Hullo everyone!
I'm hoping someone out there can give me some advice about nasties.
A few weeks ago I began to suspect my computer had been hijacked. None of the symptoms mentioned in this forum occurred, eg pop-ups, but I could not close down Windows (98) and when I tried to go into my control panel to investigate, I discovered that I cannot access anything in the control panel.
Following advice on these threads, I've used Spy-bot, Adaware, and installed EZ armour (previously used zone alarm). I've also uninstalled Kazaa-Lite. I've downloaded Hijack This and gone through the tutorial - nothing seems suspicious (though I cannot copy and paste log).
Can a virus change my settings like this? If this is possible, and I've removed the virus, can I change settings back without doing a complete reboot?

Any help would be very much appreciated!

Last Post by dlh6213
Hullo again!

I've figured out how to paste the log (I hope!) after reading the bleeping computer tutorial. Here it is...

Logfile of HijackThis v1.99.1
Scan saved at 14:49:26, on 18/05/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.00 (5.00.2014.0200)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\ZIPCD\DIRECTCD.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE
C:\HIJACK THIS\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.net:8080;ftp=http://www-cache.freeserve.net:8080;gopher=http://www-cache.freeserve.net:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ZIPCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Vet Alert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETTRAY.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O4 - HKLM\..\Run: [Runtt1] C:\WINDOWS\SYSTEM\Internat.exe
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O4 - Startup: PowerReg SchedulerV2.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.net/
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} (MyLinker Control) - http://hani.contents.mylinker.co.kr/module/MyLinker.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab

PS the 'hani' entry near the end enables my girlfriend to use korean text. Reckon I can blame her for this mess? :D

First of all you should go to Windows Update and get all the Critical Updates for your system.

Then, get about:Buster from here:
http://www.majorgeeks.com/download4289.html

Unzip it to your desktop, run it, and:

Click Update, and then Check For Update, and Download Update; wait for the updates to be installed.

After the updates have been installed, click Start
(Wait for the initial ADS scan to complete.)

Click Yes to shutdown any IE session currently open when asked
(Wait for the about:blank scan to complete.)

Click OK to scan once more when prompted

Click Yes to shutdown any IE sessions currently open, and then Yes to begin the second pass

Click Save log

Click Exit, and then Exit again

Reboot

Scan with hijackthis and have it fix the following entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.net:8080;ftp=http://www-cache.freeserve.net:8080;gopher=http://www-cache.freeserve.net:8080
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.net/

Be sure to close all windows, other than hijackthis, before hitting Fix checked.

Reboot, close any open browser windows, scan with hijackthis, and post a new hijackthis log and the about:Buster log.

Can you tell us where Dropper/Yinwin.49577 is located on your computer?
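The entries the reply above tells the poster to fix all share a pattern: Internet Explorer search and start settings forced to about:blank, an IERESET.INF block that would reinstate them after "Reset Web Settings", and a proxy setting the user should verify. The following added example (not from this thread or from HijackThis itself) applies those same checks to a HijackThis log; the sample log is constructed, modelled on the one posted above.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the log posted in this thread; not an actual scan.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.co.uk
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Search_URL = about:blank
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = about:blank
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=http://www-cache.freeserve.net:8080
O4 - HKLM\\..\\Run: [VetTray] C:\\PROGRA~1\\CA\\ETRUST~1\\ETRUST~1\\VETTRAY.EXE
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} (MyLinker Control) - http://hani.contents.mylinker.co.kr/module/MyLinker.cab
"""

# R0/R1 lines have the shape "<registry key>,<value name> = <value>".
R_LINE = re.compile(r"^(R[01]) - (.+?),([^=]+?) = (.*)$")


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for entries the reply above says to fix or verify."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            value_name, value = m.group(3).strip(), m.group(4).strip()
            if value.lower() == "about:blank":
                # Search/start settings forced to about:blank: the about:blank hijack.
                findings.append(("about:blank hijack", line))
            elif value_name == "ProxyServer":
                # A proxy the user did not set can silently redirect all browsing.
                findings.append(("proxy setting to verify", line))
        elif line.startswith("O14 - IERESET.INF:"):
            # Altered reset defaults bring the hijack back after "Reset Web Settings".
            findings.append(("IE reset defaults changed", line))
        elif line.startswith("O16 - DPF:"):
            # Downloaded ActiveX controls: confirm each one was installed on purpose.
            findings.append(("downloaded ActiveX control to confirm", line))
    return findings


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"[{reason}] {entry}")
```

The O4 entries for known security software pass through untouched; only the hijacked R0/R1 values, the O14 reset block, and the proxy and ActiveX entries are listed for review.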

Thank you very much!

I will get busy on this....

In the meantime, rundll32.exe is in C:\WINDOWS , and hzdll.dll and hoo.dll are both in C:\WINDOWS\SYSTEM.

1. C:\Windows\rundll32.exe and C:\Windows\System\Internat.exe are real Windows files. The virus may have overwritten or altered them, which means that you may have to install fresh copies of the originals to replace the infected versions of the files. We should determine that before going any further.

Please do the following:

- Open Windows Explorer and locate rundll32.exe.
- Right click on the file and click Properties.
- In the Properties window, note the file's exact size, its version, and its creation date. Post that information here.

On my Win98 (SE) machine I show the following information for the "real" rundll32.exe:

size: 24,576 Bytes
version: 4.10.0.1998
created: Fri. 4/23/99 10:22 PM

- Repeat for Internat.exe. This is the info I have for that file:

size: 28,672 Bytes
version: 4.10.0.2222
created: no date listed

In addition to what DMR has suggested, try to delete hzdll.dll and hoo.dll (you may need to boot into Safe Mode)

Also, do a search for internet.exe and, if found, give us the same info as requested for internat.exe and rundll32.exe.

One more thing you may want to try... do a search by size for any files that are 49577 bytes, and give us the results (unless there's a looong list) -- actually looking for rundll32 and/or internet.exe files this size, but it's possible there could be a new name.
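Both checks suggested above (comparing rundll32.exe and Internat.exe against DMR's reference sizes, and searching the system for any file of exactly 49577 bytes) can be scripted. This is an added example, not code from this thread; it uses the sizes DMR posted as the reference values, builds a constructed directory tree standing in for C:\WINDOWS, and reports size mismatches. File version and creation date still have to be read from the Properties dialog by hand.

```python
import tempfile
from pathlib import Path
from typing import Dict, List

# Reference sizes DMR posted from a clean Win98 SE machine, in bytes.
REFERENCE_SIZES = {"rundll32.exe": 24576, "internat.exe": 28672}


def check_known_files(root: Path, reference: Dict[str, int] = REFERENCE_SIZES) -> Dict[str, str]:
    """Compare every copy of a reference file found under root against its expected size."""
    results = {}
    for path in root.rglob("*"):
        name = path.name.lower()
        if path.is_file() and name in reference:
            actual = path.stat().st_size
            expected = reference[name]
            results[str(path)] = "ok" if actual == expected else f"size mismatch: {actual} bytes"
    return results


def find_files_by_size(root: Path, size: int) -> List[Path]:
    """List every file under root whose size is exactly `size` bytes (the 49577-byte search)."""
    return [p for p in root.rglob("*") if p.is_file() and p.stat().st_size == size]


def demo_tree(base: Path) -> Path:
    """Constructed stand-in for C:\\WINDOWS; the files are zero-filled, not real binaries."""
    win = base / "WINDOWS"
    (win / "SYSTEM").mkdir(parents=True)
    (win / "rundll32.exe").write_bytes(b"\0" * 49577)             # altered: wrong size
    (win / "SYSTEM" / "Internat.exe").write_bytes(b"\0" * 28672)  # matches reference
    (win / "SYSTEM" / "hoo.dll").write_bytes(b"\0" * 49577)       # same size as the dropper
    return win


def run_demo() -> Dict[str, object]:
    """Run both checks over the constructed tree and return the findings by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        win = demo_tree(Path(tmp))
        known = {Path(k).name: v for k, v in check_known_files(win).items()}
        same_size = sorted(p.name for p in find_files_by_size(win, 49577))
    return {"known": known, "same_size": same_size}


if __name__ == "__main__":
    print(run_demo())
```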

In addition to what DMR has suggested, try to delete hzdll.dll and hoo.dll (you may need to boot into Safe Mode)

Oops- I forgot that part...

If you can't delete the dlls even in safe mode, try unregistering them before attempting deletion:

Open a DOS window, type the following two commands at the prompt, hitting enter after each:

regsvr32 /u C:\WINDOWS\SYSTEM\hzdll.dll
regsvr32 /u C:\WINDOWS\SYSTEM\hoo.dll

Thank you so much for all your help - the problem has ....... I won't say been resolved...... but will in the near future have a happy ending!

I started going through your list of things to do, dhl, got the updates from windows, downloaded them, and started installing them. Then, Windows crashed and I got a message saying I'd have to use my reboot cds to get it going again! So my computer is well and truly £$%^ed, I don't even seem to have an ip address at the minute! (Typing this in the library!)

But all's well that ends well, I've come to terms with it and decided it was a piece of crap anyway and I'm going to go out and get myself a proper new pc!

Thanks again for all your help, it's re-affirmed my faith in human nature!

ginger

ps and make sure it has state of the art anti-virus and fire wall etc!
