1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

home page hijacked have log

Discussion in 'Virus & Other Malware Removal' started by lizardet, Jan 28, 2007.

Thread Status:
Not open for further replies.
  1. lizardet

    lizardet Thread Starter

    Joined:
    Mar 17, 2006
    Messages:
    34
    safetyhall hijacked Logfile of HijackThis v1.99.1
    Scan saved at 11:15:37 AM, on 1/28/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Image ActiveX Object\pmsngr.exe
    C:\Program Files\Image ActiveX Object\isamonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Image ActiveX Object\pmmon.exe
    C:\Program Files\Image ActiveX Object\isamini.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\CyberDefender\AntiSpyware\cdas403b.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\WINDOWS\system32\spider.exe
    C:\Documents and

    Settings\Compaq_Owner\Desktop\KillBox.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet

    Explorer\Main,Default_Search_URL =

    http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=

    EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search

    Bar =

    http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcyds

    l/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet

    Explorer\Main,Default_Page_URL =

    http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet

    Explorer\Main,Default_Search_URL =

    http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search

    Bar =

    http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcyds

    l/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search

    Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start

    Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet

    Explorer\Main,Window Title = Windows Internet Explorer

    provided by Yahoo!
    R3 - URLSearchHook: Yahoo! Toolbar -

    {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

    Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O1 - Hosts: 207.68.172.246 msn.com
    O1 - Hosts: 207.68.172.246 msn.com
    O1 - Hosts: 207.68.172.246 msn.com
    O1 - Hosts: 207.68.172.246 msn.com
    O1 - Hosts: 207.68.172.246 msn.com
    O1 - Hosts: 207.68.172.246 msn.com
    O1 - Hosts: 207.68.172.246 msn.com
    O1 - Hosts: 207.68.172.246 msn.com
    O1 - Hosts: 207.68.172.246 msn.com
    O1 - Hosts: 207.68.172.246 msn.com
    O1 - Hosts: 207.68.172.246 msn.com
    O2 - BHO: Yahoo! Toolbar Helper -

    {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program

    Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: (no name) -

    {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program

    Files\Image ActiveX Object\isaddon.dll
    O2 - BHO: CyberDefender Security Toolbar -

    {68FF9E0F-2E96-4467-87FA-1A8B9734C7E7} -

    C:\Documents and Settings\Compaq_Owner\Local

    Settings\Application Data\cdstbar\ssstbar.dll
    O2 - BHO: SSVHelper Class -

    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

    Files\Java\jre1.5.0_10\bin\ssv.dll
    O3 - Toolbar: CyberDefender Security Toolbar -

    {68FF9E0F-2E96-4467-87FA-1A8B9734C7E7} -

    C:\Documents and Settings\Compaq_Owner\Local

    Settings\Application Data\cdstbar\ssstbar.dll
    O3 - Toolbar: Yahoo! Toolbar -

    {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

    Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: Protection Bar -

    {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program

    Files\Image ActiveX Object\iesplugin.dll
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program

    Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe]

    C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [CyberDefender Early Detection Center]

    "C:\Program Files\CyberDefender\AntiSpyware\cdas403b.exe"

    /minimize
    O9 - Extra button: (no name) -

    {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

    Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console -

    {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

    Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: AIM -

    {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program

    Files\AIM\aim.exe
    O9 - Extra button: (no name) -

    {e2e2dd38-d088-4134-82b7-f2ba38496583} -

    %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -

    {e2e2dd38-d088-4134-82b7-f2ba38496583} -

    %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger -

    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

    Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger -

    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

    Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB}

    (YInstStarter Class) -

    http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_curr

    ent.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0}

    (Snapfish Activia) -

    http://photos.walmart.com/WalmartActivia.cab
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} -

    http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC}

    (Facebook Photo Uploader Control) -

    http://upload.facebook.com/controls/FacebookPhotoUploader.

    cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}

    (MUWebControl Class) -

    http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/

    x86/client/muweb_site.cab?1135553887328
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09}

    (Get_ActiveX Control) -

    https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownl

    oadManager.ocx
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592}

    (ZoneIntro Class) -

    http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.

    cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}

    (PopCapLoader Object) -

    http://real.gamehouse.com/games/bejeweled2/popcaploader.cab
    O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD}

    (Photo Upload Plugin Class) -

    http://cvs.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv

    2.0.0.9.cab?
    O20 - Winlogon Notify: WgaLogon -

    C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier -

    C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: hirtellous -

    {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - (no file)
    O23 - Service: InstallDriver Table Manager (IDriverT) -

    Macrovision Corporation - C:\Program Files\Common

    Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. -

    C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software

    (KodakCCS) - Unknown owner -

    C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP -

    C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Webroot Spy Sweeper Engine

    (WebrootSpySweeperService) - Webroot Software, Inc. -

    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Next, please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new hijack log.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non infected computer will remove your Desktop background.
    ============================

    Please disable WordWrap in notepad before posting any new logs. Otherwise the logs are unreadable.
    (Notepad -> Format -> uncheck WordWrap)
    ============================
    Download Hoster from here:
    www.funkytoad.com/download/hoster.zip
    Run the program Hoster and press Restore Original Hosts, OK, and Exit Program.
    ===================

    Download Superantispyware

    http://www.superantispyware.com/superantispywarefreevspro.html

    Install it and double-click the icon on your desktop to run it.
    · It will ask if you want to update the program definitions, click Yes.
    · Under Configuration and Preferences, click the Preferences button.
    · Click the Scanning Control tab.
    · Under Scanner Options make sure the following are checked:
    o Close browsers before scanning
    o Scan for tracking cookies
    o Terminate memory threats before quarantining.
    o Please leave the others unchecked.
    o Click the Close button to leave the control center screen.
    · On the main screen, under Scan for Harmful Software click Scan your computer.
    · On the left check C:\Fixed Drive.
    · On the right, under Complete Scan, choose Perform Complete Scan.
    · Click Next to start the scan. Please be patient while it scans your computer.
    · After the scan is complete a summary box will appear. Click OK.
    · Make sure everything in the white box has a check next to it, then click Next.
    · It will quarantine what it found and if it asks if you want to reboot, click Yes.
    · To retrieve the removal information for me please do the following:
    o After reboot, double-click the SUPERAntispyware icon on your desktop.
    o Click Preferences. Click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o It will open in your default text editor (such as Notepad/Wordpad).
    o Please highlight everything in the notepad, then right-click and choose copy.
    · Click close and close again to exit the program.
    · Please paste that information here for me with a new HijackThis log.
     
  3. lizardet

    lizardet Thread Starter

    Joined:
    Mar 17, 2006
    Messages:
    34
    before i saw your reply i ran roguefix and avg spyware and it removed zolb thanks for the response if it comes back i will try
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/539061

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice