Not feeling too well...

Discussion in 'Malware Help (A Specialist Will Reply)' started by ColoradoJoe, Jan 16, 2006.

  1. ColoradoJoe

    ColoradoJoe Private E-2

    Hello,

I've recently been severely attacked by a string of malware. I've run all of the posted steps (from the Read & Run Me First thread), but I'm still showing spyware every time I run Spybot or MS AntiSpyware. I believe it's also affected my computer's performance. I'm attaching the HijackThis log, Panda log, and BD log. Any advice would be greatly appreciated! Thanks a ton in advance. -CJ
     


  2. ColoradoJoe

    ColoradoJoe Private E-2

PS: I'm quite comfortable editing the registry et al.!
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MGs!

    CAUTION: Your log shows evidence of Trojan.Spy.Small.DG. This trojan sends information about:
    • Cached passwords
    • Collected Email addresses
    • Created logfiles
    • IP address
    • Current malware status
    • Opened port
    • Collected information described in stealing section
    • Information about the Windows operating system

It is advised that you change all passwords for ALL accounts (especially financial-related ones) that you have accessed from this PC. Your security may have been compromised and the safest thing to do is to change the passwords NOW! Do not do that from this PC! Either call up and have them changed or do it from another PC that you are sure is clean.

Please run the steps below.

Click on Start, then Run... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Network Monitor, then right-click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, run HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc Tools' button... select 'Delete an NT Service', copy/paste the following into the box that opens, and press 'OK':

    Network Monitor

Now exit HJT, but do not reboot when it tells you it needs to. We will reboot later, before running Ewido.


    Now run the steps in: Running Ewido Security Suite

Then, after rebooting into normal mode, attach the Ewido log here. Also attach a new HJT log.
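The service removal described in the post above (stop the service, set it to Disabled, then delete its registration) can be done from an elevated PowerShell prompt instead of services.msc and HJT. This is an added example and not part of the thread; it assumes the display name "Network Monitor" from the post and resolves the internal service name at run time, since the two often differ. Save it as Remove-SuspectService.ps1 and run it as Administrator.

```powershell
# Added example (not from the thread): stop, disable and unregister a suspect
# Windows service identified by its display name. The default display name,
# "Network Monitor", is the one named in the post; nothing else is assumed.
param(
    [string]$DisplayName = 'Network Monitor'
)

# Resolve the internal service name and record the binary it points at.
# The path is the evidence you want before anything is removed.
$svc = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -eq $DisplayName }

if (-not $svc) {
    Write-Host "No service with display name '$DisplayName' is registered."
    return
}

Write-Host ("Name      : {0}" -f $svc.Name)
Write-Host ("Binary    : {0}" -f $svc.PathName)
Write-Host ("State     : {0}" -f $svc.State)
Write-Host ("StartMode : {0}" -f $svc.StartMode)

# 1. Stop it (the 'Stop' step in services.msc) and wait for it to actually stop.
if ($svc.State -ne 'Stopped') {
    Stop-Service -Name $svc.Name -Force -ErrorAction Stop
    $ctl = Get-Service -Name $svc.Name
    $ctl.WaitForStatus([System.ServiceProcess.ServiceControllerStatus]::Stopped,
                       [TimeSpan]::FromSeconds(30))
}

# 2. Disable it so a reboot cannot bring it back before the file is removed.
Set-Service -Name $svc.Name -StartupType Disabled

# 3. Delete the registration (what HJT's 'Delete an NT Service' does).
#    sc.exe marks the service for deletion; if anything still holds a handle
#    to it, the entry disappears only after a reboot.
& sc.exe delete $svc.Name | Out-Null

# 4. Verify, and remind the operator that the binary itself is still on disk.
if (Get-Service -Name $svc.Name -ErrorAction SilentlyContinue) {
    Write-Warning "Service '$($svc.Name)' is marked for deletion; it will vanish after a reboot."
} else {
    Write-Host "Service '$($svc.Name)' is no longer registered."
}
Write-Host "Binary still on disk: $($svc.PathName) - delete it after the reboot and the scans."
```

The script prints the service's binary path before touching it on purpose: once the registration is gone, that path is the only link between the log entry and the file that has to be deleted, and it is also what you would submit to an AV vendor.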
     
  4. ColoradoJoe

    ColoradoJoe Private E-2

    Wow! Glad I posted.

I ran through the steps, including Ewido and HJT. I've included the appropriate logs. Thanks for all the help!

    -CJ
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Are the settings below things that you have set up and require? Did you want your Start Page to be about:blank? What about the proxy settings?
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
    R3 - Default URLSearchHook is missing

Your HJT log is basically clean now, but let's double-check for any nasties hanging around. Some of these may already be gone now, but it does not hurt to double-check. Make sure you have viewing of hidden and system files enabled per the tutorial, then continue. Also note: if you cannot delete any of these, reboot into Safe Mode and try again.

Open Windows Explorer, navigate to the below, and delete them:
    C:\inrh9400.exe
    C:\secure32.html
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
    C:\Program Files\Network Monitor <--- the whole Network Monitor folder
    C:\WINDOWS\kl.exe
    C:\WINDOWS\secure32.html
C:\WINDOWS\smss.exe <-- only delete this one if found. Do not delete C:\WINDOWS\system32\smss.exe, which is valid.
    C:\WINDOWS\tool1.exe
    C:\WINDOWS\tool2.exe
    C:\WINDOWS\tool3.exe
    C:\WINDOWS\system32\avAw6.sys
    C:\WINDOWS\system32\msrdth.exe
    C:\WINDOWS\system32\pstmct.exe
    C:\WINDOWS\system32\unregister.exe
    C:\WINDOWS\system32\whCC-CLICK.exe
    C:\WINDOWS\system32\whAgent.exe
    C:\WINDOWS\system32\HyperLinker.exe
    C:\WINDOWS\system32\msoff.exe
    C:\WINDOWS\system32\paradise.raw.exe
    C:\WINDOWS\system32\paytime.exe
    C:\WINDOWS\system32\pi1_58.exe
    C:\WINDOWS\system32\ykczr.dll
    C:\WINDOWS\system32\lmf32v.dll
    C:\WINDOWS\system32\00kk03qo.dll
    C:\WINDOWS\system32\data.~
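The two checks in the post above (the R0/R1 Internet Explorer and proxy values, and the list of files to delete) are easy to get wrong by hand, particularly the smss.exe item, where the copy in C:\WINDOWS is the one to remove and the copy in system32 must stay. The following is an added example, not code from the thread or from any of the tools it names: it reads the registry values the HJT lines refer to and reports which of the listed paths exist, deleting them only when run with -Remove. The path list is the post's own; the ProxyEnable value is an addition, included because it decides whether the ProxyServer entry is actually used.

```powershell
# Added example (not from the thread): audit the IE start-page/proxy values and
# the file paths listed in the post. Report only by default; -Remove deletes
# the files that are present. Run as Administrator with hidden/system files
# visible, as the post requires.
param([switch]$Remove)

# Registry values behind the R0/R1 lines in the HJT log.
# ProxyEnable is not in the post; it is the switch that turns ProxyServer on.
$regChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';                   Name = 'Default_Page_URL' },
    @{ Key = 'HKLM:\Software\Microsoft\Internet Explorer\Main';                   Name = 'Default_Page_URL' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';                   Name = 'Local Page' },
    @{ Key = 'HKLM:\Software\Microsoft\Internet Explorer\Main';                   Name = 'Local Page' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'ProxyServer' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'ProxyOverride' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'ProxyEnable' }
)

Write-Host '== Registry values =='
foreach ($c in $regChecks) {
    $v = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v) { Write-Host ("{0}\{1} = {2}" -f $c.Key, $c.Name, $v) }
    else              { Write-Host ("{0}\{1} (not set)" -f $c.Key, $c.Name) }
}

$win = $env:SystemRoot    # C:\WINDOWS on the machine in the thread
$sys = Join-Path $win 'system32'

# File paths exactly as listed in the post. The folder entry is removed recursively.
$paths = @(
    'C:\inrh9400.exe',
    'C:\secure32.html',
    'C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll',
    'C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe',
    'C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll',
    'C:\Program Files\Network Monitor',
    (Join-Path $win 'kl.exe'),
    (Join-Path $win 'secure32.html'),
    (Join-Path $win 'smss.exe'),       # the rogue copy; the one in system32 is legitimate
    (Join-Path $win 'tool1.exe'),
    (Join-Path $win 'tool2.exe'),
    (Join-Path $win 'tool3.exe'),
    (Join-Path $sys 'avAw6.sys'),
    (Join-Path $sys 'msrdth.exe'),
    (Join-Path $sys 'pstmct.exe'),
    (Join-Path $sys 'unregister.exe'),
    (Join-Path $sys 'whCC-CLICK.exe'),
    (Join-Path $sys 'whAgent.exe'),
    (Join-Path $sys 'HyperLinker.exe'),
    (Join-Path $sys 'msoff.exe'),
    (Join-Path $sys 'paradise.raw.exe'),
    (Join-Path $sys 'paytime.exe'),
    (Join-Path $sys 'pi1_58.exe'),
    (Join-Path $sys 'ykczr.dll'),
    (Join-Path $sys 'lmf32v.dll'),
    (Join-Path $sys '00kk03qo.dll'),
    (Join-Path $sys 'data.~')
)

# Safety net: refuse to run if the legitimate Session Manager ever ends up in the list.
$protected = Join-Path $sys 'smss.exe'
if ($paths -contains $protected) { throw "Refusing to touch $protected" }

Write-Host '== Files =='
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p -Force
        $size = if ($item.PSIsContainer) { 'folder' } else { "$($item.Length) bytes" }
        Write-Host ("FOUND  {0}  ({1}, modified {2})" -f $p, $size, $item.LastWriteTime)
        if ($Remove) { Remove-Item -LiteralPath $p -Recurse -Force -ErrorAction Continue }
    } else {
        Write-Host ("absent {0}" -f $p)
    }
}
```

Run it once without -Remove and keep the output with the other logs: the sizes and modification times of whatever is still present are worth having before the files are gone. A file that reports FOUND but will not delete is the case the post covers with "reboot into Safe Mode and try again".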
     
  6. ColoradoJoe

    ColoradoJoe Private E-2

    You Guys Rock! Got any links to a donation page? Thanks for the assistance. -CJ
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! But what about my question:
We don't accept donations, but you can send your friends here and/or buy some Geek-Wear (see the main page, in the right column under the INFO heading).
     
  8. ColoradoJoe

    ColoradoJoe Private E-2

Yeah, those settings are wrong. I've reset my start page, but I'm not quite sure what to do with the rest. I operate from home...
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

You can just have HJT fix any of those R0 and R1 lines that are incorrect. Are you sure you do not need the Proxy Server entry? It seems to be related to Comcast. Is that your ISP?
     
