
Solved: Help with Hijackers, Please!

Q: Solved: Help with Hijackers, Please!

To all-

I came here before to help remove a hijacker from my computer, and Cookiegal helped me do it, and I've been free since! (Thanks again, Cookiegal!) Now I'm helping a friend with their computer. Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:33:33 PM, on 2/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\JOHNSO~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\System32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\System32\vidmon\vidmon.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames.exe
O4 - HKLM\..\Run: [winsysban] C:\\winsysban5.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\Gateway\helpspot\TechTools.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129679761234
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\Gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - file://C:\Program Files\Gateway\helpspot\StartFirstControl.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - file://C:\Program Files\Gateway\helpspot\XPLControl.CAB
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: httpsecure (Explore HTTP server) - Unknown owner - C:\WINDOWS\lsas.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Any help would be appreciated! Thanks,

Kevin


A: Solved: Help with Hijackers, Please!


It seems I've ended up with at least 2 hijackers; the one that redirects from Google search results, and another one that randomly seems to pick several links on a page (but not all) and redirect them as web searches. Even if I copy/paste the shortcut to a new browser window, it still ends up redirecting those specific links.
Logfile of HijackThis v1.99.1
Scan saved at 11:01:10 AM, on 3/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Dell Photo A...

A:Solved: Yay, Hijackers!


Dear friends,
Every time I start my computer, I get Best Search as my start page. I tried to change this. I used HijackThis, Spybot, Ad-aware, WinPatrol, EasyCleaner and Norton Anti-virus. Some of these have located and fixed the problem, but it is still there on every reboot. I even ran regedit and changed the values manually (Current Users/Microsoft/Internet Explorer/Main) back to my preferred start page. Nothing. What can I do?
Something else worth mentioning is that ever since that happened, I can't open HTML files that have been stored to my disk. Windows Explorer crashes, displaying the message that explorer.exe encountered a problem and mentioning something about the file mshtml.dll. How can I deal with this?
I am running Windows XP Professional, Office 2000 Professional, Internet Explorer 6.

Thank you in advance,
Maria
 

A:[Solved] IE hijackers


On the 19th I did a routine AdAware scan and it picked up and did away with two AOL Hijackers. Later that day, I received a pop under for a product called Privacy Protector that claimed to protect my adult viewing habits (don't have any so that was really funny). Knowing it was probably malware I simply exited and thought nothing more about it. I got the same pop under a couple of days later and this time, when I tried to just exit, the site opened anyway. The next time I tried to go to a URL I must have in my work (I work from home and dispatch drivers and I cannot give the URL in a public forum) it defaulted to a search and threw up 3 results. I thought I'd keyed it wrong so just keyed it again and got the proper site. However, the next time I tried to go there, I got the search result again. Tried to re-key and it defaulted again. I tried going in the long way with an extended URL and got an error screen telling me it could not be opened. I figured there was something up so I did an AVG anti-spyware scan and hijacker.IFrame.n showed up. AVG quarantined this and cleansed the file, but did not delete the file. My machine then proceeded to hang and would not end task, had to be booted. After the boot, I could get to my site with the short URL the first time, but it began redirecting after that. I could get in on the long URL once, as well, but not again. Looking at the results showed they were most likely porn sites - one a teen porn site at that. I'm sure this Privacy ...

A:Solved: Multiple Hijackers


hi!

Today I got an email from our University Network administrator.
He told me my computer is broadcasting sh*t and scanning ports
all day. Now my network account will be blocked if I can't fix this till 8pm .. that's 4 1/2 hours from now [GMT].
I have been searching/deleting all day and I found a hell of a lot of nasty things on my computer.
Sophos AntiVirus and AVG Antivirus say my system is clean but somehow I don't trust them.
The trendmicro online scanner (http://housecall.trendmicro.com/) found a Worm_RBot.CW in the
lssrv.exe and was not able to fix this.
I used HijackThis and this is my (commented) log:

Logfile of HijackThis v1.97.7
Scan saved at 14:55:11, on 22.07.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\wuosdial.exe
C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\lssrv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG6\avgcc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\Winregs32.exe
C:\Programme\Sophos SWEEP for NT\ICMON.EXE
C:\Programme\Sophos\Remote Update\imonitor.exe
C:\PROGRA~1\AVG6\avgserv.exe
C:\Programme\Sophos\Remote Up...

A:[solved]Hijackers on my System... very urgent!


I recently downloaded CCleaner and was invaded by several hijack programs. They are Trovi, searchnu and rocket-find. They do not appear on my program list nor can I find them when I do a search but they pop up constantly, especially in Google Chrome. They have also invaded IE 8 running on WindowsXP. I would appreciate any help I can get in getting rid of these pests and any help on how to spot them prior to downloading any software. Thank you.

A:[SOLVED] Hijackers have invaded my computer

Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

We want all our members to perform the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

After running through all the steps, you shall have a proper set of logs. Please post/attach the logs in your next reply.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 12:04:36 PM, on 5/30/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\mfcob.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows ServeAd\WinServAd.exe
C:\Program Files\Windows ServeAd\WinServSuit.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsc...

A:Solved: Trojans, browser hijackers, etc. HJT log


Last night ran Adaware and Ewido, this morning ran AVG anti-virus software, but computer still crawling. Please check HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:27:14 AM, on 9/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\mike\LOCALS~1\Temp\Rar$EX01.969\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - H...

A:Solved: 2 Hijackers removed but still at a crawl - HJT log included here


My system has been taken over by hijackers, including "oneclicksearches", and others. Found a thread discussing removal of same, which indicated that Limewire & Weatherbug should be removed using Add/Remove. Removed Weatherbug, but when I try to remove Limewire I get this message: "error #0X80040707", then "access is denied".

If you can help me remove Limewire, perhaps you'll also help me get rid of these hijackers. Have tried Spybot, AdAware, Trend, to no avail. Thinking of taking my computer to the nearest bridge and giving it a toss!

Please help!!!
Thank you!
 

A:Solved: Desperate to remove Limewire & hijackers


Here's the hijack this log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System\MSMSGSVC.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Spy vs Spy\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Micro...

A:Solved: "E-finder" homepage hijackers


Hello,

I started another thread but I haven't got a reply; usually you guys have answered by now..... busy time of the year, I'm guessing

Here is my Thread http://forums.techguy.org/security/522556-infection-hijackers-phishing-site-help.html

and here is a NEW HJT log after I did all the scans

Logfile of HijackThis v1.99.1
Scan saved at 10:34:57 AM, on 11/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp...

A:HELP PLEASE!!!! Hijackers


Hi - I had a lot of Hi-jackers on my computer. I am thinking I got rid of them using some of the tools mentioned on this site, but I wanted to be sure. Can someone please let me know if there's anything else that needs to be fixed. Thanks a lot!

-- Jill

Logfile of HijackThis v1.99.1
Scan saved at 5:18:49 PM, on 3/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Download\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\So...

A:Had a lot of Hijackers, are they gone yet??

Hi jdot and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p

Please be patient with me during this time.

We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".


Here is my hijackthis file....if anyone can help please do.....not exactly computer literate so talk to me like I am 2

Logfile of HijackThis v1.99.1
Scan saved at 8:01:08 PM, on 4/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\sstray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\weasel\Application Data\neac.exe
C:\WINDOWS\System32\n?tdde.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\abasa5jrp.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\weasel\Desktop...

A:Help me get rid of the Hijackers!!!

I guess this shoulda been posted in the HijackThis sub forum.


I need help with this hijackthis log file?

Logfile of HijackThis v1.99.1
Scan saved at 12:09:36 PM, on 8/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\program files\quicktime\qttask.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\Uninstaller\Tray icon tool.exe
C:\Program Files\TracksCleaner\Scheduler daemon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\LAVASOFT\AD-AWA~1\AD-AWARE.EXE
C:\Documents and Settings\Basrah\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - H...

A:Hijackers

Hi and Welcome to TSF

Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.
Ad-Aware SE Personal Edition
Spybot Search & Destroy
CWShredder

Also make sure you are using the latest version (1.99.1) of HijackThis and it's installed in its own folder on the root drive. (C:\HJT)


Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.
Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and check the box for Turn OFF System Restore and make sure it's NOT checked. We want system restore ON and monitoring your current hard drive. Once you're clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Ma...


I was wondering if I have a hijacker?
Sometimes when I am doing a search and I click on a site, I am prompted to log on to the internet, but I am already connected.
Can you help please? Thank you.
I have broadband DSL (Sympatico). No, I do not have any network.
Yes, I see a login with username and password box.
 

A:hijackers ?

Hi, We will need some details: what type of Internet service, dialup or broadband such as cable or DSL, do you have?

Do you network with other computers where you are connecting from, through a router or modem that allows several computers to have Internet access at the same time?

Exactly what do you see, a Login box that you type your username and password into, or is it a connection retry message, that tells you to click Connect? That usually is controlled by either the network card settings or the ISP...a timeout period, where if you are not actively surfing, the modem may disconnect you. If I get up and go do something, not every time but sometimes, my connection tells me I am not online, to click Connect, it did not always do that so I think the recent updates my cable provider did set this up.

If you would also like to check the startups for malware, now is a good time and you are in the right forum to post a Hijackthis log:

Would like to have you post a log from HijackThis, a program (very tiny) that we use to see what problems exist.

There are directions here to do it: There are .zip form and .exe form, take your pick.

Download it here:

http://radiosplace.com/

Or here.
It's a direct download so be ready with the folder for it.

Basically, you must create a new folder, the desktop is OK provided you make a folder, name it something like HJT, and download TO that folder, run hijackthis.exe from there. If there ARE other users of the computer who migh...


Logfile of HijackThis v1.99.1
Scan saved at 17:53:46, on 25/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C: ...

A:Hijackers

Sorry for the delay. If you still need help with your log please post a brand new HJT log as a reply to this topic and I will help you clean it up as necessary.


ComboScan v20070306.20 run by barry on 2007-03-09 at 13:00:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as barry.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:00:09 PM, on 3/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Video Access ActiveX Object\isamntr.exe
C:\Program Files\Video Access ActiveX Object\pmsnrr.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\P...

A:cant get rid of these hijackers

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please print out or copy these instructions/tutorial to Notepad as the internet will not (while in Safe Mode) be available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

---------------------------------------------------------------------------------------------

Please download SmitfraudFix (by S!Ri) to your Desktop.

---------------------------------------------------------------------------------------------

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"


Install AVG Anti Spyware
Double-click the icon on Desktop to launch AVG
On...

Noticed Norton keeps popping up with downloader trojan and a few other viruses. I ran Adaware and Norton Antivirus as well as Panda ActiveScan but they keep coming back. I did a Google search that led me here. Seems there are some people doing good here. Last year I got some experience with spyware; looks like I am having a new experience with it now.

Logfile of HijackThis v1.97.7
Scan saved at 10:36:19 PM, on 9/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\D-Tools\daemon.exe
G:\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Pag...

A:hijackers

Howdy!

The log is clean. There could still be something in the system, but a clean log narrows it down pretty well.

What kind of symptoms is the machine showing?

Is it possible that the other security progs already took care of the problems?


hello
I post my logfile,
I think something must be fixed
thank you!


Logfile of HijackThis v1.99.0
Scan saved at 14:30:47, on 24.04.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Lexmark X1100 Series\lxbkbmgr.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Spamihilator\spamihilator.exe
C:\Programmi\Lexmark X1100 Series\lxbkbmon.exe
C:\Programmi\NielsenNetratings\bin\insight.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\sysye.exe
C:\WINDOWS\mfcja.exe
C:\...

A:hijackers in my pc

Hello and Welcome

Please print out or copy this page to notepad for easy reference when carrying out the instructions. Make sure to work through the fixes in the exact order they are listed. If you have any questions feel free to ask before carrying out the fixes.

You have an outdated version of HijackThis. Click here to get the latest version of HijackThis and run it.

Before you give us a new log here, if we gave you instructions for a fix, please do the fixes first and then post the new log with this updated version.

1. If it gives you an intro screen, just choose Do a system scan and save a logfile.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. The result.txt file will open up in Notepad. Copy the whole result.txt log and post it in the forum. We do not need the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless.

Show Hidden and System files:
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

For the options that you have checked/enabled, you may uncheck them after your log is clean.
If we ask you to fix a program that you...

Logfile of HijackThis v1.98.2
Scan saved at 11:59:52 AM, on 9/23/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP4 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\ekkrhsr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\documents and settings\administrator\local settings\temp\m9CkLPQs.exe
C:\WINNT\system32\IEHost35.exe
C:\PROGRA~1\INTERN~3\inetmgr.exe
C:\WINNT\system32\ccfgnt71.exe
C:\PROGRA~1\INTERN~3\inetsvc.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINNT\system32\asffo.exe
C:\Program Files\DownloadWare\dw.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\PROGRA~1\ClearSearch\Loader.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\Program Files\VVSN\VVSN.exe
C:\Program Files\Common...

A:HELP!!! HELP!!! HELP!!!! The hijackers got me on my other PC

Please DO NOT post multiple threads for the same problem. You have been answered here:

http://forums.techguy.org/t277057.html

Make all posts regarding this matter in that thread.

This thread is closed.
 


I did Logfile of HijackThis and this is the results. Can anyone tell me what to fix and what not to fix. v1.99.1
Scan saved at 6:32:00 PM, on 5/17/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\program files\quicktime\qttask.exe
C:\WINDOWS\iprx.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Basrah\Local Settings\Temporary Internet Files\Content.IE5\CDUZUPGL\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lojqs...

A:Hijackers

Hi and Welcome....
The biggest problem that you have is that you really need to make your computer more secure from malware. I would advise you update your Windows and IE Browser security to SP1a or SP2. Is there any reason why you don't have it? This will help prevent malware. You really need to get up to date with your security by getting at least SP1a. You are just wide open to malware that is designed to attack 'raw' XP systems which exploits security 'holes'. You are wide open to infection.

http://www.microsoft.com/windowsxp/sp2/default.mspx
http://www.microsoft.com/windowsxp/d...1/default.mspx

-----------------------------------------------
It may help you if you print out or copy this page for easy reference. Make sure to work through the fixes in the exact order it's listed. These instructions only apply to HJT v1.99.1

Please keep your browser and all open programs closed (except firewalls and antivirus) when you are carrying out the fixes.

Download any of the required programs before attempting to start any of the fixes.

Please do NOT run Hijack This in a TEMPorary folder or on the Desktop. I recommend c:/program files/HJT/

Turn off System Restore instructions (WinXP)
Right-click My Computer | Properties | System Restore | check "Turn off System Restore", <Apply>, <OK>. Reboot. When we have confirmed that your log file is clean, you may re-enable System Restore and create a new restore point.

SHOW HIDDEN FILES AND FOLDERS.
To sh...

These popups from wabu.com have been driving me bonkers.
I ran Hijack This but I don't want to delete the wrong files so here they are.................... Please advise on which ones I should delete
Thanks sooooooooooo much

Logfile of HijackThis v1.95.1
Scan saved at 2:40:46 PM, on 7/29/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\RVP\bpc.exe
C:\Program Files\Srng\Srng.exe
C:\Program Files\rb32\rb32.exe
C:\WINDOWS\TVTMD.exe
C:\PROGRA~1\NETRAT~1\Premeter\prmt.exe
C:\Program Files\MemoryMeter\MemoryMeter.exe
C:\Program File...

A:hijackers

You have a LOT of spyware/malware there. I have a feeling that what we see in the HJT log is just the tip of the iceberg. Let's take care of RapidBlaster first.

I would suggest that you Read this advisory on RapidBlaster: http://www.wilderssecurity.net/spec...pidblaster.html

Before doing anything else, you NEED to run Javacool's RapidBlaster killer : http://www.wilderssecurity.net/downloads/rbkiller.exe
It's at present the only application that will effectively remove this pest!

Launch the program and hit the Scan button.
RBKiller will find any RapidBlaster variants on your system, kill the process, delete the Registry Run entry, and remove the file itself.

Next go to http://security.kolla.de/index.php?...n&page=download and download SpyBot. Once Spybot is installed click on 'Online' and download the latest updates. Hold off on using it until we can analyze your HiJackThis log.

Now, close all web browser windows and disconnect from the Internet.
Then run Spybot (click "Check for Problems").
When the results appear, tick everything highlighted in RED .
DELETE all entries in red using Spybot.
After this, REBOOT your PC.

Spybot may appear to 'hang' at certain points. Please allow it several minutes to continue the scan, as it may be carrying out some extensive file checking at these points.

Sometimes, Spybot will show a dialogue box, asking that you run the utility again - after rebooting your PC. If you see this box, click &...


Hello, I am having problems with hijackers. I have spygate firewall and running firefox browser. Every day spygate tells that my comp has been hijacked and has scanned several ports. I was trying to find out how can I stop this? As far as I know it's not hurting my comp, but I don't want people (or programs) to know what I have on my comp. Please help! Anything would be appreciated.

A:hijackers

Hello trevorveasey. If you think you have been hijacked then what would be the best would be to submit a HijackThis log to the HijackThis forum for analysis by an expert. Here's a link to tell you how to submit a log: http://www.bleepingcomputer.com/forums/t/956/how-to-submit-a-hijackthis-log/

Cheers.
OT


can someone tell me which ones to delete!!!

C:\PROGRAM FILES\NORTON UTILITIES\SYSDOC32.EXE
C:\PROGRAM FILES\COMMON FILES\GMT\GMT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ALTNET\DOWNLOAD MANAGER\ASM.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.shopnav.com/search/9886/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9886&s=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nascar.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9886&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.shopnav.com/search/9886/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *ne2.attbb.net;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.nascar.com/...

A:hijackers


About three days ago, minimized Internet Explorer windows have been popping up on the taskbar. They are always of a search engine like Google, Alta Vista, Yahoo, HotBot, etc. They pop up about every half hour. They reconfigure my IE window settings so that when I open IE, the window is a very small square in the bottom right hand corner of my screen, and the toolbar is locked so that I have no options, including an address bar. I have been fighting with this for 3 days and I am finally ready to admit that I can't do it myself. I would really appreciate some help on this. THANKS A MILLION.

Logfile of HijackThis v1.99.0
Scan saved at 12:10:03 PM, on 1/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.e...

A:I need help with hijackers

I see that you are running msconfig in /auto mode which means that you may have selectively removed some items in the past from the startup procedure. This can be bad if they are malware, so we would like you to reenable those startup entries by doing the following:

Please click on start, then run, and type msconfig and then press enter. When the window opens click on the startup tab and make sure there are checkmarks in every entry. Then press ok until you are out of the program. If it asks to reboot, do not reboot. Now please create a new Hijackthis Log and post it as a reply.


please view my hijack this & tell me about the en

Logfile of HijackThis v1.99.1
Scan saved at 12:20:49 PM, on 3/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MP3 CD Extractor\CD-Extractor.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\WINDOWS\system32\ci...

This is my girlfriend's PC, I need some expertise.

Logfile of HijackThis v1.96.1
Scan saved at 11:08:02 AM, on 9/28/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSDTCW.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\2WIRE\GATEWAY\2PORTALMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MEDIAKEY\VERSATO.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\MEDIAKEY\OSD.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBROWSER.EXE
C:\TEMP\HIJACKTHIS.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBROWSER.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://edit.client.yahoo.com/...

A:Hijackers die!!!!

Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://edit.client.yahoo.com/sbc/user_chooser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcyd.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcyd...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-2003.com/
O2 -...

I have been trying to get rid of this browser hijacker for a week now. It has created an .exe file (htmlsync.exe), changed my browser homepage and search pages, and added stuff to my favorites. I have tried removing it from registry, startup menu, and deleting the .exe itself. It keeps coming back. I used HJT for the last few days, and it removes it until I reboot. Please help. Here is my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 12:09:42 PM, on 3/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\WEATHE~1\weathertray.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD....

A:Can't get rid of browser Hijackers!


I have been battling these hijackers most of the day and after reading a number of your other threads I decided to try hijackthis and see if you could give me some assistance.

The following is my hijackthis log file.

Logfile of HijackThis v1.98.0
Scan saved at 3:25:55 AM, on 11/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\AL JOYNER\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_p...ount_id=153636
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_p...ount_id=153636
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slotch.com/?&account_id=153636
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet ...

A:Have browser Hijackers

Hi
You will need to put HJT in a folder of its own and not on the desktop.

After that...
Make sure you have already run Adaware, Spybot S & D (check for updates) as these will do a preliminary clean first. Some files below may not be present after running the above programs.

Then....
Turn off your System Restore SEE HERE. Reinstate it when your log is cleaned and then create a new restore point. Close your browser window and run hjt in safe mode... HOW TO RUN SAFE MODE and have "Hijack This" fix all the following items by placing a check in the appropriate boxes and selecting "fix checked".
Folders that have been highlighted RED in the log will need to be uninstalled. Check first as some folders may be uninstalled via the Add/Remove program. Files highlighted in BLACK in the log will need to be removed from your hard drive. Make sure to have your system set to show hidden files and folders.. HOW TO SHOW FILES .. Please post a new log when finished...

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_...count_id=153636
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_...count_id=153636
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slotch.com/?&account_id=153636
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...count_id=153636
O2 - BHO: (no n...

Hi, I'm having trouble with browser hijackers; each time I try to load a page (even this one), it redirects me to something else. This page actually doesn't load at all. I've looked at my hosts files in windows\system32\drivers\etc\ and the only thing in the hosts file (now) is 127.0.0.1 localhost... (Spybot had added, it appeared, quite a lot of redirects (immunities I s'pose), but I deleted them (seeing as how Spybot can always add them again later), and set all the files to read only). Still having the redirect problem. Netstat reports an established connection to akamaitechnologies and reverse.ltdomains

I tried to tskill the PID associated with them, but access was denied. (svhost was the image name or sumfin like that)

Anyways, here's my HJT log. I checked the obvious stuff and clicked fix, but still having problems. Tried coreforce to find out where the redirects were coming from but to no avail

Please, please help
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:11:53 PM, on 11/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Safe mode with network support

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Windows Live\Mail\wlmail.exe
G:\WINDOWS\system32\ctfmon.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\Explor...

Hi, I think I recently pulled a few hijackers/unwanted programs and was wondering if someone could look at my HJ-This analyzed log and tell me what's happening. Thanks in advance.

===========================================================================================================================
Log was analyzed using HijackThis Analyzer - Updated on 1/7/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Nor...

A:Hidden Hijackers..

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

The Temp folders should be cleaned out periodically as inst...

I used "Hijack This" for IE on WinXP
My problems are basically...
1) home page assumes CoolWebSearch/ about:blank, or something.
2) my google/yahoo searches give advertisements disguised as search results.

ThanX in advance!
Logfile of HijackThis v1.97.7
Scan saved at 10:27:18 PM, on 8/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\services\wmplayer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\documents and settings\owner\local settings\temp\KwQdG.exe
C:\WINDOWS\zhbgdn.exe
C:\PROGRA~1\INTERN~2\inetmgr.exe
C:\Program Fil...

A:What to delete/fix from hijackers???

Download and run CWS shredder first from here.

http://www.soft32.com/download_19014.html

It'll get rid of your coolwebsearch nasty. If you want to do another HijackThis log then after, maybe someone could check it for any other nasties for you.
 


I am having a hell of a time trying to kill this hijacker. Any help would be greatly appreciated. I have tried multiple scanning tools and come just short of getting rid of it. I believe the main one is called look2me, at least that is what spyware Dr. said it was. Here is my hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 12:29:40 AM, on 4/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\windows\system32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Pro...

A:Look2me And Other Hijackers Please Help

Please download Look2Me-Destroyer.exe to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If you receive a message from your firewall about this program accessing the internet please allow it.
If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX


Hi,

I don't know much about the kind of virus hence I have to resort to using the title of the thread. I used to have pop up stopper to block pop ups but recently I noticed that pop-ups were not being blocked so I tried to open the program again and it turned out it was deleted from my system. Not only that but Yahoo messenger was gone as well. I also noticed that my Task Manager was disabled as I was getting message "Task Manager has been disabled by the Administrator". A couple of days later browser hijackers started to do their magic making my life difficult. Here is log of the required files. Please help.

ComboScan.txt

ComboScan v20070221.16 run by buddah on 2007-02-25 at 08:58:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as buddah.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 08:58:42, on 25/02/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Inte...

A:Help with Browser Hijackers

Hi, I am not trying to bump my thread but I have also installed a secondary hard disk and moved my data over there. I can see 2 drives now and have transferred my work files over to F: drive while I would format my C: drive (old drive) if I didn't sort this browser problem soon.

Is there anything I should take care of in doing that?

A little more about the problem. The browser opens pop up for loopylove.com or some porn sites and some time movies sites. The speed of the internet seems very slow.

I can't open explorer after connecting my internet connection as my first page is directed to open hotmail.com but it gives an error that window encountered some problem and if I want to report it or not. As soon as I choose one option it closes down the explorer window. Therefore, I open the explorer and press esc immediately afterwards. Then I choose other links but not hotmail. I open hotmail by using messenger and then click email option from there and it doesn't give the previous problem.

My HijackThis has started to hang as well since my removal of files from C drive. I can't see any images as Microsoft Image viewer is deleted nor even the preview in folders.

Please Please help soon.

Thanks


Logfile of HijackThis v1.99.1
Scan saved at 4:17:08 PM, on 5/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallSh...

A:Need Help With Hijackers And Popups, Please

1. Please download Ewido Anti-Malware
Install ewido anti-malware
Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

2. Please download Brute Force Uninstaller to your desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)" or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover. Save it in the same folder you made earlier (c:\BFU).
Do not do anything with these yet!
Re...


Hello,
 
I'm pretty sure that hijackers have remote control ability of my laptop. For the past few days my lptp has been running unusually slow. Also for the past two days my webcam light at the top of the screen had been coming on and staying on for hours. I looked in my task manager to kill the camera and did not see it running. I even deleted the webcam app that came with this lptp to kill it and the light still comes on. Then yesterday while in Chrome all of my tabs started flickering and the lptp froze until I shut it down. When I reopened I could see someone was accessing control settings, a dialog box popped up asking about audio settings, and it seems they had turned on the audio command for the blind to have all keyboard moves vocalized. So I'm guessing they couldn't see so needed to hear what I was doing? Then it started to read out the website I was on which was Amazon! The lptp again started freezing as I struggled to gain control and prevent take over of my lptp. Different items began to be moved around by another cursor.
 
So I ran a few antiviruses. It is hard to know which one I have. I know that there has got to be many on here. I ran Anvi smart defender which told me I had 65 malicious extensions. Unfortunately, I don't know if it was the hijackers, but it took almost a day to run the complete Full scan for some odd reason. On the next day just as I was approaching 70% scan completion. The system froze out and threw me out in the mi...

A:Hijackers and Trojans! Help

hi emperative,
 
If you still need help you can do two things. First download and run the free version of Malwarebytes. Second create a log with FRST and copy/paste the logs in your reply.
 
I am usually only on this site once or twice per day so you may not get a response back from me until the following day.
 
1)  Please download Malwarebytes Anti-Malware 2.0.3.1025 Final to your desktop.
     http://data-cdn.mbamupdates.com/v2/mbam/consumer/data/mbam-setup-2.0.3.1025.exe
 
    Double-click mbam-setup-2.0.3.1025.exe and follow the prompts to install the program.
    At the end, be sure a checkmark is placed next to the following:
        Launch Malwarebytes Anti-Malware
        A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
    Click Finish.
    On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
    Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
    A Threat Scan will begin.
    With some infections, you may see this message box.
        'Could not lo...

Hello!

I'm ripping what's left of my hair out! I've apparently picked up several hijackers including searchmyrequest and myexexex. My computer has slowed down so much and my home page keeps changing, it's like I'm living with Sybil! My wife is ready to kill me and the children thinking that we're somehow downloading this porn!

I've run Adaware, CWShredder, Spybot S&D and my Norton AV (all most recent and up to date), but I can't get rid of the blasted things. Can anyone help?

Here's the Hijack file

Logfile of HijackThis v1.97.7
Scan saved at 6:53:26 PM, on 6/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WIN...

A:So Many Hijackers-So Little Patience

Welcome to TSG, skyejaz

Close all windows, restart Hijack this and put a check mark against the following:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmyrequest.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmyrequest.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <none>
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmyrequest.com/sp.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.237.45.18 ad.doubleclick.net
O1 - Hosts: 64.237.45.18 aff.weatherbug.com
O1 - Hosts: 64.237.45.18 www.burstnet.com
O1 - Hosts: 64.237.45.18 oz.valueclick.com
O1 - Hosts: 64.237.45.18 a.tribalfusion.com
O1 - Hosts: 64.237.45.18 servedby.advertising.com
O1 - Hosts: 64.237.45.18 my.search
O1 - Hosts: 64.237.45.18 pagead2.googlesyndication.com
O1 - Hosts: 209.87.155.230 date.com
O1 - Hosts: 209.87.155.230 dating.com
O1 - Hosts: 209.87.155.230 freedating.com
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: Elitum EliteBar - {FA6548E9-78F5-4025-9D7B-FC1367789C38} - C:\WINDOWS\EliteBar\EliteBar.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - H...

I am following through the tutorial on how to analyze a HJT log and I've come to the section O18 - Extra protocols and protocol hijackers. It says to delete anything in here. I have a log that has about 70 entries for what looks like something from Logitech, (there is a logitech keyboard/mouse combo on this system). For example this is the first one:

O18 - Protocol: offline-8876480 - {2DB4C761-7D9D-11D9-9287-0008C7226EE4} - C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL

I've been googling the dll name trying to confirm that they are or are not evil things but I've got conflicting information.

Most of what I'm finding are log analysis threads. None say directly to remove the entries using HJT but most do not show them present after running a variety of tools.

However I also found a thread that advised the originator that their log was clean and all of the O18 entries were still there.

Are these valid Logitech entries or ?????

Thanks ...weeG
 

A:Are these protocol hijackers?

Add remove programs - remove logitech desktop messenger
 

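A triage sketch for the log lines quoted in the threads above (the O1 Hosts and R1 entries in the "So Many Hijackers" answer, and the O18 Protocol question), added here as an example and not part of any post. It assumes the `CODE - body` line layout seen in those quotes; the function names are hypothetical, and the sample lines marked constructed use placeholder CLSIDs.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address
from ntpath import dirname  # Windows path rules regardless of host OS
from urllib.parse import urlsplit

# Lines copied from the posts above.
PAGE_LINES = [
    r"Logfile of HijackThis v1.97.7",
    r"C:\WINDOWS\System32\smss.exe",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmyrequest.com/sp.php",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1",
    r"O1 - Hosts: 64.237.45.18 ad.doubleclick.net",
    r"O1 - Hosts: 64.237.45.18 pagead2.googlesyndication.com",
    r"O1 - Hosts: 209.87.155.230 date.com",
    r"O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL",
    r"O18 - Protocol: offline-8876480 - {2DB4C761-7D9D-11D9-9287-0008C7226EE4} - "
    r"C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BWPLUGPROTOCOL-8876480.DLL",
]
# Constructed lines (placeholder CLSIDs) to exercise the edge cases.
CONSTRUCTED_LINES = [
    r"O1 - Hosts: 127.0.0.1 localhost",
    r"O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)",
    r"O18 - Protocol: offline-0000001 - {00000000-0000-0000-0000-000000000002} - "
    r"C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\0000001\PROGRAM\BWPLUGPROTOCOL-0000001.DLL",
]
SAMPLE_LOG = "\n".join(PAGE_LINES + CONSTRUCTED_LINES)

ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.+)$")
# O2/O3/O18 bodies look like "<kind>: <name> - {CLSID} - <file>"
COMPONENT_RE = re.compile(
    r"^(?P<kind>[^:]+): (?P<name>.*) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<file>.+)$")


def parse_entries(log_text):
    """Return (section code, body) pairs; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def hosts_redirects(entries):
    """O1 entries that map hostnames to a non-local address, grouped by address."""
    redirects = defaultdict(list)
    for code, body in entries:
        if code != "O1" or not body.startswith("Hosts:"):
            continue
        parts = body[len("Hosts:"):].split()
        if len(parts) < 2:
            continue
        try:
            addr = ip_address(parts[0])
        except ValueError:
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue  # local sink entries do not send traffic elsewhere
        redirects[str(addr)].extend(parts[1:])
    return dict(redirects)


def ie_url_settings(entries):
    """R0/R1 values that hold a URL, as (registry value name, URL host)."""
    found = []
    for code, body in entries:
        if code in ("R0", "R1") and " = " in body:
            key, value = body.split(" = ", 1)
            host = urlsplit(value).hostname
            if host:
                found.append((key.rsplit(",", 1)[-1], host))
    return found


def components(entries, codes=("O2", "O3", "O18")):
    """Parse BHO, toolbar and protocol entries into dicts."""
    out = []
    for code, body in entries:
        m = COMPONENT_RE.match(body) if code in codes else None
        if m:
            out.append({"code": code, **m.groupdict()})
    return out


def install_dirs(comps):
    """Count components per product directory (first four path parts)."""
    counts = Counter()
    for c in comps:
        if c["file"] != "(no file)":
            parts = dirname(c["file"]).split("\\")
            counts["\\".join(parts[:4]).upper()] += 1
    return dict(counts)


def triage(log_text):
    entries = parse_entries(log_text)
    comps = components(entries)
    return {
        "hosts_redirects": hosts_redirects(entries),
        "ie_url_settings": ie_url_settings(entries),
        "orphaned": [c for c in comps if c["file"] == "(no file)"],
        "by_install_dir": install_dirs(comps),
    }


if __name__ == "__main__":
    for section, result in triage(SAMPLE_LOG).items():
        print(section, result)
```

The result is a review list, not a verdict: grouping by product directory shows why the many O18 lines in the question reduce to one decision about a single installed program.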

Gday Tech Support Guy,

After running Spybot and Ad-Aware countless times, the same viruses keep embedding themselves in my System (especially Virtumonde-related crap). A few suspicious processes always run from startup: one .dll file changes its name on every occasion and consists of about seven-or-so random letters. Furthermore, every time I try and end the process "eenuggml.exe" it restarts itself immediately; I can't get rid of it.

I know you're very busy but I would greatly appreciate your help in ripping these things out by the roots. At the moment, I reckon my system would go faster if it were operated by a crank, or a mouse in a wheel.

Here's my HijackThis log:
================

Logfile of HijackThis v1.99.1
Scan saved at 10:41:26 PM, on 14/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\eenuggml.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R0 - HKCU\Software\Microsoft\I...

A:Self-restoring hijackers


I've run everything. Malwarebytes, rkill, etc. but the hijacker keeps coming. Nothing seems to detect it. Any help would be great, I'm at wit's end and I'm tempted to gamble on combofix. I'm in Win7 64-bit

I'll post some logs as instructed from a similar thread:

Security Check:
 Results of screen317's Security Check version 0.99.83
 Windows 7 Service Pack 1 x64 (UAC is disabled!)
 Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!
 ESET NOD32 Antivirus 5.0
 Antivirus out of date!
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300
 JavaFX 2.1.1
 Java 7 Update 51
 Java version out of Date!
 Adobe Flash Player 13.0.0.214
 Adobe Reader 10.1.4 Adobe Reader out of Date!
 Mozilla Firefox (29.0.1)
 Google Chrome 34.0.1847.131
 Google Chrome 34.0.1847.137
````````Process Check: objlist.exe by Laurent````````
 ESET NOD32 Antivirus egui.exe
 ESET NOD32 Antivirus ekrn.exe
 Malwarebytes Anti-Malware mbam.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 7%
````````````````````End of Log``````````````````````

Farbar:
Farbar Service Scanner Version: 14-05-2014
Ran by Aaron (administrator) o...

A:Speedial hijackers

Welcome aboard

Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on adwcleaner.exe to run the tool.
Click on Scan button.
When the scan has finished click on Clean button.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the contents of that logfile with your next reply.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

Please download Junkware Removal Tool to your desktop.
Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

Please run a free online scan with the ESET Online Scanner
Disable your antivirus program
Click on "Run ESET Online Scanner" button.
Tick the box next to YES, I accept the Terms of Use
Click Start
Accept any security warni...

I was hoping that someone could please help me out. I am trying to help a friend out whose computer has been hijacked. Here is the log, please help if you can. Thank you.


Logfile of HijackThis v1.99.1
Scan saved at 5:09:44 PM, on 4/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\keyhook.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Spyware Nuker 2004\swn2.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE...

A:Computer taken over by Hijackers

Hello Synapseguru and welcome to TSF...

In order to assist you better, we recommend that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Desktop. This is required because HijackThis will create backups and we don't want them to be deleted.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro http://uk...

Ever since I switched to IE7, I have had a bad case of the spywares. =[

I am suffering from url.cpvfeed.com and toseeka.com and I think I got rid of the ad.doubleclick.net stuff by deleting temp files and cookies.
Here is my Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:37:12 PM, on 6/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\program files\steam\steam.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Owner\APPLIC~1\YSTEM~1\wuauboot.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGR...

I threw away an old computer because hijackers and tracking cookies had taken over to the point of no return...so I got a Dell Dimension XPS T600r..I have Windows 98. Not sure what other information you need. Well, after looking at an Eminem website I notice that I'm getting hijacked on the new computer (BullsEye Network was the first I saw)...I ran Yahoo Spyware and deleted several hijackers and adware programs...then I ran Spyhunter (from Enigma Software Group), which was already installed in the Dell...it said it cleared out the bad stuff...however, when I got back online, I checked out what programs were running and saw Tsm2, mpbtn, and ybrwicon running, which I don't recognize. Please help as soon as you can. Thank you.

A:Been attacked by hijackers...again

Greetings!

mpbtn is associated with AT&T Broadband.

ybrwicon is a yahoo broadband file

mpbtn is a hijacker.

Please download HijackThis - this program will help us determine if there are any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Double click on the program to run it.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. Open up the result.txt file created. Copy the whole result.txt log and post it in the forum. Do not fix anything in HijackThis since they may be harmless.

I will move your thread to HJT Help.


I followed the steps you listed and downloaded the hijackers log but one of the following malware I have on my computer is currently blocking me from installing ANY programs.

Trojan.Perffcoo
Hacktool.Rootkit
Downloader.MisleadAPP
Antivirus Pro 2009

I even tried to reinstall my entire C drive but when I tried to boot from the CD the following error comes up informing me that there are viruses preventing me from being able to proceed.

Stop: 0x0000007b, 0xc0000034, 0x00000000

At this point I am ready to dump my entire C drive but it seems like I need help in removing some viruses before I can do that. Please any help you can give me is greatly appreciated.
 

A:Malware so bad I can't run Hijackers Log


During the last week of Dec. 2004, I got accidentally invaded with spyware/malware. I have spent many days trying to reverse this personal tragedy, but some of the problems persist; here is a list:
1-Computer boots up randomly without my command, about once every few hours;
2-Program shortcuts (like Dating Online and Block Spyware to name a couple) keep appearing on my desktop especially after reboot;
3-When in Internet Explorer, I still get a few annoying popups, but I also get browser redirects after I try a search.

And here is what I have done so far:
1-Ran Spybot S&D and Adaware 6.0 several times, before and after updating them to the latest available free versions;
2-installed a couple of freeware popup blockers, but discovered that those too had spywares built in, and promptly removed them (but I don't know how completely);
3-Installed a purchased copy of Spyware Doctor, and ran it; then I updated it to the newest online version and re-ran it; I clean up in excess of 100 problems found by the software. I also turned the immunization and spyguard utilities on;
4-after all of this work the computer seemed back to normal, but much to my chagrin, the listed problems above persist.

I finally broke down and ran HijackThis after carefully reading an associated tutorial on the subject. Below is the log (I am running a Windows 2000 Professional machine)
---------------
Logfile of HijackThis v1.99.0
Scan saved at 3:15:51 PM, on 1/3/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE:...

A:The latest Hijackers

Hi

You have a Look2Me infection and your recycle bin is damaged. If you delete a file it will be lost forever.

Please Download LSPFix from: LSP-Fix
Disconnect from the Internet and close all Internet Explorer windows. Run the program, check the "I know what I'm doing" button and place all listings of
aklsp.dll
calsp.dll
into the remove section by clicking on the button that points to the right. Do not remove any others. When all instances of this dll are in the Remove section. Press the Finish button.
Reboot your machine.
To see a tutorial on how to use this program click the link below:
Using LSP-Fix to remove LSP Spyware & Hijackers

Download Find It NT-2K-XP.zip.
Unzip the contents of Find It NT-2K-XP.zip to a folder, for example c:\findit
Navigate to the c:\findit folder and double-click on find.bat.
A command prompt will open and it will search your computer for malicious files.
Once it has finished a Notepad window will pop up with output.txt.
Copy the entire contents of output.txt into your next post.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.

My timezone is GMT +2. I think you can run find.bat and post the log tomorrow morning or tomorrow afternoon/evening. It's 3 am now and I'm going to sleep ...


A while ago this computer got infected with numerous desktop hijackers. I ran CCleaner, Smitfraudfix, and Antivir (in that order).
As far as one can tell, the malware is gone. However, the malware had made the system excruciatingly slow, and this is the sole symptom I could not treat.
I tried to run Kaspersky. It got to 3% after about 30 min, and remained there for about the next 24 hours, until I killed it.

log.txt:
Logfile of random's system information tool 1.04 (written by random/random)
Run by Owner at 2008-11-30 16:06:02
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 21 GB (54%) free of 38 GB
Total RAM: 190 MB (38% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:06:24, on 11/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Pro...

A:Desktop Hijackers

Hello 10nitro,

Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea