
My computer has been Hijacked

Discussion in 'Virus & Other Malware Removal' started by Dodd, Jan 24, 2005.

Thread Status:
Not open for further replies.
  1. Dodd

    Dodd Thread Starter

    Joined:
    Jan 21, 2005
    Messages:
    2
    I have attracted a virus that takes over the background of my desktop and I can't change it. This is what it says:

    ALL YOU DO WITH COMPUTER IS STORED FOREVER IN YOUR HARD DISK. WHEN YOU VISIT SITES, SEND EMAILS... ALL YOUR ACTIONS ARE LOGGED. AND IT IS IMPOSSIBLE TO REMOVE THEM WITH STANDARD TOOLS. YOUR DATA IS STILL AVAILABLE FOR FORENSICS. AND IN SOME CASES FOR YOUR BOSS, YOUR FRIENDS, YOUR WIFE, YOUR CHILDREN.

    Every site you or somebody or even something, like spyware, opened in your browser, with all images, and all downloaded and maybe later removed movies or mp3 songs - ARE STILL THERE and could broke your life!


    SECURE YOURSELF RIGHT NOW!

    At the end of the message, it says click here for removal instructions, which then takes me to a web site. The web site is:

    http://213.159.117.130/?affid=NAT-1

    I have run the spykiller and here is what comes up:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\WINDOWS\System32\mshelp32.exe
    C:\WINDOWS\githolbu.exe
    C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    C:\WINDOWS\System32\vmss\vmss.exe
    C:\windows\system32\zgaccp.exe
    C:\windows\system32\packager.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
    C:\Documents and Settings\Administrator\Application Data\osoa.exe
    C:\WINDOWS\System32\d?xplore.exe
    C:\WINDOWS\System32\ctlstmib.exe
    C:\WINDOWS\SYSfit.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
    C:\PVSW\Bin\W3DBSMGR.EXE
    C:\WINDOWS\System32\regsvr32.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://government.dellnet.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
    O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {768A885C-BC07-4F9C-93F5-D8080B211696} - C:\WINDOWS\System32\paebbaa.dll (file missing)
    O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
    O2 - BHO: (no name) - {A708A39C-8DA7-4e36-B3B0-0A1FFAFD4B6D} - C:\WINDOWS\system32\javafix3.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\Run: [mshelp32] C:\WINDOWS\System32\mshelp32.exe
    O4 - HKLM\..\Run: [QkWbN] C:\WINDOWS\githolbu.exe
    O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
    O4 - HKLM\..\Run: [zgaccp] c:\windows\system32\zgaccp.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [msjava critical update] c:\windows\jjfixer.exe
    O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Administrator\Application Data\osoa.exe
    O4 - HKCU\..\Run: [Tfkd] C:\WINDOWS\System32\d?xplore.exe
    O4 - HKCU\..\Run: [dox9RWZmV] ctlstmib.exe
    O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
    O4 - HKCU\..\Run: [SYSfit] C:\WINDOWS\SYSfit.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\W3DBSMGR.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted IP range: 67.19.185.246
    O15 - Trusted IP range: 67.19.185.246 (HKLM)
    O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://coahdc/officescan/ClientInstall/WinNTChk.cab
    O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://coahdc/officescan/clientinstall/setupini.cab
    O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://coahdc/officescan/clientinstall/setup.cab
    O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://coahdc/officescan/clientinstall/RemoveCtrl.cab
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://67.19.185.246/i/1/loader2.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = COAH.local
    O17 - HKLM\Software\..\Telephony: DomainName = COAH.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = COAH.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = COAH.local
    O23 - Service: ASF Agent - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
    O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: OfficeScanNT Listener - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

    Please help!!!!
     
  2. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described.


    CWshredder from http://www.subratam.org/?page=removal
    Spybot - Search & Destroy from http://security.kolla.de
    Download Adaware SE http://www.lavasoftusa.com/support/download/


    then
    Run CWSHREDDER,

    Close all browser windows, click on the cwshredder.exe, then click "FIX" (not "Scan only") and let it do its thing,
    and make sure you have all of Microsoft security updates

    then reboot &

    Run Spybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &


    Run ADAWARE

    Install the program and launch it.

    First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

    From main window :Click Start then under Select a scan Mode tick Perform full system scan.

    Next deselect Search for negligible risk entries.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)


    Restart your computer.
    then post a new hijackthis log
     
  3. Dodd

    Dodd Thread Starter

    Joined:
    Jan 21, 2005
    Messages:
    2
    I have done all those things with no luck. There is a common file that I can't get rid of. Every time I go to delete it I am told I have to shut down a currently running program, and the problem is there are no programs running, so I am assuming this may be the problem. The file name is:

    C:\Program Files\ISTsvc

    Does this look familiar and how can I get rid of it?
     
  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Are you scanning with Trend, as one of the fixes we will do is virus related, and are the definitions current?

    Istsvc http://securityresponse.symantec.com/avcenter/FxIstbar.exe

    From Symantec
    Note:
    · The date and time displayed will be adjusted to your time zone, if your computer is not set to the Pacific time zone.
    · The removal tool may terminate Internet Explorer and Windows Explorer. It is recommended that users save their work and log out of these programs before running the removal tool.
    · The removal tool will reset the Internet start page to a blank page. The start page can be modified by clicking on Tools > Internet Options in Internet Explorer.
    · The removal tool will not delete some harmless Temporary Internet files, which Adware.Istbar created, in C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files.
    These can be manually deleted using the following steps:
    a. Start Internet Explorer.
    b. Click Tools > Internet Options.
    c. In the Temporary Internet Files section, then click the Delete Files button.
    d. Check Delete all offline content, and then click OK.

    CWShredder http://www.intermute.com/spysubtract/cwshredder_download.html
    Close all browser windows, open cwshredder.exe, then click "Fix" and let it run.


    Then download http://www.mvps.org/winhelp2002/DelDomains.inf

    Right click the DelDomains.inf file and click Install, making sure Internet Explorer is closed. You won't see anything happen.

    Then print this out and boot to safe mode

    Fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

    R3 - Default URLSearchHook is missing
    O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll

    O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll

    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)

    O2 - BHO: (no name) - {768A885C-BC07-4F9C-93F5-D8080B211696} - C:\WINDOWS\System32\paebbaa.dll (file missing)

    O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL

    O2 - BHO: (no name) - {A708A39C-8DA7-4e36-B3B0-0A1FFAFD4B6D} - C:\WINDOWS\system32\javafix3.dll

    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile

    O4 - HKLM\..\Run: [mshelp32] C:\WINDOWS\System32\mshelp32.exe

    O4 - HKLM\..\Run: [QkWbN] C:\WINDOWS\githolbu.exe

    O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe

    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe

    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe

    O4 - HKLM\..\Run: [zgaccp] c:\windows\system32\zgaccp.exe

    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\

    O4 - HKCU\..\Run: [msjava critical update] c:\windows\jjfixer.exe

    O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Administrator\Application Data\osoa.exe

    O4 - HKCU\..\Run: [Tfkd] C:\WINDOWS\System32\d?xplore.exe

    O4 - HKCU\..\Run: [dox9RWZmV] ctlstmib.exe

    O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe

    O4 - HKCU\..\Run: [SYSfit] C:\WINDOWS\SYSfit.exe

    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted IP range: 67.19.185.246
    O15 - Trusted IP range: 67.19.185.246 (HKLM)

    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://67.19.185.246/i/1/loader2.ocx

    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

    View Hidden Files
    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
    Make sure that "Show hidden files and folders" is checked.
    Also uncheck "Hide protected operating system files".
    Now click "Apply to all folders", Click "Apply" then "OK"

    Delete these files
    C:\WINDOWS\BTGrab.dll
    C:\WINDOWS\Helper101.dll
    C:\WINDOWS\System32\DSMANA~1.DLL
    C:\WINDOWS\system32\javafix3.dll
    C:\WINDOWS\System32\cmd32.exe
    C:\WINDOWS\System32\internat.dll
    C:\WINDOWS\System32\mshelp32.exe
    C:\WINDOWS\githolbu.exe
    C:\WINDOWS\System32\tibs3.exe
    C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    C:\WINDOWS\System32\vmss\vmss.exe
    c:\windows\system32\zgaccp.exe
    c:\windows\jjfixer.exe
    C:\Documents and Settings\Administrator\Application Data\osoa.exe
    C:\WINDOWS\System32\d?xplore.exe <=== it must have the ? in the file name
    C:\WINDOWS\SYSfit.exe

    Delete these folders

    C:\Program Files\ISTsvc\
    C:\Program Files\DR_S

    Temp

    START – RUN – key in %temp% - Edit – Select all – File – Delete

    Empty the recycle bin

    Boot and post a new log
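The HijackThis log in the first post and the fix list in the fourth post are the same information read twice: the helper scanned the log for entries that do not belong (browser settings redirected to an unknown search host, BHOs and Run entries with random names outside Program Files, sites and a raw IP added to the Trusted Zone, an ActiveX control downloaded from that same IP, a service with no vendor) and then turned the surviving on-disk paths into a delete list. The script below is an added example, written for this page and not taken from the thread, from HijackThis or from any of the posters. It automates that reading over an excerpt of Dodd's log. The allowlists `KNOWN_RUN`, `KNOWN_BHO` and `KNOWN_HOSTS` and the location heuristics in `check_run` are assumptions made for the example; a real triage verifies hashes and signatures rather than trusting names and paths.

```python
"""Heuristic triage of a HijackThis 1.x log (added example, not code from the
forum or from HijackThis). LOG is an excerpt of the first post's log; the
allowlists below are assumptions made for the example, not a vetted list."""
import re

LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://government.dellnet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\
O4 - HKCU\..\Run: [Tfkd] C:\WINDOWS\System32\d?xplore.exe
O4 - HKCU\..\Run: [dox9RWZmV] ctlstmib.exe
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://coahdc/officescan/ClientInstall/WinNTChk.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://67.19.185.246/i/1/loader2.ocx
O23 - Service: OfficeScanNT Listener - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
"""

# Assumed allowlists: items the thread itself treats as legitimate.
KNOWN_RUN = {"igfxtray.exe", "hkcmd.exe", "pccntmon.exe", "msmsgs.exe"}
KNOWN_BHO = {"{53707962-6F74-2D53-2644-206D7942484F}"}   # Spybot S&D SDHelper
KNOWN_HOSTS = {"government.dellnet.com", "coahdc"}        # OEM start page, LAN OfficeScan server
LINE = re.compile(r"^(R\d|O\d+) - (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RAW_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def host_of(url):
    m = re.match(r"^(?:https?://)?([^/]+)", url.strip())
    return m.group(1).lower() if m else ""

def exe_of(target):
    # First executable in an O4 value, without surrounding quotes or trailing arguments.
    t = target.strip().strip('"')
    i = t.lower().find(".exe")
    return t[:i + 4] if i >= 0 else t

def check_run(target):
    """Reason an O4 Run value looks suspicious, or None if it passes the allowlist."""
    exe = exe_of(target)
    name = exe.rsplit("\\", 1)[-1].lower()
    if name in KNOWN_RUN:
        return None
    if "?" in name:                      # HijackThis prints '?' for a character it cannot show
        return "placeholder '?' in file name"
    if "\\" not in exe:
        return "bare file name resolved via PATH"
    if not exe.lower().endswith(".exe"):
        return "Run value is a directory, not an executable"
    if not exe.lower().startswith("c:\\program files\\"):
        return "executable outside Program Files"

def triage(log):
    """Return (code, reason, detail) triples for log entries worth a second look."""
    out = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        code, body = m.groups()
        if code in ("R0", "R1"):                       # start/search pages
            host = host_of(body.partition(" = ")[2])
            if host and host not in KNOWN_HOSTS:
                out.append((code, "browser setting points at unknown host", host))
        elif code == "R3":
            out.append((code, "URLSearchHook tampered", body))
        elif code == "O2":                             # browser helper objects
            c = CLSID.search(body)
            path = body[c.end():].strip(" -")
            if c.group(0).upper() not in KNOWN_BHO:
                missing = path.endswith("(file missing)")
                out.append((code, "file missing" if missing else "unknown BHO", path.replace(" (file missing)", "")))
        elif code == "O4":                             # Run keys
            m4 = re.match(r"(?:HKLM|HKCU)\\\.\.\\Run: \[.+?\] (.*)", body)
            reason = check_run(m4.group(1)) if m4 else None
            if reason:
                out.append((code, reason, exe_of(m4.group(1))))
        elif code == "O15":                            # any Trusted Zone addition is reportable
            out.append((code, "site added to IE Trusted Zone", body.split(": ", 1)[1]))
        elif code == "O16":                            # ActiveX downloads
            host = host_of(body.rsplit(" - ", 1)[1])
            if host not in KNOWN_HOSTS:
                why = "ActiveX from raw IP" if RAW_IP.match(host) else "ActiveX from unknown host"
                out.append((code, why, host))
        elif code == "O23":                            # services
            parts = body[len("Service: "):].split(" - ")
            if len(parts) >= 3 and (parts[1] == "Unknown" or "(file missing)" in parts[-1]):
                out.append((code, "service with unknown vendor or missing binary", parts[-1]))
    return out

def removal_targets(findings):
    """On-disk files or folders (O2/O4 only) that a delete list should name."""
    return sorted({d for c, r, d in findings
                   if c in ("O2", "O4") and r != "file missing" and "\\" in d})
```

Calling `triage(LOG)` on the excerpt yields twelve findings, among them the loader served from the raw IP that also sits in the Trusted Zone and the `d?xplore.exe` entry, where the `?` is HijackThis standing in for a character it cannot print (hence the helper's note to keep the `?` when typing the path). `removal_targets()` narrows those to the four on-disk paths the helper's delete list also names; it leaves out entries the log already marks `(file missing)` and the bare `ctlstmib.exe`, whose location the log does not show and which therefore needs a disk search before it can be deleted.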
     
Short URL to this thread: https://techguy.org/322918
