Internet Explorer has been hijacked and I can't stop it resetting to gb10.hpwis.com as the home page. I have tried so much already but nothing has worked. Whatever it is cannot be detected by Norton Antivirus 2004, Adaware or Spybot (all fully up to date). I have also tried CWShredder2, Stinger, Trend online Housecall scan, AboutBuster, IEFix and TrojanHunter and used Killbox to delete files that I thought were suspicious (though obviously I must have missed some). I deleted winPE.exe but it's still being referred to in the registry. Oh, and I've done all those in safe mode as well as normal running, but as soon as I do a normal reboot it all comes back.

I run an HP Pavilion PC and have even done a destructive revert-to-factory-settings restore, but it even persisted after that!!! I don't understand it. :sad:

Here's my latest HijackThis log, after I tried all the stuff above in safe mode:-

Logfile of HijackThis v1.99.1
Scan saved at 22:30:10, on 14/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\system32\gsicon.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-gb10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gb10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gb10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-gb10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ms ownage] winPE.exe
O4 - HKLM\..\RunServices: [ms ownage] winPE.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\Msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\Msjava.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I also deleted a lot of stuff from the registry using regedit, which had persisted even after I used HijackThis to fix some of the nasties above - all references to gb10, srchasst, Search Assistant, ownage or WinPE, but obviously that did no good either.


PLEASE, please can someone help? I'm desperate.

Edit: Forgot to mention, when I boot up the Adwatch monitoring window comes up, but a warning pops up from Norton Antivirus to say it is disabled. Then all the registry changes happen setting IE to gb10.hpwin.com and then Norton Antivirus comes on (obviously too late). Dunno if that helps.


Oh, forgot to add that as well as doing all the above I was also deleting all contents of temporary folders and IE history, and also emptying the recycle bin before rebooting. And HijackThis is in its own folder.

These entries have been positively identified as malicious programs. In the HijackThis program, place a check mark next to the following entries.

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
(Description: Realtek AC97 Audio - Event Monitor. "Spyware" file used to surreptitiously monitor one's actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers.)

O4 - HKLM\..\Run: [ms ownage] winPE.exe
(Description: W32/Rbot-AJL WORM)

O4 - HKLM\..\RunServices: [ms ownage] winPE.exe
(Description: W32/Rbot-AJL WORM)


Suggestions

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
(Description: HP monitoring tool. Unnecessary. Remove this to free up some system resources.)

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
(Description: Intel hotkey applet. Unnecessary. Removing this will free up a small amount of system resources.)

O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
(Description: HP software update checker and wizard launcher.)

O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
(Description: ADSL modem monitor from Eicon Networks (as used by BT for its Broadband internet service for example). Can safely be disabled without affecting the connection - all this does is give an indication of connectivity and access to the diagnostic facilities. Removing this entry will free up some system resources.)

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
(Description: Subscription reminder to unlock unlimited use for SoftThinks CD Creator CD/DVD rewriting software, usually supplied with HP PCs as a pre-installed package. Unnecessary. Removing this will free up a small amount of system resources.)


1) Press the "Fix checked" button. Then close HijackThis.


2) Then reboot your computer.

3) Search for and delete the file Alcxmntr.exe

4) Delete the file winPE.exe which resides in C:\WINDOWS\System32\ or C:\WINDOWS\System\

5) Empty your recycle bin.

6) Run Windows Update and install all critical updates.

7) Make sure your anti-virus program is up to date with the latest patches. If you do not have an anti-virus program, download and install AVG Personal Edition Anti-Virus, which is free.

8) Reboot one last time. Your PC should now be free from spyware!
We suggest that you run HijackThis again, just to make sure that none of the entries that you removed suddenly reappeared. If they haven't, print out our HijackThis log and put it somewhere safe. You can refer to it later if your PC starts acting up.

Thanks for replying so quickly - your help is appreciated. Unfortunately I am no better off. I did everything that you said above, including downloading and installing all available Windows updates, and double checking that Norton Antivirus was up to date. I had already deleted Alcxmntr.exe and winPE.exe, all temporary files and emptied my recycle bin.

After all this, my IE is still being hijacked. Here is my latest HJT log:-

Logfile of HijackThis v1.99.1
Scan saved at 21:12:57, on 15/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-gb10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gb10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gb10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-gb10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [ms ownage] winPE.exe
O4 - HKLM\..\RunServices: [ms ownage] winPE.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\Msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\Msjava.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Interestingly (though I don't know if it means anything) even the additional registry keys that you advised me to delete are back again.

Anyone got any other ideas I could try please?
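An added example, not part of any post in this thread: a small Python check for the situation described above, where entries removed with "Fix checked" are back in the next HijackThis scan. The log excerpts are constructed from lines quoted in the two logs, the set of "fixed" entries is an assumption, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed excerpts in HijackThis v1.99.1 format, using lines from the thread.
FIXED = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gb10.hpwis.com/
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ms ownage] winPE.exe
O4 - HKLM\..\RunServices: [ms ownage] winPE.exe
"""
SCAN_AFTER = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gb10.hpwis.com/
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ms ownage] winPE.exe
O4 - HKLM\..\RunServices: [ms ownage] winPE.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")          # e.g. "O4 - ..."
O4_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def parse_log(text):
    """Return the set of (section, detail) entries; process paths are skipped."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2).strip()))
    return entries

def reappeared(fixed, after):
    """Entries that were fixed but are present again in the later scan.

    Anything listed here is being rewritten by something that still runs,
    so deleting the value or the file it names again will not hold.
    """
    return sorted(fixed & after)

def multi_key_autoruns(entries):
    """O4 value names that launch the same command from more than one key."""
    keys = defaultdict(set)
    for section, detail in entries:
        m = O4_RE.match(detail) if section == "O4" else None
        if m:  # "Global Startup" shortcuts have no [name] and are ignored
            keys[(m.group("name"), m.group("cmd").lower())].add(m.group("key"))
    return {k: sorted(v) for k, v in keys.items() if len(v) > 1}

if __name__ == "__main__":
    fixed, after = parse_log(FIXED), parse_log(SCAN_AFTER)
    for section, detail in reappeared(fixed, after):
        print("came back:", section, "-", detail)
    for (name, cmd), where in multi_key_autoruns(after).items():
        print("registered under several keys:", name, cmd, where)
```
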

Ok try this site: http://www.sophosantivirus.org/virusinfo/analyses/w32rbotajl.html
Look at the Recovery and Advanced tabs

Also, if you have XP then download a trial version of Ewido.

You can download a trial version of Ewido here: http://www.ewido.net/en/

Be sure you update it before using it, and when it finds a problem, be sure to select the check box to do the same action (clean) when it finds a problem, otherwise, you will have to click continue, to keep scanning with every problem it finds.

Thanks again for your quick reply.
I could not download any of the patches as they are older than the software my system already has in place (they are SP1, I have SP2). I downloaded Ewido, updated it and ran it with some interesting results (you could see the ms ownage registry keys reinstalling within seconds of being deleted). However nothing has changed. IE still resets to gb10blahblah and all the dodgy registry keys come back even after deletion.

Anyone got any other ideas?

Well this is all I have left. Create a folder in C: and name it: Autoruns. Now, download this program: http://www.sysinternals.com/Files/Autoruns.zip to that folder, and unzip it in that folder. When you use the .exe file to run Autoruns, use the topmost exe file.

Now go to this site and follow their directions: http://www.bleepingcomputer.com/forums/How_to_remove_a_Trojan_Virus_Worms_or_other_Malware-tut101.html


If that doesn't work, then the only thing else that I can suggest, is to zero the hard drive, fdisk, format, and reinstall Windows.

Thanks for that. I already have used Autoruns as well as AVG which a friend recommended to remove it. This thing isn't going anywhere :( I already had done a destructive restore using the HP software, but it looks like I'm going to have to get dirty. The only problem is that if I lose the HP programmes I am worried about losing my Windows XP licence number etc as there is no record of it on the PC or in any documentation. I'm really annoyed that the Norton software I am paying good money for is useless in this situation.

Download Everest, it should give you your XP key: http://www.lavalys.com/products.php?lang=en

I am not a Norton fan, get AVG free, in fact, if you do a clean install, leave Norton off, below is a list of programs I recommend.

I only list here, the programs that I have used and I’m satisfied with, I know there are other great programs, but these are just the ones that I use, and can verify, as being worthy.

SYSTEM INVENTORY
Everest: http://www.lavalys.com/products.php?lang=en

SPYWARE
AdAware: http://www.lavasoftusa.com/software/adaware/
Spybot S&D: http://www.safer-networking.org/en/index.html
SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
Microsoft AntiSpyware (XP only): http://www.microsoft.com/athome/security/spyware/software/default.mspx

VIRUS PROTECTION
AVG Free: http://www.majorgeeks.com/download886.html

VIRUS and SPYWARE DETECTION
Ewido (XP only - trial version): http://www.ewido.net/en/
HijackThis: http://www.majorgeeks.com/download3155.html

ONLINE HijackThis ANALYZERS
HijackThis analyzer #1: (website) http://www.hijackthis.de/index.php?langselect=english
HijackThis analyzer #2: (website) http://www.help2go.com/modules.php?name=HJTDetective
HijackThis analyzer #3: (website) http://hjt.iamnotageek.com/

ONLINE VIRUS SCAN WEBSITE
Trend Micro: http://housecall.trendmicro.com/

Miscellaneous Tools
Starter: http://www.snapfiles.com/download/dlstarter.html
Icon Restore: http://www.majorgeeks.com/download4125.html
Erunt (XP only): http://www.larshederer.homepage.t-online.de/erunt/
MemTest86: http://www.memtest86.com/
A-Squared: http://www.emsisoft.com/en/software/download/
CWShredder: http://www.softpedia.com/get/Intern...WShredder.shtml

IT'S GONE!!! - in the most bizarre way

I pasted my HJT logs into the first analysis site you suggested, went into safe mode and deleted the keys that they thought were bad or suspicious. Then I went straight from that into System Restore without normal boot-up first. After restore the system was clean...until I started Adwatch! As soon as Adwatch started up all the nasty registry entries reinstalled. So I deleted Adaware and Adwatch, and will use Spybot instead. I went through the exact same process again and so far there has been no reappearance of anything bad. It seems that somehow the infection was linked to Adwatch.

All I know is that I now have a clean PC with some nice analytical bits to play with (I really like Ewido).

Thanks tons for your help. It meant a lot that someone bothered to reply to my desperate plea.

*hugz*

Jeppie

We're all glad we could help...good luck. If you download the spyware and AVG programs that I recommend, and do an update and scan once a week with each, then you will keep your system safe. If you are on broadband, I would suggest you get a decent firewall, if you don't have one already.
