
Solved: Help with Hijackers, Please!

Q: Solved: Help with Hijackers, Please!

To all-

I came here before to help remove a hijacker from my computer, and Cookiegal helped me do it, and I've been free since! (Thanks again, Cookiegal!) Now I'm helping a friend with their computer. Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:33:33 PM, on 2/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\JOHNSO~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\System32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\System32\vidmon\vidmon.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames.exe
O4 - HKLM\..\Run: [winsysban] C:\\winsysban5.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\Gateway\helpspot\TechTools.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129679761234
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\Gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - file://C:\Program Files\Gateway\helpspot\StartFirstControl.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - file://C:\Program Files\Gateway\helpspot\XPLControl.CAB
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: httpsecure (Explore HTTP server) - Unknown owner - C:\WINDOWS\lsas.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Any help would be appreciated! Thanks,

Kevin


A: Solved: Help with Hijackers, Please!

Read other 14 answers

Dear friends,
every time I start my computer, I get Best Search as my start page. I tried to change this. I used HijackThis, Spybot, Ad-aware, WinPatrol, EasyCleaner and Norton Anti-virus. Some of these have located and fixed the problem, but it is still there on every reboot. I even ran regedit and changed the values manually (Current Users/Microsoft/Internet Explorer/Main) back to my preferred start page. Nothing. What can I do?
Something else worth mentioning is that ever since that happened, I can't open html files that have been stored to my disk. The Windows explorer crashes displaying the message that explorer.exe encountered a problem and mentioning something about the file mshtml.dll. How can I deal with this?
I am running Windows XP Professional, Office 2000 Professional, Internet Explorer 6.

Thank you in advance,
Maria
 

A:[Solved] IE hijackers

Read other 12 answers

It seems I've ended up with at least 2 hijackers; the one that redirects from Google search results, and another one that randomly seems to pick several links on a page (but not all) and redirect them as web searches. Even if I copy/paste the shortcut to a new browser window, it still ends up redirecting those specific links.
Logfile of HijackThis v1.99.1
Scan saved at 11:01:10 AM, on 3/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Dell Photo A... Read more

A:Solved: Yay, Hijackers!

Read other 6 answers

On the 19th I did a routine AdAware scan and it picked up and did away with two AOL Hijackers. Later that day, I received a pop under for a product called Privacy Protector that claimed to protect my adult viewing habits (don't have any so that was really funny). Knowing it was probably malware I simply exited and thought nothing more about it. I got the same pop under a couple of days later and this time, when I tried to just exit, the site opened anyway. The next time I tried to go to a URL I must have in my work (I work from home and dispatch drivers and I cannot give the URL in a public forum) it defaulted to a search and threw up 3 results. I thought I'd keyed it wrong so just keyed it again and got the proper site. However, the next time I tried to go there, I got the search result again. Tried to re-key and it defaulted again. I tried going in the long way with an extended URL and got an error screen telling me it could not be opened. I figured there was something up so I did an AVG anti-spyware and hijacker.IFrame.n showed up. AVG quarantined this and cleansed the file, but did not delete the file. My machine then proceeded to hang and would not end task, had to be booted. After the boot, I could get to my site with the short URL the first time, but it began redirecting after that. I could get in on the long URL once, as well, but not again. Looking at the results showed they were most likely porn sites - one a teen porn site at that. I'm sure this Privacy ... Read more

A:Solved: Multiple Hijackers

Read other 7 answers

I recently downloaded CCleaner and was invaded by several hijack programs. They are Trovi, searchnu and rocket-find. They do not appear on my program list nor can I find them when I do a search but they pop up constantly, especially in Google Chrome. They have also invaded IE 8 running on Windows XP. I would appreciate any help I can get in getting rid of these pests and any help on how to spot them prior to downloading any software. Thank you.

A:[SOLVED] Hijackers have invaded my computer

Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

We want all our members to perform the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

After running through all the steps, you shall have a proper set of logs. Please post/attach the logs in your next reply.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

------------------------------------------------------

Read other 3 answers

Logfile of HijackThis v1.99.1
Scan saved at 12:04:36 PM, on 5/30/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\mfcob.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows ServeAd\WinServAd.exe
C:\Program Files\Windows ServeAd\WinServSuit.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsc... Read more

A:Solved: Trojans, browser hijackers, etc. HJT log

Read other 9 answers

hi!

Today I got an email from our University Network administrator.
He told me my computer is broadcasting sh*t and scanning ports
all day. Now my network account will be blocked if I can't fix this till 8pm .. that's 4 1/2 hours from now [GMT].
I have been searching/deleting all day and I found a hell of a lot of nasty things on my computer.
Sophos AntiVirus and AVG Antivirus say my system is clean but somehow I don't trust them.
The trendmicro online scanner (http://housecall.trendmicro.com/) found a Worm_RBot.CW in the
lssrv.exe and was not able to fix this.
I used HijackThis and this is my (commented) log:

Logfile of HijackThis v1.97.7
Scan saved at 14:55:11, on 22.07.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\wuosdial.exe
C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\lssrv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG6\avgcc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\Winregs32.exe
C:\Programme\Sophos SWEEP for NT\ICMON.EXE
C:\Programme\Sophos\Remote Update\imonitor.exe
C:\PROGRA~1\AVG6\avgserv.exe
C:\Programme\Sophos\Remote Up... Read more

A:[solved]Hijackers on my System... very urgent!

Read other 6 answers

My system has been taken over by hijackers, including "oneclicksearches", and others. Found a thread discussing removal of same, which indicated that Limewire & Weatherbug should be removed using Add/Remove. Removed Weatherbug, but when I try to remove Limewire I get this message: "error #0X80040707", then "access is denied".

If you can help me remove Limewire, perhaps you'll also help me get rid of these hijackers. Have tried Spybot, AdAware, Trend, to no avail. Thinking of taking my computer to the nearest bridge and giving it a toss!

Please help!!!
Thank you!
 

A:Solved: Desperate to remove Limewire & hijackers

Read other 16 answers

Last night ran Adaware and Ewido, this morning ran AVG anti-virus software, but computer still crawling. Please check HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:27:14 AM, on 9/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\mike\LOCALS~1\Temp\Rar$EX01.969\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - H... Read more

A:Solved: 2 Hijackers removed but still at a crawl - HJT log included here

Read other 8 answers

Here's the hijack this log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System\MSMSGSVC.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Spy vs Spy\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Micro... Read more

A:Solved: "E-finder" homepage hijackers

Read other 9 answers

These popups from wabu.com have been driving me bonkers.
I ran Hijack This but I don't want to delete the wrong files so here they are.................... Please advise on which ones I should delete
Thanks sooooooooooo much

Logfile of HijackThis v1.95.1
Scan saved at 2:40:46 PM, on 7/29/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\RVP\bpc.exe
C:\Program Files\Srng\Srng.exe
C:\Program Files\rb32\rb32.exe
C:\WINDOWS\TVTMD.exe
C:\PROGRA~1\NETRAT~1\Premeter\prmt.exe
C:\Program Files\MemoryMeter\MemoryMeter.exe
C:\Program File... Read more

A:hijackers

You have a LOT of spyware/malware there. I have a feeling that what we see in the HJT log is just the tip of the iceberg. Let's take care of RapidBlaster first.

I would suggest that you Read this advisory on RapidBlaster: http://www.wilderssecurity.net/spec...pidblaster.html

Before doing anything else, you NEED to run Javacool's RapidBlaster killer : http://www.wilderssecurity.net/downloads/rbkiller.exe
It's at present the only application that will effectively remove this pest!

Launch the program and hit the Scan button.
RBKiller will find any RapidBlaster variants on your system, kill the process, delete the Registry Run entry, and remove the file itself.

Next go to http://security.kolla.de/index.php?...n&page=download and download SpyBot. Once Spybot is installed click on 'Online' and download the latest updates. Hold off on using it until we can analyze your HiJackThis log.

Now, close all web browser windows and disconnect from the Internet.
Then run Spybot (click "Check for Problems").
When the results appear, tick everything highlighted in RED.
DELETE all entries in red using Spybot.
After this, REBOOT your PC.

Spybot may appear to 'hang' at certain points. Please allow it several minutes to continue the scan, as it may be carrying out some extensive file checking at these points.

Sometimes, Spybot will show a dialogue box, asking that you run the utility again - after rebooting your PC. If you see this box, click &... Read more

Read other 1 answers

Can someone tell me which ones to delete!!!

C:\PROGRAM FILES\NORTON UTILITIES\SYSDOC32.EXE
C:\PROGRAM FILES\COMMON FILES\GMT\GMT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ALTNET\DOWNLOAD MANAGER\ASM.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.shopnav.com/search/9886/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9886&s=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nascar.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9886&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.shopnav.com/search/9886/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *ne2.attbb.net;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.nascar.com/... Read more

A:hijackers

Read other 12 answers

Noticed Norton keeps popping up with downloader trojan and a few other viruses. I ran Adaware and Norton Antivirus as well as Panda ActiveScan but they keep coming back. I did a Google search that led me here. Seems there are some people doing good here. Last year I got some experience with spyware, looks like I am having a new experience with it now.

Logfile of HijackThis v1.97.7
Scan saved at 10:36:19 PM, on 9/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\D-Tools\daemon.exe
G:\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Pag... Read more

A:hijackers

Howdy!

The log is clean. There could still be something in the system, but a clean log narrows it down pretty well.

What kind of symptoms is the machine showing?

Is it possible that the other security progs already took care of the problems?

Read other 4 answers

Hello,

I started another thread but I haven't got a reply, usually you guys have answered by now..... busy time of the year I'm guessing

Here is my Thread http://forums.techguy.org/security/522556-infection-hijackers-phishing-site-help.html

and here is a NEW HJT log after I did all the scans

Logfile of HijackThis v1.99.1
Scan saved at 10:34:57 AM, on 11/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp... Read more

A:HELP PLEASE!!!! Hijackers

Read other 16 answers

Logfile of HijackThis v1.98.2
Scan saved at 11:59:52 AM, on 9/23/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP4 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\ekkrhsr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\documents and settings\administrator\local settings\temp\m9CkLPQs.exe
C:\WINNT\system32\IEHost35.exe
C:\PROGRA~1\INTERN~3\inetmgr.exe
C:\WINNT\system32\ccfgnt71.exe
C:\PROGRA~1\INTERN~3\inetsvc.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINNT\system32\asffo.exe
C:\Program Files\DownloadWare\dw.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\PROGRA~1\ClearSearch\Loader.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\Program Files\VVSN\VVSN.exe
C:\Program Files\Common... Read more

A:HELP!!! HELP!!! HELP!!!! The hijackers got me on my other PC

Please DO NOT post multiple threads for the same problem. You have been answered here:

http://forums.techguy.org/t277057.html

Make all posts regarding this matter in that thread.

This thread is closed.
 

Read other 1 answers

About three days ago, minimized Internet Explorer windows have been popping up on the taskbar. They are always of a search engine like Google, Alta Vista, Yahoo, HotBot, etc. It pops up about every half hour. They reconfigure my IE window settings so that when I open IE, the window is a very small square in the bottom right hand corner of my screen, and the toolbar is locked so that I have no options, including an address bar. I have been fighting with this for 3 days and I am finally ready to admit that I can't do it myself. I would really appreciate some help on this. THANKS A MILLION.

Logfile of HijackThis v1.99.0
Scan saved at 12:10:03 PM, on 1/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.e... Read more

A:I need help with hijackers

I see that you are running msconfig in /auto mode which means that you may have selectively removed some items in the past from the startup procedure. This can be bad if they are malware, so we would like you to reenable those startup entries by doing the following:

Please click on start, then run, and type msconfig and then press enter. When the window opens click on the startup tab and make sure there are checkmarks in every entry. Then press ok until you are out of the program. If it asks to reboot, do not reboot. Now please create a new Hijackthis Log and post it as a reply.


ComboScan v20070306.20 run by barry on 2007-03-09 at 13:00:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as barry.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:00:09 PM, on 3/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Video Access ActiveX Object\isamntr.exe
C:\Program Files\Video Access ActiveX Object\pmsnrr.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\P...

A:cant get rid of these hijackers

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please print out or copy these instructions/tutorial to Notepad as the internet will not (while in Safe Mode) be available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

---------------------------------------------------------------------------------------------

Please download SmitfraudFix (by S!Ri) to your Desktop.

---------------------------------------------------------------------------------------------

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"


Install AVG Anti Spyware
Double-click the icon on Desktop to launch AVG
On...


I was wondering if I have a hijacker ?
Sometimes when I am doing a search and I click on a site I am prompted to log on to the internet but I am already connected.
Can you help please? Thank you.
I have broadband DSL Sympatico. No, I do not have any network.
Yes, I see a login with username and password box.
 

A:hijackers ?

Hi, we will need some details: what type of Internet service, dialup or broadband such as cable or DSL, do you have?

Do you network with other computers where you are connecting from, through a router or modem that allows several computers to have Internet access at the same time?

Exactly what do you see, a Login box that you type your username and password into, or is it a connection retry message, that tells you to click Connect? That usually is controlled by either the network card settings or the ISP...a timeout period, where if you are not actively surfing, the modem may disconnect you. If I get up and go do something, not every time but sometimes, my connection tells me I am not online, to click Connect, it did not always do that so I think the recent updates my cable provider did set this up.

If you would also like to check the startups for malware, now is a good time and you are in the right forum to post a Hijackthis log:

Would like to have you post a log from HijackThis, a program (very tiny) that we use to see what problems exist.

There are directions here to do it: There are .zip form and .exe form, take your pick.

Download it here:

http://radiosplace.com/

Or here.
It's a direct download so be ready with the folder for it.

Basically, you must create a new folder, the desktop is OK provided you make a folder, name it something like HJT, and download TO that folder, run hijackthis.exe from there. If there ARE other users of the computer who migh...


Hi - I had a lot of Hi-jackers on my computer. I am thinking I got rid of them using some of the tools mentioned on this site, but I wanted to be sure. Can someone please let me know if there's anything else that needs to be fixed. Thanks a lot!

-- Jill

Logfile of HijackThis v1.99.1
Scan saved at 5:18:49 PM, on 3/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Download\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\So...

A:Had a lot of Hijackers, are they gone yet??

Hi jdot and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p

Please be patient with me during this time.

We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".


Hello, I am having problems with hijackers. I have spygate firewall and running firefox browser. Every day spygate tells that my comp has been hijacked and has scanned several ports. I was trying to find out how can I stop this? As far as I know it's not hurting my comp, but I don't want people (or programs) to know what I have on my comp. Please help! Anything would be appreciated.

A:hijackers

Hello trevorveasey. If you think you have been hijacked then what would be the best would be to submit a HijackThis log to the HijackThis forum for analysis by an expert. Here's a link to tell you how to submit a log:

http://www.bleepingcomputer.com/forums/t/956/how-to-submit-a-hijackthis-log/

Cheers.
OT


Logfile of HijackThis v1.99.1
Scan saved at 17:53:46, on 25/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C: ...

A:Hijackers

Sorry for the delay. If you still need help with your log please post a brand new HJT log as a reply to this topic and I will help you clean it up as necessary.


This is my girlfriend's PC, I need some expertise.

Logfile of HijackThis v1.96.1
Scan saved at 11:08:02 AM, on 9/28/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSDTCW.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\2WIRE\GATEWAY\2PORTALMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MEDIAKEY\VERSATO.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\MEDIAKEY\OSD.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBROWSER.EXE
C:\TEMP\HIJACKTHIS.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBROWSER.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://edit.client.yahoo.com/...

A:Hijackers die!!!!

Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://edit.client.yahoo.com/sbc/user_chooser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcyd.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcyd...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-2003.com/
O2 -...


Here is my hijackthis file....if anyone can help please do.....not exactly computer literate so talk to me like I am 2

Logfile of HijackThis v1.99.1
Scan saved at 8:01:08 PM, on 4/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\sstray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\weasel\Application Data\neac.exe
C:\WINDOWS\System32\n?tdde.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\abasa5jrp.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\weasel\Desktop...

A:Help me get rid of the Hijackers!!!

I guess this shoulda been posted in the Hijack This sub forum.


I need help with this hijackthis log file?

Logfile of HijackThis v1.99.1
Scan saved at 12:09:36 PM, on 8/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\program files\quicktime\qttask.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\Uninstaller\Tray icon tool.exe
C:\Program Files\TracksCleaner\Scheduler daemon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\LAVASOFT\AD-AWA~1\AD-AWARE.EXE
C:\Documents and Settings\Basrah\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - H...

A:Hijackers

Hi and Welcome to TSF

Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.

Ad-Aware SE Personal Edition
Spybot Search & Destroy
CWShredder

Also make sure you are using the latest version (1.99.1) of HijackThis and it's installed in its own folder on the root drive. (C:\HJT)


Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.
Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and check the box for Turn OFF System Restore and make sure it's NOT checked. We want system restore ON and monitoring your current hard drive. Once you're clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Ma...


I did Logfile of HijackThis and this is the results. Can anyone tell me what to fix and what not to fix. v1.99.1
Scan saved at 6:32:00 PM, on 5/17/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\program files\quicktime\qttask.exe
C:\WINDOWS\iprx.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Basrah\Local Settings\Temporary Internet Files\Content.IE5\CDUZUPGL\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lojqs...

A:Hijackers

Hi and Welcome....
The biggest problem that you have is that you really need to make your computer more secure from malware. I would advise you update your Windows and IE Browser security to SP1a or SP2. Is there any reason why you don't have it? This will help prevent malware. You really need to get up to date with your security by getting at least SP1a. You are just wide open to malware that is designed to attack 'raw' XP systems which exploits security 'holes'. You are wide open to infection.

http://www.microsoft.com/windowsxp/sp2/default.mspx
http://www.microsoft.com/windowsxp/d...1/default.mspx

-----------------------------------------------
It may help you if you print out or copy this page for easy reference. Make sure to work through the fixes in the exact order it's listed. These instructions only apply to HJT v1.99.1

Please Keep your browser and all open programs closed (except firewalls and antivirus) when you are carrying out the fixes..

Download any of the required programs before attempting to start any of the fixes.

Please do NOT run Hijack This in a TEMPorary folder or on the Desktop. I recommend c:/program files/HJT/

Turn off System Restore instructions (WinXP)
Right-click My Computer | Properties | System Restore | check "Turn off System Restore", <Apply>, <OK>. Reboot. When we have confirmed that your log file is clean, you may re-enable System Restore and create a new restore point.

SHOW HIDDEN FILES AND FOLDERS.
To sh...


please view my hijack this & tell me about the en

Logfile of HijackThis v1.99.1
Scan saved at 12:20:49 PM, on 3/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MP3 CD Extractor\CD-Extractor.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\WINDOWS\system32\ci...


hello
I post my logfile,
I think something must be fixed
thank you!


Logfile of HijackThis v1.99.0
Scan saved at 14:30:47, on 24.04.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Lexmark X1100 Series\lxbkbmgr.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Spamihilator\spamihilator.exe
C:\Programmi\Lexmark X1100 Series\lxbkbmon.exe
C:\Programmi\NielsenNetratings\bin\insight.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\sysye.exe
C:\WINDOWS\mfcja.exe
C:\...

A:hijackers in my pc

Hello and Welcome

Please print out or copy this page to notepad for easy reference when carrying out the instructions. Make sure to work through the fixes in the exact order they are listed. If you have any questions feel free to ask before carrying out the fixes.

You have an outdated version of HijackThis. Click here to get the latest version of HijackThis and run it.

Before you give us a new log here, if we gave you instructions for a fix, please do the fixes first and then post the new log with this updated version.

1. If it gives you an intro screen, just choose Do a system scan and save a logfile.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. The result.txt file will open up in Notepad. Copy the whole result.txt log and post it in the forum. We do not need the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless.

Show Hidden and System files:
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

For the options that you have checked/enabled, you may uncheck them after your log is clean.
If we ask you to fix a program that you...


hey guys... here's my deal: I just purchased a new system so I'm giving my old one to my little brother. However, I get quite a few popups for no good reason and I'd like to take care of the problem before I turn this thing over to him. thanks for your help :)

Logfile of HijackThis v1.97.7
Scan saved at 12:30:56 AM, on 12/4/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\documents and settings\jake\local settings\temp\hwx.exe
C:\WINDOWS\System32\master39.exe
C:\Program Files\Windows TaskAd\WinTaskAd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Windows TaskAd\WinSched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\...

A:damn hijackers...

Hi and Welcome to TSF

You're getting these because your IE settings are too low, no firewall, no antivirus software (in your log) and your OS and IE have not been updated with the latest service packs. Consider installing SP1/SP2 service packs for both XP and IE6. Anyway..on to the fix. Please update your version of hijackthis as you're using an old version.

Before attacking an adware/spyware problem with hijackthis make sure you have already run ad-aware SE with VX2 add-on cleaner, Spybot Search & Destroy (with updated database) and CWShredder as these programs will clean a lot of the crap out first. All links to programs are in my signature. Ok..on to the log...

You have the Peper infection. Download PeperUninstall. Make sure you are connected online to run this program. Run it once and reboot. Then run it again for the second time. Download PeperFix and save it to your Desktop. Run it and click Find and Fix (reboot if prompted).


Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following an...


Hi, a few days ago you guys helped me out, but now it seems the spyware is back. Every now and then, none of my browsers will work, but occasionally it does, it's very strange. I'm tired of it, so here's my new log, thanks!

Logfile of HijackThis v1.98.2
Scan saved at 20:58:14, on 20/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\ARCHIV~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\ARCHIV~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Archivos de programa...

A:Return of the hijackers!

Hi valeria_nick,

There is nothing suspect in your log.

Did you have the same problem before installing XP SP2?


During the last week of Dec. 2004, I got accidentally invaded with spyware/malware. I have spent many days trying to reverse this personal tragedy, but some of the problems persist; here is a list:

1-Computer boots up randomly without my command, about once every few hours;
2-Program shortcuts (like Dating Online and Block Spyware to name a couple) keep appearing on my desktop especially after reboot;
3-When in Internet Explorer, I still get a few annoying popups, but I also get browser redirects after I try a search.

And here is what I have done so far:

1-Ran Spybot S&D and Adaware 6.0 several times, before and after updating them to the latest available free versions;
2-installed a couple of freeware popup blockers, but discovered that those too had spywares built in, and promptly removed them (but I don't know how completely);
3-Installed a purchased copy of Spyware Doctor, and ran it; then I updated it to the newest online version and re-ran it; I cleaned up in excess of 100 problems found by the software. I also turned the immunization and spyguard utilities on;
4-after all of this work the computer seemed back to normal, but much to my chagrin, the listed problems above persist.

I finally broke down and ran HijackThis after carefully reading an associated tutorial on the subject. Below is the log (I am running a Windows 2000 Professional machine)

---------------

Logfile of HijackThis v1.99.0
Scan saved at 3:15:51 PM, on 1/3/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE:...

A:The latest Hijackers

Hi

You have a Look2Me infection and your recycle bin is damaged. If you delete a file it will be lost forever.

Please Download LSPFix from: LSP-Fix

Disconnect from the Internet and close all Internet Explorer windows. Run the program, check the "I know what I'm doing" button and place all listings of

aklsp.dll
calsp.dll

into the remove section by clicking on the button that points to the right. Do not remove any others. When all instances of this dll are in the Remove section, press the Finish button.

Reboot your machine.

To see a tutorial on how to use this program click the link below:
Using LSP-Fix to remove LSP Spyware & Hijackers

Download Find It NT-2K-XP.zip.

Unzip the contents of Find It NT-2K-XP.zip to a folder, for example c:\findit
Navigate to the c:\findit folder and double-click on find.bat.
A command prompt will open and it will search your computer for malicious files.
Once it has finished a Notepad window will pop up with output.txt.
Copy the entire contents of output.txt into your next post.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.

My timezone is GMT +2. I think you can run find.bat and post the log tomorrow morning or tomorrow afternoon/evening. It's 3 am now and I'm going to sleep ...


Hello!

I'm ripping what's left of my hair out! I've apparently picked up several hijackers including searchmyrequest and myexexex. My computer has slowed down so much and my home page keeps changing, it's like I'm living with Sybil! My wife is ready to kill me and the children thinking that we're somehow downloading this porn!

I've run Adaware, CWShredder, Spybot S&D and my Norton AV (all most recent and up to date), but I can't get rid of the blasted things. Can anyone help?

Here's the Hijack file

Logfile of HijackThis v1.97.7
Scan saved at 6:53:26 PM, on 6/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WIN...

A:So Many Hijackers-So Little Patience

Welcome to TSG, skyejaz

Close all windows, restart Hijack this and put a check mark against the following:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmyrequest.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmyrequest.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <none>
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmyrequest.com/sp.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.237.45.18 ad.doubleclick.net
O1 - Hosts: 64.237.45.18 aff.weatherbug.com
O1 - Hosts: 64.237.45.18 www.burstnet.com
O1 - Hosts: 64.237.45.18 oz.valueclick.com
O1 - Hosts: 64.237.45.18 a.tribalfusion.com
O1 - Hosts: 64.237.45.18 servedby.advertising.com
O1 - Hosts: 64.237.45.18 my.search
O1 - Hosts: 64.237.45.18 pagead2.googlesyndication.com
O1 - Hosts: 209.87.155.230 date.com
O1 - Hosts: 209.87.155.230 dating.com
O1 - Hosts: 209.87.155.230 freedating.com
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: Elitum EliteBar - {FA6548E9-78F5-4025-9D7B-FC1367789C38} - C:\WINDOWS\EliteBar\EliteBar.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - H...

RELEVANCY SCORE 37.2

I am following through the tutorial on how to analyze a HJT log and I've come to the section O18 - Extra protocols and protocol hijackers. It says to delete anything in here. I have a log that has about 70 entries for what looks like something from Logitech, (there is a logitech keyboard/mouse combo on this system). For example this is the first one:

O18 - Protocol: offline-8876480 - {2DB4C761-7D9D-11D9-9287-0008C7226EE4} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL

I've been googling the dll name trying to confirm that they are or are not evil things but I've got conflicting information.

Most of what I'm finding are log analysis threads. None say directly to remove the entries using HJT but most do not show them present after running a variety of tools.

However I also found a thread that advised the originator that their log was clean and all of the O18 entries were still there.

Are these valid Logitech entries or ?????

Thanks ...weeG
 

A:Are these protocol hijackers?

Add remove programs - remove logitech desktop messenger
 

RELEVANCY SCORE 37.2

Hi,

I don't know much about the kind of virus hence I have to resort to using the title of the thread. I used to have pop up stopper to block pop ups but recently I noticed that pop-ups were not being blocked so I tried to open the program again and it turned out it was deleted from my system. Not only that but Yahoo messenger was gone as well. I also noticed that my Task Manager was disabled as I was getting the message "Task Manager has been disabled by the Administrator". A couple of days later browser hijackers started to do their magic, making my life difficult. Here is the log of the required files. Please help.

ComboScan.txt

ComboScan v20070221.16 run by buddah on 2007-02-25 at 08:58:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as buddah.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 08:58:42, on 25/02/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Inte...

A:Help with Browser Hijackers

Hi, I am not trying to bump my thread but I have also installed a secondary hard disk and moved my data over there. I can see 2 drives now and have transferred my work files over to F: drive while I would format my C: drive (old drive) if I didn't sort this browser problem soon.

Is there anything I should take care of in doing that?

A little more about the problem. The browser opens pop up for loopylove.com or some porn sites and some time movies sites. The speed of the internet seems very slow.

I can't open explorer after connecting my internet connection as my first page is directed to open hotmail.com but it gives an error that window encountered some problem and if I want to report it or not. As soon as I choose one option it closes down the explorer window. Therefore, I open the explorer and press esc immediately afterwards. Then I choose other links but not hotmail. I open hotmail by using messenger and then click email option from there and it doesn't give the previous problem.

My HijackThis has started to hang as well since my removal of files from C drive. I can't see any images as Microsoft Image viewer is deleted nor even the preview in folders.

Please Please help soon.

Thanks

RELEVANCY SCORE 37.2

Hello,
 
I'm pretty sure that hijackers have remote control ability of my laptop. For the past few days my lptp has been running unusually slow. Also for the past two days my webcam light at the top of the screen had been coming on and staying on for hours. I looked in my task manager to kill the camera and did not see it running. I even deleted the webcam app that came with this lptp to kill it and the light still comes on. Then yesterday while in Chrome all of my tabs started flickering and the lptp froze until I shut it down. When I reopened I could see someone was accessing control settings, a dialog box popped up asking about audio settings, and it seems they had turned on the audio command for the blind to have all keyboard moves vocalized. So I'm guessing they couldn't see so needed to hear what I was doing? Then it started to read out the website I was on which was Amazon! The lptp again started freezing as I struggled to gain control and prevent take over of my lptp. Different items began to be moved around by another cursor.
 
So I ran a few antiviruses. It is hard to know which one I have. I know that there has got to be many on here. I ran Anvi smart defender which told me I had 65 malicious extensions. Unfortunately, I don't know if it was the hijackers, but it took almost a day to run the complete Full scan for some odd reason. On the next day just as I was approaching 70% scan completion. The system froze out and threw me out in the mi...

A:Hijackers and Trojans! Help

hi emperative,
 
If you still need help you can do two things. First download and run the free version of Malwarebytes. Second create a log with FRST and copy/paste the logs in your reply.
 
I am usually only on this site once or twice per day so you may not get a response back from me until the following day.
 
1)  Please download Malwarebytes Anti-Malware 2.0.3.1025 Final to your desktop.
     http://data-cdn.mbamupdates.com/v2/mbam/consumer/data/mbam-setup-2.0.3.1025.exe
 
    Double-click mbam-setup-2.0.3.1025.exe and follow the prompts to install the program.
    At the end, be sure a checkmark is placed next to the following:
        Launch Malwarebytes Anti-Malware
        A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
    Click Finish.
    On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
    Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
    A Threat Scan will begin.
    With some infections, you may see this message box.
        'Could not lo...
RELEVANCY SCORE 37.2

I've run everything. Malwarebytes, rkill, etc. but the hijacker keeps coming. Nothing seems to detect it. Any help would be great, I'm at wit's end and I'm tempted to gamble on combofix. I'm in Win7 64-bit. I'll post some logs as instructed from a similar thread:

Security Check:

 Results of screen317's Security Check version 0.99.83
 Windows 7 Service Pack 1 x64 (UAC is disabled!)
 Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!
 ESET NOD32 Antivirus 5.0
 Antivirus out of date!
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300
 JavaFX 2.1.1
 Java 7 Update 51
 Java version out of Date!
 Adobe Flash Player 13.0.0.214
 Adobe Reader 10.1.4 Adobe Reader out of Date!
 Mozilla Firefox (29.0.1)
 Google Chrome 34.0.1847.131
 Google Chrome 34.0.1847.137
````````Process Check: objlist.exe by Laurent````````
 ESET NOD32 Antivirus egui.exe
 ESET NOD32 Antivirus ekrn.exe
 Malwarebytes Anti-Malware mbam.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 7%
````````````````````End of Log``````````````````````

Farbar:

Farbar Service Scanner Version: 14-05-2014
Ran by Aaron (administrator) o...

A:Speedial hijackers

Welcome aboard

Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on adwcleaner.exe to run the tool.
Click on Scan button.
When the scan has finished click on Clean button.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the contents of that logfile with your next reply.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

Please download Junkware Removal Tool to your desktop.
Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

Please run a free online scan with the ESET Online Scanner
Disable your antivirus program
Click on "Run ESET Online Scanner" button.
Tick the box next to YES, I accept the Terms of Use
Click Start
Accept any security warni...
RELEVANCY SCORE 37.2

I followed the steps you listed and downloaded the hijackers log but one of the following malware I have on my computer is currently blocking me from installing ANY programs.

Trojan.Perffcoo
Hacktool.Rootkit
Downloader.MisleadAPP
Antivirus Pro 2009

I even tried to reinstall my entire C drive but when I tried to boot from the CD the following error comes up informing me that there are viruses preventing me from being able to proceed.

Stop: 0x0000007b, 0xc0000034, 0x00000000

At this point I am ready to dump my entire C drive but it seems like I need help in removing some viruses before I can do that. Please any help you can give me is greatly appreciated.
 

A:Malware so bad I can't run Hijackers Log

RELEVANCY SCORE 37.2

I have been trying to get rid of this browser hijacker for a week now. It has created an .exe file (htmlsync.exe), changed my browser homepage and search pages, and added stuff to my favorites. I have tried removing it from registry, startup menu, and deleting the .exe itself. It keeps coming back. I used HJT for the last few days, and it removes it until I reboot. Please help. Here is my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 12:09:42 PM, on 3/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\WEATHE~1\weathertray.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD....

A:Can't get rid of browser Hijackers!

RELEVANCY SCORE 37.2

I used "Hijack This" for IE on WinXP
My problems are basically...
1) home page assumes CoolWebSearch/ about:blank, or something.
2) my google/yahoo searches give advertisements disguised as search results.

ThanX in advance!
Logfile of HijackThis v1.97.7
Scan saved at 10:27:18 PM, on 8/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\services\wmplayer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\documents and settings\owner\local settings\temp\KwQdG.exe
C:\WINDOWS\zhbgdn.exe
C:\PROGRA~1\INTERN~2\inetmgr.exe
C:\Program Fil...

A:What to delete/fix from hijackers???

Download and run CWS shredder first from here.

http://www.soft32.com/download_19014.html

It'll get rid of your coolwebsearch nasty. If you want to do another hijack this log after that, maybe someone could check it for any other nasties for you.
 

RELEVANCY SCORE 37.2

Please help me get rid of a search portal hijacker and other ads that are interfering with my Internet access.

Yesterday I found flrman1's response to FADEDrocks's request for help on 21 July and followed those instructions. I already completed the Adaware review and fixed all of the bad files from my Hijackthis scan, using the guidance provided in the Hijackthis tutorial and the info on Tony Klein's page. But even after I follow all of the steps in the safe boot mode, I can't get rid of this search.portal.info homepage hijacker! I've gone through this drill four times in the last 24 hours.

Would greatly appreciate any assistance in resolving this frustrating problem!

Here's my latest HJT logfile. From using the Tony Klein info, I put a mad smilie next to the items I want to get rid of but:

Logfile of HijackThis v1.98.2
Scan saved at 7:50:42 AM, on 8/8/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Netwo...

A:Need help to get rid of homepage hijackers

RELEVANCY SCORE 37.2

I was hoping that someone could please help me out. I am trying to help a friend out whose computer has been hijacked. Here is the log, please help if you can. Thank you.


Logfile of HijackThis v1.99.1
Scan saved at 5:09:44 PM, on 4/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\keyhook.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Spyware Nuker 2004\swn2.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE...

A:Computer taken over by Hijackers

Hello Synapseguru and welcome to TSF...

In order to assist you better, we recommend that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Desktop. This is required because HijackThis will create backups and we don't want them to be deleted.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro http://uk...
RELEVANCY SCORE 37.2

Hi, I'm having trouble with browser hijackers, each time I try to load a page (even this one), it redirects me to something else. This page actually doesn't load at all. I've looked at my hosts files in windows\system32\drivers\etc\ and the only thing in the hosts file (now) is 127.0.0.1 localhost... (Spybot had added, it appeared, quite a lot of redirects (immunities I s'pose), but I deleted them (seen as how Spybot can always add them again later), and set all the files to read only.) Still having the redirect problem. Netstat reports an established connection to akamaitechnologies and reverse.ltdomains

I tried to tskill the PID associated with them, but access was denied. (svhost was the image name or sumfin like that)

Anyways, here's my HJT log, I checked the obvious stuff and clicked fix, but still having problems. Tried coreforce to find out where the redirects were coming from but to no avail

Please, please help
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:11:53 PM, on 11/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Safe mode with network support

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Windows Live\Mail\wlmail.exe
G:\WINDOWS\system32\ctfmon.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\Explor...
RELEVANCY SCORE 37.2

Any ideas out there to get rid of this nasty little guy that has jumped on board to give me problems here is the hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 10:38:17 AM, on 7/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comcast\Security Manager\app\Prism.exe
c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spdr.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\sys219.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Off...

A:Hijackers on board

What scans have you done ? i.e. Spybot , Adaware ?
 

RELEVANCY SCORE 37.2

Still have problems with popups and hijackers. Here is my hijackthis file. What am I missing?
Greg

Logfile of HijackThis v1.98.0
Scan saved at 2:08:39 PM, on 7/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://batonrouge.cox.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - ...

A:popups and hijackers

Hi and welcome to TSG,

Please get the hotfix for this new version of Hijack This (1.98) that fixes some bugs in this version. You can get it here:

http://www.majorgeeks.com/download3155.html

Please download and run the following programs:

AD-AWARE

Go here: http://www.lavasoftusa.com/support/download/
and download Ad-Aware 6 Build 181

Install the program and launch it.

First in the main window look in the bottom right-hand corner and click on Check for updates now and download the latest reference files.

Make sure the following settings are made and on -------ON=GREEN

From main window: Click Start then Activate in-depth scan (recommended)

Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.

Now click on the Tweak button in that same window. Under Scanning engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot

Click proceed to save your settings.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right click the window and choose select all from the drop down menu and click Next)

Restart your computer

SPYBOT SEARCH & DESTROY

http://majorgeeks.com/download2471.html

Open Spybot Search & Destroy (Click Start, Programs, Spybot S&D (Adva...
RELEVANCY SCORE 37.2

Hi,

I've volunteered to expunge malware from another friend's computer. Here's some idea of what I was trying to get rid of:

WINDOWS\system32\ssttt.dll -> Trojan.Virtumod
WINDOWS\system32\taskdir.dll -> Proxy.Lager.aq
WINDOWS\nexusexe.exe -> Downloader.Qoologic.at
WINDOWS\system32\aavedjfe.uru -> Hijacker.Small.js
WINDOWS\system32\cflbwvpg.exe -> Downloader.VB.aan
WINDOWS\system32\lqxnmsow.exe -> Trojan.Small
WINDOWS\system32\phqghume.exe -> Trojan.Small
WINDOWS\system32\ssqrp.dll -> Trojan.BHO.c
WINDOWS\system32\tobbkqqr.exe -> Trojan.Small
WINDOWS\wh.exe/whAgent.exe -> Adware.WebHancer


What I put on:
AVG freebie
Ewido freebie
AdAware SE (and vbouncer tool)
Spybot S&D
SpywareGuard
SpywareBlaster
HijackThis

I followed the instructions on the pre-HJT-log-posting instructions, dumped temp file and recycle bin. Ewido and AVG were having a hard time ousting one of the trojans... The HJT log file looks better than it was, but I'm an amateur and not willing to get too click-happy there! Still, there are a few suspicious-looking lines in the log file. Could you please take a look at it for me? Thanks for all the help!

BTW, this pc was unable to connect to the internet when I got it yesterday, and while the lan is working now, the wireless still isn't. Think it might be malware related?

HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 2:56:20 PM, on 6/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
M...

A:hijackers and trojans

Please print the below instructions or copy them to Notepad.

Download VundoFix at http://www.atribune.org/ccount/click.php?id=4 and save it to your desktop.
* Double-click VundoFix.exe to run it.
* Put a check next to 'Run VundoFix as a task'.
* You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
* When VundoFix re-opens, click the 'Scan for Vundo' button.
* Once it's done scanning, click the 'Remove Vundo' button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer. click OK.
* Turn your computer back on.
* Please post the contents of C:\vundofix.txt here.

Restart your computer and boot into Safe Mode (if you don't know how, go to http://www.bleepingcomputer.com/foru...howtutorial=61 ). Make sure to close any internet browsers that may still be open.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\system32\ssttt.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O9 - Extra button: (no name) - {B6E649FA-5461-40d7-AB4D-54FC3C8DB767} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuite...
RELEVANCY SCORE 37.2

Following is a log from HJT. I had my puter hijacked by internet-optimiser and I thought I had fixed it, now I can't search from the address bar, every time I try it tries to look for a http://"search phrase" of whatever I search for.

Logfile of HijackThis v1.97.7
Scan saved at 19:55:15, on 25/01/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\CREATIVE\WEBCAM CONTROL\CAMTRAY.EXE
C:\PROGRAM FILES\LEXMARKX73\ACMONITOR_X73.EXE
C:\PROGRAM FILES\LEXMARKX73\ACBTNMGR_X73.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\SSC\SSC.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:...

A:I hate Hijackers

Hi Morian,

C:\PROGRAM FILES\SSC\SSC.EXE

This one looks iffy. SSC as a Program File is not uncommon, as it's an installation file for Nav. But SSC.EXE isn't a recognised file. I would be pretty sure that any file associated with Norton is going to turn up somewhere in Googleland, but this one doesn't.

Could you please find it, and rename it from...

SSC.EXE

to

SSC.txt

and send a copy to [email protected]

Then, could you please try this to fix the problem..

Go to Start | Settings | Control Panel | Internet Options, click on the Programs tab, and click Reset Web Settings.

Let me know if that has helped. That's two logs in a row, where searches have gone to pot, and the search bar of choice is..

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01

Probably coincidence, but I'm off to see if there are any more occurrences of it.

Cheers

Liam
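
The cross-log check Liam describes (the same Search Bar value turning up in more than one log) can be scripted. This is an added example, not part of the original thread: it parses HijackThis R0/R1 lines and reports settings that recur across logs. The three sample logs are constructed, reusing only R-lines quoted on this page; the example.com and example.org start pages are placeholders.

```python
import re
from collections import defaultdict

# HijackThis R0/R1 line: "R1 - <registry key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[01]) - (HK[A-Z]+\\[^,]+),([^=]+?)\s*=\s*(.*)$")

def parse_r_entries(log_text):
    """Return (section, key, value_name, data) for every R0/R1 line in one log."""
    entries = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            entries.append(tuple(part.strip() for part in m.groups()))
    return entries

def shared_settings(logs, min_logs=2):
    """Map (value_name, data) -> sorted log names, kept if seen in >= min_logs logs."""
    seen = defaultdict(set)
    for name, text in logs.items():
        for _section, _key, value_name, data in parse_r_entries(text):
            seen[(value_name, data)].add(name)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_logs}

# Constructed sample logs (trimmed to the lines that matter here).
SEARCH_BAR = r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01"
LOGS = {
    "log_a": "Logfile of HijackThis v1.97.7\nRunning processes:\n"
             "C:\\WINDOWS\\EXPLORER.EXE\n" + SEARCH_BAR + "\n"
             r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/",
    "log_b": "Logfile of HijackThis v1.97.7\n" + SEARCH_BAR + "\n"
             r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.org/",
    "log_c": "Logfile of HijackThis v1.99.1\n"
             r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com"
             "\n"
             r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com",
}

if __name__ == "__main__":
    for (value_name, data), names in shared_settings(LOGS).items():
        print(f"{value_name} = {data} appears in: {', '.join(names)}")
```

A value that recurs across unrelated machines is only a lead: regional OEM or ISP defaults repeat just as hijacker settings do, so each hit still needs checking against the machine's expected configuration.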
 


Alright, I did a HijackThis scan a few days ago and I saw I had 2 browser hijackers. They didn't really have any effect on me because of my host file, but I just want to be safe. I deleted them with HijackThis but they came back. I tried Spybot SD, AVG Free and ESET Online Scanner but nothing is coming up. My friend told me to use ComboFix, is this what I should do?

Here's a dds log to help you guys out. Thanks!

Deckard's System Scanner v20071014.68
Run by Kathy Borgfjord on 2008-03-10 10:59:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 93% (more than 75%).
Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Kathy Borgfjord.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:10 AM, on 10/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\...