
Hijacked and frustrated! - Run Spybot, AdAware, CW Shredder, Hijack-No Luck!

My home page and search pages keep getting hijacked. I have run spybot, ad-aware, and Hijack-This. Here is the log. My home page changes to a variety of things, usually something like://gxjqj.dll/index.html#1164797765. I also seem to have words highlighted in my emails as links. I have removed the R1 entries (see below) but the minute I open a browser window, the same or similar entries re-appear.

HELP (and THANK YOU SO MUCH!)!

Logfile of HijackThis v1.97.7
Scan saved at 5:06:40 PM, on 6/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\msql.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\BacsTray.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\sysop.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Julie\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gxjqj.dll/sp.html#1164797765
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://gxjqj.dll/index.html#1164797765
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://gxjqj.dll/index.html#1164797765
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gxjqj.dll/sp.html#1164797765
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://gxjqj.dll/index.html#1164797765
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gxjqj.dll/sp.html#1164797765
O2 - BHO: (no name) - {0601199D-BBFC-C41A-BEDC-81B78A121204} - C:\WINDOWS\system32\javatr32.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [sysop.exe] C:\WINDOWS\system32\sysop.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKLM\..\RunOnce: [msql.exe] C:\WINDOWS\system32\msql.exe
O4 - HKLM\..\RunOnce: [javawr.exe] C:\WINDOWS\system32\javawr.exe
O4 - HKLM\..\RunOnce: [winvp.exe] C:\WINDOWS\system32\winvp.exe
O4 - HKLM\..\RunOnce: [sysyg32.exe] C:\WINDOWS\system32\sysyg32.exe
O4 - HKLM\..\RunOnce: [msvt32.exe] C:\WINDOWS\system32\msvt32.exe
O4 - HKLM\..\RunOnce: [crbe.exe] C:\WINDOWS\crbe.exe
O4 - HKLM\..\RunOnce: [sysfg32.exe] C:\WINDOWS\sysfg32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab

Comments

  • edited June 2004
    Hi! I am having EXACTLY the same type of problem and have tried everything (see post under Grandciel). Only thing is mine keeps changing..sometimes it's xpkt.dll, sometimes gxjqj.dll, sometimes mshp.dll. Just when I think I have it fixed I get a new one. HELP TOO!
  • shwaip bluffin' with my muffin Icrontian
    edited June 2004
    Posting in two threads will not help you get answers faster. It only upsets those who are going to help you, and then I have to remove the clutter from the other thread, slowing down your response.

    Please be patient. It takes a long time to look up all unfamiliar entries in a hijack log. And I like to eat dinner. Will post soon.
  • shwaip bluffin' with my muffin Icrontian
    edited June 2004
    That having been said, first, put hijackthis in its own folder on your c:\ drive (c:\hjt, for example). This will allow you to restore anything mistakenly removed.

    next, boot into safe mode and remove these with hijackthis:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gxjqj.dll/sp.html#1164797765
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://gxjqj.dll/index.html#1164797765
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://gxjqj.dll/index.html#1164797765
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gxjqj.dll/sp.html#1164797765
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://gxjqj.dll/index.html#1164797765
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gxjqj.dll/sp.html#1164797765
    O2 - BHO: (no name) - {0601199D-BBFC-C41A-BEDC-81B78A121204} - C:\WINDOWS\system32\javatr32.dll
    O4 - HKLM\..\RunOnce: [msql.exe] C:\WINDOWS\system32\msql.exe
    O4 - HKLM\..\RunOnce: [javawr.exe] C:\WINDOWS\system32\javawr.exe
    O4 - HKLM\..\RunOnce: [winvp.exe] C:\WINDOWS\system32\winvp.exe
    O4 - HKLM\..\RunOnce: [sysyg32.exe] C:\WINDOWS\system32\sysyg32.exe
    O4 - HKLM\..\RunOnce: [msvt32.exe] C:\WINDOWS\system32\msvt32.exe
    O4 - HKLM\..\RunOnce: [crbe.exe] C:\WINDOWS\crbe.exe
    O4 - HKLM\..\RunOnce: [sysfg32.exe] C:\WINDOWS\sysfg32.exe

    now, delete those files, and only those files, from their respective directories.
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited June 2004
    Yes, please be patient. We don't do this for a living. This is a hobby and we are real people with lives (hard as that may be to believe :) )
  • edited June 2004
    Sorry about posting in two threads....when I did technical support we cross posted all of the time...it tended to help with the workload as we might be able to answer two questions with one answer. I wasn't being impatient, just a new user. Guess I wasn't thinking. In any case, it WORKED! Thanks a bunch guys!! I really appreciate it.

    BTW, I did a new virus scan and cleared a bunch of trojans too. Between that and deleting what you suggested, I seem to be back in business. Might be the last time I plug into a supposedly "safe" network at a client's though!

    Thanks again. Have a great night!
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited June 2004
    Please don't be a stranger. We feel used when that happens :(;D

    This is a great community with experts on many different subjects. We also have one of the premiere folding teams in the world. We ALWAYS appreciate new members :)
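
The removal list in shwaip's reply follows a few visible patterns in the log: IE page values pointing at `res://` content inside a DLL, a BHO loaded straight from system32, and RunOnce values named after their own executable. The sketch below is an added example, not part of the thread or of HijackThis; the three heuristics are assumptions drawn from this one log and only produce candidates for manual review.

```python
import ntpath
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gxjqj.dll/sp.html#1164797765
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://gxjqj.dll/index.html#1164797765
O2 - BHO: (no name) - {0601199D-BBFC-C41A-BEDC-81B78A121204} - C:\WINDOWS\system32\javatr32.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\RunOnce: [msql.exe] C:\WINDOWS\system32\msql.exe
O4 - HKLM\..\RunOnce: [crbe.exe] C:\WINDOWS\crbe.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
"""

ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
# Heuristics below are assumptions drawn from this one log, not HijackThis rules.
RES_DLL = re.compile(r"=\s*res://(?P<dll>[^/]*\.dll)/", re.I)
BHO_SYS = re.compile(r"^BHO: .* - (?P<path>C:\\WINDOWS\\system32\\[^\\]+\.dll)$", re.I)
RUNONCE = re.compile(r"^HKLM\\\.\.\\RunOnce: \[(?P<name>[^\]]+)\] (?P<path>.+)$", re.I)


def triage(log_text):
    """Return (code, reason) pairs for entries that deserve a manual look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1") and (hit := RES_DLL.search(body)):
            dll = ntpath.basename(hit.group("dll"))
            findings.append((code, f"IE page served from inside {dll}"))
        elif code == "O2" and (hit := BHO_SYS.match(body)):
            findings.append((code, f"BHO loaded from system32: {hit.group('path')}"))
        elif code == "O4" and (hit := RUNONCE.match(body)):
            exe = ntpath.basename(hit.group("path"))
            if exe.lower() == hit.group("name").lower():
                findings.append((code, f"RunOnce value named after its own file: {exe}"))
    return findings


if __name__ == "__main__":
    for code, reason in triage(SAMPLE_LOG):
        print(code, reason)
```

The Excel `res://` context-menu item (O8) and the `hkcmd.exe` Run entry are deliberately left unflagged, since the rules are scoped to the entry types the reply actually removed.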