Jump to content


Photo

HIJACKED


  • This topic is locked This topic is locked
3 replies to this topic

#1 vicegripj

vicegripj

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 12 June 2004 - 09:13 AM

Will someone please tell me what's going on with my system.

Thank you in advance.


Logfile of HijackThis v1.97.7
Scan saved at 4:20:39 PM, on 6/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\apvxdwin.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\SYSTEM32\winhlp32.dll.exe
C:\PROGRA~1\THIRDM~1\window skip phone.exe
C:\Program Files\Alarm\Alarm Tray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\WINDOWS\SYSTEM32\winhlp32.dll.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\My Downloads\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\JAMES ANDREWS\Application Data\Mozilla\Profiles\default\z055hj9h.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\JAMES ANDREWS\Application Data\Mozilla\Profiles\default\z055hj9h.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Show missed alarms] C:\Program Files\Alarm\Alarm.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [winhlp32.exe] C:\WINDOWS\SYSTEM32\winhlp32.dll.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [WinGuard Pro] C:\WINDOWS\System32\lockctrl.exe C:\WINDOWS\System32\wgp.exe
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Global Startup: Alarm Clock Icon.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Verizon Online Account Setup.lnk = C:\Program Files\Verizon Online\VOLSW\Accstp4.0.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6C31790D-1EDF-4B05-83DC-925B3A8E2318} (Reactivator Class) - http://mp3downloadin...sh/winhlp32.exe
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9E6C7461-FE4A-41A9-9D35-7468796CF9E7} (AVXControl Class) - http://threatlevel.p...trol/avxnew.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon....es/vzWebIns.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?312

#2 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,757 posts

Posted 12 June 2004 - 01:54 PM

Tap Ctrl+Alt+Delete, click the Processes tab, and end the following process:

winhlp32.dll.exe

Close all programs, tick the following for removal in HJT, and click "Fix Checked:"

O4 - HKLM\..\Run: [winhlp32.exe] C:\WINDOWS\SYSTEM32\winhlp32.dll.exe

Reboot.

Find and delete this file:

C:\WINDOWS\SYSTEM32\winhlp32.dll.exe

Scan again with HJT and post the new log. Update Panda's signature file while you're at it.
Signature file is under revision. This will be back shortly.

#3 vicegripj

vicegripj

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 14 June 2004 - 09:50 AM

Task Manager does not stay on my desktop long enough the end the process: winhlp32.dll.exe. It looks as though I was able to remove: o4 -HKLM\..\Run: [winhlp32.exe] C:\WINDOWS\SYSTEM32\winhlp32.dll.exe. I tried deleting C:\WINDOWS\SYSTEM32\winhlp32.dll.exe only to get a message stating: Can't delete winhlp32.dll: Acess is denied. And finally, I updated Panada's signature file and Scan again with HJT.

My homepage is still being controled by: http://search200.com...ellnet.msn.com/

I also ran Spybot S&D Ver.1.2 and got rid of the following: Advertising.com, Avenue A, Inc, BackWeb lite, C2.lop, DoubleClick and HitBox. But they keep returning.

There were no problems found when I ran Ad-ware, CWshredder, Spywareblaster and TweakNow Regcleaner.




Logfile of HijackThis v1.97.7
Scan saved at 9:52:45 AM, on 6/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\igfxtray.exe
C:\PROGRA~1\THIRDM~1\window skip phone.exe
C:\WINDOWS\System32\GGG.EXE
C:\WINDOWS\SYSTEM32\winhlp32.dll.exe
C:\Program Files\Alarm\Alarm Tray.exe
C:\WINDOWS\SYSTEM32\winhlp32.dll.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\winlogon.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\apvxdwin.exe
C:\My Downloads\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\JAMES ANDREWS\Application Data\Mozilla\Profiles\default\z055hj9h.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\JAMES ANDREWS\Application Data\Mozilla\Profiles\default\z055hj9h.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Show missed alarms] C:\Program Files\Alarm\Alarm.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Winsock2 driver] GGG.EXE
O4 - HKCU\..\RunOnce: [Winsock2 driver] GGG.EXE
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Global Startup: Alarm Clock Icon.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Verizon Online Account Setup.lnk = C:\Program Files\Verizon Online\VOLSW\Accstp4.0.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6C31790D-1EDF-4B05-83DC-925B3A8E2318} (Reactivator Class) - http://mp3downloadin...sh/winhlp32.exe
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9E6C7461-FE4A-41A9-9D35-7468796CF9E7} (AVXControl Class) - http://threatlevel.p...trol/avxnew.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon....es/vzWebIns.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?312

#4 The_Egg

The_Egg

    Member

  • New Member
  • Pip
  • 1 posts

Posted 11 July 2004 - 11:31 AM

Hi

I just registered here after seeing your post.
Did you resolve the matter?

We have a thread over at the Winamp Forums which deals with this very same issue:
http://forums.winamp...threadid=180475

Winhlp32.dll / winhlp32.dll.exe is a drive-by Reactivator Class ActiveX malware from mp3downloading.com | mp3university.com.
It is silently installed when you visit their Demo page...
When executed, it hooks and then sends WM_USER+2 messages to every window in the system.

I have already reported this issue to all of Adaware, SpybotSD, Wilders.org, Symantec, Trend, and more.


If you can't get Task Manager to stay open long enough to End Process for
C:\WINDOWS\SYSTEM32\winhlp32.dll.exe

Then close all browser and Explorer Windows, run HJT again,
put a check next to the following entries and click Fix Checked:

O4 - HKLM\..\Run: [winhlp32.exe] C:\WINDOWS\SYSTEM32\winhlp32.dll.exe

O16 - DPF: {6C31790D-1EDF-4B05-83DC-925B3A8E2318} (Reactivator Class) - http://mp3downloadin...sh/winhlp32.exe

Now go to:
Internet Control Panel > General tab > Temporary Internet Files > Delete
Checkmark "delete all offline content" and click OK

Next, click the Settings button > View Objects.
If the winhlp32.exe Reactivator Class file is still present in the DPF folder, delete it.

Now reboot into Safe Mode
and delete C:\WINDOWS\SYSTEM32\winhlp32.dll.exe


Further info / instructions can be found via the thread at Winamp Forums.


Good luck, and I hope this helps.



I furthermore apologize for reviving an old thread after almost a month,
but I strongly feel that this issue warrants further and more immediate attention.


-Egg




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button