catcooper
asked on
Bogus internet search results=virus?
Whenever i enter a search into the top part of my home page (Yahoo), it returns bogus results...for instance if i search for "pumpkin pie recipes", instead of giving me cooking sites like emerils or paula deen, it'll give me shopping.com and/or about.com...sometimes it'll say "Libby's famous Pumpkin Pie" in the headline, but then the accompanying url directs you to "lowpriceshopper.com" or some bogus site......
I have run HiJackThis and have copied those results below...Can someone please tell me what to do next?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:26:05 PM, on 11/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\csrss.
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\system32\svchos
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\svchos
C:\WINDOWS\system32\svchos
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spools
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Hewlett-Packard\Shar
C:\WINDOWS\System32\alg.ex
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\w
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTra
C:\Program Files\Boingo\GoBoingo\GoBo
C:\WINDOWS\system32\ctfmon
C:\WINDOWS\system32\wuaucl
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Documents and Settings\Owner\Desktop\HiJ
C:\WINDOWS\system32\wbem\w
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTra
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GoBoingo] C:\Program Files\Boingo\GoBoingo\GoBo
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Ad
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D
O16 - DPF: {0CCA191D-13A6-4E29-B746-3
O16 - DPF: {215B8138-A3CF-44C5-803F-8
O16 - DPF: {6E32070A-766D-4EE6-879C-D
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SAS
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2ev
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shar
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 6063 bytes
I have run HiJackThis and have copied those results below...Can someone please tell me what to do next?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:26:05 PM, on 11/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\csrss.
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\system32\svchos
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\svchos
C:\WINDOWS\system32\svchos
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spools
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Hewlett-Packard\Shar
C:\WINDOWS\System32\alg.ex
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\w
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTra
C:\Program Files\Boingo\GoBoingo\GoBo
C:\WINDOWS\system32\ctfmon
C:\WINDOWS\system32\wuaucl
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Documents and Settings\Owner\Desktop\HiJ
C:\WINDOWS\system32\wbem\w
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTra
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GoBoingo] C:\Program Files\Boingo\GoBoingo\GoBo
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Ad
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D
O16 - DPF: {0CCA191D-13A6-4E29-B746-3
O16 - DPF: {215B8138-A3CF-44C5-803F-8
O16 - DPF: {6E32070A-766D-4EE6-879C-D
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SAS
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2ev
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shar
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 6063 bytes
ASKER
i went to the site and could not figure out how to enter my HiJackThis values...????
ASKER
thanks--i went there, pasted my HiJackThis log, followed their recommendations, restarted my computer and still have the same problem...
then did the same thing (ran HJT, parsed log, followed recs, restarted...same problem)
can you give me the link to Spybot R&D so i can scan for viruses? (if i search for it, i get bogus urls! ) :)
or what do you recommend i do now?
then did the same thing (ran HJT, parsed log, followed recs, restarted...same problem)
can you give me the link to Spybot R&D so i can scan for viruses? (if i search for it, i get bogus urls! ) :)
or what do you recommend i do now?
http://www.fpweb.net/support/webhosting/hostfile.editing.support.asp
Check out the above. When you get a hijacking frequently they will rewrite your host file so that when you look for legitimate sites it redirects you to another URL.
As far as Spybot goes:
http://www.spybot.com/en/download/
Check out the above. When you get a hijacking frequently they will rewrite your host file so that when you look for legitimate sites it redirects you to another URL.
As far as Spybot goes:
http://www.spybot.com/en/download/
ASKER
what values should i put into the (yourdomainname)????
123.123.123.123 yourdomainname.com
123.123.123.123 www.yourdomainname.com
The site talks about publishing a website.....????
123.123.123.123 yourdomainname.com
123.123.123.123 www.yourdomainname.com
The site talks about publishing a website.....????
Bad example.
Tell me if you can access this site: http://personal-computer-tutor.com/abc4/v36/mike36.htm
Tell me if you can access this site: http://personal-computer-tutor.com/abc4/v36/mike36.htm
ASKER
yes i can...again, not sure what to do here....but am hoping you'll direct me! :)
Copy the contents of your host file and post it here.
