CastleCops® Did all steps, have Yahoo adware still in there

Need help? Click here to register for free! Absolutely zero advertisements on this site!

**$9736.22 of $21422.68**

Help CastleCops serve the community on new servers, Donate Here to reach our goal.

	Donation/Premium

	Donations. Become Premium Today!

	Security Central

	· Home · PIRT/Fried Phish · MIRT · SIRT · Deutsch · Wiki · Newsletter · O16/ActiveX · CLSID List · Contest2007 · Downloads · Feedback (send) · Forums · HijackThis · Hijacktrend · LSPs · My Downloads · O18 · O20 · O21 · O22 · O23 · O9 · Premium · Private Messages · Proxomitron · Reviews · Search · StartupList · Stories Archive · Submit News · WsIRT · Your Account · Acceptable Use Policy

Survey

Forum FAQ

Usergroups

Profile

Select FavForums

[FIXED]Did all steps, have Yahoo adware still in there

All -> FavForums -> Trend Micro HijackThis Logs

[del.icio.us!] [digg it!] [reddit!]

View previous topic :: View next topic

Author

Message

deg007

Cadet
Cadet

Joined: Jul 01, 2008
Posts: 9
Location: USA

Posted: Tue Jul 01, 2008 9:25 pm Post subject: Did all steps, have Yahoo adware still in there

I used my computer's recovery discs, basically removing all virus-related items but one, apparently. I had Yahoo as main page. When I do a Yahoo search, all results are to re-direct me to ad sites or bad anti-virus purchases. It also stuck a (fake?) Google toolbar in there! When I switched from Yahoo search engine to Google search, no problem. So, I followed all steps required. I made a log, did the program removal task (nothing obvious there), did Ad-aware (which caught stuff and removed), did SpyBot (which caught stuff and removed), did AVG (which caught stuff and removed). Went from Google to Yahoo, did a search, and same exact re-direct issue. None of the anti-virus programs (Ad-aware, SpyBot and AVG) can permanently remove whatever is there. Here is my first log, followed below by my post-scanning log (thanks for your help; I am new here and hope I did everything right! Oh yeah, I see Java is in last log. I DID run Java from a safe site called www.runescape.com): Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:48:04 AM, on 7/1/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\HP\QuickPlay\QPService.exe C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Microsoft Works\WksWP.exe C:\Program Files\Microsoft Works\WkDStore.exe C:\Program Files\Microsoft Works\wkgdcach.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=laptop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe" O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility.\Gear511.exe -hide O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: Netgear Wireless Domain Login Service (NWDLS) - Unknown owner - C:\WINDOWS\system32\NWDLS.exe (file missing) -- End of file - 4668 bytes Here is my post-scan log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2:03:06 PM, on 7/1/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\HP\QuickPlay\QPService.exe C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Microsoft Works\WksWP.exe C:\Program Files\Microsoft Works\WkDStore.exe C:\Program Files\Microsoft Works\wkgdcach.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\Program Files\AVG\AVG8\avgtray.exe C:\PROGRA~1\AVG\AVG8\avgscanx.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=laptop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe" O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility.\Gear511.exe -hide O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: avgrsstx.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: Netgear Wireless Domain Login Service (NWDLS) - Unknown owner - C:\WINDOWS\system32\NWDLS.exe (file missing) -- End of file - 6205 bytes

Prince_Serendip

Site Moderator

Joined: Sep 07, 2002
Posts: 17403

Posted: Wed Jul 02, 2008 4:18 am Post subject:

You're Ready for cleaning. At CastleCops we screen all HijackThis logs for errors, out-of-date versions, unupdated operating systems, omissions and P2P applications; getting you [READY] for cleaning by our 1st Responders and Security Experts. Now you wait for one of them to come help you. _________________ Microsoft MVP Consumer Security 2006, 2007 & 2008

deg007

Cadet
Cadet

Joined: Jul 01, 2008
Posts: 9
Location: USA

Posted: Sun Jul 06, 2008 6:35 pm Post subject:

I read in another part of this site that if a few days have gone by with no help to consider bumping. Since it's been five days... Bump. Thank you.

deg007

Cadet
Cadet

Joined: Jul 01, 2008
Posts: 9
Location: USA

Posted: Mon Jul 14, 2008 5:03 am Post subject:

Bump

deg007

Cadet
Cadet

Joined: Jul 01, 2008
Posts: 9
Location: USA

Posted: Tue Jul 22, 2008 4:56 pm Post subject:

Hi. Three weeks and no help. I completely understand this volunteer service is busy. I completely understand DDOS has caused problems. I am grateful for any future help I may receive. Wouldn't it be helpful to put on a main page somewhere that posters may not get help for anywhere from 3 to 6 weeks? Something like that... It would lower expectations, and posters may end up going somewhere else, thus eliminating some backlog. Just a thought. Thank you. BUMP

deg007

Cadet
Cadet

Joined: Jul 01, 2008
Posts: 9
Location: USA

Posted: Mon Aug 04, 2008 4:37 pm Post subject:

One month, and no help... Bump...

