Every time I go online, my browser gets hijacked. If I go to Google and do a search, when I click on a result, it gets hijacked to some other website other than the one I was trying to go to. If I cut & paste the URL into the address window, it goes where I want. I also have been getting popup windows for Broadcaster.com.
I have tried various spyware removal tools (don't even remember which ones now) that have removed various things (sorry). Then I found this website. I have followed the "Before you post" thread. I tried to use "Bit Defender" and it runs to the end and I get an "IE has performed an illegal action and will close" message (ran it twice with the same results). Then I ran Trend Micro Online - it didn't find anything and did not give me a choice to save a log/report.
I have run SpyBot and Ad-Aware, and every time I reboot I find the same stuff and cannot remove it (TIBS C). I have done all the steps from the sticky thread and here is the HJT log:
--- Search result list ---
Smitfraud-C.Toolbar888: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1532886375-2966927733-1597234714-1006\Software\Microsoft\aldd
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-03-21 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-01-15 advcheck.dll (1.2.1.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-03-28 Includes\Cookies.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2007-03-28 Includes\DialerC.sbi (*)
2007-03-21 Includes\Hijackers.sbi (*)
2007-03-28 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-03-28 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-03-21 Includes\Malware.sbi (*)
2007-03-28 Includes\MalwareC.sbi (*)
2007-03-21 Includes\PUPS.sbi (*)
2007-03-28 Includes\PUPSC.sbi (*)
2007-03-28 Includes\Revision.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2007-03-28 Includes\SecurityC.sbi (*)
2007-03-21 Includes\Spybots.sbi (*)
2007-03-28 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-03-21 Includes\Trojans.sbi (*)
2007-03-28 Includes\TrojansC.sbi (*)
--- System information ---
Windows XP (Build: 2600)
/ Internet Explorer 6 / SP0: Windows XP Hotfix - KB834707
/ Windows XP / SP1: Windows XP Hotfix - KB823980
/ Windows XP / SP1: Windows XP Hotfix - KB824141
/ Windows XP / SP1: Windows XP Hotfix - KB828035
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q308402 for more information]
/ Windows XP / SP1 / Q308677: Windows XP Hotfix (SP1) [See Q308677 for more information]
/ Windows XP / SP1 / Q308678: Windows XP Hotfix (SP1) [See Q308678 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q311889 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q312368 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q315000 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q315403 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q317277 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q317326 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q319632 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q326830 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q329048 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q329170
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q329390 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q329441 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q329834 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q810577
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q810833
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q811630
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q815021
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q817606
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q819696
/ Windows XP / SP2: Windows XP Hotfix - KB823559
/ Windows XP / SP2: Windows XP Hotfix - KB828741
/ Windows XP / SP2: Windows XP Hotfix - KB833987
/ Windows XP / SP2: Windows XP Hotfix - KB835732
/ Windows XP / SP2: Windows XP Hotfix - KB839643
/ Windows XP / SP2: Windows XP Hotfix - KB840374
/ Windows XP / SP2: Windows XP Hotfix - KB840987
/ Windows XP / SP2: Windows XP Hotfix - KB841356
/ Windows XP / SP2: Windows XP Hotfix - KB841873
/ Windows XP / SP2: Windows XP Hotfix - KB842773
/ Windows XP / SP2: Windows XP Hotfix - KB873376
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q323255 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329115 for more information]
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
--- Startup entries list ---
Located: HK_LM:Run, ATIModeChange
command: Ati2mdxx.exe
file: C:\WINDOWS\system32\Ati2mdxx.exe
size: 28672
MD5: fae95d6d7651b5629c4e19adbc9a3863
Located: HK_LM:Run, AtiPTA
command: atiptaxx.exe
file: C:\WINDOWS\system32\atiptaxx.exe
size: 286720
MD5: 4263458289fe421c014bed6ac1a2d1ed
Located: HK_LM:Run, CaAvTray
command: "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
file: C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
size: 230512
MD5: 080a83de3f10aade330268193b461e42
Located: HK_LM:Run, CAVRID
command: "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
file: C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
size: 185456
MD5: 3b0280a11e689315e3efb7c5675a99cb
Located: HK_LM:Run, Cpqset
command: c:\compaq\cpqsetup\cpqset.exe
file: c:\compaq\cpqsetup\cpqset.exe
size: 172101
MD5: 7b72c13e4b54444271bd20b8136e2e19
Located: HK_LM:Run, eabconfg.cpl
command: C:\Program Files\Compaq\EAB\EabServr.exe /Start
file:
Located: HK_LM:Run, Microsoft Works Portfolio
command: C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
file:
Located: HK_LM:Run, Microsoft Works Update Detection
command: C:\Program Files\Microsoft Works\WkDetect.exe
file: C:\Program Files\Microsoft Works\WkDetect.exe
size: 28739
MD5: 3141750fad211c6dadf7c2dc2ec74da8
Located: HK_LM:Run, Motive SmartBridge
command: C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
file: C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
size: 438359
MD5: 7d5393ba10deacb5a1ab7f05232eb600
Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 77824
MD5: f8dbb32041336a94c676e6b70f759993
Located: HK_LM:Run, srmclean
command: C:\Cpqs\Scom\srmclean.exe
file: C:\Cpqs\Scom\srmclean.exe
size: 36864
MD5: 787b8ad5fef1a68d3ed00e4e393b9d18
Located: HK_LM:Run, SunJavaUpdateSched
command: C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
file: C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
size: 36975
MD5: bd902d0d7ed7c2d5fc327567ce96b97c
Located: HK_LM:Run, SynTPEnh
command: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
file: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
size: 540672
MD5: 6849cbabadfd708421fb1258b0b3d297
Located: HK_LM:Run, SynTPLpr
command: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
file: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
size: 126976
MD5: f8b2b0d165a53f6435797e6e94833428
Located: HK_LM:Run, TkBellExe
command: C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
file:
Located: HK_LM:Run, VerizonServicepoint.exe
command: C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
file: C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
size: 1880064
MD5: a7f075d26df8127140e70840134675b7
Located: HK_LM:Run, YOP
command: C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
file: C:\PROGRA~1\Yahoo!\YOP\yop.exe
size: 401408
MD5: 5278f0d69b1c7d5f32bbc8da3bf2573b
Located: HK_LM:Run, ZoneAlarm Client
command: "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
file: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
size: 919280
MD5: f6d4d4068aec371df8f89cdf11fc321d
Located: HK_CU:Run, spc_w
command: "C:\Program Files\NZSearch\nzspc.exe" -w
file: C:\Program Files\NZSearch\nzspc.exe
size: 286786
MD5: 990800fd5aac6c08e1d3bc146997372b
Located: Startup (common), Adobe Reader Speed Launch.lnk
command: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
file: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
size: 40048
MD5: 54c88bfbd055621e2306534f445c0c8d
Located: Startup (common), Adobe Reader Synchronizer.lnk
command: C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
file: C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
size: 734872
MD5: 169c293ce9460a05646d17dc6aa2fb2c
Located: Startup (common), Microsoft Office.lnk
command: C:\Program Files\Microsoft Office\Office\OSA9.EXE
file: C:\Program Files\Microsoft Office\Office\OSA9.EXE
size: 65588
MD5: 1a80248ec5d290a391ce27326dd13e29
Located: Startup (common), Microsoft Works Calendar Reminders.lnk
command: C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
file: C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
size: 24633
MD5: 7084b58a098d2f83b304832251a8c6a8
Located: Startup (user), HotSync Manager.lnk
command: C:\Program Files\Palm\hotsync.exe
file: C:\Program Files\Palm\hotsync.exe
size: 265728
MD5: cde086e30ce7f9c5b890265ae8396ef8
Located: System.ini, !SASWinLogon
command: C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
file: C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
size: 282624
MD5: f6597f9f732453daf4d3a86170da63d5
Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll
Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll
Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll
Located: System.ini, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, Schedule
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll
Located: System.ini, termsrv
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, wlballoon
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, __c0047460
command: C:\WINDOWS\System32\__c0047460.dat
file: C:\WINDOWS\System32\__c0047460.dat
size: 9546
MD5: 23e0d413c9748e2c036215e25a6eb07b
Located: System.ini, __c00B6700
command: C:\WINDOWS\System32\__c00B6700.dat
file: C:\WINDOWS\System32\__c00B6700.dat
size: 9546
MD5: 23e0d413c9748e2c036215e25a6eb07b
--- Browser helper object list ---
@A 3B846-8D59-4ffb-8758-209B6AD74ACC} ()
BHO name:
CLSID name:
{02478D38-C3F9-4EFB-9B51-7695ECA05670} (&Yahoo! Toolbar Helper)
BHO name:
CLSID name: &Yahoo! Toolbar Helper
description: Yahoo Companion!
classification: Legitimate
known filename: Ycomp*_*_*_*.dll
info link: http://companion.yahoo.com/
info source: TonyKlein
Path: C:\Program Files\Yahoo!\Companion\Installs\cpn0\
Long name: yt.dll
Short name:
Date (created): 2/13/2007 6:08:38 PM
Date (last access): 3/31/2007 12:30:38 PM
Date (last write): 2/13/2007 6:08:38 PM
Filesize: 807448
Attributes: archive
MD5: ED5A79CD89F920235E362B5F9A04739A
CRC32: 8B482521
Version: 2007.2.13.1
{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 3/21/2007 2:56:24 PM
Date (last access): 3/31/2007 1:31:36 PM
Date (last write): 5/31/2005 1:04:00 AM
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0
À@ 49E9F-C8D7-4D59-B87D-784B7D6BE0B3} ()
BHO name:
CLSID name:
ð@ BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} ()
BHO name:
CLSID name:
--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla
{193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control)
DPF name:
CLSID name: ewidoOnlineScan Control
Installer:
Codebase: http://downloads.ewido.net/ewidoOnlineScan.cab
description:
classification: Legitimate
known filename: EWIDOO~1.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: ewidoOnlineScan.dll
Short name: EWIDOO~1.DLL
Date (created): 7/11/2006 9:41:36 AM
Date (last access): 3/31/2007 12:49:36 PM
Date (last write): 7/11/2006 9:41:36 AM
Filesize: 345656
Attributes: archive
MD5: B284992540E0FA2B76DEA56F93D49A16
CRC32: FD2E709C
Version: 1.0.0.4
{33564D57-9980-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\wmv9dmo.inf
Codebase: http://download.microsoft.com/downlo...0C/wmv9dmo.cab
description: Microsoft WMV Video Codec
classification: Legitimate
known filename: WMV9DMO.CAB
info link:
info source: Patrick M. Kolla
{4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\vzbb.inf
Codebase: http://www2.verizon.net/micro/vol_toolbar/vzbb.cab
description:
classification: Legitimate
known filename: vzbb.dll
info link:
info source: Safer Networking Ltd.
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control)
DPF name:
CLSID name: BDSCANONLINE Control
Installer: C:\WINDOWS\Downloaded Program Files\oscan8.inf
Codebase: http://download.bitdefender.com/reso...an8/oscan8.cab
description:
classification: Legitimate
known filename: oscan8.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: oscan8.ocx
Short name:
Date (created): 6/1/2006 2:54:16 AM
Date (last access): 3/31/2007 11:57:26 AM
Date (last write): 6/1/2006 2:54:16 AM
Filesize: 471040
Attributes: archive
MD5: 9026F860148F0569BD92AEEFC4BDDFD7
CRC32: D1520CCE
Version: 1.0.0.1
{644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class)
DPF name:
CLSID name: Symantec RuFSI Utility Class
Installer: C:\WINDOWS\Downloaded Program Files\CabSA.inf
Codebase: http://security.symantec.com/sscv6/S.../bin/cabsa.cab
description:
classification: Legitimate
known filename: rufsi.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: rufsi.dll
Short name:
Date (created): 5/17/2006 2:32:42 PM
Date (last access): 3/31/2007 12:49:38 PM
Date (last write): 5/17/2006 2:32:42 PM
Filesize: 161480
Attributes: archive
MD5: D9021B7C1D765851774FD9A753AEC435
CRC32: 6D65423F
Version: 2006.2.15.43
{7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class)
DPF name:
CLSID name: WScanCtl Class
Installer: C:\WINDOWS\Downloaded Program Files\webscan.inf
Codebase: http://www3.ca.com/securityadvisor/v...fo/webscan.cab
description:
classification: Legitimate
known filename: webscan.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: webscan.dll
Short name:
Date (created): 11/20/2006 12:02:34 PM
Date (last access): 3/31/2007 12:49:38 PM
Date (last write): 11/20/2006 12:02:34 PM
Filesize: 180282
Attributes: archive
MD5: 76EA3ABECE61FBA3C07F61E42BB0CA48
CRC32: AECD0E4D
Version: 1.1.0.1049
{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_03
Installer: C:\WINDOWS\Downloaded Program Files\jinstall-1_5_0_03.inf
Codebase: http://java.sun.com/update/1.5.0/jin...ndows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.5.0_03\bin\
Long name: NPJPI150_03.dll
Short name: NPJPI1~1.DLL
Date (created): 4/13/2005 3:48:56 AM
Date (last access): 3/31/2007 11:01:06 AM
Date (last write): 4/13/2005 4:06:32 AM
Filesize: 69746
Attributes: archive
MD5: 13FCA03EBCA6E1F8C6481166C516D1FE
CRC32: 868C298F
Version: 5.0.30.7
See next post...