    #1 bj_bjonker (New Member, Posts: 4, Reputation: 1)
    Jul 27, 2009, 12:10 PM
    hijacked browser with Hijackthis log
    Hi there,

    I was wondering if anyone could possibly help me with this issue. I seem to have a hijacked browser. Every time I search a site on Google and click on it, it opens up another website that I didn't search. My PC also seems to be running much slower, like the memory is very low.

    Your help would be greatly appreciated in this regard.

    Please see the log files from the "HijackThis" tool.

    Logfile of HijackThis v1.99.1
    Scan saved at 19:35:28, on 27/07/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\RegCure\RegCure.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\Program Files\Windows Live\Toolbar\wltuser.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\bgsvcgen.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Common Files\Citrix\System32\CdfSvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Citrix\Streaming Client\RadeSvc.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Benton Jonker\Desktop\hijackthis_sfx.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Sky.com - Home
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Bing:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = Bing:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = HP United States - Computers, Laptops, Servers, Printers and more
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\system32\win32room.exe,C:\WINDOWS\system32\renator.exe,C:\WINDOWS\system32\win32z.exe,C:\WINDOWS\system32\word64main.exe,
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [LaunchList] C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe
    O4 - HKCU\..\Run: [ParetoLogic Anti-Spyware] "C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: santa.bat
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - Sky.com - Home (file missing)
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper.dll
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
    O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Citrix Diagnostic Facility COM Server (CdfSvc) - Citrix Systems, Inc. - C:\Program Files\Common Files\Citrix\System32\CdfSvc.exe
    O23 - Service: DVD-RAM_Service - Matsua Electric Industrial Co. Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
    O23 - Service: Citrix Streaming Service (RadeSvc) - Citrix Systems, Inc. - C:\Program Files\Citrix\Streaming Client\RadeSvc.exe
    #2 seahwk83 (Ultra Member, Posts: 3,276, Reputation: 212)
    Jul 27, 2009, 03:25 PM

    Google is being redirected? If so, what site(s) does it go to?

    To help 'speed up' your computer, follow the suggestions in the 3rd and 5th posts in the link below
    https://www.askmehelpdesk.com/comput...rs-233870.html
    #3 bj_bjonker (New Member, Posts: 4, Reputation: 1)
    Jul 28, 2009, 12:22 AM

    Yes, Google web searches are being redirected to different sites. It's not always the same site but for example, when I search Facebook on Google and click on the link, it brings up a security screen with a grey background and maroon text box saying "This site is restricted and could be a security risk etc". I have not set any security restrictions on my IE as the same happens when I run the Mozilla browser.

    Sometimes it also goes to an online casino site or even some pay per click sites etc.

    Could you please help with this? A friend told me to run the "HijackThis" tool and post the log files online to help get a solution.
    #4 seahwk83 (Ultra Member, Posts: 3,276, Reputation: 212)
    Jul 28, 2009, 12:56 AM

    In HijackThis, put a check next to the items listed below, then choose the fix option at the bottom of the HijackThis log and say OK

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

    O4 - Startup: santa.bat
    Restart the PC after removing the above with HijackThis

    Next -
    Download, install and run Malwarebytes
    -Choose the Download Free version, install and run
    -Let it 'fix/remove' whatever it finds
    Malwarebytes.org

    After running Malwarebytes and letting it remove what it finds, restart the computer again and then try your search again

    Hopefully that will help; if not, post a new HijackThis log now that all of the above has been done
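The review above is done by eye, line by line. As an added example (not from this thread, the responder, or the HijackThis tool itself), the Python script below applies the same kind of structural checks to HijackThis v1.99 log lines: a UserInit value that chains executables after userinit.exe, a BHO registered with no backing file, a script file in the Startup folder, and any third-party Winsock LSP. The sample log is constructed from entries quoted in this thread; the checks are shape-based only and know nothing about file reputation, so each finding is a prompt to verify, not a verdict.

```python
import re
from typing import List, Tuple

# Constructed sample in HijackThis v1.99 format; the entries are copied from the
# log quoted in this thread (with the forum's inserted spaces removed).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\system32\win32room.exe,C:\WINDOWS\system32\renator.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - Startup: santa.bat
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper.dll
"""

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".wsf")

Finding = Tuple[str, str, str]  # (section, reason, original log line)


def triage(log_text: str) -> List[Finding]:
    """Return log lines whose shape warrants a closer look (no reputation lookup)."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "F2" and "UserInit=" in body:
            # A clean UserInit value names only userinit.exe; anything appended
            # after the comma is launched at every logon.
            value = body.split("UserInit=", 1)[1]
            extras = [p.strip() for p in value.split(",") if p.strip()
                      and not p.strip().lower().endswith("\\userinit.exe")]
            if extras:
                findings.append((sec, "UserInit chains extra executables: "
                                 + ", ".join(extras), raw))
        elif sec == "O2" and body.endswith("(no file)"):
            # Orphaned BHO registration: CLSID still present, DLL gone.
            findings.append((sec, "BHO registered with no backing file", raw))
        elif sec == "O4" and "Startup:" in body:
            target = body.split("Startup:", 1)[1].strip()
            if target.lower().endswith(SCRIPT_EXT):
                findings.append((sec, "script file in Startup folder", raw))
        elif sec == "O10":
            # Winsock LSPs see all socket traffic; each one needs a known vendor.
            findings.append((sec, "third-party Winsock LSP, verify vendor", raw))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```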
    #5 bj_bjonker (New Member, Posts: 4, Reputation: 1)
    Jul 30, 2009, 01:28 AM
    Hi there, I tried the above mentioned and got the following issue.

    I could kill all the above in HijackThis except the "Santa.bat" file. A message came up saying that this item is being used by another application etc., try and end the process in Task Manager. So when I was looking for this item in Task Manager I noticed there were no "santa.bat" files running. I believe it is something that runs on startup that uses the "santa.bat" file, as I did not have anything else open except HijackThis and ran HijackThis directly after restarting the PC.

    How will I know what item to disable in my startup to get rid of this item? I also noticed a number of cvhost.exe files running in Task Manager; though I know that this is for my Windows services, I am also aware that some viruses can lock themselves onto it. If this is the case, how will I know and get rid of it?

    Your assistance in this regard will be greatly appreciated.

    Thanks
    #7 seahwk83 (Ultra Member, Posts: 3,276, Reputation: 212)
    Jul 30, 2009, 08:00 AM

    Go to the file santa.bat and right click on it
    -Now choose Edit

    It should open in notepad
    -Now you will be able to see what program/file that starts when the santa.bat file is executed

    When you see what file that santa is associated with, end that process - go from there

    Post back if anything else comes up/or not


    Before going to the info below, do the above to see if that helps; if Cvhost is still active after that, go to the info below

    --------------------------------------

    Are you sure it is cvhost.exe?

    Removal: Cvhost.exe removal tool


    Just go till you see
    Follow these steps to download and run the tool:
    W32.Gaobot Removal Tool | Symantec
