Question : Hijacked
Well, it has finally happened: I clicked on the wrong link and got infected. I have copied the HijackThis log for the experts to analyze.
I use Ad-Aware and Spybot and Windows Defender, so I don't know how it happened. Symptoms are redirects from the Google search page and Dish Network ads popping up :(
I have much work to do today, so any help is appreciated. Thanks.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:51 AM, on 12/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Stardock\THINKD~1\MULTIP~1\MULTIS~2.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\intelxpv_v103\wdm\STacSV.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Cloudmark\SpamNet\OE\snoe.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\CapsUnlock\CapsUnlock.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\ICQ\Icq.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [WindowBlinds] C:\Program Files\Stardock\Object Desktop\WindowBlinds\WBInstall32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Bob Laurence\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Startup: CapsUnlock.lnk = C:\Program Files\CapsUnlock\CapsUnlock.exe
O4 - Startup: Logitech . Product Registration.lnk = C:\Program Files\Common Files\logishrd\eReg\SetPoint\eReg.exe
O4 - Global Startup: Cloudmark Desktop for Outlook Express.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} (System Requirements Lab) - http://intel-drv-cdn.systemrequirementslab.com/multi/bin/sysreqlab_srlx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256252660109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256252651406
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: Multi - C:\Program Files\Stardock\ThinkDesk\Multiplicity\MultiWin32.dll
O22 - SharedTaskScheduler: FencesShellExt - {1984DD45-52CF-49cd-AB77-18F378FEA264} - C:\Program Files\Stardock\Object Desktop\Fences\FencesMenu.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\logishrd\Bluetooth\LBTServ.exe
O23 - Service: Stardock Multiplicity (Multiplicity) - Unknown owner - C:\PROGRA~1\Stardock\THINKD~1\MULTIP~1\MULTIS~2.EXE
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - PC Tools - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\intelxpv_v103\wdm\STacSV.exe

--
End of file - 15193 bytes
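A triage aid for the log format posted above, added here as an example and not part of the original thread or of HijackThis itself: a small Python script that parses HijackThis-style R/O entries and flags the kinds of entry an analyst usually reviews first. The sample input is a handful of lines copied from the log above; the four review rules (browser component with "(no file)", Run value with no directory, DPF entry with no source URL, service with "Unknown owner") are this example's own heuristics and mark entries for a closer look, not as malicious.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: a few lines copied from the HijackThis log posted
# in the thread above, benign and review-worthy entries mixed.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HijackThis finding starts with its section code (R0, R1, O2, O4, O23, ...).
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"\S+://\S+")


@dataclass
class Entry:
    section: str
    body: str
    reasons: list = field(default_factory=list)


def parse_log(text):
    """Return the R/O entries of a log; header and process list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def first_token(cmd):
    """Executable part of a Run value: the quoted path if quoted, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def review_entry(e):
    """Attach review reasons to an entry; returns True if anything was flagged.
    These rules are this example's triage heuristics, not a malware verdict."""
    body = e.body
    if e.section in ("O2", "O3", "O9") and body.endswith("(no file)"):
        e.reasons.append("registered browser component whose file is missing")
    if e.section == "O4" and "] " in body:
        exe = first_token(body.split("] ", 1)[1])
        if exe and "\\" not in exe and "%" not in exe:
            e.reasons.append(
                f"Run value '{exe}' has no directory, so it is resolved via the search path at logon")
    if e.section == "O16" and not URL_RE.search(body):
        e.reasons.append("ActiveX download (DPF) record with no source URL")
    if e.section == "O23" and "Unknown owner" in body:
        e.reasons.append("service with no publisher recorded")
    return bool(e.reasons)


def triage(text):
    """Parse a log and return only the entries that deserve a closer look."""
    return [e for e in parse_log(text) if review_entry(e)]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"[{e.section}] {e.body}")
        for r in e.reasons:
            print(f"    -> {r}")
```

Run against the sample it reports four entries: the nameless BHO with no file, the KHALMNPR.EXE Run value (a bare filename that Windows locates through the search path, so it is worth confirming which copy actually runs), the empty DPF record, and the "Unknown owner" service. Each of those can be perfectly legitimate; the script only narrows a 15 KB log down to the lines that need a human, or a file-hash lookup, to settle.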
Answer : Hijacked
Try scanning with Malwarebytes. Rename Mbam to bm.exe prior to saving the download.
Malwarebytes
http://www.malwarebytes.org/mbam-download.php