Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Internet Explorer HiJack

Post by RibOne » August 24th, 2008, 3:31 am

Searching from Google using IE7, the displayed results page, when clicked, takes you to a completely different website. Returning via the back button and clicking the same link, the real website is displayed. In some instances it's not possible to return to the Google results page. IE7 has to be closed down and a new search performed. Log file attached below.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:38:41, on 23/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
P:\CAinternetsecurity\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\INTEL\DSLSetup\ProDsl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
P:\CAinternetsecurity\eTrust EZ Antivirus\CAVRID.exe
P:\CAinternetsecurity\cctray\cctray.exe
P:\CAinternetsecurity\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\RegistrySmart\RegistrySmart.exe
C:\WINDOWS\system32\ctfmon.exe
P:\CAinternetsecurity\eTrust PestPatrol Anti-Spyware\CAPPActiveProtection.exe
C:\WINDOWS\System32\svchost.exe
P:\CAinternetsecurity\eTrust EZ Antivirus\VetMsg.exe
P:\CAinternetsecurity\ccprovsp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/e ... efault.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6CB804C6-8939-AA18-83BD-0A1183860E3F} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DSL Connection Manager] "C:\Program Files\INTEL\DSLSetup\ProDsl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CAVRID] "P:\CAinternetsecurity\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [cctray] "P:\CAinternetsecurity\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "P:\CAinternetsecurity\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RegistrySmart] C:\Program Files\RegistrySmart\RegistrySmart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Help - {0A62CEA2-6092-455A-B50B-200C904B08FF} - http://www.btopenworld.com/helpbb (file missing) (HKCU)
O9 - Extra button: Homepage - {2ACDC5B2-0E32-4CC1-BD9B-F647B92DA86C} - http://www.btopenworld.com/businesshome (file missing) (HKCU)
O9 - Extra button: BT - {BECB82FC-A5FD-400B-A126-A8CCDD931483} - http://www.bt.com (file missing) (HKCU)
O16 - DPF: {006416E4-6530-57F5-23F2-3A7A7AF65B53} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {010633EE-2DE9-4567-4718-378927E92227} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {0191897D-841F-4304-E794-0BB10FCA4CA6} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {04C6443D-8C87-3A12-7504-5411517C1931} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {05638749-B5C1-5EF2-556E-59966F5A0F80} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {09FAB6B7-33FF-032A-58D3-551444D80DF7} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {0BC594F5-A692-7073-ACF5-1E044D0142DD} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Fac ... oader5.cab
O16 - DPF: {0D8471CE-47B3-00C0-9FED-08787855D1B7} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {0DA8011B-46F7-7680-A080-5E22313FD426} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {0F031E20-E761-78B9-6D78-46CA281356A0} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {0FE8F388-95A8-6AC2-16DB-571676AA7333} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {1280B829-9913-5D67-7238-12AC02A84E02} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {13C0BCF1-B64E-3CDE-23D6-5399239CFCB9} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://training.k2ms.com/WebPlayer/auth ... wswaxd.cab
O16 - DPF: {1909E5BE-BE56-641D-EE38-346830E711A5} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {1AFA125A-D7E1-52A5-1BB5-47610D1442E3} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {202C403F-B981-2276-39D2-3778463640C4} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {204D3808-354D-488C-1501-68044E2E5E4B} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {2101ACD7-8377-79BA-9398-02E716B306C5} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
O16 - DPF: {2631DBED-7403-3F7B-CF8C-77AE70D465C7} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {27812E13-4CDB-6FE7-C532-39DF23172E76} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {27B5C7A2-4531-2B79-0462-55A05441A573} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {27B63DFD-A748-1111-0907-56C372800B17} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {27FD3FB7-C549-247F-F7CA-39B95C436F7B} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/com ... MediaX.cab
O16 - DPF: {2B108D4D-6326-6EAE-18A6-6B5014F9DD10} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {2B84CF55-33F4-2732-0460-44B66B4BA6FA} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {2B9AC3EC-A412-4302-6B05-29332D473EBC} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {2CC66FF6-ADA1-3D71-0DD4-6E8557445C94} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {2EB9E46D-D34C-3ED9-B714-553344BE8030} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {3610B7A2-17EE-017E-0CB7-501E7B77E58C} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {36726AE1-3275-1B1F-7590-13D0560D26BA} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {39062C73-99ED-469F-A20A-561E67D86132} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {3AF1420A-306C-2AD1-D239-0A202420CCA5} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {3B2C4E33-B7C9-11B3-2EA7-57957CB64CB4} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {3BA4D915-683A-36D9-9D03-4E2D5956C941} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {3C9B611C-6032-2A32-AA47-17890A837D12} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {43652E67-CD64-3C68-BDC8-2D665AC6EB79} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {47969836-0DBA-101A-BABC-5C2205D007A4} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {47AFD7AF-50BE-15DA-A3F7-32B92CF7119C} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {47BCF70A-1481-1631-1CC5-2A1770574D72} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {48FD6500-3F6E-792A-B072-70D41984CF81} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {4D00DF50-1974-6DB1-1762-742314A8E0F8} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {4E6343BB-C229-2612-74C1-437551C5C69F} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {5189585D-3313-2D3C-A71D-7ACF63F8AC83} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {52128203-E2C1-5C1E-9855-525321B08A11} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {527A341D-1931-380F-3203-4E7F0950790E} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {53E6564C-B4C3-5D50-6400-145A4CCED51D} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {545D1464-E0E3-4275-CDE3-4DC943483947} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {554B6000-5DA2-383C-65BF-0B53176B4B5D} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Support/PestSc ... stscan.cab
O16 - DPF: {5801F8F1-ABA3-5925-3D60-3F5A589D5EDA} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {591C68D4-832F-5B6C-4B02-46F75DF97C91} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6088333D-04D1-6DCC-E9AA-47E067279782} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6779BA63-C483-630C-4993-153D08D13763} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {69489ED9-0B5D-213A-5F35-7FC72D4C3F9F} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {6B870227-C92C-49E8-57DF-61F91EFF8C30} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {6BCE3BE4-1562-78A5-B3A2-73AF4406D04F} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {6D2AD786-F4BF-3B2B-5E70-52510ED83A42} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {6EBB85C3-45D3-533F-3539-0E34155BADFA} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {6F005B8E-3E92-5441-FB74-00BF7CE62C3D} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {728491C2-6960-29D9-E6B7-5B7730461A8D} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {72AB63D6-6614-3CF0-BB99-50C05BB3528D} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {733CD10A-8288-69D6-9036-2AD645CADD9F} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {737D68E6-D178-7524-8ADC-7D4C7B0A29E4} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {73B04ABE-2F7D-51DC-481F-4C926749F67F} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {757DF668-16E2-1820-107D-380F7887072B} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {789985B6-AD76-48AF-119F-4B632F29D9D8} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {78CF2FF1-4966-7E5F-E0CC-4CE82C2AC474} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {7A13544D-29F3-30D2-E240-4C9D38CD5AD2} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {7A9C26D3-F13D-4C84-D926-04E97D0C3A35} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {7C3B9F87-C1EB-577C-EACE-5E7F6E716CC7} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {7E94FC34-E655-23AE-B33E-37404D0638B8} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {7F6D73F6-0EFD-5C23-9036-11C12FF4D70B} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://207.226.177.98/dba2312.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gba217.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - http://direct.data-line.us/gba217.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{63628ED7-C88D-46E1-BAEB-95EE5F619134}: NameServer = 194.74.65.69 194.72.9.34
O20 - AppInit_DLLs: dbi102.dll
O21 - SSODL: ComCfg - {49220253-153B-E3F3-67AF-0361FF5FF222} - C:\Program Files\huxcceg\ComCfg.dll
O23 - Service: CaCCProvSP - CA, Inc. - P:\CAinternetsecurity\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - P:\CAinternetsecurity\eTrust EZ Antivirus\ISafe.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - P:\CAinternetsecurity\eTrust EZ Antivirus\VetMsg.exe

--
End of file - 14658 bytes
RibOne
Active Member
 
Posts: 5
Joined: August 23rd, 2008, 2:27 am
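An added illustration, not part of the thread and not HijackThis's own logic: a small Python triage script that parses entries in the log format above and flags the kinds of lines a volunteer helper singles out (ActiveX downloads of bare executables or from raw IPs, nameless BHO/toolbar entries with no file, AppInit_DLLs, shell objects outside system32, blanked IE settings, odd startup-folder items, and DNS servers to confirm). The rules and severities are the editor's assumptions about common helper heuristics; the sample lines are copied from the log above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log in the post above, with
# two benign neighbours (Start Page, Shockwave) kept so the rules have something to pass.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {6CB804C6-8939-AA18-83BD-0A1183860E3F} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - Global Startup: .protected
O16 - DPF: {006416E4-6530-57F5-23F2-3A7A7AF65B53} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gba217.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{63628ED7-C88D-46E1-BAEB-95EE5F619134}: NameServer = 194.74.65.69 194.72.9.34
O20 - AppInit_DLLs: dbi102.dll
O21 - SSODL: ComCfg - {49220253-153B-E3F3-67AF-0361FF5FF222} - C:\Program Files\huxcceg\ComCfg.dll
"""

@dataclass
class Finding:
    section: str
    severity: str  # high / medium / low / review
    reason: str
    line: str

ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)

def check_dpf(body):
    # O16 = Downloaded Program Files (ActiveX). Genuine controls ship as .cab/.ocx from a
    # vendor host; a bare .exe, or anything served from a raw IP, is a drive-by installer.
    url = body.rsplit(" - ", 1)[-1].strip()
    parsed = urlparse(url)
    if parsed.path.lower().endswith(".exe"):
        return "high", f"ActiveX entry downloads an executable: {url}"
    if IPV4.match(parsed.hostname or ""):
        return "high", f"ActiveX entry served from a raw IP: {parsed.hostname}"
    return None

def check_orphan(body):
    # O2 BHO / O3 toolbar: a nameless entry whose DLL is gone is left over from a partial
    # removal; harmless on its own, but helpers clear it so IE stops trying to load it.
    if "(no file)" in body:
        return ("medium" if "(no name)" in body else "low"), "registration points to a missing file"
    return None

def check_appinit(body):
    # O20: every DLL named here is loaded into each process that loads user32.dll.
    value = body.split(":", 1)[1].strip()
    return ("high", f"AppInit_DLLs injects {value} into every GUI process") if value else None

def check_ssodl(body):
    # O21: ShellServiceObjectDelayLoad objects run inside Explorer at logon. The stock
    # ones live in system32; a DLL in a random Program Files folder does not belong there.
    path = body.rsplit(" - ", 1)[-1].strip()
    return None if SYSTEM32.match(path) else ("high", f"shell object loaded from {path}")

def check_ie_setting(body):
    # R0/R1: a blanked Local Page / search URL is a common side effect of a hijacker
    # rewriting IE's registry keys; "fixing" it just restores the default.
    key, _, value = body.partition("=")
    return None if value.strip() else ("low", f"IE setting {key.strip()} has been blanked")

def check_startup(body):
    # O4 Global Startup items are normally .lnk shortcuts; a dotfile with no target is odd.
    item = body.split(":", 1)[1].strip()
    return None if re.search(r"\.(lnk|exe|bat)\b", item, re.I) else ("medium", f"odd startup item: {item}")

def check_dns(body):
    # O17 cannot be judged from the log alone, but search redirection is a classic DNS-hijack
    # symptom, so the user is asked to confirm the servers belong to their ISP.
    servers = body.split("NameServer =", 1)[-1].split()
    return "review", f"confirm DNS servers {', '.join(servers)} are your ISP's"

HANDLERS = {"O16": check_dpf, "O2": check_orphan, "O3": check_orphan, "O20": check_appinit,
            "O21": check_ssodl, "R0": check_ie_setting, "R1": check_ie_setting,
            "O4": check_startup, "O17": check_dns}

def triage(log_text):
    """Return one Finding per log entry that trips a rule, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        handler = HANDLERS.get(m.group("sec")) if m else None
        result = handler(m.group("body")) if handler else None
        if result:
            findings.append(Finding(m.group("sec"), result[0], result[1], raw.strip()))
    return findings

def severity_counts(findings):
    return dict(Counter(f.severity for f in findings))

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```

Run against the sample, it flags nine entries and passes the Google start page and the Shockwave control; the "review" finding for O17 is deliberately not a verdict, since only the user can say whether those resolvers are the ISP's.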

Re: Internet Explorer HiJack

Post by jmw3 » August 28th, 2008, 10:30 am

Welcome RibOne
I will be helping you under the guidance of one of our expert coaches.
Please give me a little time to get back to you with instructions.

In the meantime please note the following:
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part, cannot completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of them completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • Continue to respond to this thread until I give you the All Clean!
Please Note: My instructions to you are checked by an expert prior to posting. This may cause a small delay between posts.
Thanks
John

Create an Uninstall List
Make an uninstall list using HijackThis
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button
  • Click on the Save list... button and specify where you would like to save this file. When you press the Save button a notepad will open with the contents of that file. Copy and paste the contents of that notepad here in your next reply.
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Internet Explorer HiJack

Post by RibOne » August 28th, 2008, 12:54 pm

able2buy
Adobe Flash Player ActiveX
Adobe Reader 7.1.0
Apple Mobile Device Support
Apple Software Update
BT Openworld Dell Signup
CA Internet Security Suite
Canon Camera Support Core Library
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window DVC for ZoomBrowser EX
Canon Camera Window for ZoomBrowser EX
Canon EOS Kiss_N REBEL_XT 350D WIA Driver
Canon Internet Library for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Digital Photo Professional 1.6.1
Canon Utilities EOS Capture 1.3
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX
Dell Photo Printer 720
Dell Solution Center
dvdSanta 4.00
Enhancement Browser Tools Mxlivemedia
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Intel(R) 537EP V9x DF PCI Modem
Intel(R) AnyPoint(R) Modem
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet
iTunes
Macromedia Shockwave Player
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft LifeCam
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Publisher 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works 7.0
Modem Event Monitor
Modem Helper
Modem On Hold
Motion Director
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Norton PartitionMagic 8.0
NVIDIA Drivers
PDF-XChange 3.0
Picture Package Music Transfer
PowerDVD 5.1
QuickTime
RealPlayer
RegCure 1.5.0.1
RegistrySmart
Road Angel UK
Safari
Sage Instant Accounts V12.00
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile Composite Device Software
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Sonic DLA
Sonic MyDVD
Sonic RecordNow!
Sonic Update Manager
Sony Picture Utility
Sony USB Driver
TinCam 1.05
TomTom HOME
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
Yahoo! Toolbar
RibOne
Active Member
 
Posts: 5
Joined: August 23rd, 2008, 2:27 am

Re: Internet Explorer HiJack

Post by jmw3 » August 29th, 2008, 9:04 am

Hello RibOne

Fix HijackThis Entries
  • Open HijackThis
  • Click on Do a system scan only
  • Place a checkmark next to these lines (if still present):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {6CB804C6-8939-AA18-83BD-0A1183860E3F} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - Global Startup: .protected
O16 - DPF: {006416E4-6530-57F5-23F2-3A7A7AF65B53} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {010633EE-2DE9-4567-4718-378927E92227} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {0191897D-841F-4304-E794-0BB10FCA4CA6} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {04C6443D-8C87-3A12-7504-5411517C1931} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {05638749-B5C1-5EF2-556E-59966F5A0F80} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {09FAB6B7-33FF-032A-58D3-551444D80DF7} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {0BC594F5-A692-7073-ACF5-1E044D0142DD} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {0D8471CE-47B3-00C0-9FED-08787855D1B7} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {0DA8011B-46F7-7680-A080-5E22313FD426} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {0F031E20-E761-78B9-6D78-46CA281356A0} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {0FE8F388-95A8-6AC2-16DB-571676AA7333} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {1280B829-9913-5D67-7238-12AC02A84E02} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {13C0BCF1-B64E-3CDE-23D6-5399239CFCB9} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {1909E5BE-BE56-641D-EE38-346830E711A5} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {1AFA125A-D7E1-52A5-1BB5-47610D1442E3} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {202C403F-B981-2276-39D2-3778463640C4} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {204D3808-354D-488C-1501-68044E2E5E4B} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {2101ACD7-8377-79BA-9398-02E716B306C5} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {2631DBED-7403-3F7B-CF8C-77AE70D465C7} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {27812E13-4CDB-6FE7-C532-39DF23172E76} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {27B5C7A2-4531-2B79-0462-55A05441A573} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {27B63DFD-A748-1111-0907-56C372800B17} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {27FD3FB7-C549-247F-F7CA-39B95C436F7B} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {2B108D4D-6326-6EAE-18A6-6B5014F9DD10} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {2B84CF55-33F4-2732-0460-44B66B4BA6FA} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {2B9AC3EC-A412-4302-6B05-29332D473EBC} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {2CC66FF6-ADA1-3D71-0DD4-6E8557445C94} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {2EB9E46D-D34C-3ED9-B714-553344BE8030} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {3610B7A2-17EE-017E-0CB7-501E7B77E58C} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {36726AE1-3275-1B1F-7590-13D0560D26BA} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {39062C73-99ED-469F-A20A-561E67D86132} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {3AF1420A-306C-2AD1-D239-0A202420CCA5} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {3B2C4E33-B7C9-11B3-2EA7-57957CB64CB4} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {3BA4D915-683A-36D9-9D03-4E2D5956C941} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {3C9B611C-6032-2A32-AA47-17890A837D12} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {43652E67-CD64-3C68-BDC8-2D665AC6EB79} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {47969836-0DBA-101A-BABC-5C2205D007A4} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {47AFD7AF-50BE-15DA-A3F7-32B92CF7119C} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {47BCF70A-1481-1631-1CC5-2A1770574D72} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {48FD6500-3F6E-792A-B072-70D41984CF81} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {4D00DF50-1974-6DB1-1762-742314A8E0F8} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {4E6343BB-C229-2612-74C1-437551C5C69F} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {5189585D-3313-2D3C-A71D-7ACF63F8AC83} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {52128203-E2C1-5C1E-9855-525321B08A11} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {527A341D-1931-380F-3203-4E7F0950790E} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {53E6564C-B4C3-5D50-6400-145A4CCED51D} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {545D1464-E0E3-4275-CDE3-4DC943483947} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {554B6000-5DA2-383C-65BF-0B53176B4B5D} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {5801F8F1-ABA3-5925-3D60-3F5A589D5EDA} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {591C68D4-832F-5B6C-4B02-46F75DF97C91} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {6088333D-04D1-6DCC-E9AA-47E067279782} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {6779BA63-C483-630C-4993-153D08D13763} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {69489ED9-0B5D-213A-5F35-7FC72D4C3F9F} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {6B870227-C92C-49E8-57DF-61F91EFF8C30} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {6BCE3BE4-1562-78A5-B3A2-73AF4406D04F} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {6D2AD786-F4BF-3B2B-5E70-52510ED83A42} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {6EBB85C3-45D3-533F-3539-0E34155BADFA} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {6F005B8E-3E92-5441-FB74-00BF7CE62C3D} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {728491C2-6960-29D9-E6B7-5B7730461A8D} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {72AB63D6-6614-3CF0-BB99-50C05BB3528D} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {733CD10A-8288-69D6-9036-2AD645CADD9F} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {737D68E6-D178-7524-8ADC-7D4C7B0A29E4} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {73B04ABE-2F7D-51DC-481F-4C926749F67F} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {757DF668-16E2-1820-107D-380F7887072B} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {789985B6-AD76-48AF-119F-4B632F29D9D8} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {78CF2FF1-4966-7E5F-E0CC-4CE82C2AC474} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {7A13544D-29F3-30D2-E240-4C9D38CD5AD2} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {7A9C26D3-F13D-4C84-D926-04E97D0C3A35} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {7C3B9F87-C1EB-577C-EACE-5E7F6E716CC7} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {7E94FC34-E655-23AE-B33E-37404D0638B8} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {7F6D73F6-0EFD-5C23-9036-11C12FF4D70B} - http://85.255.115.229/1/gdnFR2312.exe
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://207.226.177.98/dba2312.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gba217.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - http://direct.data-line.us/gba217.exe
O20 - AppInit_DLLs: dbi102.dll
O21 - SSODL: ComCfg - {49220253-153B-E3F3-67AF-0361FF5FF222} - C:\Program Files\huxcceg\ComCfg.dll


  • Close all windows except HijackThis and click Fix Checked
  • Click Yes when prompted
  • Close HijackThis.

ATF Cleaner
Download ATF Cleaner here by Atribune.
    Double-click ATF-Cleaner.exe to run the program
    Under Main choose: Select All
    Click the Empty Selected button
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
Click Exit on the Main menu to close the program.

Reboot your computer.

Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware here and save to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply.
    Note: the log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    or via the Logs tab when Malwarebytes' Anti-Malware is started.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.


To post in your next reply:
MBAM log
New HJT log
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
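Added example, not code from this thread or from HijackThis: a small triage script for the entry types in the fix list above (O16 DPF downloads, O20 AppInit_DLLs, O21 SSODL). The heuristics, the `SYSTEM32` path, the allowed DPF suffixes and the cluster threshold are my assumptions; the sample log is constructed with an RFC 5737 documentation IP and placeholder CLSIDs.

```python
"""Triage of HijackThis (HJT) log entries of the kinds fixed in this thread.

Added example, not HijackThis code. Heuristics (assumptions, not HJT rules):
  O16 DPF  - ActiveX download from a raw IP, a payload that is not a
             .cab/.ocx/.dll, or a control with no friendly name
  O20      - any AppInit_DLLs value (the DLL is loaded into every GUI process)
  O21      - a shell service object (SSODL) loaded from outside system32
plus a cluster check: many distinct CLSIDs all fetching one file.
The sample log is constructed: RFC 5737 documentation IP, placeholder CLSIDs.
"""
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlparse

SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.vendor.example/swflash.cab
O16 - DPF: {00000000-1111-2222-3333-444444444401} - http://203.0.113.10/1/dropper-placeholder.exe
O16 - DPF: {00000000-1111-2222-3333-444444444402} - http://203.0.113.10/1/dropper-placeholder.exe
O16 - DPF: {00000000-1111-2222-3333-444444444403} - http://203.0.113.10/1/dropper-placeholder.exe
O16 - DPF: {00000000-1111-2222-3333-444444444404} - http://203.0.113.10/1/dropper-placeholder.exe
O20 - AppInit_DLLs: dbi102.dll
O21 - SSODL: ComCfg - {00000000-1111-2222-3333-444444444405} - C:\\Program Files\\huxcceg\\ComCfg.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""

O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")

DPF_OK_SUFFIXES = (".cab", ".ocx", ".dll")   # assumption: what a legitimate DPF delivers
SYSTEM32 = "c:\\windows\\system32\\"          # assumption: default XP system root
CLUSTER_MIN = 3                                # assumption: distinct CLSIDs per URL worth flagging


def is_bare_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_o16(entry):
    """Reasons an O16 (Download Program Files / ActiveX) entry looks wrong."""
    reasons = []
    url = urlparse(entry["url"])
    if is_bare_ip(url.hostname or ""):
        reasons.append("download host is a raw IP address, not a vendor domain")
    if not url.path.lower().endswith(DPF_OK_SUFFIXES):
        reasons.append("payload is not a .cab/.ocx/.dll control")
    if not entry["name"]:
        reasons.append("no friendly control name")
    return reasons


def triage(log_text):
    """Return [(line, [reasons]), ...] for every flagged entry in an HJT log."""
    findings = []
    clsids_by_url = defaultdict(set)
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := O16_RE.match(line)):
            entry = m.groupdict()
            clsids_by_url[entry["url"]].add(entry["clsid"])
            if (reasons := check_o16(entry)):
                findings.append((line, reasons))
        elif (m := O20_RE.match(line)):
            if m.group("value").strip():
                findings.append((line, ["AppInit_DLLs is set; the DLL is injected into every process that loads user32.dll"]))
        elif (m := O21_RE.match(line)):
            if not m.group("path").lower().startswith(SYSTEM32):
                findings.append((line, ["shell service object loaded from outside system32"]))
    # One download registered under many CLSIDs: the pattern in the fix list above.
    for url, clsids in clsids_by_url.items():
        if len(clsids) >= CLUSTER_MIN:
            findings.append((f"O16 cluster -> {url}", [f"{len(clsids)} distinct CLSIDs fetch the same file"]))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    -", r)
```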

Re: Internet Explorer HiJack

Unread postby RibOne » August 30th, 2008, 1:53 pm

Hi

Many thanks for your help and support. It appears that the problem(s) have been resolved. No more redirects, no more Antivirus 2008 XP pop-ups. What a relief! Ta!

As requested please find below the log files as per your instructions:

Malwarebytes' Anti-Malware 1.25
Database version: 1097
Windows 5.1.2600 Service Pack 2

13:09:05 30/08/2008
mbam-log-08-30-2008 (13-09-05).txt

Scan type: Full Scan (C:\|D:\|P:\|Q:\|)
Objects scanned: 122385
Time elapsed: 1 hour(s), 2 minute(s), 35 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 5
Registry Keys Infected: 16
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 12
Files Infected: 58

Memory Processes Infected:
C:\Program Files\RegistrySmart\RegistrySmart.exe (Rogue.RegistrySmart) -> Unloaded process successfully.
C:\Documents and Settings\All Users\Application Data\SoftLand Ltd\Antivirus 2008 XP\av2008xp.exe (Rogue.XPAntivirus) -> Unloaded process successfully.

Memory Modules Infected:
C:\Documents and Settings\All Users\Application Data\services\services.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\msvbcr40.dll (Trojan.BHO) -> Delete on reboot.
C:\Program Files\RegistrySmart\RegCleaner.dll (Rogue.RegistrySmart) -> Delete on reboot.
C:\Program Files\RegistrySmart\TCL.dll (Rogue.RegistrySmart) -> Delete on reboot.
C:\Program Files\RegistrySmart\zlib.dll (Rogue.RegistrySmart) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\burstwriting.burstwriting (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8b8df25f-2c47-4473-8e1c-7f54ac7ef481} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{18cb1a7b-94cd-4582-8022-ada16851e44b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18cb1a7b-94cd-4582-8022-ada16851e44b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\burstwriting.burstwriting.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\msvbcr40.msvbcr40 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2756bad7-2f9f-47ef-ae6d-8d39cceb396f} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2756bad7-2f9f-47ef-ae6d-8d39cceb396f} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\msvbcr40.msvbcr40.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Installer\UpgradeCodes\a1dc0fc00707a5a47b1b8c47064e8e01 (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\a1dc0fc00707a5a47b1b8c47064e8e01 (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mxlivemedia (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SoftLand Ltd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{2756bad7-2f9f-47ef-ae6d-8d39cceb396f} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\registrysmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\s9201 (Rogue.XPAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\registrysmart\ (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\documents and settings\all users\start menu\programs\registrysmart\ (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SoftLand Ltd (Rogue.XPAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SoftLand Ltd\Antivirus 2008 XP (Rogue.XPAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SoftLand Ltd\Antivirus 2008 XP\BASE (Rogue.XPAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SoftLand Ltd\Antivirus 2008 XP\DELETED (Rogue.XPAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SoftLand Ltd\Antivirus 2008 XP\LOG (Rogue.XPAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SoftLand Ltd\Antivirus 2008 XP\SAVED (Rogue.XPAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\services\services.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\msvbcr40.dll (Trojan.BHO) -> Delete on reboot.
C:\Documents and Settings\steve\Local Settings\Temp\_addon.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\eehyzfrqqcypo.exe (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\DataBase.ref (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\RegCleaner.dll (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\RegistrySmart.exe (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\RegistrySmart.url (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\TCL.dll (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\zlib.dll (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Common\emails.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Common\log.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SoftLand Ltd\Antivirus 2008 XP\av2008xp.exe (Rogue.XPAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SoftLand Ltd\Antivirus 2008 XP\LOG\20080828100635484.log (Rogue.XPAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SoftLand Ltd\Antivirus 2008 XP\LOG\20080828100926031.log (Rogue.XPAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SoftLand Ltd\Antivirus 2008 XP\LOG\20080828133258531.log (Rogue.XPAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SoftLand Ltd\Antivirus 2008 XP\LOG\20080829091137031.log (Rogue.XPAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SoftLand Ltd\Antivirus 2008 XP\LOG\20080830090322343.log (Rogue.XPAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SoftLand Ltd\Antivirus 2008 XP\LOG\20080830115440578.log (Rogue.XPAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RegistrySmart\RegistrySmart on the Web.lnk (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RegistrySmart\RegistrySmart.lnk (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Log\2008 Aug 30 - 09_03_16 AM_671.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Log\2008 Aug 30 - 11_54_34 AM_734.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-04-13_10-08-14.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-05-14_15-14-58.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-05-15_08-54-05.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-06-08_08-39-01.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-06-12_12-07-48.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-06-15_15-25-44.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-06-19_12-04-39.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-07-05_08-56-27.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-07-11_09-32-39.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-08-08_10-39-12.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-08-08_15-39-13.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-08-09_10-21-55.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-08-15_10-11-18.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-08-15_10-23-36.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-08-15_11-48-23.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-08-15_14-42-33.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-08-22_10-24-16.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-08-22_11-04-43.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-08-23_14-39-16.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-08-23_14-50-30.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-08-23_15-00-06.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-08-24_09-32-00.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-08-25_09-15-56.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-08-26_09-02-30.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-08-27_09-02-48.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-08-27_16-00-40.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-08-28_09-00-18.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-08-28_10-14-15.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-08-28_13-52-43.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-08-29_09-22-00.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\steve\Application Data\RegistrySmart\Registry Backups\2008-08-30_09-43-29.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\.protected (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\.protected (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\.protected (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\RegistrySmart.lnk (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:19:06, on 30/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
P:\CAinternetsecurity\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\INTEL\DSLSetup\ProDsl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
P:\CAinternetsecurity\eTrust EZ Antivirus\CAVRID.exe
P:\CAinternetsecurity\cctray\cctray.exe
P:\CAinternetsecurity\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
P:\CAinternetsecurity\eTrust PestPatrol Anti-Spyware\CAPPActiveProtection.exe
C:\WINDOWS\System32\svchost.exe
P:\CAinternetsecurity\eTrust EZ Antivirus\VetMsg.exe
P:\CAinternetsecurity\ccprovsp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/e ... efault.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DSL Connection Manager] "C:\Program Files\INTEL\DSLSetup\ProDsl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CAVRID] "P:\CAinternetsecurity\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [cctray] "P:\CAinternetsecurity\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "P:\CAinternetsecurity\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "P:\Quicktime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Help - {0A62CEA2-6092-455A-B50B-200C904B08FF} - http://www.btopenworld.com/helpbb (file missing) (HKCU)
O9 - Extra button: Homepage - {2ACDC5B2-0E32-4CC1-BD9B-F647B92DA86C} - http://www.btopenworld.com/businesshome (file missing) (HKCU)
O9 - Extra button: BT - {BECB82FC-A5FD-400B-A126-A8CCDD931483} - http://www.bt.com (file missing) (HKCU)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Fac ... oader5.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://training.k2ms.com/WebPlayer/auth ... wswaxd.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/com ... MediaX.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Support/PestSc ... stscan.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{63628ED7-C88D-46E1-BAEB-95EE5F619134}: NameServer = 194.74.65.69 194.72.9.34
O23 - Service: CaCCProvSP - CA, Inc. - P:\CAinternetsecurity\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - P:\CAinternetsecurity\eTrust EZ Antivirus\ISafe.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - P:\CAinternetsecurity\eTrust EZ Antivirus\VetMsg.exe

--
End of file - 7273 bytes

Thanks for your support during this difficult time.
Kevin
RibOne
Active Member
 
Posts: 5
Joined: August 23rd, 2008, 2:27 am

Re: Internet Explorer HiJack

Unread postby jmw3 » August 31st, 2008, 9:59 am

Hi RibOne
Good to hear things are better. Just a little more to do.

ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program
    Under Main choose: Select All
    Click the Empty Selected button
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
Click Exit on the Main menu to close the program.

Reboot your computer.

Kaspersky Online Scan
Please make sure that all programs are closed when installing Java.
  • Click here to visit Java's website
  • Scroll down to Java Runtime Environment (JRE) 6 Update 7. Click on Download
  • Select Windows from the drop-down list for Platform
  • Select Multi-language from the drop-down list for Language
  • Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue
  • Click on jre-6u7-windows-i586-p.exe link to download it and save this to a convenient location
  • Double click on jre-6u7-windows-i586-p.exe to install Java
  • After the Java installation has finished, go to Kaspersky website and perform an online antivirus scan
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Internet Explorer HiJack

Unread postby RibOne » September 3rd, 2008, 6:57 am

Hi

I got as far as the ATF Cleaner & Reboot.

The Java program would not RUN; something about no valid certificate. I guessed it was stopped by the CA Internet Security Suite on the PC. So in effect just the Kaspersky Online Scan has not been done or a logfile generated.

I must say however that since your earlier set of instructions was followed the PC is remarkably clean, no issues and running top class. I'm of the old school, if it's not broke don't fix it, so the later checks I guess are only to confirm that all's OK.

I would prefer if we could now close out this topic and on your next post if you could kindly provide a link to the 'donation section' which I would like to complete. Your help has been astounding, please accept my genuine thanks for your support. Keep up the good work.
RibOne
Active Member
 
Posts: 5
Joined: August 23rd, 2008, 2:27 am

Re: Internet Explorer HiJack

Unread postby jmw3 » September 3rd, 2008, 12:43 pm

All Clean
No problem RibOne.
Now that your system is safe we would like you to keep it that way. Take the time to follow these instructions and it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

Open Malwarebytes' Anti-Malware, Click Quarantine then Delete All. Close the program.
Download SecurityProvidersFix.zip from Here & save to your desktop. You may have to register in order to download the file. Unzip it, then run the application. If it tells you that you have a corrupt registry value, allow the tool to fix it.

Create a Clean System Restore Point
Create a new, clean System Restore point which you can use in case of future system problems:
Press Start->All Programs->Accessories->System Tools->System Restore
Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close
Now remove old, infected System Restore points:
Next click Start->Run and type cleanmgr in the box and click OK
Ensure the boxes for Temporary Files & Temporary Internet Files are checked. You can choose to check other boxes if you wish but they are not required.
Select the More Options tab, under System Restore click Clean up... and click Yes to the prompt
Click OK and Yes to confirm.

Microsoft Windows Update
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates

SpywareBlaster
Download and install Javacool's SpywareBlaster from here
SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.

Download and Install a HOSTS File
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.

Download BlueTack's HOSTS Manager here, using Internet Explorer (Firefox won't work):
http://www.bluetack.co.uk/forums/index.php?act=dscript&CODE=showdetails&f_id=5
A short distance down the page in the center, click on the Download button.
Agree to the license.
On the next page, to the right side of where it says Download Estimates, right click on the underlined word "Hosts Manager" choose "Save Target As" and download the installer Hosts20setup.exe to your desktop.
Double click the Installer on your desktop and let it Install the Hosts Manager

After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the other Hosts Switch icon from your desktop).
When the Hosts Manager comes up, click the small down arrows on the right side of the bar labeled "Options and Tools".
Click Disable DNS Service. This is important.
In the Left Pane, click Download.
It will load 80,000 lines or more. When it finishes, also in the left pane, click Replace, and then click Save.
You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.

If you have a separate third-party firewall or WinPatrol, you may have to give permissions at various times to unlock the present default HOSTS file and install the new one.

Install WinPatrol
Download it here
You can find information about how WinPatrol works here

Read some information here on how to prevent Malware.

Hopefully these steps will help keep your computer clean.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

If you wish to make a donation to keep the site running, click the link Here.

If there are any other questions, then feel free to ask, or in future do not hesitate to contact us here at The Malware Removal Forums.
jmw3
MRU Emeritus
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
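The HOSTS mechanism described in the post above (the resolver consults the file before DNS, so a listed name is "short-circuited" to the address on that line) is easy to see in code. The following is an added example, not part of the forum post and not BlueTack's Hosts Manager: a small parser that reads a HOSTS file the way the resolver does, answers the question "where would this hostname go?", and runs a defensive audit that flags any entry pointing somewhere other than the local machine, since a line like that silently sends a legitimate site elsewhere rather than blocking a bad one. The sample file, the `.test` hostnames and the `203.0.113.7` address are constructed for the example.

```python
"""Parse a Windows HOSTS file the way the resolver reads it, and audit it.

Added example (not from the forum post or from BlueTack): shows why a
HOSTS entry short-circuits a lookup, and flags entries that redirect
rather than block.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Addresses a blocklist-style HOSTS file is expected to use: the request
# ends up on the local machine (or nowhere) instead of at the listed site.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs in file order.

    Rules follow the resolver's reading of the file: '#' starts a comment,
    whitespace separates fields, one IP may be followed by several names,
    hostnames are case-insensitive, and malformed lines are ignored.
    """
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no hostname is ignored
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a valid IPv4/IPv6 address: line is ignored
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def resolve(hostname: str, entries: List[Tuple[str, str]]) -> Optional[str]:
    """First matching entry wins; None means 'fall through to real DNS'."""
    wanted = hostname.lower().rstrip(".")
    for ip, name in entries:
        if name == wanted:
            return ip
    return None


def audit(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by the non-local address they are sent to.

    A blocklist HOSTS file should only contain local sinks; anything else
    means the machine is quietly routed to a different server.
    """
    suspicious: Dict[str, List[str]] = {}
    for ip, name in entries:
        if ip not in LOCAL_SINKS:
            suspicious.setdefault(ip, []).append(name)
    return suspicious


# Constructed sample file (not a real HOSTS file): blocklist lines, a
# comment, one redirect-style entry and one malformed line.
SAMPLE_HOSTS = """\
# Lines starting with '#' are comments
127.0.0.1       localhost
127.0.0.1       ads.example-tracker.test   # blocked tracker (constructed)
0.0.0.0         Banner.Example-Ads.test
203.0.113.7     www.search-engine.test     # redirect, not a block (constructed)
not-an-ip       bogus.test
"""

if __name__ == "__main__":
    ents = parse_hosts(SAMPLE_HOSTS)
    print(resolve("ADS.example-tracker.test", ents))  # 127.0.0.1
    print(resolve("www.search-engine.test", ents))    # 203.0.113.7
    print(resolve("unknown.test", ents))              # None
    print(audit(ents))  # {'203.0.113.7': ['www.search-engine.test']}
```

Run it against the real file (`%SystemRoot%\system32\drivers\etc\hosts` on Windows) by reading that path into `parse_hosts`; a healthy blocklist-style HOSTS file should produce an empty `audit()` result.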

Re: Internet Explorer HiJack

Post by askey127 » September 8th, 2008, 10:06 am

RibOne, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
askey127
Admin/Teacher
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA