Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

search result window; redirect IE to Yahoo; svhost.exe 100%

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Unread postby shelleysimon » May 29th, 2008, 5:07 pm

Kaspersky report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 29, 2008 5:05:33 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 3 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/05/2008
Kaspersky Anti-Virus database records: 812777
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 85597
Number of viruses found: 4
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 01:59:44

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Support.com\profiles\Shelley Simon\triggers.log Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Shelley Simon\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Shelley Simon\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Shelley Simon\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Shelley Simon\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\212AFB7C-7D5D-412C-AAA7-E5E3D0\152A1AE8-43D2-47EE-8087-E0B9A0 Infected: Trojan.Win32.Qhost.el skipped
C:\Documents and Settings\Shelley Simon\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\CC3200D4-65FB-49D3-9B0E-A67450\F02820CC-433E-4BF8-9C31-D2C566 Infected: Trojan-Downloader.Win32.Zlob.ghz skipped
C:\Documents and Settings\Shelley Simon\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Shelley Simon\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Shelley Simon\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Shelley Simon\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Shelley Simon\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\qsacz.dll.vir Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\iupds.dll.vir Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP3\A0000112.dll Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP3\A0000113.dll Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP7\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\PCHEALTH\ErrorRep\UserDumps\STRTDB80.EXE.20050627-003811-00.hdmp Object is locked skipped
C:\WINDOWS\PCHEALTH\ErrorRep\UserDumps\STRTDB80.EXE.20050627-003811-00.mdmp Object is locked skipped
C:\WINDOWS\PCHEALTH\ErrorRep\UserDumps\STRTDB80.EXE.20050722-132229-00.hdmp Object is locked skipped
C:\WINDOWS\PCHEALTH\ErrorRep\UserDumps\STRTDB80.EXE.20050722-132229-00.mdmp Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\OSession.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\dmcwy.exe Infected: Trojan.Win32.Small.fb skipped
C:\WINDOWS\SYSTEM32\dmukd.exe Infected: Trojan.Win32.Small.fb skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Cookies\index.dat Object is locked skipped
C:\WINDOWS\Temp\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
shelleysimon
Regular Member
 
Posts: 53
Joined: May 16th, 2008, 12:42 pm
Advertisement
Register to Remove

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Unread postby shelleysimon » May 29th, 2008, 5:08 pm

Hijackthis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:44 PM, on 5/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSSvc.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\windows\system32\svchost.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSTray.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Panasonic\Palmcorder\CARD LINK (for USB)\regcnt09.exe
C:\windows\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = msproxy.ccs.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ccs.com;192.64.*;204.124.249.*;*.wbds.mcilink.com;reports.ccity.com;ccity.com;pac.ccity.com;myaccounts.ccity.com;*.circuitcity.net;166.86.*;172.*;10.*;wbds.mcilink.com;*.ccity.com;*.asteaqa.net;*.asteaprod.net;ccsra*;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;<local
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSTray.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=eddb2dc7-402b-4405-9893-80cd7ba8641c
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: CARD Monitor.lnk = C:\Program Files\Panasonic\Palmcorder\CARD LINK (for USB)\regcnt09.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\windows\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} (STCWeb Control) - https://ccsra1.circuitcity.com/CACHE/st ... stcweb.cab
O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/re ... NPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2052583281
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/ ... s-i586.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install ... stallX.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {D94B2F87-CE31-11D5-9F7A-0090F50400FE} (NP5Sample.docBookNP5) - file://D:\content\bwnp5s.CAB
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {F4BDA33C-7C59-11D5-9F7A-0090F50400FE} (Project1.checkfiles) - file://D:\checkfiles.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F7E3BB7B-9B9F-11D5-9F7A-0090F50400FE} (PlayIt7Student.PlayIt7d) - file://D:\np5intro\content\PlayIt7d.CAB
O22 - SharedTaskScheduler: Security Update - {A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: OracleAgent80 - oracle - C:\orant\agentbin\DBSNMP.EXE
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: OracleCMAdminService80 - Unknown owner - C:\orant\BIN\CMADM80.EXE
O23 - Service: OracleCManService80 - Unknown owner - C:\orant\BIN\CMGW80.EXE
O23 - Service: OracleDataGatherer - Unknown owner - C:\orant\bin\vppdc.exe
O23 - Service: OracleExtprocAgent - Unknown owner - C:\orant\BIN\EXTPROCT.EXE
O23 - Service: OracleNamesService80 - Unknown owner - C:\orant\BIN\NAMES80.EXE
O23 - Service: OracleServiceORC0 - Oracle Corporation - c:\orant\bin\oracle80.exe
O23 - Service: OracleServiceORCL - Oracle Corporation - c:\orant\bin\oracle80.exe
O23 - Service: OracleStartORC0 - Unknown owner - C:\orant\BIN\strtdb80.exe
O23 - Service: OracleStartORCL - Unknown owner - C:\orant\BIN\strtdb80.exe
O23 - Service: OracleTNSListener80 - Unknown owner - C:\orant\BIN\TNSLSNR80.EXE
O23 - Service: OracleWebAssistant - Oracle Corporation - C:\orant\bin\OWASTsvr.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSSvc.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe

