Another explorer.exe and winlogon.exe redirect

Closed
Tim - Oct 8, 2010 at 04:22 PM
Hello,

I have tried it all, including running Linux to copy a new copy of explorer.exe and winlogon.exe, but obviously something is copying a hidden copy of the hijacked one every time I boot up... here is the HijackThis log:

And thanks, in advance.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:19:47 PM, on 10/8/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Cerberus LLC\Cerberus FTP Server\CerberusGUI.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Weather Watcher Live\ww.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos\Sophos Anti-Rootkit\sargui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\kaisert\Local Settings\temp\gcrgmg.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\NaturallySpeaking9\Ereg.ini
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\kaisert\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [WeatherWatcherLive] "C:\Program Files\Weather Watcher Live\ww.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O8 - Extra context menu item: Visit in &3D using ExitReality - http://3d.exitreality.com/TransmogrifyPage.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.advancedmd.com
O15 - Trusted Zone: *.danhosp.org
O15 - Trusted Zone: *.danhosp.priv
O15 - Trusted Zone: http://*.idxweb
O15 - Trusted Zone: https://www.advancedmd.com
O15 - Trusted Zone: *.siemensmedical.com
O15 - Trusted Zone: *.smshealthconx.net
O15 - Trusted Zone: http://*.touchworksemr
O15 - Trusted Zone: *.webattend.com
O15 - Trusted Zone: *.webtrain.com
O15 - Trusted IP range: http://128.1.60.31
O16 - DPF: {019D5592-3928-4DE4-BAA2-1F2E5EEF4CF6} (Engine Class) - http://touchworksemr/Touchworks/AHSCompressionEngine.cab
O16 - DPF: {03E09C47-9C8B-4FDD-B7DB-DD49D8A3B909} (DevCtrl Class) - https://www3.danhosp.org/doc-Link/DevPlugIn.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://rs1.advancedmd.com/rs-current/components/smsx.cab
O16 - DPF: {21C6245C-9408-11D7-BF3B-00E09876DF26} (WebTrain.ctlWebTrain) - http://www.webattend.com/components/wt0523.cab
O16 - DPF: {3591A50D-18FD-42BC-8D10-6C93BDAF2DA0} (Data Dynamics #Grid 2.0 (ICursor)) - http://128.1.60.31/exv/pws2/cab/sg20.ocx
O16 - DPF: {3C15B891-041C-46F9-8F36-65FE67D8E502} (Command Class) - http://dashboard.smshealthconx.net/dsh/02020310/html/DshSheller.cab
O16 - DPF: {46CF8BCA-84A1-4437-847A-DC29496E01A5} (ISiteNonVisual Control 3.3) - http://170.77.132.202/iSite3_3.cab
O16 - DPF: {4B4F8F8F-9CE3-4C54-BDB7-66F44E2F62A1} (IChartDocMngr Control) - http://128.1.60.31/exv/installs/iChartDocMngr.ocx
O16 - DPF: {575AC44B-C254-48B4-8102-20F29D72A60E} (DshSetForegroundWin Class) - http://dashboard.smshealthconx.net/dsh/02020310/html/SMSDSHSETFOREGROUND.CAB
O16 - DPF: {5929AFC0-A272-40BF-AEF1-038521950846} (Sheller Class) - http://dashboard.smshealthconx.net/dsh/02020310/html/SMSDSHSHELLER2.CAB
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://www.catalog.update.microsoft.com/ClientControl/en/x86/MuCatalogWebControl.cab?1283431861718
O16 - DPF: {5EF06782-55B2-4DF3-A57A-3FE8F1D2A181} (PPMDForms.Forms) - https://app.advancedmd.com/practicemanager/ppmdcontrols/ppmdforms.cab
O16 - DPF: {6A6E7E91-B6EB-46B5-A545-12B8EDDD261E} (AMDSControls50.XGroupCategory) - https://app.advancedmd.com/practicemanager/ppmdcontrols/amdscontrols50.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/...
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://aerial.leepa.org/ecwplugins/NCS.cab
O16 - DPF: {7814BDAA-A125-44BB-A3F4-BE87D8767AFF} (Bridge Class) - http://128.1.60.31/exv/pws2/wordcnt/wordcnt.cab
O16 - DPF: {78C21026-00DD-42FF-8FE3-94BDB929B9B8} (PSMike Control) - http://128.1.60.31/exv/installs/PSMike.cab
O16 - DPF: {792A484F-C378-4B63-AD28-EF4FD490F00E} (IChartLogger Control) - http://128.1.60.31/exv/installs/iChartLogger.ocx
O16 - DPF: {93BE011C-F234-4070-886D-A5F9D4D712AE} (IChartConfig Control) - http://128.1.60.31/exv/installs/iChartConfig.ocx
O16 - DPF: {95A451DA-30B8-4459-87C2-595423821CAE} (IChartPlayer Control) - http://128.1.60.31/exv/installs/iChartPlayer.ocx
O16 - DPF: {9602B3CE-BC91-417D-B4FD-F6538C2ABB3B} (AMDSWSCheck.WSCheck) - https://app.advancedmd.com/practicemanager/ppmdcontrols/amdswscheck.cab
O16 - DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} (TerminalID Class) - http://touchworksemr/AHSWeb/IDXWF/Context/IDXTools.cab
O16 - DPF: {B15C3921-CCFA-4403-9E6F-4470839E835E} (Leadtools.XLead) - https://app.advancedmd.com/practicemanager/ppmdcontrols/leadtools.cab
O16 - DPF: {CB320D1A-2077-4C5C-94E1-5BDA366593EE} (IChartRtfViewer Control) - http://128.1.60.31/exv/installs/iChartRtfViewer.ocx
O16 - DPF: {CC99A86F-EA5D-414A-8231-7C3F1B10A644} (AMDSAudio.XAudio) - https://app.advancedmd.com/practicemanager/ppmdcontrols/amdsaudio.cab
O16 - DPF: {CF25C291-E91C-11D3-873F-0000B4A2973D} (RingCentral Message Player Control) - https://service.ringcentral.com/ActiveX/RingCentral_Message_Player.cab
O16 - DPF: {D8035C2D-08CF-462F-B73E-B4798A079E21} (CoActivUpdaterActiveX Control) - http://downloads.exampacs.net/coactivupdater/CoActivUpdaterActiveX.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://eclinicalworks.webex.com/client/T26L/webex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://my.newmilfhosp.org/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {EE8CEFA4-1F91-11D4-B31E-00C04F1D37E6} (PPMDVBDownload.XShowReady) - https://app.advancedmd.com/practicemanager/ppmdcontrols/ppmdvbdownload.cab
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - http://touchworksemr/AHSWeb/IDXWF/Context/IDXBrowser.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://connect.danhosp.org/dana-cached/sc/JuniperSetupClient.cab
O16 - DPF: {F60EA672-8783-4643-80A7-FC250647DBD2} (IChartLifeSupport Control) - http://128.1.60.31/exv/installs/iChartLifeSupport.ocx
O16 - DPF: {F88F142A-96AE-40CC-B562-4C91B5E5A5CD} (IkmControlDownloader Control) - http://m0hedocumentmanagement.asp.siemensmedical.com/M0HE/HTML/download/IkmControlDownloader.cab
O16 - DPF: {FA2C5799-38ED-46BC-9504-C9AE718BD847} (DshEndBrowserSession Class) - http://dashboard.smshealthconx.net/dsh/02020310/html/SMSDSHENDSESSION.CAB
O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - https://rs1.advancedmd.com/rs-current/components/RSClientPrint.cab
O16 - DPF: {FD0ECA0C-6403-48CB-91C0-6C73EF7771AA} (Download Class) - http://dashboard.smshealthconx.net/dsh/02020310/html/SMSDSHDOWNLOAD.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\PGPmapih.dll PGPmapih.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AffinegyService - Affinegy, Inc. - C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Cerberus FTP Server - Cerberus, LLC - C:\Program Files\Cerberus LLC\Cerberus FTP Server\CerberusGUI.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

1 response

Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Oct 8, 2010 at 04:38 PM
Greetings Timothe,

The log, good thinking.

Please launch HijackThis and request a scan, no log.

Check the following items:

O20 - AppInit_DLLs: C:\WINDOWS\system32\PGPmapih.dll PGPmapih.dll

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

There are other questions about your log.

Do you know and trust all the applications listed in the O16 series? If not, they should also be checked.

Once checked, click on Fix checked and close HijackThis.

Then...for a good scrubby dubdub:

Download, install and run Malwarebytes, which you can find on this site:

https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/

Ensure you make an update.

Please request a FULL system scan, which may take from 20 minutes to hours. Do not interfere no matter how long it takes. The creators of Malwarebytes recommend that while the tool is running you go do something else, such as watching a rerun of Gone with the Wind or reading Tolstoy's War and Peace.

If Malwarebytes restarts your system, launch it again to finish the Full scan.

When the scan is completed, delete all items found.

Once your computer is clean and working normally just to be on the safe side
*Turn off system restore and wait 30 seconds,
*Turn it back on and create a new restore point.

This way it gets rid of anything bad that might have gotten saved in a restore point and you have a clean restore point to use in the near future if needed.
Do not turn it off until your computer is clean and working normally because you might need to use it if something goes wrong during the clean-up process.
It is better to go back to an infected restore point if something goes wrong than to not be able to undo changes that were damaging.

Let me know how your system is performing.
0
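A small triage helper, added here as an example and not part of the thread or of HijackThis itself, that walks a log in the v2 format posted above and flags the items this reply tells the poster to look at: a process image running from a user temp folder, every O20 AppInit_DLLs entry, and O16 DPF controls fetched from a bare IP address over http. The sample log is constructed from a few lines of the original post.

```python
import re

# Constructed sample in HijackThis v2 log format, trimmed from the post above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\kaisert\Local Settings\temp\gcrgmg.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O16 - DPF: {3591A50D-18FD-42BC-8D10-6C93BDAF2DA0} (Data Dynamics #Grid 2.0 (ICursor)) - http://128.1.60.31/exv/pws2/cab/sg20.ocx
O16 - DPF: {5EF06782-55B2-4DF3-A57A-3FE8F1D2A181} (PPMDForms.Forms) - https://app.advancedmd.com/practicemanager/ppmdcontrols/ppmdforms.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\PGPmapih.dll PGPmapih.dll
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
"""

TEMP_DIR = re.compile(r"\\(local settings\\temp|temp|tmp)\\", re.I)   # ...\temp\ or ...\tmp\
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/", re.I)  # URL host is a bare IPv4
O_LINE = re.compile(r"^(O\d+) - (.*)$")                              # "O16 - DPF: ..." style lines

def triage(log_text):
    """Return (finding, line) pairs for log entries that deserve a closer look."""
    findings = []
    in_procs = False
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False          # blank line ends the "Running processes:" block
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            # A process image living under a user temp folder is unusual for legitimate software.
            if TEMP_DIR.search(line):
                findings.append(("process-in-temp", line))
            continue
        m = O_LINE.match(line)
        if not m:
            continue
        section, rest = m.groups()
        if section == "O20":
            # AppInit_DLLs load into every process that links user32.dll: review each one.
            findings.append(("appinit-dll", rest))
        elif section == "O16" and RAW_IP_URL.search(rest):
            # An ActiveX control pulled from a bare IP cannot be vetted by hostname or certificate.
            findings.append(("o16-raw-ip", rest))
    return findings
```

Run `triage(open("hijackthis.log").read())` against a real log to get the same three categories of findings; anything the helper does not flag still needs the manual review the reply asks for.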
Gervarod Posts 306 Registration date Saturday March 27, 2010 Status Member Last seen June 8, 2014 21
Oct 9, 2010 at 08:08 AM
Dear Ambucias, mind me for butting in, mate....

but I do not like the look of some of the O16 series ones, as some double and some are in web sites which you can see, but if it was me I'd rather remove them. What do you say then???

Cheers,
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Oct 9, 2010 at 04:45 PM
Na...there ain't doubles
0
Gervarod Posts 306 Registration date Saturday March 27, 2010 Status Member Last seen June 8, 2014 21
Oct 10, 2010 at 12:41 AM
but would you remove them then?
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Oct 10, 2010 at 04:32 AM
If not nasty, I don't see the reason. As they say, if it is not broken, don't fix it.
0
Gervarod Posts 306 Registration date Saturday March 27, 2010 Status Member Last seen June 8, 2014 21
Oct 10, 2010 at 09:45 AM
cheers then no worries man
0