Have I been Hijacked

Unknown

Hi Guys

I'm wondering if someone has the time and inclination to help an old geezer (I'm 60 years old, and struggling to keep up with modern technology, but I'm at least trying, or as my wife would say, I'm very trying).

My computer even when not connected to the Internet, seems to want to connect to the Internet of its own accord, and after reading some of what has already been posted and discussed on this site, I'm getting the feeling I have been, or at least my computer has been Hijacked.

I have run Hijack and this is the log, (I'm hoping I got this bit correct)

Logfile of HijackThis v1.97.7
Scan saved at 02:00:54, on 27/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\WINDOWS\xfyyy.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\PROGRA~1\PESTPA~2\PPMemCheck.exe
C:\PROGRA~1\PESTPA~2\CookiePatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bob\Desktop\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btopenworld.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bt.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15555AD8-6E33-14EC-27FB-482F802D380F} - C:\PROGRA~1\MULTIM~1\soapvga.dll
O2 - BHO: (no name) - {4E2406F9-F5FC-4EB9-82B3-259BABAE5C2F} - C:\WINDOWS\ndub.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Bolt Sect - {2BED0E16-F950-E0A4-E751-85C3EC72CA36} - C:\PROGRA~1\MULTIM~1\soapvga.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [nzpk] C:\WINDOWS\xfyyy.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~2\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~2\CookiePatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Startup: Forget Me Not Reminders.lnk = C:\CACARD\FMREMIND.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://eq2beta.station.sony.com/beta_reg/soesysinfo.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/ieplug.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C3ADE5E-A5AE-4A66-85C6-D2AA98BF6155}: NameServer = 194.72.9.44 194.74.65.85

What if anything in the above is suspect ?.

Yours in anticipation

Straight_Man

I would tell HJT to delete everything thast has soapvga.dll in the line it occurs in. I'm a tib younger, another continent, about 50.5 years old. soapvga or soapvga.dll does not even Google at all. It is not a common file name used by Windows normally, I am reasonably sure. I'll let e few other pairs of eyes attached to very smart brains glance over the log also, though.

Kwitko

Welcome to Short-Media, Cujimmy. We'll get you fixed up in a jiffy. Make sure you place the HiJackThis program in its own folder in case you have to restore anything from backups. Next, boot into safe mode, run HiJackThis, and delete the following:

O2 - BHO: (no name) - {15555AD8-6E33-14EC-27FB-482F802D380F} - C:\PROGRA~1\MULTIM~1\soapvga.dll
O2 - BHO: (no name) - {4E2406F9-F5FC-4EB9-82B3-259BABAE5C2F} - C:\WINDOWS\ndub.dll
O3 - Toolbar: Bolt Sect - {2BED0E16-F950-E0A4-E751-85C3EC72CA36} - C:\PROGRA~1\MULTIM~1\soapvga.dll
O4 - HKLM\..\Run: [nzpk] C:\WINDOWS\xfyyy.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/ieplug.cab

These items can be safely removed to help free up resources.
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

I notice you have PestPatrol. Was it able to find anything?

Cujimmy

:celebrate

Thank you so much Mr. Kwitko, that got rid of it.

I will see if theres anything I can do to help out the folding team.

Nope Pest patrol didnt find it for some reason.

:celebrate

shwaip

I suggest that you download and install adaware and spybot search&destroy from here, and update and run them regularly

http://www.short-media.com/download.php?dc=69
Tweaking, Tuning and Handy Utilities - Security - Short-Media.com

profdlp

Cujimmy wrote:

...I will see if theres anything I can do to help out the folding team...

That would not only more than repay the favor done by the fine folks here at Short-Media, it will help the entire human race.

There is a lot of info here. If you have any questions feel free to start a thread in the Team Short-Media Forum - we love to hear from new members.

Just remember: Team 93