--
End of file - 10180 bytes
shelleysimon
Regular Member
 
Posts: 53
Joined: May 16th, 2008, 12:42 pm

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Unread postby shelleysimon » May 29th, 2008, 5:13 pm

finally : as far as the IP addresses:
ccs.com and ccity.com (both associated with Circuit City)
204.124.249.*, which belongs to a company named NaBANCO
192.64.*, possibly local addresses for your network
and mcilink.com, which belongs to a company named MCI

Have those Proxy overrides been set by you or should they be removed?

-----------------------------------------------------------------------

I use the CISCO VPN to sign in to work (Circuit City) and used to use the client version but it stopped working on my PC. I now go to the internet to get connection. At that point, if my IE opens on my home desktop, it will go through the proxy server. I have no idea about the NaBanco or MCI links. If you think it would be OK, I can take them out and see if I have any IE problems.

Thanks for all your help. I will wait for your response.
shelleysimon
Regular Member
 
Posts: 53
Joined: May 16th, 2008, 12:42 pm

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Unread postby shelleysimon » May 29th, 2008, 7:18 pm

My counterspy ran again and quarantined the same 2 threats:
bifrost
trogan downloader win32 agent

So far, nothing has taken over my keyboard but sometimes it does sleep and then comes back with a vengence.

Will let you know if it takes over again. I shut down my computer at night since this happened.

My start menu doesn't seem to save my 'recent' run programs. Maybe it will once I reboot - no biggie !!
shelleysimon
Regular Member
 
Posts: 53
Joined: May 16th, 2008, 12:42 pm

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Unread postby shelleysimon » May 30th, 2008, 6:56 am

My start menu - recently run programs list is working now.

So far, so good - Counterspy has been updating it's definitions a lot lately. Will do another scan this morning.
shelleysimon
Regular Member
 
Posts: 53
Joined: May 16th, 2008, 12:42 pm

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Unread postby shelleysimon » May 30th, 2008, 7:40 am

It started up again -~ 7:30 EST
shelleysimon
Regular Member
 
Posts: 53
Joined: May 16th, 2008, 12:42 pm

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Unread postby Carolyn » May 30th, 2008, 9:42 am

shelleysimon wrote:It started up again -~ 7:30 EST


Sorry, but could you be more specific? What started up again?
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Unread postby shelleysimon » May 30th, 2008, 9:52 am

The search windows and the try to redirect to another web site. Not as much as before but did do it twice.
shelleysimon
Regular Member
 
Posts: 53
Joined: May 16th, 2008, 12:42 pm

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Unread postby Carolyn » May 30th, 2008, 11:56 am

Hello again,

Download roguescanfix_setup.

Doubleclick roguescanfix_setup to install it.

After the installation, you will be prompted if you would like to run roguescanfix now. Click "YES" to start the tool.

When you start roguescanfix.bat you'll see a menu:
1. Run Roguescanfix
2. Run sharedtasksrem

Choose option 1 by typing "1".

Note: This tool needs internet connection because it downloads an additional file to let the tool work properly.
If your firewall gives an alert, allow it instead of blocking it.
In case you still get the message BFU.exe is not present, download BFU.zip from here.
Unzip it and place BFU.exe in the c:\program files\roguescanfix-folder. Then doubleclick Roguescanfix.bat again.


The tool will uninstall some programs and delete related files and registry keys.
When some files won't get deleted, it will ask you to reboot your system to delete the files after reboot.
Please make sure the uninstall of the programs are finished before you click Yes to reboot.

A text file will open. Place the contents of that file in your next reply.
(The textfile can also be found at c:\program files\roguescanfix\task.txt)


Next,
Download and Run FixWareout
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com/lo ... areout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Now lets check some settings on your system.
(2000/XP) Only
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable on some systems
Next Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)


Please post
  • The Roguescanfix log
  • The FixWareout report
  • A fresh HijackThis log
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Unread postby shelleysimon » May 30th, 2008, 12:36 pm

Roguescanfix log

Export SharedTaskScheduler key
------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
shelleysimon
Regular Member
 
Posts: 53
Joined: May 16th, 2008, 12:42 pm

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Unread postby shelleysimon » May 30th, 2008, 12:49 pm

