Computer Has Been Hijacked

Posted on 2004-11-03
Medium Priority
Last Modified: 2010-04-12
I know I had the ads 234 sypware and have tried to remove everything associated with it but think there's still spyware lurking. I have my hijackthis.log
ogfile of HijackThis v1.98.2
Scan saved at 11:53:02 AM, on 11/03/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\BroadGun Software\pdfMachine\mapisnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\System Soap Pro\soap.exe
C:\Documents and Settings\MWA\Application Data\autp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Documents and Settings\MWA\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: mwasql01
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {34F86A70-9764-2396-825A-625504807816} - C:\WINDOWS\System32\ifrxr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: psic Class - {B6598677-4B54-42A9-BA67-8B64E3FCD92D} - C:\WINDOWS\System32\psic1.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\MWA\Local Settings\Temp\4bHq.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCONSET] regedit /s "C:\Program Files\ThinkPad\ConnectUtilities\bconprof.reg"
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [pdfMachine dispatcher] c:\Program Files\BroadGun Software\pdfMachine\mapisnd.exe -printer="pdfMachine" -port="PDFPORT1:"
O4 - HKLM\..\Run: [Apply Upgrades] c:\mwa\fx\aplup.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MemScanner] C:\Program Files\Enigma Software Group\SpyHunter\MemScanner.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [7F7O3me] ircmonui.exe
O4 - HKLM\..\Run: [e4bcfefd6914] C:\WINDOWS\System32\ati3d2ag.exe
O4 - HKLM\..\Run: [3SAHCS#4MABT@T] C:\WINDOWS\System32\Reyd5kLs.exe
O4 - HKLM\..\Run: [bdsl1k] C:\WINDOWS\System32\bdsl1k.exe
O4 - HKLM\..\Run: [etn] C:\WINDOWS\System32\etn.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - HKCU\..\Run: [System Soap Pro] C:\Program Files\System Soap Pro\soap.exe min
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\The Weather Channel.exe
O4 - HKCU\..\Run: [Uahe] C:\Documents and Settings\MWA\Application Data\autp.exe
O4 - HKCU\..\Run: [Jsqtx] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: triptriv.exe.lnk = C:\mwa\tripprom\triptriv.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: woodmenu.exe.lnk = C:\MWA\Menu\woodmenu.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .zip: c:\PROGRA~1\PKWARE\PKZIPP\nppkzip.dll
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {38911EED-5726-41B4-9612-265534EC7A13} (Address Magic Web Edition Download Stub) - http://www.returnpath.net/ecoaservices/address_book/WebEdition.cab
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O16 - DPF: {999715EC-EDC8-44A7-8521-17A2EC4A755B} - http://download-ak.systemsoap.com/instilla/systemsoap/instilla.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwebinstall/includes/vzWebIns.CAB
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4383/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

Question by:Becky_Hickenbottom
LVL 65

Accepted Solution

SheharyaarSaahil earned 375 total points
ID: 12485059
Hello Becky_Hickenbottom =)

Plzz post ur log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix the entries which it labels as Nasty :)
To Fix, check the lines in Hijackthis scan and click on Fix Checked !!

HJT Log Tutoriol >> http://aumha.org/a/hjttutor.php

CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)
LVL 65

Expert Comment

ID: 12485073
and then Download these tools and install them !!

AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
Peperfix.exe >> http://downloads.subratam.org/PeperFix.exe
Stinger ==> http://vil.nai.com/vil/stinger

Turn off ur System Restore >> http://www.pchell.com/virus/systemrestore.shtml
Then Disable ur Messenger Service if its running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/
After that here are some "canned" Instructions of mine, If u want u can follow them to check if they can work for u or not :)

1. Restart ur machine in safemode and Login as Administrator
2. Run the AntiVirus tool and delete all viruses it found
3. Run the Spyware Removal tools and delete everything they detect
4. Then goto My Computer>Tools>Folder Options>View and turn on the feature of Show Hidden Files
5. Goto C:\Documents and Settings\ur usernmae\Local Settings\Temp and delete all files present here
6. Goto C:\Documents and Settings\ur usernmae\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
7. Goto C:\Documents and Settings\ur usernmae\Cookies, and delete all cookies present here
(ofcourse im assuming that u have already saved all the login passwords for ur websites :)
8. Goto C:\Windows\Temp and delete all files present here
9. Reboot back in Normal Mode and check if problems are gone or not
10.Post Back and Good Luck :)

Author Comment

ID: 12493124
Thanks for pointing me to the helpful resources. Was able to use them to clear out more items. Computer is much better - however, everytime I reboot I get a Run Time Error 9 Subscript out of range. Can't determine what's calling it.
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

LVL 65

Expert Comment

ID: 12493643
If this error doesn't come in safemode, then try this in normal mode,

Goto Start>Run>msconfig>Startup, and click on Disable All
now goto Services section, and tick Hide Microsoft Services
and now untick all those third party services
restart and now check if the same error ??
if NO then u can re-enable each application\service at a time to trace out the culprit one !!

