johnrm

f*&$@%ing Hijacked


OK,

As per the direction, I ran Spybot S & D and then ran HijackThis. I have tried to clean the system only to have this hijacking reoccur. I have run AboutBuster also. Spybot and Trojan finder have found two files in the system tray that it is unable to delete but are prime suspects for a trojan type hijack. I've tried to delete these files but I'm prompted that the files can't be deleted because Windows is using them.

 

Here's my hijack log, please help.

 

Logfile of HijackThis v1.98.0

Scan saved at 12:36:49 PM, on 7/5/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\ATLRT32.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\WINDOWS\SYSTEM\NETQE.EXE

C:\TROJANHUNTER 3.9\THGUARD.EXE

C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\WINOA386.MOD

C:\WINDOWS\SYSTEM\WINOA386.MOD

C:\WINDOWS\TEMP\TD_0007.DIR\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rfkti.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rfkti.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rfkti.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rfkti.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rfkti.dll/sp.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rfkti.dll/index.html#37049

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\temp\Spybot - Search & Destroy\SDHelper.dll (file missing)

O2 - BHO: Class - {7572E089-B1FF-8266-C5C3-33B8232C7FF7} - C:\WINDOWS\ATLTU32.DLL (file missing)

O2 - BHO: Class - {55B602D6-4282-BE22-DEE6-C95DFCA166A1} - C:\WINDOWS\D3QC32.DLL (file missing)

O2 - BHO: Class - {CED100A0-4E14-896F-604D-9E36D6D2550E} - C:\WINDOWS\SYSTEM\SYSRD32.DLL (file missing)

O2 - BHO: Class - {A486CC8D-4D69-0934-1BCA-4CAF770BA94E} - C:\WINDOWS\SYSTEM\APIAX32.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE

O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [THGuard] "C:\TROJANHUNTER 3.9\THGUARD.EXE"

O4 - HKLM\..\Run: [NETQE.EXE] C:\WINDOWS\SYSTEM\NETQE.EXE

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [ATLRT32.EXE] C:\WINDOWS\SYSTEM\ATLRT32.EXE

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O8 - Extra context menu item: &Check Spelling - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM

O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM (file missing)

O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM (file missing)

O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM (file missing)

O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM (file missing)

O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com/ (file missing) (HKCU)

O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL


Hi john,

You are running HijackThis out of a Temp folder. This is not recommended since the backups created by HijackThis can be deleted without your knowledge.

Create a new folder in C: & name it HJT, or something similar (EX: C:\HJT)

Download HijackThis & save it to the new HJT folder (here's the link for the download if you need it: http://www.spywareinfo.com/~merijn/files/HijackThis.exe).

 

I've also noticed that SpyBot Search & Destroy is being run out of a Temp folder. Please move it to C: (EX: C:\ProgramFiles\SpyBot Search & Destroy).

 

Download RubbeR DuckY's AboutBuster from here: http://www.downloads.subratam.org/AboutBuster.zip & unzip it to your Desktop.

Do not run AboutBuster yet.

 

Please print out these instructions for easy reference.

 

Run HijackThis & put a check in the boxes next to these lines, be sure to close all browsers and windows (including this one) and hit ‘Fix’:

R3 - Default URLSearchHook is missing

 

O2 - BHO: Class - {7572E089-B1FF-8266-C5C3-33B8232C7FF7} - C:\WINDOWS\ATLTU32.DLL (file missing)

O2 - BHO: Class - {55B602D6-4282-BE22-DEE6-C95DFCA166A1} - C:\WINDOWS\D3QC32.DLL (file missing)

O2 - BHO: Class - {CED100A0-4E14-896F-604D-9E36D6D2550E} - C:\WINDOWS\SYSTEM\SYSRD32.DLL (file missing)

O2 - BHO: Class - {A486CC8D-4D69-0934-1BCA-4CAF770BA94E} - C:\WINDOWS\SYSTEM\APIAX32.DLL

 

O4 - HKLM\..\Run: [NETQE.EXE] C:\WINDOWS\SYSTEM\NETQE.EXE

O4 - HKLM\..\RunServices: [ATLRT32.EXE] C:\WINDOWS\SYSTEM\ATLRT32.EXE

 

Reboot into Safe Mode.

Run AboutBuster.exe, click OK, then start, then OK. Make a copy of the log once it finishes. Then run aboutbuster.exe again. Make a copy of that log.

 

Find and delete the files in bold:

C:\WINDOWS\SYSTEM\NETQE.EXE

C:\WINDOWS\SYSTEM\ATLRT32.EXE

These files may not be there. If they are, just delete the file in bold.

C:\WINDOWS\ATLTU32.DLL

C:\WINDOWS\D3QC32.DLL

C:\WINDOWS\SYSTEM\SYSRD32.DLL

C:\WINDOWS\SYSTEM\APIAX32.DLL

 

Reboot out of Safe Mode.

Run HijackThis & post a new log here, along with the two reports from AboutBuster.

Edited by 808chick
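The kind of triage done by eye in the reply above can be sketched in code. This is an added example, not part of the original posts and not HijackThis's own logic: the `triage` function and its rules are illustrative heuristics, and the sample lines are copied from the log posted in this thread.

```python
import re

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""C:\WINDOWS\TEMP\TD_0007.DIR\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rfkti.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rfkti.dll/index.html#37049
O2 - BHO: Class - {7572E089-B1FF-8266-C5C3-33B8232C7FF7} - C:\WINDOWS\ATLTU32.DLL (file missing)
O2 - BHO: Class - {A486CC8D-4D69-0934-1BCA-4CAF770BA94E} - C:\WINDOWS\SYSTEM\APIAX32.DLL
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [NETQE.EXE] C:\WINDOWS\SYSTEM\NETQE.EXE
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")       # e.g. "O4 - <body>"
AUTORUN = re.compile(r"^[^:]+: \[([^\]]+)\] (.+)$")   # "<key>: [name] command"

def triage(log_text):
    """Return (line, reason) pairs that deserve a manual look (heuristics only)."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        entry = ENTRY.match(line)
        if entry is None:
            # Header or running-process line: only check where the tool runs from.
            if re.search(r"\\TEMP\\.*HIJACKTHIS\.EXE$", line, re.I):
                findings.append((line, "HijackThis run from a Temp folder"))
            continue
        code, body = entry.groups()
        if code in ("R0", "R1") and re.search(r"=\s*res://.*\.dll/", body, re.I):
            findings.append((line, "IE page setting points into a DLL resource"))
        elif code == "O2" and body.endswith("(file missing)"):
            findings.append((line, "BHO registered but file missing"))
        elif code == "O4":
            autorun = AUTORUN.match(body)
            if autorun:
                name, command = autorun.groups()
                exe = command.strip('"').rsplit("\\", 1)[-1]
                # Assumed heuristic: value name identical to the file name,
                # as in the two autoruns selected for fixing in this thread.
                if exe.lower() == name.lower():
                    findings.append((line, "autorun named after its own executable"))
    return findings

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

The APIAX32.DLL BHO, which exists on disk, passes these rules untouched even though the reply selects it for fixing, so the output is a list of review candidates rather than a verdict.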
