Thread: hijacked

  1. #1
    Join Date
    May 2002
    Location
    Barcelona, Spain
    Posts
    197

    hijacked

    Hi everybody, I'm visiting my parents in Miami for some days, and found their computer loaded with trash. It is a Pentium 2, 200 MHz, with a 2 GB HDD running Windows 95, so I'm afraid to install too many anti-spyware programs for lack of space and resources. I installed Spybot and HijackThis, and removed some things, but I'm not familiar with HijackThis, so I'm posting the log hoping some of you wise people help me make a good cleaning job.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:01:08 PM, on 2/22/04
    Platform: Windows 95 B (Win9x 4.00.1111)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\LOADWC.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\RunDLL.EXE
    C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
    C:\PROGRAM FILES\CYBERMEDIA FIRST AID\FAWGRD32.EXE
    C:\PROGRAM FILES\CYBERMEDIA FIRST AID\FA_GD32.EXE
    C:\PROGRAM FILES\CYBERMEDIA FIRST AID\RTFIXM32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\tapiexe.exe
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {684c8900-8df1-11d7-bceb-baca9e72f375} - C:\WINDOWS\APPLICATION DATA\SSOADRYBLPGL.DLL
    O2 - BHO: (no name) - {060DA6E3-FFA3-52DA-3DC4-7C57B7810BC6} - C:\windows\system\rngrwydy.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: (no name) - {69550BE2-9A78-11D2-BA91-00600827878D} - (no file)
    O3 - Toolbar: hstiewyqhly - {684c8901-8df1-11d7-bceb-baca9e72f375} - C:\WINDOWS\APPLICATION DATA\SSOADRYBLPGL.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\SYSTEM\aupdate.exe
    O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Startup: Windows Guardian.lnk = C:\Program Files\CyberMedia First Aid\FAWGRD32.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O13 - WWW. Prefix: http://
    O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030...verContent.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/a...ll/xscan53.cab

  2. #2
    Join Date
    Sep 2000
    Location
    Third rock from the Sun
    Posts
    6,802
    Blog Entries
    1
    I see several I question but can't find any information on any of them.

    Definitely fix this one:
    O13 - WWW. Prefix: http://

    DON'T FIX THESE...until some of the other folks here have a look and confirm them, but I suspect these are also bad news. Can't find any info though, and Tony Klein's BHO List didn't seem to list the ones I tried to look up either, at least not by ID number.

    O2 - BHO: (no name) - {684c8900-8df1-11d7-bceb-baca9e72f375} - C:\WINDOWS\APPLICATION DATA\SSOADRYBLPGL.DLL
    O2 - BHO: (no name) - {060DA6E3-FFA3-52DA-3DC4-7C57B7810BC6} - C:\windows\system\rngrwydy.dll
    O3 - Toolbar: (no name) - {69550BE2-9A78-11D2-BA91-00600827878D} - (no file)
    O3 - Toolbar: hstiewyqhly - {684c8901-8df1-11d7-bceb-baca9e72f375} - C:\WINDOWS\APPLICATION DATA\SSOADRYBLPGL.DLL

    It's probably safe to let HJT fix those, but wait for confirmation from others more competent with HJT logs than I am.
    Why do I drive way out here to see the wildlife when all the animals live in town?

    Note: Please post your questions on the forums, not in my email. Otherwise I may sic my armed bear on you!

    My Photography

  3. #3
    Join Date
    Aug 2001
    Location
    Stanley NC
    Posts
    3,950
    Pete's got it. These look like LOP leftovers to me; dump them:

    O2 - BHO: (no name) - {684c8900-8df1-11d7-bceb-baca9e72f375} - C:\WINDOWS\APPLICATION DATA\SSOADRYBLPGL.DLL
    O2 - BHO: (no name) - {060DA6E3-FFA3-52DA-3DC4-7C57B7810BC6} - C:\windows\system\rngrwydy.dll
    O3 - Toolbar: (no name) - {69550BE2-9A78-11D2-BA91-00600827878D} - (no file)
    O3 - Toolbar: hstiewyqhly - {684c8901-8df1-11d7-bceb-baca9e72f375} - C:\WINDOWS\APPLICATION DATA\SSOADRYBLPGL.DLL

    Also

    O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/0203...everContent.cab
    Last edited by YODA74; 02-22-2004 at 10:11 AM.
    Want my weapons molon labe

  4. #4
    Join Date
    Jul 2002
    Location
    Minn
    Posts
    17,373
    And this one definitely needs to be fixed:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\SYSTEM\aupdate.exe

    Also, since you are noting that they have limited resources, you may want to fix these too. They are not malware, but they eat up resources and are not necessary:

    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    Once you complete your fixes, please reboot, run HJT again, open your browser and post the new log here so we can make sure it is clean...
    Budfred ..... Caveat Emptor....

    Helpful links SpywareBlaster... HijackThis... ATF Cleaner...

    Post a complaint about malware here!!
    So how did I get infected in the first place??

    MS MVP 2006 and ASAP member since 2004...

    If you PM me for help, expect an irritated response... Post in the forum...
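    As an added illustration (not code from the thread or from HijackThis), here is a small Python checker that applies the rules of thumb the replies above use when reading an HJT log: an O13 WWW prefix, an unnamed O2/O3 helper or toolbar that loads from outside Program Files or points at a missing file, and an O16 ActiveX download from a bare IP address. The sample log lines are constructed in the HJT v1.97 layout with placeholder hosts; the heuristics only flag entries for a closer look, they do not replace looking each CLSID up as the posters do.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.97 line layout (hosts are placeholders).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {684c8900-8df1-11d7-bceb-baca9e72f375} - C:\WINDOWS\APPLICATION DATA\SSOADRYBLPGL.DLL
O3 - Toolbar: (no name) - {69550BE2-9A78-11D2-BA91-00600827878D} - (no file)
O13 - WWW. Prefix: http://
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.example.com/cabs/swflash.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://203.0.113.7/central/ServerContent.cab
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# O2/O3 bodies: "<BHO|Toolbar>: <name> - {CLSID} - <path or (no file)>"
HELPER_RE = re.compile(r"^(?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# O16 bodies: "DPF: {CLSID} (<name>) - <url>"
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>.*?)\) - (?P<url>\S+)$")

def review(line):
    """Return (entry, reason) when an entry deserves a closer look, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "O13" and body.startswith("WWW. Prefix:"):
        return (line, "O13 prefix hijack: addresses typed without a scheme are rewritten")
    if kind in ("O2", "O3"):
        h = HELPER_RE.match(body)
        if h and h.group("path") == "(no file)":
            return (line, "orphaned registration: the file it points at is gone")
        if h and h.group("name") == "(no name)" and "PROGRAM FILES" not in h.group("path").upper():
            return (line, "unnamed browser helper loaded from outside Program Files")
    if kind == "O16":
        d = DPF_RE.match(body)
        if d:
            host = urlparse(d.group("url")).hostname or ""
            try:
                ip_address(host)   # raises ValueError for a normal host name
                return (line, "ActiveX control fetched from a bare IP address")
            except ValueError:
                pass
    return None

def review_log(text):
    """Run review() over every line of an HJT log and keep the hits, in log order."""
    return [hit for hit in (review(ln) for ln in text.splitlines()) if hit]
```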

  5. #5
    Join Date
    May 2002
    Location
    Barcelona, Spain
    Posts
    197
    Hi, thank you Paleo Pete, Yoda and Budfred for your help. I removed all the entries you told me, I also removed a program called Cybermedia First Aid, which belonged to the previous owner of the computer (my cousin) and my parents didn't like particularly. I hope I didn't miss anything. I rebooted, and this is the new log:
    Logfile of HijackThis v1.97.7
    Scan saved at 5:49:13 AM, on 2/23/04
    Platform: Windows 95 B (Win9x 4.00.1111)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\LOADWC.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\RunDLL.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\tapiexe.exe
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/a...ll/xscan53.cab

  6. #6
    Join Date
    Jul 2002
    Location
    Minn
    Posts
    17,373
    Your log looks clean. This is a good time to set up protection against further attacks. Read the article linked below about how you got infested in the first place. You need an antivirus that is updated, a good firewall and a spyware blocker like SpywareBlaster. All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

    Also, be sure to update IE to IE 6 SP1 since earlier versions are vulnerable....

  7. #7
    Join Date
    May 2002
    Location
    Barcelona, Spain
    Posts
    197
    I was out for a few days, so I didn't answer the post: Thank you Budfred, I will follow your advice. I hadn't installed Spywareblaster because I was afraid to put too much "stuff" in this computer, but I bet it will save it from getting worse "stuff" in. I will upgrade IE, and I already updated the antivirus (Avg). Thank you again.

  8. #8
    Join Date
    Nov 2001
    Location
    ^~^In my mind^~^
    Posts
    992
    Originally posted by yolagp
    I hadn't installed Spywareblaster because I was afraid to put too much "stuff" in this computer
    SpywareBlaster is not a 'constantly/always running in the background' program. It's sort of use and throw. Install it, update it, press the "Protect Against Checked Items" button, exit the program - you're done! 'til when updates are available (usually around 2 or 3 weeks), when you have to go through the cycle again. The protection will still be there, even if you uninstall the program.

    It is very much essential if you use any version of IE.
    ......_=_
    ....q(-_-)p
    .....'_) (_`
    ../__/ \ __\
    .._ (<_ / )_..
    (__\_\_|_/__)
    "Our life is shaped by our mind; we become what we think. One who conquers himself is greater than another who conquers a thousand times a thousand on the battlefield". Buddha, Siddhartha Gautama
