Computer Has Been Hijacked

Posted on 2004-11-03
Last Modified: 2010-04-12
I know I had the ads 234 spyware and have tried to remove everything associated with it but think there's still spyware lurking. I have my hijackthis.log
Logfile of HijackThis v1.98.2
Scan saved at 11:53:02 AM, on 11/03/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\BroadGun Software\pdfMachine\mapisnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\System Soap Pro\soap.exe
C:\Documents and Settings\MWA\Application Data\autp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Documents and Settings\MWA\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: mwasql01
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {34F86A70-9764-2396-825A-625504807816} - C:\WINDOWS\System32\ifrxr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: psic Class - {B6598677-4B54-42A9-BA67-8B64E3FCD92D} - C:\WINDOWS\System32\psic1.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\MWA\Local Settings\Temp\4bHq.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCONSET] regedit /s "C:\Program Files\ThinkPad\ConnectUtilities\bconprof.reg"
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [pdfMachine dispatcher] c:\Program Files\BroadGun Software\pdfMachine\mapisnd.exe -printer="pdfMachine" -port="PDFPORT1:"
O4 - HKLM\..\Run: [Apply Upgrades] c:\mwa\fx\aplup.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MemScanner] C:\Program Files\Enigma Software Group\SpyHunter\MemScanner.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [7F7O3me] ircmonui.exe
O4 - HKLM\..\Run: [e4bcfefd6914] C:\WINDOWS\System32\ati3d2ag.exe
O4 - HKLM\..\Run: [3SAHCS#4MABT@T] C:\WINDOWS\System32\Reyd5kLs.exe
O4 - HKLM\..\Run: [bdsl1k] C:\WINDOWS\System32\bdsl1k.exe
O4 - HKLM\..\Run: [etn] C:\WINDOWS\System32\etn.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - HKCU\..\Run: [System Soap Pro] C:\Program Files\System Soap Pro\soap.exe min
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\The Weather Channel.exe
O4 - HKCU\..\Run: [Uahe] C:\Documents and Settings\MWA\Application Data\autp.exe
O4 - HKCU\..\Run: [Jsqtx] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: triptriv.exe.lnk = C:\mwa\tripprom\triptriv.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: woodmenu.exe.lnk = C:\MWA\Menu\woodmenu.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .zip: c:\PROGRA~1\PKWARE\PKZIPP\nppkzip.dll
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) -
O16 - DPF: {38911EED-5726-41B4-9612-265534EC7A13} (Address Magic Web Edition Download Stub) -
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} -
O16 - DPF: {999715EC-EDC8-44A7-8521-17A2EC4A755B} -
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) -
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) -
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -,0,0,4383/
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) -

Question by:Becky_Hickenbottom

    Accepted Solution

    Hello Becky_Hickenbottom =)

    Plzz post ur log at this site >>
    and it will automatically analyse it for u,,, Fix the entries which it labels as Nasty :)
    To Fix, check the lines in Hijackthis scan and click on Fix Checked !!

    HJT Log Tutorial >>

    CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)

    Expert Comment

    and then Download these tools and install them !!

    AdAware ==>
    SpyBot  ==>
    CoolWebShredder ==>
    Peperfix.exe >>
    Stinger ==>

    Turn off ur System Restore >>
    Then Disable ur Messenger Service if its running >>
    After that here are some "canned" Instructions of mine, If u want u can follow them to check if they can work for u or not :)

    1. Restart ur machine in safemode and Login as Administrator
    2. Run the AntiVirus tool and delete all viruses it found
    3. Run the Spyware Removal tools and delete everything they detect
    4. Then goto My Computer>Tools>Folder Options>View and turn on the feature of Show Hidden Files
    5. Goto C:\Documents and Settings\ur username\Local Settings\Temp and delete all files present here
    6. Goto C:\Documents and Settings\ur username\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
    7. Goto C:\Documents and Settings\ur username\Cookies, and delete all cookies present here
    (of course I'm assuming that u have already saved all the login passwords for ur websites :)
    8. Goto C:\Windows\Temp and delete all files present here
    9. Reboot back in Normal Mode and check if problems are gone or not
    10. Post Back and Good Luck :)

    Author Comment

    Thanks for pointing me to the helpful resources. Was able to use them to clear out more items. Computer is much better - however, every time I reboot I get a Run Time Error 9 Subscript out of range. Can't determine what's calling it.

    Expert Comment

    If this error doesn't come in safemode, then try this in normal mode,

    Goto Start>Run>msconfig>Startup, and click on Disable All
    now goto Services section, and tick Hide Microsoft Services
    and now untick all those third party services
    restart and now check if the same error ??
    if NO then u can re-enable each application\service at a time to trace out the culprit one !!

    Expert Comment

    i suggest 2 reformat all ur hard drive because no matter what u do these spyware and adware problem r bound 2 remain on ur drives

    before u do this or decide 2 do this there is an anti virus which is called kaspersky personal download it from it is 30 day trial version u will see that there r a lot of viruses that 2 there on ur drive that hv never shown up when u scan em using ur regular anti virus scanner also there is a tool called escan tool kit utility version(4.6.1), download this and scan ur computer completely it is just a scanner it will give a detailed report of all the errors, the viruses, registry problem and other details after this u decide for urself whether u want 2 continue or reformat ur computer.

    there r a lot of diff types of adware/malware/viruses/dropper viruses/coolwebsearch and other cookies which one software program find it's diff 2 detect

    i suggest u install spybot with ie helper, install spyblaster, download cws shredder, spy guard, webroot spy sweeper, spy subtract, ad adware remover personal all these software can be found on

    as far as anti virus scanner i suggest avg anti virus free edition, and kaspersky personal trial version

    hope this helps

    Expert Comment

    by:Asta Cu
    I believe the information that Shehar provided should help you resolve this, but interested in the outcome.  I sure would not take the reformat option, I prefer to deal with the issues, troubleshoot the cause and update SW, firewalls, WindowsUpdate and so on to ensure that I'm protected and that I understand how the problem first occurred.  Just to do a reformat and start all over again only to find the problem intruding again in the future just doesn't work for me, in my humble opinion.

    I love XP SP2, and its added protections and added functionality, so sharing a few links in those regards.

    ***** This is an excellent link, very informative, and thanks to Fatal_Exception for showing me this! It includes a step-by-step video about XP SP2 and the new features and configuration option overview. Top Notch! *****
    Free XP SP2 Help and Support
    What to Know Before You Download and Install Windows XP Service Pack 2

    Detailed Windows XP Service Pack 2 installation walkthrough;en-us;875364
    Getting and Installing Windows XP Service Pack 2
    Repair XP or other options; check cautions, quite informative.

    Also, Shehar's links above about Spyware and the HijackThis tool and use are excellent.  This is kind of the way I've felt I can control my environment best in XP SP2; also have a router with a hardware firewall.

    This is a cut/paste from one of my personal reference files, so if I've repeated anything said previously, no offense meant, just no time today to edit further, but wanted to get this out.

    Prior to working with Spyware removal tools, highly recommend that a good Viruscan Program be installed, updated with the most current virus definition files and scanning all drives. If running an Operating System with System Restore, be sure to turn it off first, or the problems will return.  Then, once system is cleaned, be sure to turn it back on. Start-Control Panel - System - System Restore.
    Hijack this related link and recommended process.

    Download the most current version of HijackThis here... or here

    Scan your system and then cut/paste the log to this free analyzer service (English by default, change when there, if needed)
    It will provide you details on what is unknown and what is "Nasty" .... and some will be fixed within the HijackThis process, but you'll see then when you check the results. Some have had problems just arbitrarily removing things, so be cautious. If you're unclear about anything, cut/paste that line here for review.

    Re. Spyware, this central link here compiled by many of us with tools and links:

    My choices are AdAware SE Professional from Lavasoft. Once updated, be sure to configure it to do deep scanning of all drives, including archives and include the HOSTS file. Then, highly recommend using Spybot S&D, most current version and get all updates first. Then be sure, after scanning your system, you use the "Immunize" function to block more than 2,500 spyware/malware/malicious BHO intrusions.   **If you've already installed the most current version of Spybot S&D, be sure to use the Immunize function again, to ensure that the most recent intrusions are also blocked.** - very helpful to me as well.

    Family day, so won't return until tomorrow; hopes this adds some help to you.
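
Added example (not part of any post in this thread, and not the logic of HijackThis or of the analyzer site mentioned above): a Python first-pass triage over a HijackThis log, run on lines copied from the log in the question. The four rules and their names are assumptions chosen for illustration; a hit means "research this entry first", as the answers advise, not "delete it".

```python
import re

# Section code, " - ", then the entry text, as in the log posted in the question.
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

# Review heuristics: assumptions made for this example, not HijackThis verdicts.
RULES = [
    # Registry entry whose target file is gone.
    ("orphaned entry", re.compile(r"\((?:no file|file missing)\)")),
    # Executable or DLL loaded from a per-user, user-writable folder.
    ("runs from user-writable dir",
     re.compile(r"\\(?:Local Settings\\Temp|Application Data)\\[^\\]+\.(?:exe|dll)", re.I)),
    # "?" in a file name: assumed to be characters the log could not render.
    ("unrenderable file name", re.compile(r"\\[^\\]*\?[^\\]*\.(?:exe|dll)", re.I)),
    # Internet Explorer setting redirected to a page on the local disk.
    ("IE setting points at local file", re.compile(r"=\s*file://", re.I)),
]

def triage(log_text):
    """Return [(section, reasons, entry)] for entries worth researching first."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process list, blank line
        section, body = m.groups()
        reasons = [name for name, rx in RULES if rx.search(body)]
        if reasons:
            findings.append((section, reasons, body))
    return findings

# Lines copied from the log in the question above.
SAMPLE = r"""
Running processes:
C:\Documents and Settings\MWA\Application Data\autp.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\MWA\Local Settings\Temp\4bHq.dll (file missing)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKCU\..\Run: [Uahe] C:\Documents and Settings\MWA\Application Data\autp.exe
O4 - HKCU\..\Run: [Jsqtx] C:\WINDOWS\System32\??plorer.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

if __name__ == "__main__":
    for section, reasons, body in triage(SAMPLE):
        print(f"[{section}] {', '.join(reasons)}: {body}")
```

Entries that match no rule are not thereby clean; the rules only order the manual research that the answers recommend before anything is fixed.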