C:\Windows\System32\driver
C:\Windows\System32\driver
ASKER
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
Your next step is to run Spybot, that file looks ok.
http://www.spybot.com/en/download/
Can you download this file?
http://www.spybot.com/en/download/
Can you download this file?
ASKER
yep--downloading now
That should get you closer to home, when it runs through it will indicate you what viral funk it finds, after that it can be an arduous task to find individual removal tools. Last time I dealt with a browser hijack it took me about four or five hours to get all of the tools I needed and remove everything. I ran Spybot and then went and got the invidual removal tools.
I believe I ended up using Trend Micro cwshredder, spybot and HIjack this to get it all taken care of, those three things did it though.
I believe I ended up using Trend Micro cwshredder, spybot and HIjack this to get it all taken care of, those three things did it though.
ASKER
ok, well, please hang with me in case i have more ???
THANKS!
THANKS!
I will be here a couple of hours yet :)
ASKER
ok,
i ran Spybot and fixed the few misc things it found...then, for the heckof it, i ran cwshredder and it found nothing...i had already ran HJT, so i thought i was good to go...
went to browser, tried looking for my pumpkin pie recipe and still the same thing happens....
what now?
here's the URL i get when i type in "pumpkin pie recipe" in the search field...
http://search.yahoo.com/search?p=pumpkin+pie+recipe&fr=yfp-t-501&toggle=1&cop=mss&ei=UTF-8
if you type in the same thing, i imagine you get dirrent URLs to choose from?
i ran Spybot and fixed the few misc things it found...then, for the heckof it, i ran cwshredder and it found nothing...i had already ran HJT, so i thought i was good to go...
went to browser, tried looking for my pumpkin pie recipe and still the same thing happens....
what now?
here's the URL i get when i type in "pumpkin pie recipe" in the search field...
http://search.yahoo.com/search?p=pumpkin+pie+recipe&fr=yfp-t-501&toggle=1&cop=mss&ei=UTF-8
if you type in the same thing, i imagine you get dirrent URLs to choose from?
ASKER
dirrent=different!
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
i like your first solution although i'd rather just pitch this laptop from the top floor! :)
ok, am running SpyBot again now.--and, yes, i did update it first..i actually did a print screen last time and this is what it found.
i did not restart my computer before i tested out the search function again....maybe that was my problem?
screenshot.xls
ok, am running SpyBot again now.--and, yes, i did update it first..i actually did a print screen last time and this is what it found.
i did not restart my computer before i tested out the search function again....maybe that was my problem?
screenshot.xls
The links Biff posted are good resources. Run HJT this again and post the log. Lord knows what the issue might be at this point. Most of the time HJT and CWShredder fix it. Last time I had this issue Smitfraudfix did solve the issue, but then again it also showed up in Spybot.
I am having same problems. I search for simple things and get crazy results. Results like monstermarklace.com, ansearch.com, info.com. It shows these links under the actual google results and also uses those links when I click on the results. In other words, results text appear fine... but when I mouse over it shows these bogus sites and others. I have run smitfraud, superanti, and spybot so far. no success
ASKER
here's the HJT log
i have to run out for a bit but will try and check back in a few hrs
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:21 PM, on 11/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\csrss.
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\system32\svchos
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\svchos
C:\WINDOWS\system32\svchos
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spools
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Hewlett-Packard\Shar
C:\WINDOWS\System32\alg.ex
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\system32\wbem\w
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuaucl
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Symantec\LIVEU
C:\PROGRA~1\Symantec\LIVEU
C:\Documents and Settings\Owner\Desktop\HiJ
C:\WINDOWS\system32\wbem\w
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-2
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GoBoingo] C:\Program Files\Boingo\GoBoingo\GoBo
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Ad
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-5
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-5
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D
O16 - DPF: {0CCA191D-13A6-4E29-B746-3
O16 - DPF: {215B8138-A3CF-44C5-803F-8
O16 - DPF: {6E32070A-766D-4EE6-879C-D
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2ev
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shar
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 5628 bytes
i have to run out for a bit but will try and check back in a few hrs
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:21 PM, on 11/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\csrss.
