I've been hijacked
 

Any suggestions on what I should delete will be appreciated. I have an older computer which has a partioned drive. I'm out of space on the c: drive where windows is located and can't upgrade the security patches. I don't have the original disk to reformat the drive either.
Thanks for the help.


Logfile of HijackThis v1.99.1
Scan saved at 7:35:52 PM, on 3/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\Program Files\EarthLink 5.0\updatemgr.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
D:\Program Files\QuickTime\qttask.exe
C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\kaka.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\SanDisk\low power 128MB + Wi-Fi CompactFlash Card\WLANUTL.exe
C:\WINDOWS\System32\mrtMngr.EXE
c:\Q92194.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
D:\Program Files\Hijack\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://kon4ay.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://kon4ay.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kon4ay.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://kon4ay.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://kon4ay.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://kon4ay.biz/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.94.74.68:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\Program Files\EarthLink 5.0\updatemgr.exe" /NOCM
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [SpybotSnD] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /waitstart
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SearchAssistant] c:\Q92194.exe
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Autoupdate Service] C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\kaka.exe
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: SanDisk Wi-Fi.lnk = C:\Program Files\SanDisk\low power 128MB + Wi-Fi CompactFlash Card\WLANUTL.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {6ACACC51-430B-47CB-94D6-AFE839AE8797} - http://www.reidownload.com/DemoSoftware/setup.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

Re: I've been hijacked
 

These as you probly guessed are bad its not all and won't get rid of the problem but ill have it figured out in a minute or two.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://kon4ay.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://kon4ay.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kon4ay.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://kon4ay.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://kon4ay.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://kon4ay.biz/

Re: I've been hijacked
 

This is bad:

O4 - HKLM\..\Run: [SearchAssistant] c:\Q92194.exe

To remove it reboot your computer in safe mode then goto c:\ and on the top tool bar click folder options then click the view tab then find were it says display hidden files click the yes opition apply it. Then find Q92194.exe in c:\ and delete it and then goto the recyling bin and empty and the rebot in the regular mode.

Re: I've been hijacked
 

this indicates you have sidestep it can be reomve in control panel add and remove programs .
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
a few other things need fixing also .
This need fixing and removal .
O4 - HKCU\..\Run: [Autoupdate Service] C:\DOCUME~1\BRANDO~1\LOCALS~1\Temp\kaka.exe
,,,,,,,,,,,,,,,,,,,,,,,,,
To remove trojans there is a tool which needs to be downloaded and run.

1. Please download Stinger and save it to your desktop

2. Double-click on the stinger.exe file and open the tool

3. Choose your entire hard drive to scan.

4. Choose Scan Now

5. Stinger will fix anything that it finds

6. Click the File menu and select Save report to file

7. Post the log file results here in this thread.

STINGER

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Reboot to SAFE mode to delete files
How to start computer in safe mode

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.

Do a virus scan Please do an online scan, 2 would be better,

Micro World http://www.mwti.net/antivirus/free_utilities.asp
Trend Micro http://housecall.trendmicro.com/hous...start_corp.asp

Make sure that you choose "fix" or "clean".

Re: I've been hijacked
 

I would suggest going to control panel and uninstall some added programs that you don't use often !
then do you updates ,then you could reinstall the program if you want ,only do it differently this time and change the default install path [usually c:\program files ]so as to install the program on the other partition .you will have to make the path change for each install ,change it to what ever your other drive letter is like ,D:\programs , or what ever the drive letter to the other partition is . it will create the Programs folder and intall the programs into it ,

Re: I've been hijacked
 

Thank you for everyone's input! I believe I just successfully elminated it. The stinger.exe found a blaster worm that had been not found by Trend Micro early last week. I also think deleting the files in the temp folder was helpful.

Afee AVERT Stinger Version 2.5.3 built on Mar 1 2005

Copyright (C) 2005 Networks Associates Technology, Inc. All Rights Reserved.

Virus data file v1000 created on Mar 1 2005.

Ready to scan for 53 viruses, trojans and variants.



Scan initiated on Sun Mar 06 10:59:13 2005

C:\WINDOWS\system32\TFTP424

Found the W32/Blaster.worm.a virus !!!

C:\WINDOWS\system32\TFTP424 has been deleted.

Number of clean files: 112726

Number of infected files: 1

Number of files deleted: 1

Re: I've been hijacked
 

You should post another HJT log just to be sure.

I see by your post count and Join Date that you're pretty new here, have you checked out the Geek's Lounge or any of the other forums yet? Have a look around :)