home page hijacked have log

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

lizardet

Thread Starter
Joined
Mar 17, 2006
Messages
34
safetyhall hijacked Logfile of HijackThis v1.99.1
Scan saved at 11:15:37 AM, on 1/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Image ActiveX Object\pmsngr.exe
C:\Program Files\Image ActiveX Object\isamonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Image ActiveX Object\pmmon.exe
C:\Program Files\Image ActiveX Object\isamini.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberDefender\AntiSpyware\cdas403b.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\spider.exe
C:\Documents and

Settings\Compaq_Owner\Desktop\KillBox.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Default_Search_URL =

http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=

EN_US&c=Q105&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search

Bar =

http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcyds

l/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search

Bar =

http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcyds

l/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search

Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start

Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Window Title = Windows Internet Explorer

provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar -

{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O2 - BHO: Yahoo! Toolbar Helper -

{02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program

Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) -

{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program

Files\Image ActiveX Object\isaddon.dll
O2 - BHO: CyberDefender Security Toolbar -

{68FF9E0F-2E96-4467-87FA-1A8B9734C7E7} -

C:\Documents and Settings\Compaq_Owner\Local

Settings\Application Data\cdstbar\ssstbar.dll
O2 - BHO: SSVHelper Class -

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: CyberDefender Security Toolbar -

{68FF9E0F-2E96-4467-87FA-1A8B9734C7E7} -

C:\Documents and Settings\Compaq_Owner\Local

Settings\Application Data\cdstbar\ssstbar.dll
O3 - Toolbar: Yahoo! Toolbar -

{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Protection Bar -

{84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program

Files\Image ActiveX Object\iesplugin.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program

Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CyberDefender Early Detection Center]

"C:\Program Files\CyberDefender\AntiSpyware\cdas403b.exe"

/minimize
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM -

{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program

Files\AIM\aim.exe
O9 - Extra button: (no name) -

{e2e2dd38-d088-4134-82b7-f2ba38496583} -

%windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -

{e2e2dd38-d088-4134-82b7-f2ba38496583} -

%windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB}

(YInstStarter Class) -

http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_curr

ent.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0}

(Snapfish Activia) -

http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} -

http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC}

(Facebook Photo Uploader Control) -

http://upload.facebook.com/controls/FacebookPhotoUploader.

cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}

(MUWebControl Class) -

http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/

x86/client/muweb_site.cab?1135553887328
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09}

(Get_ActiveX Control) -

https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownl

oadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592}

(ZoneIntro Class) -

http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.

cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}

(PopCapLoader Object) -

http://real.gamehouse.com/games/bejeweled2/popcaploader.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD}

(Photo Upload Plugin Class) -

http://cvs.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv

2.0.0.9.cab?
O20 - Winlogon Notify: WgaLogon -

C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier -

C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: hirtellous -

{fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) -

Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. -

C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software

(KodakCCS) - Unknown owner -

C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP -

C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine

(WebrootSpySweeperService) - Webroot Software, Inc. -

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 
Joined
Sep 7, 2004
Messages
49,014
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new hijack log.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.
============================

Please disable WordWrap in notepad before posting any new logs. Otherwise the logs are unreadable.
(Notepad -> Format -> uncheck WordWrap)
============================
Download Hoster from here:
www.funkytoad.com/download/hoster.zip
Run the program Hoster and press Restore Original Hosts, OK, and Exit Program.
===================

Download Superantispyware

http://www.superantispyware.com/superantispywarefreevspro.html

Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
· To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
· Click close and close again to exit the program.
· Please paste that information here for me with a new HijackThis log.
 

lizardet

Thread Starter
Joined
Mar 17, 2006
Messages
34
before i saw your reply i ran roguefix and avg spyware and it removed zolb thanks for the response if it comes back i will try
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Members online

Top