Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Windows Explorer May Have Been Hijacked

  • Please log in to reply
4 replies to this topic

#1 Scooter McGavin

Scooter McGavin

  • Members
  • 3 posts
  • Local time:12:47 PM

Posted 28 February 2006 - 06:35 AM


Firstly, I would like to thank you all for the work you do here. I have found this site to be invaluable in assisting me with the removal of virus/spyware by reading your replies to other peoples posts. i think you are doing a selfless & honourable job and you are an asset to the community, keep up the good work!!

Yesterday i was having some problems with my computer - it kept locking up on a regular basis & even shut down by itself after displaying a "pink" stop screen that was so glitched i couldn't read it. The lock ups happened while playing UT2004 online, Battlefront offline & Day of Defeat. GTA: Vice City ran without a hitch, (all are original games). Shut down occured during UT2004 online after having left it off for a good hour or more. i have run every scan under the sun (AVG, Pest Patrol, AdAware & ALL of the scans in the "prior to posting" sticky) of which there were some files they could not remove, see below for report details.

As for the possible Hijack please read below:
When i open a directory or folder in Windows Explorer, it makes a clicking sound (default wav file). After all this happened yesterday, when i have it open (just idling) it continually makes this clicking sound but nothing moves on screen. As if somone else is viewing directories/folders in the background. This is not a sound delay & the sound is repeated (irregularly) many more times than directories/folders i have opened.

The computer seems to be running OK at the moment, i have had it running for the last 5hrs and even played UT2004 with a couple of 10sec pauses, but continued without locking up. i would like someone to please check my AV reports to make sure there is nothing lying dormant and also advise on how to delete the remaining files.

Any help would be much appreciated.
Thank you in advance

Panda report:

Spyware:Cookie/BurstNet Not disinfected
C:\Documents and Settings\Scot\Application Data\Mozilla\Firefox\Profiles\se7feuxi.default\cookies.txt[]

Spyware:Cookie/2o7.net Not disinfected
C:\Documents and Settings\Scot\Cookies\scot@112.2o7[1].txt

Spyware:Cookie/Com.com Not disinfected
C:\Documents and Settings\Scot\Cookies\scot@gamearena.com[2].txt

Adware:adware/popuper Not disinfected
C:\Documents and Settings\Scot\Favorites\spyware removal.url

Virus:Eicar.Mod Not disinfected
C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]

Trend Micro:
picked up some spyware which it happily cleaned & 2 that i had to fix manually:

1) Vulnurability in Word Perfect - i followed the instructions & successfully fixed
2) Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987) - i followed this link but it came up with what looked like the encyclopedia of viruses & i could not find this one. Please advise on how to fix.

No viruses found.

McAfee AVERT Stinger Version 2.5.9 built on Feb 2 2006

Copyright © 2005 Networks Associates Technology, Inc. All Rights Reserved.

Virus data file v1000 created on Feb 2 2006.

Ready to scan for 55 viruses, trojans and variants.

Scan initiated on Tue Feb 28 19:58:20 2006

Number of clean files: 269093

Other Security:
AVG - clean
Spybot - clean (IE protection & tea timer running)
Pest Patrol - found & deleted an AlphaCleaner variant
Spyware Blaster - up to date & running
Windows - up to date
Kerio Personal Firewall - running

Logfile of HijackThis v1.99.1
Scan saved at 8:51:40 PM, on 28/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = ie tweaks applied 10_01_06
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D3033CE-B203-4A1D-B7C4-7AF6BC35666C}: NameServer =
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe


Thank you for your time

BC AdBot (Login to Remove)


#2 OldTimer


    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:10:47 PM

Posted 05 March 2006 - 12:55 PM

Hello Scooter McGavin and welcome to the BC HijackThis forum. I do not see any signs of viruses or malware in the log. It is clean.

I would suggest doing a little standard cleanup as described below and see if that helps. If not, and the problem is primarily with playing games, then post a question in the games forum and see what they have to say.

Download ATF Cleaner and start the program. On the Main page click the Select All checkbox and then click the Empty Selected button. Now click on the Firefox menu item and click the Celect All checkbox and then click the Empty Selected button. Close the program.

In regards to the "Buffer Overrun in JPEG Processing" message, see this link to determine if any updates are required for this system and which ones they are.

Other than that you are good to go.


I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.

Posted Image

#3 Scooter McGavin

Scooter McGavin
  • Topic Starter

  • Members
  • 3 posts
  • Local time:12:47 PM

Posted 06 March 2006 - 03:25 AM

G'Day Old Timer,

Thanks for your response.

I have run ATF & am currently downloading the update for Office.
i am still concerned about the files that Panda has reported as "Not Disinfected", can i just manually delete these files? Is deleting them going to cause issues for other programs?


#4 OldTimer


    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:10:47 PM

Posted 06 March 2006 - 05:25 AM

Hi Scooter McGavin. The ATF Cleaner should take care of those when it cleans out the cookies. The Eicar file is a test virus used by most anti-virus companies to test if the program is functioning properly so that one is not a problem.

Let me know if you have any other questions.


I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.

Posted Image

#5 Scooter McGavin

Scooter McGavin
  • Topic Starter

  • Members
  • 3 posts
  • Local time:12:47 PM

Posted 07 March 2006 - 01:52 AM

Ok, great!! No more questions.

Thank-you very much for help OldTimer, much appreciated.


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users