Helping a friend with a hijacked PC
I am new at this stuff but I don't intimidate easily and I find it very interesting. I have a friend whose PC was really toast, sloooooow. They had no virus software, no firewall, so no protection. I plan on changing that. So I loaded Ad Aware SE and Spybot S&D, which I have run a number of times. Oh yeah, for ease I also have loaded Starter so I can see what processes are running. Seems like every time I tried to update, someone took over my dialer. By slowly restricting processes via Starter, I was finally able to upgrade Spybot, Ad Aware and HJT. I have created a separate folder for HJT and executed it. Can someone please take a look at my HJT list and give me some pointers. I would greatly appreciate any assistance. Here's the list:
Logfile of HijackThis v1.97.7
Scan saved at 5:15:42 PM, on 9/11/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM32\WINTIME.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\HELPCTR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\HJT\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\itqdc.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\itqdc.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\itqdc.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\itqdc.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\itqdc.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\itqdc.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\itqdc.dll/sp.html#96676
O2 - BHO: (no name) - {D8EA2F43-4063-63D9-7846-08669B86043F} - C:\WINDOWS\SYSTEM\SDKPZ.DLL
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [IPMN.EXE] C:\WINDOWS\SYSTEM\IPMN.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunOnce: [VcCleanUp.exe] C:\WINDOWS\TEMP\VcCleanUp.exe /F C:\PROGRA~1\COMMON~1\SYMANT~1\LIVEREG\ /RemoveAll
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
From reading a number of entries, I suspect I am heading for safe mode. I am not certain if I need to get rid of all of these entries or not (also, if I have a number of processes restricted by starter is that going to make a difference?)
I am looking forward to your comments and assistance as well as being there to help other poor people who have gotten slammed by these sicko scum bums.
Thanks again,
new-oldie
Comments
First, get rid of these:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\itqdc.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\itqdc.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\itqdc.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\itqdc.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\itqdc.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\itqdc.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\itqdc.dll/sp.html#96676
O2 - BHO: (no name) - {D8EA2F43-4063-63D9-7846-08669B86043F} - C:\WINDOWS\SYSTEM\SDKPZ.DLL
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [IPMN.EXE] C:\WINDOWS\SYSTEM\IPMN.EXE
Okay, now this is the fun part:
Close Hijack This, and then PULL THE POWER CORD OUT OF YOUR COMPUTER. Yes, that's right, do NOT properly shut it down, just yank the cord.
Now, turn it back on, and when it starts to boot, rapidly press the F8 key to get to a boot menu before windows starts. Select "Command Prompt Only" (it might be called DOS mode too, can't remember), and then it will boot to something that looks like this:
C:\
At that prompt, type CD WINDOWS
then type CD SYSTEM
Your prompt should look like this:
C:\WINDOWS\SYSTEM
type ATTRIB -H -S ITQDC.DLL
then type DEL ITQDC.DLL
after you do that, reboot the computer (just hit ctrl-alt-delete) and then boot into windows normally, and post a new HJT log for me.
Wow. If you started helping with other logs after this, it would be awesome. We definitely need the help
Also, check out the links in my sig to find out about folding. It is a noble cause and we would love to have you on our team.
primesuspect,
Thanks for the quick response. When I first saw your comment about pulling the power plug, my 1st thought was he is going to tell me to dump this system.
Anyway, your instructions seemed simple enough, but after I took her down to safe mode and ran HJT (simple enough), I discovered some new entries (I left them alone) and some of the items you listed weren't there anymore (first 3 HKCU and the BHO). I rechecked and fixed the other entries. When I tried to get to a command (DOS) prompt by pressing F8 rapidly, all I ever got was the Windows menu where I am to select safe mode. I tried to perform the attrib command on itqdc.dll from the safe mode DOS prompt, but the system couldn't find it. I returned the system to normal mode and ran HJT. Well, what do you know, our old buddy showed up there. So I selected it and the HKCU and the associated HKLM entries and fixed them, as well as a BHO "addb.dll". I rebooted the system, came up in normal mode and ran another HJT with the results as follows:
Logfile of HijackThis v1.97.7
Scan saved at 9:32:43 PM, on 9/13/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\HJT\HIJACKTHIS.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
Did I go too far on my own? Does this look as good as I think it does?
Thanks again for your patience and instruction,
new-oldie
P.S. I did tech support in the telecom industry for many years.
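A way to triage HJT logs like the two posted in this thread mechanically, added here as an example; it is not code from the thread or from HijackThis itself. It encodes three review heuristics drawn from primesuspect's answer: IE search settings (R0/R1) whose value is a res:// URL served out of a DLL on disk, BHO entries (O2) with no name, and Run/RunServices entries (O4) that launch an executable from the Windows system directories and are not on a small allowlist. The allowlist (mstask.exe and rundll32.exe), the regexes and the embedded sample logs (copied from the entries posted above) are this example's own assumptions; a flag means "look at this", not "malicious". Applied to the first log it flags the same eleven lines primesuspect listed; applied to the follow-up log it flags nothing.

```python
import re

# HJT log line shapes this example understands (assumed from the logs above):
#   R1 - <registry key> = <value>
#   O2 - BHO: <name> - {CLSID} - <dll path>
#   O4 - HKLM\..\Run: [<entry name>] <command line>
R_LINE = re.compile(r"^(?P<sec>R[01]) - (?P<key>[^=]+?) = (?P<value>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

SYSTEM_DIRS = ("c:\\windows\\system\\", "c:\\windows\\system32\\")
# Assumed allowlist: the only autostarts launched from a system directory that
# this example accepts without review. Anything else there gets flagged.
KNOWN_SYSTEM_AUTOSTARTS = {"mstask.exe", "rundll32.exe"}


def triage(log_text):
    """Return a list of (section, reason) for HJT lines worth fixing or reviewing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            # A search provider served from a DLL resource on disk (res://) is the
            # hijack pattern in this thread; real providers are http(s) URLs.
            if m.group("value").lower().startswith("res://"):
                findings.append((m.group("sec"),
                                 "search setting points at a res:// DLL resource: " + m.group("key")))
            continue
        m = O2_LINE.match(line)
        if m:
            if m.group("name") == "(no name)":
                findings.append(("O2", "unnamed BHO %s loads %s" % (m.group("clsid"), m.group("path"))))
            continue
        m = O4_LINE.match(line)
        if m:
            exe = m.group("cmd").split()[0].lower()      # first token is the program
            base = exe.rsplit("\\", 1)[-1]               # file name without directory
            if exe.startswith(SYSTEM_DIRS) and base not in KNOWN_SYSTEM_AUTOSTARTS:
                findings.append(("O4", "%s\\..\\%s autostart from a system directory: %s"
                                 % (m.group("hive"), m.group("key"), exe)))
    return findings


# Constructed sample: the R/O2/O4 entries from the first log posted in the thread.
INFECTED_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\itqdc.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\itqdc.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\itqdc.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\itqdc.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\itqdc.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\itqdc.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\itqdc.dll/sp.html#96676
O2 - BHO: (no name) - {D8EA2F43-4063-63D9-7846-08669B86043F} - C:\WINDOWS\SYSTEM\SDKPZ.DLL
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [IPMN.EXE] C:\WINDOWS\SYSTEM\IPMN.EXE
O4 - HKLM\..\RunOnce: [VcCleanUp.exe] C:\WINDOWS\TEMP\VcCleanUp.exe /F C:\PROGRA~1\COMMON~1\SYMANT~1\LIVEREG\ /RemoveAll
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
"""

# Constructed sample: the O4 entries from the follow-up log after cleanup.
CLEAN_LOG = r"""
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
"""

if __name__ == "__main__":
    for label, log in (("before cleanup", INFECTED_LOG), ("after cleanup", CLEAN_LOG)):
        hits = triage(log)
        print("%s: %d entries to review" % (label, len(hits)))
        for sec, reason in hits:
            print("  [%s] %s" % (sec, reason))
```

The O4 rule is deliberately coarse: it does not know which files are Windows components, so a legitimate Windows ME service sitting in C:\WINDOWS\SYSTEM is flagged for review alongside an unknown one. That is the right default for a triage pass, since a reviewer then confirms each flagged file rather than trusting the log's file names.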
My apologies for not responding sooner, but a couple of hurricanes in Fla. had a far-reaching impact on my day job. To answer your question: Yes, it appears the problem is gone. I returned the PC to my friend and told her to get anti-virus software before she does anything else.
Thanks again.
new-oldie