MauriceN

1st Responder
Premium Member

Joined: May 20, 2006
Posts: 990

Posted: Sun Aug 17, 2008 2:10 pm Post subject:

1. Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}

For Technical Support, double-click the e-mail address located at the bottom of each menu.
=
3. Important! => Open Notepad > Click on Format > Uncheck Word wrap, if checked. Exit Notepad.

Check up on Spybot & see if Tea Timer is active. If so, de-activate it.
Turn off Tea Timer as it will interfere with the cleanup tools/tools procedures. Do that a.s.a.p.
See HOW TO disable Spybot Tea Timer at http://aumha.net/viewtopic.php?t=32409
>
4. You have an old version of Java runtime.

Uninstall jre1.6 (or any earlier) + any other (JRE Runtime Environment ) Sun Java package via Add/Remove Programs.
If you see any other Java versions there,
such as
J2SE Runtime Environment 5.0
Java SE Runtime Environment
Java 6

uninstall all of them, too. After uninstalling, reboot if directed to do so.

In Windows Explorer, navigate to and delete C:\Program Files\Java <=this folder, if found.

JavaVM <=this folder

Open an IE window and go to http://java.sun.com/javase/downloads/index.jsp

In the middle of the page, click on the Download button to the right of Java Runtime Environment (JRE) 6
If Information Bar pop-ups up, right-click on it and say it's OK to display the blocked content;

You do not have to install the Java Web Start ActiveX Control
Accept the license agreement
Click on Windows Offline Installation, Multi-language and Save the file to your desktop;
do not Run it.

When the download is complete, close all browser windows and double-click on the saved file to install the update.

Tip: Choose Custom install to select only the part(s) you need/want.

Delete the downloaded installation file after completing the above procedure and reboot if prompted to do so.

If you were /not/ prompted to reboot, please do so now.
=
5. Please download & save Malwarebytes Anti-Malware from
http://www.besttechie.net/tools/mbam-setup.exe or
http://malwarebytes.gt500.org/mbam.jsp

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform Quick Scan, then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in a new reply as soon as it has finished.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.
>
6. Download Deckard's System Scanner: http://www.techsupportforum.com/sectools/Deckard/dss.exe
Close all applications and windows.

Double-click on dss.exe to run the application; follow the prompts.

When the scan is completed, a text file named Main.txt will open. Please save this file, then close Notepad.

The folder C:\Deckard also will open. This folder will contain another text file named Extra.txt. Please save this file to your desktop, too, then exit Notepad.
Note: Your firewall may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

I'll also need the MBAM report, and the contents of Main.txt and Extra.txt (from above).
Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You'll likely have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

_________________
~Maurice Naggar
MS-MVP

MauriceN

1st Responder
Premium Member

Joined: May 20, 2006
Posts: 990

Posted: Thu Aug 21, 2008 4:43 pm Post subject:

Hello, Kindly advise if you have had a chance to read my reply and to start action on it. For the time being, make sure to skip the Deckard download and the Deckard report (step 6). That utility has been suspended. Aplogies on behalf of the forum for the delays in replies to you. The forum experienced much slowness in the past few weeks, but now is responding normally. _________________ ~Maurice Naggar MS-MVP

deg007

Cadet
Cadet

Joined: Jul 01, 2008
Posts: 9
Location: USA

Posted: Tue Aug 26, 2008 5:36 pm Post subject:

Maurice, thank you. After doing all steps EXCEPT 6, it appears that whatever was ailing Yahoo isn't there any longer. Are there other things I need to do? It's strange for a couple reasons. First, I have had to switch to Google instead of Yahoo for my searches because I kept getting redirected to apparent malware-influenced sites. But I haven't been using Yahoo or doing any anti-virus things since switching to Google while I waited for CastleCops to catch up. So I'm surprised if it was that easy and my computer is no longer infected. Second, the only "malware" that showed up on the scan was HiJackThis on a start menu , lol. So regardless of your instructions, I did NOT tell it to disinfect it. =) I have now done a variety of searches on Yahoo with no more pop-ups or re-directs. Following is the report you requested which shows no infections. Thank you again-- Darrell. Malwarebytes' Anti-Malware 1.25 Database version: 1088 Windows 5.1.2600 Service Pack 2 10:18:24 AM 8/26/2008 mbam-log-08-26-2008 (10-18-24).txt Scan type: Quick Scan Objects scanned: 38821 Time elapsed: 2 minute(s), 52 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Not selected for removal. Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)

MauriceN

1st Responder
Premium Member

Joined: May 20, 2006
Posts: 990

Posted: Tue Aug 26, 2008 6:30 pm Post subject:

