Help me please

Unread postby roberinsky » November 2nd, 2010, 9:45 am

My browser keeps getting hijacked and I have tried everything to try to get rid of this malware. Here's my log, and thanks in advance.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:37:32 AM, on 02/11/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
H:\Windows\system32\taskhost.exe
H:\Windows\system32\Dwm.exe
H:\Windows\Explorer.EXE
H:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
H:\Program Files\Logitech\SetPointP\SetPoint.exe
H:\Program Files\Microsoft Security Essentials\msseces.exe
H:\Program Files\DAEMON Tools Lite\DTLite.exe
H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
H:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
H:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
H:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
H:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
H:\Users\Catrob\Desktop\HijackThis.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
H:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - H:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - H:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - H:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [RtHDVCpl] H:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [EvtMgr6] H:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
O4 - HKLM\..\Run: [MSSE] "h:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "H:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "H:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "H:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - Startup: LimeWire On Startup.lnk = H:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://H:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - H:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O10 - Unknown file in Winsock LSP: h:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: h:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Acronis OS Selector Reinstall Service (AcronisOSSReinstallSvc) - Unknown owner - H:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - H:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - H:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: NMSAccess - Unknown owner - H:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - H:\Windows\system32\nvvsvc.exe

--
End of file - 5673 bytes
roberinsky
Active Member
 
Posts: 3
Joined: November 2nd, 2010, 9:40 am

Re: Help me please

Unread postby Gizzy » November 4th, 2010, 12:52 am

Hello roberinsky and Welcome to Malware Removal! :)
My name is Gizzy and I will be helping you to remove any infection(s) that you may have.

Please note the following:
  • I will be working on your Malware issues, this may or may not solve other issues you have with your computer.
  • The fixes are specific to your problem and should only be used for this issue on this computer.
  • If you don't know or understand something stop and ask! Don't keep going on.
  • Please DO NOT run any tools or scans unless I ask you to.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use; be assured, any links I give are safe.
  • The process is not instant. Please continue to respond to this thread until I give you the All Clean! Absence of symptoms does not mean that everything is clear.

Note: As I am still in training, all of my posts must first be checked by an Expert/Teacher, so some delays may be inevitable. Please be patient and I will reply again asap.


Uninstall List
  1. Open HijackThis.
  2. Click the Open the Misc Tools section button. (If you don't see that button click the Main Menu button first)
  3. Click the Open Uninstall Manager... button and then click the Save list... button.
  4. Save the uninstall_list.txt file to your HijackThis folder. (C:\Program Files\Trend Micro\HijackThis)
  5. Copy and Paste the contents of uninstall_list.txt in your next reply.
Gizzy
Retired Graduate
 
Posts: 1101
Joined: December 30th, 2008, 9:54 pm
Location: NJ, USA

Re: Help me please

Unread postby roberinsky » November 4th, 2010, 6:55 pm

Thanks for your reply. It all started off like every other second post in this forum (about Google redirecting), so I ran a virus scan and sure enough I had a virus and removed it. That didn't seem to work, as I still got redirected, so I uninstalled Google Toolbar and thought I would be fine. Nope, nope, nope. When left unattended for a while my computer wouldn't open up Windows Explorer or any other programs, and shutting down would just leave me hanging on a black screen. So I tried Malwarebytes (latest updates) and it also finds viruses and malware and removes them, but still no luck. I run both Malwarebytes and virus scans like 2 or 3 times daily, always finding the same malware and viruses and removing them, but to no avail. Your help would be much, MUCH appreciated. Thanks in advance :P
roberinsky
Active Member
 
Posts: 3
Joined: November 2nd, 2010, 9:40 am

Re: Help me please

Unread postby roberinsky » November 4th, 2010, 6:56 pm

Oops, forgot the logfile you asked for.
µTorrent
32 Bit HP CIO Components Installer
3D Home Architect Design Suite Deluxe 8
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.0
CDBurnerXP
Dark Tales 2 Edgar Allan Poes The Black Cat Collectors Edition 1.00
DVD Flick 1.3.0.6
eReg
Family Feud 2010 1.0.4
Garmin MapSource
Garmin USB Drivers
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
Haunted Halls Green Hills Sanitarium Collectors Edition 1.00
HP Customer Participation Program 13.0
HP Deskjet All-In-One Driver Software 13.0 Rel. 1
HP Imaging Device Functions 13.0
HP Photosmart Essential 3.5
HP Smart Web Printing 4.60
HP Solution Center 13.0
HP Update
ImgBurn
Java(TM) 6 Update 18
LimeWire 5.5.8
Logitech SetPoint 6.0
Malwarebytes' Anti-Malware
MapSource
MapSource - MetroGuide Canada v4
Medal Of Honor 2010.Limited Edition
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile
Microsoft Antimalware
Microsoft Office Live Add-in 1.5
Microsoft Office XP Professional with FrontPage
Microsoft Security Essentials
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Mystery Case Files - Ravenhearst 1.00
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA PhysX
PVSonyDll
Realtek Ethernet Controller Driver For Windows 7
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Reincarnations 2 Uncover the Past Collectors Edition 1.00
Skype Toolbars
Skype™ 5.0
Twisted Lands Shadow Town Collectors Edition 1.00
Winamp
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
Windows Live ID Sign-in Assistant
Wings of Prey 1.0.3.2
WinRAR archiver
roberinsky
Active Member
 
Posts: 3
Joined: November 2nd, 2010, 9:40 am

Re: Help me please

Unread postby Gizzy » November 5th, 2010, 9:30 am

Hi roberinsky,

IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent
LimeWire 5.5.8


I'd like you to read the MRU policy for P2P Programs.

Please go to Control Panel > Programs and Features and uninstall the programs listed above (in red).
Also take note that remnants of the above program(s) and any other P2P program found will be removed when cleaning.


Fix HijackThis Entries
  1. Open HijackThis (Right-click and select Run as administrator)
  2. Click Scan
  3. Tick the box next to the following entries (if present)

    • R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    • R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

  4. Close all open windows/browsers and click Fix checked


TFC (Temp File Cleaner)
  1. Please download TFC from here and save it to your desktop.
  2. Save any unsaved work, TFC will close all open application windows.
  3. Right-click TFC.exe and select Run as administrator to run the program.
  4. Click the Start button in the bottom left of TFC
  5. If prompted, click Yes to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.


Download and Run RSIT
  1. Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  2. Right-click on RSIT.exe and select Run as administrator to run RSIT
  3. Click Continue at the disclaimer screen
  4. Once it has finished, two logs will open, log.txt (<<will be maximized) and info.txt (<<will be minimized)
  5. Copy & paste the contents of both logs in your next reply


Malwarebytes' Anti-Malware log
Please copy and paste the log where Malwarebytes' Anti-Malware found something in your next reply. It can be found here:
  • C:\Users\Username\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


Please reply with:
  • RSIT logs (log.txt and info.txt)
  • Malwarebytes' Anti-Malware log
Gizzy
Retired Graduate
 
Posts: 1101
Joined: December 30th, 2008, 9:54 pm
Location: NJ, USA
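As an added example, not part of this thread and not code from HijackThis or MalwareRemoval.com, the script below reads the HijackThis v2.0.4 log format posted earlier in the thread and flags the kinds of entries a helper looks at first: R0/R1 browser-setting lines with a blank value (the two Search entries Gizzy selected for fixing), O10 Winsock LSP lines that appear twice, an O23 service whose file is missing, and processes or Run entries living under a user profile. The sample log is constructed for this example and only modelled on the format above; the finding names and the profile-path heuristic are my own assumptions, not HijackThis rules.

```python
import re
from collections import Counter

# Constructed sample in the HijackThis v2.0.4 layout; the ExampleApp path is
# illustrative and not an indicator taken from any real infection.
SAMPLE_LOG = "\n".join([
    r"Logfile of Trend Micro HijackThis v2.0.4",
    r"Running processes:",
    r"H:\Windows\system32\taskhost.exe",
    r"H:\Users\Catrob\Desktop\HijackThis.exe",
    r"H:\Users\Catrob\AppData\Roaming\ExampleApp\exampleapp.exe",
    r"",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.ca/",
    r'O4 - HKLM\..\Run: [MSSE] "h:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey',
    r"O4 - HKCU\..\Run: [ExampleApp] H:\Users\Catrob\AppData\Roaming\ExampleApp\exampleapp.exe",
    r"O10 - Unknown file in Winsock LSP: h:\program files\common files\microsoft shared\windows live\wlidnsp.dll",
    r"O10 - Unknown file in Winsock LSP: h:\program files\common files\microsoft shared\windows live\wlidnsp.dll",
    r"O23 - Service: Acronis OS Selector Reinstall Service (AcronisOSSReinstallSvc) - Unknown owner - H:\Program Files\Common Files\Acronis\oss_reinstall_svc.exe (file missing)",
    r"--",
    r"End of file - 1234 bytes",
])

# Every scan entry is "<section code> - <body>", e.g. "R0 - HKLM\...,SearchAssistant =".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# Heuristic (assumption): executables under a user profile deserve a second look.
USER_PATH_RE = re.compile(r"\\users\\[^\\]+\\(appdata|desktop|downloads)\\", re.I)


def parse_hjt(text):
    """Return (running_processes, [(code, body), ...]) from a HijackThis log."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # the process list ends at the first blank line
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body")))
    return processes, entries


def review_candidates(text):
    """Return [(finding_kind, offending_line), ...] for entries worth a helper's review."""
    processes, entries = parse_hjt(text)
    findings = []
    for proc in processes:
        if USER_PATH_RE.search(proc):
            findings.append(("process-from-profile", proc))
    lsp_counts = Counter(body for code, body in entries if code == "O10")
    for code, body in entries:
        if code in ("R0", "R1") and body.endswith("="):
            # Blank browser setting; "Fix checked" resets it to the default.
            findings.append(("empty-browser-setting", body))
        elif code == "O4" and USER_PATH_RE.search(body):
            findings.append(("autorun-from-profile", body))
        elif code == "O23" and body.endswith("(file missing)"):
            # Service registration whose binary no longer exists.
            findings.append(("service-file-missing", body))
    for body, count in lsp_counts.items():
        if count > 1:
            findings.append(("duplicate-lsp-entry", body))
    return findings


if __name__ == "__main__":
    for kind, line in review_candidates(SAMPLE_LOG):
        print(f"{kind:24} {line}")
```

A finding is a prompt for review, not a verdict: the Desktop copy of HijackThis.exe trips the profile-path heuristic here exactly as it would in the posted log, and a blank LinksFolderName value would be listed next to the Search values even though only the latter were ticked for fixing. The helper's judgement stays in the loop; the script only makes the candidate lines easy to find in a long log.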

Re: Help me please

Unread postby Gizzy » November 7th, 2010, 9:44 am

Hi roberinsky,

Do you still require assistance?
If you do not reply to this topic within 24 hours of this post, it will be closed due to inactivity.
Gizzy
Retired Graduate
 
Posts: 1101
Joined: December 30th, 2008, 9:54 pm
Location: NJ, USA

Re: Help me please

Unread postby Elrond » November 8th, 2010, 10:40 am

Due to lack of activity this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem