Cleaning Up After Spyware Infestation...(RESOLVED)
-
I think I got my computer back to normal, but I just want to make sure that there is nothing questionable left... let me know what can go!
Thanks a lot!
Logfile of HijackThis v1.99.1
Scan saved at 3:17:37 PM, on 12/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Daily Weather Forecast\weather.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\Documents and Settings\Tom\Desktop\hijackthis.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\MsiExec.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://mail.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} - (no file)
O2 - BHO: C:\WINDOWS\adsldpbe.dll - {7507739F-BC2E-4DC3-B233-816783C25DC9} - C:\WINDOWS\adsldpbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [delmsbb] C:\WINDOWS\delmsbb.exe
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {53FD81EE-234F-45DA-8B77-2AE8A0C05F2A} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O9 - Extra button: ComcastHSI - {C16ADD19-0473-480C-815E-84844A1D1BFE} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {EFAA3E7D-06A9-45DF-A6E2-2CF00F3FFFD6} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccom...ad/tgctlcm.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} - http://secure2.comned.com/signuptemp...veSecurity.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\
O20 - Winlogon Notify: st3i - C:\WINDOWS\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
-
Welcome to DAL,
You absolutely have to do this please:
Create a new folder on your C: drive.
Name it C:\HJT or HijackThis and move the HijackThis.exe file into it.
It's best for this tool NOT to be located on your Desktop or in a TEMP folder.
This way you can undo any changes if something goes wrong.
You are still infected.
Go into Add/Remove Programs and remove (IF FOUND):
180 solutions/180 search assistant
Delfin Media
Do you have a weather program on your computer? There is a program showing that says you do, but there is also a trojan that is exactly the same. Let me know please.
Please download, install, update and scan your system with the free version of Ewido trojan scanner: www.ewido.net/en/download/
1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
3. From the main ewido screen, click on UPDATE in the left menu, then click the Start update button.
4. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run.
5. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
6. When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread, along with a new HijackThis log.
Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal.
Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
-
First of all, I do not believe I have a weather program on this computer, or at least one I actually want or use, so chances are it's problematic.
Here's a copy of the latest Ewido scan, though I did scan my computer with this program a couple of times prior where it found literally hundreds of infections, all of which were cleaned. Unfortunately, I did not save those logs.
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 1:00:00 AM, 12/3/2005
+ Report-Checksum: 1B7CE77
+ Scan result:
:mozilla.10:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.164:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.165:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.166:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.167:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.168:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.169:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.170:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.180:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.181:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.195:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
:mozilla.196:C:\Documents and Settings\Tom\Application Data\Mozilla\Profiles\default\ues72n76.slt\cookies.txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
C:\Documents and Settings\Tom\Local Settings\Temp\32480.exe -> Not-A-Virus.Hoax.Win32.Renos.ad : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0006874.exe -> Not-A-Virus.Hoax.Win32.Renos.ad : Cleaned with backup
::Report End
Here's the HijackThis log after I ran the test and restarted...
Logfile of HijackThis v1.99.1
Scan saved at 1:06:37 AM, on 12/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Daily Weather Forecast\weather.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\WINDOWS\explorer.exe
C:\HijackThis\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://mail.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} - (no file)
O2 - BHO: C:\WINDOWS\adsldpbe.dll - {7507739F-BC2E-4DC3-B233-816783C25DC9} - C:\WINDOWS\adsldpbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [delmsbb] C:\WINDOWS\delmsbb.exe
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {53FD81EE-234F-45DA-8B77-2AE8A0C05F2A} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O9 - Extra button: ComcastHSI - {C16ADD19-0473-480C-815E-84844A1D1BFE} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {EFAA3E7D-06A9-45DF-A6E2-2CF00F3FFFD6} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccom...ad/tgctlcm.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} - http://secure2.comned.com/signuptemp...veSecurity.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\
O20 - Winlogon Notify: st3i - C:\WINDOWS\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
Thanks A Lot!
-
OK,
Look in Add/Remove Programs and remove anything to do with "weather".
Scan with HJT again and put a check next to these items, making sure all browser windows are closed, including this one, so print this or create a new text document on the desktop (right-click an open area, select New > Text Document) and save it as whatever you like. Now put a check next to these:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} - (no file)
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKCU\..\Run: [delmsbb] C:\WINDOWS\delmsbb.exe
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: st3 - C:\WINDOWS\
O20 - Winlogon Notify: st3i - C:\WINDOWS\
Again, make sure all browser windows are closed and click FIX.
Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select Safe Mode and press Enter.
Hunt for and delete, if found:
C:\Program Files\AWS < folder
C:\Program Files\Daily Weather Forecast < folder
C:\WINDOWS\delmsbb.exe < file
Open C:\Windows\Prefetch\ and delete ALL files in this folder.
Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:
Temporary Internet Files
Downloaded Program Files
Recycle Bin
Temporary Files
Click OK or press Enter.
Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal Start.
Post a new HJT log for further review. How is your computer running now?
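To make the kind of triage done in this thread repeatable, here is an added Python example (my own code, not from the thread, from HijackThis or from ewido) that parses HijackThis entry lines and flags the same categories the helper asked to fix: blanked R0/R1 browser settings, O2/O9 registrations ending in "(no file)", O20 Winlogon Notify entries that name no DLL, O4 autostarts running straight out of the Windows folder, and any entry mentioning a program the user does not recognise (the thread's "anything to do with weather"). The sample log is a constructed excerpt of lines posted above; the heuristics, the `unwanted_names` parameter and the `WINDOWS_ROOT_EXE_RE` rule are my assumptions, and a flagged line is a candidate for review, not proof of malware.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O2", "O20"
    reason: str   # why the entry deserves a second look
    line: str     # the original log line


# Shape of a HijackThis entry line: "<section> - <body>". The header lines and
# the "Running processes" list do not match this and are skipped.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")

# O4 body: "HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")

# An executable sitting directly in the Windows folder (no subfolder), the way
# C:\WINDOWS\delmsbb.exe did in this thread. Assumed heuristic, not an HJT rule.
WINDOWS_ROOT_EXE_RE = re.compile(r'^"?[A-Za-z]:\\WINDOWS\\[^\\"\s]+\.exe"?', re.IGNORECASE)

# Constructed sample: a short excerpt of the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKCU\..\Run: [delmsbb] C:\WINDOWS\delmsbb.exe
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""


def parse_entry(line):
    """Return (section, body) for an entry line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(log_text, unwanted_names=()):
    """Flag entries of the kinds the thread's helper asked to fix.

    unwanted_names: case-insensitive substrings naming programs the user does
    not recognise; any entry mentioning one is flagged (assumed parameter).
    """
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        section, body = parsed
        line = raw.strip()
        lowered = body.lower()

        if any(name.lower() in lowered for name in unwanted_names):
            findings.append(Finding(section, "names a program the user does not recognise", line))
        elif section in ("R0", "R1") and body.endswith("="):
            # "Local Page =" with nothing after it: the setting has been blanked.
            findings.append(Finding(section, "browser setting has been blanked", line))
        elif section in ("O2", "O9") and body.endswith("(no file)"):
            # Orphaned BHO / toolbar button registration.
            findings.append(Finding(section, "registration points at a file that no longer exists", line))
        elif section == "O20":
            # Winlogon Notify should name a DLL; a bare folder is not a valid handler.
            target = body.rsplit(" - ", 1)[-1]
            if not target.lower().endswith(".dll"):
                findings.append(Finding(section, "Winlogon Notify entry names no DLL", line))
        elif section == "O4":
            m = RUN_RE.match(body)
            if m and WINDOWS_ROOT_EXE_RE.match(m.group(2)):
                findings.append(Finding(section, "autostart runs an executable straight from the Windows folder", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, unwanted_names=("weather",)):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run on the sample, the script reports seven entries, the same ones the helper listed plus the WeatherBug button that was added to the fix list in a later post; everything it does not flag (AVG, QuickTime, the Acrobat BHO, the AIM button) is left alone. The rules are deliberately narrow: they reproduce the helper's reasoning rather than attempt a general malware classifier.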
-
OK, I was able to do most of that, but for some reason my CleanMgr.exe would get hung up at the very beginning and didn't ever complete. I manually emptied the recycle bin and cleaned the temp files from IE (a browser I rarely ever use as it is). I also did not have a Prefetch folder in Windows, as far as I could tell. Everything else is OK though, and the computer is running very well. Here's my latest log... I don't know what to look for, but what's the deal with WeatherBug? I don't have that, nor do I want it, on my computer.
Thanks a lot for your help!
Logfile of HijackThis v1.99.1
Scan saved at 2:03:38 PM, on 12/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\HijackThis\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: C:\WINDOWS\adsldpbe.dll - {7507739F-BC2E-4DC3-B233-816783C25DC9} - C:\WINDOWS\adsldpbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {53FD81EE-234F-45DA-8B77-2AE8A0C05F2A} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O9 - Extra button: ComcastHSI - {C16ADD19-0473-480C-815E-84844A1D1BFE} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {EFAA3E7D-06A9-45DF-A6E2-2CF00F3FFFD6} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccom...ad/tgctlcm.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} - http://secure2.comned.com/signuptemp...veSecurity.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
-
This here:
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
Fix it also, I forgot to put in the fix.
This will clean out your computer also:
Download CCleaner from here:
http://www.majorgeeks.com/download4191.html
or here:
http://www.filehippo.com/download_ccleaner.html
Don't run the tool just yet, please.
Install it. The Windows tab should be open in the upper left of the program. Click Analyze and then click Run Cleaner. Just use the Windows tab that is up front by default.
1. Uncheck "Cookies" under "Internet Explorer".
2. If you are running Firefox, then click on the "Applications" tab and uncheck "Cookies" under "Firefox".
Reboot into safe mode to run CCleaner using the Windows tab only, and if all is well I have some free programs for you to try; they will go a long way in keeping your computer safer than it is right now.
Let me know
-
OK, I did what you said and everything seems to be great now, but I included a HijackThis log just in case. I would also love to find out about some other free security programs.
Thanks a lot for all of your help!
Logfile of HijackThis v1.99.1
Scan saved at 5:06:34 PM, on 12/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: C:\WINDOWS\adsldpbe.dll - {7507739F-BC2E-4DC3-B233-816783C25DC9} - C:\WINDOWS\adsldpbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {53FD81EE-234F-45DA-8B77-2AE8A0C05F2A} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {C16ADD19-0473-480C-815E-84844A1D1BFE} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {EFAA3E7D-06A9-45DF-A6E2-2CF00F3FFFD6} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccom...ad/tgctlcm.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} - http://secure2.comned.com/signuptemp...veSecurity.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
-
OK here you go
If you are no longer having any more trouble, here are some preventative measures for you.
Here are some preventive measures you can take to keep your computer from getting infected again. Also keep all of these, Ad-Aware SE and Spybot S&D updated.
http://forums.thatcomputerguy.us/ind...showtopic=1190
Flush your restore points in ME and XP, by turning System Restore off and then back on.
This will create a fresh restore point.
Explained here:
Windows XP: service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
Microsoft ME:
http://service1.symantec.com/SUPPORT...rc=sec_doc_nam
RegProtect
This small registry protection tool will save you hours of heartache by notifying you when some program good or bad is trying to access your registry.
You have the option of allowing(good) items or blocking(bad)items.
http://www.diamondcs.com.au/index.php?page=regprot
To reduce the re-infection potential for malware and protect yourself against spyware, here are a few helpful suggestions:
1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft. This will patch many of the security holes through which attackers can gain access to your computer. You CANNOT complete this update using an alternate browser.
http://v5.windowsupdate.microsoft.co....aspx?ln=en-us
http://www.microsoft.com/windows/ie/default.asp
2. Run your antivirus software regularly, and keep its definitions up-to-date. If you are thinking about switching, there are some decent free antivirus programs, including AVG and Avast!.
AVG: http://free.grisoft.com/doc/1
Avast: http://www.avast.com/eng/avast_4_home.html
3. In addition to using Ad-aware, consider using another free malware scanning/removal program:
MS Antispyware beta: http://www.microsoft.com/athome/secu...e/default.mspx
4. Consider using a free firewall if you are not already using one. Some good free ones are:
Kerio
http://www.sunbelt-software.com/Press.cfm?id=134 Coming Soon
OutPost Personal Firewall:
Outpost
5. Consider using an alternate free browser for general web surfing, but you must use IE for Windows Update.
Mozilla Firefox: www.mozilla.org/products/firefox/
6. Consider increasing your browser security by using these programs:
SpywareGuard will protect your homepage from being hijacked: http://www.javacoolsoftware.com/spywareguard.html
SpywareBlaster will increase browser protection by blocking thousands of known malware sites by adding them to IE's restricted sites zone. Download it here:
http://www.javacoolsoftware.com/spywareblaster.html
If you use SpywareBlaster, you can also use a custom block list to add even more entries into IE's restricted sites zone. Go to this site for the current list and how-to-use instructions: http://customblockinglist.cjb.net/
IE-SPYAD is similar in that it adds thousands more known malware sites to IE's restricted zone. Download it here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm
*Remember, just like your primary anti-virus software, it is important to keep all of these programs up-to-date and use them on a regular basis. It's free!
-