Can't figure out which is the trojan/hijacking program

Posted on 2006-05-09
Last Modified: 2013-12-04
I have a computer that has its home page hijacked by either malware or a trojan.  Here is the Hijaack this log:
Logfile of HijackThis v1.99.1
Scan saved at 6:05:36 PM, on 5/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\TrustSoft AntiSpyware\TrustSoftAntiSpyware.exe
C:\Program Files\SpyKiller\spykiller.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =*
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =*
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =*
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpB1A3.tmp
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TrustSoftAntiSpyware] C:\Program Files\TrustSoft AntiSpyware\TrustSoftAntiSpyware.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {227F25BE-BCDC-11D0-BA80-0000F6181652} (CLRMachineInfoCtl Class) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) -
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

I am running AVG virus software, and have scanned the computer with Ad Aware and Spykiller and Symantec's online virus scanner.  All say no problems. Yet when I open IE, it goes to a site selling security software and there is an icon in the system tray that ominously warns of the computer being infected with a virus.

Any help will be greatly appreciated!
Question by:jhruzek
    LVL 32

    Accepted Solution

    I posted you log to and the saved analyzed page is at:

    I would suggest fixing the following entries with HJT itself:

     R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
     R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
     O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpB1A3.tmp
    Also, I notice you're running SpyKiller. I believe this a known adware that pretends to be a useful program. Un-install that if possible.
    If you can't figure out how to uninstall it then have HJT remove this entry:

     O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

    Good luck.
    LVL 47

    Assisted Solution


    Your hijackthis log shows smitfraud infection.
    Please download SmitfraudFix:
    Extract the content (a folder named SmitfraudFix) to your Desktop.
    Next, please reboot your computer in Safe Mode by rebooting the computer,
    and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from
    the options listed.
    Once in Safe Mode, open the SmitfraudFix folder again and double-click
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected
    You will be prompted : "Registry cleaning - Do you want to clean the
    registry?" answer "Yes" by typing Y and press "Enter" in order to remove
    the Desktop background and clean registry keys associated with the
    The tool will now check if wininet.dll is infected. You may be prompted to
    replace the infected file (if found); answer "Yes" by typing Y and press
    The tool may need to restart your computer to finish the cleaning process;
    if it doesn't, please restart it into Normal Windows.

    Let us know if problem persists.

    Author Comment

    Well, I tried to fix the problems.  Unfortunately, it will not boot into safe mode.  I finally gave up and reformatted the disk.  I do not understand why it wouldn't boot into safe mode?  It appeared to be loading all of the drivers, but would hang with the text on the screen.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Highfive + Dolby Voice = No More Audio Complaints!

    Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

    A high-level exploration of how our ever-increasing access to information has changed the way we do our jobs.
    This article describes how to use the timestamp of existing data in a database to allow Tableau to calculate the prior work day instead of relying on case statements or if statements to calculate the days of the week.
    This video demonstrates how to use each tool, their shortcuts, where and when to use them, and how to use the keyboard to improve workflow.
    Using Adobe Premiere Pro, the viewer will learn how to set up a sequence with proper settings, importing pictures, rendering, and exporting the finished product.

    779 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    17 Experts available now in Live!

    Get 1:1 Help Now