Jump to content


Photo

hitpointer


  • Please log in to reply
3 replies to this topic

#1 andrewma

andrewma

    Member

  • New Member
  • Pip
  • 2 posts

Posted 18 July 2004 - 02:35 AM

Hi there,
I am having difficulty removing the hijack which causes some web pages to be redirected to "hitpointer.com". I have tried SpyBot and AdAware without success, and have followed some of the other posts on this site for help but so far no luck.

My logfile is posted below, any help is much appreciated.

Regards,
Andrew.
------------------------------------------------------------------------------------

Logfile of HijackThis v1.98.0
Scan saved at 08:32:26, on 18/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PCD32\client32.exe
C:\Program Files\BT Digital Access USB\vstartx.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\BT Digital Access USB\gisdnlog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system32\audcntr.exe
C:\Program Files\BT Digital Access USB\gsyno.exe
C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\BCMSMMSG.exe
C:\windows\system32\qvjokmal.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\GemaTech Ltd\GemaTech Pop Up Client\PopUpClient.exe
C:\ITDeptOnly\IPFinder\IPFinder.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.travelcounsellors.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\BT Digital Access USB\gsyno.exe" -h
O4 - HKLM\..\Run: [fwenc.exe] "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
O4 - HKLM\..\Run: [PC-Duo System Snapshot] C:\PCD32\CLBOOT32.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [GIAVIOIF] c:\windows\system32\giavioif.exe /install
O4 - HKLM\..\Run: [IABGGOLL] c:\windows\system32\iabggoll.exe /install
O4 - HKLM\..\Run: [Audcntr] c:\windows\system32\audcntr.exe
O4 - HKLM\..\Run: [QVJOKMAL] c:\windows\system32\qvjokmal.exe /install
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Audcntr] c:\windows\system32\audcntr.exe
O4 - Global Startup: GemaTech Pop Up Client.lnk = C:\Program Files\GemaTech Ltd\GemaTech Pop Up Client\PopUpClient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Shortcut to IPFinder.lnk = C:\ITDeptOnly\IPFinder\IPFinder.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {3E811492-B320-49DD-9F5D-6C4911563E16} (ActiveX_VTX.VTXControl) - http://litev10.comte...ActiveX_VTX.CAB
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab

#2 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 18 July 2004 - 03:44 AM

Hi,
First thing to do is ...

Reconfigure Windows Explorer to show Hidden Files: [required step]
Open the Windows Explorer | Tools | Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button. Close Windows Explorer.

Next:

Close all open windows, rescan with HijackThis
Place a check in each of the following then click "Fix checked".

O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)
O4 - HKLM\..\Run: [GIAVIOIF] c:\windows\system32\giavioif.exe /install
O4 - HKLM\..\Run: [IABGGOLL] c:\windows\system32\iabggoll.exe /install
O4 - HKLM\..\Run: [Audcntr] c:\windows\system32\audcntr.exe
O4 - HKLM\..\Run: [QVJOKMAL] c:\windows\system32\qvjokmal.exe /install
O4 - HKCU\..\Run: [Audcntr] c:\windows\system32\audcntr.exe


Then reboot, on restart, restart in Safe Mode [required step - see "How To" below]

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Open Windows Explorer locate and delete the following:

C:\windows\system32\audcntr.exe <--this file
C:\windows\system32\qvjokmal.exe <--this file
c:\windows\system32\giavioif.exe <--this file
c:\windows\system32\iabggoll.exe <--this file

While still in Safe Mode, run SpyBot ...

After the above, reboot, rescan with HijackThis and post a fresh log ...
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#3 andrewma

andrewma

    Member

  • New Member
  • Pip
  • 2 posts

Posted 19 July 2004 - 02:59 AM

Many thanks,

My new log is posted below.

Incidentally, there were a few other similar suspect files in system32 which I deleted - all of about 42k in size and with a green "Q" icon on a yellow background.

The command "audcntr" had an uninstall script - what is it, by the way?

thanks again,
Andrew.
------------------------------------------------------------------------------------

Logfile of HijackThis v1.98.0
Scan saved at 08:56:26, on 19/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PCD32\client32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BT Digital Access USB\vstartx.exe
C:\Program Files\GemaTech Ltd\GemaTech Pop Up Client\PopUpClient.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\BT Digital Access USB\gisdnlog.exe
C:\WINDOWS\System32\svchost.exe
C:\ITDeptOnly\IPFinder\IPFinder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.travelcounsellors.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\BT Digital Access USB\gsyno.exe" -h
O4 - HKLM\..\Run: [fwenc.exe] "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
O4 - HKLM\..\Run: [PC-Duo System Snapshot] C:\PCD32\CLBOOT32.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: GemaTech Pop Up Client.lnk = C:\Program Files\GemaTech Ltd\GemaTech Pop Up Client\PopUpClient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Shortcut to IPFinder.lnk = C:\ITDeptOnly\IPFinder\IPFinder.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab

#4 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 19 July 2004 - 03:55 AM

Hi,
Your log is clean now ... good job!

The command "audcntr" had an uninstall script

I not sure what you mean by that "the command" ...

Last Step:

"Flush System Restore" (see "How To" below)
Basically turn off System Restore, reboot run a full Antivirus scan, reboot and turn System Restore back on and create a new Restore Point.

Posted Image You do not seem to have any Antivirus running? (bad idea)
Download Posted Image AVG 6.0 Anti Virus [freeware]

I would suggest adding some "Defense" to your system ...
Posted Image How To: Prevent this from happening again? :wave:
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button