Opera Hijacked!!!

[Dilbert]

I was answering a post about a "keylogger" so I googled and tried to C&P a link. However, when I got back, I couldn't type anything. Cut-and-paste was this:

5**-**4-**** cell (I changed the numbers to *'s to secure the privacy of the person)

I did type this in, but I don't remember putting it on the clipboard. And I could type in notepad, but nothing worked in the post box. I closed and restarted, a little annoyed. Normally I get a dialog box asking "start from previous" "start X session" "start with blank" "start with none". However, I gat about:blank as the page. I - *censored*

The hijacker appears to have deleted itself - no, I ran the aboutBuster. But I don't know if it'll come back. Just in case, I'm attaching a HijackThis logfile.

[dl65]

Dilbert....... So are you certain you have completely removed the highjacker ..... and I noticed that you did not include all the info in your hijacker log ......  the very top info is missing and that is important .
BTW .... I have recently sent you 2 pMs and you dont seem to reply to them , is there some reason you dont ?

dl65  

[Dilbert]

I only got one, and I replied to it.

OK, sorry. I removed the top info to save space because attachments weren't working for me as they should. Top info is:

Logfile of HijackThis v1.99.1
Scan saved at 3:46:29 PM, on 4/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

[dl65]

Dilbert , ok ...... How did you get rid of the hijacker ? I ask so I may suggest what apps to run to ensure your clean.


dl65  

[Dilbert]

I ran AboutBuster

[dl65]

Dilbert , the scan you attached....... was that from before you started the cleanse or after you finished ?

dl65  

[Dilbert]

Right after.

Ad-Aware came back with a Tracking Cookie and removed it. Norton found nothing. Spybot found and removed the following:

Comet Cursors
MyWay.Mysearch
Windows Security Center.AntiVirusOverride
Windows Security Center.FirewallDisableNotify

[Dilbert]

An aside: I downloaded SpyBot on my mother's computer. She insisted that her limited Internet use kept her safe, but no less than 22 problems were founds, including Windows Security Center.FirewallDisableNotify and Windows Security Center.AntiVirusDisableNotify

[dl65]

Dilbert....ok ,  In your running processes ...... Use the device manage to kill....

  C:\WINDOWS\system32\cfpsys.exe  

Now mark for removal the following :

O4 - HKLM\..\Run: [Warning: do not remove it! (system)] cfpsys.exe

017 ..... ALL of them UNLESS THEY ARE ASSOCIATED WITH YOUR ISP

O23 - Service: MySQL - Unknown owner - C:\MySQL\bin\mysqld-nt".exe (file missing)

If they are all marked .....click fix checked ......

Then reboot and post a fresh logfile .

dl65  

[Dilbert]

OK, the cfpsys.exe does look suspicious, but it's actually part of a password-protect program I downloaded. Info is here:

http://www.bleepingcomputer.com/startups/cfpsys.exe-14104.html

And removing the 017 things, I've found, causes issues with DynDNS updater. I've found this out by removing them, not being able to get online and getting errors from DynDNS, then restoring them and finding everything condition Green again...

The last one I fixed, but I'm going to bed. I'll post another one in the morning. (GMT-8 shows 11:10 PM. And it's a school night!)

So, G'night.

[dl65]

Dilbert ......

017 ..... ALL of them UNLESS THEY ARE ASSOCIATED WITH YOUR ISP

  ....... If they are from your ISP ...they are ok to stay ..... as stated .

Re ... cfpsys.exe ........ Yes I saw that as well , But I also saw a number of sites that were considering it an issue .......  The fact that you downloaded it confirms it .

dl65