HELP PLEASE my browser gets hijacked by HITPOINTER

  BrianColneRoad 14:36 21 Sep 2004
Locked

Spybot & Adaware do not solve the problem. I understand that if certain items are removed from a log generated by something called HIJACK THIS it could solve my problem. My problem is I dont know which??

  nick_j007 16:18 21 Sep 2004

Post a log of your results here (may be in two batches) and someone might well come to your rescue.

Also, search under 'hijackthis forums' or something like that on Google as you will find people posting logs up all the time somewhere.

HTH,

Nick

  Lionheart ? 16:26 21 Sep 2004

You could try this click here a favourite of VoG™ .

  rawprawn 16:35 21 Sep 2004

click here Download and run this program, turn system restore off before you scan. It takes quite a while to scan about 90 minutes but it is very thorough and it may solve your problem.

  VoG II 17:18 21 Sep 2004

How to post a HJT log click here

As above, you will need to do this in "chunks" because of the 800 word per post limit on this site.

  BrianColneRoad 17:29 21 Sep 2004

Logfile of HijackThis v1.98.2
Scan saved at 17:28:21, on 21/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\system32\AEIWLSTA.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\DllHost.exe
C:\PROGRA~1\Abacast\Abaclient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
c:\windows\system32\glwjmgeb.exe
C:\Program Files\Norton AntiVirus\OPScan.exe
C:\Documents and Settings\Brian Cooke\Desktop\HijackThis.exe

  BrianColneRoad 17:31 21 Sep 2004

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = click here*click here
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = click here*click here
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = click here
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = click here*click here
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = click here*click here
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = click here*click here
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

  BrianColneRoad 17:35 21 Sep 2004

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE START
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [glwjmgeb] c:\windows\system32\glwjmgeb.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.4.2.25\InstallStub.exe -a
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra button: Radio Free Virgin Player - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - C:\Program Files\Radio Free Virgin Player\Radio Free Virgin.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

  BrianColneRoad 17:36 21 Sep 2004

O14 - IERESET.INF: START_PAGE_URL=click here
O16 - DPF: symsupportutil - click here
O16 - DPF: Yahoo! Chat - click here
O16 - DPF: Yahoo! Towers 2.0 - click here
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - click here
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - click here
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - click here
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - click here
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - click here
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - click here
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - click here
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - click here
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - click here
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - click here
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - click here
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - click here
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - click here
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - click here
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - click here
O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - click here
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - click here
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - click here
O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} (Yahoo! Photos Easy Upload Tool Class) - click here
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - click here
O17 - HKLM\System\CCS\Services\Tcpip\..\{33BB71AE-3877-44E8-AC9C-BE9F543713AD}: NameServer = 194.168.4.100 194.168.8.100

  BrianColneRoad 17:37 21 Sep 2004

Thats the complete log

  Nellie2 18:45 21 Sep 2004

Hello :)

Could you run hijackthis again and make sure all browsers and windows are closed, including this one, put a tick against the following and click 'fix checked'

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/ *hxxp://click here

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/
*hxxp://click here

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/ *hxxp://click here

O4 - HKLM\..\Run: [glwjmgeb] c:\windows\system32\glwjmgeb.exe /install

O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.4.2.25\InstallStub.exe -a <-- this looks like it has been installed from the web as the following O16 is the installer... if you didn't download this then fix it.

O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - hxxp://down.plaxo.com/down/release/instub.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - hxxp://software-dl.real.com/06d05e81772e6bfffb05/netzip/RdxIE601.cab

O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - hxxp://offers.brightstreet.com/cif/download/bin/actxcab.cab

Then boot into safe mode and enable hidden files and folders, see click here and click here for instructions, and delete the following,

c:\windows\system32\glwjmgeb.exe <-- file

Then reboot and let me know if it is any better, you can post a fresh log for me to check over if you like

This thread is now locked and can not be replied to.

Elsewhere on IDG sites

OnePlus 5 review

Alice Saey's mesmerising animation for Dutch singer Mark Lotterman

iPad Pro 10.5in (2017) review

Comment faire une capture d’écran sur un Mac ?