I have a browser hijacker!

[pv1yang]

Houston, we have a problem. My browser takes me to some bs search page whenever it starts up, not to the home site I set. I'm wondering if you guys could help me. I've already tried Ad-aware SI Personal but to no avaiil. Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:00:26 AM, on 10/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Applications\Software Applications\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
F:\Applications\Software Applications\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
F:\Applications\Software Applications\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
F:\Applications\Software Applications\Google\Google Desktop Search\GoogleDesktop.exe
F:\Applications\Software Applications\USBToolbox\Res.EXE
F:\Applications\Software Applications\Chameleon Clock\ChamClock.exe
C:\WINDOWS\system32\ctfmon.exe
F:\Applications\Software Applications\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
F:\Applications\Software Applications\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
F:\Applications\Software Applications\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\System32\svchost.exe
F:\Applications\Software Applications\Google\Google Desktop Search\GoogleDesktopDisplay.exe
F:\Applications\Software Applications\Google\Google Desktop Search\GoogleDesktopCrawl.exe
F:\Applications\Software Applications\MSN Messenger\msnmsgr.exe
F:\Applications\Software Applications\LimeWire\LimeWire.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\dllhost.exe
F:\Applications\Software Applications\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Applications\Software Applications\Mozilla Firefox\firefox.exe
F:\Applications\Software Applications\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.army.mil
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Applications\Software Applications\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - F:\Applications\Software Applications\AiRoboform\roboform.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Applications\Software Applications\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Applications\Software Applications\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - F:\Applications\Software Applications\AiRoboform\roboform.dll
O4 - HKLM\..\Run: [Google Desktop Search] "F:\Applications\Software Applications\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [USB Storage Toolbox] F:\Applications\Software Applications\USBToolbox\Res.EXE
O4 - HKLM\..\RunOnce: [System Mechanic Cache Cleanup] F:\Applications\Software Applications\System Mechanic 5 Professional\SysMech5.exe /COMPLETECACHE
O4 - HKCU\..\Run: [HomeAlarm] F:\Applications\Software Applications\Chameleon Clock\ChamClock.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] F:\Applications\Software Applications\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [iolo Task Agent] C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = F:\Applications\Software Applications\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Customize Menu - file://F:\Applications\Software Applications\AiRoboform\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\APPLIC~1\SOFTWA~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://F:\Applications\Software Applications\AiRoboform\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://F:\Applications\Software Applications\AiRoboform\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://F:\Applications\Software Applications\AiRoboform\RoboFormComSavePass.html
O8 - Extra context menu item: Search Current News - file://\program files\powershell-xp3\search5.htm
O8 - Extra context menu item: Search Encyclopedia - file://\program files\powershell-xp3\search4.htm
O8 - Extra context menu item: Search for Images - file://\program files\powershell-xp3\search3.htm
O8 - Extra context menu item: Search Newsgroups - file://\program files\powershell-xp3\search2.htm
O8 - Extra context menu item: Search the Web - file://\program files\powershell-xp3\search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\Applications\Software Applications\AiRoboform\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\Applications\Software Applications\AiRoboform\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\Applications\Software Applications\AiRoboform\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\Applications\Software Applications\AiRoboform\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\Applications\Software Applications\AiRoboform\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\Applications\Software Applications\AiRoboform\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\APPLIC~1\SOFTWA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1117562803610
O17 - HKLM\System\CCS\Services\Tcpip\..\{55ACEFCC-D545-415D-A55B-97B8D708C592}: NameServer = 205.171.3.65 205.171.2.65
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - F:\Applications\Software Applications\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - F:\Applications\Software Applications\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - F:\Applications\Software Applications\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - F:\Applications\Software Applications\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - F:\Applications\Software Applications\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

Thank you for your help.

 

[MicroBell]

Hi and Welcome to TF

Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.

• Ad-Aware® SE Personal Edition
  *Note* For Ad-AwareSE also install the VX2 Addon Cleaner To run this tool once Adaware is updated click on Add-ons in the lefthand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK" , then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.
  
• Spybot Search & Destroy
• CWShredder

Also make sure you are using the the latest version (1.99.1) of HijackThis and it's installed in it's own folder on the root drive. (C:\HJT)

Run hijackthis and fix the following entrys...

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.army.mil
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

Reboot the PC and see if your still being hijacked. If so..proceed below.

Download: StartDreck

Unzip to its own folder and start the program:
Press 'Config'
Press 'Mark All'

UN-Check the 'NT-Services & NT-Kernel...' boxes only:
Press 'Ok'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread

Please run an online scan at http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Once it has finished save the activescan log. Then post that log in your next post.