Post #1, Jul 28 2008, 08:21 PM
New Member, Group: Authentic Member, Posts: 19, Joined: 20-August 04, Member No.: 12,933
My computer has been hijacked after I clicked on a link that looked and smelled like YouTube. Unfortunately I hit 'Run' when it asked. Then the problems began. I've barely been able to do anything online because of pop-ups and forced web pages. I did finally manage to run Panda ActiveScan, which found a bunch of stuff. However, the main problems still exist. I have an older version of HijackThis, thank goodness, so I ran it to post here. Main problems: Control Panel, My Computer (all the important stuff) not showing under the Start menu. The background is a GIF with 'virus infection warning'. I can't get rid of it because of an 'admin restriction'. I can't use Ctrl+Alt+Del because 'Task Manager has been disabled'. IE keeps bringing up a slew of anti-virus software, which eventually leads to a screen where I can do nothing but unplug the computer. I should admit that I did tinker with what I thought might be the problem but was unsuccessful in removing them. Those were the O6 and O7. The admin restrictions prevented HijackThis from removing them. I appreciate any help. Here is the file.

Logfile of HijackThis v1.99.1
Scan saved at 20:53: VIRUS ALERT!, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\Anti-threats\hijackthis1973\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [AlcFDMonitor] C:\WINDOWS\ALCFDRTM.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Amazon Unbox.lnk = ?
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: CorelCENTRAL 10.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www2.snapfish.com/SnapfishOutlookImport.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n024p/EN/install/gtdownlr.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/ht...ALStreaming.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {54D53429-945C-4188-B460-C81356541882} (SaveImageFiles Class) - http://photosmart.hpphoto.com/Download/HPe...sLocalPrint.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://bhcsvpn.baylorhealth.edu/dana-cache...uniperSetup.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O21 - SSODL: eqvwamkl - {4E694FAD-13BA-4D24-92E8-8FC9B573D01B} - C:\WINDOWS\eqvwamkl.dll
O21 - SSODL: wnslvxtf - {06ADAFEB-5141-40B8-9867-E8935999CE38} - C:\WINDOWS\wnslvxtf.dll
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\dnlsvc.exe (file missing)
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
Post #2, Jul 29 2008, 01:05 AM
MRU Administrator, Group: Visiting Staff, Posts: 1,092, Joined: 25-July 06, From: Yorkshire, England, Member No.: 58,927, Operating System: XP
Looking over your log, back ASAP.
Post #3, Jul 29 2008, 01:17 AM
MRU Administrator
You have signs of a possible Rootkit on your computer.
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\dnlsvc.exe (file missing)

The fact that HJT says the file is missing should not be taken as an indication that it's not present on your computer; HJT is not always reliable in this regard.
http://www.bleepingcomputer.com/startups/d....exe-15276.html
http://www.sophos.com/security/analyses/vi...jntrootkaa.html

Its presence suggests this will also be present, as they often come together.
http://www.sophos.com/security/analyses/vi.../trojrkfuc.html

There are other infections on your computer, but this is the one to be most concerned about. This means your attacker may have full remote access to your computer and can use it as if he were sat in front of it.

You are strongly advised to do the following immediately:

1. Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.

2. Call all of your banks, credit card companies, and financial institutions. Inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

3. From a clean computer, change *all* your online passwords: for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to. Do NOT change passwords or do any transactions while using the infected computer, because the attacker will get the new passwords and transaction information.

IF YOU USE THIS COMPUTER FOR ONLINE BANKING OR OTHER FINANCIAL TRANSACTIONS, OR HAVE DATA OF A CONFIDENTIAL NATURE ON IT, MY RECOMMENDATION IS THAT YOU RE-FORMAT AND RE-INSTALL YOUR OPERATING SYSTEM AND PROGRAMMES. WE CAN NEVER BE TOTALLY SURE WE HAVE GOT RID OF ALL MODIFICATIONS WHICH MAY HAVE BEEN MADE BY THE ATTACKER, AND THEREFORE CANNOT GUARANTEE THE SAFETY OF YOUR DATA.

Guide to re-formatting and re-installing courtesy of wng_z3r0

If you don't have the resources to reinstall your OS and/or would like me to attempt to clean your machine, I'll be happy to do so. To help you decide, please take some time to read the following articles, then let me know how you want to proceed.

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups
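The triage Gary does by eye above (a service registered from a user's Temp directory and reported as "file missing", two random-named ShellServiceObjectDelayLoad DLLs sitting in C:\WINDOWS rather than system32, HKCU policy lock-outs on regedit and Task Manager) can be expressed as rules and run over a HijackThis log. The script below is an added example written for this page; it is not part of the original thread and is not HijackThis code. The log lines it scans are constructed for the example, modelled on the entries in the log above plus benign entries of the same kinds; the Windows directory path, the Temp-directory pattern and the rules themselves are heuristic assumptions, and it only flags entries for a human to review, it does not remove anything.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 log format. The suspicious lines are
# modelled on the entries discussed in this thread; the others are benign
# entries of the same kinds, added so the rules have something to ignore.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: eqvwamkl - {4E694FAD-13BA-4D24-92E8-8FC9B573D01B} - C:\WINDOWS\eqvwamkl.dll
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\dnlsvc.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "O21"
    severity: str  # "high" or "medium"
    reason: str
    line: str


# Windows directory as HijackThis prints it on this XP machine (assumption:
# other installs may use a different drive letter or directory name).
WINDIR = r"c:\windows"
SECTION_RE = re.compile(r"^([RFNO]\d{1,2}) - ")
TEMP_DIR_RE = re.compile(r"\\te?mp\\", re.IGNORECASE)
# HKCU policy values that take away the tools a user reaches for first. A real
# administrative policy would not normally show up alongside a hijacked start
# page, so under HKCU these are treated as lock-out rather than configuration.
LOCKOUT_RE = re.compile(r"Disable(Regedit|TaskMgr|CMD)=1|Restrictions present", re.IGNORECASE)


def _last_path(line: str) -> str:
    """Return the file path of an O21/O23 line: the last ' - ' field, minus HJT's note."""
    field = line.rsplit(" - ", 1)[-1]
    return field.replace("(file missing)", "").strip().strip('"')


def _check(line: str):
    """Apply the triage rules to one log line; return a Finding or None."""
    m = SECTION_RE.match(line)
    if not m:
        return None
    section = m.group(1)
    if section in ("O6", "O7") and LOCKOUT_RE.search(line):
        return Finding(section, "high",
                       "HKCU policy lock-out (regedit / Task Manager / IE restrictions)", line)
    if section == "O21":
        path = _last_path(line)
        # A ShellServiceObjectDelayLoad DLL loaded straight from the Windows root
        # (not system32) is the pattern of the two random-named DLLs in this log.
        if ntpath.dirname(path).lower() == WINDIR:
            return Finding(section, "high", "SSODL DLL loaded from the Windows root directory", line)
    if section == "O23":
        path = _last_path(line)
        if TEMP_DIR_RE.search(path):
            return Finding(section, "high", "service binary registered from a Temp directory", line)
        if "Unknown owner" in line and "(file missing)" in line:
            # HJT's "file missing" is not proof of absence, so this still merits a look.
            return Finding(section, "medium", "unsigned service whose binary HJT cannot see", line)
    return None


def triage(log_text: str) -> list:
    """Run every non-empty line of a HijackThis log through the rules, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        finding = _check(line)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

On the constructed sample this reports the O6, O7, the C:\WINDOWS SSODL entry and the Temp-directory service as high, and leaves the system32 SSODL entry, the ATI service and the O4 Run entry alone. The rules are deliberately narrow; a log with a hijacked R0 start page or a Winsock LSP from an unknown vendor still needs the eye Gary applied above.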
Post #4, Jul 29 2008, 06:41 AM
New Member
Thanks for reply! Yikes. Ok, I'm calling banks and cards. You've got me concerned enough to reformat. I trust your opinion. I don't think I have software for its preinstallation stuff, but I do have a windows xp disk. Will this be sufficient? Your help for cleaning my machine would be most appreciated.
Post #5, Jul 29 2008, 08:40 AM
MRU Administrator
OK, if you've decided to reformat and re-install there's no need to attempt cleaning your computer; the reformatting process will remove any infection you have.

It's not really possible for me to go through a re-format with you. It's not something I've a great deal of experience with, certainly not enough to remotely guide you through the possible pitfalls. If you've decided to go this route and you've not done it before, then it's better if you post in the Windows or Hardware forums and ask for help there; they're better equipped to help you.
http://forums.whatthetech.com/Microsoft_Windows_f119.html
http://forums.whatthetech.com/General_Hardware_f126.html

Let them know what has happened and why you've decided to re-format, and refer them to this thread if they need to contact me for any reason.

Alternatively, if you're not confident of doing it yourself, you might consider paying a pro to do it for you. Most repair stores will be prepared to do this, and usually it's not overly expensive.

Don't forget to back up any personal data, as it will be lost in the re-formatting procedure. There's some risk in retaining these files, but personal stuff is not usually where the infection resides.

Good luck.

This post has been edited by Gary R: Jul 29 2008, 08:42 AM
Post #6, Jul 29 2008, 04:35 PM
New Member
Thanks Gary,
I have decided to reformat, so I will go find help at the other forum. I do have another question though. I want to get a few family pictures off of it before formatting. The C: drive has become unavailable to me. Even if I try to access it from DOS it says 'access denied'. Is there a way around this without having to go through a complete 'fix'?
Post #7, Jul 30 2008, 12:01 AM
MRU Administrator
Without knowing why your C: drive is not available to you it's hard to say; I don't really have too much information to work with at the moment.

Can you access it if you boot into Safe Mode? Reboot your computer into Safe Mode by doing the following:

Note: if you cannot boot into Safe Mode using this method, DO NOT attempt to do so by using MSConfig; this could result in your computer becoming unbootable.

Other than that it would probably involve you having to slave your C: drive to another computer. The guys in Hardware would be the best to ask for that kind of help.

If you want, we can start to "fix" your computer, at least to the stage where you might be able to access your data, after which you can reformat.

This post has been edited by Gary R: Jul 30 2008, 12:03 AM
Post #8, Jul 30 2008, 03:26 PM
New Member
Gary,
Thanks for all your help and prompt replies. I haven't done the reformat yet, but I was finally able to get my stuff off of the C: drive. It was allowing me access to desktop stuff, so I opened a file in Excel, which has the stored history of my recently opened documents. This allowed me to open a file on the C: drive and then use 'Save As' to see the C: drive. Then I just made a shortcut of everything to my desktop. Now that I have that squared away, I'm going to look at some of the links you gave me for formatting.

Cheers,
Michael
Post #9, Jul 30 2008, 04:02 PM
MRU Administrator
Glad you managed to access your files, good luck with re-formatting your computer.
As you're going to be dealt with in the other forums, I'll close this thread now.
Post #10, Jul 30 2008, 04:02 PM
MRU Administrator
Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.
If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread. Everyone else, please begin a New Topic.