Hijacked by something called K2qy.exe??

Discussion in 'adware, spyware & hijack cleaning' started by campco, Feb 22, 2004.

Thread Status:
Not open for further replies.
  1. campco

    campco Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    21
    Well I'm certain my machine has been "hijacked" since it's slower than snail's bait. Other unusual attributes are that I'm locked out of functions of Explore and Find/Search. On every boot-up I get popups that come up on their own without ever clicking anything (i.e. popupper.com; about:blank; and a very interesting advertisement that warns that I may have adware and/or spyware on my machine and to please click here for more info, which I will not do of course). Another interesting item is that upon closing I get a warning message that a file is still operating and has not ended yet (using Win2000Pro) and it's called "K2qy.exe". I have no idea what that exe file is but I would bet it has something to do with whatever I've picked up.

    I have run Ad-aware and Spybot both, and ran them in Safe Mode as well as within the regular Windows mode (in Win2K), and they find nothing. Below are the contents of the HijackThis log I just ran. Will someone please help me out of this mess? My machine is totally messed up.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:49:36 AM, on 02/22/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\System32\WFXSVC.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\mobsync.exe
    C:\WINNT\TWAIN_32\D66U\D066UUTY.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\WINNT\system32\wfxsnt40.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\WINNT\k2qy.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\aaa\Security\HiJackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.verizon.net/vzn.isp/welcome.htm?ver=12048&
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.verizon.net/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Lexico Toolbar - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINNT\Downloaded Program Files\CONFLICT.1\lexbar.dll
    O2 - BHO: (no name) - {F92145AD-05E4-4A32-AEEE-7A7575A42B63} - C:\WINNT\nc6y8orY.dll
    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINNT\Downloaded Program Files\CONFLICT.1\lexbar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [D066UUtility] C:\WINNT\TWAIN_32\D66U\D066UUTY.EXE
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [QBCD Autorun] E:\autorun.exe restart TIMER_SEQUENCE first
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [h07NgQ] C:\WINNT\k2qy.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
    O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
    O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/vet_install_popup.pl?1&04.00.07.02&http://www2.mazdausa.com/MusaWeb/rx8/tour/noplugin.html
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/ddm_control.CAB
    O16 - DPF: {26FD5192-A97C-4B48-A5D7-2420CFDCFDF2} - http://www.tnc4u.com/MCInst.cab
    O16 - DPF: {65B818E1-F4D8-4F96-A1DF-35F3D1C86194} (limmyloding.limmyform) - http://bins.roings.com/crack.cab
    O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/partners/aolim/install.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37704.3828935185
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
    O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi campco,

    O2 - BHO: Lexico Toolbar - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINNT\Downloaded Program Files\CONFLICT.1\lexbar.dll
    O2 - BHO: (no name) - {F92145AD-05E4-4A32-AEEE-7A7575A42B63} - C:\WINNT\nc6y8orY.dll
    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINNT\Downloaded Program Files\CONFLICT.1\lexbar.dll

    O4 - HKLM\..\Run: [QBCD Autorun] E:\autorun.exe restart TIMER_SEQUENCE first

    O4 - HKLM\..\Run: [h07NgQ] C:\WINNT\k2qy.exe

    O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/ddm_control.CAB
    O16 - DPF: {26FD5192-A97C-4B48-A5D7-2420CFDCFDF2} - http://www.tnc4u.com/MCInst.cab
    O16 - DPF: {65B818E1-F4D8-4F96-A1DF-35F3D1C86194} (limmyloding.limmyform) - http://bins.roings.com/crack.cab
    O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/partners/aolim/install.cab

    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab

    Then reboot and delete:
    C:\WINNT\nc6y8orY.dll
    C:\WINNT\k2qy.exe

    You may want to reinstall the Lexicon Toolbar since it seems it didn't quite work out as it should the first time (CONFLICT.1).

    Regards,

    Pieter
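As an added illustration (not code from this thread, from HijackThis, or from the people posting here): a small Python triage script that parses lines in the HijackThis log format and flags the kinds of entries picked out in the reply above. The sample entries are copied from the log in this thread; the trusted-host list and the "loaded straight from the Windows directory" heuristic are my own assumptions, not HijackThis rules.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a few entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {F92145AD-05E4-4A32-AEEE-7A7575A42B63} - C:\WINNT\nc6y8orY.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [h07NgQ] C:\WINNT\k2qy.exe
O16 - DPF: {65B818E1-F4D8-4F96-A1DF-35F3D1C86194} (limmyloding.limmyform) - http://bins.roings.com/crack.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
"""

# Assumption: hosts the reviewer has vetted; any other O16 download host is flagged.
TRUSTED_DPF_HOSTS = {"www.microsoft.com", "download.microsoft.com", "download.macromedia.com"}

# Heuristic (my assumption, not a HijackThis rule): a module sitting directly in the
# Windows directory instead of in System32 or under Program Files.
WINDIR_ROOT = re.compile(r"^[A-Z]:\\WIN(NT|DOWS)\\[^\\]+$", re.IGNORECASE)

def parse_entry(line):
    """Split 'Oxx - detail' into (section, detail); return None for non-entry lines."""
    m = re.match(r"^(R\d|O\d+) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None

def suspicious(line):
    """Return a reason string if the entry deserves a second look, else None."""
    parsed = parse_entry(line)
    if not parsed:
        return None
    section, detail = parsed
    path = detail.rsplit(" - ", 1)[-1].strip()   # last field is the file or URL
    if section == "O3" and path == "(no file)":
        return "toolbar CLSID points at a file that no longer exists"
    if section in ("O2", "O3") and WINDIR_ROOT.match(path):
        return "browser helper loaded from the Windows directory root"
    if section == "O4":
        m = re.search(r"\[([^\]]+)\] (.+)$", detail)
        if m and WINDIR_ROOT.match(m.group(2).strip('"')):
            return f"Run key '{m.group(1)}' starts an executable from the Windows directory root"
    if section == "O16":
        host = urlparse(path).hostname or ""
        if host not in TRUSTED_DPF_HOSTS:
            return f"ActiveX download from unvetted host {host}"
    return None

def triage(log_text):
    """Return [(entry, reason)] for every log line that trips a heuristic."""
    return [(l.strip(), suspicious(l)) for l in log_text.splitlines() if suspicious(l)]
```

Running triage(SAMPLE_LOG) flags the nc6y8orY.dll BHO, the orphaned toolbar, the h07NgQ Run key and the roings.com download, and leaves the Adobe, NeroCheck and Microsoft entries alone.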
     
  3. campco

    campco Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    21
    Ok Pieter, thanks for the reply, but I'm afraid you're assuming I know what your reply means. I'm not familiar enough with "HijackThis" yet, so does your previous reply mean for me to delete those respective lines you put in your reply? o_O If there are any other steps necessary other than the last ones given at the bottom of your reply, please let me know. Also, what is a "Lexicon Toolbar"? Same reason. o_O I'm curious also, is this particular type of hijack a recent one or has it been around before?
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi campco,

    When you run the Scan in HijackThis you will see the entries from the log.
    Put a checkmark in front of the ones I listed and, after closing all other windows, click Fix checked.

    The toolbar I found in your log is this one: http://dictionary.reference.com/tools/toolbar/
    but the install didn't go very well, from the looks of your log.

    Regards,

    Pieter
     
  5. campco

    campco Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    21
    I'm not familiar with any dictionary software being loaded at all. Should I delete that as well? Did the dictionary line refer to the "Lexicon Toolbar"? Also, I was looking at another message thread within this specific forum ("Hijacked This", I believe, from Kurt) who mentioned that his troubles started right after getting a recent upgrade to Zone Alarm. My troubles started right after that as well, having obtained a recent upgrade in the last 3-4 days, if that's of any help in spreading the word.
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    I can't imagine this being spread through a ZA update. I would have to ask if there was a legitimate one.

    But I can imagine this sneaking in if you stayed online while installing that upgrade, assuming that you would have to disable the firewall in order to install the upgrade.

    Regards,

    Pieter
     
  7. campco

    campco Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    21
    It just seemed too coincidental that it all started after obtaining the latest upgrade from ZA. And then there was the constant pop-up that kept trying to warn of adware & spyware and to click yes to search for it and the ad was clearly trying to indicate that it was from ZA when they never have such popups.

    In any event, I've completed all the tasks you've laid out for me and it appears that my machine has been cleared of the hijack that had started it all. Speed is back up and I can regain access to sections I was locked out of before. Would you mind checking the last HijackThis log below, which I ran after completing all the tasks and a final reboot? You have been great. I really appreciate the help you have given me here, Pieter. Thanks again to you and all the other Wilders.Org folks who help us.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:09:18 PM, on 02/22/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\System32\WFXSVC.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\TWAIN_32\D66U\D066UUTY.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\WINNT\system32\wfxsnt40.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\aaa\Security\HiJackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.verizon.net/vzn.isp/welcome.htm?ver=12048&
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.verizon.net/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [D066UUtility] C:\WINNT\TWAIN_32\D66U\D066UUTY.EXE
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/vet_install_popup.pl?1&04.00.07.02&http://www2.mazdausa.com/MusaWeb/rx8/tour/noplugin.html
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37704.3828935185
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
    O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Nice clean up. :)

    Glad we could help,

    Pieter
     
  9. campco

    campco Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    21
    To say I couldn't have done it without you is such an understatement but there it is, thanks.

    George ;)
     