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\system32\svchos
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\svchos
C:\WINDOWS\system32\svchos
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spools
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Hewlett-Packard\Shar
C:\WINDOWS\System32\alg.ex
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\system32\wbem\w
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuaucl
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Symantec\LIVEU
C:\PROGRA~1\Symantec\LIVEU
C:\Documents and Settings\Owner\Desktop\HiJ
C:\WINDOWS\system32\wbem\w
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-2
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GoBoingo] C:\Program Files\Boingo\GoBoingo\GoBo
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Ad
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-5
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-5
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D
O16 - DPF: {0CCA191D-13A6-4E29-B746-3
O16 - DPF: {215B8138-A3CF-44C5-803F-8
O16 - DPF: {6E32070A-766D-4EE6-879C-D
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2ev
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shar
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 5628 bytes
I see nothing in your log that would cause that. I will say again, Combofix is the most powerful utility out there to clean your system of the nastiest malware. Do it both in safe mode and in regular mode. Then run SAS and spybot to clean the traces. It WILL work.
ASKER
originalbiffmalibu: i went to bleepingcomputer.com but can't seem to find the combofix download.....
ASKER
shoot--well, it's late and i have to be up at 4am to head back home tomorrow...will be travellin most of the day but will get back to this tomorrow afternoon/evening as soon as i can
ASKER
oh, one more thing B4 i go for originalbiffmalibu....if you're still there and if you post any suggestions for me, pls send me a link to where you want me to go...the 2nd item on your list was Smitfraudfix and you had said to search Google...well, i did and found my recipe for pumpkin pie...HA! ok, seriously...that's my problem--i CAN'T search as it brings me back bogus stuff--hence this thread...
ok, that's it for now--thanks
ok, that's it for now--thanks
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
http://siri.geekstogo.com/SmitfraudFix.php
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Sorry, how stupid of me.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Sorry, how stupid of me.
ASKER
ok, guys...at the airport now and saw your posts...getting ready to board my flight but will try your respective fixes when i get home (long travel day ahead of me--west to east coast with 2 stops in between)...thanks all...be back in touch later
ASKER
ok, so my flight was late, blah, blah, blah....but i finally got to do some of your suggestions.
readydave: "run Internet Explorer without any addons"&tried that and the same thing showed&bogus stuff, so I guess it's not the add-ons.
originalbiffmalibu: Didn't get to run Combofix due to below
rpggamergirl: "Download Malware" & did that and after a LONG time (2 1/2 hours), and it showed 2 infections...Trojan.Agent and Rootkit.Agent. I "removed selected" ... restarted my computer, did my pumpking pie recipe search and YAY! I was successful. :)
Thanks to all for your help!
readydave: "run Internet Explorer without any addons"&tried that and the same thing showed&bogus stuff, so I guess it's not the add-ons.
originalbiffmalibu: Didn't get to run Combofix due to below
rpggamergirl: "Download Malware" & did that and after a LONG time (2 1/2 hours), and it showed 2 infections...Trojan.Agent and Rootkit.Agent. I "removed selected" ... restarted my computer, did my pumpking pie recipe search and YAY! I was successful. :)
Thanks to all for your help!
I had the same problem on a computer over the weekend and the program the finally fixed it for me was malwarebytes. Check it out at http://www.malwarebytes.org/
It saved the day!!!
It saved the day!!!
ASKER
Thanks for everyone who helped...matthewrhoades for sticking with me in the beginning and originalbiff/readydave/rpg
Glad to know it's been resolved.
Thanks for the points and the grade!
Happy computing and pumpkin pie cooking!
Now I feel hungry, :)
Thanks for the points and the grade!
Happy computing and pumpkin pie cooking!
Now I feel hungry, :)
That will parse the results for you. The behavior you are talking about is consistent with a browser hijacking. It is possible that your HOST file is compromised. Use the link above and follow HJTs recommendations. IF you are still experiencing issues try visiting http://www.trendmicro.com and using their virus scanner.
Spybot R & D is a fantastic free virus scanner you can download.