
HJT Log with several Spyware/Antivirus issues


yemburt

Technical User
Jan 16, 2005
19
Not sure what I got but I can't seem to fix this one. My computer keeps redirecting me to random sites and has blocked most anti-spyware sites and forums. I can't download any new programs and my computer is running insanely slow. After running spybot s&d I found FakeAlert.cc, Smitfraud-C, Microsoft.Windows.System, and a few others. After deleting them, the problem still hasn't gone away. AND it won't allow me to update my definitions in Spybot.

Any help would be greatly appreciated.


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:18:23 PM, on 8/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [PxDotNetLoader] "C:\Program Files\Fidelity Investments\Fidelity Active Trader\System\ATPStartupAssistant.exe"
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) -
O16 - DPF: {944713E8-1F29-42D9-ABD5-557728B9AC97} (PtClickLoanWF Control) -
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) -
O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) -
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) -
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 6453 bytes
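A log like the one above can be triaged mechanically before anyone reads it line by line. The script below is an added example in Python; it is not part of this post and not HijackThis code. It parses HJT lines into section, raw text and referenced path, separates orphaned "(no file)" references (the kind HJT can simply delete) from live entries, and flags processes and autoruns loaded from user-writable locations such as Desktop, Temp or Application Data. The sample input mixes lines copied from the log above with two constructed lines (marked in the comments) so the location heuristic has something to report; the trusted-directory list and the "untrusted location" rule are this example's own assumptions, not an HJT feature.

```python
"""Triage a HijackThis log: report orphaned '(no file)' entries and anything
loaded from outside the usual system/program directories.

Added example, not HijackThis code.  TRUSTED_ROOTS and the location heuristic
are assumptions for illustration; the sample log mixes lines from the posted
log with two constructed lines (see comments)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input.  All lines are from the log above except the two marked CONSTRUCTED.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe
C:\Documents and Settings\Owner\Local Settings\Temp\svchost.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\Owner\Application Data\updater.exe
O24 - Desktop Component 0: (no name) - (no file)
"""
# CONSTRUCTED lines above: the Temp\svchost.exe process and the [Updater] autorun.

# Directories legitimate autoruns normally live under (assumption for this example).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Entry:
    section: str            # "O2", "O4", "O24", ... or "PROC" for a running process
    text: str               # the raw log line
    path: Optional[str]     # executable/DLL path the line refers to, if any


def extract_path(text: str) -> Optional[str]:
    """Return the Windows path an HJT line points at, or None for '(no file)' / no path."""
    if text.rstrip().endswith("(no file)"):
        return None
    m = re.search(r'"?([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|ocx|sys|cpl))"?\s*$',
                  text, re.IGNORECASE)
    return m.group(1) if m else None


def parse_log(log: str) -> List[Entry]:
    """Split an HJT log into Entry records: the process list plus every R/F/N/O line."""
    entries, in_procs = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            entries.append(Entry("PROC", line, line))
            continue
        m = re.match(r"^([RFNO]\d+) - (.*)$", line)
        if m:
            entries.append(Entry(m.group(1), line, extract_path(line)))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (finding, line) pairs: 'orphan' for dangling references that HJT can
    delete outright, 'untrusted-location' for code loaded from a user-writable path."""
    findings = []
    for e in entries:
        if e.section != "PROC" and e.path is None and e.text.rstrip().endswith("(no file)"):
            findings.append(("orphan", e.text))
        elif e.path and not e.path.lower().startswith(TRUSTED_ROOTS):
            findings.append(("untrusted-location", e.text))
    return findings


if __name__ == "__main__":
    for kind, line in triage(parse_log(SAMPLE_LOG)):
        print(f"[{kind}] {line}")
```

HijackThis itself shows up as an "untrusted-location" hit because it is run from the Desktop; the heuristic is a prompt for a human to look, not a verdict, which is also why the three "(no file)" orphans are reported separately: they are safe to remove but, as the rest of this thread shows, they are residue of an infection rather than the infection itself.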
 
needs fixing:

O24 - Desktop Component 0: (no name) - (no file)

Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page")

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
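The Web tab Ben describes is a front end for registry data, and reading that data directly is useful when the dialog and HijackThis disagree. The script below is an added example in Python, not a Tek-Tips or HijackThis script. It assumes (verify on your own machine) that HJT's O24 entries mirror the numbered subkeys of HKCU\Software\Microsoft\Internet Explorer\Desktop\Components, each carrying string values Source (a file path or URL) and FriendlyName. The classification rule (remove components whose Source is empty or names a file that no longer exists, which is what HJT prints as "(no file)"; leave everything else for a human to review) and the sample component data are this example's own constructions.

```python
"""Enumerate Active Desktop web components and classify them.

Added example, not HijackThis or Tek-Tips code.  Assumptions: O24 entries come
from HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\<n> with string
values Source and FriendlyName.  The SAMPLE data is constructed."""
import os
import sys
from typing import Callable, Dict, List, Tuple

COMPONENTS_KEY = r"Software\Microsoft\Internet Explorer\Desktop\Components"


def classify(components: Dict[str, Dict[str, str]],
             exists: Callable[[str], bool] = os.path.exists) -> List[Tuple[str, str, str]]:
    """Return (subkey, verdict, reason) per component.
    'remove'  - Source is empty or points at a local file that is gone (HJT '(no file)').
    'review'  - Source is a URL or an existing local file; decide by hand."""
    report = []
    for name, values in components.items():
        src = (values.get("Source") or "").strip()
        friendly = values.get("FriendlyName") or "(no name)"
        if not src:
            report.append((name, "remove", f"{friendly}: empty Source"))
        elif "://" in src:
            report.append((name, "review", f"{friendly}: web source {src}"))
        elif not exists(src):
            report.append((name, "remove", f"{friendly}: missing file {src}"))
        else:
            report.append((name, "review", f"{friendly}: local file {src}"))
    return report


def read_components() -> Dict[str, Dict[str, str]]:
    """Live read of HKCU on Windows; returns {} on other platforms so the module still loads."""
    if sys.platform != "win32":
        return {}
    import winreg
    out: Dict[str, Dict[str, str]] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, COMPONENTS_KEY) as root:
        index = 0
        while True:
            try:
                sub = winreg.EnumKey(root, index)
            except OSError:          # no more subkeys
                break
            index += 1
            if not sub.isdigit():    # only the numbered component subkeys matter here
                continue
            with winreg.OpenKey(root, sub) as key:
                values = {}
                for vname in ("Source", "FriendlyName", "SubscribedURL"):
                    try:
                        values[vname] = winreg.QueryValueEx(key, vname)[0]
                    except OSError:  # value absent on this component
                        pass
                out[sub] = values
    return out


# Constructed sample: component 0 mirrors the log's
# 'O24 - Desktop Component 0: (no name) - (no file)' once its file is gone.
SAMPLE = {
    "0": {"Source": r"C:\WINDOWS\Web\desktop.htt", "FriendlyName": ""},
    "1": {"Source": "http://example.invalid/ticker.html", "FriendlyName": "Ticker"},
}

if __name__ == "__main__":
    comps = read_components() or SAMPLE
    for sub, verdict, reason in classify(comps):
        print(f"Component {sub}: {verdict} ({reason})")
```

The decision logic takes the existence check as a parameter so it can be exercised offline; on the affected machine, run it from Safe Mode as the user whose profile is infected, since the key is per-user (HKCU). Deleting the numbered subkey is the registry equivalent of the "delete" button on the Web tab.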
 
Thanks.

Whenever I try to delete the O24 - Desktop Component with HiJack This it keeps coming right back. I can't delete it.

I've run the following in safe mode:

Spybot
A squared
CCleaner
AVG

And it still doesn't get rid of the problem. It seems like I have the google redirector / Antivirus 2009. The problem is that it blocks most websites that offer help and I can't really download any new programs that may offer help. This is incredibly frustrating.

Anyone have any ideas that I may have missed?

 
Whenever I try to delete the O24 - Desktop Component with HiJack This it keeps coming right back. I can't delete it.
don't use HJT... follow the fix I gave above...

also check for ROOTKITS (F-Secure BlackLight is a good prog for this) and use SuperAntiSpyware as well...

also forgot to mention, update that JAVA, yours is way out of date and poses a security risk...


Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 
Thanks again...When I went into the web tab, there was nothing in that box to check not even the "my current home page". It was completely blank.

I tried downloading SuperAntiSpyware from Downloads.com b/c it blocks the Superantispyware website directly. It took like 20 tries to download the full file but I finally got it.

I installed SAS and even changed the name as someone else recommended and updated definitions, ran it in safe mode, and all it found were some tracking cookies.

I deleted the cookies, rebooted again into safe mode, and ran:

Spybot
CCleaner
AVG 8
SAS

Rebooted, and the problem is still there!

I did notice that when running spybot, I got several error message popups during the search process that read:

there were problems in the include file C:\Program Files\Spybot - Search_Destroy\Includes\Malware.sbi. See 'Include errors.log' for details.

Does that mean anything of importance?

Is there anything else, short of completely reinstalling my OS, that you can think of?
 
Yes, try running all from SAFE MODE, it would also be a good idea to go ahead and delete any RESTORE POINTS, and to back up your DATA...

once in SAFE MODE run another HJT LOG and paste it, it may show more info than in normal mode...


Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 
Thanks for all your help.

It took about 20 attempts, but I was finally able to download Malwarebytes Anti-Spyware program from downloads.com and that did the trick.

That was the only thing that was able to get rid of this nasty little thing.

Thanks again.
 