
Thread: Please diagnose hijackthis.log

  1. #1
    Alex Y Wang Guest

    Please diagnose hijackthis.log

    My IE has been hacked. I've tried several ways to get rid of it,
    without any success. Here is a hijackthis log. Can anybody help? One
    thing I notice is that every time I open or close IE or windows
    explorer, spybot tells me that the IE home page value in my registry
    is being modified. Is there any way I can catch the program that's
    doing the mod?


    Logfile of HijackThis v1.99.1
    Scan saved at 7:50:58 AM, on 7/19/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    E:\My Documents\PortApps\taskswitchxp\TaskSwitchXP.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    E:\My Documents\PortApps\HoeKey\HoeKey.exe
    C:\Program Files\Launchy\Launchy.exe
    C:\WINDOWS\system32\agrsmsvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Opera\opera.exe
    C:\Program Files\totalcmd\TOTALCMD.EXE
    E:\My Documents\Downloads\anti-malware\HijackThis.exe

    O2 - BHO: (no name) - {21334231-6DED-436B-9E63-E45AAA9DA107} - (no file)
    O2 - BHO: (no name) - {296E2539-1A71-44AE-9864-9C083517BD36} - C:\WINDOWS\system32\uyoaninvve.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {867A1E46-2F7C-4A8F-A1B0-F65BF8915117} - C:\WINDOWS\system32\wsllvqlxwpqne.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {9B753C26-9E77-4C96-B7A8-4ACB70025974} - C:\WINDOWS\system32\nbrqpsuzyy.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKCU\..\Run: [TaskSwitchXP] E:\My Documents\PortApps\taskswitchxp\TaskSwitchXP.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: HoeKey.lnk = E:\My Documents\PortApps\HoeKey\HoeKey.exe
    O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1182475630984
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://redfliyngpig.spaces.live.com/...d/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1A0BDF82-D151-47A2-8D99-9AE280A564A5}: NameServer = 202.96.64.68,202.96.75.68
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1A0BDF82-D151-47A2-8D99-9AE280A564A5}: NameServer = 202.96.64.68,202.96.75.68
    O17 - HKLM\System\CS3\Services\Tcpip\..\{1A0BDF82-D151-47A2-8D99-9AE280A564A5}: NameServer = 202.96.64.68,202.96.75.68
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
    O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    O23 - Service: VMware Agent Service (ufad-ws60) - Unknown owner - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Workstation\\" -s ufad-p2v.xml (file missing)
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
    O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
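As an added example (not part of the original post or any of the replies, and not HijackThis's own logic): the script below does the first pass a log-analysis forum volunteer does by hand on a log like the one above. It parses the O2 (browser helper object), O17 (adapter DNS server) and O23 (service) line formats and sorts entries into three buckets: unnamed BHOs that load a DLL (the entries an analyst checks first), orphaned registrations whose file no longer exists, and settings that are not wrong by themselves but need verifying against a known-good value. The sample input is constructed from lines of the posted log; the bucket names, the regular expressions and the heuristics are this example's own assumptions, and the script makes no judgement that any particular DLL is malicious, it only ranks what to look at.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of lines copied from the HijackThis log posted
# above (O2, O17 and O23 entries).  Raw string so the Windows backslashes stay
# literal.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {21334231-6DED-436B-9E63-E45AAA9DA107} - (no file)
O2 - BHO: (no name) - {296E2539-1A71-44AE-9864-9C083517BD36} - C:\WINDOWS\system32\uyoaninvve.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {867A1E46-2F7C-4A8F-A1B0-F65BF8915117} - C:\WINDOWS\system32\wsllvqlxwpqne.dll
O2 - BHO: (no name) - {9B753C26-9E77-4C96-B7A8-4ACB70025974} - C:\WINDOWS\system32\nbrqpsuzyy.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A0BDF82-D151-47A2-8D99-9AE280A564A5}: NameServer = 202.96.64.68,202.96.75.68
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

# Line shapes of the three HJT sections handled here (assumed from the log format).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
DNS_RE = re.compile(r"^O17 - (?P<key>.*?): NameServer = (?P<servers>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<target>.*)$")


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O2"
    severity: str  # "review" (look at first), "orphan" (stale entry) or "verify" (confirm value)
    reason: str
    detail: str


def triage(log_text: str) -> List[Finding]:
    """Rank the O2/O17/O23 lines of a HijackThis log for manual review."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = BHO_RE.match(line)
        if m:
            name, clsid, target = m.group("name", "clsid", "target")
            if name == "(no name)" and target != "(no file)":
                # A BHO with no registered name that still loads a DLL is the
                # classic thing an analyst looks up first.
                findings.append(Finding("O2", "review", "unnamed BHO loading a DLL", f"{clsid} {target}"))
            elif target == "(no file)":
                findings.append(Finding("O2", "orphan", "BHO registration with no DLL on disk", clsid))
            continue
        m = DNS_RE.match(line)
        if m:
            # DNS servers are not wrong by themselves; they must match what the
            # ISP or network administrator actually hands out.
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            findings.append(Finding("O17", "verify", "DNS servers set on the adapter; confirm they belong to the ISP",
                                    ", ".join(servers)))
            continue
        m = SVC_RE.match(line)
        if m:
            name, owner, target = m.group("name", "owner", "target")
            if target.endswith("(file missing)"):
                findings.append(Finding("O23", "orphan", "service points at a missing binary",
                                        f"{name} ({owner}): {target}"))
    return findings


def by_severity(findings: List[Finding], severity: str) -> List[Finding]:
    return [f for f in findings if f.severity == severity]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section} {f.reason}: {f.detail}")
```

Run against the sample, the three unnamed BHOs under system32 land in the "review" bucket, the two "(no file)" BHOs and the MySQL service with a missing binary are reported as orphans, and the O17 line produces one "verify" item listing both DNS servers. The named Spybot BHO and the ESET service produce nothing, which is the point: the script narrows a 150-line log to the handful of entries worth a lookup rather than replacing the judgement of whoever reads it.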


  2. #2
    Leythos Guest

    Re: Please diagnose hijackthis.log

    In article <64613445-395b-4a7f-9a88-09b19243e92d@t12g2000prg.googlegroups.com>,
    redflyingpig@gmail.com says...
    > Here is a hijackthis log.
    >

    you should have posted it to one of the HJ online sites that does this
    for you.
    --
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

  3. #3
    siljaline Guest

    Re: Please diagnose hijackthis.log

    "Alex Y Wang" wrote:
    > My IE has been hacked. I've tried several ways to get rid of it,
    > without any success. Here is a hijackthis log. Can anybody help? One
    > thing I notice is that every time I open or close IE or windows
    > explorer, spybot tells me that the IE home page value in my registry
    > is being modified. Is there any way I can catch the program that's
    > doing the mod?

    <snip>
    Download and run HijackThis;
    (http://www.trendsecure.com/portal/en...age=hijackthis)
    Read this Tutorial *before* first use;
    (http://www.bleepingcomputer.com/foru...howtutorial=42)
    Once done > run HijackThis > save a scan log and post it to /any/ of the
    following (expert) forums for analysis.
    *Note, //registration// *is* required prior to posting a log.
    - Not listed in any particular order -
    (http://aumha.net/viewforum.php?f=30)
    (http://forums.spywareinfo.com/index.php?&showforum=18)
    (http://www.spywarewarrior.com/viewforum.php?f=5)
    (http://www.bleepingcomputer.com/forums/forum22.html)
    (http://www.dslreports.com/forum/cleanup)
    (http://forum.malwareremoval.com/viewforum.php?f=11)
    (http://www.cybertechhelp.com/forums/...splay.php?f=25)
    (http://www.atribune.org/forums/index.php?showforum=9)
    (http://www.geekstogo.com/forum/Malwa..._Here-f37.html)
    (http://forums.spywareinfo.com/index.php?showforum=18)
    (http://www.techmonkeys.co.uk/forums/viewforum.php?f=8)
    (http://forum.networktechs.com/forumdisplay.php?f=130)
    (http://forums.maddoktor2.com/index.php?showforum=17)
    (http://forums.spywaretimes.com/index.php?showforum=2)
    (http://www.bluetack.co.uk/forums/ind...?showforum=172)
    (http://forums.techguy.org/f54-s.html)
    (http://forums.tomcoyote.org/index.php?showforum=27)
    (http://forums.subratam.org/index.php?showforum=7)
    (http://www.5starsupport.com/ipboard/...p?showforum=18)
    (http://www.malwarebytes.org/forums/i...hp?showforum=7)
    (http://www.wilderssecurity.com/forumdisplay.php?f=26)
    (http://makephpbb.com/phpbb/viewforum.php?f=2)
    (http://forums.techguy.org/54-security/)
    (http://forums.security-central.us/forumdisplay.php?f=13)
    (http://castlecops.com/forum67.html)
    (http://gladiator-antivirus.com/forum...?showforum=170)
    (http://www.lavasoftsupport.com/index.php?showforum=36)
    (http://forum.piriform.com/index.php?showforum=12)

    Post back the URL where you posted your log, *not* the entire log.


    --
    siljaline

    "Arguing with anonymous strangers on the Internet is a sucker's game
    because they almost always turn out to be -- or to be indistinguishable from
    -- self-righteous sixteen-year-olds possessing infinite amounts of free time."
    - Neal Stephenson, _Cryptonomicon_





  4. #4
    Kayman Guest

    Re: Please diagnose hijackthis.log

    On Fri, 18 Jul 2008 16:54:51 -0700 (PDT), Alex Y Wang wrote:

    > My IE has been hacked. I've tried several ways to get rid of it,
    > without any success. Here is a hijackthis log. Can anybody help?


    <snip>

    Please, do not post HJT logs to this newsgroup.
    Fora where you can get expert advice for HiJack This! (HJT) logs.

    NOTE: Registration is required in any of the below before posting a log

    http://www.theeldergeek.com/forum/in...6&showforum=29
    http://www.thespykiller.co.uk/index.php?board=3.0
    http://www.bleepingcomputer.com/forums/forum22.html
    http://castlecops.com/forum67.html
    http://forums.tomcoyote.org/index.php?showforum=27
    http://www.5starsupport.com/ipboard/...p?showforum=18
    http://www.spywarewarrior.com/viewforum.php?f=5

    Good luck

  5. #5
    siljaline Guest

    Re: Please diagnose hijackthis.log

    "Kayman" wrote:
    > Please, do not post HJT logs to this newsgroup.
    > Fora where you can get expert advice for HiJack This! (HJT) logs.
    >
    > NOTE: Registration is required in any of the below before posting a log
    >
    > http://www.theeldergeek.com/forum/in...6&showforum=29
    > http://www.thespykiller.co.uk/index.php?board=3.0
    > http://www.bleepingcomputer.com/forums/forum22.html
    > http://castlecops.com/forum67.html
    > http://forums.tomcoyote.org/index.php?showforum=27
    > http://www.5starsupport.com/ipboard/...p?showforum=18
    > http://www.spywarewarrior.com/viewforum.php?f=5
    >

    See my reply post in this thread - the list of HJT sites is more comprehensive.

    Regards,
    Silj

    --
    siljaline

    "Arguing with anonymous strangers on the Internet is a sucker's game
    because they almost always turn out to be -- or to be indistinguishable from
    -- self-righteous sixteen-year-olds possessing infinite amounts of free time."
    - Neal Stephenson, _Cryptonomicon_




