Help I've Been Hijacked


Recommended Posts

Ok- my symtom is n?otepad.exe running and I can't get rid of it. Rapid blaster does'nt find anything. I've deleted and shredded it with CWshredder but it keeps coming back. Logged into safe mode ran Trend micros free online scan and it removed some stuff then ran Symantec security online check then ran mcfee AVERT stinger. Downloaded and rand up to date ADaware Se and Spybot. Ran cccleaner. After reboot it locks in a black screen, if I reboot it does the same, if I then CTRL-ALT-DEL and log off I can log back on and get in but it puts a spyware warning as an active desktop item (desktop.html) By right clicking way on the edge of the screen I can disable the desktop.html file and get to my desktop. Network access to my other computer is iffy and there is a yellow trianble that keeps popping up a spyware warning. Below is my HijackThis log. Thanks this one is messing with me.

Logfile of HijackThis v1.99.0

Scan saved at 7:20:01 PM, on 2/15/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINNT\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINNT\system32\mshelp32.exe

C:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {2D07800E-E1ED-4AF1-93FE-536B6EE56833} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {57952DE8-9126-B7FD-7B66-99DC4C3FE5C9} - C:\WINNT\system32\wvruqlag.dll

O2 - BHO: (no name) - {A708A39C-8DA7-4e36-B3B0-0A1FFAFD4B6D} - C:\WINNT\system32\javafix3.dll

O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-7173706D1316} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [mshelp32] C:\WINNT\system32\mshelp32.exe

O4 - HKLM\..\RunOnce: [srv32 spool service] C:\WINNT\System32\spoolsrv32.exe

O4 - HKCU\..\Run: [Jxe] C:\WINNT\system32\n?tepad.exe

O4 - HKCU\..\RunOnce: [srv32 spool service] C:\WINNT\System32\spoolsrv32.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O15 - Trusted IP range: 67.19.185.246

O15 - Trusted IP range: 67.19.185.246 (HKLM)

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: NvCplScan - Unknown - C:\WINNT\system32\winasp.exe (file missing)

O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

Link to post
Share on other sites

Updated hijackthis 1.99.1 log.

Logfile of HijackThis v1.99.1

Scan saved at 4:10:57 PM, on 2/16/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINNT\System32\svchost.exe

C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {2D07800E-E1ED-4AF1-93FE-536B6EE56833} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {57952DE8-9126-B7FD-7B66-99DC4C3FE5C9} - C:\WINNT\system32\wvruqlag.dll

O2 - BHO: (no name) - {A708A39C-8DA7-4e36-B3B0-0A1FFAFD4B6D} - C:\WINNT\system32\javafix3.dll

O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-7173706D1316} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\RunOnce: [srv32 spool service] C:\WINNT\System32\spoolsrv32.exe

O4 - HKCU\..\RunOnce: [srv32 spool service] C:\WINNT\System32\spoolsrv32.exe

O15 - Trusted Zone: *.skoobidoo.com (HKLM)

O15 - Trusted Zone: *.slotchbar.com (HKLM)

O15 - Trusted Zone: *.windupdates.com (HKLM)

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

Link to post
Share on other sites

Hi mnierman,

I will be reviewing your HijackThis log.

Open HijackThis, press the "Scan" button, and check the following items:

O2 - BHO: (no name) - {2D07800E-E1ED-4AF1-93FE-536B6EE56833} - (no file)

O2 - BHO: (no name) - {57952DE8-9126-B7FD-7B66-99DC4C3FE5C9} - C:\WINNT\system32\wvruqlag.dll

O2 - BHO: (no name) - {A708A39C-8DA7-4e36-B3B0-0A1FFAFD4B6D} - C:\WINNT\system32\javafix3.dll

O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-7173706D1316} - (no file)

O4 - HKLM\..\RunOnce: [srv32 spool service] C:\WINNT\System32\spoolsrv32.exe

O4 - HKCU\..\RunOnce: [srv32 spool service] C:\WINNT\System32\spoolsrv32.exe

O15 - Trusted Zone: *.skoobidoo.com (HKLM)

O15 - Trusted Zone: *.slotchbar.com (HKLM)

O15 - Trusted Zone: *.windupdates.com (HKLM)

Close all windows except HijackThis, and click the "Fix Checked" button.

Reboot into Safe Mode. To do this:

* During reboot immediately begin tapping the F8 key when the OS is starting to load up

* Windows Advanced Options menu appears.

* Use the arrow keys to select Safe mode

* press Enter.

When Safe Mode boots up, find the following file and delete it:

C:\WINNT\System32\spoolsrv32.exe

Reboot and post a new log.

dk

Link to post
Share on other sites

:D THanks, I thought those looked iffy. When I rebooted it gave me an error can't find sytem32\spoolsrv32.exe. I don't see that entry in this current log though.

Logfile of HijackThis v1.99.1

Scan saved at 3:42:53 PM, on 2/18/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINNT\system32\rundll32.exe

C:\WINNT\system32\wuauclt.exe

C:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

Link to post
Share on other sites

No problem. Your log is clean. Follow these steps to keep your computer clean.

Please follow these simple steps in order to keep your computer clean and secure:

  1. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly. Here is a great free one: http://www.kerio.com/us/kpf_home.html
  2. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  3. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. Download it here: http://www.javacoolsoftware.com/spywareblaster.html
  4. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  5. I think that you would benifit from reading "How did I get infected in the first place??".

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help,

dk :)

Link to post
Share on other sites
Guest
This topic is now closed to further replies.