I think my browser has been hijacked!!!


Marko2112

Thread Starter
Joined
Oct 7, 2006
Messages
29
Could someone please take a look at my HijackThis log and tell me if I've been hijacked. Strange things have been happening to my browser and I would like to know what that Starware thing is that has taken over my search function. I don't know if that's related to my browser hijack, but I don't think it's supposed to be there. Thanx guys in advance, Marko


Logfile of HijackThis v1.99.1
Scan saved at 4:10:19 PM, on 1/23/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ruth Jeffs\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?pr...10920152330000000113001889556&version=g_4.4.2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {35E78239-811E-4c3f-B37D-F339AC16C2C0} - C:\PROGRA~1\Comet\bin\autosearch.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [service] C:\WINDOWS\services.exe -serv
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108178698375
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_3_0.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
 
Joined
Sep 8, 2005
Messages
9,113
Welcome to TSG :)

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #1 - Search by typing 1 and press Enter

This program will scan large amounts of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!
 

Marko2112

Thread Starter
Joined
Oct 7, 2006
Messages
29
Thanks for the reply. Actually this problem is on my mother's computer and I will stop by her place after work and run the program and post the log. Thanx for your help. Marko
 

Marko2112

Thread Starter
Joined
Oct 7, 2006
Messages
29
Thanx sjpritch25, here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 5:40:07 PM, on 1/24/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Ruth Jeffs\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?pr...10920152330000000113001889556&version=g_4.4.2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {35E78239-811E-4c3f-B37D-F339AC16C2C0} - C:\PROGRA~1\Comet\bin\autosearch.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [service] C:\WINDOWS\services.exe -serv
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108178698375
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_3_0.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
 

Marko2112

Thread Starter
Joined
Oct 7, 2006
Messages
29
SmitFraudFix v2.135

Scan done at 17:37:21.40, Wed 01/24/2007
Run from C:\Documents and Settings\Ruth Jeffs\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ruth Jeffs


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ruth Jeffs\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\RUTHJE~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
 
Joined
Sep 8, 2005
Messages
9,113
Looks like your mom possibly has a worm. You will need to print out my instructions because you will not have internet access in safe mode!!!!!

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only


  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

===========================================

Reboot your computer in "SAFE MODE" using the F8 method so Windows will start with minimal drivers and running processes. To do this restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". See How to Boot in "SAFE MODE" tutorial if needed.

================================================

Run HijackThis, and press "Do a System Scan Only".
1. When the scan is complete place a check mark next to the following entries:

O2 - BHO: (no name) - {35E78239-811E-4c3f-B37D-F339AC16C2C0} - C:\PROGRA~1\Comet\bin\autosearch.dll (file missing)
O4 - HKLM\..\Run: [service] C:\WINDOWS\services.exe -serv

2. After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked."


================================================

Note: You may need to unhide hidden files and folders.
Configure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Please DELETE the following file(s) IF STILL PRESENT. You can use Windows Explorer to navigate or use Windows Search feature to locate them.

Files:

C:\WINDOWS\services.exe <-- this file


================================
Reboot back into Normal Mode
================================

Download and scan with SUPERAntiSpyware Free for Home Users
alternate site
  • Double-click SUPERAntiSpyware.exe to install and use the default settings for installation.
  • Run SUPERAntiSpyware and update the definitions before scanning by selecting "Check for Updates".
  • When done, select "Scan for Harmful Software".
  • There are three scanning options available. Choose "Perform Complete Scan" and click "Next".
  • When done, a Scan Summary will appear with potentially harmful items that were detected. Click "OK".
  • Place a checkmark next to items you wish to remove/quarantine and Click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • Please post the results of the SUPERAntiSpyware log in your next reply.
  • Select close to exit the program.
Note: If you encounter any problems while downloading the updates, manually download and unzip them from here.


==============================================

Panda Activescan
http://www.pandasoftware.com/products/activescan.htm
  1. Once you are on the Panda site click the Scan your PC button
  2. A new window will open...click the Check Now button
  3. Enter your Country
  4. Enter your State/Province
  5. Enter your e-mail address and click send
  6. Select either Home User or Company
  7. Click the big Scan Now button
  8. If it wants to install an ActiveX component allow it
  9. It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  10. When download is complete, click on Local Disks to start the scan
  11. When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.


In your next reply, please include a fresh HijackThis log, SUPERAntiSpyware log and Panda ActiveScan log. Thanks
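The two entries the helper singles out above are found by rules a defender can write down. As an added example (not part of this thread, and not code from HijackThis or its authors), the Python script below applies three of those rules to lines copied from the posted log: a Run entry whose executable borrows a core Windows binary name but sits outside System32, an unnamed BHO whose DLL is missing, and an R0/R1 browser setting pointing at a host outside an analyst-supplied expected-host list (that list, `EXPECTED_HOSTS`, is an assumption).

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example for this thread; it is not part of the original posts and not
code from HijackThis or its authors. It re-implements, as code, three checks
a malware-removal helper applies by eye:

  1. O4 autostart entries whose executable borrows the name of a core
     Windows binary but does not live in System32 (the log above shows
     C:\\WINDOWS\\services.exe started from a Run key; the real one is
     C:\\WINDOWS\\system32\\services.exe and is not started that way).
  2. O2 BHO entries with no name whose DLL is missing on disk (orphans).
  3. R0/R1 browser settings whose URL host is not one the machine is
     expected to use; the expected-host list is an analyst assumption.
"""
import re
from urllib.parse import urlparse

# Core Windows binaries that live in System32 and are not launched from a
# Run key; a Run entry pointing at one of these names elsewhere is suspect.
CORE_SYSTEM_BINARIES = {"services.exe", "lsass.exe", "svchost.exe",
                        "winlogon.exe", "smss.exe", "csrss.exe"}

# Hosts this particular machine is expected to use for home/search pages
# (assumption: ISP-provided Yahoo!/SBC setup plus the Dell default page).
EXPECTED_HOSTS = {"yahoo.com", "sbc.com", "dellnet.com"}

# O4 - HKLM\..\Run: [name] command line
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O2 - BHO: name - {CLSID} - path [(file missing)]
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$')
# R0/R1 - registry key,value = http://...  (non-URL values such as
# ProxyOverride deliberately do not match and are left alone)
R_RE = re.compile(r'^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<url>https?://\S+)$')


def _exe_path(cmd):
    """Return the executable path from a Run command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Bare path, possibly containing spaces: it ends at the first ".exe".
    m = re.match(r'(?i)(.*?\.exe)', cmd)
    return m.group(1) if m else cmd.split(' ')[0]


def triage_line(line, expected_hosts=EXPECTED_HOSTS):
    """Return a finding for a suspicious HJT line, or None if it passes."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        path = _exe_path(m.group("cmd"))
        parts = path.split("\\")
        basename = parts[-1].lower()
        parent = parts[-2].lower() if len(parts) >= 2 else ""
        if basename in CORE_SYSTEM_BINARIES and parent != "system32":
            return (f"O4 [{m.group('name')}] runs {path}: core system binary "
                    f"name outside System32 (masquerading)")
        return None
    m = O2_RE.match(line)
    if m:
        if m.group("name") == "(no name)" and "(file missing)" in m.group("path"):
            return f"O2 BHO {{{m.group('clsid')}}}: unnamed BHO with missing DLL (orphan)"
        return None
    m = R_RE.match(line)
    if m:
        host = (urlparse(m.group("url")).hostname or "").lower()
        if not any(host == h or host.endswith("." + h) for h in expected_hosts):
            return f"R {m.group('value')} points to unexpected host {host}"
        return None
    return None


def triage_log(lines, expected_hosts=EXPECTED_HOSTS):
    """Run triage_line over an iterable of HJT lines and return the findings."""
    return [f for f in (triage_line(ln, expected_hosts) for ln in lines) if f]


# Lines copied from the HijackThis log posted above (benign ones included
# to show they are not flagged).
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?pr...10920152330000000113001889556&version=g_4.4.2",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;",
    r"O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll",
    r"O2 - BHO: (no name) - {35E78239-811E-4c3f-B37D-F339AC16C2C0} - C:\PROGRA~1\Comet\bin\autosearch.dll (file missing)",
    r"O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe",
    r"O4 - HKLM\..\Run: [service] C:\WINDOWS\services.exe -serv",
    r'O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash',
]

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print("SUSPECT:", finding)
```

Run against the sample it reports exactly the Starware SearchAssistant, the orphaned Comet BHO and the fake services.exe Run entry; the legitimate Yahoo!, F-Secure and Intel entries pass.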
 

Marko2112

Thread Starter
Joined
Oct 7, 2006
Messages
29
Thanx sjpritch25 for all your help. I will make sure that my mom donates to the WORTHY cause. If this goes as well as my first go around with you guys we will be 2 for 2. I will run those fixes Thursday when I get off work and repost. Cheers friend, Marko
 

Marko2112

Thread Starter
Joined
Oct 7, 2006
Messages
29
SUPERAntiSpyware Scan Log
Generated 01/25/2007 at 09:40 PM

Application Version : 3.5.1016

Core Rules Database Version : 3173
Trace Rules Database Version: 1183

Scan type : Complete Scan
Total Scan Time : 00:46:13

Memory items scanned : 537
Memory threats detected : 0
Registry items scanned : 5610
Registry threats detected : 0
File items scanned : 35158
File threats detected : 139

Adware.Tracking Cookie
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt

Trojan.Comet/AutoSearch
C:\DOCUMENTS AND SETTINGS\RUTH JEFFS\LOCAL SETTINGS\TEMP\TEMP.FR1F03\BIN\AUTOSEARCH.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP952\A0072100.DLL

Unclassified.Unknown Origin
C:\WINDOWS\SYSTEM32\FTPUPD.0XE

BKDR_SDBOT.DP Trojan
C:\WINDOWS\SYSTEM32\NAVMGRD.0XE

Worm.Forbot-CC
C:\WINDOWS\SYSTEM32\SVCHOSTING.EXE
 

Marko2112
Thread Starter
Hang in there, sjpritch25. Ran out of time last night. Had to leave PandaScan running till the a.m., and then I will post the PandaScan results and the fresh HijackThis scan. Looks like we may have found something. Thanx again, Marko
 

Marko2112

Thread Starter
Joined
Oct 7, 2006
Messages
29
Incident Status Location

Spyware:Cookie/Abetterinternet Not disinfected C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
Spyware:Cookie/Errorguard Not disinfected C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
Spyware:Cookie/Mysearch Not disinfected C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
Spyware:Cookie/Santa Monica networks inc Not disinfected C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
Spyware:Cookie/SpywareStormer Not disinfected C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Ruth Jeffs\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Ruth Jeffs\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Adware:Adware/Comet Not disinfected C:\Documents and Settings\Ruth Jeffs\Local Settings\Temp\temp.fr1F03\Bin\csadzap.dll
Adware:Adware/Comet Not disinfected C:\Documents and Settings\Ruth Jeffs\Local Settings\Temp\temp.fr1F03\Bin\csband.dll
Adware:Adware/Comet Not disinfected C:\Documents and Settings\Ruth Jeffs\Local Settings\Temp\temp.fr1F03\Bin\cscore.dll
Adware:Adware/Comet Not disinfected C:\Documents and Settings\Ruth Jeffs\Local Settings\Temp\temp.fr1F03\Bin\cseng.dll
Adware:Adware/Comet Not disinfected C:\Documents and Settings\Ruth Jeffs\Local Settings\Temp\temp.fr1F03\Bin\csietb.dll
Adware:Adware/Comet Not disinfected C:\Documents and Settings\Ruth Jeffs\Local Settings\Temp\temp.frBDFD
Adware:Adware/Comet Not disinfected C:\Documents and Settings\Ruth Jeffs\Local Settings\Temp\unpack\CC_43.inf
Adware:Adware/Comet Not disinfected C:\Documents and Settings\Ruth Jeffs\Local Settings\Temp\unpack\inst43.exe
Adware:adware/comet Not disinfected C:\WINDOWS\Downloaded Program Files\dm.inf
Adware:Adware/Comet Not disinfected C:\WINDOWS\INF\CC_43.inf
Adware:adware program Not disinfected C:\WINDOWS\ss3unstl.exe
Virus:Trj/Zapchast.D Disinfected C:\WINDOWS\SYSTEM32\c.bat
Virus:W32/Sasser.ftp Disinfected C:\WINDOWS\SYSTEM32\cmd.ftp
Virus:W32/Korgo.U.worm Disinfected C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\X[1].0XE
Virus:W32/Korgo.U.worm Disinfected C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\x[2].0xe
Virus:W32/Kelar.A Disinfected C:\WINDOWS\SYSTEM32\down.0om
Virus:W32/Gaobot.gen.worm Disinfected C:\WINDOWS\SYSTEM32\MSNMSGPLUS.0XE
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\SYSTEM32\Process.exe
Virus:W32/Blaster Disinfected C:\WINDOWS\SYSTEM32\TFTP556.0
Virus:W32/Blaster Disinfected C:\WINDOWS\SYSTEM32\TFTP604.0
 

Marko2112
Thread Starter
Logfile of HijackThis v1.99.1
Scan saved at 6:28:57 AM, on 1/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Ruth Jeffs\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?pr...10920152330000000113001889556&version=g_4.4.2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108178698375
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_3_0.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
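The R0/R1 lines in the log above are where the search hijack shows itself: the HKLM SearchAssistant value points at as.starware.com while every other start/search entry points at Yahoo, SBC or Dell. As an added example, not code from this thread or from HijackThis, the following Python script parses R0-R3 lines of the HijackThis v1.99.1 format and flags any URL-valued entry whose host falls outside an allowlist of hosts the machine's owner expects. The sample log lines, the allowlist and the starware query string are constructed for the example (the real query string in the log is truncated and is not reproduced).

```python
import re
from urllib.parse import urlparse

# Assumed allowlist: hosts (and their subdomains) the owner expects to see in the
# IE start/search settings on this machine. Adjust per machine.
EXPECTED_HOSTS = ("yahoo.com", "sbc.com", "dellnet.com", "microsoft.com")

# Constructed sample in HijackThis v1.99.1 format. The starware line stands in for
# the SearchAssistant entry this thread is about; its query string is a placeholder.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?pr=PLACEHOLDER
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
"""

# R-lines look like: "R1 - HKCU\<key path>,<value name> = <data>"
# The value name is matched non-greedily so the first " = " is the separator even
# when the data itself contains "=" characters (query strings do).
R_LINE = re.compile(
    r"^(?P<section>R[0-3]) - (?P<hive>HK[A-Z]+)\\(?P<key>[^,]+),(?P<name>.+?) = (?P<data>.*)$"
)


def parse_r_lines(log_text):
    """Yield one dict per R0-R3 registry line: section, hive, key, name, data."""
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            yield m.groupdict()


def host_of(data):
    """Return the hostname of a URL-valued entry, or None if the data is not a URL
    (ProxyOverride, for instance, is a ';'-separated host list, not a URL)."""
    if not data.lower().startswith(("http://", "https://")):
        return None
    return urlparse(data).hostname


def is_expected(host, expected=EXPECTED_HOSTS):
    """True if host equals an allowlisted domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in expected)


def find_unexpected_search_settings(log_text, expected=EXPECTED_HOSTS):
    """Return (hive, value name, host) for every URL-valued R-line whose host is
    not on the allowlist; these are the entries worth a closer look."""
    findings = []
    for entry in parse_r_lines(log_text):
        host = host_of(entry["data"])
        if host is None:
            continue
        if not is_expected(host, expected):
            findings.append((entry["hive"], entry["name"], host))
    return findings


if __name__ == "__main__":
    for hive, name, host in find_unexpected_search_settings(SAMPLE_LOG):
        print(f"{hive} {name} points at unexpected host {host}")
```

Run against the constructed sample, the only finding is the HKLM SearchAssistant value pointing at as.starware.com; the Yahoo redirector URL passes because its hostname (red.clientapps.yahoo.com) is a subdomain of an allowlisted domain, and the ProxyOverride line is skipped because its data is not a URL. An allowlist like this is only as good as the owner's knowledge of what the machine should look like, which is why the thread's helper still asks for the full log rather than a filtered one.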
 
Joined
Sep 8, 2005
Messages
9,113
This should clean most of the stuff found by Panda.

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only.

  • Save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All.
  • Click the Empty Selected button.

If you use Firefox browser:
  • Click Firefox at the top and choose: Select All.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser:
  • Click Opera at the top and choose: Select All.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.


Download ComboFix and save it to your desktop.
http://download.bleepingcomputer.com/sUBs/combofix.exe

Note: It is important that it is saved directly to your desktop.

Close any open browsers.

Double-click on combofix.exe and follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 

Marko2112
Thread Starter
Sorry about the delay in response, but I went to the desert and raged on my motorcycle this weekend; but alas, I'm back to reality. I will go by my mother's tomorrow after work for the next installment and post the new logs, sjpritch25. Oh, and by the way, since I've let you in my registry, would it be OK to address you common? Thanx a lot for all your help and patience. Mark
 

Marko2112
Thread Starter
"Ruth Jeffs" - 07-01-29 15:41:57 Service Pack 1
ComboFix 07-01-25 - Running from: "C:\Documents and Settings\Ruth Jeffs\Desktop"
 