
hijack this log...pls help!

Hey guys, here is my log from Hijack This. I don't know what to get rid of. My IE is totally hacked and I cannot keep a home page. And I have to put "www" in the address bar whenever I go to a site. If I don't then it goes to the wrong site....the same wrong site for every entry without "www"

Hope you guys understand all that. Thanks

HERE IT IS:

Logfile of HijackThis v1.97.7
Scan saved at 9:43:18 PM, on 6/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\system32\javauk.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\atlge.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ryan\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wpjio.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wpjio.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wpjio.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wpjio.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wpjio.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wpjio.dll/sp.html#96676
O2 - BHO: (no name) - {F44B61BD-741C-710C-AE71-A8D36A20716A} - C:\WINDOWS\system32\apizm32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [javauk.exe] C:\WINDOWS\system32\javauk.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38145.6964699074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

Comments

  • shwaipshwaip bluffin' with my muffin Icrontian
    edited June 2004
    Welcome to short-media. Please feel free to check out the other forums as well.

    Since you didn't say anything about adaware or spybot S&D in your post, I'll assume you haven't read this:

    http://www.short-media.com/forum/showthread.php?t=14915

    please follow the directions there and post a new log.
  • edited June 2004
    I did all that. I updated everything. And I deleted all the stuff that I thought was bad...the "wpjio" stuff. In safe mode. But it's still all there. So I have no idea what to do?
  • shwaipshwaip bluffin' with my muffin Icrontian
    edited June 2004
    First, put Hijackthis into a folder on your hard drive (c:\hijackthis, c:\hjt, w/e). This will keep stuff organized and allow backups.

    ok...boot into safe mode, and remove the following with hijackthis:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wpjio.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wpjio.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wpjio.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wpjio.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wpjio.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wpjio.dll/sp.html#96676

    Neither of these comes up in any search I do, leading me to believe that they are what's causing your problem
    O2 - BHO: (no name) - {F44B61BD-741C-710C-AE71-A8D36A20716A} - C:\WINDOWS\system32\apizm32.dll
    O4 - HKLM\..\Run: [javauk.exe] C:\WINDOWS\system32\javauk.exe

    also, delete the file C:\windows\system32\wpjio.dll after you remove those entries

    reboot.
  • edited June 2004
    Please report back of your adventure and tell us, were you successful? Feedback! We're hungry!
  • edited June 2004
    Ok, I did everything that you guys told me to do, and it worked....however, the virus, or whatever, simply evolves and calls itself something else. In this case, it has gone from "wpjio" to "qqfzb". So, I have no idea what to do. Here is my new log file. It's attached.
    Pls help me guys!!! This is getting ridiculous.

    hijack log

    Logfile of HijackThis v1.97.7
    Scan saved at 5:12:54 PM, on 6/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\apphv32.exe
    C:\WINDOWS\system32\sdkob32.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\DIGStream\digstream.exe
    C:\WINDOWS\kdx\KHost.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Documents and Settings\Ryan\Local Settings\Temp\Temporary Directory 14 for hijackthis.zip\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qqfzb.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qqfzb.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qqfzb.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qqfzb.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qqfzb.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qqfzb.dll/sp.html#96676
    O2 - BHO: (no name) - {66F47A0F-B4AA-B23E-011C-BD3F255CFC72} - C:\WINDOWS\system32\sdkob32.dll
    O2 - BHO: (no name) - {69E5E34F-4D30-BABE-C2EF-EA966D6352FA} - C:\WINDOWS\system32\syska32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKLM\..\Run: [sdkob32.exe] C:\WINDOWS\system32\sdkob32.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKLM\..\RunOnce: [sdkqb.exe] C:\WINDOWS\sdkqb.exe
    O4 - HKLM\..\RunOnce: [atlue.exe] C:\WINDOWS\system32\atlue.exe
    O4 - HKLM\..\RunOnce: [mfcxu.exe] C:\WINDOWS\mfcxu.exe
    O4 - HKLM\..\RunOnce: [ntyl32.exe] C:\WINDOWS\system32\ntyl32.exe
    O4 - HKLM\..\RunOnce: [apins32.exe] C:\WINDOWS\system32\apins32.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38145.6964699074
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
  • shwaipshwaip bluffin' with my muffin Icrontian
    edited June 2004
    Please place hijackthis.exe into its own folder on your hard drive, c:\hijackthis. This will allow you to restore backups if necessary.

    hrmmm...let's give it another go. I'll see if I can find any info on this on the intarweb, but in the mean time:

    boot into safe mode and remove the following:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qqfzb.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qqfzb.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qqfzb.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qqfzb.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qqfzb.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qqfzb.dll/sp.html#96676
    O2 - BHO: (no name) - {66F47A0F-B4AA-B23E-011C-BD3F255CFC72} - C:\WINDOWS\system32\sdkob32.dll
    O2 - BHO: (no name) - {69E5E34F-4D30-BABE-C2EF-EA966D6352FA} - C:\WINDOWS\system32\syska32.dll
    O4 - HKLM\..\Run: [sdkob32.exe] C:\WINDOWS\system32\sdkob32.exe
    O4 - HKLM\..\RunOnce: [sdkqb.exe] C:\WINDOWS\sdkqb.exe
    O4 - HKLM\..\RunOnce: [atlue.exe] C:\WINDOWS\system32\atlue.exe
    O4 - HKLM\..\RunOnce: [mfcxu.exe] C:\WINDOWS\mfcxu.exe
    O4 - HKLM\..\RunOnce: [ntyl32.exe] C:\WINDOWS\system32\ntyl32.exe
    O4 - HKLM\..\RunOnce: [apins32.exe] C:\WINDOWS\system32\apins32.exe

    once you've removed these with hijackthis, manually delete the files from your hard drive.
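
Added example, not part of any post in this thread: a small Python comparison of two HijackThis scans that masks the randomly named DLL in the `res://` redirects to show the same hijack survived cleanup, then lists the BHO and Run/RunOnce entries that appeared between scans. The entries are excerpted from the two logs above; the function names are assumptions made for this illustration.

```python
import re

ENTRY = re.compile(r"^\s*([RFNO]\d+) - (.+?)\s*$")          # e.g. "O4 - HKLM\..\Run: ..."
RES_DLL = re.compile(r"res://(?:.*\\)?([^\\/]+\.dll)/", re.I)  # DLL named in a res:// URL

# Excerpts from the 6/15/2004 and 6/17/2004 logs posted in the thread.
SCAN_1 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wpjio.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wpjio.dll/index.html#96676
O2 - BHO: (no name) - {F44B61BD-741C-710C-AE71-A8D36A20716A} - C:\WINDOWS\system32\apizm32.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [javauk.exe] C:\WINDOWS\system32\javauk.exe
"""
SCAN_2 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qqfzb.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qqfzb.dll/index.html#96676
O2 - BHO: (no name) - {66F47A0F-B4AA-B23E-011C-BD3F255CFC72} - C:\WINDOWS\system32\sdkob32.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [sdkob32.exe] C:\WINDOWS\system32\sdkob32.exe
O4 - HKLM\..\RunOnce: [atlue.exe] C:\WINDOWS\system32\atlue.exe
"""

def parse_entries(log_text):
    """Return (code, body) per entry line; headers and the process list are skipped."""
    return [m.groups() for m in map(ENTRY.match, log_text.splitlines()) if m]

def res_hijacks(entries):
    """Map each res:// DLL in R0/R1 entries to its entries with the DLL name masked."""
    out = {}
    for code, body in entries:
        m = RES_DLL.search(body)
        if code in ("R0", "R1") and m:
            dll = m.group(1).lower()
            out.setdefault(dll, set()).add(body.lower().replace(dll, "<dll>"))
    return out

def same_hijack(before, after):
    """True when both scans show identical res:// redirects apart from the DLL name."""
    a, b = res_hijacks(before), res_hijacks(after)
    return bool(a) and set().union(*a.values()) == set().union(*b.values())

def new_autostarts(before, after):
    """O2 (BHO) and O4 (Run/RunOnce) entries present only in the later scan."""
    seen = {e for e in before if e[0] in ("O2", "O4")}
    return [e for e in after if e[0] in ("O2", "O4") and e not in seen]

if __name__ == "__main__":
    old, new = parse_entries(SCAN_1), parse_entries(SCAN_2)
    print("same hijack under a new name:", same_hijack(old, new))
    for code, body in new_autostarts(old, new):
        print("new autostart:", code, body)
```
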