
Browser Hijacking

Discussion in 'Malware and Virus Removal Archive' started by grant154, 2004/09/17.

Thread Status:
Not open for further replies.
  1. 2004/09/17
    grant154

    grant154 Inactive Thread Starter

    Joined:
    2002/10/18
    Messages:
    64
    Likes Received:
    0
    Have Ad-Aware, Spybot, Spyguard, AVG, XP Security ON, but HijackThis finds these BO's every time I run it

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.vgsfvgsqmhyuf.net/7LRmOk_iqgEqBqWVbJUagrE27gMmYMgtqn2ByoKKTLGFNvBxDsR3bPthFuZVdjwL.htm

    How do I stop them? PLEASE, any help will be gratefully appreciated!!!

    Logfile of HijackThis v1.97.7
    Scan saved at 1:52:46 PM, on 18/09/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\system32\CTSvcCDA.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ozemail.com.au/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.vgsfvgsqmhyuf.net/7LRmOk_iqgEqBqWVbJUagrE27gMmYMgtqn2ByoKKTLGFNvBxDsR3bPthFuZVdjwL.htm
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autofix /autoclose
    O4 - HKLM\..\Run: [memo user] C:\PROGRA~1\INTERN~2\jumpmess.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
     
    Last edited: 2004/09/18
  2. 2004/09/17
    dobhar Lifetime Subscription

    dobhar Inactive

    Joined:
    2002/05/24
    Messages:
    924
    Likes Received:
    3
    Hi grant154...

    Please post your whole HijackThis log for review.
     

  4. 2004/09/17
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Your entire log will be needed, as that R0 is being put there by something you have running and are unaware of.
     
  5. 2004/09/18
    grant154

    grant154 Inactive Thread Starter

    Joined:
    2002/10/18
    Messages:
    64
    Likes Received:
    0
    Browser Hijacking

    Thanks for your response
    Logfile of HijackThis v1.97.7
    Scan saved at 1:52:46 PM, on 18/09/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\system32\CTSvcCDA.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ozemail.com.au/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.vgsfvgsqmhyuf.net/7LRmOk_iqgEqBqWVbJUagrE27gMmYMgtqn2ByoKKTLGFNvBxDsR3bPthFuZVdjwL.htm
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autofix /autoclose
    O4 - HKLM\..\Run: [memo user] C:\PROGRA~1\INTERN~2\jumpmess.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
     
  6. 2004/09/18
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Remove these; the second item I could not find any info on what it is.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.vgsfvgsqmhyuf.net/7LRmOk...PthFuZVdjwL.htm
    O4 - HKLM\..\Run: [memo user] C:\PROGRA~1\INTERN~2\jumpmess.exe
     
  7. 2004/09/18
    grant154

    grant154 Inactive Thread Starter

    Joined:
    2002/10/18
    Messages:
    64
    Likes Received:
    0
    Browser Hijacking

    Mark, thanks for your response. I have used HijackThis to remove them but they keep reappearing next time I run HijackThis.
     
  8. 2004/09/18
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    We may have to dig a little further but for now, get the latest version of HJT (v1.98.2) and do another log.

    Also, put HJT in a folder other than a temp folder or the desktop. Maybe create c:\hjt or something.

    Interesting that your entries stop with the O4 ones. Maybe the new version will do better.
     
  9. 2004/09/18
    grant154

    grant154 Inactive Thread Starter

    Joined:
    2002/10/18
    Messages:
    64
    Likes Received:
    0
    Browser Hijack

    Saved HJThis to Program Files
    Ran new scan

    Logfile of HijackThis v1.98.2
    Scan saved at 9:11:42 PM, on 18/09/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\system32\CTSvcCDA.EXE
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ozemail.com.au/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.spkomwnjrrmu.net/7LRmOk_iqgEqBqWVbJUagrE27gMmYMgtqn2ByoKKTLGgYaAHatffY/thFuZVdjwL.html
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe "
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
    O4 - HKLM\..\Run: [memo user] C:\PROGRA~1\INTERN~2\jumpmess.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
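
An added example, not part of any post in this thread and not HijackThis's own code: it compares the entries flagged after the first scan against the second scan and reports whether each came back, and whether an R0 URL came back under a different host. The function names, status labels and the `FLAGGED` list are assumptions made for illustration; the log lines are copied from the two logs above.

```python
import re
from urllib.parse import urlparse

# Entries copied from the two HijackThis logs posted in this thread.
SCAN_1 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ozemail.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.vgsfvgsqmhyuf.net/7LRmOk_iqgEqBqWVbJUagrE27gMmYMgtqn2ByoKKTLGFNvBxDsR3bPthFuZVdjwL.htm
O4 - HKLM\..\Run: [memo user] C:\PROGRA~1\INTERN~2\jumpmess.exe
"""
SCAN_2 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ozemail.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.spkomwnjrrmu.net/7LRmOk_iqgEqBqWVbJUagrE27gMmYMgtqn2ByoKKTLGgYaAHatffY/thFuZVdjwL.html
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [memo user] C:\PROGRA~1\INTERN~2\jumpmess.exe
"""
# The two entries flagged for removal after the first scan (hypothetical list name).
FLAGGED = [
    ("R0", r"HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant"),
    ("O4", r"HKLM\..\Run: [memo user]"),
]
ENTRY = re.compile(r"^[ \t]*([A-Z]\d{1,2}) - (.+?)[ \t]*$", re.M)
O4_RUN = re.compile(r"^(.*?\[[^\]]*\])\s+(.*)$")

def parse_entries(log):
    """Map (section code, registry value or startup item) -> data; other lines are skipped."""
    entries = {}
    for code, rest in ENTRY.findall(log):
        run = O4_RUN.match(rest) if code == "O4" else None
        # O4 Run lines are "key: [name] command"; everything else is "name = data".
        key, value = run.groups() if run else rest.partition(" = ")[::2]
        entries[(code, key)] = value
    return entries

def persistence_report(before, after, flagged):
    """Report what happened to each flagged entry between two scans."""
    old, new = parse_entries(before), parse_entries(after)
    report = {}
    for ident in flagged:
        a, b = old.get(ident), new.get(ident)
        if b is None:
            report[ident] = "gone"
        elif a == b:
            report[ident] = "restored unchanged"
        else:
            moved = urlparse(a or "").hostname != urlparse(b).hostname
            report[ident] = "restored, host changed" if moved else "restored, value changed"
    return report
```

An entry that returns after being fixed, especially with a rotated host, means whatever writes it is still running, so the cleanup has to target the writer rather than the registry value.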
     
  10. 2004/09/18
    grant154

    grant154 Inactive Thread Starter

    Joined:
    2002/10/18
    Messages:
    64
    Likes Received:
    0
    Browser Hijack

    A search reveals a clue = uninstall Messenger Plus... hey presto, the BO's did not yet reappear on HJT log!!!
     
  11. 2004/09/18
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Interesting. When Messenger Plus is running (and it is a bad thing) we normally see an entry like

    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe "
     
  12. 2004/09/18
    grant154

    grant154 Inactive Thread Starter

    Joined:
    2002/10/18
    Messages:
    64
    Likes Received:
    0
    MSN Messenger Plus

    Why is it a bad thing!!
    When I also deleted MSN Plus from another machine and ran HijackThis, the BO's disappeared also.
    Thanks for your help
    duncan
     
  13. 2004/09/18
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    The app itself is not a bad thing at all. Could have potentially been a nice add-on.

    However, it brings a shed load of other spyware-type stuff along with it and the license agreement is ... well, I'll bet you didn't read what you agreed to when you checked it.
     
  14. 2004/09/19
    grant154

    grant154 Inactive Thread Starter

    Joined:
    2002/10/18
    Messages:
    64
    Likes Received:
    0
    Good point -- many thanks..........Duncan
     