| Thread ID: 38854 | 2003-10-20 09:55:00 | 'Alt' key not working, PC hijacked ? | amitluis (4153) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 185135 | 2003-10-20 09:55:00 | Hi everyone, I've got really strange things happening to my PC (Win 98, IE5.5) ever since I've come back after my vacation (the PC was being used in my absence). Besides running extremely slow, I found out that there were numerous (unheard of) programs that ZoneAlarm was given permission to connect. I couldn't run LiveUpdate (Norton Antivirus) or Windows Update. And worst of all, the 'alt' key wouldn't work for anything, so I couldn't see what programs were running (using ctrl+alt+del) or even alt-tab. I managed to manually install a new def file for NAV and it picked up the W95.MTX virus that it then cleaned from all 65 files. I deleted all the strange programs from ZoneAlarm and managed to run Windows Update (and installed the latest SP2 for IE5.5). However I still can't use my alt key for anything; no conflicts in device manager. What I have noticed is that Qmgr.exe AUTOMATICALLY gives itself permission in Zone Alarm each time and also keeps starting up automatically though I untick it each time in System Config Utility. I have since deleted the actual file (called Qmgrloader or something like that) and it seems to have stopped loading but I still don't have my alt key!! I suspect that somehow I've got one of the backdoor Trojan-like problems on my PC but am stumped as to what else I can do to fix this? Is there another way to see what programs are running? Thanks heaps in advance for all your help. Kind regards, Amit |
amitluis (4153) | ||
| 185136 | 2003-10-20 10:05:00 | Go to: www.tomcoyote.org Download HijackThis, unzip it and run it. It will produce a logfile of all running processes. Ticking the ones you want stopped, and selecting Fix will remove them. Post the logfile back here if you want others to assist. |
godfather (25) | ||
| 185137 | 2003-10-20 10:25:00 | Have you tried using the opposite ALT key on the keyboard? Sounds more like the ALT key is broken than being "hijacked" |
whiskeytangofoxtrot (438) | ||
| 185138 | 2003-10-20 12:27:00 | Hi Godfather, I did as you suggested and have posted the logfile here as some of you could make more sense out of it than I could. whiskeytangofoxtrot, I have tried both 'alt' keys. Thanks though! Here is the logfile:

Logfile of HijackThis v1.97.3
Scan saved at 1:03:48 AM, on 10/21/2003
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\A4TECH\MOUSE\AMOUMAIN.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = bicurioz.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = bicurioz.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = red.clientapps.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = red.clientapps.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = red.clientapps.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = red.clientapps.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4TECH\MOUSE\AMOUMAIN.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: SeeMore with Lycos! - www.lycos.com
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Wallpaper (HKLM)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - download.macromedia.com
O16 - DPF: {3F0EECCE-E138-11D1-8712-0060083D83F5} (LPViewer Class) - www.livepicture.com
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - www.installfromtheweb.com
O16 - DPF: {8FBFE5FF-5E98-11D3-80AF-00C04FCFBC72} (SurveyCtl35 Class) - activex.microsoft.com
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - security.symantec.com
O16 - DPF: {69DEAF94-AF66-11D3-BEC0-00105AA9B6AE} (Symantec RuFSI Utility Class) - security.symantec.com
O16 - DPF: {C2FCEF4E-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI File information Class) - security1.norton.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - security.symantec.com
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - us.chat1.yimg.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - download.macromedia.com
O16 - DPF: {451FCDEE-DCED-11D3-87DD-0090278F1040} (Yahoo! Voicemail Engine) - phone.yahoo.com
O16 - DPF: {F08555B0-9CC3-11D2-AA8E-000000000000} - d.crackedearth.com
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - www.gateway.com
O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - dist02.chargitdial.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - a1540.g.akamai.net
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - v4.windowsupdate.microsoft.com
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - www.cult3d.com
O16 - DPF: Yahoo! Chess - download.games.yahoo.com
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - us.dl1.yimg.com
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - www-secure.symantec.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - download.yahoo.com
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - security.symantec.com |
amitluis (4153) | ||
| 185139 | 2003-10-21 22:40:00 | Hi, I have posted the logfile above as requested. Is someone able to interpret that for me and see if anything is amiss, as I am at my wits' end now!! Thanks in anticipation! - Amit |
amitluis (4153) | ||
| 185140 | 2003-10-21 23:20:00 | Does HijackThis display a GUI interface where you can terminate programs? www.glocksoft.com may be a better tool, but also maybe limited as I believe registration is required. Not sure, haven't needed to use it. Now unfortunately, the programs running in process I believe can be infected/altered and can evade Antivirus or Firewalls; the programs are RNAAP.EXE, MPREXE.EXE and KERNEL32.DLL. Also all other EXE files could have become infected, which the AV successfully fixed, but the others are probably harder to fix as they are constantly being used and won't allow tampering with them (wonders how viruses do it). If you have a means of booting into DOS mode with CD support then you could delete those files and replace them with the ones on CD. Also maybe a DOS boot AV scan if that's possible, that may work, or scanning the hard drive in another computer. |
Kame (312) | ||
| 185141 | 2003-10-21 23:29:00 | AVG (www.grisoft.com) does a DOS boot scan | Chris Randal (521) | ||
| 185142 | 2003-10-21 23:47:00 | Delete the following R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = bicurioz.com R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = bicurioz.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - dist02.chargitdial.com |
Pheonix (280) | ||
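The entries Pheonix lists above fall into two classes that a HijackThis log makes easy to check mechanically: R0/R1 Internet Explorer search and start-page settings pointing at a host nobody chose, and O16 DPF entries (ActiveX controls downloaded into Downloaded Program Files) fetched from a host that is not a known vendor. The following script is an added example written for this page, not code from HijackThis, the thread or any poster; it parses log lines in the format shown in the thread and flags those two classes. The sample lines are constructed from the posted log, and the two allowlists are assumptions for the example that would have to be tuned for the machine being examined.

```python
"""Added example (not from the thread or from HijackThis): parse HijackThis-style
log entries and flag IE search/start settings (R0/R1) that point at an unexpected
host and ActiveX downloads (O16 DPF) from hosts not on an allowlist."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Every HijackThis entry starts "<code> - <body>", e.g. "R1 - ...", "O16 - ...".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
# R0/R1 bodies are "<registry key>,<value name> = <data>"; data may be empty.
SETTING_RE = re.compile(r"^(?P<key>.*?) =\s*(?P<value>.*)$")

# Assumed allowlists for this example only; tune them for the machine in question.
EXPECTED_SEARCH_HOSTS = {"red.clientapps.yahoo.com", "www.google.com", "www.msn.com"}
TRUSTED_DPF_HOSTS = {
    "download.macromedia.com", "activex.microsoft.com",
    "v4.windowsupdate.microsoft.com", "security.symantec.com",
    "security1.norton.com", "www-secure.symantec.com",
}


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. "R1" or "O16"
    host: str    # host the entry points at
    reason: str
    line: str    # the original log line


def host_of(value: str) -> str:
    """Bare lowercase hostname from a URL or host-only value ('' if none)."""
    value = re.sub(r"^[a-z]+://", "", value.strip(), flags=re.IGNORECASE)
    return value.split("/", 1)[0].lower()


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious entry, None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")

    if code in ("R0", "R1"):
        s = SETTING_RE.match(body)
        if not s or not s.group("value"):
            return None      # blank setting: nothing to point at
        host = host_of(s.group("value"))
        if host and host not in EXPECTED_SEARCH_HOSTS:
            return Finding(code, host, "IE search/start setting points at unexpected host", line)
        return None

    if code == "O16" and body.startswith("DPF:") and " - " in body:
        # The download host is the text after the last " - ".
        host = host_of(body.rsplit(" - ", 1)[-1])
        if host not in TRUSTED_DPF_HOSTS:
            return Finding(code, host, "ActiveX control downloaded from host not on allowlist", line)
        return None

    return None


def scan(log_text: str) -> List[Finding]:
    """Classify every line of a log; findings come back in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


# Constructed sample, taken from the log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = bicurioz.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = red.clientapps.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - download.macromedia.com
O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - dist02.chargitdial.com
O16 - DPF: {F08555B0-9CC3-11D2-AA8E-000000000000} - d.crackedearth.com
O16 - DPF: Yahoo! Chess - download.games.yahoo.com
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.code:<5}{f.host:<30}{f.reason}")
```

Run against the sample it reports the bicurioz.com search hijack and three O16 hosts; download.games.yahoo.com shows up only because the example allowlist does not include it, which is the point of keeping that list explicit rather than guessing from the host name. The script deliberately says nothing about O4 (startup) entries, since bare names like SysTray.Exe are normal on Windows 98 and deciding on them needs the file itself, not the log line.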
| 185143 | 2003-10-21 23:50:00 | BTW, DON'T go to the site bicurioz.com as it drops a virus onto you. My AVG picked it up. If you have XP, then turn off your restore first, clean up those entries, check with Adaware, Spybot and Antivirus before turning restore back on. Good Hunting :D |
Pheonix (280) | ||
| 185144 | 2003-10-22 00:05:00 | The W95.mtx is a very difficult virus to remove by all accounts. www.symantec.com www.pchell.com |
Jim B (153) | ||