0

Hello All. I hope someone can help. 3 days ago I somehow picked up a browser hijacker. It seems to be completely random. I will click a link from anywhere, and it will SOMETIMES just go to a totally unrelated page. If I go back, and click the link again, it will go where it should normally.

I have scanned using Avast and Kaperski and one other and came up with nothing.

Here is my HijackThis log. Please let me know if you see anything malicious. Thanks for your help!

By the way, this *seems* to be happening only in Firefox which is the program I was using when I think the setup.exe file that caused this was installed.


Logfile of HijackThis v1.99.1
Scan saved at 10:24:47 AM, on 3/23/2008
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\sttray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\mobsync.exe
C:\Windows\regedit.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Global Startup: AutoHotkey.lnk = C:\Program Files\AutoHotkey\AutoHotkey.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{700A24A3-6798-4444-9A13-6002D97C9789}: NameServer = 217.199.126.2,159.148.60.20
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Uvnc_service - Unknown owner - C:\Program Files\UltraVnc\uvnc_service.exe" -service (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

2
Contributors
11
Replies
12
Views
9 Years
Discussion Span
Last Post by fruehling
0

Sorry, I am very new here. Is the reason I am getting no replies because I broke protocol in some way? Or is the problem just unsolvable?

0

Hi fruehling, just checking a couple of things.. are you in Riga? .. and is your AV working fully?
Ok, your problem with webbing... do you realise you have microsoft's parental control application running? It intercepts your net traffic and ..what shall I say?... sanitises it. I don't know how it works, or what it does in detail, but because it is running as a layered service provider it operates at a level "beneath" your browser, intercepting all traffic - so it should be browser independent - you might Google it: wpclsp.dll
Nah, you did everything correctly, it's just that your post came when we were all away eating Easter eggs. Crunchie played the bunny.

0

Thank you so much for your reply! I am glad for your help.

It's funny, but I am not in Riga. However, I was there last summer, and there is a chance that whatever is causing this browser re-direction started with a visit to a Latvian/Russian website.

I am not sure what you mean by AV. If you mean video and audio, then yes, it is all working great. The only thing fishy is the random browser re-direction that started last Friday.

I also just checked parental controls. They show as being off. There is only one user set up on this computer, it is administrator, so there is not allowed to be parental controls by Vista. A few months ago, there was another user set up with parental controls, but that user has since been deleted.

I am about 99% sure this was caused by accidentally installing an exe file from a website. I see in the install log file from Mozilla that a setup.exe was installed on the same day this started happening.

Thanks again for taking a look and your help.

0

Hi again.. the reason I asked about Riga is because you are connected to the net via Latnet Serviss Ltd, in Latvia. This entry points it out:
O17 - HKLM\System\CCS\Services\Tcpip\..\{700A24A3-6798-4444-9A13-6002D97C9789}: NameServer = 217.199.126.2,159.148.60.20
I have no reason to doubt their being genuine... just hope that you will check your ISP/connection details via control panel.
Vista Parental Control - I am totally in the dark about its operation, as I am about much that is Vista related. But I can see that all your net traffic is going through it [and on out into the wide world via Latvia...].
Anyway, if you wish to remove it [parental control] then we can...
I do not have a setup.exe assoc with FF... check the Date Created time - it should match others...

0

Thanks for the reply!

So that is very interesting about me being connected via Latvia. I am in the USA using Comcast through my WIFI router!

I went to control panel. I didn't see exactly where to check my ISP/connection details. I went to "Internet Options" and there was nothing set up in the connections tab. I guess it would be a great idea to stop this connection through Latnet somehow?

Yes, please help me to remove that parental control. I went into that feature, but it showed that it is not on, and there is nothing that seems to be blocked anyway.

Here is the fishy entry in the install.log file for FF:

http://prikolnoe.tv/setup.exe -- 2008-03-21 20:26:00
-------------------------------------------------------------------------------


Install completed successfully -- 2008-03-21 20:26:01


Thanks a lot for going through this with me. I am usually not so helpless, well, sometimes.

0

That link you kindly provided tries to install a browser extension...
.xpi files: This is basically a ZIP file that, when opened by the browser utility, installs a browser extension. This extension applies to both Mozilla and Firefox browsers. ..... file you dl is dv-fox.xpi - search for and delete it, plus the setup .exe file it spawned.

==Download LSPfix from here http://cexx.org/LSPFix.exe -start it by dclicking the .exe....
On the opening screen, click the "I know what I'm doing" checkbox. Check all instances of "wpclsp.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.
Next start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{700A24A3-6798-4444-9A13-6002D97C9789}: NameServer = 217.199.126.2,159.148.60.20

Good. Say how things are.

0

Thank you again for the reply. Good news and bad news. I was able to do steps 2 and 3, but step 1 not so much. I searched and could not find the xpi file, nor any setup.exe file from that date. Any other ideas how to kill it?

Also, is there a way I can put that Latvia entry back into my registry easily? I am thinking it may be something left over from when I was there and used their internet, and I may need to do that again. Could I just do a right click, export, on that entry in regedit?

0

Also, is there a way I can put that Latvia entry back into my registry easily?... yes you could do that export, or use hijackthis restore funcion: go to Main menu, Backups, and check and restore the entry.
As for the first, no.. I am a little unwilling to run that setup.exe file, but it may be legitimate. I don't know.

0

Sorry for the slow reply. Thank you for all your help.

It's odd, but I don't see any xpi files on my computer at all. Even searched hidden, etc. How can I find, or see, or something these xpi files. I feel like if I can get at them, I could get at this stupid nasty.

The setup.exe is what is causing this re-direction. It may be partially legitimate, but it also does this stupid stuff.

0

I have no problem with time of reposting..
Could you do this, it may help to see the files.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
After that, it never hurts to clean, so...
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
and then scan again...
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.

0

Hi! Sorry again for the long delayed reply time. I was abroad for a few months. I got really fed up with this problem, and decided the best course was to format. So I backed up my important stuff, and did it. As you might guess, that solved the problem.

I am now having another problem, of course. Now both processors in my Core 2 Duo are being maxed out at random times, by somewhat random processes. But I'll start a new thread for that I guess.

Thank you so much for all your help. Sorry again for the slow reply.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.