[Solved] Hijacked

[khaom]

hi
i have the same problem

i tried cwshredder, ad-aware, spybot searh&destroy, antivir, hijack this and some manual stuff. nothing works

i deleted some suspect exe files and the dll file that was created in my system32 folder. after i rebooted the exe file was gone but a new dll was in the system32 folder. don't know what to do now...

 

[mjack547]

Need to post a new Hijackthis log for us to look at again

 

[Flrman1]

Hi khoam

Welcome to TSG!

I have split your post off into your own thread. In the future if you have a Question/Problem please start a "New Thread". It get's too confusing trying to address two different people's problem in the same thread and you may get overlooked.


Please do this. Click here to download Hijack This. Click on the Hijackthis.exe.

Click the "Scan" button when the scan is finished the scan button will become "Save Log" click that and save the log.

Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.

*Note: When you download Hijack This Do Not download it to a temp folder or to the desktop. Create a permanent folder somewhere like in My Documents and name it Hijack This and put it in that folder.

 

[khaom]

here we go

Logfile of HijackThis v1.97.7
Scan saved at 13:45:31, on 08.04.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\NEOLEC\NEOLEC Mouse1.1\MOUSE32A.EXE
C:\Programme\NEOLEC\Wireless Desktop\KbdAp32A.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Dokumente und Einstellungen\Kruzader.KRUZADER-2XR13F\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kgpiba.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kgpiba.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kgpiba.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kgpiba.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kgpiba.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kgpiba.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {20E35652-F2D8-422A-9B9E-A5E7DF8CACDA} - C:\WINDOWS\System32\kgpiba.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\NEOLEC\NEOLEC Mouse1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Programme\NEOLEC\Wireless Desktop\KbdAp32A.exe
O4 - HKLM\..\Run: [ytnicw] rundll32 C:\WINDOWS\System32:ytnicw.dll,Init 1
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\RunOnce: [*ytnicw] rundll32 C:\WINDOWS\System32:ytnicw.dll,Init 1
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38084.633912037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{83631B10-DB83-4D78-8D89-D5C02C8EEAA0}: NameServer = 212.185.252.73 194.25.2.129

 

[Flrman1]

First go to Start > Run and copy and paste the following lone in the Run box:

rundll32 C:\WINDOWS\System32:ytnicw.dll,Uninstall

Click OK or hit the Enter Key.


After that please do this:

Navigate to the C:\Windows\system32 folder and locate the kgpiba.dll file. Right click it and choose "Send to compressed (zipped) folder". The zipped folder will appear there in the System32 folder. Attach a copy of that zipped folder and send it to me here. Please include a link to this thread so I'll remember where it came from.

This file may be hidden so click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"


Now run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kgpiba.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kgpiba.dll/sp.html (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kgpiba.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kgpiba.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kgpiba.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kgpiba.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {20E35652-F2D8-422A-9B9E-A5E7DF8CACDA} - C:\WINDOWS\System32\kgpiba.dll

Restart to safe mode and delete:

The C:\WINDOWS\System32\kgpiba.dll file

How to start your computer in safe mode

 

[khaom]

didn't work :\

i did all the stuff after i restarted from safe mode it was back with a new dll file

 

[Flrman1]

Let's see another log please.

 

[khaom]

i was wrong, there is no new dll file. after i ran hijack this one more time and fixed all the bad stuff it seems like it's finally dead

if the hijacker should come back i'll post again
for now everything looks just fine

thanx for your help

 

[Flrman1]

My pleasure!

Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.

 

[Flrman1]

I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".

 

[Flrman1]

I've re-opened the thread. Please post another Hijack This log.

 

[khaom]

Logfile of HijackThis v1.97.7
Scan saved at 18:04:14, on 08.04.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\NEOLEC\NEOLEC Mouse1.1\MOUSE32A.EXE
C:\Programme\NEOLEC\Wireless Desktop\KbdAp32A.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Browser Hijack Blaster\bhblaster.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Windows NT\Zubehör\WORDPAD.EXE
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\plkija.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <none>
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\plkija.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\plkija.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\plkija.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\plkija.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\NEOLEC\NEOLEC Mouse1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Programme\NEOLEC\Wireless Desktop\KbdAp32A.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38084.633912037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{83631B10-DB83-4D78-8D89-D5C02C8EEAA0}: NameServer = 212.185.252.73 194.25.2.129

 

[Flrman1]

This is a new variant of CWS. Merijn (the developer of CWShredder) is working on an update to CWShredder right now that will hopefully be able to remove this one. I guess we will have to wing it until the update is released.

Let's try removing it in safe mode.

Restart to safe mode.

In safe mode run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\plkija.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <none>
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\plkija.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\plkija.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\plkija.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\plkija.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Now find and delete the C:\WINDOWS\System32\plkija.dll file

 

[khaom]

ok i ran hijack this in safe mode. everything is ok now, but i don't know how long this will last. would be good to know where it came from. hope it's not a site that i visit everyday ...

 

[Flrman1]

Wlle I'll keep this thread open for a while this time. Please reboot a couple of times and see if it returns.

Also did you check out the link I posted before and set your IE security settings as suggested there. Also it would be a good idea to install the other programs suggested there as well.

I do believe this particular variant of CWS uses the mhtml exploit. Unfortunately MS has not yet released a patch for this vulnerability.