Internet hijacking

  • Question

  • I think I have been a victim of internet hijacking. About a week ago I was surfing the net and a popup of Scanmypc came up and I clicked the red cross (should have closed the browser). It started to scan my PC as I clicked to another site without thinking, oblivious to what was scanning behind the page, silly me. After that I was getting redirected to other ad sites than the one requested, but that seems to have stopped. Now some sites on the internet are slower and some sites won't open.
    I have noticed when I am googling, the search thru at the bottom left of the browser comes up with billsearch.org or bigsalefinder.com.
    I am using Vista Premium, and was using the Norton Internet Security trial and Google Chrome. I have scanned with Norton but still the same. So I uninstalled Chrome and started using IE7, same, so uninstalled Norton and installed AVG, updated & scanned, still the same. Installed Ad-Aware AE, updated & scanned, but it would only scan for 10 secs, then stop. Installed Spybot, updated & scanned, still the same. Installed ZoneAlarm, installed and updated, same. Now I'm really getting angry.
    I found a program at msconfig/startup called Runit.exe, googled it and found it was malware, so I deleted it. Also deleted it from Add and Remove (Programs & Features).
    Now I'm also getting Notepad every time I boot on my desktop with this:
    [.ShellClassInfo]
    LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

    ZoneAlarm preferences: if you can help on a rule of thumb on what & what not to allow. Suspicious program: Host process for Windows services, string C:\windows\system32\lsass.exe
    I also have this HijackThis log for anyone that can help.
    Much appreciated in advance.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:26:01 AM, on 14/09/2009
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v7.00 (7.00.6002.18005)
    Boot mode: Normal

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\ZoneLabs\vsmon.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Windows\system32\lxbkcoms.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\AVG\AVG8\avgtray.exe
    C:\Program Files\Lexmark X1100 Series\LXBKbmgr.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\FinePixViewer\QuickDCF2.exe
    C:\Program Files\GIGABYTE\Gamer HUD Lite\HUD.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\Optus Wireless Broadband\Optus Wireless Broadband.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [lxbkbmgr.exe] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Startup: GIGABYTE Gamer HUD Lite.lnk = C:\Program Files\GIGABYTE\Gamer HUD Lite\HUD.exe
    O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E1DD056A-8043-4696-B8EF-B01312C3B274}: NameServer = 61.88.88.88 61.88.88.88
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: C:\Windows\System32\,avgrsstx.dll,C:\Windows\System32\dmintf32.dll
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: lxbk_device - - C:\Windows\system32\lxbkcoms.exe
    O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
    Sunday, September 13, 2009 9:07 PM
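Added here as an example, not part of the thread and not code from HijackThis or its vendor: a small Python triage script for logs in the format above. It parses each `Rn - ...` / `On - ...` line into its section, then surfaces the items a helper reads first: the DLLs under AppInit_DLLs (O20), which Windows loads into every user-mode process that links user32.dll, so each name needs a known owner; the DNS servers under O17, which should match what the ISP or router actually hands out; entries marked `(no file)`, which are harmless leftovers to clean up; and O4 Startup-folder items, relevant because the two lines shown in Notepad at boot are the contents of a desktop.ini file, and Notepad opening one at startup usually means such a file is sitting in a Startup folder. The sample lines are copied from the log posted in the question; the section choices and function names are my own.

```python
import re
from collections import Counter

# Constructed sample: nine lines in HijackThis v2.0.2 format, copied from the
# log posted in the question above (a full log has many more lines).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: GIGABYTE Gamer HUD Lite.lnk = C:\Program Files\GIGABYTE\Gamer HUD Lite\HUD.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1DD056A-8043-4696-B8EF-B01312C3B274}: NameServer = 61.88.88.88 61.88.88.88
O20 - AppInit_DLLs: C:\Windows\System32\,avgrsstx.dll,C:\Windows\System32\dmintf32.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
"""

# Every HijackThis finding starts with a section code such as R1, O4 or O23.
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")


def parse_hjt(text):
    """Return one dict per finding: {'section': 'O20', 'body': 'AppInit_DLLs: ...'}."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m.group(1), "body": m.group(2)})
    return entries


def appinit_dlls(entries):
    """DLL names listed under AppInit_DLLs (O20); directory-only parts are dropped."""
    dlls = []
    for e in entries:
        if e["section"] == "O20" and e["body"].startswith("AppInit_DLLs:"):
            value = e["body"].split(":", 1)[1]        # maxsplit=1 keeps the 'C:' in paths intact
            for part in value.split(","):
                part = part.strip()
                if part.lower().endswith(".dll"):
                    dlls.append(part)
    return dlls


def nameservers(entries):
    """Distinct DNS servers from O17 NameServer entries, in log order."""
    seen = []
    for e in entries:
        if e["section"] == "O17" and "NameServer =" in e["body"]:
            for ip in e["body"].split("NameServer =", 1)[1].split():
                if ip not in seen:
                    seen.append(ip)
    return seen


def orphaned(entries):
    """Entries whose target no longer exists (HijackThis prints '(no file)')."""
    return [e for e in entries if e["body"].endswith("(no file)")]


def startup_folder_items(entries):
    """O4 entries that come from a Startup folder rather than a Run registry key."""
    return [e["body"] for e in entries
            if e["section"] == "O4"
            and e["body"].startswith(("Startup:", "Global Startup:"))]


def triage(text):
    """Summarise the review points a helper would look at first."""
    entries = parse_hjt(text)
    return {
        "sections": dict(Counter(e["section"] for e in entries)),
        "appinit_dlls": appinit_dlls(entries),
        "nameservers": nameservers(entries),
        "orphaned": len(orphaned(entries)),
        "startup_folder": startup_folder_items(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The script does not decide what is malicious; it only pulls the persistence and network-configuration entries out of the noise so that each listed DLL, resolver and startup item can be checked against its expected owner (here, AVG's avgrsstx.dll is accounted for by the installed AVG 8, and anything else in that list is what a helper would ask about next).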

All replies

  • mozfab,

    Please do not post any logs of this sort to the MS newsgroups and forums. Thanks.

    1. Follow to the letter all the directions in this thread: How to get rid of malware

    2. If still no joy you can find Microsoft MVPs and other trained analysts at the following help sites:
    Aumha.org
    Atribune.org
    SpywareHammer
    BleepingComputer
    Safer-Networking

    3. For information about security updates, visit the Microsoft Virus Solution and Security Center for resources and tools to keep your PC safe and healthy. If you are having issues with installing the update itself, visit Support for Microsoft Update for resources and tools to keep your PC updated with the latest updates.

    Hope this helps,


    Vincenzo Di Russo - Microsoft MVP Windows Internet Explorer, Windows Desktop Experience & Security - Since 2003. ~~~ My MVP Profile: https://mvp.support.microsoft.com/profile/Vincenzo

    • Edited by Sabrina Shen, Friday, April 6, 2012 2:11 AM (PCSafety Center update)
    Monday, September 14, 2009 4:58 AM
  • Thanks Vincenzo, I'll get to that and try it!!
     Sorry for the inconvenience, I'm new to this forum, so I'm learning the protocol.
     By the way, are you Italian? As my name is Maurizio. I'm from Australia, born in Italy, Calabria (south Italy), little town called Serria Aiello.
     I have my own business of electronic repair in Australia, NSW. Now I have expanded to computers, so now feeling my way with IT work. I have this PC in with an internet prob. Manual virus removal was not a subject at computer college, so I'm trying to learn what to do. I'll get back to you with the outcome.
     Good work you are doing.
    Thursday, September 17, 2009 3:40 AM
  • Hi Maurizio,

    You are welcome. Glad to help and thank you very much for your feedback and kind words.

    Yes, I'm Italian (I live in Pescara).

    Please keep us posted.

    Cheers and good luck,
    Vincenzo Di Russo - Microsoft MVP Windows Internet Explorer, Windows Desktop Experience & Security - Since 2003. ~~~ My MVP Profile: https://mvp.support.microsoft.com/profile/Vincenzo
    Thursday, September 17, 2009 4:57 AM
  • Hi Vincenzo,
    thank you for the welcome,
     I'm from Newcastle, Australia, have been to Italy 2 times to visit relatives and some sightseeing, never been on the east side though. Maybe one lottery-winning day.
     As I am a novice in IT, I need all the help I can get, so thank you for the HOW TO GET RID OF MALWARE tip. Seems to be working. Been on the internet and it doesn't seem to be redirecting me to other sites. I use IE7. Just wondering, do I still keep using IE or should I use another browser? Some people on the internet say to use another and some say stick to IE. If you can help: the procedure that I did, will it seek out rootkits? If not, can you suggest a program for rootkits? I'm now scanning with my antivirus, AVG Free. All seems to be working OK, but you just never know if they cover all types of viruses. Also wondering if you can suggest some good antiviruses for me. Thanks in advance, much appreciated.
     Mozfab

    Thursday, September 17, 2009 10:51 PM
  • All scans are finished and all seems OK as I can surf the net without being redirected. But I have only one more thing to ask. I have Notepad that always comes up at startup. I've gone to MSconfig/startup but there's nothing there. I have a prog called Autorun but cannot find it there either. This Notepad has this inside:

    [.ShellClassInfo]
    LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

    ---------------- the bottom part only came up as a link when I pasted here ............ so beware of where it goes to!

    Thank you again, mozfab.
    Friday, September 18, 2009 3:13 AM
  • 
    Hi again Maurizio,

    You can find Microsoft MVPs and other trained analysts at the following help sites:
    Aumha.org
    Atribune.org
    SpywareHammer
    BleepingComputer
    Safer-Networking

    Thank you and good luck!
    Vincenzo Di Russo - Microsoft MVP Windows Internet Explorer, Windows Desktop Experience & Security - Since 2003. ~~~ My MVP Profile: https://mvp.support.microsoft.com/profile/Vincenzo
    Saturday, September 19, 2009 8:06 AM
  • Thanks Vincenzo,
     I found out what it was by doing a full search and going to all notepads; found this one sitting next to my HUD video accelerator configuration. Just deleted it and now no problem.
     Thanks for your help, will keep in touch.
     Regards, Maurizio.
    Sunday, September 20, 2009 5:47 AM
  • Hi again Maurizio,

    You're welcome. Glad you got it resolved and thank you for your feedback.

    Cheers,
    Vincenzo Di Russo
    Microsoft MVP Windows Internet Explorer, Windows Desktop Experience & Security - Since 2003.
    My MVP Profile: https://mvp.support.microsoft.com/profile/Vincenzo
    Sunday, September 20, 2009 7:10 AM