f*&$@%ing Hijacked



#1 johnrm (New Member, 1 post)

Posted 05 July 2004 - 02:45 PM

OK,
As per the direction I ran Spybot S&D and then ran HijackThis. I have tried to clean the system only to have this hijacking reoccur. I have run AboutBuster also. Spybot and Trojan finder have found two files in the system tray that it is unable to delete but are prime suspects for a trojan type hijack. I've tried to delete these files but I'm prompted that the files can't be deleted because Windows is using them.

Here's my hijack log, please help..

Logfile of HijackThis v1.98.0
Scan saved at 12:36:49 PM, on 7/5/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\ATLRT32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\NETQE.EXE
C:\TROJANHUNTER 3.9\THGUARD.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\TEMP\TD_0007.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rfkti.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rfkti.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rfkti.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rfkti.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rfkti.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rfkti.dll/index.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\temp\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: Class - {7572E089-B1FF-8266-C5C3-33B8232C7FF7} - C:\WINDOWS\ATLTU32.DLL (file missing)
O2 - BHO: Class - {55B602D6-4282-BE22-DEE6-C95DFCA166A1} - C:\WINDOWS\D3QC32.DLL (file missing)
O2 - BHO: Class - {CED100A0-4E14-896F-604D-9E36D6D2550E} - C:\WINDOWS\SYSTEM\SYSRD32.DLL (file missing)
O2 - BHO: Class - {A486CC8D-4D69-0934-1BCA-4CAF770BA94E} - C:\WINDOWS\SYSTEM\APIAX32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\TROJANHUNTER 3.9\THGUARD.EXE"
O4 - HKLM\..\Run: [NETQE.EXE] C:\WINDOWS\SYSTEM\NETQE.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [ATLRT32.EXE] C:\WINDOWS\SYSTEM\ATLRT32.EXE
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O8 - Extra context menu item: &Check Spelling - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM (file missing)
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM (file missing)
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM (file missing)
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM (file missing)
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com/ (file missing) (HKCU)
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

#2 808chick (SWI Junkie, Retired Staff - Helper, 262 posts)

Posted 11 July 2004 - 11:03 AM

Hi john,
You are running HijackThis out of a Temp folder. This is not recommended since the backups created by HijackThis can be deleted without your knowledge.
Create a new folder in C: & name it HJT, or something similar (EX: C:\HJT)
Download HijackThis & save it to the new HJT folder (here's the link for the download if you need it: http://www.spywarein.../HijackThis.exe).

I've also noticed that SpyBot Search & Destroy is being run out of a Temp folder. Please move it to C: (EX: C:\ProgramFiles\SpyBot Search & Destroy).

Download RubbeR DuckY's AboutBuster from here: http://www.downloads...AboutBuster.zip & unzip it to your Desktop.
Do not run AboutBuster yet.

Please print out these instructions for easy reference.

Run HijackThis & put a check in the boxes next to these lines, be sure to close all browsers and windows (including this one) and hit ‘Fix’:
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {7572E089-B1FF-8266-C5C3-33B8232C7FF7} - C:\WINDOWS\ATLTU32.DLL (file missing)
O2 - BHO: Class - {55B602D6-4282-BE22-DEE6-C95DFCA166A1} - C:\WINDOWS\D3QC32.DLL (file missing)
O2 - BHO: Class - {CED100A0-4E14-896F-604D-9E36D6D2550E} - C:\WINDOWS\SYSTEM\SYSRD32.DLL (file missing)
O2 - BHO: Class - {A486CC8D-4D69-0934-1BCA-4CAF770BA94E} - C:\WINDOWS\SYSTEM\APIAX32.DLL

O4 - HKLM\..\Run: [NETQE.EXE] C:\WINDOWS\SYSTEM\NETQE.EXE
O4 - HKLM\..\RunServices: [ATLRT32.EXE] C:\WINDOWS\SYSTEM\ATLRT32.EXE


Reboot into Safe Mode.
Run AboutBuster.exe, click OK, then start, then OK. Make a copy of the log once it finishes. Then run aboutbuster.exe again. Make a copy of that log.

Find and delete the files in bold:
C:\WINDOWS\SYSTEM\NETQE.EXE
C:\WINDOWS\SYSTEM\ATLRT32.EXE
These files may not be there. If they are, just delete the file in bold.
C:\WINDOWS\ATLTU32.DLL
C:\WINDOWS\D3QC32.DLL
C:\WINDOWS\SYSTEM\SYSRD32.DLL
C:\WINDOWS\SYSTEM\APIAX32.DLL

Reboot out of Safe Mode.
Run HijackThis & post a new log here, along with the two reports from AboutBuster.

Edited by 808chick, 16 July 2004 - 02:31 AM.
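The lines 808chick picks out of john's log follow a few recognisable patterns in the HijackThis format: R0/R1 start and search pages pointing into a local DLL via res://, a missing default URLSearchHook, generically named BHOs living directly under C:\WINDOWS, and O4 autorun entries registered under their own file name. The script below is an added example for this thread, not code from HijackThis, the forum or either poster; the sample log lines are copied from post #1, and the heuristics it applies are my own assumptions, not HijackThis's rules.

```python
import re

# Constructed sample: lines in the HijackThis v1.98 log format, copied from
# the log posted in #1 above (the items 808chick selects plus two benign ones).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rfkti.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rfkti.dll/index.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\temp\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: Class - {7572E089-B1FF-8266-C5C3-33B8232C7FF7} - C:\WINDOWS\ATLTU32.DLL (file missing)
O2 - BHO: Class - {A486CC8D-4D69-0934-1BCA-4CAF770BA94E} - C:\WINDOWS\SYSTEM\APIAX32.DLL
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [NETQE.EXE] C:\WINDOWS\SYSTEM\NETQE.EXE
O4 - HKLM\..\RunServices: [ATLRT32.EXE] C:\WINDOWS\SYSTEM\ATLRT32.EXE
"""

# O2 line: BHO name, CLSID, DLL path, optional "(file missing)" suffix.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*?)(?: \(file missing\))?$")
# O4 line: registry key, [entry name], command line.
RUN_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<entry>[^\]]+)\] (?P<cmd>.*)$")

def flag_line(line):
    """Reason string if the line matches one of the hijack patterns in this
    thread (heuristics assumed here, not HijackThis's own rules), else None."""
    kind = line.split(" - ", 1)[0]
    if kind in ("R0", "R1") and "res://" in line and ".dll" in line.lower():
        return "IE start/search page points into a local DLL resource (res://)"
    if kind == "R3" and "URLSearchHook is missing" in line:
        return "default URLSearchHook has been removed"
    m = BHO_RE.match(line)
    if m and m.group("name") in ("Class", "(no name)") \
            and m.group("path").upper().startswith("C:\\WINDOWS\\"):
        return "generically named BHO loaded from the Windows directory"
    m = RUN_RE.match(line)
    if m:
        cmd = m.group("cmd")  # first token may be a quoted path with spaces
        first = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
        if m.group("entry").upper() == first.rsplit("\\", 1)[-1].upper():
            return "autorun entry registered under its own file name"
    return None

def triage(log_text):
    """Walk a HijackThis log; return [(line, reason)] for suspect entries."""
    pairs = ((l, flag_line(l)) for l in log_text.strip().splitlines())
    return [(l, r) for l, r in pairs if r]

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}:\n    {line}")
```

Run against the sample it flags the same seven entries 808chick lists for fixing and leaves the Spybot SDHelper BHO and the Norton autorun alone.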
