
I think my browser has been hijacked!!!

Discussion in 'Virus & Other Malware Removal' started by Marko2112, Jan 23, 2007.

  1. Marko2112

    Marko2112 Thread Starter

    Joined:
    Oct 7, 2006
    Messages:
    29
    Could someone please take a look at my HijackThis log and tell me if I've been hijacked. Strange things have been happening to my browser and I would like to know what that Starware thing is that has taken over my search function. I don't know if that's related to my browser hijack, but I don't think it's supposed to be there. Thanx guys in advance, Marko


    Logfile of HijackThis v1.99.1
    Scan saved at 4:10:19 PM, on 1/23/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\Program Files\F-Secure\Common\FCH32.EXE
    C:\Program Files\F-Secure\Common\FAMEH32.EXE
    C:\Program Files\F-Secure\Common\FNRB32.EXE
    C:\Program Files\F-Secure\Common\FIH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\PROGRA~1\Yahoo!\YOP\yop.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Ruth Jeffs\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?pr...10920152330000000113001889556&version=g_4.4.2
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
    O2 - BHO: (no name) - {35E78239-811E-4c3f-B37D-F339AC16C2C0} - C:\PROGRA~1\Comet\bin\autosearch.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [service] C:\WINDOWS\services.exe -serv
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Yahoo! Pager] 1
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108178698375
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_3_0.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
    O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
    O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exee
     
  2. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Welcome to TSG :)

    Download SmitfraudFix (by S!Ri) to your Desktop.
    http://siri.urz.free.fr/Fix/SmitfraudFix.zip
    Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press Enter
    This program will scan a large number of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm

    IMPORTANT: Do NOT run any other options until you are asked to do so!
     
  3. Marko2112

    Marko2112 Thread Starter

    Joined:
    Oct 7, 2006
    Messages:
    29
    Thanks for the reply. Actually this problem is on my mother's computer and I will stop by her place after work and run the program and post the log. Thanx for your help. Marko
     
  4. Marko2112

    Marko2112 Thread Starter

    Joined:
    Oct 7, 2006
    Messages:
    29
    Thanx sjpritch25, here are the logs:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:40:07 PM, on 1/24/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\Yahoo!\YOP\yop.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\Program Files\F-Secure\Common\FCH32.EXE
    C:\Program Files\F-Secure\Common\FAMEH32.EXE
    C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\Program Files\F-Secure\Common\FNRB32.EXE
    C:\Program Files\F-Secure\Common\FIH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\NOTEPAD.EXE
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\Ruth Jeffs\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?pr...10920152330000000113001889556&version=g_4.4.2
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
    O2 - BHO: (no name) - {35E78239-811E-4c3f-B37D-F339AC16C2C0} - C:\PROGRA~1\Comet\bin\autosearch.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [service] C:\WINDOWS\services.exe -serv
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Yahoo! Pager] 1
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108178698375
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_3_0.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
    O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
    O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
     
  5. Marko2112

    Marko2112 Thread Starter

    Joined:
    Oct 7, 2006
    Messages:
    29
    SmitFraudFix v2.135

    Scan done at 17:37:21.40, Wed 01/24/2007
    Run from C:\Documents and Settings\Ruth Jeffs\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ruth Jeffs


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ruth Jeffs\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\RUTHJE~1\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  6. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Looks like your mom possibly has a worm. You will need to print out my instructions because you will not have internet access in safe mode!!!!!

    Please download ATF Cleaner by Atribune.

    This program is for XP and Windows 2000 only


    • Save it to your desktop

      Double-click ATF-Cleaner.exe to run the program.

      Under Main choose: Select All

      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All

      Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All

      Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.

    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    ===========================================

    Reboot your computer in "SAFE MODE" using the F8 method so Windows will start with minimal drivers and running processes. To do this restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". See How to Boot in "SAFE MODE" tutorial if needed.

    ================================================

    Run HijackThis, and press "Do a System Scan Only".
    1. When the scan is complete place a check mark next to the following entries:

    O2 - BHO: (no name) - {35E78239-811E-4c3f-B37D-F339AC16C2C0} - C:\PROGRA~1\Comet\bin\autosearch.dll (file missing)
    O4 - HKLM\..\Run: [service] C:\WINDOWS\services.exe -serv

    2. After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked."


    ================================================

    Note: You may need to unhide hidden files and folders.
    Configure Windows XP to show hidden files:
    Click Start. Open My Computer.
    Select the Tools menu and click Folder Options. Select the View Tab.

    Under the Hidden files and folders heading select "Show hidden files and folders".
    Uncheck the "Hide protected operating system files (recommended)" option.
    Uncheck the "Hide file extensions for known file types" option.
    Click Yes to confirm. Click OK.

    Please DELETE the following file(s) IF STILL PRESENT. You can use Windows Explorer to navigate or use Windows Search feature to locate them.

    Files:

    C:\WINDOWS\services.exe <-- this file


    ================================
    Reboot back into Normal Mode
    ================================

    Download and scan with SUPERAntiSpyware Free for Home Users
    alternate site
    • Double-click SUPERAntiSpyware.exe to install and use the default settings for installation.
    • Run SUPERAntiSpyware and update the definitions before scanning by selecting "Check for Updates".
    • When done, select "Scan for Harmful Software".
    • There are three scanning options available. Choose "Perform Complete Scan" and click "Next".
    • When done, a Scan Summary will appear with potentially harmful items that were detected. Click "OK".
    • Place a checkmark next to items you wish to remove/quarantine and Click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • Please post the results of the superantispyware log in your next reply.
    • Select close to exit the program.
    Note: If you encounter any problems while downloading the updates, manually download and unzip them from here.


    ==============================================

    Panda Activescan
    http://www.pandasoftware.com/products/activescan.htm
    1. Once you are on the Panda site click the Scan your PC button
    2. A new window will open...click the Check Now button
    3. Enter your Country
    4. Enter your State/Province
    5. Enter your e-mail address and click send
    6. Select either Home User or Company
    7. Click the big Scan Now button
    8. If it wants to install an ActiveX component allow it
    9. It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    10. When download is complete, click on Local Disks to start the scan
    11. When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.


    In your next reply, please include a fresh HijackThis log, SUPERAntiSpyware log and Panda Activescan log. Thanks
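    A defender-side triage helper for the kinds of entry this thread turns on: the `services.exe` started from C:\WINDOWS rather than System32 and the orphaned BHO marked "(file missing)" that sjpritch25 has Marko fix above, plus the Starware SearchAssistant entry Marko asked about in the first post. This is an added example, not code from the thread, from HijackThis or from Tech Support Guy; the sample lines are copied from the logs posted above, while the expected-host allowlist, the severity labels and the list of System32-only binaries are my own assumptions for the example.

```python
"""Triage heuristics for HijackThis v1.99-style log lines (added example;
not code from HijackThis, Tech Support Guy or the posters in this thread).
Sample lines are copied from the logs posted above; the host allowlist and
severity labels are constructed for the example."""
import re
from urllib.parse import urlparse

# Core Windows binaries that normally live only under %SystemRoot%\system32.
# A same-named file anywhere else (here C:\WINDOWS\services.exe) is a
# masquerade; it matches the O4 entry the helper had removed.
SYSTEM32_ONLY = {"services.exe", "lsass.exe", "winlogon.exe", "smss.exe",
                 "svchost.exe", "csrss.exe", "spoolsv.exe"}

# Constructed allowlist: hosts the machine owner expects in the R0/R1 start
# page and search entries (Yahoo/SBC DSL defaults and the Dell portal).
EXPECTED_HOSTS = {"www.yahoo.com", "search.yahoo.com", "yahoo.sbc.com",
                  "red.clientapps.yahoo.com", "www.dellnet.com"}

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$")
R_RE = re.compile(r"^R[01] - (HK\w+)\\(.*?),(.*?) = (\S+)$")


def image_path(cmd):
    """Executable path from an O4 command line: quoted paths are taken
    verbatim, unquoted ones end at the first space (HijackThis prints 8.3
    names such as PROGRA~1 for long folders, so this is safe here)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def in_system32(path):
    """True when the file's parent directory is a System32 folder."""
    directory = path.lower().rsplit("\\", 1)[0] if "\\" in path else ""
    return directory.endswith("\\system32")


def triage_line(line):
    """Return (severity, reason) tuples for one HijackThis line."""
    findings = []
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        path = image_path(m.group(3))
        name = path.rsplit("\\", 1)[-1].lower()
        if "\\" not in path:
            findings.append(("low", f"{name}: bare file name, resolved via PATH at logon"))
        elif name in SYSTEM32_ONLY and not in_system32(path):
            findings.append(("high", f"{name} started from outside System32: {path}"))
        return findings
    m = O2_RE.match(line)
    if m:
        name, path = m.group(1), m.group(3)
        if "(file missing)" in path:
            findings.append(("medium", f"BHO {name} registered but DLL missing: orphaned entry"))
        if name == "(no name)":
            findings.append(("low", "BHO has no display name"))
        return findings
    m = R_RE.match(line)
    if m and m.group(4).lower().startswith("http"):
        host = urlparse(m.group(4)).hostname or ""
        if host not in EXPECTED_HOSTS:
            findings.append(("review", f"{m.group(3)} points to unexpected host {host}"))
    return findings


def triage_log(text):
    """Run triage_line over a whole log; returns (severity, reason, line)."""
    results = []
    for raw in text.splitlines():
        for severity, reason in triage_line(raw):
            results.append((severity, reason, raw.strip()))
    return results


# Lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?pr...10920152330000000113001889556&version=g_4.4.2
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {35E78239-811E-4c3f-B37D-F339AC16C2C0} - C:\PROGRA~1\Comet\bin\autosearch.dll (file missing)
O4 - HKLM\..\Run: [service] C:\WINDOWS\services.exe -serv
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

if __name__ == "__main__":
    for severity, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

    Entries that pass these checks are not thereby clean; the checks only surface the cheap signals (system binary name in the wrong folder, registered component whose file is gone, search settings pointing somewhere the owner never chose) so a reviewer knows where to look first.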
     
  7. Marko2112

    Marko2112 Thread Starter

    Joined:
    Oct 7, 2006
    Messages:
    29
    Thanx sjpritch25 for all your help. I will make sure that my mom donates to the WORTHY cause. If this goes as well as my first go around with you guys we will be 2 for 2. I will run those fixes Thursday when I get off work and repost. Cheers friend, Marko
     
  8. Marko2112

    Marko2112 Thread Starter

    Joined:
    Oct 7, 2006
    Messages:
    29
    SUPERAntiSpyware Scan Log
    Generated 01/25/2007 at 09:40 PM

    Application Version : 3.5.1016

    Core Rules Database Version : 3173
    Trace Rules Database Version: 1183

    Scan type : Complete Scan
    Total Scan Time : 00:46:13

    Memory items scanned : 537
    Memory threats detected : 0
    Registry items scanned : 5610
    Registry threats detected : 0
    File items scanned : 35158
    File threats detected : 139

    Adware.Tracking Cookie
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][4].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt

    Trojan.Comet/AutoSearch
    C:\DOCUMENTS AND SETTINGS\RUTH JEFFS\LOCAL SETTINGS\TEMP\TEMP.FR1F03\BIN\AUTOSEARCH.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP952\A0072100.DLL

    Unclassified.Unknown Origin
    C:\WINDOWS\SYSTEM32\FTPUPD.0XE

    BKDR_SDBOT.DP Trojan
    C:\WINDOWS\SYSTEM32\NAVMGRD.0XE

    Worm.Forbot-CC
    C:\WINDOWS\SYSTEM32\SVCHOSTING.EXE
     
  9. Marko2112

    Marko2112 Thread Starter

    Joined:
    Oct 7, 2006
    Messages:
    29
    Hang in there, sjpritch25. Ran out of time last night. Had to leave the Panda scan running till the AM, and then I will post the Panda scan results and the fresh HijackThis scan. Looks like we may have found something. Thanx again, Marko
     
  10. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
  11. Marko2112

    Marko2112 Thread Starter

    Joined:
    Oct 7, 2006
    Messages:
    29
    Incident Status Location

    Spyware:Cookie/Abetterinternet Not disinfected C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    Spyware:Cookie/Errorguard Not disinfected C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    Spyware:Cookie/Mysearch Not disinfected C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    Spyware:Cookie/Santa Monica networks inc Not disinfected C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][1].txt
    Spyware:Cookie/SpywareStormer Not disinfected C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Ruth Jeffs\Desktop\SmitfraudFix\Process.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Ruth Jeffs\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
    Adware:Adware/Comet Not disinfected C:\Documents and Settings\Ruth Jeffs\Local Settings\Temp\temp.fr1F03\Bin\csadzap.dll
    Adware:Adware/Comet Not disinfected C:\Documents and Settings\Ruth Jeffs\Local Settings\Temp\temp.fr1F03\Bin\csband.dll
    Adware:Adware/Comet Not disinfected C:\Documents and Settings\Ruth Jeffs\Local Settings\Temp\temp.fr1F03\Bin\cscore.dll
    Adware:Adware/Comet Not disinfected C:\Documents and Settings\Ruth Jeffs\Local Settings\Temp\temp.fr1F03\Bin\cseng.dll
    Adware:Adware/Comet Not disinfected C:\Documents and Settings\Ruth Jeffs\Local Settings\Temp\temp.fr1F03\Bin\csietb.dll
    Adware:Adware/Comet Not disinfected C:\Documents and Settings\Ruth Jeffs\Local Settings\Temp\temp.frBDFD
    Adware:Adware/Comet Not disinfected C:\Documents and Settings\Ruth Jeffs\Local Settings\Temp\unpack\CC_43.inf
    Adware:Adware/Comet Not disinfected C:\Documents and Settings\Ruth Jeffs\Local Settings\Temp\unpack\inst43.exe
    Adware:adware/comet Not disinfected C:\WINDOWS\Downloaded Program Files\dm.inf
    Adware:Adware/Comet Not disinfected C:\WINDOWS\INF\CC_43.inf
    Adware:adware program Not disinfected C:\WINDOWS\ss3unstl.exe
    Virus:Trj/Zapchast.D Disinfected C:\WINDOWS\SYSTEM32\c.bat
    Virus:W32/Sasser.ftp Disinfected C:\WINDOWS\SYSTEM32\cmd.ftp
    Virus:W32/Korgo.U.worm Disinfected C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\X[1].0XE
    Virus:W32/Korgo.U.worm Disinfected C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\x[2].0xe
    Virus:W32/Kelar.A Disinfected C:\WINDOWS\SYSTEM32\down.0om
    Virus:W32/Gaobot.gen.worm Disinfected C:\WINDOWS\SYSTEM32\MSNMSGPLUS.0XE
    Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\SYSTEM32\Process.exe
    Virus:W32/Blaster Disinfected C:\WINDOWS\SYSTEM32\TFTP556.0
    Virus:W32/Blaster Disinfected C:\WINDOWS\SYSTEM32\TFTP604.0
     
  12. Marko2112

    Marko2112 Thread Starter

    Joined:
    Oct 7, 2006
    Messages:
    29
    Logfile of HijackThis v1.99.1
    Scan saved at 6:28:57 AM, on 1/26/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\Program Files\F-Secure\Common\FCH32.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\F-Secure\Common\FAMEH32.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\Yahoo!\YOP\yop.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\F-Secure\Common\FNRB32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\Program Files\F-Secure\Common\FIH32.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\Ruth Jeffs\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?pr...10920152330000000113001889556&version=g_4.4.2
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Yahoo! Pager] 1
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108178698375
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_3_0.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
    O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
    O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
     
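    As an added example (not code from this thread, nor from HijackThis, Panda or any tool named here), a small Python triage pass over the two report formats posted above: it flags R0/R1 browser-setting entries whose URL host falls outside an allowlist built from the log's own Yahoo/SBC/Dell defaults, and lists the Panda items that were not disinfected and are not merely tracking cookies. The allowlist and the sample lines are copied from this thread; the function names are my own.

```python
import re

# Allowlist of hosts that the ISP/OEM defaults in the posted log legitimately
# point at (Yahoo/SBC/Dell). Any other host in a search or start-page key is a
# candidate hijack; in this thread that is the Starware SearchAssistant entry.
EXPECTED_HOSTS = {
    "www.yahoo.com", "search.yahoo.com", "red.clientapps.yahoo.com",
    "yahoo.sbc.com", "www.dellnet.com",
}

# HijackThis R0/R1 line: "R0 - HKLM\<key>,<value> = <data>"
R_LINE = re.compile(
    r"^(?P<entry>R[01]) - (?P<hive>HKLM|HKCU)\\(?P<key>[^,]+),"
    r"(?P<value>[^=]+?) = (?P<data>.*)$"
)
# Panda ActiveScan row: "<Category>:<Name> <Status> <Path>"
PANDA_ROW = re.compile(
    r"^(?P<category>[^:]+):(?P<name>.+?) "
    r"(?P<status>Not disinfected|Disinfected) (?P<path>[A-Za-z]:\\.*)$"
)


def first_host(data):
    """Host of the first URL in a registry value, or None if it is not a URL.

    IE default URLs may chain a redirect ("http://red.../*http://www.yahoo.com");
    the first host is the one that actually serves the request, so that is the
    one to judge.
    """
    m = re.match(r"https?://([^/\s*]+)", data)
    return m.group(1).lower() if m else None


def triage_hijackthis(lines, expected=EXPECTED_HOSTS):
    """Return (entry, hive, value, host) for each R0/R1 line whose URL host is
    not in the allowlist. Non-URL values (ProxyOverride) and other entry types
    (R3, O2, O4, ...) are left alone."""
    findings = []
    for line in lines:
        m = R_LINE.match(line.strip())
        if not m:
            continue
        host = first_host(m["data"])
        if host is None or host in expected:
            continue
        findings.append((m["entry"], m["hive"], m["value"].strip(), host))
    return findings


def panda_leftovers(lines):
    """Return (name, path) for Panda rows marked 'Not disinfected' that are not
    tracking cookies: the files a follow-up tool or manual cleanup must handle."""
    left = []
    for line in lines:
        m = PANDA_ROW.match(line.strip())
        if not m or m["status"] != "Not disinfected":
            continue
        if m["name"].startswith("Cookie/"):
            continue
        left.append((m["name"], m["path"]))
    return left


# Constructed sample input: lines copied from the two reports in this thread.
SAMPLE_HJT = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?pr...10920152330000000113001889556&version=g_4.4.2",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;",
    r"R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll",
]
SAMPLE_PANDA = [
    r"Spyware:Cookie/Abetterinternet Not disinfected C:\Documents and Settings\Ruth Jeffs\Cookies\ruth [email protected][2].txt",
    r"Adware:Adware/Comet Not disinfected C:\Documents and Settings\Ruth Jeffs\Local Settings\Temp\temp.fr1F03\Bin\csadzap.dll",
    r"Virus:Trj/Zapchast.D Disinfected C:\WINDOWS\SYSTEM32\c.bat",
    r"Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\SYSTEM32\Process.exe",
]

if __name__ == "__main__":
    for entry, hive, value, host in triage_hijackthis(SAMPLE_HJT):
        print(f"{entry} {hive} {value}: unexpected host {host}")
    for name, path in panda_leftovers(SAMPLE_PANDA):
        print(f"still present ({name}): {path}")
```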
  13. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    This should clean most of the stuff found by Panda.

    Please download ATF Cleaner by Atribune.

    This program is for XP and Windows 2000 only.

    • Save it to your desktop.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.

    If you use Firefox browser:
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser:
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main menu to close the program.

    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    Download ComboFix and save it to your desktop.
    http://download.bleepingcomputer.com/sUBs/combofix.exe

    Note: It is important that it is saved directly to your desktop.

    Close any open browsers.

    Double-click on combofix.exe & follow the prompts.
    When finished, it shall produce a log for you.

    Post the ComboFix.txt in your next reply.

    Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
     
  14. Marko2112

    Marko2112 Thread Starter

    Joined:
    Oct 7, 2006
    Messages:
    29
    Sorry about the delay in response, but I went to the desert and raged on my motorcycle this weekend; alas, I'm back to reality. I will go by my mother's tomorrow after work for the next installment and post the new logs, sjpritch25. Oh, and by the way, since I've let you in my registry, would it be OK to address you common? Thanx a lot for all your help and patience. Mark
     
  15. Marko2112

    Marko2112 Thread Starter

    Joined:
    Oct 7, 2006
    Messages:
    29
    "Ruth Jeffs" - 07-01-29 15:41:57 Service Pack 1
    ComboFix 07-01-25 - Running from: "C:\Documents and Settings\Ruth Jeffs\Desktop"
     
Short URL to this thread: https://techguy.org/537792
