| Tags: browser hijack, spyware |
#1
| Browser hijacked * Help please *
I'm having a very difficult time with a browser hijack. I believe I was viewing an e-mail and I clicked on a site and Explorer took off, I use Firefox so I'm not sure what happened, ever since then I've been hijacked to: Orbit MySafeTrip.com and WinAntivirus.com. The Spyware programs that I have and several that I've downloaded on a trial basis, none find anything except SpyNoMore and I'm not so sure about it. I have used Spyware Doctor, AdAware, Symantec, and stand alone Symantec Fix Vundo, Avast cleaner, and Xoffspy I have run them on safe mode.

Enclosed is a copy of my log using Hijack This. It's been several days now so I hope someone spots something, or has a solution to my dilemma because I ran out of ideas.

Thanks for your time
TheBoz

Logfile of HijackThis v1.99.1
Scan saved at 7:38:07 PM, on 9/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\VCOM\PowerDesk\PDExplo.exe
D:\Download\hijackthis\HijackThis.exe

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1141707882250
O16 - DPF: {C77FB8C0-8B6D-440E-AC26-2BD39E97E8F2} (SpdTCtl Class) - http://speedtest.adelphia.net/custom...ESTACTIVEX.CAB
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
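A HijackThis log like the one in the post above is a header, a process list, and then `Code - detail` entries. The following Python is an added example, not part of the original post and not HijackThis's own code: it groups those entries by section code and picks out the ones whose target file is missing. The function names `parse_hjt` and `triage` and the section labels are this example's own; the sample lines are copied from the posted log.

```python
import re

# Labels for the section codes that occur in the log above (wording is this example's).
SECTIONS = {
    "O3": "IE toolbar",
    "O4": "Run-key autostart",
    "O8": "IE context-menu item",
    "O9": "IE extra button / Tools menu item",
    "O16": "downloaded ActiveX control (DPF)",
    "O23": "service",
}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Sample input: lines copied from the log in the post above.
SAMPLE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
"""


def parse_hjt(text):
    """Return one dict per 'Code - detail' entry; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, detail = m.groups()
        clsid = CLSID.search(detail)
        entries.append({
            "code": code,
            "section": SECTIONS.get(code, "unknown section"),
            "clsid": clsid.group(0).upper() if clsid else None,
            "orphaned": detail.endswith("(no file)"),
            "detail": detail,
        })
    return entries


def triage(entries):
    """Entries to read first: missing target files and unrecognised section codes."""
    return [e for e in entries if e["orphaned"] or e["section"] == "unknown section"]


if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE)):
        print(e["code"], e["section"], e["clsid"], e["detail"])
```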
|
#2
| Re: Browser hijacked * Help please *
From: "TheBoz" <TheBoz@invalid.net>

| I'm having a very difficult time with a browser hijack. I believe I
| was viewing an e-mail and I clicked on a site and Explorer took off, I
| use Firefox so I'm not sure what happened, ever since then I've been
| hijacked to: Orbit MySafeTrip.com and WinAntivirus.com. The Spyware
| programs that I have and several that I've downloaded on a trial
| basis, none find anything except SpyNoMore and I'm not so sure about
| it. I have used Spyware Doctor, AdAware, Symantec, and stand alone
| Symantec Fix Vundo, Avast cleaner, and Xoffspy I have run them on safe
| mode.
| Enclosed is a copy of my log using Hijack This. It's been several days
| now so I hope someone spots something, or has a solution to my dilemma
| because I ran out of ideas.
| Thanks for your time
| TheBoz
|
| Logfile of HijackThis v1.99.1
| Scan saved at 7:38:07 PM, on 9/14/2006
| Platform: Windows XP SP2 (WinNT 5.01.2600)
| MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
|

< snip >

Please do not post HJT logs to this News Group. It is a violation of this News Group's FAQ section #7 [ http://shplink.com/misc/FAQ.htm ]

--------------------------------------------------------------------------------

< snip >

--- 7. Are there any posting restrictions, rules or guidelines? ---

We encourage you not to post HijackThis! logs here. HijackThis! logs will most likely be ignored. Responses to logs or URLs posted on forums may come from people with questionable credentials and expertise. The possibility exists that the combination of such a powerful tool and dubious advice will damage your system. You will be much safer and wiser to seek analysis at an (expert) Web Forum that handles HijackThis! logs. See Appendix 2 for a list.

Also, unless requested, do not post the URL where you suspect you obtained your adware spyware malware / parasite infection. Instead, alter the URL in some way so as to make it human-readable but NOT clickable, such as "h**p://www.removethis.example.c*m". Why? Unsuspecting or inexperienced lurkers might just click on the URL and get unwittingly hijacked. Note that this request applies only to suspect URLs, and is not meant to discourage the posting of information about possibly rogue web sites. Please DO tell us about them; just do so safely.

--------------------------------------------------------------------------------

< snip >

Extracted from Appendix 2. Forums where you can get expert advice for HiJack This! (HJT) logs.

NOTE: Registration is REQUIRED before posting a log
NOTE: Web sites NOT listed in any particular order

http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/security
http://castlecops.com/forum67.html
http://www.wilderssecurity.com/forumdisplay.php?f=24
http://www.cybertechhelp.com/forums/...splay.php?f=25
http://www.geekstogo.com/forum/Malwa..._Here-f37.html
http://gladiator-antivirus.com/forum...?showforum=170
http://forum.iamnotageek.com/f-130.html
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://boards.cexx.org/viewforum.php?f=1
http://www.malwarebytes.biz/forums/i...hp?showforum=5

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
|
#3
| Re: Browser hijacked * Help please *
First read this http://www.pcbutts1.com/downloads then download Superfix. http://www.pcbutts1.com/downloads/superfixsetup.zip

--
The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards. See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com

"TheBoz" <TheBoz@invalid.net> wrote in message news:jcqjg250s6rvr4o8nh572ufhv6qomk88dm@4ax.com...
> I'm having a very difficult time with a browser hijack. I believe I
> was viewing an e-mail and I clicked on a site and Explorer took off, I
> use Firefox so I'm not sure what happened, ever since then I've been
> hijacked to: Orbit MySafeTrip.com and WinAntivirus.com. The Spyware
> programs that I have and several that I've downloaded on a trial
> basis, none find anything except SpyNoMore and I'm not so sure about
> it. I have used Spyware Doctor, AdAware, Symantec, and stand alone
> Symantec Fix Vundo, Avast cleaner, and Xoffspy I have run them on safe
> mode.
> Enclosed is a copy of my log using Hijack This. It's been several days
> now so I hope someone spots something, or has a solution to my dilemma
> because I ran out of ideas.
> Thanks for your time
> TheBoz
>
> Logfile of HijackThis v1.99.1
> Scan saved at 7:38:07 PM, on 9/14/2006
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
>
|
#4
Ask yourself if you really want to trust the advice and files provided by a person that has all of their posts deleted, hides by 20+ different identities, and has foul content on their website that they post links to in Usenet.

Only download software you can validate as uncompromised - in the case of a non-vendor site you have no guarantee that the files are unmodified or uncompromised. Anyone providing a link to a non-vendor's site with a direct download should not be trusted, the vendors' sites are the safest place to download their application. No person of sound mind would download files from a hack site that requires a password to access the unknown files when they are available directly from the vendors.

Always remember - only download files from Trusted Sites.

The following links will take you to vendors' sites for Spy Ware / Ad ware removal tools and also for Antivirus tools. After you install any of these applications and update them, run them in SAFE MODE to allow them to properly clean your system.

First, make sure that your Java is updated to the latest version:
http://www.java.com/en/download/index.jsp

These sites are for downloading Anti-Malware and Anti-Spyware tools, in order that I would use them myself:

Dave Lipman's tools:
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Rogue Fix - This removal tool is the property of Internet Inspiration
http://www.internetinspiration.co.uk/roguefix.htm

Secured2K's AntiPauper (download link/info at)
http://forums.mcafeehelp.com/viewtopic.php?t=65072

AdAwareSE can be found here:
http://www.lavasoft.de/support/download/

SpyBot Search and Destroy can be found here:
http://www.safer-networking.org/en/download/index.html

HiJack can be found here:
http://www.spywareinfo.com/~merijn/downloads.html

Ewido Security Suite Trial can be found here:
http://www.ewido.net/en/download/

CrapCleaner can be found at the vendor's site here:
http://www.ccleaner.com/ccdownload.asp

CleanUp can be found at the vendor's site here:
http://www.stevengould.org/software/.../download.html
or from another reputable source:
http://www.tucows.com/get/405276_152071

The following are two links to Antivirus software in order that I would use them:

You can also download Symantec Trial version of their Antivirus software from here:
http://www.symantec.com/downloads/

Download AVG Personal Free edition from here:
http://free.grisoft.com/freeweb.php/doc/2/

These are the actual vendors' sites, not some unknown or authorized no-name site. They also don't artificially increase the hits for sites that get paid for the amount of traffic they can generate like one poster has admitted to in this group.

Last edited by FReakMaster : 07-05-2008 at 08:52 PM.
|
#5
| Re: Browser hijacked * Help please * Mybad sorry
On Thu, 14 Sep 2006 21:19:45 -0700, "pcbutts1" <pcbutts1@seedsv.com> wrote:

>Actually I just finished my latest, got all the bugs out and updated it.
>Spyerase now has 1100+ signatures to remove all variants of Spyaxe,
>SpyFalcon, SpywareQuake, Security toolbar, Surf sidekick, TitanShield
>Antispyware, TrustCleaner, Virusburst, Search Maid, Virtual Maid,Antivirus
>Gold, Antivirus Golden,BraveSentry,Malwarewipe, PestTrap, Protection Bar,
>RemedyAntispy, Safety Bar, Virtumundo, Zlob, and many more. First read this
>http://www.pcbutts1.com/downloads then download Spyerase at
>http://www.pcbutts1.com/downloads/spyerasesetup.zip

The file you requested was not found on this Web site
|
#6
| Re: Browser hijacked * Help please * Mybad sorry
In article <WYWdndOYbZR_HZbYnZ2dnUVZ_qKdnZ2d@giganews.com>, pcbutts1@seedsv.com says...
> Wrong again Stalker.

Unlike the democrats, you won't be able to change history by denying it.

--
spam999free@rrohio.com
remove 999 in order to email me
|
#7
| Re: Browser hijacked * Help please * Mybad sorry
As I stated to someone who is on this thread: Looks like I stepped on a hornet's nest when I asked for help. Seems this group has some regulars as all groups do, that just don't get along, and that's too bad because when a question is asked it goes unanswered.

Getting back to my problem of browser hijacking if I may, I did try just about all of the programs that were recommended and none stopped my hijacking. Most of them claimed that they found something that was suspicious but it didn't cure the hijacking. I noticed a program and tried it, all my troubles went away. SUPERAntiSpyware.

To keep my message short and not get into a p*ssing contest, if anyone ever asks me for help I'll tell them in one word. "SUPERAntiSpyware"

Thanks for the help at the beginning of this thread it pointed me in the right direction, what happened after that?

Thanks again and remember "SuperAntiSpyware"
TheBoz