
Hijacked browser with Hijackthis log


bj_bjonker
Jul 27, 2009, 12:10 PM
Hi there,

I was wondering if anyone could possibly help me with this issue. I seem to have a hijacked browser. Every time I search a site on Google and click on it, it opens up another website that I didn't search. My PC also seems to be running much slower, like the memory is very low.

Your help would be greatly appreciated in this regard.

Please see the log files from the "HijackThis" tool.

Logfile of HijackThis v1.99.1
Scan saved at 19:35:28, on 27/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RegCure\RegCure.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Citrix\System32\CdfSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Citrix\Streaming Client\RadeSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Benton Jonker\Desktop\hijackthis_sfx.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sky.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.live.com/sphome.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\system32\win32room.exe,C:\WINDOWS\system32\renator.exe,C:\WINDOWS\system32\win32z.exe,C:\WINDOWS\system32\word64main.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LaunchList] C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe
O4 - HKCU\..\Run: [ParetoLogic Anti-Spyware] "C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: santa.bat
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Citrix Diagnostic Facility COM Server (CdfSvc) - Citrix Systems, Inc. - C:\Program Files\Common Files\Citrix\System32\CdfSvc.exe
O23 - Service: DVD-RAM_Service - Matsua Electric Industrial Co. Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: Citrix Streaming Service (RadeSvc) - Citrix Systems, Inc. - C:\Program Files\Citrix\Streaming Client\RadeSvc.exe

seahwk83
Jul 27, 2009, 03:25 PM
Google is being redirected? If so, what site(s) does it go to?

To help 'speed up' your computer, follow suggestions in the 3rd and 5th post in link below
https://www.askmehelpdesk.com/computers-beginners/frequently-ask-questions-about-computers-233870.html

bj_bjonker
Jul 28, 2009, 12:22 AM
Yes, Google web searches are being redirected to different sites. It's not always the same site but for example, when I search Facebook on Google and click on the link, it brings up a security screen with a grey background and maroon text box saying "This site is restricted and could be a security risk etc". I have not set any security restrictions on my IE as the same happens when I run the Mozilla browser.

Sometimes it also goes to an online casino site or even some pay per click sites etc.

Could you please help with this? A friend told me to run the "HijackThis" tool and post the log files online to help get a solution.

seahwk83
Jul 28, 2009, 12:56 AM
In HijackThis, put a check next to the items listed below and then choose the fix option at the bottom of the HijackThis log and say OK


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - Startup: santa.bat

Restart PC after removing above with hijackthis

Next -
Download, install and run Malwarebytes
-Choose the Download Free version, install and run
-Let it 'fix/remove' whatever it finds
Malwarebytes.org (http://www.malwarebytes.org/)

After running Malwarebytes and letting it remove what it finds, restart the computer again and then try your search again

Hopefully that will help, if not, post a new hijackthis log now that all of the above have been done
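A defender-side triage of the posted log, as an added example that is not part of the thread and not HijackThis's own logic: a Python script whose heuristics (my own) flag the kinds of entries seahwk83 singled out, plus the F2 UserInit and O10 Winsock LSP lines that also merit a look; the sample lines are copied from the log above, with one benign line of each kind included so the filter has something to ignore.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\system32\win32room.exe,C:\WINDOWS\system32\renator.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - Startup: santa.bat
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper.dll
"""

# Heuristics are mine, not HijackThis's: each returns a reason string or None.
def triage_line(line: str) -> Optional[str]:
    line = line.strip()
    if line.startswith("F2 - REG:system.ini: UserInit="):
        # Windows XP's default UserInit value is just userinit.exe; anything
        # appended after it is launched at every logon and deserves a look.
        entries = [e.strip() for e in line.split("UserInit=", 1)[1].split(",") if e.strip()]
        extra = [e for e in entries if not e.lower().endswith("\\userinit.exe")]
        if extra:
            return "UserInit launches extra programs at logon: " + ", ".join(extra)
    elif line.startswith("O2 - BHO:") and line.endswith("(no file)"):
        return "orphaned BHO registration (DLL is gone); safe to fix, not the cause"
    elif re.match(r"O4 - (Global )?Startup: .*\.(bat|cmd|vbs|js)$", line, re.IGNORECASE):
        return "script in the Startup folder; open it in Notepad to see what it launches"
    elif line.startswith("O10 - Unknown file in Winsock LSP:"):
        dll = line.split(":", 1)[1].strip()
        if "\\program files\\bonjour\\" in dll.lower():
            return None  # Apple Bonjour's namespace provider, a known benign LSP
        return "Winsock LSP DLL not recognised by HijackThis; every socket call passes through it"
    return None

def triage_log(text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for every line the heuristics flag, in log order."""
    findings = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            findings.append((line.strip(), reason))
    return findings

if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```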

bj_bjonker
Jul 30, 2009, 01:28 AM
Hi there, I tried the above mentioned and got the following issue.

Could kill all the above in HijackThis except the "Santa.bat" file. A message came up saying that this item is being used by another application etc, try and end the process in Task Manager. So when I was looking for this item in Task Manager I noticed there were no "santa.bat" files running. I believe it is something that runs on startup that uses the "santa.bat" file as I did not have anything else open except HijackThis and ran HijackThis directly after restarting the PC.

How will I know what item to disable in my startup to get rid of this item? I also noticed a number of cvhost.exe files running in Task Manager, though I know that this is for my Windows services, I am also aware that some viruses can lock themselves onto it. If this is the case, how will I know and get rid of it?

Your assistance in this regard will be greatly appreciated.

Thanks

seahwk83
Jul 30, 2009, 08:00 AM
Go to the file santa.bat and right click on it
-Now choose Edit

It should open in notepad
-Now you will be able to see what program/file that starts when the santa.bat file is executed

When you see what file that santa is associated with, end that process - go from there

Post back if anything else comes up/or not


Before going to the info below, do the above to see if that helps; if, after that, Cvhost is still active, go to the info below

--------------------------------------

Are you sure it is cvhost.exe?

Removal: Cvhost.exe removal tool

Just go till you see
Follow these steps to download and run the tool:
W32.Gaobot Removal Tool | Symantec (http://www.symantec.com/security_response/writeup.jsp?docid=2004-011316-4140-99)