I Think I've Been Google 'Jacked

Compaq laptop
February 12, 2009 at 20:19:50
Specs: Windows XP, 1.5 GB
Hello all, I have been hijacked. I think I have got most of the infections out using the Malwarebytes program, but would love it if someone could give my HijackThis log a look, and possibly any other advice you may have.
Will follow this post with the HijackThis log.




#1
February 13, 2009 at 03:29:12
Please post your HijackThis log.


#2
February 13, 2009 at 11:46:02
Could've sworn I did this last night, but oh well, my apologies. HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:36 PM, on 12/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://pages.ebay.ca/ebay_toolbar/a...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKLM\..\Run: [SmartRAM] C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe /m
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitLord\BitLord.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=presario&pf=laptop
O15 - Trusted Zone: http://*.download.microsoft.com
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20New%20York%20Fortune/Images/stg_drm.ocx
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://preview.licenseacquisition.o...
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/SCRABBLE/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 9758 bytes



#3
February 13, 2009 at 15:00:03
Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case, to run ComboFix do the following:
1. Go offline, turn off your Avast antivirus, and any antispyware that you may have.
2. Run ComboFix by double-clicking the combofix.exe icon on your desktop and save its log.
3. Restart the computer to get the antivirus running again, but leave the antispyware programs off until we get the computer cleaned.
4. Post the ComboFix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.




#4
February 13, 2009 at 15:58:37
Will do thanks.


#5
February 13, 2009 at 21:43:45
This is STRANGE. I know 100% positive I posted this earlier, got the confirm post page and everything, and then nothing. Same thing happened last night when I posted the HijackThis log, which again I am 100% positive I posted, but then the posts disappear?
Anyway, for the third time, here's a log file from the ComboFix program:

ComboFix 09-02-12.03 - Mike 2009-02-13 17:32:29.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1150.716 [GMT -8:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090213-0] *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\_000008_.tmp.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2009-01-14 to 2009-02-14 )))))))))))))))))))))))))))))))
.

2009-02-13 12:25 . 2009-02-13 12:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-12 12:26 . 2009-02-12 12:26 <DIR> d-------- c:\program files\Bethesda Softworks
2009-02-11 22:25 . 2009-02-11 22:25 <DIR> d-------- c:\program files\Common Files\DirectX
2009-02-11 21:54 . 2009-02-11 21:54 <DIR> d-------- C:\AeriaGames
2009-02-10 20:42 . 2009-02-10 20:42 1,374 --a------ c:\windows\imsins.BAK
2009-02-10 15:21 . 2009-02-10 15:21 <DIR> d-------- c:\documents and settings\Mike\Application Data\Malwarebytes
2009-02-10 15:21 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-10 15:21 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-10 15:18 . 2009-02-10 15:18 <DIR> d-------- c:\program files\Uniblue
2009-02-10 15:18 . 2009-02-10 15:18 <DIR> d-------- c:\documents and settings\Mike\Application Data\Uniblue
2009-02-10 15:18 . 2009-02-10 15:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\DriverScanner
2009-02-10 15:16 . 2009-02-10 15:18 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{D5ABFFAD-D592-4F98-B02B-587125B4801F}
2009-02-05 20:49 . 2009-02-05 20:49 <DIR> d-------- c:\program files\BSCCleanitol
2009-02-02 23:06 . 2009-02-02 23:06 <DIR> d-------- c:\program files\SC4Mapper
2009-02-01 20:15 . 2009-02-01 20:16 <DIR> d-------- c:\program files\TrafficCop
2009-02-01 20:15 . 2009-02-01 20:15 249,856 --------- c:\windows\Setup1.exe
2009-02-01 20:15 . 2009-02-01 20:15 73,216 --a------ c:\windows\ST6UNST.EXE
2009-01-30 10:32 . 2009-01-30 10:32 <DIR> d-------- c:\program files\Maxis
2009-01-29 08:57 . 2009-01-29 08:57 <DIR> d-------- c:\program files\RadioXpi
2009-01-26 12:32 . 1998-08-26 20:51 182,032 --a------ c:\windows\system32\dxtmsft3.dll
2009-01-26 12:32 . 1998-09-02 00:28 38,160 --a------ c:\windows\system32\LMRTREND.dll
2009-01-26 12:30 . 1998-09-02 00:28 63,488 --a------ c:\windows\system32\unam4ie.exe
2009-01-26 12:29 . 1998-09-02 00:02 194,320 --a------ c:\windows\system32\qcut.dll
2009-01-26 12:29 . 1998-08-17 01:21 11,776 --a------ c:\windows\system32\mciqtz.drv
2009-01-26 12:29 . 1998-08-17 01:21 10,240 --a------ c:\windows\system32\vidx16.dll
2009-01-26 12:29 . 1998-08-17 01:21 5,672 --a------ c:\windows\system32\quartz.vxd
2009-01-26 12:29 . 2009-01-26 12:29 4,608 --a------ c:\windows\system32\w95inf32.dll
2009-01-26 12:29 . 2009-01-26 12:29 2,272 --a------ c:\windows\system32\w95inf16.dll
2009-01-26 12:27 . 2009-01-29 02:16 <DIR> d-------- c:\program files\System Shock 2
2009-01-25 22:24 . 2009-01-25 22:24 52,736 --a------ c:\windows\ipuninst.exe
2009-01-25 22:23 . 2009-01-25 22:23 <DIR> d-------- c:\program files\BlackIsle
2009-01-19 14:58 . 2009-02-13 17:29 <DIR> d-------- c:\windows\system32\CatRoot2
2009-01-19 12:21 . 2009-01-23 13:08 <DIR> d-------- c:\documents and settings\Mike\Application Data\IObit
2009-01-19 12:11 . 2009-01-23 13:08 <DIR> d-------- c:\program files\IObit
2009-01-19 12:02 . 2009-01-19 12:02 <DIR> d-------- c:\program files\Lavasoft
2009-01-19 12:02 . 2009-01-19 12:02 <DIR> d-------- c:\documents and settings\Mike\Application Data\Lavasoft
2009-01-19 11:54 . 2009-01-19 11:54 <DIR> d-------- C:\VundoFix Backups
2009-01-18 13:05 . 2009-02-13 15:36 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-18 13:05 . 2009-01-18 13:05 <DIR> d-------- c:\program files\InCode Solutions
2009-01-18 13:05 . 2009-01-18 13:05 <DIR> d-------- c:\documents and settings\Mike\Application Data\SUPERAntiSpyware.com
2009-01-18 13:04 . 2009-01-19 12:01 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-18 13:03 . 2009-01-19 11:55 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-18 13:03 . 2009-01-18 13:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-18 12:31 . 2009-01-18 12:32 <DIR> d-------- c:\program files\RogueRemover FREE
2009-01-18 12:16 . 2008-07-08 13:54 148,496 --a------ c:\windows\system32\drivers\35934702.sys
2009-01-18 12:13 . 2009-01-18 12:13 <DIR> d-------- c:\program files\Trend Micro
2009-01-18 12:08 . 2009-02-10 15:21 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-18 12:08 . 2009-01-18 12:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-17 16:37 . 2009-01-17 16:37 <DIR> d-------- c:\program files\Unlocker
2009-01-17 16:37 . 2009-01-24 15:15 <DIR> d-------- c:\documents and settings\Mike\Application Data\Desktopicon
2009-01-16 08:43 . 2009-02-10 14:21 54,679 --a------ c:\windows\Sysvxd.exe
2009-01-14 14:55 . 2009-01-14 14:55 <DIR> d--hs---- c:\windows\ftpcache
2009-01-14 09:50 . 2008-12-11 02:57 333,952 --a------ c:\windows\system32\drivers\srv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-13 23:35 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-02-12 20:26 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-10 23:58 --------- d-----w c:\program files\Astro Gemini Software
2009-02-02 05:04 --------- d-----w c:\documents and settings\Mike\Application Data\OpenOffice.org2
2009-01-26 06:45 --------- d-----w c:\program files\SystemRequirementsLab
2009-01-26 06:44 --------- d-----w c:\documents and settings\Mike\Application Data\SystemRequirementsLab
2009-01-23 19:25 --------- d-----w c:\program files\Guitar Pro 5
2009-01-22 22:55 --------- d-----w c:\program files\Wesnoth 1.4.5
2009-01-19 20:49 --------- d-----w c:\program files\CCleaner
2009-01-19 00:27 --------- d-----w c:\program files\RegVac Registry Cleaner
2009-01-18 20:09 --------- d-----w c:\program files\Yahoo!
2009-01-17 05:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-01-17 02:30 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-14 22:47 --------- d-----w c:\program files\HP Games
2009-01-13 17:06 --------- d-----w c:\program files\Google
2009-01-12 19:16 --------- d-----w c:\documents and settings\All Users\Application Data\iolo
2009-01-12 19:02 --------- d-----w c:\program files\WinWay Resume
2009-01-12 18:37 --------- d-----w c:\program files\CleanMyPC
2009-01-12 18:31 --------- d-----w c:\program files\Sonic
2009-01-12 18:30 --------- d-----w c:\program files\Miuchiz 2.0
2009-01-12 05:04 --------- d-----w c:\documents and settings\Mike\Application Data\Astro Gemini Software
2009-01-11 23:40 --------- d-----w c:\documents and settings\Mike\Application Data\SpinTop Games
2009-01-10 03:00 --------- d-----w c:\program files\SCRABBLE
2009-01-07 04:44 --------- d-----w c:\documents and settings\Mike\Application Data\SpinTop
2008-12-27 09:06 --------- d-----w c:\program files\Microsoft Silverlight
2008-12-19 15:54 --------- d-----w c:\program files\Bonjour
2008-12-19 15:52 --------- d-----w c:\program files\iTunes
2008-12-19 15:52 --------- d-----w c:\program files\iPod
2008-12-19 15:52 --------- d-----w c:\program files\Common Files\Apple
2008-12-19 15:52 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-19 15:50 --------- d-----w c:\program files\QuickTime
2008-12-19 15:40 --------- d-----w c:\program files\Safari
2008-12-19 09:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-12-12 19:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-12-12 19:11 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\dllcache\srv.sys
2008-12-03 08:26 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-11-06 04:12 11,976,319 ----a-w c:\program files\PROCESSLIST.DB
2008-11-06 04:11 1,073,147 ----a-w c:\program files\PROCESSLISTRELATED.DB
2006-07-17 22:16 22 -csha-w c:\windows\SMINST\HPCD.sys
2008-07-11 04:48 56 --sh--r c:\windows\system32\3FEF8B1F9B.sys
2008-07-11 04:48 1,942 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-09-20 22:31 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092020080921\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-13_17.30.08.78 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-14 01:26:30 71,710 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-14 01:28:35 71,710 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-14 01:26:31 442,192 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-14 01:28:35 442,192 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Registry Cleaner Scheduler"="c:\program files\CleanMyPC\Registry Cleaner\RCHelper.exe" [2008-09-20 471650]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-07 409600]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SmartRAM"="c:\program files\IObit\Advanced WindowsCare V2\MemCleaner.exe" [2007-10-29 662016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20:TCP"= 20:TCP:Entropia
"21:TCP"= 21:TCP:Entropia
"30584:UDP"= 30584:UDP:Entropia

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-05 114768]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-09-03 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-04-05 20560]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-08-22 231424]
S1 is-7S9E1drv;is-7S9E1drv;c:\windows\system32\drivers\35934702.sys [2009-01-18 148496]
S3 PAC207;PC Camera;c:\windows\system32\drivers\PFC027.SYS [2007-05-29 508160]
S3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2004-01-23 13952]
S3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-01-23 28800]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]
S3 UXDCMN;UXDCMN;\??\f:\winstress\UXDCMN.SYS --> f:\winstress\UXDCMN.SYS [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\OblivionLauncher.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-08 c:\windows\Tasks\rpc.job
- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe []

2009-02-08 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-01-14 13:15]

2009-02-08 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\ [2009-01-23 13:08]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Pro Antispyware 2009 - c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\proas2009.exe
MSConfigStartUp-CTFMON - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=presario&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://pages.ebay.ca/ebay_toolbar/app/congrats.html
uInternet Settings,ProxyOverride = *.local
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
Trusted Zone: download.microsoft.com
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: update.microsoft.com
Trusted Zone: windowsupdate.com
Trusted Zone: windowsupdate.microsoft.com
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\efwd5hx1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1434207&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - isoHunt Customized Web Search
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1434207&SearchSource=2&q=
FF - prefs.js: network.proxy.type - 4

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - );user_pref(yahoo.homepage.dontask, true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-13 17:34:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????P??|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1859129205-3716493205-2414112154-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3e,37,02,c2,a1,34,a5,fb,46,72,6b,4b,14,39,86,f7,bc,29,b6,1f,34,37,79,
b3,3f,14,4c,5e,73,25,ea,fa,ad,f8,34,dd,05,5e,58,77,60,44,d5,0b,19,21,59,46,\
"??"=hex:37,2d,9d,45,99,25,96,f2,03,ce,23,f7,34,bf,0b,49
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-13 17:36:25
ComboFix-quarantined-files.txt 2009-02-14 01:36:11

Pre-Run: 6,298,783,744 bytes free
Post-Run: 6,281,338,880 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=6 Sets=1,2,3,4,5,6
258 --- E O F --- 2009-02-11 04:45:14


Hopefully this post will work as intended. Again, much thanks for anyone's help; have a great night and weekend.
-Grais.


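Two parts of this ComboFix log carry the security-relevant information. The Drivers/Services section shows ComboFix removed TDSSserv.sys, the driver name used by the TDSS rootkit family, which was a common cause of search-result redirects on XP at the time, and the poster reports further down that the redirects stopped. The Supplementary Scan and firewall sections still show things worth a second look after cleanup: Firefox's browser.search.defaulturl and keyword.URL route searches through search.conduit.com (the Conduit-built isoHunt search toolbar), network.proxy.type is 4, which is Firefox's auto-detect-proxy setting and lets any WPAD responder on the local network pick the browser's proxy, and the firewall's authorized-application list contains %windir%\system32\drivers\svchost.exe, whereas the real svchost.exe lives in %windir%\system32, not in the drivers directory. The block below is an added example, not part of the thread and not from ComboFix, that parses those sections and flags exactly those three conditions. The sample lines are copied from the log above ("hxxp" is ComboFix's own defanging); the expected search hosts and the list of core binaries whose location is checked are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Lines copied from the ComboFix log posted above (firewall policy and
# Firefox "Supplementary Scan" sections).
COMBOFIX_SAMPLE = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20:TCP"= 20:TCP:Entropia
"21:TCP"= 21:TCP:Entropia

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1434207&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - isoHunt Customized Web Search
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1434207&SearchSource=2&q=
FF - prefs.js: network.proxy.type - 4
"""

FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<pref>\S+) - (?P<value>.*)$")
FW_APP_RE = re.compile(r'^"(?P<path>[^"]+)"=$')

# Firefox network.proxy.type semantics (documented Mozilla values).
PROXY_TYPES = {"0": "direct", "1": "manual", "2": "PAC URL",
               "4": "auto-detect via WPAD", "5": "system"}
# Search hosts this user is assumed to actually want (assumption).
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.google.ca"}
# Core Windows binaries and the only directories they live in on XP.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                   "winlogon.exe", "services.exe"}
SYSTEM32_DIRS = {"%windir%\\system32", "c:\\windows\\system32"}


def refang(url):
    """ComboFix writes hxxp:// so the log cannot be clicked; undo that."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def firefox_findings(text, expected_hosts=EXPECTED_SEARCH_HOSTS):
    """Search URLs pointed at an unexpected host, and any proxy mode other
    than direct/system (auto-detect and PAC hand routing to a third party)."""
    out = []
    for line in text.splitlines():
        m = FF_PREF_RE.match(line.strip())
        if not m:
            continue
        pref, value = m.group("pref"), m.group("value").strip()
        if pref in ("browser.search.defaulturl", "keyword.URL"):
            host = urlparse(refang(value)).hostname or ""
            if host not in expected_hosts:
                out.append(f"{pref} sends searches to {host}")
        elif pref == "network.proxy.type" and value not in ("0", "5"):
            out.append(f"network.proxy.type={value} "
                       f"({PROXY_TYPES.get(value, 'unknown')})")
    return out


def firewall_findings(text):
    """Firewall exceptions for a core-binary name living outside system32."""
    out, in_list = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_list = "AuthorizedApplications" in s
            continue
        m = FW_APP_RE.match(s) if in_list else None
        if not m:
            continue
        # REGEDIT4 export doubles backslashes; collapse them before comparing.
        path = m.group("path").replace("\\\\", "\\").lower()
        directory, _, name = path.rpartition("\\")
        if name in SYSTEM_BINARIES and directory not in SYSTEM32_DIRS:
            out.append(f"firewall exception for {name} outside system32: "
                       f"{m.group('path')}")
    return out


def review(text):
    return {"firefox": firefox_findings(text), "firewall": firewall_findings(text)}


if __name__ == "__main__":
    for kind, items in review(COMBOFIX_SAMPLE).items():
        print(kind, items)
```

None of the three findings proves an active infection: the Conduit entries are what the isoHunt toolbar installs, auto-detect proxy can be set by hand, and a stray file can be a leftover. They are the items to verify by hand after a cleanup: reset the two search prefs, set network.proxy.type to 0 unless a proxy is really in use, and check whether a file actually exists at the drivers\svchost.exe path and who signed it.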

#6
February 19, 2009 at 12:40:43
My apologies for neglecting my post, but I was unable to get to a PC for a couple of days... withdrawal was beginning to set in.
Anyhow, I would really appreciate it if one of the knowledgeable folks here might have a boo at my post and see if there's anything to remove, etc.
Really would like to clear up any trouble areas on the PC!
Thanks again,
-Mike


#7
February 19, 2009 at 14:07:44
Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



#8
February 21, 2009 at 13:43:43
GooredFix v1.91 by jpshortstuff
Log created at 13:42 on 21/02/2009 running Option #1 (Mike)
Firefox version 3.0.6 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"


Thanks, ready for the next step.



#9
February 21, 2009 at 17:46:18
We need to see the Kaspersky log.

Are you still being redirected?



#10
February 22, 2009 at 16:30:30
Sorry jabuck, I missed the part about posting the Kaspersky log; will redo the scan right now and post the log.
As to being redirected, that annoying problem is fixed, much thanks for that. I just was trying to be sure that I had my PC cleaned up.
-G
PS: Log to follow.


#11
February 24, 2009 at 10:19:40
Computer was clean, no log to post, so I guess that's that. Thanks a lot, jabuck.
-Grais


#12
February 24, 2009 at 10:34:22
Just as an aside, the scan took 3 hrs 54 min; is that a real long time?
It found one lame old trojan that was hiding in a RAR file I had downloaded but thankfully had yet to ever even open.
Again I just want to say thanks to jabuck; lots of time spent helping us all with all our various problems, much thanks is required. So thanks a tonne, bud.
-G.


#13
February 24, 2009 at 18:06:19
A little cleanup to do.

Go to Start > Run > type in combofix /u (note the space after combofix), then press Enter. This will uninstall ComboFix, so give the uninstaller a minute to run.

Go to Start > Control Panel > Add/Remove Programs and uninstall these programs:

HijackThis

Malwarebytes

Kaspersky

You should keep ATF Cleaner and run it weekly.


You should consider adding SpywareBlaster to your arsenal of antispyware tools; you can download it from this link: SpywareBlaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.


Glad we could help.



#14
February 26, 2009 at 13:48:55
You deserve all the thanks in the world, Ja. I've read a lot of the posts here, and you help a LOT of people, so be proud.
You make a difference actually to people. That's not that easy to do.
And thanks for the advice.
-Mike.


#15
February 26, 2009 at 13:56:12
Thanks for the kind words Mike. Glad we could help.


