I am infected! - hidden files, redirects, the lot!


#1 thedazzler


  • Members
  • 1 posts
  • Local time:10:48 AM

Posted 10 April 2011 - 09:13 AM

Hi folks,
I'm a newbie here. Although I've managed to disinfect my PCs and laptops myself over the years thanks to great advice on forums like this, I'm about beat with this one, so can I have a hand please?

Never understood HijackThis but I've downloaded it and below is the most recent report.
I installed latest AVG which found bugs, as did Malwarebytes and BitDefender online, but desktop is not as it was and redirects keep happening. Avoiding fixcombo etc. that I've seen on other forums as this time it's the missus's laptop! :) and I really don't want to get it wrong... believe me!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:50:02, on 11/04/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tadaa.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [HNUvOXRpw+] C:\DOCUME~1\user\LOCALS~1\Temp\nvsvc32.exe
O4 - HKLM\..\Run: [HNUvOXRsre] C:\DOCUME~1\user\LOCALS~1\Temp\wininst.exe
O4 - HKLM\..\Run: [HNUvOXRrtc] C:\DOCUME~1\user\LOCALS~1\Temp\sysedit.exe
O4 - HKLM\..\Run: [HNUvOXRqyS] C:\DOCUME~1\user\LOCALS~1\Temp\olutspr9.exe
O4 - HKLM\..\Run: [MKctc] C:\WINDOWS\msmgm.exe
O4 - HKLM\..\Run: [HNUvOXRrxe] C:\DOCUME~1\user\LOCALS~1\Temp\system.exe
O4 - HKLM\..\Run: [MKerb] C:\WINDOWS\taskmgr.exe
O4 - HKLM\..\Run: [HNUGROXRnoc] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\debug.exe
O4 - HKLM\..\Run: [HNUGROXRnZ] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cmd.exe
O4 - HKLM\..\Run: [HNUGROXRrvc] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\setup.exe
O4 - HKLM\..\Run: [MKfpe] C:\WINDOWS\winamp.exe
O4 - HKLM\..\Run: [HNUGROXRrrb] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\taskmgr.exe
O4 - HKLM\..\Run: [HNUGROXRoMc] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\gdi32.exe
O4 - HKLM\..\Run: [HNUGROXRnsc] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\drweb.exe
O4 - HKLM\..\Run: [HNUvOXRptc] C:\DOCUME~1\user\LOCALS~1\Temp\msmgm.exe
O4 - HKLM\..\Run: [HNUvOXRnoc] C:\DOCUME~1\user\LOCALS~1\Temp\debug.exe
O4 - HKLM\..\Run: [HNUvOXRsPc] C:\DOCUME~1\user\LOCALS~1\Temp\win16.exe
O4 - HKLM\..\Run: [MKfPc] C:\WINDOWS\win16.exe
O4 - HKLM\..\Run: [HNUvOXRnZ] C:\DOCUME~1\user\LOCALS~1\Temp\cmd.exe
O4 - HKLM\..\Run: [HNUvOXRrwe] C:\DOCUME~1\user\LOCALS~1\Temp\sysmgm.exe
O4 - HKLM\..\Run: [MKfa] C:\WINDOWS\win.exe
O4 - HKLM\..\Run: [HNUGROXRotc] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hexdump.exe
O4 - HKLM\..\Run: [HNUGROXRprc] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\login.exe
O4 - HKLM\..\Run: [MKaoc] C:\WINDOWS\debug.exe
O4 - HKLM\..\Run: [HNUGROXRruf] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\spoolsv.exe
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [\\dazza\EPSON Stylus DX4000 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE /FU "C:\DOCUME~1\user\LOCALS~1\Temp\E_S2C5.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus DX4000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE /FU "C:\WINDOWS\TEMP\E_S2B9.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [\\dazza\EPSON Stylus DX4000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE /FU "C:\DOCUME~1\user\LOCALS~1\Temp\E_S2D2.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Auto EPSON Stylus DX4000 Series (Copy 1) on dazza] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE /FU "C:\WINDOWS\TEMP\E_S2C9.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Auto EPSON Stylus DX4000 Series on dazza] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE /FU "C:\WINDOWS\TEMP\E_S2CC.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [thRixofiUClbj] C:\Documents and Settings\All Users\Application Data\thRixofiUClbj.exe
O4 - HKCU\..\Run: [HNUvOXRpw+] C:\DOCUME~1\user\LOCALS~1\Temp\nvsvc32.exe
O4 - HKCU\..\Run: [HNUvOXRsre] C:\DOCUME~1\user\LOCALS~1\Temp\wininst.exe
O4 - HKCU\..\Run: [HNUvOXRrtc] C:\DOCUME~1\user\LOCALS~1\Temp\sysedit.exe
O4 - HKCU\..\Run: [HNUvOXRqyS] C:\DOCUME~1\user\LOCALS~1\Temp\olutspr9.exe
O4 - HKCU\..\Run: [MKctc] C:\WINDOWS\msmgm.exe
O4 - HKCU\..\Run: [HNUvOXRrxe] C:\DOCUME~1\user\LOCALS~1\Temp\system.exe
O4 - HKCU\..\Run: [MKerb] C:\WINDOWS\taskmgr.exe
O4 - HKCU\..\Run: [HNUGROXRoMc] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\gdi32.exe
O4 - HKCU\..\Run: [HNUGROXRssc] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [MKfpe] C:\WINDOWS\winamp.exe
O4 - HKCU\..\Run: [HNUGROXRnZ] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cmd.exe
O4 - HKCU\..\Run: [HNUGROXRnsc] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\drweb.exe
O4 - HKCU\..\Run: [HNUGROXRrrb] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\taskmgr.exe
O4 - HKCU\..\Run: [HNUGROXRrvc] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\setup.exe
O4 - HKCU\..\Run: [HNUGROXRnoc] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\debug.exe
O4 - HKCU\..\Run: [HNUvOXRssc] C:\DOCUME~1\user\LOCALS~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [HNUvOXRptc] C:\DOCUME~1\user\LOCALS~1\Temp\msmgm.exe
O4 - HKCU\..\Run: [HNUvOXRnoc] C:\DOCUME~1\user\LOCALS~1\Temp\debug.exe
O4 - HKCU\..\Run: [HNUvOXRsPc] C:\DOCUME~1\user\LOCALS~1\Temp\win16.exe
O4 - HKCU\..\Run: [MKfPc] C:\WINDOWS\win16.exe
O4 - HKCU\..\Run: [HNUvOXRnZ] C:\DOCUME~1\user\LOCALS~1\Temp\cmd.exe
O4 - HKCU\..\Run: [HNUvOXRrwe] C:\DOCUME~1\user\LOCALS~1\Temp\sysmgm.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1301175887765
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (file missing)
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

End of file - 11869 bytes

Edited by hamluis, 10 April 2011 - 12:57 PM.
Moved from XP to Malware Removal Logs.


#2 shelf life

  • Malware Response Team
  • 2,680 posts
  • Gender:Male
  • Location:@localhost
  • Local time:06:48 AM

Posted 16 April 2011 - 07:28 AM

hi thedazzler,

Based on your log you are "pwned"; you shouldn't be using the computer until it's clean. It also should have no connectivity; if you're not sure how to stop that then I would just power it off. Simply reply back, if you still need help, with a DDS log, which will provide more information:

Please download DDS and save it to your desktop.
Double click dds.scr to run the tool. When done, DDS.txt will open.
Save both reports to your desktop.
Please copy/paste both logs in your reply.

How Can I Reduce My Risk to Malware?
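
One way to triage the O4 (autorun) entries of a log like the one in post #1, as an added example that is not part of the thread or either poster's method: it flags Run values whose executable sits in a Temp folder or carries a Windows system binary name outside system32, while ignoring Temp paths that appear only in arguments. The regexes, the `SYSTEM_NAMES` list and the function names are assumptions made for this example.

```python
import re

# A subset of O4 lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [HNUvOXRpw+] C:\DOCUME~1\user\LOCALS~1\Temp\nvsvc32.exe
O4 - HKLM\..\Run: [MKerb] C:\WINDOWS\taskmgr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HNUvOXRssc] C:\DOCUME~1\user\LOCALS~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [EPSON Stylus DX4000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE /FU "C:\WINDOWS\TEMP\E_S2B9.tmp" /EF "HKCU"
"""

# Hive, optional SID component (HKUS lines), value name, command line.
O4_RE = re.compile(r'^O4 - (HK\w+)(?:\\[^\\]+)?\\\.\.\\Run: \[(.+?)\] (.+)$')
# Quoted path, or an unquoted path up to the first executable extension.
IMAGE_RE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|scr|com|bat|pif))(?=\s|$)', re.I)
# Assumption: a short list of binaries that ship in system32 on Windows XP.
SYSTEM_NAMES = {"winlogon.exe", "taskmgr.exe", "cmd.exe", "spoolsv.exe", "ctfmon.exe"}

def image_path(command):
    """Return only the executable path of a Run command, without arguments."""
    m = IMAGE_RE.match(command.strip())
    if not m:
        return command.strip()
    return m.group(1) or m.group(2)

def triage(log_text):
    """Return (hive, value name, image path, reasons) for suspicious O4 lines."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, name, command = m.groups()
        path = image_path(command)
        folder, _, exe = path.lower().rpartition("\\")
        reasons = []
        if "temp" in folder.split("\\"):
            reasons.append("runs from Temp")
        if exe in SYSTEM_NAMES and not folder.endswith("\\system32"):
            reasons.append("system binary name outside system32")
        if reasons:
            findings.append((hive, name, path, reasons))
    return findings

if __name__ == "__main__":
    for hive, name, path, reasons in triage(SAMPLE_LOG):
        print(f"{hive} [{name}] {path}: {', '.join(reasons)}")
```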