Browser sessions are being disrupted by "System Doctor"--browser hijack?

Posted on 2006-06-21
Last Modified: 2013-11-16
Several times recently my internet browser sessions have been interrupted by a very aggressive program calling itself "System Doctor".  Also, there was another program having to do with sports.  I downloaded Hijack This! and ran it.  The log file is below and of course I am hoping someone can tell me what to do with this information.   I also would appreciate some advice about making my computer less vulnerable to this kind of attack.  I am running Norton Internet Security and am allowing it to manage my firewall.

Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 9:53:41 PM, on 6/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Lou\My Documents\browser hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12d439ff-c2d2-4021-9579-67440ea6d264} - C:\WINDOWS\system32\mciqlib.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: mciqlib - C:\WINDOWS\SYSTEM32\mciqlib.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Question by:monacoassociates
LVL 32

Expert Comment

ID: 16957094
For future reference, you may want to post the HJT log to and click "Analyze" then "Save Analysis" and then just post a link to the analyzed log.

I did this for you, and it is at:

Going over that page, I see the following problem entries:

 O2 - BHO: (no name) - {12d439ff-c2d2-4021-9579-67440ea6d264} - C:\WINDOWS\system32\mciqlib.dll
 O20 - Winlogon Notify: mciqlib - C:\WINDOWS\SYSTEM32\mciqlib.dll
 O4 - Startup: PowerReg Scheduler.exe

Run HJT again and have it fix the above three entries. Then reboot and run HJT again and make sure the entries did not come back. The problem should be fixed.

LVL 47

Accepted Solution

rpggamergirl earned 500 total points
ID: 16957513

You have the latest variant of vundo there!
And vundofix is not updated for that one yet.

Please go to the forum here -->
and upload this file --> C:\WINDOWS\SYSTEM32\mciqlib.dll

Here are the directions for uploading the file:
Just click "New Topic", fill in the needed details and post a link to your thread here. Subject line just put "Vundo file - Atribune"
Click the "Browse" button. Navigate to the file on your computer. When the file is listed in the window click "Post" to upload the file.

After you've uploaded that file.
Download Pocket Killbox to the desktop (version 
If you already have Killbox, ensure it is the latest version.
*Select the "Delete on Reboot" option.
*Press the "ALL Files" button
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If the computer doesn't restart, just restart manually.

Fix these entries afterwards if still present in the hijackthis scan.
O2 - BHO: (no name) - {12d439ff-c2d2-4021-9579-67440ea6d264} - C:\WINDOWS\system32\mciqlib.dll
O20 - Winlogon Notify: mciqlib - C:\WINDOWS\SYSTEM32\mciqlib.dll

Expert Comment

ID: 16997947
You have the PowerReg Scheduler infection.
This should do the trick,
It's the best solution for tenacious spyware. Better than Spybot, Ad-Aware, Spyware Doctor, and the rest.

Notes: Download the free version. During install it will ask for name and email. You don't have to put in that
info, just hit next. Update the program before running the scan. Select "Perform Complete Scan".

Good luck
LVL 47

Expert Comment

ID: 16998170
Sorry, but the only infection he has there is Vundo, :)
PowerReg Scheduler.exe is not an infection; though it is an unnecessary startup entry that can be fixed, it isn't malware but a registration reminder.

Filename Description:
PowerReg Scheduler.exe PowerREGISTER from Leadertech. Registration reminder as used by Iomega, Hasbro & Microprose - amongst others

Author Comment

ID: 17025088
Thanks for the input.  Sorry for the delay in responding.  I have been traveling, and trying out your ideas as I could.

I tried your solution r-k, but found that the three files that you identified returned immediately.

I did some research on Vundo and found that it can be identified by NAV, so checked my Norton Internet Security and found that it had not run a scan in two months (though it has been informing me daily that everything is fine). Ran the scan and it detected nothing at all! This has left me feeling uncertain about Vundo, so I haven't yet tried the solution for it. rpggamergirl, are you quite sure I have Vundo?

Today I installed Spy Sweeper and ran a scan with it. Nothing Spy Sweeper identified sounded like it could account for my problem, but I placed all the identified files in quarantine anyhow. I haven't had a problem since then, but that wasn't very long ago, so I am not ready to declare victory just yet.

I googled System Doctor and found some sites that claim to get rid of it, but I don't know which sites to trust, so didn't try any of those as yet.  

In the several days since this problem started, the disruptions to my browser sessions have gradually become less frequent.  The last two or three days there have been two things happening:
1)  Infrequently browser sessions are disrupted by a garish, blinking full-screen ad.  It is possible that I have initiated one or more of these by inadvertently clicking on an ad, but don't think so.  Have been closing these with Task Manager.
2)  Nearly every day I get a small pop-up, a simple white with blue frame that looks like a Windows message, suggesting that I should install System Doctor.   I ignore these.

Any further thoughts will be appreciated.
LVL 47

Expert Comment

ID: 17026348
Yes, I'm sure you have vundo, and to be very specific what you have is conhook the installer.

I've seen some logs where the latest Ewido removes conhook, you can try it if you want.
HijackThis CAN NOT remove vundo entries on its own because vundo is already running even before you log on.
There are many variants of vundo; there is also a vundo rootkit where it doesn't show up in any log.
There is also vundo conhook that has a random CLSID that changes at reboot (hard to remove). I don't know what yours is; you can check by rebooting and checking if the CLSID remains the same.

Please follow my first suggestion and let me know if the file persists.
You can also try Ewido if you want.

Please download Ewido anti-malware free trial version.
Install Ewido.
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch Ewido; there should be an icon on your desktop, double-click it.
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click "update"
Then click on "Start Update"
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.

Once the updates are installed close the Ewido program.

Then Reboot your computer into "Safe Mode"

Once in safe mode, start Ewido and do the following:

Click on "scanner"
Click on "Complete System Scan" and the scan will begin.
While the scan is in progress you will be prompted to clean files, click OK
When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report.txt file to your desktop.
LVL 47

Expert Comment

ID: 17026356
These are the obvious signs of conhook vundo, that's what made me say you have vundo infection.

O2 - BHO: (no name) - {12d439ff-c2d2-4021-9579-67440ea6d264} - C:\WINDOWS\system32\mciqlib.dll
O20 - Winlogon Notify: mciqlib - C:\WINDOWS\SYSTEM32\mciqlib.dll

Author Comment

ID: 17043215
OK, rpggamergirl, I used your first solution and it seems to have done the trick.  It's been two days now, and no sign of problems.  Thanks!

As a point of information, the only file I found of the ones you listed was mciqlib.dll.
LVL 47

Expert Comment

ID: 17046805
No problem and thanks for the points with "A" grade!

>>"As a point of information, the only file I found of the one you listed was mciqlib.dll."<<

Didn't it have any backward files of its .dll? Usually Vundo has at least 3 reversed files with the extensions (.bak, .ini, .tmp), though those backwards .dlls are harmless.
Maybe conhook vundo doesn't create backward files of its dll.
Backward files meaning the reversed name of the vundo dll, as in --> mciqlib.dll = bilqicm with .bak, .ini, or .tmp extensions.

Anyway, well done on getting rid of it.
Now you just have to update/change your java version and you might not hear vundo again.

Your version of java --> "j2re1.4.2_03" is very vulnerable to vundo infection, you could get re-infected straightaway if you're unlucky.

In Control Panel > Add/Remove Programs
Search in the list for all previously installed versions of Java (J2SE Runtime Environment...) and uninstall them.
Then Download and install the newest version from here:
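As an added illustration (not code from this thread, from HijackThis, or from any of the posters), here is a small Python parser that applies the two signs rpggamergirl describes to a HijackThis log: the same unnamed DLL appearing both as an O2 BHO and as an O20 Winlogon Notify handler, and the reversed-name .bak/.ini/.tmp companion files. The sample lines are constructed from the O2/O20 entries in this thread's log; the function names are my own.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: four O2/O20 lines modelled on the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12d439ff-c2d2-4021-9579-67440ea6d264} - C:\WINDOWS\system32\mciqlib.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mciqlib - C:\WINDOWS\SYSTEM32\mciqlib.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def parse_hjt(text):
    """Return the O2 (BHO) and O20 (Winlogon Notify) entries of a HijackThis log."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            entries.append({"section": "O2", "name": m["name"], "path": m["path"]})
            continue
        m = NOTIFY_RE.match(line)
        if m:
            entries.append({"section": "O20", "name": m["key"], "path": m["path"]})
    return entries


def suspicious_dlls(entries):
    """DLLs registered both as an unnamed BHO and as a Winlogon Notify handler.

    That pairing is the sign the thread points to; it is a heuristic for a
    human to review, not proof of infection (compare against known-good vendors).
    """
    sections_by_dll = defaultdict(set)
    unnamed = set()
    for e in entries:
        dll = ntpath.basename(e["path"]).lower()   # case-insensitive, as on NTFS
        sections_by_dll[dll].add(e["section"])
        if e["section"] == "O2" and e["name"] == "(no name)":
            unnamed.add(dll)
    return sorted(d for d, secs in sections_by_dll.items()
                  if {"O2", "O20"} <= secs and d in unnamed)


def reversed_companions(dll_path, exts=(".bak", ".ini", ".tmp")):
    """Paths of the reversed-name companion files the thread describes,
    e.g. mciqlib.dll -> bilqicm.bak/.ini/.tmp in the same directory."""
    directory, filename = ntpath.split(dll_path)
    stem = ntpath.splitext(filename)[0]
    return [ntpath.join(directory, stem[::-1] + ext) for ext in exts]


if __name__ == "__main__":
    for dll in suspicious_dlls(parse_hjt(SAMPLE_LOG)):
        print("review:", dll)
```

Run it against a real log by reading the file into `parse_hjt`; the reversed-name paths are only candidates to look for on disk.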


