Alright guys
I'm an IT techie with a techie problem, so you know i'm having problems with this one!
Got a guy who's PC when he goes onto Google in either firefox or IE, the search results are hijacked, bringing up crap/dodgey URL's in the results instead of the genuine ones. I've tried the following things
Hijackthis now looks like this
Anyone got any suggestions?
JHACMS5 is the company mailing system so that's not dodgey
Cheers
I'm an IT techie with a techie problem, so you know i'm having problems with this one!
Got a guy who's PC when he goes onto Google in either firefox or IE, the search results are hijacked, bringing up crap/dodgey URL's in the results instead of the genuine ones. I've tried the following things
- Delete Cookies
- Delete Temp
- Delete Temporary internet files Content.ie5 directory subfolders & contents
- Run Ad-aware
- Run Spybot (Some entries removed - cookies mostly)
- Run CWShredder - nothing found
- Run Regcleaner to remove unwanted registry entries
- Run Hijackthis and removed all dodgey entries - bar one which wont go
- Run MSConfig to remove unneeded startup services & applications.
- Checked System32 for any dodgey exe files & program files for dodgey applications
- Re-installed IE7, Firefox 3 & updates
- System Restore Point - (this failed)
Hijackthis now looks like this
- Logfile of HijackThis v1.99.1
Scan saved at 11:23:18, on 17/12/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\JHACMS5\JHACMS5.exe
C:\Documents and Settings\jerome\Desktop\HijackThis - Newer.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=3080328
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by John Hall Associates Limited
O1 - Hosts: 160.43.94.2 fw1.bloomberg.com
O1 - Hosts: 160.43.94.3 fw2.bloomberg.com
O1 - Hosts: 160.43.13.10 lftp1.bloomberg.com
O1 - Hosts: 160.43.13.13 lftp2.bloomberg.com
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = JHAL.local
O17 - HKLM\Software\..\Telephony: DomainName = JHAL.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = JHAL.local
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - (no file) << CANT REMOVE THIS ONE!!
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Unknown owner - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" -service (file missing)
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
Anyone got any suggestions?
JHACMS5 is the company mailing system so that's not dodgey
Cheers