Full Version: Some sort of browser hijack?
JAGO
When I enter "wiki" into Firefox, it used to take me to Google's I'm Feelin' Lucky page. Now it takes me to "earthlink-help.net" - which is probably illegitimate.

Here's my HJT log.

QUOTE
Logfile of HijackThis v1.99.1
Scan saved at 2:00:10 AM, on 9/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Standalone\utorrent.exe
C:\Program Files\foobar2000\foobar2000.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Anthony\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

rridgely
Your log is clean. It seems Earthlink is doing something new with their DNS return errors (but it's causing more problems than helping).
http://slashdot.org/articles/06/09/03/1359221.shtml
http://blogs.earthlink.net/2006/09/update_..._handling_1.php

There are all sorts of complaints on the Earthlink blog.
JAGO
QUOTE(rridgely @ Sep 16 2006, 01:06 PM)

Your log is clean. It seems Earthlink is doing something new with their DNS return errors (but it's causing more problems than helping).
http://slashdot.org/articles/06/09/03/1359221.shtml
http://blogs.earthlink.net/2006/09/update_..._handling_1.php

There are all sorts of complaints on the Earthlink blog.

I don't have Earthlink. I have WideOpenWest as my ISP. Is WOW owned by Earthlink?
rridgely
I have no clue if it's owned by Earthlink or not. I just know you're not getting redirected by malware (that site is legitimate).

Maybe your default search engine got changed or something.
QUOTE

If you want to restore the Google "I'm Lucky" search then perform these simple steps:
1. Type about:config in Firefox location bar and press Enter
2. Type keyword in Filter textbox and you will see only the preference keyword.URL.
3. Double-click on keyword.URL and change the value to: http://www.google.com/search?btnI=I%27m+Feeling+Lucky&q=

http://blog.taragana.com/index.php/archive...-search-engine/

Let me know if that works.
JAGO
For a legit site, it sure is ad-full.

*Pulls up the FF config* - Whaddya know, it's already set to that. Earthlink is still f***ing making money off of me.
rridgely
Yeah, the ads are one of the reasons Earthlink customers are complaining so much. If you're using FF, get Adblock and Filterset.G Updater and you won't see them.

You might want to contact your ISP and see what they say.
Eldmannen
Go to a non-existent page.

such as www.lfkhgfds987gdgldfisgjl34lkdsgfjd.com and see if it takes you to some earthlink site or something.
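The check suggested in the post above, written as a script (an added example, not part of the original thread): it looks up randomly generated hostnames that should not exist and reports whether the configured resolver answers for them anyway. The function names and the `example.com` control lookup are assumptions of this sketch.

```python
import secrets
import socket

CONTROL_NAME = "example.com"  # IANA-reserved name that is expected to resolve


def random_probe_names(count=3, tld="com"):
    """Hostnames with random 24-hex-char labels: almost certainly unregistered."""
    return [f"{secrets.token_hex(12)}.{tld}" for _ in range(count)]


def system_resolve(name):
    """Ask the OS-configured resolver; return a set of IPs (empty on any failure)."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except OSError:
        return set()
    return {info[4][0] for info in infos}


def check_nxdomain_rewriting(resolve=system_resolve, names=None):
    """Probe names that should not exist and classify the resolver's behaviour."""
    # Without a working control lookup, empty answers would prove nothing.
    if not resolve(CONTROL_NAME):
        return {"verdict": "no-dns", "answers": {}, "landing_ips": []}
    names = names or random_probe_names()
    answers = {name: set(resolve(name)) for name in names}
    answered = [ips for ips in answers.values() if ips]
    if not answered:
        verdict = "clean"          # every probe failed, as it should
    elif len(answered) == len(names):
        verdict = "rewriting"      # unregistered names all got an address
    else:
        verdict = "inconclusive"   # mixed result: rerun with fresh names
    # Addresses shared by every answered probe point at the landing server.
    shared = set.intersection(*answered) if answered else set()
    return {"verdict": verdict, "answers": answers, "landing_ips": sorted(shared)}


if __name__ == "__main__":
    result = check_nxdomain_rewriting()
    print(result["verdict"], result["landing_ips"])
```

If a second machine on the same connection also gets a `rewriting` verdict with the same landing addresses, the answers are coming from the resolver rather than from software on the PC.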
JAGO
It takes me to Earthlink-help.net still. I called Earthlink, they said that that page is not theirs.

Are there any commercial products I can try for spyware cleaning (that work better than ewido / Spybot / Ad-Aware)?

rridgely
You could try superantispyware:
Download Superantispyware
  1. Load Superantispyware and click the check for updates button.
  2. Once the update is finished click the scan your computer button.
  3. Check Perform Complete Scan and then next.
  4. Superantispyware will now scan your computer and when it's finished it will list all the infections it has found.
  5. Make sure that they all have a check next to them and press next.
  6. Click finish and you will be taken back to the main interface.
  7. Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
  8. Copy and paste the log onto the forum.
If you run all of the ones you mentioned and Superantispyware, a commercial program more than likely wouldn't find anything those combined don't.

Is this the page you're talking about?
http://earthlink-help.net/
That site is Earthlink's (says so in their blog and on Slashdot).
(It's also coming up clean in the Dr.Web link scanner.)
JAGO
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

Showed up on my new HJT log.

Will edit post later when done with SUPERAntispyware, it's giving me issues.
JAGO
SUPERAntiSpyware Scan Log
Generated 09/18/2006 at 12:52 PM

Core Rules Database Version : 3086
Trace Rules Database Version: 1115

Memory threats detected : 0
Registry threats detected : 0
File threats detected : 0

---

Ehh, now when I boot up, I see the Welcome screen (normally I never see it), and Windows sits for a second before booting my desktop. Any ideas? I'm rather anal about how my computer runs, and I don't like seeing the Welcome screen.
JAGO
Ok here's what I did - since *everything* I ran was coming up clean, I switched to OpenDNS.

The good news, I don't see that earthlink-help page anymore. The bad news? More or less, the I'm feeling lucky feature is still disabled. But if I'm not being redirected to that site, this, while less than ideal, is still a satisfactory solution.

Sorry for the triple post, the last one was supposed to be an edit, though this would is a purpose add :P.

Thanks a bunch rridgely.