Author Topic: Computer Hijacked  (Read 1310 times)

Offline LittleLady

  • Newbie
  • Posts: 4
  • Karma: +0/-0
Computer Hijacked
« on: March 27, 2005, 11:08:34 AM »
Hi,
Have read most all of your posts on having problems with computer
hijacking but have not seen one that is like mine. Have downloaded
HijackThis...but don't have a clue as to what to do. Can you help me
get my system back? My brother has been trying to fix it but still
have this left in the log.

Logfile of HijackThis v1.99.1
Scan saved at 11:02:17 AM, on 3/27/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\COMPAQ\ACCESS\ENCOMPASS\MONITOR.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MFCWT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ADDWV32.EXE
C:\WINDOWS\SYSTEM\MSUV32.EXE
C:\WINDOWS\ADDPT.EXE
C:\WINDOWS\SYSTEM\ADDUM32.EXE
C:\WINDOWS\SYSTEM\APPPL32.EXE
C:\WINDOWS\SYSTEM\APINY32.EXE
C:\WINDOWS\SYSTEM\IETP32.EXE
C:\WINDOWS\SYSTEM\SYSOM32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\SYSMM.EXE
C:\WINDOWS\SYSTEM\SYSOM32.EXE
C:\WINDOWS\SYSTEM\MFCWT.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\jussu.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\jussu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\jussu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\jussu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\jussu.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\jussu.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\jussu.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {C69D9E41-F19B-2CBA-D6A0-97F33C1827E5} - C:\WINDOWS\D3ZD.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [SYSMM.EXE] C:\WINDOWS\SYSTEM\SYSMM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [EncMonitor] c:\compaq\access\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [MFCWT.EXE] C:\WINDOWS\SYSTEM\MFCWT.EXE /s
O4 - HKLM\..\RunServices: [ADDWV32.EXE] C:\WINDOWS\SYSTEM\ADDWV32.EXE /s
O4 - HKLM\..\RunServices: [MSUV32.EXE] C:\WINDOWS\SYSTEM\MSUV32.EXE /s
O4 - HKLM\..\RunServices: [ADDPT.EXE] C:\WINDOWS\ADDPT.EXE /s
O4 - HKLM\..\RunServices: [ADDUM32.EXE] C:\WINDOWS\SYSTEM\ADDUM32.EXE /s
O4 - HKLM\..\RunServices: [APPPL32.EXE] C:\WINDOWS\SYSTEM\APPPL32.EXE /s
O4 - HKLM\..\RunServices: [APINY32.EXE] C:\WINDOWS\SYSTEM\APINY32.EXE /s
O4 - HKLM\..\RunServices: [IETP32.EXE] C:\WINDOWS\SYSTEM\IETP32.EXE /s
O4 - HKLM\..\RunServices: [SYSOM32.EXE] C:\WINDOWS\SYSTEM\SYSOM32.EXE /s
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://63.102.226.240:8000/Java/cfs40320.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Computer Hijacked
« Reply #1 on: March 27, 2005, 02:10:54 PM »
Download About:Buster by RubbeR Ducky to your desktop
Unzip the contents to the desktop; a folder will be placed on your desktop
Open it and run About:buster.exe
Click the Update button and check for updates; if there are any, download them
Then close it for now, we'll need this later

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE

Find and delete these files or folders if found

C:\WINDOWS\SYSTEM\MFCWT.EXE <-file
C:\WINDOWS\SYSTEM\ADDWV32.EXE
C:\WINDOWS\SYSTEM\MSUV32.EXE
C:\WINDOWS\SYSTEM\ADDUM32.EXE
C:\WINDOWS\SYSTEM\APPPL32.EXE
C:\WINDOWS\SYSTEM\APINY32.EXE
C:\WINDOWS\SYSTEM\IETP32.EXE
C:\WINDOWS\SYSTEM\SYSOM32.EXE
C:\WINDOWS\SYSTEM\SYSMM.EXE
C:\WINDOWS\ADDPT.EXE
C:\WINDOWS\D3ZD.DLL

Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\jussu.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\jussu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\jussu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\jussu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\jussu.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\jussu.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\jussu.dll/sp.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {C69D9E41-F19B-2CBA-D6A0-97F33C1827E5} - C:\WINDOWS\D3ZD.DLL

O4 - HKLM\..\Run: [SYSMM.EXE] C:\WINDOWS\SYSTEM\SYSMM.EXE

O4 - HKLM\..\RunServices: [MFCWT.EXE] C:\WINDOWS\SYSTEM\MFCWT.EXE /s
O4 - HKLM\..\RunServices: [ADDWV32.EXE] C:\WINDOWS\SYSTEM\ADDWV32.EXE /s
O4 - HKLM\..\RunServices: [MSUV32.EXE] C:\WINDOWS\SYSTEM\MSUV32.EXE /s
O4 - HKLM\..\RunServices: [ADDPT.EXE] C:\WINDOWS\ADDPT.EXE /s
O4 - HKLM\..\RunServices: [ADDUM32.EXE] C:\WINDOWS\SYSTEM\ADDUM32.EXE /s
O4 - HKLM\..\RunServices: [APPPL32.EXE] C:\WINDOWS\SYSTEM\APPPL32.EXE /s
O4 - HKLM\..\RunServices: [APINY32.EXE] C:\WINDOWS\SYSTEM\APINY32.EXE /s
O4 - HKLM\..\RunServices: [IETP32.EXE] C:\WINDOWS\SYSTEM\IETP32.EXE /s
O4 - HKLM\..\RunServices: [SYSOM32.EXE] C:\WINDOWS\SYSTEM\SYSOM32.EXE /s


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Again, in safe mode
Navigate to About:buster you unzipped and updated earlier
Start About:Buster and hit OK. Now for the scanning part. Hit Start and then OK. The program should start scanning. Scan a second time. Save the log... Then hit Exit
You may possibly have to scan more than twice, until it finds no more files or data streams

Restart back to Normal mode

Check ActiveX security settings:
* In Internet Explorer, Tools | Internet Options | Security tab | Custom Level. Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Run ActiveX controls and plug-ins (Enabled)
o Script ActiveX controls marked safe for scripting (Prompt)

Download and install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the "check for updates now" link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All Objects" option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process

Also look for these files on your computer, they are legit, but this hijacker may have deleted them
C:\Windows\Control.exe <-this file
C:\Windows\System\Shell.dll <--file
If both or either are gone we can easily replace them, let me know

I would also suggest you run a Free online virus scan at Panda's
http://www.pandasoftware.com/activescan/co...n_principal.htm
Save the report after it's done and post it back here

Also, Post back with a fresh Hijackthis log after doing the above
Could you also open Hijackthis>>Open Misc Tools section>>Open Hosts file manager
Click the "Open in Notepad" button
Copy and paste back here the Hosts notepad file
« Last Edit: March 27, 2005, 02:11:56 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline LittleLady

  • Newbie
  • Posts: 4
  • Karma: +0/-0
Computer Hijacked
« Reply #2 on: March 28, 2005, 12:42:11 AM »
Ok did everything you said...still have problems. Please help!!

Logfile of HijackThis v1.99.1
Scan saved at 12:40:26 AM, on 3/28/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\COMPAQ\ACCESS\ENCOMPASS\MONITOR.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\SDKMP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\WINDL.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\iisaj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iisaj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\iisaj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\iisaj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iisaj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\iisaj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\iisaj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {C970DB1E-CFEB-B341-5FA1-C2EE692D7DE2} - C:\WINDOWS\JAVAGE32.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Antispy] C:\Program Files\Defender Pro\AntiSpy\Dpas.exe startup
O4 - HKLM\..\Run: [WINDL.EXE] C:\WINDOWS\WINDL.EXE
O4 - HKLM\..\RunServices: [EncMonitor] c:\compaq\access\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SDKMP.EXE] C:\WINDOWS\SYSTEM\SDKMP.EXE /s
O4 - HKLM\..\RunServices: [CRQQ.EXE] C:\WINDOWS\CRQQ.EXE /s
O4 - Startup: Defender Pro Firewall.lnk = C:\Program Files\Defender\Defender Pro Firewall\KAVPF.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://63.102.226.240:8000/Java/cfs40320.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Computer Hijacked
« Reply #3 on: March 28, 2005, 01:00:09 AM »
Can we try this again
I see you never tried the scan at Panda's
So I can assume you never did everything I asked

Download CWShredder.exe from my signature below and save it to the desktop

Print off these instructions or save them to a Notepad file on the desktop
RESTART back to Safe mode

Find and delete these files or folders if found
C:\WINDOWS\SYSTEM\SDKMP.EXE <-file
C:\WINDOWS\WINDL.EXE <-file
C:\WINDOWS\CRQQ.EXE <-file

In safe mode
Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\iisaj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iisaj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\iisaj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\iisaj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iisaj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\iisaj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\iisaj.dll/sp.html#37049

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {C970DB1E-CFEB-B341-5FA1-C2EE692D7DE2} - C:\WINDOWS\JAVAGE32.DLL

O4 - HKLM\..\Run: [WINDL.EXE] C:\WINDOWS\WINDL.EXE

O4 - HKLM\..\RunServices: [SDKMP.EXE] C:\WINDOWS\SYSTEM\SDKMP.EXE /s
O4 - HKLM\..\RunServices: [CRQQ.EXE] C:\WINDOWS\CRQQ.EXE /s


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Again, in safe mode
Navigate to About:buster you unzipped and updated earlier
Start About:Buster and hit OK. Now for the scanning part. Hit Start and then OK. The program should start scanning. Scan a second time. Save the log... Then hit Exit
You may possibly have to scan more than twice, until it finds no more files or data streams

Open Just CWShredder and let it FIX all problems

Restart back to Normal mode

Post back a fresh hijackthis log and the logs from the About:Buster scans

Read all I asked you to do
Do EVERYTHING
Then go back to my first reply and supply the information I asked from that reply

Here is what you missed
===============================================
Also look for these files on your computer, they are legit, but this hijacker may have deleted them
C:\Windows\Control.exe <-this file
C:\Windows\System\Shell.dll <--file
If both or either are gone we can easily replace them, let me know

I would also suggest you run a Free online virus scan at Panda's
http://www.pandasoftware.com/activescan/co...n_principal.htm
Save the report after it's done and post it back here

Could you also open Hijackthis>>Open Misc Tools section>>Open Hosts file manager
Click the "Open in Notepad" button
Copy and paste back here the Hosts notepad file
==================================================
Also open Ad-Aware
Click on DETAILS under Initialization status
Let me know reference number and Internal build

After you do the above and you Post back ALL information, we'll carry on in ensuring your machine is clean
« Last Edit: March 28, 2005, 01:03:47 AM by guestolo »

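The two logs above show the same hijack returning under new file names after the first cleanup (jussu.dll became iisaj.dll, D3ZD.DLL became JAVAGE32.DLL, and so on). The Python script below is an added example, not anything posted in this thread and not part of HijackThis, About:Buster or CWShredder; every function, constant and heuristic name in it is my own. It parses abridged copies of the two logs (constructed from the posts above), flags the three entry shapes the helper asked to have fixed, and compares the logs by structure rather than by file name, which is the check a defender wants before deciding a name-based cleanup worked.

```python
"""Triage for HijackThis v1.99 logs: flag the res:// search hijack and the
self-named Run/RunServices loaders seen in this thread, then compare two
logs by structure rather than file name to show the hijacker coming back
under fresh random names after a cleanup."""
import re

# Abridged logs constructed from the first and second scans posted above.
LOG_1 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\jussu.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\jussu.dll/sp.html#37049
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {C69D9E41-F19B-2CBA-D6A0-97F33C1827E5} - C:\WINDOWS\D3ZD.DLL
O4 - HKLM\..\Run: [SYSMM.EXE] C:\WINDOWS\SYSTEM\SYSMM.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MFCWT.EXE] C:\WINDOWS\SYSTEM\MFCWT.EXE /s
O4 - HKLM\..\RunServices: [ADDPT.EXE] C:\WINDOWS\ADDPT.EXE /s
"""
LOG_2 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\iisaj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\iisaj.dll/sp.html#37049
O2 - BHO: Class - {C970DB1E-CFEB-B341-5FA1-C2EE692D7DE2} - C:\WINDOWS\JAVAGE32.DLL
O4 - HKLM\..\Run: [Antispy] C:\Program Files\Defender Pro\AntiSpy\Dpas.exe startup
O4 - HKLM\..\Run: [WINDL.EXE] C:\WINDOWS\WINDL.EXE
O4 - HKLM\..\RunServices: [SDKMP.EXE] C:\WINDOWS\SYSTEM\SDKMP.EXE /s
O4 - HKLM\..\RunServices: [CRQQ.EXE] C:\WINDOWS\CRQQ.EXE /s
"""

# The three entry shapes this hijacker leaves behind (heuristics, not a signature DB).
RES_HIJACK = re.compile(r"^R[01] - .* = res://", re.I)
UNNAMED_BHO = re.compile(
    r"^O2 - BHO: Class - \{[0-9A-F-]{36}\} - C:\\WINDOWS(\\SYSTEM)?\\[^\\]+\.DLL$", re.I)
# Registry value name equal to the file name, e.g. [MFCWT.EXE] C:\WINDOWS\SYSTEM\MFCWT.EXE /s
SELF_NAMED_LOADER = re.compile(
    r"^O4 - HKLM\\\.\.\\Run(Services)?: \[([A-Z0-9]+\.EXE)\] C:\\WINDOWS(\\SYSTEM)?\\\2( /s)?$", re.I)
# The parts that change on every reinfection: file stem, CLSID, registry value name.
RANDOM_FILE = re.compile(r"C:\\WINDOWS(?:\\SYSTEM)?\\([^\\/]+)\.(dll|exe)", re.I)
CLSID = re.compile(r"\{[0-9A-F-]{36}\}", re.I)
VALUE_NAME = re.compile(r"\[[A-Z0-9]+\.EXE\]", re.I)


def parse_hjt(text):
    """Keep only the R*/O* entry lines; header and process list are skipped."""
    return [ln.rstrip() for ln in text.splitlines() if re.match(r"[RO]\d+ - ", ln)]


def flag_entries(lines):
    """Return (reason, line) for every entry matching one of the heuristics."""
    hits = []
    for ln in lines:
        if RES_HIJACK.match(ln):
            hits.append(("search/start page redirected to a local res:// DLL resource", ln))
        elif UNNAMED_BHO.match(ln):
            hits.append(("unnamed BHO loaded from a DLL dropped in the Windows directory", ln))
        elif SELF_NAMED_LOADER.match(ln):
            hits.append(("Run/RunServices value named after its own EXE in the Windows directory", ln))
    return hits


def signature(line):
    """Normalise away the random parts so the same persistence shape compares equal."""
    s = CLSID.sub("{<clsid>}", line)
    s = VALUE_NAME.sub("[<random>.exe]", s)
    return RANDOM_FILE.sub(lambda m: r"C:\WINDOWS\<random>." + m.group(2).lower(), s)


def dropped_names(hits):
    """File names of the flagged loaders/DLLs, i.e. what a name-based cleanup deletes."""
    return {m.group(1) + "." + m.group(2)
            for _, ln in hits for m in RANDOM_FILE.finditer(ln)}


def compare_logs(before, after):
    """Did the cleanup remove the hijacker, or did it return under new names?"""
    h1, h2 = flag_entries(parse_hjt(before)), flag_entries(parse_hjt(after))
    s1, s2 = {signature(ln) for _, ln in h1}, {signature(ln) for _, ln in h2}
    return {
        "persisting_signatures": sorted(s1 & s2),
        "removed_names": sorted(dropped_names(h1) - dropped_names(h2)),
        "new_names": sorted(dropped_names(h2) - dropped_names(h1)),
    }


if __name__ == "__main__":
    for reason, line in flag_entries(parse_hjt(LOG_1)):
        print(f"[{reason}] {line}")
    report = compare_logs(LOG_1, LOG_2)
    print(f"{len(report['persisting_signatures'])} persistence shapes survived the cleanup; "
          f"removed {report['removed_names']}, new {report['new_names']}")
```

Run against the two posted logs, all five persistence shapes survive the first cleanup while every flagged file name changes, which is why the helper's later replies move from deleting listed files to About:Buster and CWShredder passes in safe mode.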


Offline LittleLady

  • Newbie
  • Posts: 4
  • Karma: +0/-0
Computer Hijacked
« Reply #4 on: March 28, 2005, 02:56:45 PM »
Ok... I personally tried to do everything that you said to do and here are the results.

The files
C:\Windows\Control.exe is gone
C:\Windows\System\Shell.dll shows in system and in sysbckup

When started in safe mode
Could run Hijack and Buster - the following are the results from those
Hijack is first

Logfile of HijackThis v1.99.1
Scan saved at 2:46:35 PM, on 3/28/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\COMPAQ\ACCESS\ENCOMPASS\MONITOR.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\IPQM32.EXE
C:\WINDOWS\IEUV.EXE
C:\WINDOWS\SYSTEM\CRFA32.EXE
C:\WINDOWS\SYSTEM\NTYM32.EXE
C:\WINDOWS\SYSTEM\SDKMB.EXE
C:\WINDOWS\IENX.EXE
C:\WINDOWS\IEIU32.EXE
C:\WINDOWS\CRZH.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\IEBU.EXE
C:\WINDOWS\WINLC32.EXE
C:\WINDOWS\SYSTEM\SYSIL.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\ATLHE.EXE
C:\WINDOWS\NETPQ.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\ATLVO.EXE
C:\PROGRAM FILES\DEFENDER\DEFENDER PRO FIREWALL\KAVPF.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\IENX.EXE
C:\WINDOWS\SYSTEM\MSAJ32.EXE
C:\WINDOWS\SYSTEM\SYSIL.EXE
C:\WINDOWS\IPQM32.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\gyajf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\gyajf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\gyajf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\gyajf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\gyajf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\gyajf.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\gyajf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {E4F78A3B-E4C9-A50B-F62B-9CD76792AA50} - C:\WINDOWS\IENY.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Antispy] C:\Program Files\Defender Pro\AntiSpy\Dpas.exe startup
O4 - HKLM\..\Run: [ATLVO.EXE] C:\WINDOWS\SYSTEM\ATLVO.EXE
O4 - HKLM\..\RunServices: [EncMonitor] c:\compaq\access\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [IPQM32.EXE] C:\WINDOWS\IPQM32.EXE /s
O4 - HKLM\..\RunServices: [IEUV.EXE] C:\WINDOWS\IEUV.EXE /s
O4 - HKLM\..\RunServices: [CRFA32.EXE] C:\WINDOWS\SYSTEM\CRFA32.EXE /s
O4 - HKLM\..\RunServices: [NTYM32.EXE] C:\WINDOWS\SYSTEM\NTYM32.EXE /s
O4 - HKLM\..\RunServices: [SDKMB.EXE] C:\WINDOWS\SYSTEM\SDKMB.EXE /s
O4 - HKLM\..\RunServices: [IENX.EXE] C:\WINDOWS\IENX.EXE /s
O4 - HKLM\..\RunServices: [IEIU32.EXE] C:\WINDOWS\IEIU32.EXE /s
O4 - HKLM\..\RunServices: [CRZH.EXE] C:\WINDOWS\CRZH.EXE /s
O4 - HKLM\..\RunServices: [IEBU.EXE] C:\WINDOWS\IEBU.EXE /s
O4 - HKLM\..\RunServices: [WINLC32.EXE] C:\WINDOWS\WINLC32.EXE /s
O4 - HKLM\..\RunServices: [SYSIL.EXE] C:\WINDOWS\SYSTEM\SYSIL.EXE /s
O4 - HKLM\..\RunServices: [ATLHE.EXE] C:\WINDOWS\SYSTEM\ATLHE.EXE /s
O4 - HKLM\..\RunServices: [NETPQ.EXE] C:\WINDOWS\NETPQ.EXE /s
O4 - HKLM\..\RunServices: [MSAJ32.EXE] C:\WINDOWS\SYSTEM\MSAJ32.EXE /s
O4 - Startup: Defender Pro Firewall.lnk = C:\Program Files\Defender\Defender Pro Firewall\KAVPF.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://63.102.226.240:8000/Java/cfs40320.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Then Buster
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 25


ADS not scanned System(FAT)

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 25


ADS not scanned System(FAT)
Scan Aborted


-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 25


ADS not scanned System(FAT)

When I tried to run CWShredder it says that
OLEACC.dll File cannot start check the file to determine the problem
I have no idea what that means since I downloaded it from where you said to.

Also checked to see how many files have been modified recently
3-21-05 to 3-22-05 = 138
3-22-05 to 3-23-05 = 164
3-23-05 to 3-24-05 = 7163
3-24-05 to 3-25-05 = Exceeds 10,000
3-25-05 to 3-26-05 = 5765
3-26-05 to 3-27-05 = 977
3-27-05 to 3-28-05 = 1275

Also ran Panda...after an hour and a half it had only checked 345 files and it stated that 26 were infected.

Tried to install Defender Pro and got this error message
DPAS caused an invalid page fault in
module DPAS.EXE at 0177:0041389d.
Registers:
EAX=00000000 CS=0177 EIP=0041389d EFLGS=00010297
EBX=7801065d SS=017f ESP=0283de38 EBP=004320ac
ECX=00000046 DS=017f ESI=00000000 FS=59b7
EDX=00001beb ES=017f EDI=0283e45b GS=0000
Bytes at CS:EIP:
8a 84 14 dd 05 00 00 42 3a c3 75 f4 42 3b d1 7c
Stack dump:
0283eab7 02a7be90 00bad0c0 000000e6 0283de34 656e6567 00006972 0000000c 00000001 7270253c 6172676f 0000206d 005c3a43 00000000 00000000 00429fa0

Would it be better to just crash the system and start over?
There are thousands upon thousands of DLLs now with new exe files showing up every day.

I am ready to blow this thing up!!!

Any other ideas?

Offline LittleLady

  • Newbie
  • Posts: 4
  • Karma: +0/-0
Computer Hijacked
« Reply #5 on: March 28, 2005, 03:05:50 PM »
Question
Should all antivirus and firewalls be turned off when doing this?
Have Norton, ZoneAlarm and Defender Pro Firewall.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Computer Hijacked
« Reply #6 on: March 28, 2005, 08:40:20 PM »
You only need one Firewall running at ALL times
Having more than one can cause conflicts
There is no need in running more than one
Disable 2 of them or uninstall them

I stress very much, when fixing with Hijackthis
ALL other windows MUST be closed, including Browsers

Let's check for a hidden infection

Download STARTDRECK

Unzip it to its own folder

Run StartDreck.exe:
Hit: -config
Hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
Hit >ok.

Use the "save" tab, to save, name and post this log

Also
Download DLLCompare

Start the Program and click the Run Locate.com
Let it complete the SCAN, which won't take long

Click the Compare button to start the next process. This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane, if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.

Click the Make a Log of what was found button and post it back here

Also post a fresh Hijackthis log
« Last Edit: March 28, 2005, 09:40:34 PM by guestolo »
