Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93112 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Closed] HJT log_IE homepage hijack?

Started by donr727 , Oct 28 2007 04:51 PM

  • This topic is locked This topic is locked
5 replies to this topic

#1 donr727

donr727

    New Member

  • New Member
  • Pip
  • 2 posts

Posted 28 October 2007 - 04:51 PM

Hello my helpful friends...I am experiencing problems when logging into IE; the normal homepage http//:www.comcast.net/ will stall while opening, then get a message in the lower corner that displays "searching for [url="http://www6.comcast.net""]http://www6.comcast.net"[/url] Where the heck did the "www6" come from? Looking at the HJT log; look at lines 09...many comcast items show (file missing) (HKCU). Then line 011..."International*" ??. And line 014..IERESET.INF...

What's a non-techy to do??

Logfile of HijackThis v1.99.1
Scan saved at 6:25:44 PM, on 10/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16544)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
f:\program files\common files\mcafee\mna\mcnasvc.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
F:\PROGRA~1\McAfee\MSC\mcpromgr.exe
f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
f:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
F:\Program Files\McAfee\MPF\MPFSrv.exe
F:\PROGRA~1\McAfee\MPS\mps.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Viewpoint\Common\ViewpointService.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\Explorer.EXE
f:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\Program Files\McAfee\MPS\mpsevh.exe
F:\Program Files\Picasa2\PicasaMediaDetector.exe
F:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\Palm\HOTSYNC.EXE
F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - f:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Picasa Media Detector] F:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "F:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = F:\Palm\HOTSYNC.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - ?p=ZS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: ComcastHSI - {247F96B0-3625-4C7C-BFEC-56D764338BA9} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {6803C9E8-5D25-4FE8-A43D-31C7E85FA67A} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {C9D73BBB-B524-4A7F-9FA2-41876E32A034} - http://www.comcastsupport.com (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - F:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - F:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - F:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - f:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - F:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - f:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - F:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - F:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - F:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: wkssvc (Windows Kernel Serivce) - Unknown owner - F:\WINDOWS\wkssvc.exe (file missing)


I'd appreciate any assistance you can provide!! Thanks! :thumbup:

    Advertisements

Register to Remove

#2 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 30 October 2007 - 08:03 AM

Hi donr727,

Welcome to the forums, my name is Dave.

Looking at the HJT log; look at lines 09...many comcast items show (file missing) (HKCU)

Hijackthis unfortunately contains a bug where it will display this "file missing" when it's not, but those items we may able to remove any way.

Then line 011..."International*" ??. And line 014..IERESET.INF...

Those are both safe.

Here's the main problem:

O23 - Service: wkssvc (Windows Kernel Serivce) - Unknown owner - F:\WINDOWS\wkssvc.exe (file missing)

-----------------------

Please download SDFix and save it to your Desktop.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • Open the SDFix folder and double click on RunThis.bat to start the script.
  • Type Y and press Enter to begin the script.
  • It will start cleaning your PC and then prompt you to press any key to Reboot.
  • Press any key to restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished.
  • Press any key to end the script and to load your desktop icons.
  • A text file should automatically open, so please copy the contents and post them here. We also need you to post a new HijackThis log

IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi

#3 donr727

donr727

    New Member

  • New Member
  • Pip
  • 2 posts

Posted 30 October 2007 - 05:46 PM

IndiGenus...Thank you for your response!!

Here is the SDFix log:

SDFix: Version 1.112

Run by Don on Tue 10/30/2007 at 07:03 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: F:\DOCUME~1\Don\MYDOCU~1\SDFix

Safe Mode:
Checking Services:

Name:
Windows Kernel Serivce

ImagePath:
"F:\WINDOWS\wkssvc.exe"

Windows Kernel Serivce - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

F:\WINDOWS
No streams found.

F:\WINDOWS\system32
No streams found.

F:\WINDOWS\system32\svchost.exe
No streams found.

F:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"F:\\Program Files\\Support.com\\bin\\tgcmd.exe"="F:\\Program Files\\Support.com\\bin\\tgcmd.exe:*:Enabled:ComcastSUPPORT / Support.com Agent"
"F:\\Program Files\\Common Files\\AOL\\1124833271\\ee\\AOLServiceHost.exe"="F:\\Program Files\\Common Files\\AOL\\1124833271\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"F:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="F:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"F:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"="F:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe:*:Enabled:Logitech Harmony Remote Software V5"
"F:\\Program Files\\Common Files\\AOL\\1150071286\\ee\\aolsoftware.exe"="F:\\Program Files\\Common Files\\AOL\\1150071286\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"F:\\Program Files\\Common Files\\AOL\\1150071286\\ee\\aim6.exe"="F:\\Program Files\\Common Files\\AOL\\1150071286\\ee\\aim6.exe:*:Enabled:AIM"
"F:\\Documents and Settings\\Kyle\\My Documents\\My Music\\iTunes\\iTunes Music\\LimeWire\\LimeWire.exe"="F:\\Documents and Settings\\Kyle\\My Documents\\My Music\\iTunes\\iTunes Music\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"F:\\Program Files\\AIM\\aim.exe"="F:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"F:\\Program Files\\AIM6\\aim6.exe"="F:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"F:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="F:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"F:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="F:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"F:\\Program Files\\WinMX\\WinMX.exe"="F:\\Program Files\\WinMX\\WinMX.exe:*:Enabled:WinMX Application"
"F:\\Program Files\\iTunes\\iTunes.exe"="F:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"F:\\Program Files\\Common Files\\AOL\\1124833271\\ee\\AOLServiceHost.exe"="F:\\Program Files\\Common Files\\AOL\\1124833271\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"F:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="F:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"F:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"="F:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe:*:Enabled:Logitech Harmony Remote Software V5"
"F:\\Program Files\\AIM\\aim.exe"="F:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"F:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="F:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"

Remaining Files:
---------------


Files with Hidden Attributes:

Thu 28 Jul 2005 210 ..SH. --- "F:\BOOT.BAK"
Thu 12 Aug 2004 24,448 A.SHR --- "F:\NTBOOTDD.SYS"
Mon 4 Dec 2006 4,908,872 ...H. --- "F:\Program Files\Picasa2\setup.exe"
Sat 22 Oct 2005 4,348 A.SH. --- "F:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 21 Nov 2006 28,160 ...H. --- "F:\Documents and Settings\Kyle\My Documents\~WRL0990.tmp"
Wed 1 Aug 2007 20,487 A.SHR --- "F:\Program Files\McAfee\MQC\MRU.bak"
Wed 1 Aug 2007 211 A.SHR --- "F:\Program Files\McAfee\MQC\qcconf.bak"
Wed 9 Nov 2005 6,040 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTR161.tmp"
Wed 9 Nov 2005 7,276 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTR163.tmp"
Wed 9 Nov 2005 5,716 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTR165.tmp"
Wed 9 Nov 2005 6,564 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTR167.tmp"
Wed 9 Nov 2005 6,068 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTR169.tmp"
Wed 9 Nov 2005 11,288 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTR16B.tmp"
Wed 9 Nov 2005 10,548 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTR16D.tmp"
Wed 9 Nov 2005 6,388 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTR16F.tmp"
Wed 9 Nov 2005 44,904 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTR171.tmp"
Wed 9 Nov 2005 7,316 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTR174.tmp"
Wed 9 Nov 2005 6,784 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTR176.tmp"
Wed 9 Nov 2005 5,952 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTR178.tmp"
Wed 9 Nov 2005 7,816 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTR17A.tmp"
Wed 9 Nov 2005 12,608 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTR17C.tmp"
Wed 9 Nov 2005 5,316 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTR17E.tmp"
Wed 9 Nov 2005 6,036 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTR180.tmp"
Wed 9 Nov 2005 10,576 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTR182.tmp"
Wed 9 Nov 2005 44,904 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTR184.tmp"
Wed 9 Nov 2005 1,409 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTS162.tmp"
Wed 9 Nov 2005 1,409 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTS164.tmp"
Wed 9 Nov 2005 1,409 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTS166.tmp"
Wed 9 Nov 2005 1,409 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTS168.tmp"
Wed 9 Nov 2005 1,409 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTS16A.tmp"
Wed 9 Nov 2005 1,409 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTS16C.tmp"
Wed 9 Nov 2005 1,409 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTS16E.tmp"
Wed 9 Nov 2005 1,409 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTS170.tmp"
Wed 9 Nov 2005 1,409 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTS172.tmp"
Wed 9 Nov 2005 1,409 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTS175.tmp"
Wed 9 Nov 2005 1,409 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTS177.tmp"
Wed 9 Nov 2005 1,409 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTS179.tmp"
Wed 9 Nov 2005 1,409 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTS17B.tmp"
Wed 9 Nov 2005 1,409 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTS17D.tmp"
Wed 9 Nov 2005 1,409 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTS17F.tmp"
Wed 9 Nov 2005 1,409 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTS181.tmp"
Wed 9 Nov 2005 1,409 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTS183.tmp"
Wed 9 Nov 2005 1,409 ...H. --- "F:\Documents and Settings\Kelly\Local Settings\Temp\ZTS185.tmp"
Wed 1 Nov 2006 19,456 ...H. --- "F:\Documents and Settings\Kyle\Application Data\Microsoft\Word\~WRL0005.tmp"
Wed 1 Nov 2006 19,456 ...H. --- "F:\Documents and Settings\Kyle\Application Data\Microsoft\Word\~WRL0839.tmp"
Sun 23 Oct 2005 2,180 A.SH. --- "F:\Documents and Settings\Kyle\Application Data\Roxio\Dragon\DiscInfoCache\HL-DT-ST_CD-ROM_GCR-8481B_1.06_300_DICV018_DRGV20100BC.TMP"

Finished!

