hacked by godzilla

Status
Not open for further replies.

glasgowdude

Hi people, in the heading of my webpage I have something that says "hacked by godzilla". I did a search and nothing really came up. I'm guessing it's a virus and I'm just wondering how I go about deleting it. I have googled it a few times and tried to find out what it is, but I'm not too clever with computers either. Just wondering if anyone knows what it is and how to get rid of it, thanks.

Edit: I have av anti-virus and Spybot S&D and SUPERAntiSpyware, and I've run them several times. I always get some tracking cookies, but it never goes away.
 
I just downloaded HijackThis and thought I'd do a scan and post it to maybe help out with my problem. I was going to post in the HijackThis thread but am just putting it here so people can see it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:52:40, on 29/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlworld.com/start
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41B654DC-607D-4FD9-995B-BE2AACDD6B64} - C:\WINDOWS\system32\hjcyqfrf.dll (file missing)
O2 - BHO: (no name) - {47A21CDD-DF1D-4577-B84D-5EB6EABE9607} - C:\WINDOWS\system32\hjcyqfrf.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {CE7ED916-FD46-459D-A6F6-BB5E323E2A8d} - C:\WINDOWS\system32\hjcyqfrf.dll (file missing)
O2 - BHO: (no name) - {DAA19863-8C67-45C4-AE25-7EABFB6129AD} - C:\WINDOWS\system32\byxwv.dll (file missing)
O2 - BHO: (no name) - {F01FFFCF-8474-40D8-AA36-1B71C0B05638} - C:\WINDOWS\system32\hjcyqfrf.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165172454338
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byxwv - C:\WINDOWS\system32\byxwv.dll (file missing)
O20 - Winlogon Notify: nnnnlkk - nnnnlkk.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 10149 bytes
 
Is that the computer you are running the website off?

Anyway go through osiris's guide and then delete the following:

O2 - BHO: (no name) - {CE7ED916-FD46-459D-A6F6-BB5E323E2A8d} - C:\WINDOWS\system32\hjcyqfrf.dll (file missing)
O2 - BHO: (no name) - {DAA19863-8C67-45C4-AE25-7EABFB6129AD} - C:\WINDOWS\system32\byxwv.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F01FFFCF-8474-40D8-AA36-1B71C0B05638} - C:\WINDOWS\system32\hjcyqfrf.dll (file missing)
O2 - BHO: (no name) - {41B654DC-607D-4FD9-995B-BE2AACDD6B64} - C:\WINDOWS\system32\hjcyqfrf.dll (file missing)
O2 - BHO: (no name) - {47A21CDD-DF1D-4577-B84D-5EB6EABE9607} - C:\WINDOWS\system32\hjcyqfrf.dll (file missing)
O20 - Winlogon Notify: nnnnlkk - nnnnlkk.dll (file missing)
O20 - Winlogon Notify: byxwv - C:\WINDOWS\system32\byxwv.dll (file missing)


O4 - Global Startup: Digital Line Detect.lnk = ? ****(May be safe but can be deleted)



If you're still having problems after removing them and going through the guide, post back :)
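The triage in the reply above (O2 and O20 entries whose target is marked "(file missing)" or "(no file)") can be reproduced mechanically. This is an added example, not part of the original thread or of HijackThis; the function name `orphaned_entries` is hypothetical and the sample lines are copied from the log posted above.

```python
import re
from collections import defaultdict

# HijackThis appends one of these markers when the registered file is gone.
MARKER = re.compile(r"\s*\((file missing|no file)\)$", re.IGNORECASE)
SECTION = re.compile(r"^(O\d+) - ")

# Lines taken from the log in this thread (one healthy entry per section kept
# for contrast).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41B654DC-607D-4FD9-995B-BE2AACDD6B64} - C:\WINDOWS\system32\hjcyqfrf.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {DAA19863-8C67-45C4-AE25-7EABFB6129AD} - C:\WINDOWS\system32\byxwv.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byxwv - C:\WINDOWS\system32\byxwv.dll (file missing)
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
"""

def orphaned_entries(log_text, sections=("O2", "O20")):
    """Group entries whose target file is gone, keyed by that target.

    Grouping shows when one missing DLL is registered at several load
    points (here byxwv.dll is both a BHO and a Winlogon Notify package).
    """
    groups = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        sec = SECTION.match(line)
        if not sec or sec.group(1) not in sections:
            continue
        if not MARKER.search(line):
            continue
        # The target is the last " - " separated field, minus the marker.
        target = MARKER.sub("", line.rsplit(" - ", 1)[1]) or "(no file)"
        groups[target.lower()].append(line)
    return dict(groups)

if __name__ == "__main__":
    for target, lines in orphaned_entries(SAMPLE_LOG).items():
        print(target)
        for entry in lines:
            print("   ", entry)
```

The default sections match the ones listed in the reply; the O23 service entry that is also marked "(file missing)" is only reported when `sections` includes `"O23"`.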
 
Yes, I'm using this computer at the moment. I bought it from my friend for a reasonable price :) (it's just a pity I've spent two days doing all sorts of scans). Do I just delete those from HijackThis and also go through the guide? Thanks, I'll give this a bash and see how it goes.
 
  1. Double-click the My Computer icon on the Desktop and select Tools --> Folder Options
  2. When Folder Options opens, click the View tab
  3. Check Show hidden files and folders
  4. Uncheck Hide extension… and Hide protected operating system files
  5. Click OK
  6. Press Ctrl+Alt+Delete. The Windows Task Manager will display. Click the Processes tab
  7. Click the Image Name column header (to sort the files)
  8. Select wscript.exe (one by one)
  9. Click the End Process button
  10. Open each drive (by right-clicking and selecting Explore. Must not double-click!). Delete autorun.inf and MS32DLL.dll.vbs (press Shift+Delete) in all drives, including Handy Drive and floppy disk.
  11. Open the folder C:\WINDOWS to delete MS32DLL.dll.vbs inside (press Shift+Delete)
  12. Go to Start --> Run, enter regedit and click OK. The Registry Editor dialog will display.
  13. Select HKEY_LOCAL_MACHINE --> Software --> Microsoft --> Windows --> Current Version --> Run to delete MS32DLL (press the Delete key on the keyboard)
  14. Select HKEY_CURRENT_USER --> Software --> Microsoft --> Internet Explorer --> Main to delete Window Title “Hacked by Godzilla” (press the Delete key on the keyboard)
  15. Click Start --> Run, enter gpedit.msc and click OK. The Group Policy dialog will display.
  16. Select User Configuration --> Administrative Templates --> System --> double-click Turn Off Autoplay, then Turn Off Autoplay Properties will display
  17. Select Enabled
  18. Select All drives
  19. Click OK
  20. This is to prevent auto-open when we insert a CD or plug in the Handy Drive, which is the way the virus infects.
  21. Click Start --> Run, enter msconfig and click OK. The System Configuration Utility dialog will display
  22. Click the Startup tab
  23. Uncheck MS32DLL
  24. Click Apply
  25. Click OK (or Close)
  26. When the System Configuration dialog displays, select Exit Without Restart
  27. Double-click the My Computer icon on the Desktop. Then select Tools --> Folder Options
  28. On the Folder Options dialog select the View tab
  29. Check Hide extension… and Hide protected operating system files
  30. Click OK
  31. Right-click the Recycle Bin. Then select Empty Recycle Bin to make sure the virus is deleted.
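Step 10 above has to be repeated on every drive, so a scripted check for autorun.inf files and the commands they launch is a useful verification afterwards. This is an added example, not part of the original post; the function names are hypothetical and the sample autorun.inf content is constructed for illustration, not copied from an infected drive.

```python
import re
import tempfile
from pathlib import Path

# Keys in the [autorun] section that make Windows launch something.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# Script hosts and script extensions; MS32DLL.dll.vbs from the steps is a .vbs.
SCRIPTED = re.compile(r"\b[wc]script(\.exe)?\b|\.(vbs|vbe|js|jse|wsf)\b", re.I)

# Constructed sample content (assumption, for demonstration only).
SAMPLE_INF = "[autorun]\nicon=setup.ico\nshellexecute=wscript.exe MS32DLL.dll.vbs\n"

def launch_commands(inf_text):
    """Return (key, command) pairs from the [autorun] section only."""
    pairs, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEY.match(key):
                pairs.append((key.lower(), value))
    return pairs

def scan_roots(roots):
    """Return (file, key, command, scripted) for autorun.inf in each root."""
    findings = []
    for root in map(Path, roots):
        for p in root.iterdir():  # lists hidden files too
            if p.is_file() and p.name.lower() == "autorun.inf":
                text = p.read_text(errors="replace")
                for key, cmd in launch_commands(text):
                    findings.append((str(p), key, cmd, bool(SCRIPTED.search(cmd))))
    return findings

def demo():
    """Run the scan over a temporary directory holding the sample file."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "AUTORUN.INF").write_text(SAMPLE_INF)
        return [(k, c, s) for _, k, c, s in scan_roots([d])]

if __name__ == "__main__":
    print(demo())
```

On a real system, pass the drive roots to `scan_roots`, for example `["C:\\", "D:\\"]`; an entry with `scripted` set to True means the drive still launches a script when opened.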
 
Press Ctrl+Alt+Delete. The Windows Task Manager will display. Click the Processes tab
Click menu Image Name (to sort files)

I have followed your steps up until there. I opened Task Manager and clicked the Processes tab, but I don't see the menu Image Name bit? Would it be under a different name? Oops, never mind, I found what you meant.
 
Sorry, I don't seem to have any files named wscript.exe.

Edit: I also don't have any files named MS32DLL.dll. I do have one called msdos.sys, would that be it?
 
On step 13 I followed that and again there was no file named MS32DLL. Do I just continue, or would it be named something else?

Edit: again I followed step 14 and there was no file named Hacked by Godzilla :mad:

Edit: step 15, I typed that into Run and it came up name not recognised. Any ideas on that?

P.S. Sorry if I'm a pain in the butt.
 
Run CCleaner, CleanUp! and go through msconfig > Startup and uncheck everything but your antivirus and reboot, then post me a new HijackThis log.
 
I just followed redoom's advice and closed all windows and deleted all the things he said, and when I opened a new window it seems to have disappeared.
OK, I'll run CC. Should I redo steps 3 and 4 again or will it be OK?

I meant to say I had a file called autorun.inf that I also deleted going through your step guide.
 