Browsers, E-mail, & Web Apps forum

General discussion

Browser Hijack

by alrc2 / January 25, 2010 8:01 AM PST

I am using Firefox 3.6, recently released. When I click on a link from a Google search, I am redirected. I've run Malware Bytes, Spybot, AVG and Hijack This to assist in locating the malware/virus, to no avail.

Here is a log of Hijack This:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 5:41:04 PM, on 1/25/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Mozilla Firefox 3.6 Beta 3\firefox.exe
C:\Program Files\Hijack\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~3\Office14\URLREDIR.DLL
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - (no file)
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - (no file)
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O11 - Options group: [PAC] Automatic Proxy Configuration
O13 - Gopher Prefix:
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) -
O16 - DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} (diskhealth Class) -
O16 - DPF: {A553720A-BFED-4EA4-A71F-7EFCA690A1F7} (PCPitstop AntiVirus) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} -
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{E246068D-FB31-4680-BB19-87B81FC93136}: NameServer =,
O17 - HKLM\System\CS1\Services\Tcpip\..\{E246068D-FB31-4680-BB19-87B81FC93136}: NameServer =,
O17 - HKLM\System\CS2\Services\Tcpip\..\{E246068D-FB31-4680-BB19-87B81FC93136}: NameServer =,
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

End of file - 8020 bytes

I have located a couple of items, yet when I google them, they could be either virus or programme-specific processes. Which ones require removal?

Redirected where?
by John.Wilkinson / January 26, 2010 2:53 AM PST
In reply to: Browser Hijack

That can reveal a lot about the source of the issue. Also, does this issue only occur in Firefox, or does it affect IE as well?

We normally do not review HJT logs here, leaving it to forums that specialize in HJT analysis, but the O11 and O17 entries lead me to wonder about custom networking settings, particularly with regard to third-party proxy software. Bad proxies can cause such redirection in search results, so my initial suggestion is to disable such software/reverse the settings changes and optionally delete those four entries. Also, try running Windows in Safe Mode and see if the problems continue, indicating whether third-party startup applications are a factor.

Let us know.
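
An added example, not part of the original thread: a small Python triage script that groups HijackThis entries by section code and pulls out the ones touching proxy or DNS settings, which the reply above does by eye for O11 and O17. The sample lines are copied from the log posted above; treating O1 and R-section proxy keys as network-related is this example's own assumption.

```python
import re
from collections import defaultdict

# Constructed input: a few lines copied from the log posted in this thread.
SAMPLE = r"""Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Running processes:
C:\Program Files\AVG\AVG9\avgtray.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~3\Office14\URLREDIR.DLL
O11 - Options group: [PAC] Automatic Proxy Configuration
O17 - HKLM\System\CCS\Services\Tcpip\..\{E246068D-FB31-4680-BB19-87B81FC93136}: NameServer =,
O20 - AppInit_DLLs: avgrsstx.dll
"""

# O11 and O17 are the sections named in the reply; O1 (hosts file) and
# R-section keys containing "proxy" are this example's own additions.
NETWORK_CODES = {"O1", "O11", "O17"}
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def parse_hjt(text):
    """Group entry lines by section code; header and process lines are skipped."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2).strip())
    return sections


def network_entries(sections):
    """Return (code, setting, value) for proxy/DNS-related entries, in log order."""
    hits = []
    for code, bodies in sections.items():
        for body in bodies:
            # "key = value" where present; a pasted log may carry a blank value.
            setting, _, value = body.partition(" =")
            value = value.strip(" ,")
            if code in NETWORK_CODES or (code.startswith("R") and "proxy" in setting.lower()):
                hits.append((code, setting, value))
    return hits


if __name__ == "__main__":
    for code, setting, value in network_entries(parse_hjt(SAMPLE)):
        print(f"{code:4} {setting}\n     value: {value or '(blank in log, check the live setting)'}")
```

A blank value, as on the O17 lines here, means the log does not show what the setting holds, so the live proxy and DNS configuration still has to be read on the machine itself.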

Redirections in Browser Links, IE8 and Firefox 3.6
by alrc2 / January 26, 2010 3:20 AM PST
In reply to: Redirected where?


Thank you for responding. The problem persists in Safe Mode with both browsers. I had tried IE8 and I was getting no redirections until I uninstalled Firefox then reinstalled it, only importing bookmarks. Now both browsers suffer from the redirection.

Which lines do you suggest fixing or deleting?

IE8 and Firefox 3.6 Browser Redirection Follow-Up
by alrc2 / January 26, 2010 3:23 AM PST
In reply to: Redirected where?

The lines including DNS servers are those that I put in to use the Google DNS servers rather than those of my ISP. I've had no problems until the redirections.
Honestly, I was downloading a torrent file, then attempted to play the .avi file and was prompted to install a new codec. This was when I began experiencing the redirections.
If you see anything else suspicious in those lines, I can modify those or fix them.

A few things...
by John.Wilkinson / January 26, 2010 4:02 AM PST

-> Try performing a System Restore to a time prior to the start of the redirection issues.

-> Post the link(s) that you are being redirected to from Google; they can indicate the source of the problem.

-> Just as a test, try using your ISP's DNS servers temporarily; although Google's DNS service is certainly trustworthy, it would be nice to rule it out as a contributing factor.

-> Is the O11 entry related to the DNS changes you made or a third-party proxy application you installed?

-> The AVI download and subsequent "codec" installation are telling, though they do not provide clues as to the exact cause or resolution.

-> SuperAntiSpyware is a good complement to MBAM; running a full scan with it would not be excessive.


IE8 Firefox 3.6 Misdirection
by alrc2 / January 26, 2010 4:12 AM PST
In reply to: A few things...

No, I don't believe that line 11 has anything to do with Google DNS servers. I don't recall having installed anything and specifying automatic proxy configurations unless it may have been the bit torrent application. I have quite learned my lesson and will uninstall that completely, although I cannot imagine that it would be the cause of the misdirection. I used it numerous times prior to this codec thing.
I shall default to the ISP DNS servers additionally to see if the redirection continues.
I ran full scans again last night using both MBAM and SuperAntiVirus, and found only tracking cookies after I reinstalled Firefox.
I am using REVO Uninstaller to clean up registry entries when I remove programmes.
I will do a prior state restoral if the above steps don't clear off the redirections, and I will keep you posted once I arrive home tonight and can do this.

IE8 and Firefox redirection issue solved
by alrc2 / January 26, 2010 8:34 AM PST
In reply to: A few things...


I believe that the proxy issue was something with the bit torrent application. I uninstalled that and ran another utility called Hitman Pro 3.5, which seemed to pick up the items that neither Malware Bytes, SuperAntiVirus, nor AVG could locate, and neutralised them. I rescanned after a reboot and all traces were gone. I then uninstalled or disabled the AVG toolbar in both browsers, checked proxy settings to be sure that they hadn't been changed, and all seems well.

Thank you for your assistance!

Redirections in IE8 and Firefox 3.6, Other search pages
by alrc2 / January 26, 2010 3:26 AM PST
In reply to: Redirected where?

And additionally, when I attempt to go to any links produced by Google searches, I am taken to other search pages that sometimes list what I was Googling.
