[Solved] Hijacked

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

khaom

Thread Starter
Joined
Apr 7, 2004
Messages
37
hi
i have the same problem

i tried cwshredder, ad-aware, spybot searh&destroy, antivir, hijack this and some manual stuff. nothing works

i deleted some suspect exe files and the dll file that was created in my system32 folder. after i rebooted the exe file was gone but a new dll was in the system32 folder. don't know what to do now...
 
Joined
Jul 26, 2002
Messages
46,349
Hi khoam

Welcome to TSG! :)

I have split your post off into your own thread. In the future if you have a Question/Problem please start a "New Thread". It get's too confusing trying to address two different people's problem in the same thread and you may get overlooked.


Please do this. Click here to download Hijack This. Click on the Hijackthis.exe.

Click the "Scan" button when the scan is finished the scan button will become "Save Log" click that and save the log.

Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.

*Note: When you download Hijack This Do Not download it to a temp folder or to the desktop. Create a permanent folder somewhere like in My Documents and name it Hijack This and put it in that folder.
 

khaom

Thread Starter
Joined
Apr 7, 2004
Messages
37
here we go

Logfile of HijackThis v1.97.7
Scan saved at 13:45:31, on 08.04.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\NEOLEC\NEOLEC Mouse1.1\MOUSE32A.EXE
C:\Programme\NEOLEC\Wireless Desktop\KbdAp32A.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Dokumente und Einstellungen\Kruzader.KRUZADER-2XR13F\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kgpiba.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kgpiba.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kgpiba.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kgpiba.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kgpiba.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kgpiba.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {20E35652-F2D8-422A-9B9E-A5E7DF8CACDA} - C:\WINDOWS\System32\kgpiba.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\NEOLEC\NEOLEC Mouse1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Programme\NEOLEC\Wireless Desktop\KbdAp32A.exe
O4 - HKLM\..\Run: [ytnicw] rundll32 C:\WINDOWS\System32:ytnicw.dll,Init 1
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\RunOnce: [*ytnicw] rundll32 C:\WINDOWS\System32:ytnicw.dll,Init 1
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38084.633912037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{83631B10-DB83-4D78-8D89-D5C02C8EEAA0}: NameServer = 212.185.252.73 194.25.2.129
 
Joined
Jul 26, 2002
Messages
46,349
First go to Start > Run and copy and paste the following lone in the Run box:

rundll32 C:\WINDOWS\System32:ytnicw.dll,Uninstall

Click OK or hit the Enter Key.


After that please do this:

Navigate to the C:\Windows\system32 folder and locate the kgpiba.dll file. Right click it and choose "Send to compressed (zipped) folder". The zipped folder will appear there in the System32 folder. Attach a copy of that zipped folder and send it to me here. Please include a link to this thread so I'll remember where it came from.

This file may be hidden so click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"


Now run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kgpiba.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kgpiba.dll/sp.html (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kgpiba.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\kgpiba.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\kgpiba.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\kgpiba.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {20E35652-F2D8-422A-9B9E-A5E7DF8CACDA} - C:\WINDOWS\System32\kgpiba.dll


Restart to safe mode and delete:

The C:\WINDOWS\System32\kgpiba.dll file

How to start your computer in safe mode
 

khaom

Thread Starter
Joined
Apr 7, 2004
Messages
37
didn't work :\

i did all the stuff after i restarted from safe mode it was back with a new dll file
 

khaom

Thread Starter
Joined
Apr 7, 2004
Messages
37
i was wrong, there is no new dll file. after i ran hijack this one more time and fixed all the bad stuff it seems like it's finally dead

if the hijacker should come back i'll post again
for now everything looks just fine

thanx for your help :)
 
Joined
Jul 26, 2002
Messages
46,349
My pleasure! :)

Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.
 
Joined
Jul 26, 2002
Messages
46,349
I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".
 

khaom

Thread Starter
Joined
Apr 7, 2004
Messages
37
Logfile of HijackThis v1.97.7
Scan saved at 18:04:14, on 08.04.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\NEOLEC\NEOLEC Mouse1.1\MOUSE32A.EXE
C:\Programme\NEOLEC\Wireless Desktop\KbdAp32A.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Browser Hijack Blaster\bhblaster.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Windows NT\Zubehör\WORDPAD.EXE
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\plkija.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <none>
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\plkija.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\plkija.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\plkija.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\plkija.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\NEOLEC\NEOLEC Mouse1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Programme\NEOLEC\Wireless Desktop\KbdAp32A.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38084.633912037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{83631B10-DB83-4D78-8D89-D5C02C8EEAA0}: NameServer = 212.185.252.73 194.25.2.129
 
Joined
Jul 26, 2002
Messages
46,349
This is a new variant of CWS. Merijn (the developer of CWShredder) is working on an update to CWShredder right now that will hopefully be able to remove this one. I guess we will have to wing it until the update is released.

Let's try removing it in safe mode.

Restart to safe mode.

In safe mode run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\plkija.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <none>
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\plkija.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\plkija.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\plkija.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\plkija.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank


Now find and delete the C:\WINDOWS\System32\plkija.dll file
 

khaom

Thread Starter
Joined
Apr 7, 2004
Messages
37
ok i ran hijack this in safe mode. everything is ok now, but i don't know how long this will last. would be good to know where it came from. hope it's not a site that i visit everyday ...
 
Joined
Jul 26, 2002
Messages
46,349
Wlle I'll keep this thread open for a while this time. Please reboot a couple of times and see if it returns.

Also did you check out the link I posted before and set your IE security settings as suggested there. Also it would be a good idea to install the other programs suggested there as well.

I do believe this particular variant of CWS uses the mhtml exploit. Unfortunately MS has not yet released a patch for this vulnerability.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top