View Full Version : Help with Hijack


Sid
12-01-05, 11:59 PM
Hey guys I need help with a hijacked system.

I've already had her delete this
O4 - HKLM\..\Run: [00kk03qo.dll] RUNDLL32.EXE 00kk03qo.dll,b 173862359
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2006] C:\windows\adtech2006.exe


Here is the log file.
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\csvas.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\windows\adtech2006.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\email alert\sailormoon\sailalert.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iMesh\iMesh5\iMesh.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pjrpg.com/vb
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\2.bin\IMESHBAR.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [00kk03qo.dll] RUNDLL32.EXE 00kk03qo.dll,b 173862359
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2006] C:\windows\adtech2006.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [sailormoon email alert] C:\Program Files\email alert\sailormoon\sailalert.exe -auto
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - http://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} (PWLNINST Control) - http://plato.d91.k12.id.us/Pathways/pway_iis.dll/PWLN/02040611/fullcab/pwlninst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\jrj0251mg.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Service Cvasvr (Service Cvas) - Unknown owner - C:\WINDOWS\csvas.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
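
As an added triage aid (my own script, not from this thread or from HijackThis), here is a small Python scan over lines like the log above. It flags the same tells the replies in this thread pick out by eye: gibberish file names (00kk03qo.dll, jrj0251mg.dll), a Run entry that loads a DLL through rundll32, binaries dropped straight into C:\windows, and a service with no publisher. The thresholds in looks_random and the sample lines are my own assumptions, copied from the posted log with two known-good Symantec entries left in for contrast.

```python
import re

# Constructed sample: lines copied from the HijackThis log above, plus clean
# Symantec entries so the heuristics have something they must NOT flag.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [00kk03qo.dll] RUNDLL32.EXE 00kk03qo.dll,b 173862359
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2006] C:\windows\adtech2006.exe
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\jrj0251mg.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Service Cvasvr (Service Cvas) - Unknown owner - C:\WINDOWS\csvas.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

FILE_RE = re.compile(r'([\w.~-]+\.(?:exe|dll))', re.IGNORECASE)
# An .exe sitting directly in <drive>:\windows\, not in a subfolder.
WINROOT_RE = re.compile(r'[A-Za-z]:\\windows\\[^\\\s"]+\.exe', re.IGNORECASE)


def looks_random(stem: str) -> bool:
    """Gibberish names such as 00kk03qo or jrj0251mg: letters and digits
    interleave at least twice and no alphabetic run reaches 4 characters.
    (Thresholds are an assumption; 'adtech2006' and 'rundll32' pass.)"""
    s = stem.lower()
    if len(s) < 6 or not s.isalnum():
        return False
    transitions = sum(1 for a, b in zip(s, s[1:]) if a.isdigit() != b.isdigit())
    longest_alpha = max((len(r) for r in re.findall(r'[a-z]+', s)), default=0)
    return transitions >= 2 and longest_alpha < 4


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (line, reasons) for every HijackThis entry worth a second look."""
    findings = []
    for line in log_text.splitlines():
        reasons = []
        for name in FILE_RE.findall(line):
            if looks_random(name.rsplit('.', 1)[0]):
                reasons.append(f'random-looking file name {name}')
                break
        if line.startswith('O4') and re.search(r'\brundll32\.exe\b', line, re.I):
            reasons.append('Run key loads a DLL through rundll32')
        if WINROOT_RE.search(line):
            reasons.append('binary sits directly in the Windows directory')
        if line.startswith('O23') and 'Unknown owner' in line:
            reasons.append('service has no publisher')
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == '__main__':
    for entry, why in triage(SAMPLE_LOG):
        print(entry, '->', '; '.join(why))
```

A hit only means "look closer": a file in C:\windows or a service without a publisher is sometimes legitimate, so confirm each flagged file before deleting anything.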

thepieman
12-02-05, 12:29 AM
Right click on My Computer, left click Properties and uncheck the System Restore option to disable it.


Well, first of all I'd recommend going to www.webroot.com and downloading the trial version of Spy Sweeper. After you install it, click Yes to update the definitions, then when it's done go to Options, go to Sweep Options, and check everything except where it says to ignore the System Restore files.


Go to www.microsoft.com and get the newest version of their MS AntiSpyware beta. Install it, and when it asks to start the program, put a check and click Continue; click Next for the next few options. When you get to the screen where it asks to scan now, click on Don't Scan Now and continue into the program. When it opens, click on File, then Check for Updates, then click on Scan, click on Scanning Options and set it to a full system scan with Save Settings checked.


Go to www.lavasoftusa.com and get Ad-Aware SE. Don't let it run a scan, just check off the option to get the new updates.

Go to www.safer-networking.org and get Spybot.

After everything is updated and installed, I'd try rebooting in safe mode and running a scan, then reboot and post up a revised HijackThis log.

You can also find some detailed instructions from mnosteele here as well for further tweaking of Spybot and Adaware.

Pie

Sid
12-02-05, 01:27 AM
Thanks Pie. Already ran them all but Spy Sweeper, and I'm not sure we can install another trial over the one that has expired.

Basically it's a popup problem so I figured the browser got hijacked.

Looks as if jrj0251mg.dll is a bad file as well.

Sava700
12-02-05, 03:55 AM
I use that regedit program to find some odd-looking software or startup files and remove them; it's worked pretty well so far, seeing as how Ad-Aware scanners sometimes won't pick up things.

YeOldeStonecat
12-02-05, 06:53 AM
Right off the bat...iMesh...YUCK....hit Add/Remove programs...and uninstall all references to that, and other eAnthology junk.

You'll want to nuke (as well as find all references launching it) adtech2006.exe

The Sailormoon....that e-mail alert thing...probably legit..poked around a bit, seems to be software tied to some fan club website of whatever this Sailormoon anime thing is.

Run CCleaner (Crap Cleaner).
Microsoft AntiSpyware...get the latest (a new one came out this month), have it updated, clean up...and poke around in Advanced Settings/System Explorer. In there you can restore IE to default settings also, as well as check BHOs, LSP hooks, peek at the hosts file, etc.

I'd also do an online scan at Kaspersky and TrendMicro, as this machine only has Symantec on it...so who knows what it has for infections.

thepieman
12-02-05, 09:41 AM
Thanks Pie. Already ran them all but Spy Sweeper, and I'm not sure we can install another trial over the one that has expired.

Basically it's a popup problem so I figured the browser got hijacked.

Looks as if jrj0251mg.dll is a bad file as well.
Oh, I'm sorry Sid. I never have been able to use HijackThis with any success without first cleaning. If you use HijackThis alone, it just comes right back. You need to remove everything with antispyware and antivirus first, then do a cleanup with HijackThis. If you know how to use regedit, look under the software keys for Webroot and delete the key, then try using the newest trial version. As an FYI, if you go to their site and download the trial, after you install it you get a coupon code for 10.00 off, and it brings the price down to 19.00 for 1 yr or 29.00 for 2 years of updates and support. Spy Sweeper is great.
Edit: here's the code NPQVBCJ


Pie

Sid
12-02-05, 11:31 AM
Sid = not a rookie :nope:

Yeah I had her hack the registry and then delete the files. Just need to know which other files look like bad news.

Stone, she had the Sailormoon stuff for years; it's safe. I guess someone sent her a file via AOHell Messenger and it was infected. As you can tell, this online speed is at a crawl, so I was trying to manually remove the adware before an online virus scan.

Thanks guys for the help so far.

BTW I'm doing this over the phone and won't be able to get my hands on it till X-mas time.

YeOldeStonecat
12-03-05, 01:06 PM
BTW I'm doing this over the phone and won't be able to get my hands on it till X-mas time.

Ouch...how about setting up some remote control software, like VNC. Reverse control it even, to make it easier: you host but take control of her computer as she connects...that way you deal with your firewall and not hers.