hijacked

[yolagp]

Hi everybody, I'm visiting my parents in Miami for some days, and found their computer loaded with trash. It is a Pentium 2, 200 mhz., with a 2gb hdd running Windows 95, so I'm afraid to install too many anti-spyware programs for lack of space and resources. I installed Spybot and Hijackthis, and removed some things, but I'm not familiar with Hijackthis, so I'm posting the log hoping some of you wise people help me make a good cleaning job.

Logfile of HijackThis v1.97.7
Scan saved at 9:01:08 PM, on 2/22/04
Platform: Windows 95 B (Win9x 4.00.1111)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\RunDLL.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\CYBERMEDIA FIRST AID\FAWGRD32.EXE
C:\PROGRAM FILES\CYBERMEDIA FIRST AID\FA_GD32.EXE
C:\PROGRAM FILES\CYBERMEDIA FIRST AID\RTFIXM32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\tapiexe.exe
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {684c8900-8df1-11d7-bceb-baca9e72f375} - C:\WINDOWS\APPLICATION DATA\SSOADRYBLPGL.DLL
O2 - BHO: (no name) - {060DA6E3-FFA3-52DA-3DC4-7C57B7810BC6} - C:\windows\system\rngrwydy.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {69550BE2-9A78-11D2-BA91-00600827878D} - (no file)
O3 - Toolbar: hstiewyqhly - {684c8901-8df1-11d7-bceb-baca9e72f375} - C:\WINDOWS\APPLICATION DATA\SSOADRYBLPGL.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\SYSTEM\aupdate.exe
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: Windows Guardian.lnk = C:\Program Files\CyberMedia First Aid\FAWGRD32.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030...verContent.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/a...ll/xscan53.cab

[Paleo Pete]

I see several I question but can't find any information on any of them.

Definitely fix this one:
O13 - WWW. Prefix: http://

DON'T FIX THESE...until some of the other folks here have a look and confirm them, but I suspect these are also bad news. Can't find any info though, and Tony Klein's BHO List didn;t seem to list the ones I tried to look up either, at least not by ID Number.

O2 - BHO: (no name) - {684c8900-8df1-11d7-bceb-baca9e72f375} - C:\WINDOWS\APPLICATION DATA\SSOADRYBLPGL.DLL
O2 - BHO: (no name) - {060DA6E3-FFA3-52DA-3DC4-7C57B7810BC6} - C:\windows\system\rngrwydy.dll
O3 - Toolbar: (no name) - {69550BE2-9A78-11D2-BA91-00600827878D} - (no file)
O3 - Toolbar: hstiewyqhly - {684c8901-8df1-11d7-bceb-baca9e72f375} - C:\WINDOWS\APPLICATION DATA\SSOADRYBLPGL.DLL

It's probably safe to let HJT fix those, but wait for confirmation from others more competent with HJT logs than I Am.

[YODA74]

Pete's got it These look like LOP left overs to me dump them

O2 - BHO: (no name) - {684c8900-8df1-11d7-bceb-baca9e72f375} - C:\WINDOWS\APPLICATION DATA\SSOADRYBLPGL.DLL
O2 - BHO: (no name) - {060DA6E3-FFA3-52DA-3DC4-7C57B7810BC6} - C:\windows\system\rngrwydy.dll
O3 - Toolbar: (no name) - {69550BE2-9A78-11D2-BA91-00600827878D} - (no file)
O3 - Toolbar: hstiewyqhly - {684c8901-8df1-11d7-bceb-baca9e72f375} - C:\WINDOWS\APPLICATION DATA\SSOADRYBLPGL.DLL

Also

O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/0203...everContent.cab

[Budfred]

And this one definitely needs to be fixed:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\SYSTEM\aupdate.exe

Also, since you are noting that they have limited resources, you may want to fix these too. They are not malware, but they eat up resources and are not necessary:

O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Once you complete your fixes, please reboot, run HJT again, open your browser and post the new log here so we can make sure it is clean...

[yolagp]

Hi, thank you Paleo Pete, Yoda and Budfred for your help. I removed all the entries you told me, I also removed a program called Cybermedia First Aid, which belonged to the previous owner of the computer (my cousin) and my parents didn't like particularly. I hope I didn't miss anything. I rebooted, and this is the new log:


Logfile of HijackThis v1.97.7
Scan saved at 5:49:13 AM, on 2/23/04
Platform: Windows 95 B (Win9x 4.00.1111)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\RunDLL.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\tapiexe.exe
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/a...ll/xscan53.cab

[Budfred]

Your log looks clean. This is a good time to set up protection against further attacks. Read the article linked below about how you got infested in the first place. You need an antivirus that is updated, a good firewall and a spyware blocker like SpywareBlaster. All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

Also, be sure to update IE to IE 6 SP1 since earlier versions are vulnerable....

[yolagp]

I was out for a few days, so I didn't answer the post: Thank you Budfred, I will follow your advice. I hadn't installed Spywareblaster because I was afraid to put too much "stuff" in this computer, but I bet it will save it from getting worse "stuff" in. I will upgrade IE, and I already updated the antivirus (Avg). Thank you again.

[shanmuga]

Originally posted by yolagp

I hadn't installed Spywareblaster because I was afraid to put too much "stuff" in this computer

Spywareblaster is not 'a constant/always running in the background' program. It's sort of use and throw. Install it, update it, Press the "Protect Against Checked Items" button, Exit the program - you're done! til when updates are available (usually around 2 or 3 weeks), when you have to go through the cycle again. The protection will still be there, even if you uninstall the program.

It is very much essential if you use any version of IE.