM »
I wasn't able to open Lspfix.zip. or any of the zip files. I guess my computer doesn't have whatever it takes to zip and unzip.  
 
This is what the log said on VX2 finder

Files Found---


User Agent String---
{1040F820-8400-11D9-B69E-99978194B37E}

Is it still possible to fix this without the other downloads?

guestolo (Administrator)
« Reply #5 on: February 21, 2005, 06:08:04 PM »
You will need an unzipping utility
I have to see the files
Are you sure you don't have winzip installed?

Go into your Add/Remove programs and see if you have an entry for Winzip
If not you should have an unzipping utility anyways, I can find you a free one, you will need it now and in the future


Guest
« Reply #6 on: February 21, 2005, 06:17:33 PM »
There is no Winzip... what do you suggest?

guestolo (Administrator)
« Reply #7 on: February 21, 2005, 06:24:40 PM »
Most use the Evaluation version of Winzip
Found here under the Downloads
http://www.winzip.com/downwz.htm

Personally, I like IZArc, no prompts every time you run it
Check it out, you only need one or the other
http://www.izsoft.dir.bg/download_izarc.htm

After either are installed you just right click on the zip file and Unzip or Extract to a folder, or the Desktop


priscilla (Guest)
« Reply #8 on: February 21, 2005, 06:29:24 PM »
ok. I've downloaded the evaluation version of winzip.

so far...
from the LSPfix.exe

on the keep side:

mr20.dll   DNS Name Space Provider
AKLSP.DLL  (protocol handler)
mswsosp.dll (protocol handler)
msafd.dll (protocol handler)
rsvpsp.dll (protocol handler)

There was nothing listed on the remove side.

I will move on to the next one now.

priscilla (Guest)
« Reply #9 on: February 21, 2005, 06:38:52 PM »
Here is the log from DLLCompare

    DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\lvgif11n.dll   Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\mtrle32.dll    Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\twpi32.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\sbtup4.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\ddtmsft.dll    Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\aacore.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\slrrun.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\wtvdmoe.dll    Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\qrvd.dll       Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\lbpsd11n.dll   Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\mawebdvd.dll   Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\rccrt4.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
________________________________________________

803 items found:  803 files (12 H/S), 0 directories.
Total of file sizes:  149,426,160 bytes    142.50 M


I take it this must be some bad stuff because the date and time is exactly when I clicked on that link that messed me up in the first place.
ok. one more to go.

priscilla (Guest)
« Reply #10 on: February 21, 2005, 06:45:37 PM »
ok. I downloaded and unzipped FindIt.zip

when I opened the folder that I unzipped it to there is
Find, Locate and Xfind icons. I did not see a find.bat.

please advise.

guestolo (Administrator)
« Reply #11 on: February 21, 2005, 06:56:32 PM »
May as well get you to do this now, as it will make it easier
    * Open My Computer.
    * Select the View menu and click Folder Options.
    * Select the View Tab.
    * In the Hidden files section select Show all files.
    * Uncheck Hide Extensions for Known file types.
    * Click OK.


priscilla (Guest)
« Reply #12 on: February 21, 2005, 07:01:58 PM »
ok. done

guestolo (Administrator)
« Reply #13 on: February 21, 2005, 07:04:53 PM »
I guess that means you can see Find.bat
And you're going to post the log soon?


priscilla (Guest)
« Reply #14 on: February 21, 2005, 07:10:12 PM »
ok. this is what  it gave me.


Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

 ------- System Files in System Directory -------

Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

 ------- System Files in System Directory -------


 Volume in drive C has no label
 Volume Serial Number is 1C72-1F06
 Directory of C:\WINDOWS\SYSTEM

LVGIF11N DLL       222,568  02-19-05  8:41a lvgif11n.dll
MTRLE32  DLL       222,568  02-19-05  8:41a MTRLE32.DLL
TWPI32   DLL       222,568  02-19-05  8:41a TWPI32.DLL
SBTUP4   DLL       222,568  02-19-05  8:41a SBTUP4.DLL
DDTMSFT  DLL       222,568  02-19-05  8:41a DDTMSFT.DLL
AACORE   DLL       222,568  02-19-05  8:41a aacore.dll
SLRRUN   DLL       222,568  02-19-05  8:41a SLRRUN.DLL
WTVDMOE  DLL       222,568  02-19-05  8:41a wtvdmoe.dll
QRVD     DLL       222,568  02-19-05  8:41a QRVD.DLL
LBPSD11N DLL       222,568  02-19-05  8:41a lbpsd11n.dll
MAWEBDVD DLL       222,568  02-19-05  8:41a mawebdvd.dll
RCCRT4   DLL       222,568  02-19-05  8:41a RCCRT4.DLL
        12 file(s)      2,670,816 bytes
         0 dir(s)       35,689.81 MB free

 ------- Hidden Files in System Directory -------


 Volume in drive C has no label
 Volume Serial Number is 1C72-1F06
 Directory of C:\WINDOWS\SYSTEM

FOLDER   HTT        13,122  03-01-04 12:12a folder.htt
DESKTOP  INI           266  03-01-04 12:12a desktop.ini
         2 file(s)         13,388 bytes
         0 dir(s)       35,689.81 MB free

 ---------- Files Named "Guard" -------------


 Volume in drive C has no label
 Volume Serial Number is 1C72-1F06
 Directory of C:\WINDOWS\SYSTEM

                        35,689.81 MB free

 --------- Temp Files in System Directory --------


 Volume in drive C has no label
 Volume Serial Number is 1C72-1F06
 Directory of C:\WINDOWS\SYSTEM

                        35,689.81 MB free

 ---------------- User Agent ------------


 ------------ Keys Under Notify ------------


 ------------ Keys Under Notify ------------


 ---------------- Xfind Results -----------------


 ---------------- Xfind Results -----------------


 -------------- Locate.com Results ---------------


C:\WINDOWS\SYSTEM\
   lvgif11n.dll   Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   mtrle32.dll    Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   twpi32.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   sbtup4.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   ddtmsft.dll    Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   aacore.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   slrrun.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   wtvdmoe.dll    Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   qrvd.dll       Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   lbpsd11n.dll   Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   mawebdvd.dll   Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
   rccrt4.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K

12 items found:  12 files, 0 directories.
   Total of file sizes:  2,670,816 bytes      2.55 M


guestolo (Administrator)
« Reply #15 on: February 21, 2005, 07:47:58 PM »
One more small download
Download the Pocket Killbox
UNZIP it to a folder of your choice

Please copy and paste these instructions to an empty Notepad file and leave it on your desktop, and then disconnect completely from the Internet
Open these instructions and leave them open until we have restarted your computer

Open Hijackthis>>Open Misc tools>>Open Process Manager
Kill these processes if you can and if found
C:\WINDOWS\N20050308.EXE
C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
C:\WINDOWS\SYSTEM\IPRDEX.EXE
C:\WINDOWS\TEMP\ICD3.TMP\SVCMM32.EXE
C:\WINDOWS\SYSTEM\IOSX16.EXE


Do another scan with Hijackthis and put a check next to these entries:

R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [ntechin] C:\WINDOWS
\N20050308.EXE
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [os5V36e] IPRDEX.EXE
O4 - HKLM\..\Run: [USB controller] "C:\WINDOWS\TEMP\ICD3.TMP\SVCMM32.EXE" /startup

O4 - HKCU\..\Run: [ZBu9RWK7Q] IOSX16.EXE

O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo.com/mmviewer_ic13.cab


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Run Pocket KillBox>>Now you have Killbox and this notepad file open
click on Tools --> Select Delete Temp Files. Click OK.
At the bottom right of the main screen, click on the down arrow to the left of the yellow triangle.
Select the following entry if running rundll32.exe
Now click the yellow triangle to End Task
There may be more than one running, end task on all of them

Do the same thing for explorer.exe
Your Desktop and Icons will disappear, don't let it worry you
OK it

Again, in Killbox
At the main screen of Pocket Killbox, select the option: Delete on Reboot

In the Full Path of File to Delete box, copy and paste this entry:

C:\WINDOWS\SYSTEM\lvgif11n.dll

Press the button with a red circle and a white X
Click Yes to Delete on Reboot
When asked if you would like to Reboot Now, select No.

Do the same for all these:

C:\WINDOWS\SYSTEM\mtrle32.dll

C:\WINDOWS\SYSTEM\twpi32.dll

C:\WINDOWS\SYSTEM\sbtup4.dll

C:\WINDOWS\SYSTEM\ddtmsft.dll

C:\WINDOWS\SYSTEM\aacore.dll

C:\WINDOWS\SYSTEM\slrrun.dll

C:\WINDOWS\SYSTEM\wtvdmoe.dll

C:\WINDOWS\SYSTEM\qrvd.dll

C:\WINDOWS\SYSTEM\lbpsd11n.dll

C:\WINDOWS\SYSTEM\mawebdvd.dll

C:\WINDOWS\SYSTEM\rccrt4.dll

C:\WINDOWS\Guard.tmp

C:\WINDOWS\N20050308.EXE

C:\WINDOWS\TEMP\ICD3.TMP\SVCMM32.EXE

C:\WINDOWS\SYSTEM\IPRDEX.EXE


Finally, in Full Path of File to Delete, copy and paste the following:

C:\WINDOWS\SYSTEM\IOSX16.EXE

Press the button with a red circle and a white X.
When asked to Reboot, select Yes!!

Allow the system to Restart or restart anyways

When you're back in Windows
Run VX2 Finder again and click the User Agent$ button

Open Hijackthis>>Open Misc Tools>>Open Hosts File Manager
Delete any lines Below
127.0.0.1 localhost <--don't delete this and nothing above
But only any below that entry you didn't add yourself or don't recognize

Run DLLCompare again and post the log
Run VX2 Finder again and post the log

Also post back with a fresh hijackthis log


Special NOTE: Your Winsock settings have been hijacked, as indicated by Hijackthis
from the O10 entries of your log
Don't attempt to fix those entries
If you find that once you're back in Windows you have no Internet connection,
do this, but only if you have to; otherwise we will do these steps later

Close down all Browser windows

Ensure that you unzipped LSP fix and you're not running it from within the Zip file
With ONLY LSP fix open
Check "I know what I'm doing".
Then select all instances of aklsp.dll (and nothing else) in the left pane,
click the arrow button to have them moved into the right hand panel (the Removal Pane). Click Finish <--you may have to scroll down a bit to see it; Finish is NOT the X button at the top

Restart the computer


priscilla (Guest)
« Reply #16 on: February 21, 2005, 08:54:04 PM »
New DLLCompare Log:

*    DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\srorage.dll    Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
________________________________________________

793 items found:  793 files (1 H/S), 0 directories.
Total of file sizes:  147,031,672 bytes    140.22 M

--------------------End log---------------------


When I ran VX2 again nothing came up.


New Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 8:49:59 PM, on 2/21/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\DPFPOV.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\NIIYNH.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [version] C:\WINDOWS\SYSTEM\ELQOOE.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\SYSTEM\DPFPOV.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\kggykw.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: niiynh.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab

Does this mean everything is Ok?
Also, I was told that Internet Explorer is very susceptible to adware and spyware ,etc. and that firefox from mozilla is the way to go... would you agree with that?
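
The DLLCompare log in Reply #9 listed twelve DLLs sharing one timestamp, one byte size and the same S/R attribute flags, and the log just above shows one more file with that exact fingerprint. This added Python example (not part of DLLCompare, Locate.com or this thread) parses that line format, groups entries by (size, timestamp, system flag, read-only flag) to find such a drop burst without knowing any file names, and then checks a later log against the fingerprints found. The sample lines are copied from those two posts; the single benign control line, the attribute-letter reading and all function names are assumptions of this example.

```python
"""Drop-cluster detection over DLLCompare / Locate.com style output (example code)."""
import re
from collections import defaultdict

# Constructed sample: six of the twelve lines from the first DLLCompare log in this
# thread, plus one constructed benign control line in the same layout.
FIRST_LOG = r"""
C:\WINDOWS\SYSTEM\lvgif11n.dll   Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\mtrle32.dll    Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\twpi32.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\sbtup4.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\aacore.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\rccrt4.dll     Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\folder.htt     Mon Mar 01 2004  12:12:00a  ...H.         13,122    12.81 K
"""

# Constructed sample: the one file the post-cleanup DLLCompare log still reported.
SECOND_LOG = r"""
C:\WINDOWS\SYSTEM\srorage.dll    Sat Feb 19 2005   8:41:24a  ..S.R        222,568   217.35 K
"""

# path  <dow mon dd yyyy>  <h:mm:ssa>  <attribute flags>  <size with commas>  ...
ENTRY_RE = re.compile(
    r"^(?P<path>\S+)\s+"
    r"(?P<stamp>\w{3} \w{3} \d{1,2} \d{4}\s+\d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[.A-Z]+)\s+"
    r"(?P<size>\d{1,3}(?:,\d{3})*)\s+"
)


def parse_entries(log_text):
    """Return one dict per file line; headers, separators and totals are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "path": m.group("path"),
            "stamp": " ".join(m.group("stamp").split()),   # normalise inner spacing
            "attrs": m.group("attrs"),
            "size": int(m.group("size").replace(",", "")),
        })
    return entries


def fingerprint(entry):
    """Size, timestamp and the System / Read-only flags; file names are ignored on purpose."""
    return (entry["size"], entry["stamp"], "S" in entry["attrs"], "R" in entry["attrs"])


def find_clusters(entries, min_files=3):
    """Group entries by fingerprint and keep groups big enough to look like one drop burst."""
    groups = defaultdict(list)
    for e in entries:
        groups[fingerprint(e)].append(e["path"])
    return {fp: paths for fp, paths in groups.items() if len(paths) >= min_files}


def match_fingerprints(entries, known):
    """Paths in `entries` whose fingerprint is in `known` (a set of fingerprints)."""
    return [e["path"] for e in entries if fingerprint(e) in known]


if __name__ == "__main__":
    clusters = find_clusters(parse_entries(FIRST_LOG))
    for fp, paths in clusters.items():
        print(f"{len(paths)} files share size={fp[0]} stamp={fp[1]!r} S={fp[2]} R={fp[3]}")
    print("reappeared after cleanup:", match_fingerprints(parse_entries(SECOND_LOG), set(clusters)))
```

A single leftover file with the same fingerprint as the earlier burst is the signal that the dropper is still present, which is why the helper asks for a fresh DLLCompare log after every restart.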

guestolo (Administrator)
« Reply #17 on: February 21, 2005, 09:14:13 PM »
Not clean yet, but you're close
I never suspected you had Narrator trojan too

I'm uploading a file called find_qoologic.zip

Save it to your desktop and Unzip the contents
Open the qoologic folder and double click to run qoologic.bat

Let this finish scanning, may take 5 minutes or so, even if it appears to freeze

When it's done it will produce a log
C:log.txt <<post this log

EDIT>>woops, forgot the attachment

Try not to restart your computer, if you do I need to see a new DLLCompare log too
« Last Edit: February 21, 2005, 09:20:38 PM by guestolo »


Guest
« Reply #18 on: February 21, 2005, 09:30:31 PM »
I'm just waiting for that to finish. What is Narrator Trojan?

guestolo (Administrator)
« Reply #19 on: February 21, 2005, 09:33:03 PM »
Something that you have
Many times you see it in a computer with VX2 infection, which you have
and we still have to get rid of
You can see it by these entries, we'll fix them in a bit
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\kggykw.exe
and a startup entry
Don't touch them yet
