I've just been hijacked by best-search.us and I can't get rid of it. I've got a HijackThis log file but I'm not sure what to do. This is the log:

Logfile of HijackThis v1.99.0
Scan saved at 13:52:50, on 20/12/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINNT\System32\CTHELPER.EXE
C:\WINNT\system32\xpsp2fw.exe
C:\WINNT\System32\cmd64.exe
C:\WINNT\System32\internat.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\wuclient.exe
C:\WINNT\System32\rundll32.exe
C:\Documents and Settings\maria\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://best-search.us/?page=home&pid=sext01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\medvv.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://best-search.us/?page=search&pid=sext01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
F2 - REG:system.ini: UserInit=C:\WINNT\System32\userinit.exe
O2 - BHO: Mega! - {8BC6346B-FFB0-4435-ACE3-FACA6CD77816} - C:\DOCUME~1\maria\LOCALS~1\Temp\MegaHost.dll
O2 - BHO: (no name) - {E9590744-812B-46C3-96EB-33212855927D} - C:\WINNT\System32\netcgf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WyvernWorks Ad Away] "C:\Program Files\WyvernWorks\Ad Away 2004\Ad Away.exe" -minimized
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINNT\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\System32\cmd64.exe internat.dll,LoadKeyboardProfile
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINNT\system32\wuclient.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\wkgpjwqu.exe
O16 - DPF: {12E5E9D9-4366-45D9-BA41-D0BCD55AD8CF} - http://17.sharedsource.org/html/NrsgroupUD_1.0.0.3ie.cab?
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {563ED66E-531B-51D2-5DB0-5080C83DA4EB} - ms-its:mhtml:file://C:\\MAIN.MHT!http://69.50.164.12/exp/mht/sext01.chm::/MegaInstaller.exe
O16 - DPF: {D18B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.slotchbar.com/ist/softwares/remove/ist_remove.cab
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Any help would be great, guys.
HijackThis won't actually fix anything, it's just a useful tool for quickly spotting any hijacks, especially if you know what you're looking for. Looking at your list above, you've got more than "best-search.us" to worry about. You've got at least 5 or 6 bits of spyware and search bar hijacks sitting there. 180solutions is one of them and particularly hard to get rid of.

I recommend that you download the following:

Spyware Blaster: install it, run it, download any updates (use the "updates" link), and then choose "enable all protection". That will prevent most spyware from installing and will help you get rid of it too.

Then download Spybot Search & Destroy. Install it, download updates and run a full clean (it will take a while).

Then download AdAware Personal and run that.

That triple whammy will hopefully sort you out. However, I have come across machines that were so badly infested with spyware that nothing but a full rebuild (re-install of Windows) would sort the problem.

If you want to avoid getting spyware in the future, cut down on those dodgy websites and use Firefox rather than the security nightmare that is IE6.

Michael.
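A small triage pass over the kind of log posted above, as an added example that is not part of the original posts and is not HijackThis's own code: it tags each entry by section code and flags the two names the reply calls out. The Temp-directory, non-http DPF and res:// checks are assumed heuristics for deciding what to look at first, not verdicts.

```python
import re

# HijackThis section codes that appear in the log above.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "O2": "Browser Helper Object", "O4": "autorun entry",
    "O15": "Trusted Zone entry", "O16": "ActiveX download (DPF)",
    "O23": "service",
}
# Names called out in the thread; matched as plain substrings.
NAMED_IN_THREAD = ("best-search.us", "180solutions")
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# A subset of lines copied from the posted log, so the block runs offline.
SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://best-search.us/?page=home&pid=sext01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\medvv.dll/sp.html#29126
O2 - BHO: Mega! - {8BC6346B-FFB0-4435-ACE3-FACA6CD77816} - C:\DOCUME~1\maria\LOCALS~1\Temp\MegaHost.dll
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\wkgpjwqu.exe
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
"""

def triage(log_text):
    """Return (code, section, reason) for each entry worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        code, body = m.groups()
        low = body.lower()
        reasons = [f"mentions {n}" for n in NAMED_IN_THREAD if n in low]
        # Assumed heuristic: BHO or autorun binary living in a Temp folder.
        if code in ("O2", "O4") and "\\temp\\" in low:
            reasons.append("loads from Temp directory")
        # Assumed heuristic: DPF source (last field) is not a plain http(s) URL.
        src = body.rsplit(" - ", 1)[-1].lower()
        if code == "O16" and not src.startswith(("http://", "https://")):
            reasons.append("DPF source is not http(s)")
        # Assumed heuristic: IE page setting served from a local res:// DLL.
        if code in ("R0", "R1") and "res://" in low:
            reasons.append("IE page points at local res:// resource")
        kind = SECTIONS.get(code, "other")
        findings.extend((code, kind, r) for r in reasons)
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep=" | ")
```
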
Yay! Somebody else has seen the light that is Firefox! *calms down* Seriously though, it is a very nice bit of software and considerably safer than IE6, as well as having tabbed browsing (once you've tabbed, you can't stop) which makes the whole internet experience easier. http://www.mozilla.org/products/firefox/central.html
May I suggest that when you install Spybot S&D you use the advanced options to lock your machine down and use Teatimer.exe to run in the background, as it keeps an eye on your registry keys and will warn whenever they are changed. A move to the Mozilla Firefox browser could be considered, as this can be set not to run nasty attachments unless you give it the OK. It will also allow you to turn off Java and JavaScript, so you can then explore the outer edges of the net with some degree of comfort and protection.
Rob,

If you still have problems, log onto this forum: http://www.gladiator-antivirus.com/ (you will have to register to get help). Go to security news and then the "Read this first" message, download their software, upload it back to them and they will then tell you what to do. The site is in the USA, but if you talk to them tonight you will probably have an answer by the morning. They are safe to use. I have used them a couple of times and so have other people in your situation that I have pointed in their direction.

I agree with all the other ideas put forward.

Best of luck,
mike