The FixWareout Report

Username "Shelley Simon" - 05/30/2008 12:42:00 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "jsosc" Value deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "mbusc" Value deleted
HKCR\CLSID\{5D6FFCE6-962E-4D92-9697-C02DAD6F477A}\_h\4 Deleted.
HKCR\CLSID\{72D4E34E-362B-4B6A-BCD4-D48C50F08601}\_h\4 Deleted.
C:\windows\System32\dmcwy.exe Deleted
C:\windows\System32\dmukd.exe Deleted
....
~~~~~ Misc files.
C:\Documents and Settings\Shelley Simon\Application Data\uns.tmp Deleted
C:\windows\Help\SPAlert.chm Deleted
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"tgcmd"="C:\\Program Files\\Support.com\\bin\\tgcmd.exe /server /startmonitor /deaf"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"SBCSTray"="C:\\Program Files\\Sunbelt Software\\CounterSpy\\Consumer\\SBCSTray.exe"
"S3TRAY2"="S3tray2.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\windows\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\Comcast\\COMCAS~1\\data\\Xtras\\mssysmgr.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
shelleysimon
Regular Member
 
Posts: 53
Joined: May 16th, 2008, 12:42 pm

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Unread postby shelleysimon » May 30th, 2008, 12:54 pm

Here is the hijackthis log. As always, thank you so much for your help. Let me know if I did anything incorrectly (My dns settings were already set as described - i did the ipconfig flush)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:30 PM, on 5/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSSvc.exe
C:\windows\system32\svchost.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSTray.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Panasonic\Palmcorder\CARD LINK (for USB)\regcnt09.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = msproxy.ccs.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ccs.com;192.64.*;204.124.249.*;*.wbds.mcilink.com;reports.ccity.com;ccity.com;pac.ccity.com;myaccounts.ccity.com;*.circuitcity.net;166.86.*;172.*;10.*;wbds.mcilink.com;*.ccity.com;*.asteaqa.net;*.asteaprod.net;ccsra*;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;<local
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSTray.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=eddb2dc7-402b-4405-9893-80cd7ba8641c
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: CARD Monitor.lnk = C:\Program Files\Panasonic\Palmcorder\CARD LINK (for USB)\regcnt09.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\windows\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} (STCWeb Control) - https://ccsra1.circuitcity.com/CACHE/st ... stcweb.cab
O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/re ... NPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2052583281
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/ ... s-i586.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install ... stallX.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {D94B2F87-CE31-11D5-9F7A-0090F50400FE} (NP5Sample.docBookNP5) - file://D:\content\bwnp5s.CAB
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {F4BDA33C-7C59-11D5-9F7A-0090F50400FE} (Project1.checkfiles) - file://D:\checkfiles.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F7E3BB7B-9B9F-11D5-9F7A-0090F50400FE} (PlayIt7Student.PlayIt7d) - file://D:\np5intro\content\PlayIt7d.CAB
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: OracleDataGatherer - Unknown owner - C:\orant\bin\vppdc.exe
O23 - Service: OracleExtprocAgent - Unknown owner - C:\orant\BIN\EXTPROCT.EXE
O23 - Service: OracleNamesService80 - Unknown owner - C:\orant\BIN\NAMES80.EXE
O23 - Service: OracleServiceORC0 - Oracle Corporation - c:\orant\bin\oracle80.exe
O23 - Service: OracleServiceORCL - Oracle Corporation - c:\orant\bin\oracle80.exe
O23 - Service: OracleStartORC0 - Unknown owner - C:\orant\BIN\strtdb80.exe
O23 - Service: OracleStartORCL - Unknown owner - C:\orant\BIN\strtdb80.exe
O23 - Service: OracleTNSListener80 - Unknown owner - C:\orant\BIN\TNSLSNR80.EXE
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSSvc.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe

--
End of file - 9220 bytes
shelleysimon
Regular Member
 
Posts: 53
Joined: May 16th, 2008, 12:42 pm

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Unread postby Carolyn » May 30th, 2008, 3:00 pm

Hello again,

Please disable Counterspy real-time protection for this next step. It may interfere with HijackThis.


Remove bad HijackThis entries
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):


    O16 - DPF: {D94B2F87-CE31-11D5-9F7A-0090F50400FE} (NP5Sample.docBookNP5) - file://D:\content\bwnp5s.CAB


    O16 - DPF: {F4BDA33C-7C59-11D5-9F7A-0090F50400FE} (Project1.checkfiles) - file://D:\checkfiles.CAB


    O16 - DPF: {F7E3BB7B-9B9F-11D5-9F7A-0090F50400FE} (PlayIt7Student.PlayIt7d) - file://D:\np5intro\content\PlayIt7d.CAB


  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.


Run Kaspersky Online AV Scanner
Using Internet Explorer Go to http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Unread postby shelleysimon » May 30th, 2008, 6:40 pm

I ran hijackThis and clicked on fix checked foooooooooooooooooooooooooooooooooooooooooooooooo ; that is what happens - my keyboard is taken over. Here is the Kaspersky Report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, May 30, 2008 6:37:18 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 3 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/05/2008
Kaspersky Anti-Virus database records: 815162
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 85398
Number of viruses found: 4
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 02:19:03

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Support.com\profiles\Shelley Simon\triggers.log Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Shelley Simon\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Shelley Simon\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Shelley Simon\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Shelley Simon\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Shelley Simon\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\212AFB7C-7D5D-412C-AAA7-E5E3D0\152A1AE8-43D2-47EE-8087-E0B9A0 Infected: Trojan.Win32.Qhost.el skipped
C:\Documents and Settings\Shelley Simon\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\CC3200D4-65FB-49D3-9B0E-A67450\F02820CC-433E-4BF8-9C31-D2C566 Infected: Trojan-Downloader.Win32.Zlob.ghz skipped
C:\Documents and Settings\Shelley Simon\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Shelley Simon\Local Settings\History\History.IE5\MSHist012008053020080531\index.dat Object is locked skipped
C:\Documents and Settings\Shelley Simon\Local Settings\Temp\~DF447C.tmp Object is locked skipped
C:\Documents and Settings\Shelley Simon\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Shelley Simon\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Shelley Simon\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Shelley Simon\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\qsacz.dll.vir Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\iupds.dll.vir Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP10\A0001830.exe Infected: Trojan.Win32.Small.fb skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP10\A0001831.exe Infected: Trojan.Win32.Small.fb skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP11\change.log Object is locked skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP3\A0000112.dll Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP3\A0000113.dll Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\PCHEALTH\ErrorRep\UserDumps\STRTDB80.EXE.20050627-003811-00.hdmp Object is locked skipped
C:\WINDOWS\PCHEALTH\ErrorRep\UserDumps\STRTDB80.EXE.20050627-003811-00.mdmp Object is locked skipped
C:\WINDOWS\PCHEALTH\ErrorRep\UserDumps\STRTDB80.EXE.20050722-132229-00.hdmp Object is locked skipped
C:\WINDOWS\PCHEALTH\ErrorRep\UserDumps\STRTDB80.EXE.20050722-132229-00.mdmp Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{741062A6-0E24-4198-A455-D4CE78E60B3A}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\OSession.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Cookies\index.dat Object is locked skipped
C:\WINDOWS\Temp\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
shelleysimon
Regular Member
 
Posts: 53
Joined: May 16th, 2008, 12:42 pm

Re: search result window; redirect IE to Yahoo; svhost.exe 100%

Unread postby shelleysimon » May 30th, 2008, 6:42 pm

Here is hijackthis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:41:31 PM, on 5/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSSvc.exe
C:\windows\system32\svchost.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Panasonic\Palmcorder\CARD LINK (for USB)\regcnt09.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\Counterspy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\TextPad 5\TextPad.exe
C:\windows\system32\taskmgr.exe
C:\windows\system32\wuauclt.exe
C:\windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = msproxy.ccs.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ccs.com;192.64.*;204.124.249.*;*.wbds.mcilink.com;reports.ccity.com;ccity.com;pac.ccity.com;myaccounts.ccity.com;*.circuitcity.net;166.86.*;172.*;10.*;wbds.mcilink.com;*.ccity.com;*.asteaqa.net;*.asteaprod.net;ccsra*;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;<local
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSTray.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=eddb2dc7-402b-4405-9893-80cd7ba8641c
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: CARD Monitor.lnk = C:\Program Files\Panasonic\Palmcorder\CARD LINK (for USB)\regcnt09.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\windows\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} (STCWeb Control) - https://ccsra1.circuitcity.com/CACHE/st ... stcweb.cab
O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/re ... NPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2052583281
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/ ... s-i586.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install ... stallX.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: OracleDataGatherer - Unknown owner - C:\orant\bin\vppdc.exe
O23 - Service: OracleExtprocAgent - Unknown owner - C:\orant\BIN\EXTPROCT.EXE
O23 - Service: OracleNamesService80 - Unknown owner - C:\orant\BIN\NAMES80.EXE
O23 - Service: OracleServiceORC0 - Oracle Corporation - c:\orant\bin\oracle80.exe
O23 - Service: OracleServiceORCL - Oracle Corporation - c:\orant\bin\oracle80.exe
O23 - Service: OracleStartORC0 - Unknown owner - C:\orant\BIN\strtdb80.exe
O23 - Service: OracleStartORCL - Unknown owner - C:\orant\BIN\strtdb80.exe
O23 - Service: OracleTNSListener80 - Unknown owner - C:\orant\BIN\TNSLSNR80.EXE
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSSvc.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe

--
End of file - 9036 bytes
shelleysimon
Regular Member
 
Posts: 53
Joined: May 16th, 2008, 12:42 pm
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 495 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware