Hijacked, Need Help Please

[Siyamak]

Hello, I'm new to this forum and I need some serious help with my computer.

Ever since October 14, 2008 - my search engine and internet are malfunctioning.

Yahoo/Google search engines will pull up my search results I requested, but when I click the link to view my search results I get redirected to another so called 'search' website displaying references for my search results instead of the information I actually requested.

Could you please help me out? Whatever is going on, is seemingly blocking some websites completely, and it will not let me update my AVG or SpybotSD programs. I'll post the logs so you can review them and hopefully find a solution for me.

 

[Siyamak]

Can anyone help me?

 

[BillAllen55]

Please see this website and follow the 8-step process. https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

 

[Siyamak]

I did, but I could not download some of the components, it seems this 'hijacker' has blocked certain websites from my access. And, it will not allow my spybot, or AVG to update.

 

[rf6647]

Oy vey! That is quite interesting HJT log. I think you are describing clickjacking.
The following recommendation is NOT a solution. This is an attempt to hobble the malware on your computer.
It is hoped that you can load the MBAM & SAS programs (tools) afterwards.

Re-run HJT. Check / fix the following.
DO NOT delete the associated files.
Two entries related to FF seem to be logical choices.

O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKCU\..\Run: [appchk.exe] C:\WINDOWS\system32\appchk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\dh0hgdus.Default User\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles/dh0hgdus.Default User\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

If L: is a usb thumb drive - remove it.
Check / fix this O23 entry. This merely "stops" the process from auto starting.

nProtect KeyCrypt Manager Service - nProtect KeyCrypt Manager Service - INCA Internet Co., Ltd.
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - L:\Nexon\Mabinogi\npkcmsvc.exe

Some game sites consider this a breach of the TOS. They want to protect their interests. I cannot predict what measure they employ to detect that the service was not properly suspended. You can decide this.

If this proves useful, obtain & run the tools. Post the logs.
Safe mode with networking may be another approach for obtaining tools - no relavant experience on my part.

This premature use of HJT may require some re-work after the prelims.

The selection of some of O4 entries is to get a few of the unnecessary startup programs out of the way. All of the Lexmark stuff can go as well.

Late add to list. No attempt to research secondary sources.
Could be part of the O23 package
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe ------>multimedia keyboard?
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe -----> no description