Welcome to MalwareRemoval.com
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Dastardly Hijacking Malware, Ahoy

Post by glance left » March 6th, 2009, 11:00 am

OK.....I have been summarily reprimanded for going rogue in newbie fashion and trying to apply ComboFix on my own without first going through the preliminary steps outlined in the forum here.
:oops: :joker:

I apologize, recognizing I could have damaged my system. I am now in line.

Here was my situation. My browser, Firefox more than Explorer, was being hijacked relentlessly with sometimes 8...10...and more multiple windows opening up to random advertisement sites. Also, my computer became ridiculously slow...sounding like it was constantly grinding away at some internal problem like it was "lost in thought" or something. :drunken: :bom:

I tried Spy Doctor and Ad Aware.....nothing...the problem persisted even though Spy Doctor does find infections with each scan and removes them according to its log.

On an impulsive whim, I followed the instructions on another forum for someone who appeared to have the exact same problem....downloaded ComboFix and decided (foolishly) to run it on my own. Luckily, it seems to have fixed the problem....no more hijacking! However, having misgivings about my impulsivity and realizing there may still be residual infections, I came here.

Here is the Hijack This report (done AFTER the Combo Fix....sorry) and here is the Combo Fix log as well, respectively.

I apologize again and will implicitly follow directions from now on. *bows low enough to kiss the floor*

Hijack This log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:42 AM, on 3/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\HP\HP Mouse\panel.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Registration Brothers In Arms.LNK = E:\support\register\RegistrationReminder.exe
O4 - Startup: Registration Myst Uru
O4 - Startup: Registration Myst V
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: NewShortcut1.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 9416 bytes


And now, the ComboFix log...again, done before the Hijack This analysis...

ComboFix 09-03-04.01 - Compaq_Owner 2009-03-05 16:34:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.82 [GMT -6:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\bqpldg.dll
c:\windows\system32\chfefa.dll
c:\windows\system32\cuapophw.dll
c:\windows\system32\cxyngwxm.dll
c:\windows\system32\DKTwHRqr.ini
c:\windows\system32\DKTwHRqr.ini2
c:\windows\system32\fealbmic.ini
c:\windows\system32\gonpidwl.ini
c:\windows\system32\gpmecvum.dll
c:\windows\system32\iosahxvt.dll
c:\windows\system32\iqwuxetk.ini
c:\windows\system32\jkmryl.dll
c:\windows\system32\kipqlhhc.ini
c:\windows\system32\ktexuwqi.dll
c:\windows\system32\lxfiegfy.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\mgdsxqhu.ini
c:\windows\system32\MSVolume.dll
c:\windows\system32\muvcempg.ini
c:\windows\system32\mxwgnyxc.ini
c:\windows\system32\njslbeyu.ini
c:\windows\system32\nlewwxgx.ini
c:\windows\system32\nmeyil.dll
c:\windows\system32\onctmppc.ini
c:\windows\system32\oyowrdrj.ini
c:\windows\system32\pleewk.dll
c:\windows\system32\pljtotni.dll
c:\windows\system32\pynvubjf.dll
c:\windows\system32\qhjetmpg.ini
c:\windows\system32\qxalkyak.dll
c:\windows\system32\riluki.dll
c:\windows\system32\tgzgpq.dll
c:\windows\system32\twznwf.dll
c:\windows\system32\txkxdb.dll
c:\windows\system32\ujnmfmxn.ini
c:\windows\system32\vaintetl.ini
c:\windows\system32\vdpnsskm.dll
c:\windows\system32\vsugdtrk.dll
c:\windows\system32\vwrindnv.ini
c:\windows\system32\wpvbppog.ini
c:\windows\system32\xwhqkhdn.ini
c:\windows\system32\yfgeifxl.ini
c:\windows\system32\yjpelfre.ini
c:\windows\Tasks\wftdbbya.job
c:\windows\wiaserviv.log
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-02-05 to 2009-03-05 )))))))))))))))))))))))))))))))
.

2009-03-05 13:29 . 2009-03-05 13:30 <DIR> d-------- c:\program files\ATI Technologies
2009-03-05 13:29 . 2004-11-03 21:10 516,096 --------- c:\windows\system32\ati2sgag.exe
2009-03-05 13:29 . 2004-12-20 15:30 294,912 -ra------ c:\windows\system32\atiiiexx.dll
2009-03-05 13:29 . 2004-12-20 15:30 192,512 -ra------ c:\windows\system32\ATIDEMGR.dll
2009-03-05 13:29 . 2004-12-20 15:30 9,054 -ra------ c:\windows\system32\atifglpf.xml
2009-03-05 13:05 . 2009-03-05 13:05 23,392 --a------ c:\windows\system32\nscompat.tlb
2009-03-05 13:05 . 2009-03-05 13:05 16,832 --a------ c:\windows\system32\amcompat.tlb
2009-03-05 12:42 . 2009-03-05 12:42 10 --a------ c:\windows\WININIT.INI
2009-03-01 21:25 . 2009-03-01 21:25 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-02-24 09:16 . 2009-02-24 09:16 38,208 --a------ c:\windows\system32\drivers\TfSysMon.sys
2009-02-24 09:16 . 2009-02-24 09:16 33,088 --a------ c:\windows\system32\drivers\TfNetMon.sys
2009-02-24 09:15 . 2009-02-24 09:15 51,520 --a------ c:\windows\system32\drivers\TfFsMon.sys
2009-02-24 09:15 . 2009-02-24 09:15 12,608 --a------ c:\windows\system32\drivers\TfKbMon.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-05 22:49 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-05 22:42 --------- d-----w c:\program files\Steam
2009-03-05 22:22 --------- d-----w c:\program files\Spyware Doctor
2009-03-05 22:07 --------- d-----w c:\program files\Lavasoft
2009-03-05 22:07 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-05 21:33 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Skype
2009-03-05 19:30 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-05 19:10 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\skypePM
2009-03-05 19:05 --------- d-----w c:\program files\Yahoo!
2009-03-05 19:01 --------- d-----w c:\program files\Windows Media Connect 2
2009-03-05 18:58 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-05 18:56 --------- d-----w c:\program files\Common Files\Real
2009-03-05 18:53 --------- d-----w c:\program files\WildTangent
2009-03-05 18:53 --------- d-----w c:\program files\Puppy Luv
2009-03-05 18:52 --------- d-----w c:\documents and settings\All Users\Application Data\ATI MMC
2009-03-05 18:50 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-05 18:48 --------- d-----w c:\program files\Quicken
2009-03-05 18:47 --------- d-----w c:\program files\Electronic Arts
2009-03-05 18:47 --------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
2009-03-05 18:46 --------- d-----w c:\program files\ValuSoft
2009-02-25 04:37 --------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-02-02 15:55 --------- d-----w c:\program files\Barbie(R) idesign(TM) Ultimate Stylist(TM)
2009-01-31 16:32 66,952 ----a-w c:\windows\system32\drivers\iksysflt.sys
2009-01-31 16:31 81,288 ----a-w c:\windows\system32\drivers\iksyssec.sys
2009-01-31 16:31 40,840 ----a-w c:\windows\system32\drivers\ikfilesec.sys
2009-01-31 16:15 --------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-01-27 21:57 --------- d-----w c:\program files\Common Files\PC Tools
2009-01-27 21:48 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\PC Tools
2009-01-27 21:41 --------- d-----w c:\program files\Common Files\Download Manager
2009-01-19 22:55 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\BFGTOOLBAR
2009-01-19 15:15 --------- d-----w c:\program files\AdwarePro
2009-01-18 21:30 64,160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-01-15 14:37 --------- d-----w c:\documents and settings\All Users\Application Data\PCPitstop
2009-01-15 04:10 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Move Networks
2009-01-11 20:27 --------- d-----w c:\program files\Google
2009-01-10 23:01 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Apple Computer
2009-01-10 21:41 --------- d-----w c:\program files\Bonjour
2009-01-10 21:40 --------- d-----w c:\program files\iTunes
2009-01-10 21:40 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-10 21:39 --------- d-----w c:\program files\iPod
2009-01-10 21:39 --------- d-----w c:\program files\Common Files\Apple
2009-01-10 21:37 --------- d-----w c:\program files\QuickTime
2009-01-10 21:13 --------- d-----w c:\program files\Safari
2008-03-09 21:37 0 ----a-w c:\program files\temp01
2006-10-08 14:38 8,808 ----a-w c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2005-05-18 05:09 774,144 ----a-w c:\program files\RngInterstitial.dll
2005-05-11 06:01 56 --sh--r c:\windows\system32\1B42EE0825.sys
2008-08-13 13:05 88 --sh--r c:\windows\system32\2508EE421B.sys
2008-08-13 13:05 2,516 --sha-w c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2005-06-10 18:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 06:00 57856 7435b108b935e42ea92ca94f59c8e717 c:\windows\$NtUninstallKB896423$\spoolsv.exe
2008-04-13 18:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe
2005-06-10 17:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f c:\windows\system32\spoolsv.exe
2005-06-10 17:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f c:\windows\system32\dllcache\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"Steam"="c:\program files\Steam\Steam.exe" [2008-12-14 1410296]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-25 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-12 98304]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-01-31 1168264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-03 344064]
"VTTimer"="VTTimer.exe" [2004-10-22 c:\windows\system32\VTTimer.exe]
"SiSPower"="SiSPower.dll" [2004-09-24 c:\windows\system32\SiSPower.dll]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 c:\windows\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-09-22 692224]
NewShortcut1.lnk - c:\program files\HP\HP Mouse\panel.exe [2007-06-05 233472]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-05-29 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JDCT"= jl_jdct.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\SteamApps\\glance_left\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:c:\\Program Files\\Internet Content Filter\\TheApp.exe

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-19 64160]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-02-24 51520]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-02-24 38208]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-01-27 160792]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-27 356920]
R3 HidMouse;HidMouse;c:\windows\system32\drivers\HidMouse.sys [2007-06-05 29184]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-02-24 33088]
R3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
S3 ldiskl;ldiskl;\??\c:\docume~1\COMPAQ~1\LOCALS~1\Temp\ldiskl.sys --> c:\docume~1\COMPAQ~1\LOCALS~1\Temp\ldiskl.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
Contents of the 'Scheduled Tasks' folder

2009-03-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-03-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{D1499A38-1DC5-4EE7-B54A-7873687FD3F1} - c:\windows\system32\rqRHwTKD.dll
HKCU-Run-PhotoShow Deluxe Media Manager - c:\progra~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKCU-Run-AdwareProMFCT - c:\program files\AdwarePro\StartApp.exe
Notify-cattcp - c:\windows\java\cattcp.dll
Notify-vgabas - c:\windows\java\trustlib\vgabas.dll
Notify-wvUkHBtr - wvUkHBtr.dll


.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\senk26dn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.firefox.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\senk26dn.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npWTHost.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-05 16:45:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll
c:\program files\Spyware Doctor\TFEngine\TFNI.dll

- - - - - - - > 'lsass.exe'(732)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
c:\program files\Spyware Doctor\TFEngine\TFWAH.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PSIService.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\Common Files\Symantec Shared\Security Center\symwsc.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
c:\program files\Spyware Doctor\TFEngine\TFService.exe
c:\windows\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\update\update.exe
.
**************************************************************************
.
Completion time: 2009-03-05 16:57:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-05 22:57:35

Pre-Run: 157,649,858,560 bytes free
Post-Run: 157,417,771,008 bytes free

283 --- E O F --- 2009-01-15 09:02:21
glance left
Active Member
 
Posts: 3
Joined: March 5th, 2009, 7:15 pm
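Added example (not part of the thread, and not code from HijackThis, ComboFix or MalwareRemoval.com): a small triage script that reads lines in the two log formats posted above and flags the entries a helper typically asks about first. The sample lines are constructed here to mirror shapes seen in the logs: an O9/O24 entry whose target is "(no file)", a Global Startup shortcut with an unresolved target, the same command registered under two different Run value names, a Security Center key with antivirus notifications turned off, a firewall profile with EnableFirewall set to 0, and a per-drive AutoRun command under mountpoints2. A hit is a prompt for review, not a verdict; duplicate Run entries in particular are often left behind by ordinary installers.

```python
import re

# Constructed sample input, shaped like the HijackThis (HJT) lines in the thread.
SAMPLE_HJT = """\
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\\Program Files\\Google\\Google Toolbar\\GoogleToolbar.dll
O4 - HKLM\\..\\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\\..\\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - Global Startup: NewShortcut1.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O24 - Desktop Component 0: Privacy Protection - (no file)
"""

# Constructed sample input, shaped like ComboFix's "Reg Loading Points" section.
SAMPLE_COMBOFIX_REG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\D]
\\Shell\\AutoRun\\command - c:\\windows\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
"""

# "O4 - ..." / "R1 - ..." : section code, then the entry body.
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O4 Run-key body: HKLM\..\Run: [ValueName] command
RUN_KEY = re.compile(r"^HK(LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


def triage_hijackthis(text):
    """Return (section, reason, detail) tuples for HJT entries worth a second look."""
    findings = []
    run_cmds = {}  # command -> list of Run value names that launch it
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if body.endswith("(no file)"):
            findings.append((section, "target file missing (orphaned entry)", line))
        elif body.endswith("= ?"):
            findings.append((section, "startup shortcut with unresolved target", line))
        if section == "O4":
            r = RUN_KEY.match(body)
            if r:
                run_cmds.setdefault(r.group("cmd"), []).append(r.group("name"))
    for cmd, names in run_cmds.items():
        if len(names) > 1:
            findings.append(("O4", "same command under %d Run value names" % len(names), cmd))
    return findings


def triage_combofix_registry(text):
    """Return (registry key, reason) tuples for weakened-protection settings."""
    findings = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]  # new registry key header
            continue
        key_l = (current_key or "").lower()
        if ("security center" in key_l and line.startswith('"AntiVirusDisableNotify"')
                and line.endswith("dword:00000001")):
            findings.append((current_key, "Security Center antivirus notifications disabled"))
        elif ("firewallpolicy" in key_l and line.startswith('"EnableFirewall"')
                and re.search(r"=\s*0\b", line)):
            findings.append((current_key, "Windows Firewall disabled for this profile"))
        elif "mountpoints2" in key_l and "\\shell\\autorun\\command" in line.lower():
            findings.append((current_key, "AutoRun command registered for a drive letter"))
    return findings


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_HJT):
        print("HJT", f)
    for f in triage_combofix_registry(SAMPLE_COMBOFIX_REG):
        print("ComboFix", f)
```

The two parsers are deliberately line-oriented because both tools emit one entry per line; the only state kept is the current `[key]` header in the ComboFix section, which is what decides how a following `"Name"=value` line is interpreted.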

Re: Dastardly Hijacking Malware, Ahoy

Post by muppy03 » April 5th, 2009, 2:04 am

Hello and welcome to the Malware Removal Forums

I will be assisting you with your Malware issues. If you still require help please post a New HJT log along with an uninstall list as explained below.

IMPORTANT

  • Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean!
  • If you have any questions or are unsure in any way, please let me know. I will try my best to help you!
  • Please reply to this thread. Do not start a new topic.
  • As I am still in training, everything that I post to you must be checked by one of the teachers. Therefore, there may be a slight delay between posts.

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Save the file to your desktop.

Please post this log in your next reply along with a NEW HJT log.
muppy03
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: Dastardly Hijacking Malware, Ahoy

Post by NonSuch » April 9th, 2009, 11:19 pm

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
NonSuch
Administrator
 
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California
