Browser hijacker help.

Comments

  • Rev
    Rev Posts: 3,171 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    hans_2 wrote: »
    Try HitmanPro

    When the scan finishes, click on the “Activate free license” button to begin the free 30-day trial and remove all the malicious files from your computer.


    Thanks. Tried that and no change.
    Sigless
  • esuhl
    esuhl Posts: 9,409 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    Okay -- another suggestion that has always worked well for me is to create an Avast Rescue Disk. This creates a bootable CD/DVD or USB stick, so Avast can run without Windows (and any malware) running at the same time.
    https://www.avast.com/faq.php?article=AVKB114

    You might need to run adwCleaner and MalwareBytes again afterwards to clean up any remnants of malware.

    Your uncle might also like to install SpywareBlaster. It won't remove malware, but it can stop it from being downloaded in the first place.
    https://www.brightfort.com/spywareblaster.html
  • Rev
    Rev Posts: 3,171 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    esuhl wrote: »
    Okay -- another suggestion that has always worked well for me is to create an Avast Rescue Disk. This creates a bootable CD/DVD or USB stick, so Avast can run without Windows (and any malware) running at the same time.
    https://www.avast.com/faq.php?article=AVKB114

    You might need to run adwCleaner and MalwareBytes again afterwards to clean up any remnants of malware.

    Your uncle might also like to install SpywareBlaster. It won't remove malware, but it can stop it from being downloaded in the first place.
    https://www.brightfort.com/spywareblaster.html


    Thanks. Will give that a go when I get back home.
    Sigless
  • Kendall80
    Kendall80 Posts: 965 Forumite
    Ninth Anniversary 500 Posts Name Dropper
    Download and run HijackThis.


    It'll give you a list of items including those listed as BHOs. (browser 'helper' objects)


    The offending entry will likely be clearly visible. Just remove this and any others that appear linked. Then you should be all sorted.


    I'd also download and run CCleaner - also running its integral registry cleaner option.
  • Rev
    Rev Posts: 3,171 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Kendall80 wrote: »
    Download and run HijackThis.


    It'll give you a list of items including those listed as BHOs. (browser 'helper' objects)


    The offending entry will likely be clearly visible. Just remove this and any others that appear linked. Then you should be all sorted.


    I'd also download and run CCleaner - also running its integral registry cleaner option.


    Thanks. Will upload the hijack this log in a few.


    I've already run CCleaner's registry cleaner.
    Sigless
  • Could it be worth trying a system restore to an earlier date?
  • Rev
    Rev Posts: 3,171 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Kendall80 wrote: »
    Download and run HijackThis.


    It'll give you a list of items including those listed as BHOs. (browser 'helper' objects)


    The offending entry will likely be clearly visible. Just remove this and any others that appear linked. Then you should be all sorted.


    I'd also download and run CCleaner - also running its integral registry cleaner option.

    Hijack this log

    Logfile of Trend Micro HijackThis v2.0.5
    Scan saved at 14:24:31, on 02/10/2016
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v8.00 (8.00.7601.17514)

    FIREFOX: 49.0.1 (x86 en-GB)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskhost.exe
    C:\Program Files\AVAST Software\Avast\avastui.exe
    C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
    C:\Users\Owner\AppData\Local\Programs\Google\MusicManager\MusicManager.exe
    C:\Users\Owner\AppData\Local\MEGAsync\MEGAsync.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Owner\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    O4 - HKLM\..\Run: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe"
    O4 - HKCU\..\Run: [MusicManager] "C:\Users\Owner\AppData\Local\Programs\Google\MusicManager\MusicManager.exe"
    O4 - HKCU\..\Run: [SpybotPostWindows10UpgradeReInstall] "C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe"
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-1475859723-4161739446-3993868821-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
    O4 - HKUS\S-1-5-21-1475859723-4161739446-3993868821-1001\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
    O4 - HKUS\S-1-5-18\..\RunOnce: [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601 (User 'Default user')
    O4 - Startup: MEGAsync.lnk = C:\Users\Owner\AppData\Local\MEGAsync\MEGAsync.exe
    O16 - DPF: {2A293777-79CA-4DD9-A545-0E1718C0D3CF} (KeyBox Class) - https://bg.itronenergypoint.net/IHVConnect2/KeyboxControl.cab
    O16 - DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} (Creative Software AutoUpdate Support Package 2) - http://files.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
    O16 - DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} (Creative Software AutoUpdate 2) - http://files.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://files.creative.com/Web/softwareupdate/ocx/150323/CTPID.cab
    O20 - Winlogon Notify: SDWinLogon - SDWinLogon.dll (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Avast Antivirus (avast! Antivirus) - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
    O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
    O23 - Service: DbxSvc - Windows (R) Win 7 DDK provider - C:\Windows\system32\DbxSvc.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
    O23 - Service: OpenVPN Service (OpenVPNService) - The OpenVPN Project - C:\Program Files\OpenVPN\bin\openvpnserv.exe
    O23 - Service: Spybot-S&D 2 Scanner Service (SDScannerService) - Safer-Networking Ltd. - C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
    O23 - Service: Spybot-S&D 2 Updating Service (SDUpdateService) - Safer-Networking Ltd. - C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
    O23 - Service: Spybot-S&D 2 Security Center Service (SDWSCService) - Safer-Networking Ltd. - C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe

    --
    End of file - 6196 bytes
    Sigless
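A triage pass over a log in the format posted above, added here as an example and not part of any forum post or of HijackThis itself. It groups entries by their section code (R0/R1 browser pages, O2 BHOs, O4 autoruns, O16 ActiveX downloads) and lists the ones worth a manual look; the `review` function, its `trusted_hosts` allowlist and the path heuristics are assumptions chosen for illustration, and a flagged line is a prompt to check the vendor, not a verdict.

```python
import re
from urllib.parse import urlparse

# Sample lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com
O2 - BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKCU\..\Run: [MusicManager] "C:\Users\Owner\AppData\Local\Programs\Google\MusicManager\MusicManager.exe"
O16 - DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} (Creative Software AutoUpdate Support Package 2) - http://files.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
O20 - Winlogon Notify: SDWinLogon - SDWinLogon.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

ENTRY = re.compile(r"^\s*(R\d|O\d{1,2}) - (.+)$")
# Locations a standard user can write to (assumed heuristic, not exhaustive).
USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData)\\", re.I)

def review(log, trusted_hosts=("www.google.com", "go.microsoft.com")):
    """Return (code, reason, entry) tuples for lines worth a manual look."""
    findings = []
    for line in log.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, running-process list or blank line
        code, body = m.groups()
        if "(file missing)" in body:
            findings.append((code, "target file missing", body))
        if code in ("R0", "R1") and "=" in body:
            # Value after the first "=" is the configured page or search URL.
            host = urlparse(body.split("=", 1)[1].strip()).hostname
            if host and host not in trusted_hosts:
                findings.append((code, "browser page points at unlisted host", body))
        elif code == "O2":
            findings.append((code, "browser helper object, confirm the vendor", body))
        elif code == "O4" and USER_WRITABLE.search(body):
            findings.append((code, "autorun from user-writable path", body))
        elif code == "O16" and " - http://" in body:
            findings.append((code, "ActiveX download over plain HTTP", body))
    return findings

if __name__ == "__main__":
    for code, reason, entry in review(SAMPLE_LOG):
        print(f"{code:4} {reason}: {entry}")
```

The log format only covers Internet Explorer settings and system autostart points, so a clean result here says nothing about a hijacked Firefox or Chrome profile.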
  • esuhl
    esuhl Posts: 9,409 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    Kendall80 wrote: »
    I'd also download and run CCleaner - also running its integral registry cleaner option.

    Eek! I wouldn't use a registry cleaner unless you know exactly what you're doing and check every entry you intend to delete.

    Registry cleaners haven't really been necessary since Windows 98. They can often cause more problems than they resolve.
  • Rev
    Rev Posts: 3,171 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Think I've got it sorted.

    I googled again and there were three more articles that weren't there last night. One suggested trying unhijack me. So installed that and scanned and it found and removed a number of loadstart.net files.


    Just running the avast rescue disk as a precaution but I think that's got it. Will know for sure when the laptop restarts.
    Sigless
  • Hello Rev!
    I have the same problem as you. Has the removal of loadstart.net finally worked with your method?
    If yes, could you please explain again how you have done it? I would be very thankful!

    Best regards
    Herbert
This discussion has been closed.