Hi, my browser has been hijacked, and every time I click an result in Google I get redirtectyed to an undesirable site, have ran nod32 and spy sweeper both as administrator in safe mode without result.
Here is the latest hijsckthis is as follows


gfile of HijackThis v1.99.1
Scan saved at 21:09:50, on 3/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MioNet\MioNetManager.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\MioNet\jvm\bin\MioNet.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\hp deskjet 9300 series\Toolbox\mpm.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Mio Technology\MioSync\mioSync.exe
C:\Program Files\Philips\SPC 200NC PC Camera\TrayMin200.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\hupla\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com (http://go.microsoft.com/fwlink/?LinkId=69157)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search (http://go.microsoft.com/fwlink/?LinkId=54896)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search (http://go.microsoft.com/fwlink/?LinkId=54896)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com (http://go.microsoft.com/fwlink/?LinkId=69157)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\.. \Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\.. \Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\.. \Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\.. \Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\.. \Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\.. \Run: [HPWG myPrintMileage Agent] "C:\Program Files\Hewlett-Packard\hp deskjet 9300 series\Toolbox\mpm.exe"
O4 - HKLM\.. \Run: [IMJPMIG9.0] "C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EX E" /Preload /Migration32
O4 - HKLM\.. \Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\.. \Run: [BigDogPath] "C:\WINDOWS\VM_STI.EXE" Philips SPC 200NC PC Camera
O4 - HKLM\.. \Run: [cFosSpeed] "C:\Program Files\cFosSpeed\cFosSpeed.exe"
O4 - HKLM\.. \Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl, BluetoothAuthenticationAgent
O4 - HKLM\.. \Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\.. \Run: [imekrmig7.0] "C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE"
O4 - HKLM\.. \Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\.. \Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\.. \Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\.. \Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\.. \Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\.. \Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MioSync.lnk = C:\Program Files\Mio Technology\MioSync\mioSync.exe
O4 - Global Startup: TrayMin200.exe.lnk = ?
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Scan link with AEE - res://C:\Program%20Files\Tweak%20Marketing\Advanced%20Em ail%20Extractor%20Pro\AeePMsie.dll/link.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - C:\Program Files\cFosSpeed\spd.exe" -service (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MioNet Service (MioNet) - Unknown owner - C:\Program Files\MioNet\MioNetManager.exe" -s "C:\Program Files\MioNet\wrapper.conf (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe



Please help
Thanks
Joe

When was the last time you did some serious system maintenance on your machine ?
Here's my usual C&P for cases like this:


When was the last time you did some serious maintenance on your system ?

System maintenance includes:
Defrag
FULL patching
Virus scanning
Spyware scanning
removal of rubish files

Defrag is an inbuilt function in XP.
Open My Computer > Right click C: > Tools Tab and its there.

To make sure everything is running fine run both anti virus and anti spyware apps in normal AND safe modes. (make sure that they are updated first ! ;)) (AVG (http://free.grisoft.com/doc/1) is good and free AV)
(A couple of good removal tools are Spybot (http://www.safer-networking.org/) and Adaware (http://www.lavasoftusa.com/software/adaware/))

ALso an on line virus and spyware scanner is Trend Housecall (http://housecall.trendmicro.com/)

Just a note: actively running two AV's on one machine can cause problems.
So if you are thinking about it make sure your current one is disabled first.
Same thing applies to online scanners as well.

Removal of junk files is easy with CCleaner (http://www.ccleaner.com) a free app that does exactly what

If all this fails then a repair install may be in order:

Here's (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/doug92.mspx) the official Micro$oft way of doing it,
and Here's (http://www.geekstogo.com/forum/index.php?showtopic=138) one with screen shots.

Basically this installs windows over the top of your current setup.
So you don't loose any information you already have.

This lot should resolve your issue.

Hi Curlyben,
I have ran both spy sweeper and Nod32 in safe and normal modes several times, (I have been fighting this thing on and off for 4 days now), I also have SpyBot installed and updated. I regularly defrag my system, and surely will get ridd of junk files , thanks for the suggestion. But, I'm sure that is not going to fix my problems, however, I will try this free cleaner, as it's the only one I have yet to run.

Will get back to you in a min.

Thanks again
Joe

My recommendation of Adaware and Spybot is from experience as they catch 99.9% of malware.

While you are in Safe Mode change you browsers home page and use Spybot to LOCK it down.
Spybot does a lot more than just scanning your system, it stops infection, locks important system files and has a real time scanner (teatimer).

Also try using Firefox instead of the insecure IE ;)

Try running your log though this scanner -- note the disclaimer please -- Savage
HiJackThis! Log auto analyzer V2 (http://hjt.networktechs.com/)

Ran Ad aware , cclean and still no result, I still get the stupid excuse for a browser site + a pop up advertising adult content, I also have spy ware terminator (currently this abled) Windows defender (enabled), but when I tried Google after getting rid of some cookie files etc I still got diverted? Help!
Joe

Please try what I suggested. Make sure SpyBot is fully updated first, the use it in safe mode.

I finally just broke down and bought the Norton protection center, and it works great. Worth every penny.

Matt, you must be one of the lucky ones as I have found that Norton and XP aren't good bed fellows.

I personally don't like Norton very much, find it really slows down everything, I was very happy for the last couple of years with Nod32, but delayed the new registration for a couple of weeks and that's when I got infected!
I guess the only way is trough some guy who knows his hijackthis very well, I have ran spybot several times, and also all the others as I said, so I really feel that its not something which will be detected, rather something that I have installed unknowingly, and clicking yes to something totally different but that's what was hidden underneath ( I guess)
Any other sugestions?

Thanks for yr help

Joe

Maybe a registry fixer. I have had some problems with that. Or there is always the option of wiping your PC.