hacked by godzilla - Techist - Tech Forum

Old 03-29-2008, 08:37 AM   #1 (permalink)
Newb Techie
 
Join Date: Mar 2008
Posts: 14
Default hacked by godzilla

Hi people, in the heading of my webpage I have something that says "hacked by godzilla". I did a search and nothing really came up. I'm guessing it's a virus and I'm just wondering how I go about deleting it. I have googled it a few times and tried to find out what it is, but I'm not too clever with computers either. Just wondering if anyone knows what it is and how to get rid of it, thanks.

Edit: I have AV anti-virus, Spybot S&D and SUPERAntiSpyware, and I've run them several times; I always get some tracking cookies but it never goes away.
__________________

__________________
glasgowdude is offline  
Old 03-29-2008, 08:57 AM   #2 (permalink)
Newb Techie
 
Join Date: Mar 2008
Posts: 14
Default Re: hacked by godzilla

I just downloaded HijackThis and thought I'd do a scan and post it to maybe help out with my problem. I was going to post in the HijackThis thread but am just putting it here so people can see it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:52:40, on 29/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlworld.com/start
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41B654DC-607D-4FD9-995B-BE2AACDD6B64} - C:\WINDOWS\system32\hjcyqfrf.dll (file missing)
O2 - BHO: (no name) - {47A21CDD-DF1D-4577-B84D-5EB6EABE9607} - C:\WINDOWS\system32\hjcyqfrf.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {CE7ED916-FD46-459D-A6F6-BB5E323E2A8d} - C:\WINDOWS\system32\hjcyqfrf.dll (file missing)
O2 - BHO: (no name) - {DAA19863-8C67-45C4-AE25-7EABFB6129AD} - C:\WINDOWS\system32\byxwv.dll (file missing)
O2 - BHO: (no name) - {F01FFFCF-8474-40D8-AA36-1B71C0B05638} - C:\WINDOWS\system32\hjcyqfrf.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1165172454338
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byxwv - C:\WINDOWS\system32\byxwv.dll (file missing)
O20 - Winlogon Notify: nnnnlkk - nnnnlkk.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 10149 bytes
__________________

__________________
glasgowdude is offline  
Old 03-29-2008, 09:49 AM   #3 (permalink)
Techalicious
 
 
Join Date: Aug 2007
Location: Perth, Australia
Posts: 1,566
Default Re: hacked by godzilla

Is that the computer you are running the website off?

Anyway, go through Osiris's guide and then delete the following:

O2 - BHO: (no name) - {CE7ED916-FD46-459D-A6F6-BB5E323E2A8d} - C:\WINDOWS\system32\hjcyqfrf.dll (file missing)
O2 - BHO: (no name) - {DAA19863-8C67-45C4-AE25-7EABFB6129AD} - C:\WINDOWS\system32\byxwv.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F01FFFCF-8474-40D8-AA36-1B71C0B05638} - C:\WINDOWS\system32\hjcyqfrf.dll (file missing)
O2 - BHO: (no name) - {41B654DC-607D-4FD9-995B-BE2AACDD6B64} - C:\WINDOWS\system32\hjcyqfrf.dll (file missing)
O2 - BHO: (no name) - {47A21CDD-DF1D-4577-B84D-5EB6EABE9607} - C:\WINDOWS\system32\hjcyqfrf.dll (file missing)
O20 - Winlogon Notify: nnnnlkk - nnnnlkk.dll (file missing)
O20 - Winlogon Notify: byxwv - C:\WINDOWS\system32\byxwv.dll (file missing)


O4 - Global Startup: Digital Line Detect.lnk = ? ****(May be safe but can be deleted)



If you're still having problems after removing them and going through the guide, post back.
__________________
Back to stay?
Redmo0n is offline  
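The eight O2 and O20 entries listed in the post above all carry HijackThis's "(file missing)" or "(no file)" marker, meaning the registration outlived the DLL it pointed to. As an added example (not part of the thread), this Python sketch pulls such entries out of a log and groups them by file name; the sample lines are copied from the log in post #2, and the function names are hypothetical.

```python
import ntpath
import re

# HijackThis entry: "<section> - <body>", e.g. "O2 - BHO: name - {CLSID} - path"
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
ORPHAN_RE = re.compile(r"\s*\((?:file missing|no file)\)$")
# Sections whose DLLs load into Internet Explorer (O2) or winlogon.exe (O20)
LOADER_SECTIONS = {"O2": "Browser Helper Object", "O20": "Winlogon Notify"}

# Lines copied from the log posted earlier in this thread
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41B654DC-607D-4FD9-995B-BE2AACDD6B64} - C:\WINDOWS\system32\hjcyqfrf.dll (file missing)
O2 - BHO: (no name) - {47A21CDD-DF1D-4577-B84D-5EB6EABE9607} - C:\WINDOWS\system32\hjcyqfrf.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {DAA19863-8C67-45C4-AE25-7EABFB6129AD} - C:\WINDOWS\system32\byxwv.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byxwv - C:\WINDOWS\system32\byxwv.dll (file missing)
O20 - Winlogon Notify: nnnnlkk - nnnnlkk.dll (file missing)
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
"""

def orphaned_loaders(log_text):
    """Return (section, kind, target) for O2/O20 entries whose file is gone."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group(1) not in LOADER_SECTIONS:
            continue
        section, body = m.groups()
        if not ORPHAN_RE.search(body):
            continue
        # The last " - " field is the file path, or just the "(no file)" marker
        target = ORPHAN_RE.sub("", body.rsplit(" - ", 1)[-1])
        findings.append((section, LOADER_SECTIONS[section], target or None))
    return findings

def registrations_per_file(findings):
    """Map each missing file name to the sections that still reference it."""
    by_file = {}
    for section, _kind, target in findings:
        name = ntpath.basename(target).lower() if target else "(no file)"
        by_file.setdefault(name, []).append(section)
    return by_file

if __name__ == "__main__":
    for name, sections in registrations_per_file(orphaned_loaders(SAMPLE_LOG)).items():
        print(f"{name}: still registered under {', '.join(sections)}")
```

The O23 service line with a missing file is deliberately left out, since the filter only covers the two sections the post's list draws from.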
Old 03-29-2008, 10:06 AM   #4 (permalink)
Newb Techie
 
Join Date: Mar 2008
Posts: 14
Default Re: hacked by godzilla

Yes, I'm using this computer at the moment. I bought it from my friend for a reasonable price (it's just a pity I've spent two days doing all sorts of scans). Do I just delete those from HijackThis and also go through the guide? Thanks, I'll give this a bash and see how it goes.
__________________
glasgowdude is offline  
Old 03-29-2008, 10:20 AM   #5 (permalink)
Techie Beyond Description
 
 
Join Date: Jan 2005
Location: Kentucky
Posts: 36,817
Default Re: hacked by godzilla

  1. Double-click the My Computer icon on the Desktop and select Tools --> Folder Options
  2. When Folder Options opens, click the View tab
  3. Check Show Hidden files and folders
  4. Uncheck Hide extension… and Hide protected operating system file
  5. Click OK
  6. Press Ctrl+Alt+Delete. The Windows Task Manager will display. Click the Processes tab
  7. Click menu Image Name (to sort files)
  8. Select wscript.exe (one by one)
  9. Click the End Process button
  10. Open the drive (by right-clicking and selecting Explore. Must not double-click!) Delete autorun.inf and MS32DLL.dll.vbs (press Shift+Delete) on all drives, including Handy Drive and floppy disk.
  11. Open the folder C:\WINDOWS to delete MS32DLL.dll.vbs inside (press Shift+Delete)
  12. Go to Start --> Run, enter regedit and click OK. The Registry Editor dialog will display.
  13. Select HKEY_LOCAL_MACHINE --> Software --> Microsoft --> Windows --> Current Version --> Run to delete MS32DLL (press the Delete key on the keyboard)
  14. Select HKEY_CURRENT_USER --> Software --> Microsoft --> Internet Explorer --> Main to delete Window Title “Hacked by Godzilla” (press the Delete key on the keyboard)
  15. Click Start --> Run, enter gpedit.msc and click OK. The Group Policy dialog will display.
  16. Select User Configuration --> Administrative Templates --> System --> double-click Turn Off Autoplay, then Turn Off Autoplay Properties will display
  17. Select Enabled
  18. Select All drives
  19. Click OK
  20. This is to prevent auto-open when we insert a CD or plug in the Handy Drive, which is the way the virus infects.
  21. Click Start --> Run, enter msconfig and click OK. The System Configuration Utility dialog will display
  22. Click the Startup tab
  23. Uncheck MS32DLL
  24. Click Apply
  25. Click OK (or Close)
  26. When the System Configuration dialog displays, select Exit Without Restart
  27. Double-click the My Computer icon on the Desktop. Then select Tools --> Folder Options
  28. On the Folder Options dialog select the View tab
  29. Check Hide extension… and Hide protected operating system file
  30. Click OK
  31. Right-click the Recycle Bin. Then select Empty Recycle Bin to make sure the virus is deleted.
__________________
Osiris is offline  
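The registry values removed in steps 13 and 14 and the Autoplay policy set in steps 15 to 19 can be checked read-only against a registry export, before and after the cleanup. This is an added example, not part of the thread: the export text is constructed, the Run command path is taken from step 11, and the assumption is that "Turn Off Autoplay / All drives" is stored as NoDriveTypeAutoRun = 0xFF under the HKCU Policies\Explorer key.

```python
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.+)$')
# Keys named in steps 13 and 14; the policy key behind steps 15-19 is an assumption
RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
IE_MAIN = r"hkey_current_user\software\microsoft\internet explorer\main"
POLICY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer"

# Constructed sample of a .reg export from a machine in the state the steps describe
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MS32DLL"="C:\\WINDOWS\\MS32DLL.dll.vbs"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"="Hacked by Godzilla"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""

def parse_reg(text):
    """Parse .reg export text into {lowercased key path: {value name: raw data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key, val = KEY_RE.match(line), VAL_RE.match(line)
        if key:
            current = keys.setdefault(key.group(1).lower(), {})
        elif val and current is not None:
            current[val.group(1)] = val.group(2)
    return keys

def audit(text):
    """Return (check, detail) pairs for the three things the cleanup steps touch."""
    keys, findings = parse_reg(text), []
    for name, data in keys.get(RUN, {}).items():
        cmd = data.strip('"').replace("\\\\", "\\")  # undo .reg backslash escaping
        if re.search(r"wscript|\.(vbs|vbe|js|jse)\b", cmd, re.I):
            findings.append(("run_script", f"{name} -> {cmd}"))
    title = keys.get(IE_MAIN, {}).get("Window Title")
    if title:
        findings.append(("ie_window_title", title.strip('"')))
    mask = keys.get(POLICY, {}).get("NoDriveTypeAutoRun", "")
    if mask.lower() != "dword:000000ff":
        findings.append(("autoplay_not_off_for_all_drives", mask or "not set"))
    return findings
```

Version 5.00 exports are UTF-16 on disk, so decode the file before passing its text to `audit`.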
Old 03-29-2008, 10:38 AM   #6 (permalink)
Newb Techie
 
Join Date: Mar 2008
Posts: 14
Default Re: hacked by godzilla

Press Ctrl+Alt+Delete. The Windows Task Manager will display. Click at Processes tab
Click menu Image Name (to sort Files)

I have followed your steps up till there. I opened Task Manager and clicked the Processes tab but I don't see the menu Image Name bit. Would it be under a different name? Oops, never mind, I found what you meant.
__________________
glasgowdude is offline  
Old 03-29-2008, 10:41 AM   #7 (permalink)
Newb Techie
 
Join Date: Mar 2008
Posts: 14
Default Re: hacked by godzilla

Sorry, I don't seem to have any files named wscript.exe.

Edit: I also don't have any files named MS32DLL.dll. I do have one called msdos.sys, would that be it?
__________________
glasgowdude is offline  
Old 03-29-2008, 10:58 AM   #8 (permalink)
Newb Techie
 
Join Date: Mar 2008
Posts: 14
Default Re: hacked by godzilla

On step 13, I followed that and again there was no file named MS32DLL. Do I just continue, or would it be named something else?

Edit: again, I followed step 14 and there was no file named "hacked by godzilla" :@

Edit: step 15, I typed that into Run and it came up "name not recognised". Any ideas on that?

P.S. Sorry if I'm a pain in the butt.
__________________
glasgowdude is offline  
Old 03-29-2008, 11:09 AM   #9 (permalink)
Techie Beyond Description
 
 
Join Date: Jan 2005
Location: Kentucky
Posts: 36,817
Default Re: hacked by godzilla

Run CCleaner and CleanUp!, then go through msconfig > Startup and uncheck everything but your antivirus and reboot, then post me a new HijackThis log.
__________________
Osiris is offline  
Old 03-29-2008, 11:17 AM   #10 (permalink)
Newb Techie
 
Join Date: Mar 2008
Posts: 14
Default Re: hacked by godzilla

I just followed Redmo0n's advice and closed all windows and deleted all the things he said, and when I opened a new window it seems to have disappeared.
OK, I'll run CC. Should I redo steps 3 and 4 again or will it be OK?

I meant to say I had a file called autorun.inf that I also deleted going through your step guide.
__________________

__________________
glasgowdude is offline  
All times are GMT -5.