Help! PC has been Hijacked.


Name: snake_eyes1
Date: May 10, 2004 at 20:05:14 Pacific
OS: Windows XP
CPU/Ram: Pentium 4 / 768MB
Comment:

Sabertooth,

Per your request, here is my log file from HijackThis v1.97.7

Ref: http://www.computing.net/windowsxp/wwwboard/forum/104222.html

Logfile of HijackThis v1.97.7
Scan saved at 8:01:01 PM, on 5/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\GEARSEC.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Sony Handheld\HOTSYNC.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Luis\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.exe
O9 - Extra button: Control Pad (HKLM)
O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab

Greater is HE that is in me, than he that is in the world.




Response Number 1
Name: Sabertooth
Date: May 11, 2004 at 08:50:56 Pacific
Reply:

Snake_eyes1,

Close all browsers and have HijackThis fix the following:

O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe.

Then reboot in safe mode and delete the C:\Program Files\Common files\WinTools folder. You can also run this to make sure you have no VX2 hiding within your PC.


____________________________
The greatest risk is not taking one
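
Added example, not part of the original posts: a short Python triage script that pulls the same two kinds of entries out of a HijackThis log, namely O1 hosts-file lines that point a name at a non-local address and O4 Run-key autostarts launched from a given folder. The function names are this example's own, and the sample lines are copied from the log posted above.

```python
import ipaddress
import re

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")             # "O1 - <body>"
HOSTS = re.compile(r"^Hosts: (\S+)\s+(\S+)$")          # "Hosts: <ip> <name>"
RUN = re.compile(r"^(HK\w+\\\.\.\\Run\w*): \[([^\]]+)\] (.*)$")

def entries(log):
    """Yield (section, body) for each HijackThis entry line; skip everything else."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def is_sinkhole(addr):
    """True for loopback or 0.0.0.0 style addresses used for blocking, not redirecting."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable addresses are reported rather than hidden
    return ip.is_loopback or ip.is_unspecified

def hosts_redirects(log):
    """Return (hostname, address) for O1 entries that send a name to a remote address."""
    found = []
    for section, body in entries(log):
        m = HOSTS.match(body) if section == "O1" else None
        if m and not is_sinkhole(m.group(1)):
            found.append((m.group(2), m.group(1)))
    return found

def autoruns(log, fragment):
    """Return Run-key value names (O4) whose command line contains `fragment`."""
    hits = (RUN.match(b) for s, b in entries(log) if s == "O4")
    return [m.group(2) for m in hits if m and fragment.lower() in m.group(3).lower()]
```

Calling `hosts_redirects(SAMPLE_LOG)` and `autoruns(SAMPLE_LOG, "WinTools")` returns the four entries listed in the reply above.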



Response Number 2
Name: snake_eyes1
Date: May 11, 2004 at 13:54:52 Pacific
Reply:

I ran the small application that you asked and it found a couple of files. Do I highlight and delete these files?

Greater is HE that is in me, than he that is in the world.



Response Number 3
Name: Sabertooth
Date: May 11, 2004 at 16:42:53 Pacific
Reply:

Yep, delete them, and run it again till nothing is found.

____________________________
The greatest risk is not taking one



Response Number 4
Name: snake_eyes1
Date: May 12, 2004 at 00:36:40 Pacific
Reply:

Sabertooth,
I have run the scan several times. I am able to delete everything except C:\Windows\System32\Azlui.dll. What is this file and is there any other way to delete it?

Greater is HE that is in me, than he that is in the world.



Response Number 5
Name: Sabertooth
Date: May 12, 2004 at 08:57:27 Pacific
Reply:

You can use the recovery console to delete the file or search for and download MoveOnBoot to remove it.

____________________________
The greatest risk is not taking one



Response Number 6
Name: snake_eyes1
Date: May 12, 2004 at 22:37:56 Pacific
Reply:

Sabertooth,

I have installed the MoveOnBoot software and I was able to remove the file. Thanks. Would you happen to know what the "Flash Player Debug Console" is? I seem to get this popup window whenever I am in IE.

Greater is HE that is in me, than he that is in the world.



Response Number 7
Name: Sabertooth
Date: May 14, 2004 at 08:58:01 Pacific
Reply:

Try the following:

From IE hit tools >> under general, where you have the temporary internet section, click delete cookies and hit delete files; make sure you put a check in delete offline contents too.

Then again from IE's menu hit tools >> internet options >> advanced and checkmark "disable script debugging" and make sure "display a notification about every script error" isn't checked, then hit apply and ok.

Start >> run >> type cleanmgr, hit ok, select your system drive (C:), hit ok. Make sure you checkmark all the boxes in that dialog window and hit ok too.

Restart and see if it helps.

____________________________
The greatest risk is not taking one



Response Number 8
Name: soyboi
Date: May 20, 2004 at 18:19:45 Pacific
Reply:

I still can't fix the error that says, wtoolsa caused an error on KERNEL32.DLL. I tried using HijackThis and deleted some files, but the error keeps on reappearing. What does the error mean? Does deleting the WinTools folder in safe mode harm the system?



Response Number 9
Name: Essie
Date: May 21, 2004 at 15:54:50 Pacific
Reply:

Wtoolsa, Can't get rid of it?



Response Number 10
Name: Mumgranny
Date: May 21, 2004 at 21:10:18 Pacific
Reply:

Got the same problem with wtoolsa. Have removed all reference to wtoolsa except "Win tools for Internet Explorere v2". When I try to remove it I get the following message: "An ad-powered software is installed. Please remove it first." Anybody got any idea what I can do now? I'm not too 'puter literate. Just struggling along out here in cyber space. Any help GREATLY appreciated.

Mumgranny



Response Number 11
Name: soyboi
Date: May 22, 2004 at 09:34:22 Pacific
Reply:

Are you sure about deleting the WinTools folder in safe mode? Does it affect the system?



Response Number 12
Name: Rainbow821
Date: May 25, 2004 at 17:14:23 Pacific
Reply:

I'm having the same problem with trying to remove the "Wtoolsv2", getting the message that "ad powered software has to be removed first". Any idea which one that is?
Any help would be greatly appreciated!

