Help! Do I have a Virus of some sorts?!
-
It all started off today, when I deleted my entire 'Prefetch' folder (there wasn't a vast amount of files in that folder anyway) after finding some porn spyware on my pc (named Pleasure something....). Whenever I open up Internet Explorer, the opening website is "res://kokqy.dll/index.html#37049". Now when I go into Internet Options and try to change it to another website, it won't let me do it!
It's also planted some stupid ****ing pop-up thing on my pc too, called "Only the best" (I've tried searching for an 'Only the Best' file, but my PC cannot find such a thing). It also tries to link the words 'game', 'forum', 'Spyware' (hah!) etc. up to "http://get-data.net/?go=games" :\ . Here is an example via screen shot:

The most annoying thing is that whenever I type, for example, 'pub137.ezboard.com/bcradleoffilthonline' into the Internet Explorer toolbar, it redirects me to another 'res://' website (I can't right-click on any of these 'res://' websites either).
Do I have a virus or is this something I can delete manually? Argh..!
Last edited by brennuvargr; 23-06-2004 at 12:07 AM.
-
Download HijackThis here:
HijackThis
Follow instructions there and post the log back here. Someone will be along to read it.
-
Here is my HijackThis log:
Logfile of HijackThis v1.97.7
Scan saved at 15:06:20, on 23/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\system32\ntvs.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\System32\NVATray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\system32\redirect2.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\hkpbjb.exe
C:\WINDOWS\system32\ieyi32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\docume~1\mrsmeh~1\locals~1\temp\wmplayer.exe
C:\docume~1\mrsmeh~1\locals~1\temp\explorer.exe
C:\WINDOWS\system32\Plugin\mmgru.exe
C:\Program Files\CConnect\CConnect.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\docume~1\mrsmeh~1\locals~1\temp\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\owercfgp.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\AIM95\aim.exe
C:\Documents and Settings\Mrs Mehta\My Documents\Hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kokqy.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kokqy.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kokqy.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kokqy.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kokqy.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kokqy.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchwww.com/bar.html
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {865E429D-BFA4-C656-5DF9-DD49CC5D9CC7} - C:\WINDOWS\sdklw32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [redirect] C:\WINDOWS\system32\redirect2.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [KazaaBooster] C:\Program Files\Kazaa FasterDownload\KazaaFasterDownload.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\System32\MSZTCE.EXE
O4 - HKLM\..\Run: [iendipolzykcu] C:\WINDOWS\System32\hkpbjb.exe
O4 - HKLM\..\Run: [ieyi32.exe] C:\WINDOWS\system32\ieyi32.exe
O4 - HKLM\..\Run: [owercfgp] C:\WINDOWS\System32\owercfgp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [wmplayer.exe] C:\docume~1\mrsmeh~1\locals~1\temp\wmplayer.exe
O4 - HKCU\..\Run: [explorer.exe] c:\docume~1\mrsmeh~1\locals~1\temp\explorer.exe
O4 - HKCU\..\Run: [taskmgr] C:\WINDOWS\system32\NOTEPAD.EXE
O4 - HKLM\..\RunOnce: [msoh.exe] C:\WINDOWS\msoh.exe
O4 - HKLM\..\RunOnce: [ntvs.exe] C:\WINDOWS\system32\ntvs.exe
O4 - HKLM\..\RunOnce: [atlan32.exe] C:\WINDOWS\system32\atlan32.exe
O4 - HKLM\..\RunOnce: [mfcfk32.exe] C:\WINDOWS\system32\mfcfk32.exe
O4 - HKLM\..\RunOnce: [mfchn.exe] C:\WINDOWS\mfchn.exe
O4 - HKLM\..\RunOnce: [atlpi32.exe] C:\WINDOWS\atlpi32.exe
O4 - HKLM\..\RunOnce: [crbj32.exe] C:\WINDOWS\system32\crbj32.exe
O4 - HKLM\..\RunOnce: [apibv.exe] C:\WINDOWS\apibv.exe
O4 - HKLM\..\RunOnce: [ntdi32.exe] C:\WINDOWS\system32\ntdi32.exe
O4 - HKLM\..\RunOnce: [addbg32.exe] C:\WINDOWS\system32\addbg32.exe
O4 - HKLM\..\RunOnce: [winkk32.exe] C:\WINDOWS\winkk32.exe
O4 - HKLM\..\RunOnce: [sdkvr32.exe] C:\WINDOWS\system32\sdkvr32.exe
O4 - HKLM\..\RunOnce: [javaqa.exe] C:\WINDOWS\system32\javaqa.exe
O4 - HKLM\..\RunOnce: [sdkqc32.exe] C:\WINDOWS\system32\sdkqc32.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: explorer.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: Search.vbs
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: ConferenceRoom Java Client - http://glass.webmaster.com:8000/java/cr.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FA53CFF8-B253-49DE-9B13-3A6129830AF0} - http://216.182.10.243/player/allcast022303_18.cab
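A small triage script for log lines in the format shown above, added here as an example and not part of the original thread or of HijackThis itself. It parses the R0/R1, O2, O4 and O16 line shapes and flags the indicators a reviewer scans this log for: browser start and search pages pointed at a `res://` resource inside a DLL, autoruns launched from a temp directory, autorun labels borrowing a Windows binary's name while pointing at something else (the `[taskmgr]` entry that runs NOTEPAD.EXE, the `explorer.exe` in `temp`), unnamed BHOs, RunOnce entries that should have been transient, and ActiveX downloads from a bare IP address. The sample lines are copied from the posted log (plus one clean O4 line for contrast); the reason tags and the list of system binary names are assumptions chosen for the example. These are heuristics that point a reviewer at lines worth checking, not verdicts.

```python
"""Heuristic triage for HijackThis-style log lines (added example, not part of
the thread or of HijackThis). Flags the line types a reviewer looks at first."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample lines taken from the posted log, plus one clean O4 line for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kokqy.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kokqy.dll/sp.html#37049
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [explorer.exe] c:\docume~1\mrsmeh~1\locals~1\temp\explorer.exe
O4 - HKCU\..\Run: [taskmgr] C:\WINDOWS\system32\NOTEPAD.EXE
O4 - HKLM\..\RunOnce: [ntvs.exe] C:\WINDOWS\system32\ntvs.exe
O16 - DPF: {FA53CFF8-B253-49DE-9B13-3A6129830AF0} - http://216.182.10.243/player/allcast022303_18.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
"""

# Windows binaries whose names are commonly borrowed for an autorun label (assumed list).
SYSTEM_BINARIES = {"explorer.exe", "taskmgr.exe", "svchost.exe", "lsass.exe",
                   "services.exe", "winlogon.exe", "csrss.exe", "smss.exe"}

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
R_RE = re.compile(r"^(?P<key>.+?) = (?P<value>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<ident>.*?) - (?P<url>\S+)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|vbs|bat|cmd|scr|com))(?:"|\s|$)', re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis section code, e.g. "R0", "O4"
    reason: str  # short tag for the heuristic that fired
    detail: str  # the value that triggered it


def executable_path(cmd: str) -> str:
    """Return the program path from a Run-key command line, without quotes or arguments."""
    m = EXE_RE.match(cmd)
    return m.group("path") if m else cmd.split()[0].strip('"')


def check_r(code: str, body: str) -> list:
    # A start/search page served from a res:// resource lives inside a DLL on disk,
    # which is how this hijacker survives the user changing the page in Internet Options.
    m = R_RE.match(body)
    if m and m.group("value").lower().startswith("res://"):
        return [Finding(code, "browser_page_is_dll_resource", m.group("value"))]
    return []


def check_o2(body: str) -> list:
    m = O2_RE.match(body)
    if m and m.group("name").strip().lower() == "(no name)":
        return [Finding("O2", "unnamed_bho", m.group("path"))]
    return []


def check_o4(body: str) -> list:
    m = O4_RE.match(body)
    if not m:
        return []  # Global Startup entries and other shapes are not parsed here
    label, key, path = m.group("label"), m.group("key"), executable_path(m.group("cmd"))
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    out = []
    if "\\temp\\" in low:
        out.append(Finding("O4", "autorun_from_temp", path))
    norm_label = low_label = label.lower()
    if not low_label.endswith(".exe"):
        norm_label = low_label + ".exe"
    # Label says "explorer.exe"/"taskmgr" but the target is a different file or lives outside C:\WINDOWS.
    if norm_label in SYSTEM_BINARIES and (base != norm_label or not low.startswith("c:\\windows\\")):
        out.append(Finding("O4", "label_mimics_system_binary", f"[{label}] -> {path}"))
    # RunOnce is meant for one-shot setup tasks; a pile of them with random names is a dropper pattern.
    if key.lower() == "runonce":
        out.append(Finding("O4", "runonce_entry", path))
    return out


def check_o16(body: str) -> list:
    m = O16_RE.match(body)
    if m:
        host = urlparse(m.group("url")).hostname or ""
        if IPV4_RE.fullmatch(host):
            return [Finding("O16", "activex_from_bare_ip", m.group("url"))]
    return []


def triage(log_text: str) -> list:
    """Run every heuristic over a log and return the findings in line order."""
    checks = {"R0": check_r, "R1": check_r}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in checks:
            findings.extend(checks[code](code, body))
        elif code == "O2":
            findings.extend(check_o2(body))
        elif code == "O4":
            findings.extend(check_o4(body))
        elif code == "O16":
            findings.extend(check_o16(body))
    return findings


def reasons(findings: list) -> dict:
    """Count findings per reason tag, handy for a one-line summary."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<3} {f.reason:<28} {f.detail}")
```

Run against the sample it reports eight findings: both `res://` pages, the unnamed BHO, the temp-directory explorer.exe (which also fires the mimic check), the `[taskmgr]` entry pointing at Notepad, the RunOnce entry and the ActiveX package fetched from a raw IP; the InCD and QuickTime lines pass clean. Paste the full posted log in place of `SAMPLE_LOG` and the same checks highlight the dozen RunOnce entries and the other temp-directory autoruns.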
-
I am not a very experienced reader of these logs but it looks like kokqy.dll definitely is in control of your browser.
I would download and run both Ad-Aware & Spy Bot (links below) & let them erase what they want (check for latest updates).
Also I would recommend uninstalling Kazaa, as it is a known source of spyware.
Then run HijackThis again & re-post log. Hopefully someone more experienced will be along.
Ad Aware
Spy Bot
Spy Bot (mirror)
Last edited by jephree; 23-06-2004 at 08:38 PM.
-
Cheers man; I've already got Ad Aware & I know for sure this spyware definitely didn't arrive via Kazaa. I'll wait for a more experienced user to look at my post... cheers again though.