Internet Scam involving Comcast

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by rogvalcox, Mar 13, 2005.

  1. rogvalcox

    rogvalcox MajorGeek

    Hello,

    I have a question that I am posting on behalf of my aunt. I am working on her computer and kind of hit a bump in the road!!

    She has Comcast high speed internet. The browser is set to automatically load in the Comcast.net homepage. The other day she proceeded to go into the internet and when she opened Internet Explorer and instead of automatically going into the Comcast page, she got a notice that the page or URL (she doesn't remember exactly) had been moved and she'll be redirected in 5 seconds. THIS IS WHERE IT GETS INTERESTING, AND KEEP IN MIND THAT SHE ONLY KNOWS HOW TO USE THE COMPUTER TO A BARE MINIMUM!! Then she gets a notice to download and install something that appeared to her to have something to do with her internet service or Comcast or something to that effect. So naturally she proceeds to follow what it tells her to do. Fortunately she is aware enough that when you download and install something it lets you know that it is finished etc. Well, she says it never did that. After a little bit it just kind of disappeared into thin space, and then guess what....Voila....her computer is messed up beyond belief!!!!

    Needless to say I think she fell prey to a scam of some sort!!!!!!!!!!

    Anyhow....It is painstakingly slow and (IF) the homepage loads in, it takes about 5 minutes!! Obviously that is ridiculous!!!! So....I proceed to see what I can do. I followed everything in the tutorial that you always tell everyone to do before they post an HJT Log. The Spyware removal tools did clean up a substantial amount of junk, etc. And I ran the Norton scan and that came up with nothing. Unfortunately I can't download any updates for any of these utilities, including Norton!!! So obviously if this is something brand stinking new, these apps aren't going to even know they exist....let alone have the proper information to fix the problem. Some of them connect to their home server and find the latest definitions, but won't download them. They appear as though they are trying, but after sitting there for 30 minutes and the progress indicator hasn't gone beyond 2-3%, (and that happens within the first couple seconds) It's obvious something isn't right!!!! Others can't even seem to find the updates. After doing some research for a couple of days now, I'm just about at wits' end, so I'm hoping this rings a bell with someone!!

    Also I noticed that there were some changes with the buttons, etc. on the Internet Explorer GUI, disappearing or moved and this appears to have happened after this fiasco started.

    Sorry this turned into a novel, but I figure too much information is better than not enough!!

    Any Takers? :rolleyes:

    Thank You
    Roger
     
  2. TheOldThug

    TheOldThug First Sergeant

    After doing ALL of the READ ME if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT
     
  3. rogvalcox

    rogvalcox MajorGeek

    OK....I have done everything in the spyware tutorial, including running the Norton AV scan. Here is the HJT log. As an attachment of course.

    Thank You
    Roger
     

    Attached Files:

  4. rogvalcox

    rogvalcox MajorGeek

    P.S. It dawned on me that the scan I first did was in safe mode so I'm also attaching the NON safe mode scan to this reply.

    Thanks Again
    Roger
     

    Attached Files:

  5. rogvalcox

    rogvalcox MajorGeek

    WOOOOOOOHOOOOOO...Got it!!!!

    After VERY thoroughly reading NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting in "TheOldThug's" reply, I went through my log file and fixed the following lines.

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com;;localhost;<local>

    O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com

    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

    After that ALL my problems disappeared, I've updated all the scanner apps and run new scans and I'm running slick as a whistle now!!!!

    If anyone else sees something I might have missed in the log file, please let me know, I will keep checking on this thread for a couple more days. Otherwise, I appreciate everyone's patience and help and suggestions!!

    Thank You
    Roger
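
One way to triage the kinds of HijackThis entries quoted in this thread, as an added example that is not part of the original posts and is not HijackThis's own code: it parses the R, O14 and O16 line formats exactly as they appear here and lists the hosts each entry points at. The `known_hosts` allowlist, the function names and the result fields are assumptions of this example.

```python
import re

# Entries quoted in posts 5 and 7 of this thread, embedded so the script runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com;;localhost;<local>
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.hpwis.com/
"""

PATTERNS = [
    # R0-R3: registry-backed IE settings, "key,value = data"
    ("registry", re.compile(r"^(?P<sec>R[0-3]) - (?P<key>[^,]+),(?P<name>.*?) = (?P<data>.*)$")),
    # O14: defaults that "Reset Web Settings" restores from IERESET.INF
    ("reset-default", re.compile(r"^(?P<sec>O14) - IERESET\.INF: (?P<name>\w+)=(?P<data>.*)$")),
    # O16: downloaded ActiveX controls, "{CLSID} (label) - codebase URL"
    ("activex", re.compile(r"^(?P<sec>O16) - DPF: (?P<name>\{[0-9A-Fa-f-]+\}) \(.*\) - (?P<data>\S+)$")),
]

def hosts_in(data):
    """Return hostnames from a URL, 'host:port', or ';'-separated proxy list."""
    hosts = []
    for item in data.split(";"):
        item = re.sub(r"^\w+=", "", item.strip())           # drop 'http=' style prefix
        item = re.sub(r"^[a-z]+://", "", item, flags=re.I)  # drop URL scheme
        host = item.split("/")[0].split(":")[0].lower()
        if host:
            hosts.append(host)
    return hosts

def triage(log_text, known_hosts=frozenset({"localhost", "<local>"})):
    """Parse recognised lines; mark an entry for review if any host is not allowlisted."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        for kind, pattern in PATTERNS:
            m = pattern.match(line)
            if not m:
                continue
            if kind == "registry" and m["name"].startswith("Proxy"):
                kind = "proxy"  # Internet Settings ProxyServer / ProxyOverride
            hosts = hosts_in(m["data"])
            findings.append({"section": m["sec"], "kind": kind, "name": m["name"],
                             "hosts": hosts,
                             "review": any(h not in known_hosts for h in hosts)})
            break
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["section"], f["kind"], f["name"], f["hosts"], "REVIEW" if f["review"] else "ok")
```
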
     
  6. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Nice work, glad you got it all cleaned out!
     
  7. TheOldThug

    TheOldThug First Sergeant

    Does this address look familiar?
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.hpwis.com/

    If not I would fix both of those lines and then:

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to what you want or something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to what you want or something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    You should check this out now: How to Protect yourself from malware!

    Once everything seems OK be sure to turn System restore back on.
     
  8. rogvalcox

    rogvalcox MajorGeek

    This: (http://search.hpwis.com/) I think has something to do with it being an HP comp.....did some research on it and it seems harmless??

    Already did this other stuff too, but I definitely appreciate your input!!

    Thanks A Million!! I love the whole MajorGeeks.com website!!!!

    Thanks
    Roger
     
  9. TheOldThug

    TheOldThug First Sergeant

    You're Welcome

    Glad you got it all fixed. ;) Another reminder you should check this out now: How to Protect yourself from malware!

    Once everything seems OK be sure to turn System restore back on.
     