Here is the newest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:29:45 PM, on 10/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16544)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
f:\program files\common files\mcafee\mna\mcnasvc.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
F:\PROGRA~1\McAfee\MSC\mcpromgr.exe
f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
f:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
F:\Program Files\McAfee\MPF\MPFSrv.exe
F:\PROGRA~1\McAfee\MPS\mps.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Viewpoint\Common\ViewpointService.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\McAfee\MPS\mpsevh.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
F:\WINDOWS\system32\notepad.exe
F:\Program Files\Picasa2\PicasaMediaDetector.exe
F:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\WINDOWS\system32\ctfmon.exe
f:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\Palm\HOTSYNC.EXE
F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - f:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Picasa Media Detector] F:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "F:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = F:\Palm\HOTSYNC.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - ?p=ZS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: ComcastHSI - {247F96B0-3625-4C7C-BFEC-56D764338BA9} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {6803C9E8-5D25-4FE8-A43D-31C7E85FA67A} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {C9D73BBB-B524-4A7F-9FA2-41876E32A034} - http://www.comcastsupport.com (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - F:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - F:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - F:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - f:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - F:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - f:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - F:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - F:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - F:\Program Files\Viewpoint\Common\ViewpointService.exe

I notice that suddenly (before this repair), my IE homepage began coming up...Comcast changed the URL extension to .net/a/ so maybe they were having problems on their end.

Please let me know if you are satisfied with the scans pasted above. I truly appreciate your help and your dedication to assisting laymen like myself!! Thanks!! -Don

#4 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 30 October 2007 - 05:54 PM

Comcast changed the URL extension to .net/a/ so maybe they were having problems on their end.

That may have been the case but as you could see SDFix did find what I had expected it to and cleaned it up...nice.

I would recommend some more cleaning and a couple of scans.

Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).
Please set up the program as follows:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now
    change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
  • Under How to act? - make sure that Quarantine is selected.
  • Under How to scan? - All checkboxes should be ticked.
  • Under Possibly unwanted software - All checkboxes should be ticked.
  • Under Reports - Select Do not automatically generate reports.
  • Under What to scan? - Select Scan every file.
Close all open windows.



Please download ATF Cleaner here by Atribune. This program is for XP and Windows 2000 only.
It does not require any installation and uses minimal system resources. It is set up to clean IE, FireFox and Opera, and detects the browsers you have and grays out the other(s).
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Recommend UNCHECKING COOKIES if you rely on system remembered passwords.
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All EXCEPT FIREFOX SAVED PASSWORDS
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
  • Click Opera at the top and choose: Select All EXCEPT COOKIES AND SAVED PASSWORDS
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your cookies and saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


We Now Need To Boot Into Safemode Now

Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine,
amount of memory, hard drives installed etc (BOOT SCREEEN).
At this point you should gently tap the F8 key repeatedly until you are presented with a Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


Run AVG

  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button This must done before saving the report
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
      Posted Image
  • Right-click the AVG Tray Icon and select Exit.
  • Now copy the report back to this topic.

Restart into normal mode and post the AVG Log.

--------------------------------------------------------------------------------------------

Using Internet Explorer, click on Kaspersky Online Scanner * Click 'Accept' in the window that pops up.
* You will be prompted to install an ActiveX component from Kaspersky, Click on the information bar and select Install ActiveX Control if so. This may happen more than once. That is OK. You also may get a warning from your Windows Firewall. You can tell it to unblock.
* The program will launch and then start to download the latest definition files.
* Once the scanner is installed and the definitions downloaded, click 'Next'.
* Now click on 'Scan Settings'
* In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database: 'Extended' (If available, otherwise 'Standard')
o Scan Options: 'Scan Archives' and 'Scan Mail Bases'
* Click 'OK'
* Now under 'Select a target to scan' select 'My Computer'
* The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
* Now click on the 'Save Report As...' button:
* Make sure it says Save as a text file - change it if not
* Save the file to your desktop.
Please post the Kaspersky report and a new HijackThis log.
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi

#5 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 06 November 2007 - 07:25 AM

How are you making out here? Still need help? Let us know. Thanks, Dave
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi

#6 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 14 November 2007 - 05:03 PM

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·