Reply
New Visitor
Posts: 2
Registered: ‎07-24-2004

Re: READ THIS FIRST IF YOU'VE BEEN HIJACKED HAVE SPYWARE OR YOUR PC'S INFECTED

My computer is infected with the mypoiskovik.com hijacker and I've tried everything short of reformatting my hard drive to get rid of it but the little bugger keeps showing up.

I've installed Browser Hijack Blaster so I'm able to stop it from resetting my home page although I can't stop it from adding 4 porn sites to my favorites page. I've run HiJack This, Ad-Aware, and CWShredder too many times to count. Also have installed and run SpyBot and Spyware Doctor, all to no avail.

I've done several online virus scans from the Symantec site. The first one showed an infection of the ByteVerify trojan which I removed by deleting the infected files. Subsequent scans show no infection. No does the AVG Anti-Virus system installed show an infection.

I installed Norton's firewall, after the fact, because I thought the Comcast firewall would protect me. I'm also very careful about downloading anything unless it's from a site I trust such as Microsoft or Hewlett-Packard.

If I have to, I'll reformat my hard drive but I'd prefer to avoid that drastic a solution. Listed below is the latest Hijack log. Any help you can give will be appreciated

Logfile of HijackThis v1.98.2
Scan saved at 11:45:37 PM, on 8/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Browser Hijack Blaster\bhblaster.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\HiJackThis Antispyware\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: Ati2mdxx.exe
O4 - HKLM\..\Run: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: ALCXMNTR.EXE
O4 - HKLM\..\Run: C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKCU\..\Run: c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: C:\PROGRA~1\HPINST~1\Pavilion\XPENABF3EN\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O4 - Global Startup: winlgn.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
Recognized Contributor
johnd
Posts: 4,409
Registered: ‎06-30-2003

Re: READ THIS FIRST IF YOU'VE BEEN HIJACKED HAVE SPYWARE OR YOUR PC'S INFEC

Anon836127,

1. Please click on the "Settings" link above and assign yourself a forum name. Do not use you real name or e-mail name.


2. Reboot into Safe Mode - How do I boot into "Safe" mode?

3. Make sure your Windows Explorer Folder Settings are as follows:

(To access them, go "Tools" > "Folder Options" > "View")

a. "Show hidden files and folders" should be checked.
b. "Hide extensions for known file types" should be unchecked.
c. "Hide protected operating system files" should be unchecked.


4. Make sure all application windows are closed. Run another HijackThis scan from its permanent location. Check the below items for removal. Once all are checked, click the "Fix checked" button. When the fix completes, close HijackThis.

Fix these:
----------------------------------------------

---> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm

---> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm

---> R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm

---> R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm

---> O4 - HKLM\..\Run: ALCXMNTR.EXE

---> O4 - Global Startup: winlgn.exe

----------------------------------------------


5. While still in "Safe Mode", remove the following files/folders:

a. The file "ALCXMNTR.EXE" in "C:\WINDOWS".

b. The file "winlgn.exe" in "C:\Documents and Settings\All Users\Start Menu\Programs\Startup".


6. Reboot into Normal Mode, run another HijackThis scan and post the new log.
New Visitor
Posts: 2
Registered: ‎07-24-2004

Re: READ THIS FIRST IF YOU'VE BEEN HIJACKED HAVE SPYWARE OR YOUR PC'S INFECTED

Thank you so much. I followed your instructions and was finally able to get rid of this pest. As you requested I'm attaching a copy of the HiJackThis log I ran after making the changes. Again, thank you for your help.

Logfile of HijackThis v1.98.2
Scan saved at 7:06:17 PM, on 8/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\HiJackThis Antispyware\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: Ati2mdxx.exe
O4 - HKLM\..\Run: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKCU\..\Run: c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: C:\PROGRA~1\HPINST~1\Pavilion\XPENABF3EN\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
Recognized Contributor
johnd
Posts: 4,409
Registered: ‎06-30-2003

Re: READ THIS FIRST IF YOU'VE BEEN HIJACKED HAVE SPYWARE OR YOUR PC'S INFEC

Looks good. But careful what you let downloaded on to your computer in the future. Consider installing and using Mozilla's FireFox in place of Internet Explorer.