Browser Hijack- Random infrequent browser redirection

Reply

Join Date: Mar 2008
Posts: 23
Reputation: fruehling is an unknown quantity at this point 
Solved Threads: 0
fruehling fruehling is offline Offline
Newbie Poster

Browser Hijack- Random infrequent browser redirection

 
0
  #1
Mar 23rd, 2008
Hello All. I hope someone can help. 3 days ago I somehow picked up a browser hijacker. It seems to be completely random. I will click a link from anywhere, and it will SOMETIMES just go to a totally unrelated page. If I go back, and click the link again, it will go where it should normally.

I have scanned using Avast and Kaspersky and one other and came up with nothing.

Here is my HijackThis log. Please let me know if you see anything malicious. Thanks for your help!

By the way, this *seems* to be happening only in Firefox which is the program I was using when I think the setup.exe file that caused this was installed.


Logfile of HijackThis v1.99.1
Scan saved at 10:24:47 AM, on 3/23/2008
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\sttray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\mobsync.exe
C:\Windows\regedit.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Global Startup: AutoHotkey.lnk = C:\Program Files\AutoHotkey\AutoHotkey.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{700A24A3-6798-4444-9A13-6002D97C9789}: NameServer = 217.199.126.2,159.148.60.20
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Uvnc_service - Unknown owner - C:\Program Files\UltraVnc\uvnc_service.exe" -service (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

#2 fruehling, Mar 24th, 2008
Sorry, I am very new here. Is the reason I am getting no replies because I broke protocol in some way? Or is the problem just unsolvable?

#3 gerbil (Nearly a Senior Poster), Mar 25th, 2008
Hi fruehling, just checking a couple of things.. are you in Riga? .. and is your AV working fully?
OK, your problem with webbing... do you realise you have Microsoft's parental control application running? It intercepts your net traffic and ..what shall I say?... sanitises it. I don't know how it works, or what it does in detail, but because it is running as a layered service provider it operates at a level "beneath" your browser, intercepting all traffic - so it should be browser independent - you might Google it: wpclsp.dll
Nah, you did everything correctly, it's just that your post came when we were all away eating Easter eggs. Crunchie played the bunny.
Deep, deep in the woods, but walking about.

#4 fruehling, Mar 25th, 2008
Thank you so much for your reply! I am glad for your help.

It's funny, but I am not in Riga. However, I was there last summer, and there is a chance that whatever is causing this browser re-direction started with a visit to a Latvian/Russian website.

I am not sure what you mean by AV. If you mean video and audio, then yes, it is all working great. The only thing fishy is the random browser re-direction that started last Friday.

I also just checked parental controls. They show as being off. There is only one user set up on this computer, it is the administrator, so Vista does not allow parental controls on it. A few months ago, there was another user set up with parental controls, but that user has since been deleted.

I am about 99% sure this was caused by accidentally installing an exe file from a website. I see in the install log file from Mozilla that a setup.exe was installed on the same day this started happening.

Thanks again for taking a look and your help.

#5 gerbil, Mar 25th, 2008
Hi again.. the reason I asked about Riga is because you are connected to the net via Latnet Serviss Ltd, in Latvia. This entry points it out:
O17 - HKLM\System\CCS\Services\Tcpip\..\{700A24A3-6798-4444-9A13-6002D97C9789}: NameServer = 217.199.126.2,159.148.60.20
I have no reason to doubt their being genuine... just hope that you will check your ISP/connection details via control panel.
Vista Parental Control - I am totally in the dark about its operation, as I am about much that is Vista related. But I can see that all your net traffic is going through it [and on out into the wide world via Latvia...].
Anyway, if you wish to remove it [parental control] then we can...
I do not have a setup.exe associated with FF... check the Date Created time - it should match others...
Deep, deep in the woods, but walking about.

#6 fruehling, Mar 25th, 2008
Thanks for the reply!

So that is very interesting about me being connected via Latvia. I am in the USA using Comcast through my WIFI router!

I went to control panel. I didn't see exactly where to check my ISP/connection details. I went to "Internet Options" and there was nothing set up in the connections tab. I guess it would be a great idea to stop this connection through Latnet somehow?

Yes, please help me to remove that parental control. I went into that feature, but it showed that it is not on, and there is nothing that seems to be blocked anyway.

Here is the fishy entry in the install.log file for FF:

http://prikolnoe.tv/setup.exe -- 2008-03-21 20:26:00
-------------------------------------------------------------------------------


Install completed successfully -- 2008-03-21 20:26:01


Thanks a lot for going through this with me. I am usually not so helpless, well, sometimes.

#7 gerbil, Mar 26th, 2008
That link you kindly provided tries to install a browser extension...
.xpi files: This is basically a ZIP file that, when opened by the browser utility, installs a browser extension. This extension applies to both Mozilla and Firefox browsers. ..... The file you download is dv-fox.xpi - search for and delete it, plus the setup.exe file it spawned.

Download LSPfix from here: http://cexx.org/LSPFix.exe - start it by double-clicking the .exe....
On the opening screen, click the "I know what I'm doing" checkbox. Check all instances of "wpclsp.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.
Next start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{700A24A3-6798-4444-9A13-6002D97C9789}: NameServer = 217.199.126.2,159.148.60.20

Good. Say how things are.
Deep, deep in the woods, but walking about.
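A defender-side triage script for the kind of HijackThis log posted in this thread, as an added example (not part of the thread, and not HijackThis or LSPfix code). It parses the `Oxx - ` entry lines and flags by rule what gerbil flagged by eye in posts #3, #5 and #7: O17 NameServer addresses outside a trusted resolver set, how many times each DLL appears in the O10 Winsock LSP chain, and O23 services whose binary is reported missing. The sample lines are constructed from entries quoted above; the trusted resolver set is an assumption the analyst supplies from the ISP's known servers.

```python
import re
from ipaddress import ip_address

# Constructed sample: a few lines in the format of the HijackThis log
# quoted in this thread (O17 NameServer entry, repeated O10 LSP DLL, O23 service).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\Windows\Explorer.EXE

O1 - Hosts: ::1 localhost
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{700A24A3-6798-4444-9A13-6002D97C9789}: NameServer = 217.199.126.2,159.148.60.20
O23 - Service: Uvnc_service - Unknown owner - C:\Program Files\UltraVnc\uvnc_service.exe" -service (file missing)
"""

# Every HijackThis finding line starts with a section tag such as R0, F1 or O17.
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")


def parse_entries(text):
    """Return (section, body) pairs; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(text, trusted_dns):
    """Flag O17 resolvers that are public and not in trusted_dns, count each
    DLL in the O10 LSP chain, and flag O23 services with a missing binary."""
    findings, lsp_counts = [], {}
    for sec, body in parse_entries(text):
        if sec == "O17" and "NameServer" in body:
            for server in body.split("=", 1)[1].split(","):
                ip = ip_address(server.strip())
                if not ip.is_private and str(ip) not in trusted_dns:
                    findings.append(("O17", f"untrusted resolver {ip}"))
        elif sec == "O10":
            dll = body.rsplit("\\", 1)[-1].lower()
            lsp_counts[dll] = lsp_counts.get(dll, 0) + 1
        elif sec == "O23" and "(file missing)" in body:
            name = body.split(" - ")[0].split(": ", 1)[1]
            findings.append(("O23", f"service binary missing: {name}"))
    for dll, n in lsp_counts.items():
        findings.append(("O10", f"{dll}: {n} LSP entries"))
    return findings


if __name__ == "__main__":
    # Placeholder: the analyst fills trusted_dns with the ISP's known resolvers.
    for finding in triage(SAMPLE_LOG, trusted_dns=set()):
        print(*finding)
```

An LSP DLL that repeats many times, or a resolver the user cannot account for, is what to look at first; the script only ranks, the decision to remove stays with the analyst.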

#8 fruehling, Mar 26th, 2008
Thank you again for the reply. Good news and bad news. I was able to do steps 2 and 3, but step 1 not so much. I searched and could not find the xpi file, nor any setup.exe file from that date. Any other ideas how to kill it?

Also, is there a way I can put that Latvia entry back into my registry easily? I am thinking it may be something left over from when I was there and used their internet, and I may need to do that again. Could I just do a right click, export, on that entry in regedit?

#9 gerbil, Mar 26th, 2008
Also, is there a way I can put that Latvia entry back into my registry easily?... yes you could do that export, or use hijackthis restore function: go to Main menu, Backups, and check and restore the entry.
As for the first, no.. I am a little unwilling to run that setup.exe file, but it may be legitimate. I don't know.
Deep, deep in the woods, but walking about.

#10 fruehling, Mar 30th, 2008
Sorry for the slow reply. Thank you for all your help.

It's odd, but I don't see any xpi files on my computer at all. Even searched hidden, etc. How can I find, or see, or something, these xpi files? I feel like if I can get at them, I could get at this stupid nasty.

The setup.exe is what is causing this re-direction. It may be partially legitimate, but it also does this stupid stuff.
©2003 - 2009 DaniWeb® LLC