0

Everytime I type in a url in the address bar it won't go to the page. It will have http:///?%20www.web page name. I'm unable to go to any webpage at all. I have ran ad aware, spybot S & D. Have searched all search engines. But no such thing on them. Can you help me? :rolleyes:

4
Contributors
9
Replies
10
Views
12 Years
Discussion Span
Last Post by damjan_hr
0

It sounds like your browser has been hijacked; get Hijackthis from here:

http://www.merijn.org/files/hijackthis_sfx.exe

Close all browser windows, scan with hijackthis, save the log, copy and paste it here in this thread.

reply form cajunsunshine
Logfile of HijackThis v1.99.0
Scan saved at 6:48:29 PM, on 2/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\scvhosting.exe
C:\WINDOWS\System32\videosd32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Brian\Application Data\bf????.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:80
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [starter] scvhosting.exe
O4 - HKLM\..\Run: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\qnjtji.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\RunOnce: [starter] scvhosting.exe
O4 - HKLM\..\RunOnce: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files 2\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [DKTime] C:\WINDOWS\System32\dktime.exe
O4 - HKCU\..\Run: [Aorb] C:\Documents and Settings\Brian\Application Data\x????.exe
O4 - HKCU\..\Run: [Lptdibpi] C:\WINDOWS\System32\m?iexec.exe
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\Run: [Win32 Configuration] videosd32.exe
O4 - HKCU\..\Run: [Ltho] C:\Documents and Settings\Brian\Application Data\bf????.exe
O4 - HKCU\..\RunOnce: [Win32 Configuration] videosd32.exe
O4 - HKCU\..\RunOnce: [starter] scvhosting.exe
O4 - Global Startup: Instant Update Reminder.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O15 - Trusted Zone: *.mozilla.org
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 213.159.117.133
O15 - Trusted IP range: (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D2762E7-00C3-4608-AF1A-BD6D2F390804}: NameServer = 205.152.132.235 205.152.37.254

0

Remember to close all browser windows when scanning with hijackthis (you had IE and Mozilla open when you did that scan).

Do you have any idea what this is?
C:\Documents and Settings\Brian\Application Data\bf????.exe <---

I strongly suspect it's not good; if you're not sure, find it, right-click on it, go to Properties, and post all the info on it you can find.

Scan with HJT and have it fix the following entries:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [starter] scvhosting.exe
O4 - HKLM\..\Run: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\qnjtji.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\RunOnce: [starter] scvhosting.exe
O4 - HKLM\..\RunOnce: [Win32 Configuration] videosd32.exe
O4 - HKCU\..\Run: [DKTime] C:\WINDOWS\System32\dktime.exe
O4 - HKCU\..\Run: [Lptdibpi] C:\WINDOWS\System32\m?iexec.exe
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\Run: [Win32 Configuration] videosd32.exe
O4 - HKCU\..\RunOnce: [Win32 Configuration] videosd32.exe
O4 - HKCU\..\RunOnce: [starter] scvhosting.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 213.159.117.133
O15 - Trusted IP range: (HKLM)

Close all windows other then hijackthis before hitting the Fix button

Reboot into Safe Mode

Go to the indicated folder and delete the highlighted files:
C:\WINDOWS\System32\qnjtji.exe
C:\WINDOWS\System32\dktime.exe
C:\WINDOWS\System32\m?iexec.exe

Do a search for, and delete any instances found of:
videosd32.exe
scvhosting.exe

Reboot normally, close all browser windows, scan with HJT, and post a new log please.

0

It sounds like your browser has been hijacked; get Hijackthis from here:

http://www.merijn.org/files/hijackthis_sfx.exe

Close all browser windows, scan with hijackthis, save the log, copy and paste it here in this thread.

THIS IS THE NEWEST HIJACK LOG. i CLOSED ALL WINDOWS THIS TIME, SORRY ABOUT THAT.

Also I found out about C://Documents and Settings/Brian/Application Data/bfcyoo.exe. It is iunder the registry key:
HKEY_CURRENT_USER/SOFTWARE/MICROSOFT/SEARCH ASSISTANT/ACMru/5603(name-000, type-REG_SZ, data,bfcyoo.exe, I did a search and was unable to find it anywhere else.


Logfile of HijackThis v1.99.0
Scan saved at 8:11:33 PM, on 2/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\scvhosting.exe
C:\WINDOWS\System32\videosd32.exe
C:\WINDOWS\System32\m?iexec.exe
C:\Documents and Settings\Brian\Application Data\bf????.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:80
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [starter] scvhosting.exe
O4 - HKLM\..\Run: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\qnjtji.exe
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\RunOnce: [starter] scvhosting.exe
O4 - HKLM\..\RunOnce: [Win32 Configuration] videosd32.exe
O4 - HKCU\..\Run: [DKTime] C:\WINDOWS\System32\dktime.exe
O4 - HKCU\..\Run: [Aorb] C:\Documents and Settings\Brian\Application Data\x????.exe
O4 - HKCU\..\Run: [Lptdibpi] C:\WINDOWS\System32\m?iexec.exe
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\Run: [Win32 Configuration] videosd32.exe
O4 - HKCU\..\Run: [Ltho] C:\Documents and Settings\Brian\Application Data\bf????.exe
O4 - HKCU\..\RunOnce: [Win32 Configuration] videosd32.exe
O4 - HKCU\..\RunOnce: [starter] scvhosting.exe
O4 - Global Startup: Instant Update Reminder.lnk = ?
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O15 - Trusted Zone: *.mozilla.org
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: (HKLM)

:rolleyes:

0

It sounds like your browser has been hijacked; get Hijackthis from here:

http://www.merijn.org/files/hijackthis_sfx.exe

Close all browser windows, scan with hijackthis, save the log, copy and paste it here in this thread.

This is the very last hijack log I've done here at 9:30 pm. I didn't do it right in the last reply I made to you. Here it is -------

Logfile of HijackThis v1.99.0
Scan saved at 9:27:56 PM, on 2/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:80
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - Global Startup: Instant Update Reminder.lnk = ?
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O15 - Trusted Zone: *.mozilla.org

0

It sounds like your browser has been hijacked; get Hijackthis from here:

http://www.merijn.org/files/hijackthis_sfx.exe

Close all browser windows, scan with hijackthis, save the log, copy and paste it here in this thread.

11:19 PM Sunday night

Last Post Tonight--------Everything is back to normal. Thanks so much. Have a great evening. cajunsunshine.

0

Looks like you went ahead and fixed a few things on your own there :)

Looks good to me, let us know if you have any more problems

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.