Hijacked and need help

Discussion in 'adware, spyware & hijack cleaning' started by Grubb, Jun 22, 2004.

Thread Status:
Not open for further replies.
  1. Grubb

    Grubb Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1
    Hi there,

    Like most other people posting here I need help with my computer. I believe I've been hijacked. My homepage keeps changing to the following site.

    res://awrcc.dll/index.html#96676

    and I'm getting these pop-ups constantly showing on my computer, yet they aren't detected by my pop-up killer.

    Any assistance is appreciated.

    Below is my log from.

    Thanx in advance.

    g.

    ---

    Logfile of HijackThis v1.97.7
    Scan saved at 7:32:36 AM, on 6/22/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\logonui.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NavNT\defwatch.exe
    C:\WINDOWS\LogWatNT.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\crjy.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\PROGRA~1\IMMERS~1\TOUCHS~1\Clients\Desktop\IDesktop.exe
    C:\Program Files\PopUp Killer\PopUpKiller.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\ntem.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Immersion Corporation\TouchSense\Server\TouchSense.exe
    C:\Program Files\Brownie\brstswnd.exe
    C:\Program Files\Brownie\Brcdcmon.exe
    C:\PROGRA~1\COMMON~1\Logitech\WebColct\WebColct.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Documents and Settings\Alex\My Documents\Downloads\popup killer\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.ca/0SEENCA/SAOS01
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\awrcc.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://awrcc.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://awrcc.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\awrcc.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://awrcc.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\awrcc.dll/sp.html#96676
    O2 - BHO: (no name) - {DF668E96-27EB-767C-CDC7-40ADB11675F2} - C:\WINDOWS\system32\ieiz.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1721.0\en-ca\msntb.dll
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [IDesktop.2.5] C:\PROGRA~1\IMMERS~1\TOUCHS~1\Clients\Desktop\IDesktop.exe 1
    O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [ntem.exe] C:\WINDOWS\ntem.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKLM\..\RunOnce: [crjy.exe] C:\WINDOWS\system32\crjy.exe
    O4 - HKLM\..\RunOnce: [appju.exe] C:\WINDOWS\system32\appju.exe
    O4 - HKLM\..\RunOnce: [crtb32.exe] C:\WINDOWS\system32\crtb32.exe
    O4 - HKLM\..\RunOnce: [msqv32.exe] C:\WINDOWS\msqv32.exe
    O4 - HKLM\..\RunOnce: [crkb32.exe] C:\WINDOWS\crkb32.exe
    O4 - HKLM\..\RunOnce: [ntqs32.exe] C:\WINDOWS\system32\ntqs32.exe
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: Flash2X Flash Hunter (HKCU)
    O9 - Extra 'Tools' menuitem: &Launch Flash Hunter (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
    O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1082818363279
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/171e2e0325a57dcf1c21/netzip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37383.9197106482
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Grubb,

    Click Start > Run > Services.msc > OK
    In the services window find Network Security Service.
    Right-click and stop it. Set the Startup type to Disabled under Properties > General tab

    Then open TaskManager and stop these two processes:
    C:\WINDOWS\system32\crjy.exe
    C:\WINDOWS\ntem.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\awrcc.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://awrcc.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://awrcc.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\awrcc.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://awrcc.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\awrcc.dll/sp.html#96676
    O2 - BHO: (no name) - {DF668E96-27EB-767C-CDC7-40ADB11675F2} - C:\WINDOWS\system32\ieiz.dll

    O4 - HKLM\..\Run: [ntem.exe] C:\WINDOWS\ntem.exe

    O4 - HKLM\..\RunOnce: [crjy.exe] C:\WINDOWS\system32\crjy.exe
    O4 - HKLM\..\RunOnce: [appju.exe] C:\WINDOWS\system32\appju.exe
    O4 - HKLM\..\RunOnce: [crtb32.exe] C:\WINDOWS\system32\crtb32.exe
    O4 - HKLM\..\RunOnce: [msqv32.exe] C:\WINDOWS\msqv32.exe
    O4 - HKLM\..\RunOnce: [crkb32.exe] C:\WINDOWS\crkb32.exe
    O4 - HKLM\..\RunOnce: [ntqs32.exe] C:\WINDOWS\system32\ntqs32.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/171e2e0325a57dcf1c21/netzip/RdxIE601.cab

    Then reboot into safe mode and delete:
    C:\WINDOWS\system32\crjy.exe
    C:\WINDOWS\ntem.exe
    C:\WINDOWS\system32\ieiz.dat
    C:\WINDOWS\awrcc.dll

    Check this post for additional instructions:
    https://www.wilderssecurity.com/showpost.php?p=198412&postcount=26

    Regards,

    Pieter
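As an added illustration, not part of the thread or of HijackThis itself, the script below applies the kinds of indicators the fix list above relies on to log lines copied from the log posted earlier in this thread. The `res://` protocol serves HTML straight out of a DLL's resource section, so a start page of `res://awrcc.dll/...` means the hijacker ships its own homepage inside that DLL; a BHO with no name, RunOnce entries pointing at unfamiliar executables under the Windows directory, an autostart named after a bare `.exe` dropped directly into `C:\WINDOWS` or `System32`, and an ActiveX download served from a raw IP address are the other patterns the reply singles out. The heuristics, the function names (`classify`, `triage`, `flagged_lines`) and the path regex are my own assumptions about what makes those lines stand out, not rules from HijackThis.

```python
import re
from urllib.parse import urlparse

# Log lines copied from the HijackThis log posted in this thread (a mix of
# the entries the reply asks to fix and ordinary entries left alone).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.ca/0SEENCA/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://awrcc.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\awrcc.dll/sp.html#96676
O2 - BHO: (no name) - {DF668E96-27EB-767C-CDC7-40ADB11675F2} - C:\WINDOWS\system32\ieiz.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1721.0\en-ca\msntb.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ntem.exe] C:\WINDOWS\ntem.exe
O4 - HKLM\..\RunOnce: [crjy.exe] C:\WINDOWS\system32\crjy.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/171e2e0325a57dcf1c21/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Assumed heuristic: an executable sitting directly in C:\WINDOWS or System32
# (no deeper subfolder) is unusual for third-party software.
WINDIR_EXE_RE = re.compile(r"^c:\\windows\\(system32\\)?[^\\]+\.exe$", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# O4 registry autostarts look like:  O4 - HKLM\..\Run: [EntryName] command
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def classify(line):
    """Return a reason string if the line trips one of the indicators, else None."""
    line = line.strip()
    if line[:2] in ("R0", "R1"):
        # R0/R1 are IE start/search page values: "key,value = data"
        _, _, value = line.partition(" = ")
        if value.lower().startswith("res://"):
            return "IE start/search page redirected into a local DLL resource"
        return None
    if line.startswith("O2 - BHO: "):
        bho_name = line[len("O2 - BHO: "):].split(" - ", 1)[0]
        if bho_name == "(no name)":
            return "Browser Helper Object registered without a name"
        return None
    m = O4_RE.match(line)
    if m:
        key, name, cmd = m.group("key"), m.group("name"), m.group("cmd")
        exe = cmd.strip('"')
        base = exe.rsplit("\\", 1)[-1]
        if "RunOnce" in key:
            return "RunOnce autostart (normally consumed after one boot) pointing at " + base
        if WINDIR_EXE_RE.match(exe) and name.lower() == base.lower():
            return "autostart named after a bare executable dropped in the Windows directory"
        return None
    if line.startswith("O16 - DPF: "):
        url = line.rsplit(" - ", 1)[-1]
        host = urlparse(url).hostname or ""
        if IPV4_RE.match(host):
            return "ActiveX download served from a raw IP address"
        return None
    return None


def triage(log_text):
    """Return (line, reason) pairs for every log line that trips an indicator."""
    hits = []
    for line in log_text.strip().splitlines():
        reason = classify(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


def flagged_lines(log_text):
    """Just the log lines a helper would paste back into a 'fix checked' list."""
    return [line for line, _ in triage(log_text)]


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}:\n    {line}")
```

Run against the sample, the script flags exactly the six lines the reply asks to fix and leaves NeroCheck, vptray, the MSN toolbar, the Office shortcut and the Macromedia download untouched. The name-equals-filename rule is what separates `[ntem.exe] C:\WINDOWS\ntem.exe` from `[NeroCheck] C:\WINDOWS\system32\NeroCheck.exe`; it is a triage aid for deciding what to research, not proof that a file is malicious.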
     