Please view my log. I have the home shopping hijack thing.
I desperately need help!
Running processes:
ahat.exe
aim.exe
ares.exe
atiptaxx.exe
csrss.exe
defwatch.exe
explorer.exe
iexplorer.exe
KlvxiMAlT.exe
KlvxiMAlT.exe
lsass.exe
msgsys.exe
pds.exe
pdvdserv.exe
rtvscan.exe
rundll32.exe
services.exe
smagent.exe
smax4.exe
smax4pnp.exe
smss.exe
spoolsv.exe
svhost.exe
svhost.exe
svhost.exe
svhost.exe
svhost.exe
system
system idle process
taskmgr.exe
teatime.exe
type32.exe
vptray.exe
winampa.exe
winlogon.exe
wuauclt.exe
xfr.exe
zrJMzPmJ.exe
zrJMzPmJ.exe
HijackThis log:
Logfile of HijackThis v1.99.0
Scan saved at 5:12:10 PM, on 12/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\cba\pds.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\mfcav.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\documents and settings\admin.marc\local settings\temp\zrJMzPmJ.exe
C:\documents and settings\admin.marc\local settings\temp\KlvxiMAlT.exe
C:\WINDOWS\sdkss.exe
C:\documents and settings\admin.marc\local settings\temp\zrJMzPmJ.exe
C:\documents and settings\admin.marc\local settings\temp\KlvxiMAlT.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Ares\Ares.exe
C:\Documents and Settings\Admin.MARC\Application Data\ahat.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hyjack this\HijackThis.exe
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {D57750CD-6BCB-E411-D165-5E29E405BA5F} - C:\WINDOWS\sysuc.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Admin.MARC\Local Settings\Temp\UwfN6.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -off
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [zrJMzPmJ] C:\documents and settings\admin.marc\local settings\temp\zrJMzPmJ.exe
O4 - HKLM\..\Run: [KlvxiMAlT] C:\documents and settings\admin.marc\local settings\temp\KlvxiMAlT.exe
O4 - HKLM\..\Run: [nHn3f] C:\documents and settings\admin.marc\local settings\temp\nHn3f.exe
O4 - HKLM\..\Run: [sdkss.exe] C:\WINDOWS\sdkss.exe
O4 - HKLM\..\Run: [zrJMzPmJ.exe] C:\documents and settings\admin.marc\local settings\temp\zrJMzPmJ.exe
O4 - HKLM\..\Run: [KlvxiMAlT.exe] C:\documents and settings\admin.marc\local settings\temp\KlvxiMAlT.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Sclr] C:\Documents and Settings\Admin.MARC\Application Data\ahat.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103060670382
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} (VacPro.internazionale_ver4) - http://www.globalphon.com/dialer/internazionale_ver4.CAB
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\mfcav.exe
Comments
Set your system to Show Hidden Files and folders.
For Windows XP or ME, Disable System Restore.
Reboot into Safe Mode.
Make sure that all Internet Explorer or any other browser windows or internet applications are closed. Do not have any other unnecessary programs running.
If you have rebooted your PC since you posted this log, you will note that some of the entries may have changed. If so, please post a fresh log for me. If not, then proceed with the following.
Run HijackThis. FIX THE FOLLOWING (place a checkmark beside the entries, and then press the Fix Checked button):
**************
O2 - BHO: (no name) - {D57750CD-6BCB-E411-D165-5E29E405BA5F} - C:\WINDOWS\sysuc.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Admin.MARC\Local Settings\Temp\UwfN6.dll
O4 - HKLM\..\Run: [zrJMzPmJ] C:\documents and settings\admin.marc\local settings\temp\zrJMzPmJ.exe
O4 - HKLM\..\Run: [KlvxiMAlT] C:\documents and settings\admin.marc\local settings\temp\KlvxiMAlT.exe
O4 - HKLM\..\Run: [nHn3f] C:\documents and settings\admin.marc\local settings\temp\nHn3f.exe
O4 - HKLM\..\Run: [sdkss.exe] C:\WINDOWS\sdkss.exe
O4 - HKLM\..\Run: [zrJMzPmJ.exe] C:\documents and settings\admin.marc\local settings\temp\zrJMzPmJ.exe
O4 - HKLM\..\Run: [KlvxiMAlT.exe] C:\documents and settings\admin.marc\local settings\temp\KlvxiMAlT.exe
O4 - HKCU\..\Run: [Sclr] C:\Documents and Settings\Admin.MARC\Application Data\ahat.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\mfcav.exe
**************
After you have cleaned the HJT log, UNPLUG the computer (no proper shutdown - just yank the cord). Do not delete any files first or anything else. I am testing something a little different with your problem and want to see if it works.
Wait a few seconds, plug the cord back in, and boot the computer. Then, reset your home page and search settings in Internet Explorer. Launch Internet Explorer, and click the Tools menu -> Internet Options -> Programs -> Reset Web Settings. Then click the General Tab in that same window, and manually set whatever home page you want by typing in the page address you want in the first field of that tab, and then hitting OK at the bottom.
Close IE and re-open it. Check to see if you are still hijacked. Then run HJT, do a fresh scan, and post the log here for further review. There are still a couple of things you will need to do, but I want to see the results after this pass.
(OTHER SVT HELPERS, PLEASE DO NOT POST IN THIS THREAD, I AM TESTING A SLIGHTLY DIFFERENT PROCESS HERE.)
Dexter...
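As an added example, not code from this thread or from HijackThis itself: a Python script that encodes the reasoning behind the fix list above as checks over the log's own lines, and flags the same entries the helper selected. The rules (which directories count as user-writable, the short allowlist of binaries that legitimately live in the Windows root, the "non-Microsoft ActiveX download" rule that additionally picks up the O16 dialer entry the helper left for a later pass) are my assumptions, not HijackThis's logic; the sample log is a constructed excerpt of lines copied from the log posted above, and the script will produce false positives on unusual but legitimate software.

```python
"""Heuristic triage of a HijackThis (HJT) log.

Added example. The checks below are assumptions about what a helper looks
for in a 2004-era HJT log: where a binary lives and who signs it matter
more than its name. They are not HijackThis's own logic.
"""
from __future__ import annotations
import re
from collections import Counter

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$')
O9_RE = re.compile(r'^O9 - .+ - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$')
O15_RE = re.compile(r'^O15 - Trusted (?:Zone|IP range): ?(?P<target>.*)$')
O16_RE = re.compile(r'^O16 - DPF: .+ - (?P<url>https?://[^/]+/.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.+)$')
# Executable path at the start of a Run command, quoted or not.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?(?=\s|$)', re.IGNORECASE)
# Something like c:\windows\foo.exe (directly in the Windows root).
WINROOT_RE = re.compile(r'^[a-z]:\\windows\\[^\\]+\.exe$')

# Assumption: auto-starts from per-user, writable locations are almost never legitimate.
USER_WRITABLE = ('\\local settings\\temp\\', '\\application data\\')
# Assumption: a small allowlist of Microsoft binaries that really live in the Windows root.
WINDIR_OK = {'explorer.exe', 'notepad.exe', 'regedit.exe', 'hh.exe'}


def _exe_path(cmd: str) -> str:
    """Lower-cased executable path from a Run command such as '"C:\\x\\a.exe" /tray'."""
    m = EXE_RE.match(cmd.strip())
    return m['path'].lower() if m else cmd.strip().lower()


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (reason, log line) pairs for entries a helper would mark to fix."""
    findings: list[tuple[str, str]] = []
    runs: list[tuple[str, str]] = []  # (exe path, original line) for every O4 Run entry
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            runs.append((_exe_path(m['cmd']), line))
        elif m := O2_RE.match(line):
            if m['name'] == '(no name)' or any(d in m['path'].lower() for d in USER_WRITABLE):
                findings.append(('BHO with no name or loaded from a user-writable directory', line))
        elif m := O9_RE.match(line):
            if m['path'].endswith('(file missing)'):
                findings.append(('IE button/menu item whose target is gone (leftover registration)', line))
        elif O15_RE.match(line):
            findings.append(('Trusted-zone entry: relaxes IE security for that host or IP', line))
        elif m := O16_RE.match(line):
            host = m['url'].split('/')[2].lower()
            if not host.endswith('microsoft.com'):
                findings.append(('ActiveX control downloaded from a non-Microsoft site', line))
        elif m := O23_RE.match(line):
            p = m['path'].lower()
            in_root = WINROOT_RE.match(p) and p.rsplit('\\', 1)[-1] not in WINDIR_OK
            if m['vendor'] == 'Unknown' or in_root:
                findings.append(('service with no vendor string or binary dropped in the Windows root', line))

    seen = Counter(path for path, _ in runs)  # same binary under several value names
    for path, line in runs:
        reasons = []
        if any(d in path for d in USER_WRITABLE):
            reasons.append('auto-start from a per-user temp/profile directory')
        elif WINROOT_RE.match(path) and path.rsplit('\\', 1)[-1] not in WINDIR_OK:
            reasons.append('auto-start from the Windows root that is not a known Windows binary')
        if seen[path] > 1:
            reasons.append('registered under more than one Run value name')
        if reasons:
            findings.append(('; '.join(reasons), line))
    return findings


# Constructed excerpt of the log posted in this thread: benign and bad lines mixed.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {D57750CD-6BCB-E411-D165-5E29E405BA5F} - C:\WINDOWS\sysuc.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Admin.MARC\Local Settings\Temp\UwfN6.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [zrJMzPmJ] C:\documents and settings\admin.marc\local settings\temp\zrJMzPmJ.exe
O4 - HKLM\..\Run: [sdkss.exe] C:\WINDOWS\sdkss.exe
O4 - HKLM\..\Run: [zrJMzPmJ.exe] C:\documents and settings\admin.marc\local settings\temp\zrJMzPmJ.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Sclr] C:\Documents and Settings\Admin.MARC\Application Data\ahat.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103060670382
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} (VacPro.internazionale_ver4) - http://www.globalphon.com/dialer/internazionale_ver4.CAB
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\mfcav.exe
"""

if __name__ == '__main__':
    for reason, line in triage(SAMPLE_LOG):
        print(f'[{reason}]\n    {line}')
```

Run against the full log from the post it flags every line in the helper's fix list plus the globalphon.com O16 entry; the legitimate SoundMAX, Google, MSConfig, HP and Windows Update lines pass. The one Run entry it cannot judge is "TCAUDIAG.exe -off", which has no path at all, so it is skipped rather than guessed at.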