'Alt' key not working, PC hijacked?

amitluis
20-10-2003, 10:55 PM
Hi everyone,
I've got really strange things happening to my PC (Win 98, IE5.5) ever since I've come back after my vacation (the PC was being used in my absence). Besides running extremely slow, I found out that there were numerous (unheard of) programs that ZoneAlarm had been given permission to connect. I couldn't run LiveUpdate (Norton Antivirus) or Windows Update. And worst of all, the 'alt' key wouldn't work for anything, so I couldn't see what programs were running (using ctrl+alt+del) or even alt-tab.
I managed to manually install a new def file for NAV and it picked up the W95.MTX virus that it then cleaned from all 65 files. I deleted all the strange programs from ZoneAlarm and managed to run Windows Update (and installed the latest SP2 for IE5.5). However I still can't use my alt key for anything; no conflicts in device manager. What I have noticed is that Qmgr.exe AUTOMATICALLY gives itself permission in Zone Alarm each time and also keeps starting up automatically though I untick it each time in System Config Utility. I have since deleted the actual file (called Qmgrloader or something like that) and it seems to have stopped loading but I still don't have my alt key!! I suspect that somehow I've got one of the backdoor-Trojan-like problems on my PC but am stumped as to what else I can do to fix this. Is there another way to see what programs are running?
Thanks heaps in advance for all your help.
Kind regards,
Amit

godfather
20-10-2003, 11:05 PM
Go to:

http://www.tomcoyote.org/hjt

Download HijackThis, unzip it and run it.

It will produce a logfile of all running processes.
Ticking the ones you want stopped, and selecting Fix will remove them.

Post the logfile back here if you want others to assist.

whiskeytangofoxtrot
20-10-2003, 11:25 PM
Have you tried using the opposite ALT key on the keyboard?

Sounds more like the ALT key is broken than being "hijacked"

amitluis
21-10-2003, 01:27 AM
Hi Godfather,
I did as you suggested and have posted the logfile here as some of you could make more sense out of it than I could.
whiskeytangofoxtrot, I have tried both 'alt' keys. Thanks though !
Here is the logfile:
Logfile of HijackThis v1.97.3
Scan saved at 1:03:48 AM, on 10/21/2003
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\A4TECH\MOUSE\AMOUMAIN.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bicurioz.com/s.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bicurioz.com/s.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4TECH\MOUSE\AMOUMAIN.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: SeeMore with Lycos! - http://www.lycos.com/seemore/click.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Wallpaper (HKLM)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {3F0EECCE-E138-11D1-8712-0060083D83F5} (LPViewer Class) - http://www.livepicture.com/ActiveX/LPControl.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installfromtheweb.com/install/iftwclix.cab
O16 - DPF: {8FBFE5FF-5E98-11D3-80AF-00C04FCFBC72} (SurveyCtl35 Class) - http://activex.microsoft.com/controls/mtswizards/sw35.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {69DEAF94-AF66-11D3-BEC0-00105AA9B6AE} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C2FCEF4E-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI File information Class) - http://security1.norton.com/sa/1033/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v40/yacscom.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {451FCDEE-DCED-11D3-87DD-0090278F1040} (Yahoo! Voicemail Engine) - http://phone.yahoo.com/plugin/yumscom.cab
O16 - DPF: {F08555B0-9CC3-11D2-AA8E-000000000000} - http://d.crackedearth.com/hs/srchhook.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://www.gateway.com/support/contact/serial/gwCID.CAB
O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://dist02.chargitdial.com/chargitplug.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37913.6045833333
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

amitluis
22-10-2003, 11:40 AM
Hi,
I have posted the logfile above as requested. Is someone able to interpret that for me and see if anything is amiss, as I am at my wit's end now!!
Thanks in anticipation!

- Amit

Kame
22-10-2003, 12:20 PM
Does HiJackThis display a GUI interface where you can terminate programs?

http://www.glocksoft.com/process_info.htm may be a better tool, but also maybe limited as I believe registration is required. Not sure, I haven't needed to use it.

Now unfortunately, the programs running in process I believe can be infected/altered and can evade Antivirus or Firewalls; the programs are RNAAPP.EXE, MPREXE.EXE and KERNEL32.DLL. Also all other EXE files could have become infected, which the AV successfully fixed, but the others are probably harder to fix as they are constantly being used and won't allow tampering with them (wonders how viruses do it). If you have a means of booting into DOS mode with CD support then you could delete those files and replace them with the ones on CD.

Also maybe a DOS boot AV scan if that's possible, that may work, or scanning the hard drive in another computer.

Chris Randal
22-10-2003, 12:29 PM
AVG (http://www.grisoft.com/us/us_index.php) does a DOS boot scan

Pheonix
22-10-2003, 12:47 PM
Delete the following
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bicurioz.com/s.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bicurioz.com/s.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://dist02.chargitdial.com/chargitplug.dll

Pheonix
22-10-2003, 12:50 PM
BTW, DON'T go to the site bicurioz.com as it drops a virus onto you. My AVG picked it up.
If you have XP, then turn off your restore first, clean up those entries, check with Adaware, Spybot and Antivirus before turning restore back on.
Good Hunting :D

Jim B
22-10-2003, 01:05 PM
The W95.mtx is a very difficult virus to remove by all accounts.

http://www.symantec.com/avcenter/venc/data/w95.mtx.html

http://www.pchell.com/virus/mtx.shtml

Kame
22-10-2003, 01:35 PM
Wonders why you would check out bicurioz.com? :P

Because you're curious of course :P nah jokes...

That virus does sound complicated, and I would even suggest the tool from symantec, but it doesn't look too good :(

tommy
22-10-2003, 01:50 PM
I would also suggest removing the following:

O16 - DPF: {F08555B0-9CC3-11D2-AA8E-000000000000} - http://d.crackedearth.com/hs/srchhook.cab

O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://dist02.chargitdial.com/chargitplug.dll

To perform the operation close all browser windows, scan with HijackThis, put a tick in the noted entries, shutdown and reboot your computer.

I would also suggest that you download and run AdAware and Spybot with their latest reference files.
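The entries Pheonix and tommy single out above are all of one kind: R0/R1 search-page redirects and O16 DPF downloads whose URL host is not a vendor the machine has any business fetching code from. The following is an added example, not part of the thread or of HijackThis itself: it parses those two sections of a HijackThis v1.97 log and flags every entry whose host falls outside an allowlist. The sample log lines are constructed from the format shown above, and the allowlist of trusted host suffixes is an assumption to be adjusted per machine.

```python
import re
from urllib.parse import urlparse
# Constructed sample, in the format HijackThis v1.97 prints (hosts copied from the thread).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bicurioz.com/s.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://dist02.chargitdial.com/chargitplug.dll
O16 - DPF: {F08555B0-9CC3-11D2-AA8E-000000000000} - http://d.crackedearth.com/hs/srchhook.cab
"""

# Assumed allowlist of host suffixes for this example; extend it for the machine being audited.
TRUSTED_SUFFIXES = ("microsoft.com", "yahoo.com", "yimg.com", "macromedia.com",
                    "symantec.com", "norton.com", "apple.com", "akamai.net")

# R0/R1 lines: "<section> - <registry key>,<value name> = <url or blank>"
R_LINE = re.compile(r"^(R[01]) - (.+?) =\s*(.*)$")
# O16 lines:   "O16 - DPF: <clsid and/or name> - <download url>"
O16_LINE = re.compile(r"^O16 - DPF: (.+?) - (\S+)$")

def host_of(url):
    """Lowercase host of a URL ('' if none); 'http://a/*http://b' yields a, the host IE contacts."""
    return urlparse(url.strip()).netloc.lower()

def is_trusted(host, suffixes=TRUSTED_SUFFIXES):
    """True only for an exact match or a real subdomain of an allowlisted suffix."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def audit_hijackthis(log_text, suffixes=TRUSTED_SUFFIXES):
    """Return (section, entry, host) for every R0/R1 or O16 entry whose host is not allowlisted.
    Blank R0/R1 values (e.g. an unset Local Page) carry no URL and are skipped."""
    flagged = []
    for line in log_text.splitlines():
        m = R_LINE.match(line)
        if m:
            section, entry, url = m.groups()
        else:
            m = O16_LINE.match(line)
            if not m:
                continue
            section, entry, url = "O16", m.group(1), m.group(2)
        host = host_of(url)
        if host and not is_trusted(host, suffixes):
            flagged.append((section, entry, host))
    return flagged

if __name__ == "__main__":
    for section, entry, host in audit_hijackthis(SAMPLE_LOG):
        print(f"{section}  {entry}  ->  {host}")
```

Run against the sample it reports exactly the three hosts the thread tells Amit to remove, and leaves the Yahoo default and the Macromedia Flash control alone.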

Gods-Hitman
22-10-2003, 07:41 PM
Obtain a copy of the Fixmtx.exe tool, and save it to the Windows desktop.
Start the computer in Safe mode.
Run the Fixmtx.exe tool from an MS-DOS window.

link to download http://www.symantec.com/avcenter/fixmtx.exe

PoWa
22-10-2003, 08:01 PM
If the alt key ain't working use Ctrl+Shift+Esc to bring up the task manager, or alternatively right click on the taskbar and select Task Manager.

amitluis
24-10-2003, 10:11 PM
Yes, HijackThis does display a GUI where you can terminate programs. I believe you are right when you say that the programs running in process could be altered as this virus keeps trying to create new files. However, are these files that you mentioned infected by W95.MTX?

amitluis
24-10-2003, 10:28 PM
I have also deleted those entries that Phoenix and Tommy suggested using HijackThis but still no luck.
I did use the fixmtx tool (from the Symantec site) that was suggested and that cleaned another 56 files AFTER NortonAV initially said it had cleaned ALL the 65 infected files it had found. However after using the tool, I ran NAV and again it found 6 infected files that it cleaned. However this virus appears to be dynamically creating more infected files as it keeps finding 6 infected files, but the file extensions keep increasing from vi1, vi2, vi3 ...etc. The 6 files are mixres32, regtlib, finstall, mickey32, jview and wjview - if that means anything. And the 'alt' key still is disabled.
Thanks again in advance for any further ideas, as this is proving to be an immense challenge!

Thomas
25-10-2003, 01:13 AM
Repair tool here.

http://www.symantec.com/avcenter/venc/data/w95.mtx.html

amitluis
25-10-2003, 07:21 AM
As mentioned above, I have used the repair tool from Symantec but it hasn't managed to get rid of the virus.
Thanks!

Jim B
25-10-2003, 07:47 AM
Did you read the information on this link http://www.pchell.com/virus/mtx.shtml I gave previously? They also say this:

Hopefully, the MTX virus will be out of your system at this point. 90% of the time, I've been able to clean it using this method, however I have experienced a couple systems where the virus would return again and again. I had to reformat these systems to absolutely clean it.

Good luck with cleaning the MTX virus. It is a nasty one that is VERY HARD to get rid of. I hope these instructions help.

amitluis
25-10-2003, 07:57 AM
Hi Jim,
Yes, I did follow those instructions as regards deleting the registry entries and using the fixmtx tool from Symantec. However, I haven't extracted copies of those 3 system files that were recommended and maybe that was the problem? I will try this and post back to let everyone know how I went on.
Any ideas why my 'alt' key is still out of commission though? It's not a physical fault as both 'alt' keys are not working.
Thanks again !!

Thomas
25-10-2003, 10:01 AM
How about giving this mob a go?

http://www.trendmicro.com/en/home/us/enterprise.htm

amitluis
28-10-2003, 11:21 AM
Thanks Thomas, but that took me only to the home page?

Thomas
28-10-2003, 11:50 AM
On the home page is the download facility, or at least it is on mine??

Thomas
28-10-2003, 11:54 AM
Yes, under virus protection, says free online scan.

amitluis
28-10-2003, 11:06 PM
Thanks Thomas, I'm running the scan as I type this. I will also perform the various things suggested by others in the posts above and will let you know how it goes.
However, I still haven't got my 'alt' key to work and I know it's not a 'physical' keyboard problem. Any ideas anyone ?

Kame
29-10-2003, 12:26 PM
amitluis, the files I suggested are infected will continue spreading the virus. There's no tool that can fix these files once infected, apart from removing them and replacing them, because no matter what, the system requires running those files, and when the system runs them, the spreading of the virus continues.

A format would definitely fix the problem. A reinstall could possibly fix the files too if it only uses files found on the CD and does not load any infected files, but it's safer to format.

Or if possible, boot to DOS and fix from there. SafeMode will not work.