Expert Comment

ID: 12512079
i suggest 2 reformat all ur hard drive because no matter what u do these spyware and adware problem r bound 2 remain on ur drives

before u do this or decide 2 do this ther is a anti virus which is called kaspersky personal download it from www.download.com it is 30 day trial version u will see that there r a lot of viruses that 2 there on ur drive that hv never shown up when u scan em using ur regular anti virus scanner also there is a tool called escan tool kit utility version(4.6.1), download this and scan ur computer completely it is just a scanner it will give a details reports of all the errors,the viruses,registry problem and other details after this u decide for urself whether u want 2 continue or reformat us computer.

there r a lot of diff types od adware/malware/viruses/dropper viruses/coolwebsearch and other cookies which one software program find it's diff 2 detect

i suggest u install spybot with ie helper, install spyblaster,download cws shredder, spy gaurd,webroot  spy sweeper, spy subtract, ad  adware remover personal all these software can be found on downloads.com

as far as anti virus scanner i suggest avg anti virus free addition,and kasparsky personal trial verion

hope this helps
LVL 27

Expert Comment

by:Asta Cu
ID: 12513284
I believe the information that Shehar provided should help you resolve this, but interested in the outcome.  I sure would not take the reformat option, I prefer to deal with the issues, troubleshoot the cause and update SW, firewalls, WindowsUpdate and so on to ensure that I'm protected and that I understand how the problem first occurred.  Just to do a reformat and start all over again only to find the problem intruding again in the future just doesn't work for me, in my humble opinion.

I love XP SP2, and its added protections and added functionality, so sharing a few links in those regards.

***** This is an excellent link, very informative, and thanks to
Fatal_Exception for showing me this! It includes a step-by-step video about XP SP2 and the new features and configuration option overview. Top Notch! *****
Free XP SP2 Help and Support
What to Know Before You Download and Install Windows XP Service Pack 2

Detailed Windows XP Service Pack 2 installation walkthrough
Getting and Installing Windows XP Service Pack 2
Repair XP or other options; check cautions, quite informative.

Also, Shehar's links above about Spyware and the HijackThis tool and use are excellent.  This is kind of the way I've felt I can control my environment best in XP SP2; also have a router with a hardware firewall.

This is a cut/paste from one of my personal reference files, so if I've repeated anything said previously, no offense meant, just no time today to edit further, but wanted to get this out.

Prior to working with Spyware removal tools, highly recommend that a good Viruscan Program be installed, updated with the most current virus definition files and scanning all drives. If running an Operating System with System Restore, be sure to turn it off first, or the problems will return.  Then, once system is cleaned, be sure to turn it back on. Start-Control Panel - System - System Restore.

Hijack this related link and recommended process.

Download the most current version of HijackThis here...
http://www.majorgeeks.com/download3155.html or here

Scan your system and then cut/paste the log to this free analyzer service English by default, change where there, if needed)
It will provide you details on what is unknown and what is "Nasty" .... and some will be fixed within the HijackThis process, but you'll see then when you check the results. Some have had problems just arbitrarily removing things, so be cautious. If you're unclear about anything, cut/paste that line here for review.

Re. Spyware, this central link here compiled by many of us with tools and links:

My choices are AdAware SE Professional from Lavasoft. Once updated, be sure to configure it to do deep scanning of all drives, including archives and include the HOSTS file. Then, highly recommend using Spybot S&D, most current version and get all updates first. Then be sure, after scanning your system, you use the "Immunize" function to blocks more than 2,500 spyware/malware/malicious BHO intrusions.   **If you've already installed the most current version of Spybot S&D, be sure to use the Immunize function again, to ensure that the most recent intrusions are also blocked.**

http://www.mvps.org/winhelp2002/hosts.htm - very helpful to me as well.

Family day, so won't return until tomorrow; hopes this adds some help to you.


Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
Screencast - Getting to Know the Pipeline
Is your OST file inaccessible, Need to transfer OST file from one computer to another? Want to convert OST file to PST? If the answer to any of the above question is yes, then look no further. With the help of Stellar OST to PST Converter, you can e…
Suggested Courses

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question