
Sygate: application hijacking

Discussion in 'Malware and Virus Removal Archive' started by bombagirl, 2007/01/13.

Thread Status:
Not open for further replies.
  1. 2007/01/13
    bombagirl

    bombagirl Inactive Thread Starter

    Joined:
    2006/08/20
    Messages:
    155
    Likes Received:
    0
    Sygate is telling me: Application Hijacking has been detected
    The application: C:\WINDOWS\Temp\_ISTMP2.DIR\_ISTMP0.DIR\NOVG.EXE try to launch another application: C:\Program Files\Internet Explorer\IEXPLORE.EXE to go to remote host www.onlineregister.com

    Does this mean that someone has succeeded in hijacking my PC, or is it still trying to get access? Has it done anything yet?
     
  2. 2007/01/13
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    It means Sygate detected a .exe in IE's temp folder trying to direct IE to go to that site.

    You deny of course.

    Disconnect from the Net.

    Start > Control Panel > Internet options > General tab > Temporary Internet Files and delete.

    That'll clear the temp folders.

    Then to make sure nothing happened:

    Download and run HijackThis:

    Download from here http://radiosplace.com/ latest version 1.99.1

    Download it to its own folder, for example create a folder C:\HijackThis

    Unzip (double click on the zipped folder)

    Click on the executable

    click on Do a system scan and save a logfile and save to the folder you just created

    copy resultant .txt file and paste into your next post

    I or someone else will move your thread to the Removal section if appropriate.

    Regards - Charles
     


  4. 2007/01/13
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Reread your post:

    C:\WINDOWS\Temp is not the Browser cache, but it's a good idea to clean it out anyway.

    Go into that folder C:\WINDOWS\Temp and in Safe Mode delete anything found there. Some files may not delete.

    Definitely post a HJT log.

    Regards - Charles
     
  5. 2007/01/13
    Whiskeyman Lifetime Subscription

    Whiskeyman Inactive Alumni

    Joined:
    2005/09/10
    Messages:
    1,772
    Likes Received:
    37
    NOVG.EXE is the registration reminder for the game Joint Operations: Typhoon Rising. After registering it shouldn't attempt to access the Internet again. It is supposed to be a RunOnce deal.
     
  6. 2007/01/14
    bombagirl

    bombagirl Inactive Thread Starter

    Joined:
    2006/08/20
    Messages:
    155
    Likes Received:
    0
    I didn't manage to delete the temporary files... the PC stops working each time... Is there any other way I can do it? I ran HijackThis in Normal mode and this is the log:

    Logfile of HijackThis v1.99.1
    Scan saved at 09:43:05, on 14/01/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\FSI\F-Prot\fpavupdm.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\RunDll32.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\FSI\F-Prot\F-Sched.exe
    C:\Program Files\FSI\F-Prot\F-StopW.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Claudine\My Documents\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoomail.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: LBPWS Toolbar - {4E7BD74F-2B8D-469E-E4C0-DB50EBC2B831} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: LBPWS Toolbar - {4E7BD74F-2B8D-469E-E4C0-DB50EBC2B831} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
    O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
     
  7. 2007/01/14
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Claudine,

    I'm moving your thread to the Removal section. There the security folks will look at it.

    Did you install a game?

    You have at least one questionable tool bar and a Browser add-on.

    Regards - Charles
     
  8. 2007/01/14
    bombagirl

    bombagirl Inactive Thread Starter

    Joined:
    2006/08/20
    Messages:
    155
    Likes Received:
    0
    Yes, I installed a game and it didn't even run :( Can you give me the link to the removal section so that I can find it please, unless I will be notified of any reply?

    What browser add-on?
     
  9. 2007/01/14
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hi bombagirl.

    The browser add-on is also called a browser helper object.

    The one I see which is not really suspicious is from VMN.net. You would have had some sort of anti-spyware alert to this install. I'm not sure what the F-Prot software does in these instances.

    It may have been part of an install, it may not have been. We can fix it with HJT and see if any of your software loses any functionality. However, it is imperative you move HijackThis! to its own folder just in case we need to recover the BHO.

    You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT. Move HijackThis.exe into this folder (C:\HJT\HijackThis.exe). When you run HijackThis.exe from C:\HJT folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary which is easily accessible.


    Run HJT, and place a check next to the following lines, then, with all browsers and windows closed, hit 'Fix checked':

    O2 - BHO: LBPWS Toolbar - {4E7BD74F-2B8D-469E-E4C0-DB50EBC2B831} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
    O3 - Toolbar: LBPWS Toolbar - {4E7BD74F-2B8D-469E-E4C0-DB50EBC2B831} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
    O4 - Startup: PowerReg Scheduler V3.exe

    Reboot into Normal mode and post a new HJT log back into this thread please.

    To delete all files in temp folders, use this app below.

    Download Atribune's ATF Cleaner
    • Double-click ATF-Cleaner.exe to run the program.
    • Tick the following boxes:
      • Windows Temp
      • Current User Temp
      • All User Temp
      • Cookies (by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with)
      • Temporary Internet Files
      • History
      • Prefetch
      • Java Cache
    • Click the [Empty Selected] button.
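An added example, not code from the thread or from HijackThis: a small Python parser for the HijackThis v1.99.1 log format posted above, which groups O2/O3 entries by CLSID so that a BHO and the toolbar registered under the same CLSID (as the two LBPWS lines are) can be reviewed and fixed together. The sample log lines are constructed from the shape of the log in this thread; entry codes, CLSIDs and paths are copied from it.

```python
import re
from collections import defaultdict

# Constructed sample in the HijackThis v1.99.1 log format (shape taken from
# the log posted in this thread); header lines carry no entry and are skipped.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoomail.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: LBPWS Toolbar - {4E7BD74F-2B8D-469E-E4C0-DB50EBC2B831} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O3 - Toolbar: LBPWS Toolbar - {4E7BD74F-2B8D-469E-E4C0-DB50EBC2B831} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - Startup: PowerReg Scheduler V3.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

# HJT entry lines look like "O2 - <body>"; section codes are R0-R3, F0-F3, N1-N4, O1-O24.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def parse_hjt_log(text):
    """Return one dict per entry line: code, body, CLSID (if any) and the last ' - ' field as path."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # "Logfile of ...", process list and blank lines are not entries
        code, body = m.group("code"), m.group("body")
        fields = body.split(" - ")
        clsid = CLSID_RE.search(body)
        entries.append({
            "code": code, "body": body,
            "clsid": clsid.group(0).upper() if clsid else None,
            "path": fields[-1] if len(fields) > 1 else None,
        })
    return entries

def group_by_clsid(entries):
    """Map CLSID -> entry codes registering it; a BHO (O2) and its toolbar (O3) share one."""
    groups = defaultdict(list)
    for e in entries:
        if e["clsid"]:
            groups[e["clsid"]].append(e["code"])
    return dict(groups)

def related_entries(entries, clsid):
    """Every log line tied to one CLSID, so a fix covers the BHO and the toolbar together."""
    return [e["body"] for e in entries if e["clsid"] == clsid.upper()]

if __name__ == "__main__":
    for clsid, codes in group_by_clsid(parse_hjt_log(SAMPLE_LOG)).items():
        print(clsid, codes)
```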
     
  10. 2007/01/14
    bombagirl

    bombagirl Inactive Thread Starter

    Joined:
    2006/08/20
    Messages:
    155
    Likes Received:
    0
    I know about the LBPWS toolbar but what is Startup: PowerReg Scheduler V3.exe ?
     
  11. 2007/01/14
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    It's relatively harmless, see here. Disregard any claims that it is 'dangerous' because it isn't.

    It's a generic scheduler which gets added by any number of different applications. Removal will not affect any software at all.
     