moneybasis.com hijacked my computer, help

[milkman37]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:40 PM, on 12/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth

Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft

Shared\VS7Debug\mdm.exe
C:\PROGRA~1\PERMIS~1\bin\dm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Sandisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet

Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet

Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-

11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-

C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common

Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6902F36D-E8DE-4F58-9A64-

5B68B888130D} - C:\DOCUME~1\MILTON~1\LOCALS~1

\Temp\~DPD.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-

4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4

\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1

\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32

\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft

Excel - res://C:\PROGRA~1\MICROS~4\Office12

\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth -

C:\Program Files\WIDCOMM\Bluetooth

Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-

AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-

4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4

\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote -

{2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1

\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-

B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12

\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-

82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -

{e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-

BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O14 - IERESET.INF:

START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?

TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&p f=la

ptop
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02}

(HouseCall Control) -

http://housecall60.trendmicro.com/housecall/xscan60.ca

b
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}

(YInstStarter Class) - C:\Program Files\Yahoo!

\Common\yinsthelper.dll
O16 - DPF: {96D338F5-8757-4A1C-AFEA-770A4036752F} -

https://setup.bellsouth.net/wizlet/BellSouthDial/Webfl

owActiveXCab.CAB
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}

(get_atlcom Class) -

http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3016E75C-

6499-4617-A63E-DD760C127BF2}: NameServer =

172.16.5.1,58.147.128.7,66.178.2.16,203.196.128.4
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-

A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12

\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) -

Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007

\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv)

- ALWIL Software - C:\Program Files\Alwil

Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies

Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software -

C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software -

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software -

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom

Corporation. - C:\Program Files\WIDCOMM\Bluetooth

Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-

Packard Development Company, L.P. - C:\Program

Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT)

- Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling

Service (LightScribeService) - Unknown owner -

C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PermissionTV Download Manager Service

(PermissionTVDownloadManager) - PermissionTV -

C:\PROGRA~1\PERMIS~1\bin\dm.exe
O23 - Service: Pml Driver HPZ12 - HP -

C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sansa Updater Service (SansaService) -

Unknown owner - C:\Program Files\Sandisk\Sansa

Updater\SansaSvr.exe
O23 - Service: Symantec Network Drivers Service

(SNDSrvc) - Symantec Corporation - c:\Program

Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6550 bytes

[jholland1964]

How do you know the computer was hijacked? What symptoms did it show?

Please complete steps here
Post back here with requested logs. In the future please do not double space logs. Makes them awfully hard to read.

[milkman37]

when i go to any FTA (free-to-air satelite) forums, it goes to the website for about 1/2 a second, then it goes to moneybasis.com. It happens also in forums like this one. In this forum I have no problems, but I do in some of your links. It's always the same website and a pop up. I was able to block the pop up. I ran trend micro housecall and no help. I didn't know about all the steps beore i posted my log. I'm now doing all the steps.

[jholland1964]

No problem, will wait for all your logs.