Hi Darrell, I'm glad it is looking better. However, let's have you rerun MBAM after getting it updated. Start MBAM. Click the Update tab. Click check for updates. Next, click the Scan tab. Select do a FULL scan. and allow it to scan. This time, if it presents any items for action, at least select Quarantine, unless you wish to select Delete. We need flagged items out of the way. After that is done: Scan the system with the Kaspersky Online Scanner http://www.kaspersky.com/virusscanner Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Reenable it after the scan is finished. During this run, make sure your browser does not block popup windows. Have patience while some screens populate. 1) Click the Kapersky Online Scanner button. You'll see a popup window. 2) Accept the agreement 3) Accept the installation of the required ActiveX object ( XP SP2-SP3 will show this in the Information Bar ) 4) For XP SP2-SP3, click the Install button when prompted 5) The necessary files will be downloaded and installed. Please have plenty of patience. 6) After Kaspersky AntiVirus Database is updated, look at the Scan box. 7) Click the My Computer line 8 ) Be infinetely patient, the scan is comprehensive and, unlike other online antivirus scanners, will detect all malwares 9) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply. Re-enable your antivirus program. Kapersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired. Run a new HijackThis Scan & Save. Post back with copies of the new MBAM log, the new HJT report, and the Kaspersky.txt report. How is your system now Kaspersky is a report only and does not remove files. _________________ ~Maurice Naggar MS-MVP

deg007

Cadet
Cadet

Joined: Jul 01, 2008
Posts: 9
Location: USA

Posted: Wed Aug 27, 2008 12:03 am Post subject:

Hi Maurice, I did all of the above. Again, the only item found by MBAM was HijackThis. I did the Kaspersky; NOT A SINGLE ITEM-- woot! I am also sending you the HijackThis log. Are we done, since Yahoo continues to search correctly? =) KASPERSKY ONLINE SCANNER 7 REPORT Tuesday, August 26, 2008 Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Tuesday, August 26, 2008 23:45:24 Records in database: 1149544 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: yes Scan area - My Computer: C:\ D:\ E:\ Scan statistics: Files scanned: 63041 Threat name: 0 Infected objects: 0 Suspicious objects: 0 Duration of the scan: 01:17:20 No malware has been detected. The scan area is clean. The selected area was scanned. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:59:23 PM, on 8/26/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\brss01a.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\HP\QuickPlay\QPService.exe C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Program Files\Messenger\msmsgs.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=laptop R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe" O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility.\Gear511.exe -hide O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: avgrsstx.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: Netgear Wireless Domain Login Service (NWDLS) - Unknown owner - C:\WINDOWS\system32\NWDLS.exe (file missing) -- End of file - 5917 bytes

MauriceN

1st Responder
Premium Member

Joined: May 20, 2006
Posts: 990

Posted: Wed Aug 27, 2008 12:38 am Post subject:

Hi Darrell -- woot Laughing woot Thumbs Up

Note that Malwarebytes' Anti Malware {MBAM} (link given way earlier) is a very handy program, and you may keep it and use it as part of your anti-malware tools. I would strongly urge you to use it on a regular basis.

Your last HJT log looks fine. I see that you are clear of your original issues.
If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

Please download OTMoveIt2 by OldTimer: http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
1. Save it to your desktop.
2. Please double-click OTMoveIt.exe to run it.
3. Click on the CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so. After the list has been download you'll be asked if you want to Begin cleanup process? Select Yes.
4. This step removes the files, folders, and shortcuts created by the tools I had you download and run.

Run ATF Cleaner, and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish.

Please do the steps on Bert Kinney's website to clear out & reset System Restore
http://bertk.mvps.org/html/diskclean.html

Use Control Panel's Add-or-Remove Programs to de-install Kaspersky Online scan. That will free up much HD space.
Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.
Check in at Windows Update and install any Critical Updates offered.
Download and Install Windows Defender by Microsoft (free) if you do not already have it:
http://www.microsoft.com/downloads/details.aspx?FamilyId=435BFCE7-DA2B-4A6A-AFA4-F7F14E605A0D
Make certain that Automatic Updates is enabled.
Download and install Comodo BOClean (free): http://www.comodo.com/boclean/CBO_download.html
Download, install, and keep updated Spyware Blaster (free): http://www.javacoolsoftware.com/spywareblaster.html (all Protections should be enabled at all times)
I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm
See the FAQ page http://mvps.org/winhelp2002/hostsfaq.htm
That would help to keep your browser away from known spyware/malware sites.
Make regular backups of your system to removable media: DVD, USB external hard drive, etc.

On some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done:
Kaspersky Webscan Online Virus Scanner

ESET Online Scanner

Panda ActiveScan

Trend Micro Housecall

F-Secure Online Scanner
Read Tony Klein's article How Did I Get Infected In The First Place
Never, ever download free games, free tools, smileys, or anything free unless you can be absolutely sure the source is safe !

Finally, spend some time reading about how to keep your computer safe on the Internet: http://www.bleepingcomputer.com/tutorials/tutorial82.html

We are finished Cool

_________________
~Maurice Naggar
MS-MVP

	All -> FavForums -> Trend Micro HijackThis Logs	All times are GMT
Page 1 of 1

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


	2002-2008 � Computer Cops LLC dba CastleCops®. All rights reserved. Acceptable Use Policy. Use signifies your agreement. 120ppm 0.629s (0.265s) Making cybercriminals unhappy since 2002*