In recent days, I'm finding my computer hanging more frequently than normal; becoming inundated with pop-ups; and while surfing the web, new browser windows suddenly open without prompting. I looked in Add/Remove Software and discovered Shopping Wizard and Search Assistant in the list. I ran HijackThis - below is the log.

As much as I would like to learn more about the virus removal process, I don't trust my computer programming abilities enough to do it alone. Thus, I'm appealing to anyone out there who can help me - please help!


Logfile of HijackThis v1.99.1
Scan saved at 4:38:34 PM, on 6/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\mfcjj.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\WINDOWS\system32\mfczi.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Hugh\Desktop\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/persian
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Class - {FF8D1BCC-E9D5-0E11-8C8A-9E40FE12BD0D} - C:\WINDOWS\system32\iexm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [mfczi.exe] C:\WINDOWS\system32\mfczi.exe
O4 - HKLM\..\Run: [mfcvj32.exe] C:\WINDOWS\mfcvj32.exe
O4 - HKLM\..\Run: [winhs.exe] C:\WINDOWS\system32\winhs.exe
O4 - HKLM\..\Run: [sdkjg.exe] C:\WINDOWS\sdkjg.exe
O4 - HKLM\..\Run: [nethh32.exe] C:\WINDOWS\system32\nethh32.exe
O4 - HKLM\..\Run: [sdkxi32.exe] C:\WINDOWS\sdkxi32.exe
O4 - HKLM\..\Run: [nthg.exe] C:\WINDOWS\system32\nthg.exe
O4 - HKLM\..\Run: [netld32.exe] C:\WINDOWS\system32\netld32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TechnicalAirSystems.local
O17 - HKLM\Software\..\Telephony: DomainName = TechnicalAirSystems.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TechnicalAirSystems.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = TechnicalAirSystems.local
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mfcjj.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Security Agent (scagent) - Unknown owner - C:\WINDOWS\system32\scagent.exe" start (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Hi and welcome to Daniweb :)..

===============

Let's open a command prompt by going to the start menu and then select 'Run'.

In the box that pops up type in 'cmd'. The command prompt will open.

OR

You can go to Start -> Programs -> Accessories -> Command Prompt. Unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u iexm.dll

It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save typing them in.

===============

Next, open another command prompt and:

1. Enter "services.msc" (without the quotes).

-

Now, locate and 'stop' the following services, if present:

Network Security Service ( 11Fßä#·ºÄÖ`I) owner ... (C:\WINDOWS\mfcjj.exe)

Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services. Once stopped, set this service to disabled.

===============

Run HiJackThis then:

1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINDOWS\mfcjj.exe
C:\WINDOWS\system32\mfczi.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Still in HiJackThis, click "Scan", then check(tick) the following, if present:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {FF8D1BCC-E9D5-0E11-8C8A-9E40FE12BD0D} - C:\WINDOWS\system32\iexm.dll

O4 - HKLM\..\Run: [mfczi.exe] C:\WINDOWS\system32\mfczi.exe
O4 - HKLM\..\Run: [mfcvj32.exe] C:\WINDOWS\mfcvj32.exe
O4 - HKLM\..\Run: [winhs.exe] C:\WINDOWS\system32\winhs.exe
O4 - HKLM\..\Run: [sdkjg.exe] C:\WINDOWS\sdkjg.exe
O4 - HKLM\..\Run: [nethh32.exe] C:\WINDOWS\system32\nethh32.exe
O4 - HKLM\..\Run: [sdkxi32.exe] C:\WINDOWS\sdkxi32.exe
O4 - HKLM\..\Run: [nthg.exe] C:\WINDOWS\system32\nthg.exe
O4 - HKLM\..\Run: [netld32.exe] C:\WINDOWS\system32\netld32.exe

O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mfcjj.exe
O23 - Service: Security Agent (scagent) - Unknown owner - C:\WINDOWS\system32\scagent.exe" start (file missing)


Now, with all windows closed (including Internet Explorer) except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:

files...

C:\WINDOWS\mfcjj.exe
C:\WINDOWS\system32\mfczi.exe
C:\WINDOWS\system32\iexm.dll
C:\WINDOWS\mfcvj32.exe
C:\WINDOWS\system32\winhs.exe
C:\WINDOWS\sdkjg.exe
C:\WINDOWS\system32\nethh32.exe
C:\WINDOWS\sdkxi32.exe
C:\WINDOWS\system32\nthg.exe
C:\WINDOWS\system32\netld32.exe

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Let me know how everything goes.

Hi,

Thanks for helping me out! Here's what has happened so far.

When I applied "Kill process" to
C:\WINDOWS\mfcjj.exe
C:\WINDOWS\system32\mfczi.exe

I got a message saying "could not be killed. It may have already closed, or it may be protected by Windows. This process might be a service, which you can stop from the Service applet in Admin Tools."

It seemed to have gotten rid of the other file, though... :(

What next?

-dhs

Sorry, once I re-read what I wrote, I found that my message above isn't very clear.

I applied "Kill process," and then got the message I described. I hit "Refresh" and it worked only on

C:\WINDOWS\system32\mfczi.exe

but mfcjj.exe was still there. I then highlighted it again and hit "Kill process" and got the message again.

Hope that's clearer.

-dhs

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.