My brother's computer browser is being hijacked and I'm trying to help him get what ever is doing this removed from his computer.

Please help me pick the right ones to remove that's doing this. Any other advice would be great. Thanks...Matt

Here is the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:33:42 PM, on 9/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\PeoplePC\ISP6330\Browser\Bartshel.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\PeoplePC\ISP6330\Browser\PPShared.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PeoplePC\ISP6330\Browser\Bartshel.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3EFBA2A9-651C-43A6-940A-AAFA2E3258F8} - C:\WINDOWS\system32\AVMETE.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: PeoplePC ScamGuard - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - (no file)
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\ppctoolbar.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\ppctoolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6330\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1026.dll,InstantAccess
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_EN_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3409EE8-2D54-479F-9F4E-2CE5D424F2D2}: NameServer = 209.244.0.3 209.244.0.4
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11963 bytes

I'm not sure what you mean by "being hijacked". Are searches being redirected, ads popping up randomly? I'll just see what I can find in the report.

A few things I've noticed from your report...

- From the report, I can't tell if he uses Firefox, Safari, or Google Chrome. So... I'll assume he uses IE, in which case he should consider switching to a better browser. (Like the above mentioned ones!)

- Internet Explorer is out of date. (6sp2) The latest version is IE7.

- He has Musicmatch installed. Yahoo! discontinued that software years ago. If he doesn't use it, I suggest uninstalling it to free up space. If he does use it, he might want to consider switching to Winamp.

- Not sure if "SUPERAntiSpyware" is really necessary. Norton Antivirus detects malware just like it does viruses.

- He has the Yahoo! toolbar and a PeoplePC (dialup internet) toolbar. Both of these can be uninstalled via Add/Remove Programs. He can also use IE to disable the toolbars.

- His version of Java is out of date.

- His IE homepage and search engine are set to Dell & PeoplePC pages. (totally lame) He should know that he can customize what site loads when IE starts. When he upgrades to IE7, he'll be offered the opportunity to change his default search engine to replace the PeoplePC search.

- He has lots of printer drivers - A Kodak printer, a Dell, and a Canon Pixma. If he isn't using some or all of these printers anymore, remove the software via Add/Remove programs.

- He has RealPlayer installed. If he doesn't use it, uninstall it. If he does make use of it, replace it with RealPlayer Enterprise, which doesn't have the extra baggage of its consumer-oriented twin.

Hope that was somewhat helpful!

quote:

- Not sure if "SUPERAntiSpyware" is really necessary. Norton Antivirus detects malware just like it does viruses.

Thats what caught My eye too

Delete this and install Avast!AntiVirus www.avast.com and Spywareblaster too www.spywareblaster.com

Could be your "Hijacker" is the above program Half dealt with a threat or have a false positive on the computer?
Question is it updated daily? Avast is(Automatically)
Spywareblaster is a 1 per month Manual update unless there is a New threat (Populates the restricted sites list too)

Also advise downloading/installing Easycleaner from ToniArts and running it on the Registry Cleaner ,Unnecessary, and Cookie clearance too Means you have to login manually next time

http://personal.inet.fi/business/toniarts/ecleane.htm

And I agree updating to IE 7.0 is a good move (and it is stable)
Norton can be a bit cranky too.Support updated can be spotty.
All the above programs are Free, and they do better in most cases than the "Paid for" software

quote:

Originally posted by JWooden271:
I'm not sure what you mean by "being hijacked". Are searches being redirected, ads popping up randomly? I'll just see what I can find in the report.

A few things I've noticed from your report...

- From the report, I can't tell if he uses Firefox, Safari, or Google Chrome. So... I'll assume he uses IE, in which case he should consider switching to a better browser. (Like the above mentioned ones!)

- Internet Explorer is out of date. (6sp2) The latest version is IE7.

- He has Musicmatch installed. Yahoo! discontinued that software years ago. If he doesn't use it, I suggest uninstalling it to free up space. If he does use it, he might want to consider switching to Winamp.

- Not sure if "SUPERAntiSpyware" is really necessary. Norton Antivirus detects malware just like it does viruses.

- He has the Yahoo! toolbar and a PeoplePC (dialup internet) toolbar. Both of these can be uninstalled via Add/Remove Programs. He can also use IE to disable the toolbars.

- His version of Java is out of date.

- His IE homepage and search engine are set to Dell & PeoplePC pages. (totally lame) He should know that he can customize what site loads when IE starts. When he upgrades to IE7, he'll be offered the opportunity to change his default search engine to replace the PeoplePC search.

- He has lots of printer drivers - A Kodak printer, a Dell, and a Canon Pixma. If he isn't using some or all of these printers anymore, remove the software via Add/Remove programs.

- He has RealPlayer installed. If he doesn't use it, uninstall it. If he does make use of it, replace it with RealPlayer Enterprise, which doesn't have the extra baggage of its consumer-oriented twin.

Hope that was somewhat helpful!

Sorry, What I mean by being hijacked is that if he does a search on Goggle like for example if he searches for his school's website, Morehead State University and he clicks one of the results from goggle instead of going to what he clicked like his school's website, it takes him to some stupid advertising page instead.

We both tried installing spyware and adware removers but they don't work. That what SUPERAntiSpyware is, one of the non-working spyware removers.

Yes, He computer is out of date. He's too busy with school and work to take time to update it. With dial-up internet it's a super slow process. I need to take time to try to update date it for him.

He really has little virus protection . His Norton Antivirus has not been updated in awhile and I added Avira AntiVir to help remove any viruses on his computer.

Can anyone spot the spywear or adwear on the log above so I can remove it?

Thanks you help was very helpful...Matt

quote:

Originally posted by bedstor:

quote:

- Not sure if "SUPERAntiSpyware" is really necessary. Norton Antivirus detects malware just like it does viruses.

Thats what caught My eye too

Delete this and install Avast!AntiVirus www.avast.com and Spywareblaster too www.spywareblaster.com

Could be your "Hijacker" is the above program Half dealt with a threat or have a false positive on the computer?
Question is it updated daily? Avast is(Automatically)
Spywareblaster is a 1 per month Manual update unless there is a New threat (Populates the restricted sites list too)

Also advise downloading/installing Easycleaner from ToniArts and running it on the Registry Cleaner ,Unnecessary, and Cookie clearance too Means you have to login manually next time

http://personal.inet.fi/business/toniarts/ecleane.htm

And I agree updating to IE 7.0 is a good move (and it is stable)
Norton can be a bit cranky too.Support updated can be spotty.
All the above programs are Free, and they do better in most cases than the "Paid for" software

Thanks for your help too. I plan on updating his computer.

quote:

O2 - BHO: (no name) - {3EFBA2A9-651C-43A6-940A-AAFA2E3258F8} - C:\WINDOWS\system32\AVMETE.dll

Now that I look at it again... the AVMETE.dll BHO looks a little suspicious. You should be able to disable it fairly easily.

If his Norton subscription has expired, and is no longer up to date, go ahead and remove Norton. Once an antivirus product is out of date, its useless. Glad that you at least have Avira up and running now.

Again, I would recommend that you push him to switch to a different web browser. It prevents re-infection by closing off the point of entry.

If you are having frustrations with dialup speed, I would suggest taking a flash drive to your local library and using their connection (typically high-speed) to download the software. Or if its a laptop with wifi, some chain restaurants such as McDonalds and Krystal offer free wifi.

quote:

Now that I look at it again... the AVMETE.dll BHO looks a little suspicious. You should be able to disable it fairly easily.

Some more info here (yes it is a known pest)
www.file.net/process/avmete.dll.html