HiJack this, browser hijacking

microsoft.public.windows.vista.general




  #1 (permalink)  
Old 12-22-2008
shamusfu
 

Posts: n/a
HiJack this, browser hijacking

Here is the output. I cannot find this hijack program but get randomly
redirected to stupid 'web tv' sites and other junk sites.

Please help, this is incredibly annoying and disruptive. Windows
Defender and AVG all came back clean.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:42:10 PM, on 12/21/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\SOUNDMAN.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AIM6\aim6.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common
Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper -
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft
Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper -
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program
Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper -
{DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program
Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows
Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft
Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
/STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program
Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio
Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program
Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE
C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows
Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d
locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media
Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows
Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe
oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe
/RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows
Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1612267895-1955296070-1519447551-1000\..\Run:
[Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User
'Alison')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe
/RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe
/RUNONCE (User 'Default user')
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote -
{2670000A-7350-4f3c-8081-5663EE0C6C49} -
C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote -
{2670000A-7350-4f3c-8081-5663EE0C6C49} -
C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF}
- C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo
Uploader 5 Control) -
http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {35B0504D-F257-4E56-ACE1-B52E39B7C4F2} (ICSWeb Class) -
https://ednet.wachovia.com/ics_EDNet...ents/icsax.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture
Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl
Class) -
http://tools.ebayimg.com/eps/wl/acti..._v1-0-27-0.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) -
http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClient
Control) - https://juniper.net/dana-cached/sc/J...etupClient.cab
O17 -
HKLM\System\CCS\Services\Tcpip\..\{8EA3FE5F-77A6-40C0-9CB2-95AFE0EF548F}:
NameServer = 24.25.5.148 24.25.5.147
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList =
linksys,linksys,linksys,linksys,linksys,linksys,linksys,linksys,linksys,linksys
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList =
linksys,linksys,linksys,linksys,linksys,linksys,linksys,linksys,linksys,linksys
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD}
- C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT,
s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision
Corporation - C:\Program Files\Common
Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program
Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program
Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions
- C:\Program Files\Common Files\Roxio
Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common
Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions
- C:\Program Files\Common Files\Roxio
Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 8323 bytes


--
shamusfu
------------------------------------------------------------------------
shamusfu's Profile: http://forums.techarena.in/members/shamusfu.htm
View this thread: http://forums.techarena.in/vista-help/1091339.htm

http://forums.techarena.in

  #2 (permalink)  
Old 12-22-2008
Mick Murphy
 

Posts: n/a
RE: HiJack this, browser hijacking
Download, install, update Malwarebytes and Spybot Search & Destroy.
When you have done that, reboot your computer into Safe mode and scan your
system with them, and with your AVG (just to be sure).
All info below.


http://www.spybot.info/en/index.html

Spybot Search & Destroy 1.6 is a very good, FREE Anti-Spyware Program.
Download, install, update, and immunize your System with it.
Then SCAN with it.
Update it, and scan your System once a fortnight.

http://www.malwarebytes.org/mbam.php

Malwarebytes is, as the name says, a Malware Remover!
For the Free version scroll down their page to either download from
Download.com, or Major Geeks.com

Download, install, and update.

Important re: Safe Mode
If you happen to find a problem that you can’t uninstall / delete, reboot
the computer, and go into Safe Mode.
To get into Safe mode, tap F8 right at Power On / Startup, and use UP arrow
key to get to Safe Mode from list of options, then hit ENTER.
RESCAN your computer with your Anti-Virus, Malwarebytes and Spybot S & D
while in Safe Mode.




--
Mad Mike


"shamusfu" wrote:

>
> Here is the output. I cannot find this hijack program but get randomly
> redirected to stupid 'web tv' sites and other junk sites.
>
> Please help, this is incredibly annoying and disruptive. Windows
> Defender and AVG all came back clean.
>
>
>
>
> Logfile of Trend Micro HijackThis v2.0.2
  #3 (permalink)  
Old 12-22-2008
David H. Lipman
 

Posts: n/a
Re: HiJack this, browser hijacking
From: "shamusfu" <shamusfu.3ksyfc@DoNotSpam.com>

| Here is the output. I cannot find this hijack program but get randomly redirected to
| stupid 'web tv' sites and other junk sites.

| Please help, this is incredibly annoying and disruptive. Windows Defender and AVG all
| came back clean.




| Logfile of Trend Micro HijackThis v2.0.2

Please - Do NOT post the HJT Log here !

Forums where you can get expert advice for HiJack This! (HJT) Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/i...hp?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/...splay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malwa..._Here-f37.html
http://gladiator-antivirus.com/forum...?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/...p?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


  #4 (permalink)  
Old 12-22-2008
rak
 

Posts: n/a
Re: HiJack this, browser hijacking
Just for grins you might want to try another browser to see if you still
have the issue. For example, in Firefox, you can go to
Tools>Options>Advanced and set for a warning when a site tries to redirect
you. That could help narrow it down a bit e.g. browser? sites visited?
common to all? In any event, I can highly recommend a couple of Dave's
suggestions. Castlecops and BleepingComputer both have great resources
online and you can do a lot to help yourself. You might start by searching
on each of your HJT log entries to see known issues. Good luck.

"shamusfu" <shamusfu.3ksyfc@DoNotSpam.com> wrote in message
news:shamusfu.3ksyfc@DoNotSpam.com...
>
> Here is the output. I cannot find this hijack program but get randomly
> redirected to stupid 'web tv' sites and other junk sites.
>
> Please help, this is incredibly annoying and disruptive. Windows
> Defender and AVG all came back clean.
>
>
>
>
> Logfile of Trend Micro HijackThis v2.0.2
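Looking up each HJT log entry, as suggested in the last reply, is easier once the newsreader-wrapped log is rejoined into one entry per line and the repeated entries are collapsed. The following is an added example (not part of the thread and not HijackThis code) that does this for an excerpt of the log posted above; the section labels and the choice of which sections are worth checking first for browser redirects are this example's assumptions.

```python
import re
from collections import Counter

# Excerpt of the log posted in this thread, with its original line wrapping
# (the nine identical O10 lines are shortened to three here).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Windows\Explorer.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common
Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O17 -
HKLM\System\CCS\Services\Tcpip\..\{8EA3FE5F-77A6-40C0-9CB2-95AFE0EF548F}:
NameServer = 24.25.5.148 24.25.5.147
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

--
End of file - 8323 bytes
"""

# An entry starts with a section code followed by " - ". The bare "O17 -"
# case covers a body that was wrapped entirely onto the next line.
ENTRY_START = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) -(?: |$)")
# Reply quoting ("> " or "| ") as used in the follow-up posts.
QUOTE_PREFIX = re.compile(r"^\s*(?:[>|] ?)+")

# Assumption of this example: sections to look at first when the symptom is
# browser redirection. The labels are short descriptions, not tool output.
REDIRECT_SECTIONS = {
    "R0": "IE start/search page value",
    "R1": "IE start/search page value",
    "O1": "hosts file entry",
    "O2": "Browser Helper Object",
    "O10": "Winsock LSP",
    "O13": "IE default URL prefix",
    "O17": "DNS / Tcpip setting",
    "O18": "extra protocol handler",
}


def parse_log(text):
    """Return [(section_code, body)] with wrapped lines rejoined."""
    entries = []
    for raw in text.splitlines():
        line = QUOTE_PREFIX.sub("", raw).strip()
        if line == "--" or line.startswith("End of file"):
            break  # log trailer: nothing after this belongs to an entry
        if not line:
            continue
        match = ENTRY_START.match(line)
        if match:
            entries.append([match.group(1), line[match.end():].strip()])
        elif entries:
            # Continuation of the previous entry (wraps happened at spaces).
            entries[-1][1] = (entries[-1][1] + " " + line).strip()
        # Lines before the first entry (header, process list) are skipped.
    return [(code, body) for code, body in entries]


def redirect_review(entries):
    """Collapse duplicates; keep only redirect-related sections.

    Returns [(code, label, body, occurrences)] in first-seen order.
    """
    counts = Counter((c, b) for c, b in entries if c in REDIRECT_SECTIONS)
    return [(code, REDIRECT_SECTIONS[code], body, n)
            for (code, body), n in counts.items()]


if __name__ == "__main__":
    for code, label, body, n in redirect_review(parse_log(SAMPLE_LOG)):
        print(f"{code:<4} x{n}  [{label}] {body}")
```

The output is only a shortened lookup list: each remaining line still has to be checked against a known-good reference before anything is changed with HijackThis.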