Internet hijacking
I think I have been a victim of internet hijacking. About a week ago I was surfing the net and a popup of Scanmypc came up and I checked the red cross (should have closed the browser). It started to scan my PC as I clicked to another site without thinking, oblivious to what was scanning behind the page, silly me. After that I was getting redirected to other ad sites than the one requested, but that seems to have stopped. Now some sites on the internet are slower and some sites won't open. I have noticed when I am googling, the search-through at the bottom left of the browser comes up with billsearch.org or bigsalefinder.com.

I am using Vista Premium, and was using Norton's Internet Security trial and Google Chrome. I have scanned with Norton's but still the same. So I uninstalled Chrome and started using IE7, same; so I uninstalled Norton's and installed AVG, updated & scanned, still the same; installed Ad-Aware AE, updated & scanned, but it would only scan for 10 secs, then stops; installed Spybot, updated & scanned, still the same; installed ZoneAlarm, installed and updated, same. Now I'm really getting angry. I found a program at msconfig/startup called Runit.exe, googled it and found it was malware, so I deleted it. Also deleted it from Add and Remove (Programs & Features). Now I'm also getting Notepad every time I boot, on my desktop, with this:

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

ZoneAlarm preferences: if you can help on a rule of thumb on what & what not to allow.
Suspicious program: Host process for Windows services, string: C:\windows\system32\lsass.exe. I also have this HijackThis log for anyone that can help. Much appreciated in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:01 AM, on 14/09/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Windows\system32\lxbkcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Lexmark X1100 Series\LXBKbmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\GIGABYTE\Gamer HUD Lite\HUD.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Optus Wireless Broadband\Optus Wireless Broadband.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [lxbkbmgr.exe] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: GIGABYTE Gamer HUD Lite.lnk = C:\Program Files\GIGABYTE\Gamer HUD Lite\HUD.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1DD056A-8043-4696-B8EF-B01312C3B274}: NameServer = 61.88.88.88 61.88.88.88
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\,avgrsstx.dll,C:\Windows\System32\dmintf32.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: lxbk_device - - C:\Windows\system32\lxbkcoms.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
September 14th, 2009 12:07am
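The log in the post above is in HijackThis 2.0 entry format: a section code, a dash, and the entry body. The Python below is an added example, not code from the original thread or from HijackThis; it parses constructed sample lines in that format (placeholder paths, 192.0.2.x documentation addresses) and pulls out the entry classes an analyst reads first when the complaint is search redirection: IE start/search pages (R0/R1), URL search hooks (R3), hosts entries (O1), browser helper objects (O2), the TCP/IP NameServer (O17) and AppInit_DLLs (O20).

```python
import re

# Constructed sample of HijackThis 2.0 entry lines ("<code> - <body>", one per line),
# in the format of the log above; paths and addresses are placeholders, not the poster's.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [ExampleApp] "C:\Program Files\Example\example.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53 192.0.2.54
O20 - AppInit_DLLs: C:\Windows\System32\example.dll,C:\Windows\System32\other.dll
O23 - Service: Example Service (exsvc) - Example Vendor - C:\Program Files\Example\exsvc.exe
"""

# Section codes that decide where the browser goes or what loads into every process;
# with a search-redirect complaint these are read before the O4/O23 autoruns.
REDIRECT_RELEVANT = {
    "R0": "IE start/search page", "R1": "IE default page/search URL",
    "R3": "URL search hook", "O1": "Hosts file entry", "O2": "Browser helper object",
    "O17": "TCP/IP NameServer", "O20": "AppInit_DLLs",
}

LINE_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")

def parse_hjt(text):
    """Return (code, body) tuples for lines in the HijackThis '<code> - <body>' shape."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def nameservers(entries):
    """DNS servers from O17 lines: an address you did not configure deserves a look."""
    out = []
    for code, body in entries:
        if code == "O17" and "NameServer = " in body:
            out.extend(body.split("NameServer = ", 1)[1].split())
    return out

def appinit_dlls(entries):
    """DLLs from the comma-separated O20 AppInit_DLLs value, empty fields dropped."""
    out = []
    for code, body in entries:
        if code == "O20" and body.startswith("AppInit_DLLs: "):
            out.extend(d.strip() for d in body[len("AppInit_DLLs: "):].split(",") if d.strip())
    return out

def triage(entries):
    """(code, meaning, body) for the entries in the redirect-relevant classes, log order kept."""
    return [(c, REDIRECT_RELEVANT[c], b) for c, b in entries if c in REDIRECT_RELEVANT]
```

Feed a real log to parse_hjt and compare the O17 addresses against the DNS servers you or your ISP actually set; anything else in that list, or an unfamiliar DLL in the O20 list, is where to start checking.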

mozfab,

Please do not post any logs of this sort to the MS newsgroups and forums. Thanks.

1. Follow to the letter all the directions in this thread: How to get rid of malware
2. If still no joy, you can find Microsoft MVPs and other trained analysts at the following help sites: Aumha.org, Atribune.org, SpywareHammer, BleepingComputer, Safer-Networking
3. If you need more help with virus-related issues, contact Microsoft Product Support Services. For support within the United States and Canada, call toll-free (866) PCSAFETY (727-2338). For support outside the United States and Canada, visit the Product Support Services Web page.
4. If you need more assistance for the virus/worm, post to the Microsoft Newsgroup - Security - Viruses.
Via your newsreader: news://msnews.microsoft.com/microsoft.public.security.virus
Via Web: http://www.microsoft.com/communities/newsgroups/list/en-us/default.aspx?dg=microsoft.public.security.virus

Hope this helps,
Vincenzo Di Russo - Microsoft MVP Windows Internet Explorer, Windows Desktop Experience & Security - Since 2003. ~~~ My MVP Profile: https://mvp.support.microsoft.com/profile/Vincenzo
September 14th, 2009 7:58am

Thanks Vincenzo, I'll get to that and try it!! Sorry for the inconvenience, I'm new to this forum, so I'm learning the protocol. By the way, are you Italian? As my name is Maurizio. I'm from Australia, born in Italy, Calabria (south Italy), a little town called Serria Aiello. I have my own business of electronic repair in Australia, NSW. Now I have expanded to computers, so now I'm feeling my way with IT work. I have this PC in with an internet problem. Manual virus removal was not a subject at computer college, so I'm trying to learn what to do. I'll get back to you with the outcome. Good work you are doing.
September 17th, 2009 6:40am

Hi Maurizio,

You are welcome. Glad to help and thank you very much for your feedback and kind words. Yes, I'm Italian (I live in Pescara). Please keep us posted.

Cheers and good luck,
Vincenzo Di Russo - Microsoft MVP Windows Internet Explorer, Windows Desktop Experience & Security - Since 2003. ~~~ My MVP Profile: https://mvp.support.microsoft.com/profile/Vincenzo
September 17th, 2009 7:57am

Hi Vincenzo, thank you for the welcome. I'm from Newcastle, Australia, and have been to Italy 2 times to visit relatives and do some sightseeing, never been on the east side though. Maybe one lottery-winning day. http://maps.google.it/maps?hl=it&source=hp&q=pescara+abruzzo&ie=UTF8&split=0&gl=it&ei=ksCxSuesDJGC_Ab0_szZDA&ll=42.47235,14.214249&spn=3.654379,7.042236&t=h&z=7

As I am a novice in IT, I need all the help I can get, so thank you for the HOW TO GET RID OF MALWARE tip. It seems to be working. I've been on the internet and it doesn't seem to be redirecting me to other sites. I use IE7. Just wondering, do I still keep using IE or should I use another browser? Some people on the internet say you should use another and some say stick to IE. If you can help: the procedure that I did, will it seek out rootkits? If not, can you suggest a program for rootkits? I'm now scanning with my antivirus, AVG Free. All seems to be working OK, but you just never know if they cover all types of viruses. Also wondering if you can suggest some good antiviruses for me. Thanks in advance, much appreciated. Mozfab
September 18th, 2009 1:51am

All scans are finished and all seems OK, as I can surf the net without being redirected. But I have only one more thing to ask. I have Notepad that always comes up at startup. I've gone to MSconfig/startup but there's nothing there. I have a program called Autorun but cannot find it there either. This Notepad has this inside:

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

The bottom part only came up as a link when I pasted it here, so beware of where it goes to! Thank you again, mozfab.
September 18th, 2009 6:13am

> All scans are finished and all seems OK, as I can surf the net without being redirected. But I have only one more thing to ask. I have Notepad that always comes up at startup. I've gone to MSconfig/startup but there's nothing there. I have a program called Autorun but cannot find it there either. This Notepad has this inside: [...] Thank you again, mozfab.

Hi again Maurizio,

You can find Microsoft MVPs and other trained analysts at the following help sites: Aumha.org, Atribune.org, SpywareHammer, BleepingComputer, Safer-Networking

Thank you and good luck!
Vincenzo Di Russo - Microsoft MVP Windows Internet Explorer, Windows Desktop Experience & Security - Since 2003. ~~~ My MVP Profile: https://mvp.support.microsoft.com/profile/Vincenzo
September 19th, 2009 11:06am

Thanks Vincenzo, I found out what it was by doing a full search and going to all the Notepad files. I found this one; it was sitting next to my HUD video accelerator configuration. Just deleted it and now no problem. Thanks for your help, will keep in touch. Regards, Maurizio.
September 20th, 2009 8:47am

Hi again Maurizio,

You're welcome. Glad you got it resolved and thank you for your feedback.

Cheers,
Vincenzo Di Russo - Microsoft MVP Windows Internet Explorer, Windows Desktop Experience & Security - Since 2003. My MVP Profile: https://mvp.support.microsoft.com/profile/Vincenzo
September 20th, 2009 10:10am

This topic is archived. No further replies will be accepted.
