Help!

Google Hijack

 
  

WorldStrike



Joined: May 02, 2009
Posts: 3



PostPosted: Sat May 02, 2009 9:08 am    Post subject: Google Hijack

Hi everyone. I seem to have the same problem a lot of people do: random links in Google results will be hijacked and take me to another site. I already did the ATF Cleaner and the Malwarebytes scan/removal, and my results are still being hijacked.

I'm running Windows XP. Here's the HijackThis log I just did. Thanks in advance for any help:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:06 AM, on 5/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\Michael\Desktop\Tools2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {03402f96-3dc7-4285-bc50-9e81fefafe43} - (no file)
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [GIZMO2] C:\Program Files\GIZMO2\GIZMO.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6331 bytes
greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY

PostPosted: Sat May 02, 2009 9:38 am    Post subject:

Welcome to Lockergnome.

Uninstall Viewpoint via the Add/Remove Programs panel unless you use that media player. It comes bundled with AOL/AIM.

Download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
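The GooredFix step above is about the global Firefox extensions folder (C:\Program Files\Mozilla Firefox\extensions), where the redirector drops GUID-named extension folders that the user never installed. The following audit is an added example written for this page, not GooredFix's own code (its exact heuristic is not given in the thread). It assumes the Firefox 3.x layout, where each global extension is a folder whose name must equal the em:id in its install.rdf, and that a clean Firefox 3.x install places only the default theme, {972ce4c6-7e08-4474-a285-3208198ce6fd}, in that folder; the GUIDs used in the demo tree are made up for the example. It flags folders with no manifest, a manifest whose em:id does not match the folder name, and, at lower severity, any other GUID-named folder so that each one gets an explanation.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

EM_NS = "http://www.mozilla.org/2004/em-rdf#"
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
# Path taken from the GooredFix log in this thread.
GLOBAL_EXT_DIR = r"C:\Program Files\Mozilla Firefox\extensions"
# Assumption: Firefox 3.x itself puts only its default theme here; every other
# folder was created by some installer and therefore needs an explanation.
DEFAULT_THEME_ID = "{972ce4c6-7e08-4474-a285-3208198ce6fd}"
GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)

# Minimal install.rdf used to build the constructed demo tree below.
MANIFEST = ('<?xml version="1.0"?>\n'
            '<RDF xmlns="%s" xmlns:em="%s">\n'
            '  <Description about="urn:mozilla:install-manifest">\n'
            '    <em:id>%s</em:id>\n'
            '    <em:name>demo</em:name>\n'
            '  </Description>\n'
            '</RDF>\n')


def manifest_id(install_rdf):
    """Return the em:id declared in install.rdf (element or attribute form), or None."""
    try:
        root = ET.parse(install_rdf).getroot()
    except ET.ParseError:
        return None
    tag = "{%s}id" % EM_NS
    for el in root.iter():
        if el.tag == tag and el.text:
            return el.text.strip()
        if el.get(tag):
            return el.get(tag).strip()
    return None


def scan_extensions_dir(ext_dir):
    """Audit the global extensions folder. Firefox requires a global extension's
    folder name to equal its em:id, so a missing manifest or a mismatch means the
    folder was not produced by a normal install. Returns (folder, reason) tuples."""
    findings = []
    for name in sorted(os.listdir(ext_dir)):
        folder = os.path.join(ext_dir, name)
        if not os.path.isdir(folder) or name == DEFAULT_THEME_ID:
            continue
        rdf = os.path.join(folder, "install.rdf")
        if not os.path.isfile(rdf):
            findings.append((name, "no install.rdf"))
            continue
        declared = manifest_id(rdf)
        if declared is None:
            findings.append((name, "install.rdf has no em:id"))
        elif declared.lower() != name.lower():
            findings.append((name, "folder name != em:id " + declared))
        elif GUID_RE.match(name):
            # Well-formed, but still a GUID-named global extension that was not
            # installed through Firefox's own UI: report it for manual review.
            findings.append((name, "review: GUID-named global extension"))
    return findings


def _write_manifest(folder, ext_id):
    os.makedirs(folder)
    with open(os.path.join(folder, "install.rdf"), "w") as fh:
        fh.write(MANIFEST % (RDF_NS, EM_NS, ext_id))


def demo():
    """Build a constructed extensions folder in a temp dir and scan it.
    The three non-default GUIDs are invented for this example."""
    root = tempfile.mkdtemp()
    _write_manifest(os.path.join(root, DEFAULT_THEME_ID), DEFAULT_THEME_ID)   # legit
    _write_manifest(os.path.join(root, "{11111111-2222-3333-4444-555555555555}"),
                    "{99999999-2222-3333-4444-555555555555}")                 # id mismatch
    os.makedirs(os.path.join(root, "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"))  # no manifest
    _write_manifest(os.path.join(root, "{deadbeef-0000-0000-0000-000000000001}"),
                    "{deadbeef-0000-0000-0000-000000000001}")                 # well-formed
    return scan_extensions_dir(root)


if __name__ == "__main__":
    target = GLOBAL_EXT_DIR if os.path.isdir(GLOBAL_EXT_DIR) else None
    for folder, reason in (scan_extensions_dir(target) if target else demo()):
        print("%s  %s" % (folder, reason))
```

Run it on the affected machine and it lists the same folders the GooredFix "Suspect Goored Entries" section would; run it anywhere else and it scans the constructed tree instead. Deleting is still a separate decision: as the helper's instructions do, back the folder up before removing it, and close Firefox first so the extension registry is not rewritten from the running process.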
WorldStrike



Joined: May 02, 2009
Posts: 3



PostPosted: Sat May 02, 2009 2:07 pm    Post subject:

My text is in bold, so it isn't confused with the two logs.
Here's the log I got from Goored:

GooredFix v1.92 by jpshortstuff
Log created at 13:57 on 02/05/2009 running Option #1 (Michael)
Firefox version 3.0.10 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{EDA22771-65A5-4F74-824A-6E687F2F883E}

C:\Program Files\Mozilla Firefox\extensions\{D9BB752E-72CE-4335-8EE8-44DB29A1713F}

C:\Program Files\Mozilla Firefox\extensions\{D5F69D0C-2CD5-4B5F-812F-ECA19C720173}

C:\Program Files\Mozilla Firefox\extensions\{B9BAED2B-DAAF-46F7-8AB8-4597AAF7A1FE}

C:\Program Files\Mozilla Firefox\extensions\{ABD3764B-7491-487B-803C-957C30769699}

C:\Program Files\Mozilla Firefox\extensions\{A8F6672F-F71F-4C93-A08C-BBAA25EE1619}

C:\Program Files\Mozilla Firefox\extensions\{A260CC4F-9428-49ED-8279-0D0F19924464}

C:\Program Files\Mozilla Firefox\extensions\{81A12057-D19F-473D-8E8B-0169F6237F60}

C:\Program Files\Mozilla Firefox\extensions\{71413ADF-1AAF-46C8-AA8B-EEDAB1F55BB9}

C:\Program Files\Mozilla Firefox\extensions\{6E1CDD58-EFFA-49E5-8FAA-7A565365589A}

C:\Program Files\Mozilla Firefox\extensions\{6DB3656C-84F2-447F-AFDD-43B41DE52F8A}

C:\Program Files\Mozilla Firefox\extensions\{6C856484-8F1D-4FAA-BE7B-E5EDBC76B0DB}

C:\Program Files\Mozilla Firefox\extensions\{6776A41F-7CAA-47D1-B61D-559A699D5D11}

C:\Program Files\Mozilla Firefox\extensions\{667A9F31-4D8C-4B5F-9C7C-207D7CAA9C3A}

C:\Program Files\Mozilla Firefox\extensions\{58493A17-082F-4765-9409-646987361BF9}

C:\Program Files\Mozilla Firefox\extensions\{50136878-DC92-41BB-959B-8D88EDE14ED3}

C:\Program Files\Mozilla Firefox\extensions\{383440D7-B746-4989-9438-4FBE173E7263}

C:\Program Files\Mozilla Firefox\extensions\{3234E2BF-D562-40CF-9612-93ACF22889FC}

C:\Program Files\Mozilla Firefox\extensions\{31B89DF9-4B26-4708-BDF0-BF38838F3D1C}

C:\Program Files\Mozilla Firefox\extensions\{25E6EFCD-A7F3-43B1-A1CF-267C8B4A3007}

C:\Program Files\Mozilla Firefox\extensions\{0A4F27FC-BD32-42E6-BCA0-F0D14251A01B}

C:\Program Files\Mozilla Firefox\extensions\{08A5F556-D02B-4ACF-A5D6-B3F4A848A5CE}

C:\Program Files\Mozilla Firefox\extensions\{05E23C28-1704-48F3-86E3-1FDDA66093B8}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Program Files\Real\RealPlayer\browserrecord"




Here's the log I got from ComboFix:

ComboFix 09-05-02.4 - Michael 05/02/2009 14:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.481 [GMT -4:00]
Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090501-0] *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ovfsthwvvdlfhekxawjcmqoushnkjtmfnidsyn.dll
c:\windows\system32\ovfsthxijulvfpqmykpgoprtailrqgimepukar.dat
c:\windows\system32\pic.jpg

.
((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
.

2009-05-02 13:27 . 2009-05-02 13:27 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-02 13:27 . 2009-05-02 13:27 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-02 13:27 . 2009-05-02 13:27 -------- d-----w c:\documents and settings\Michael\Application Data\SUPERAntiSpyware.com
2009-05-02 13:26 . 2009-05-02 13:26 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-02 02:05 . 2009-05-02 02:05 -------- d-----w c:\documents and settings\Michael\Application Data\Malwarebytes
2009-05-02 02:05 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-02 02:05 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-02 02:05 . 2009-05-02 02:05 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-02 02:05 . 2009-05-02 02:05 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-15 10:32 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 10:32 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 10:32 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 10:32 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 10:32 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 10:32 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 10:32 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 10:32 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 10:32 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 10:32 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 10:32 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-12 16:11 . 2009-04-12 16:11 -------- d-----w c:\documents and settings\Michael\Application Data\TaxCut
2009-04-10 01:26 . 2009-04-10 01:26 17920 ----a-w c:\windows\system32\ovfsthcboeetnrxncntjnrnitkiovslfaovpdd.dll
2009-04-10 01:26 . 2009-04-10 01:26 19456 ----a-w c:\windows\system32\ovfsthtybrxpefgjopblxurlrmbquoflorkvte.dll
2009-04-10 01:26 . 2009-05-02 16:26 2152034 ----a-w c:\windows\system32\ovfsthykmxcftkdaipkjtpqladjypsxhgedjff.dat
2009-04-05 16:28 . 2009-04-05 16:28 -------- d-----w c:\documents and settings\Owen\Application Data\TaxCut
2009-04-04 15:12 . 2009-04-04 15:12 -------- d-----w c:\documents and settings\Colleen\Application Data\TaxCut
2009-04-04 15:01 . 2009-04-04 15:01 -------- d-----w c:\program files\PDF995
2009-04-04 14:57 . 2009-04-04 14:57 -------- d-----w c:\documents and settings\All Users\Application Data\TaxCut
2009-04-04 14:54 . 2009-04-04 15:14 -------- d-----w c:\program files\TaxCut08
2009-04-04 14:53 . 2009-04-04 14:53 -------- d-----w c:\documents and settings\All Users\Application Data\Amazon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 18:04 . 2008-12-13 02:52 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-01 11:19 . 2008-12-12 21:37 106496 ----a-w c:\windows\DUMP5294.tmp
2009-04-30 21:27 . 2009-01-14 09:28 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-04-11 16:02 . 2008-12-15 21:12 78400 ----a-w c:\documents and settings\Colleen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-10 03:07 . 2008-12-15 02:36 78400 ----a-w c:\documents and settings\Michael\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-21 01:23 . 2008-12-13 04:10 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-15 19:00 . 2009-01-14 09:30 -------- d-----w c:\program files\iTunes
2009-03-15 19:00 . 2009-03-15 19:00 -------- d-----w c:\program files\iPod
2009-03-15 19:00 . 2009-01-14 09:28 -------- d-----w c:\program files\Common Files\Apple
2009-03-15 18:56 . 2009-03-15 18:54 -------- d-----w c:\program files\QuickTime
2009-03-15 07:08 . 2009-03-15 06:54 -------- d-----w c:\program files\foobar2000
2009-03-14 05:24 . 2009-03-14 05:16 -------- d-----w c:\program files\Rainmeter
2009-03-14 04:55 . 2008-12-15 23:56 -------- d-----w c:\program files\Common Files\Adobe
2009-03-13 04:26 . 2009-01-16 02:11 -------- d-----w c:\program files\Winamp
2009-03-09 00:42 . 2009-02-28 18:01 -------- d-----w c:\program files\Finale 2009
2009-03-06 14:22 . 2003-07-16 20:41 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 03:59 . 2009-03-15 18:51 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 03:59 . 2009-01-14 09:28 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 00:18 . 2003-07-16 20:51 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-26 01:05 . 2009-02-26 01:06 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-20 18:09 . 2008-12-15 02:23 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2003-07-16 20:32 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2003-07-16 20:43 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2003-07-16 20:39 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2003-07-16 20:23 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2003-07-16 20:51 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 2002-08-29 01:04 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 18:24 . 2009-02-06 18:24 158544 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-02-06 11:11 . 2003-07-16 20:44 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2003-07-16 20:39 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2003-07-16 20:43 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2003-07-16 20:44 56832 ----a-w c:\windows\system32\secur32.dll
2006-05-03 10:06 . 2009-01-27 03:14 163328 --sha-r c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-01-27 03:14 31232 --sha-r c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-01-27 03:14 216064 --sha-r c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2006-10-22 86016]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-28 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-10-22 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"GIZMO2"="c:\program files\GIZMO2\GIZMO.exe" [2008-11-17 2229512]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-27 185872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-26 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

c:\documents and settings\Colleen\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2009-3-10 118784]

c:\documents and settings\Owen\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-1-27 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2007-09-23 15:10 229376 ----a-w c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S1 aswSP;avast! Self Protection; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-04-28 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-04-28 72944]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-04-28 7408]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d88dbcf-ca4c-11dd-a6ca-000cf1e6bfa0}]
\Shell\AutoRun\command - G:\SETUP.EXE
\Shell\configure\command - G:\SETUP.EXE
\Shell\install\command - G:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7586ea12-c959-11dd-a6c8-000cf1e6bfa0}]
\Shell\AutoRun\command - g:\wd_windows_tools\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\au53sck6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.ultimate-guitar.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&...ocation
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 14:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
.
Completion time: 2009-05-02 14:10
ComboFix-quarantined-files.txt 2009-05-02 18:09

Pre-Run: 47,305,048,064 bytes free
Post-Run: 47,408,263,168 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=5 Default=5 Failed=3 LastKnownGood=6 Sets=1,3,4,5,6
192 --- E O F --- 2009-04-16 04:04


Thanks again for any help
greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY

PostPosted: Sun May 03, 2009 9:20 am    Post subject:

Double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:
Quote:
File::
c:\windows\system32\ovfsthcboeetnrxncntjnrnitkiovslfaovpdd.dll
c:\windows\system32\ovfsthtybrxpefgjopblxurlrmbquoflorkvte.dll
c:\windows\system32\ovfsthykmxcftkdaipkjtpqladjypsxhgedjff.dat
c:\windows\DUMP5294.tmp
Regnull::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

You should be seeing some improvements by now :D

You might want to reinstall Avast as it seems like one of the services is either not starting up properly or just missing (file corrupted maybe).
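The CFScript above was written by hand from the "Files Created" section of the ComboFix log: three files dropped into system32 in the same minute, all with a shared six-letter prefix followed by a long run of random letters. The script below is an added example for this page, not ComboFix's or the helper's code, that automates that reading: it parses "Files Created" rows, flags files written directly into system32 whose names look generated (length, letters-only, letter entropy; the thresholds are this example's assumptions), groups them by creation minute and prefix, and renders the result in the File:: format ComboFix accepts. The sample rows are copied from the log posted earlier in the thread. It does not cover the other two items in the helper's script (the DUMP5294.tmp from the Find3M section and the Regnull:: entry for the locked key), and it is a triage aid, not a verdict: check each hit before it goes into a script that deletes it.

```python
import math
import re
import sys
from collections import Counter, defaultdict

# One ComboFix "Files Created" row: <created> . <modified> <size or --------> <attrs> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[-a-z]{7}) (?P<path>.+)$")

# Rows copied from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
2009-05-02 02:05 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-02 02:05 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-15 10:32 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 10:32 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-12 16:11 . 2009-04-12 16:11 -------- d-----w c:\documents and settings\Michael\Application Data\TaxCut
2009-04-10 01:26 . 2009-04-10 01:26 17920 ----a-w c:\windows\system32\ovfsthcboeetnrxncntjnrnitkiovslfaovpdd.dll
2009-04-10 01:26 . 2009-04-10 01:26 19456 ----a-w c:\windows\system32\ovfsthtybrxpefgjopblxurlrmbquoflorkvte.dll
2009-04-10 01:26 . 2009-05-02 16:26 2152034 ----a-w c:\windows\system32\ovfsthykmxcftkdaipkjtpqladjypsxhgedjff.dat
""".strip()


def parse_files_created(text):
    """Parse the rows of the 'Files Created' section; any other line is ignored."""
    return [m.groupdict() for m in (LINE_RE.match(l.strip()) for l in text.splitlines()) if m]


def stem(path):
    """File name without directory and extension (Windows separators)."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(name, min_len=20, min_entropy=3.0):
    """Heuristic (thresholds are this example's assumption): a long, all-lowercase,
    letters-only stem with high letter entropy looks generated, unlike vendor
    names such as 'mbamswissarmy' or 'xpsp4res'."""
    return (len(name) >= min_len and name.isalpha() and name.islower()
            and entropy(name) >= min_entropy)


def triage(rows, parent=r"c:\windows\system32"):
    """Files created directly in system32 with random-looking names, grouped by
    (creation minute, first six letters): a dropper writes its components in one
    go and often reuses a prefix, as the ovfsth* files in the log do."""
    flagged = [r for r in rows
               if r["size"] != "--------"                      # skip directories
               and r["path"].lower().rsplit("\\", 1)[0] == parent
               and looks_random(stem(r["path"]))]
    clusters = defaultdict(list)
    for r in flagged:
        clusters[(r["created"], stem(r["path"])[:6])].append(r["path"])
    return [r["path"] for r in flagged], dict(clusters)


def cfscript_file_section(paths):
    """Render the 'File::' section of a ComboFix CFScript, as used in this thread."""
    return "File::\n" + "\n".join(paths) + "\n"


def run(text=SAMPLE_LOG):
    return triage(parse_files_created(text))


if __name__ == "__main__":
    log = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    paths, clusters = run(log)
    for key, members in clusters.items():
        print("cluster created %s prefix %r: %d files" % (key[0], key[1], len(members)))
    print(cfscript_file_section(paths))
```

Pass a saved ComboFix log as the first argument, or run it bare to process the sample rows, and it prints one cluster (created 2009-04-10 01:26, prefix 'ovfsth', 3 files) followed by the same three File:: lines the helper wrote by hand. The 2 MB .dat whose modified time is a month after its creation is worth a separate note in triage: a data file that keeps being rewritten after the DLLs were dropped is typically the component's working storage, which is why it belongs in the same removal.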
WorldStrike



Joined: May 02, 2009
Posts: 3



PostPosted: Sun May 03, 2009 11:42 am    Post subject:

Here you are...here's the Goored Log when I clicked 2 and then y:
GooredFix v1.92 by jpshortstuff
Log created at 11:31 on 03/05/2009 running Option #2 (Michael)
Firefox version 3.0.10 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{EDA22771-65A5-4F74-824A-6E687F2F883E}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{D9BB752E-72CE-4335-8EE8-44DB29A1713F}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{D5F69D0C-2CD5-4B5F-812F-ECA19C720173}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{B9BAED2B-DAAF-46F7-8AB8-4597AAF7A1FE}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{ABD3764B-7491-487B-803C-957C30769699}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{A8F6672F-F71F-4C93-A08C-BBAA25EE1619}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{A260CC4F-9428-49ED-8279-0D0F19924464}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{81A12057-D19F-473D-8E8B-0169F6237F60}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{71413ADF-1AAF-46C8-AA8B-EEDAB1F55BB9}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{6E1CDD58-EFFA-49E5-8FAA-7A565365589A}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{6DB3656C-84F2-447F-AFDD-43B41DE52F8A}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{6C856484-8F1D-4FAA-BE7B-E5EDBC76B0DB}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{6776A41F-7CAA-47D1-B61D-559A699D5D11}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{667A9F31-4D8C-4B5F-9C7C-207D7CAA9C3A}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{58493A17-082F-4765-9409-646987361BF9}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{50136878-DC92-41BB-959B-8D88EDE14ED3}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{383440D7-B746-4989-9438-4FBE173E7263}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{3234E2BF-D562-40CF-9612-93ACF22889FC}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{31B89DF9-4B26-4708-BDF0-BF38838F3D1C}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{25E6EFCD-A7F3-43B1-A1CF-267C8B4A3007}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{0A4F27FC-BD32-42E6-BCA0-F0D14251A01B}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{08A5F556-D02B-4ACF-A5D6-B3F4A848A5CE}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{05E23C28-1704-48F3-86E3-1FDDA66093B8}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Program Files\Real\RealPlayer\browserrecord"




Now here's the log I got when I dragged the .txt file onto the .exe file:

ComboFix 09-05-02.4 - Michael 05/03/2009 11:37.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.437 [GMT -4:00]
Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michael\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090502-0] *On-access scanning disabled* (Updated)

FILE ::
c:\windows\DUMP5294.tmp
c:\windows\system32\ovfsthcboeetnrxncntjnrnitkiovslfaovpdd.dll
c:\windows\system32\ovfsthtybrxpefgjopblxurlrmbquoflorkvte.dll
c:\windows\system32\ovfsthykmxcftkdaipkjtpqladjypsxhgedjff.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\DUMP5294.tmp
c:\windows\system32\ovfsthcboeetnrxncntjnrnitkiovslfaovpdd.dll
c:\windows\system32\ovfsthtybrxpefgjopblxurlrmbquoflorkvte.dll
c:\windows\system32\ovfsthykmxcftkdaipkjtpqladjypsxhgedjff.dat

.
((((((((((((((((((((((((( Files Created from 2009-04-03 to 2009-05-03 )))))))))))))))))))))))))))))))
.

2009-05-02 13:27 . 2009-05-02 13:27 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-02 13:27 . 2009-05-02 13:27 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-02 13:27 . 2009-05-02 13:27 -------- d-----w c:\documents and settings\Michael\Application Data\SUPERAntiSpyware.com
2009-05-02 13:26 . 2009-05-02 13:26 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-02 02:05 . 2009-05-02 02:05 -------- d-----w c:\documents and settings\Michael\Application Data\Malwarebytes
2009-05-02 02:05 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-02 02:05 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-02 02:05 . 2009-05-02 02:05 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-02 02:05 . 2009-05-02 02:05 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-15 10:32 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 10:32 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 10:32 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 10:32 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 10:32 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 10:32 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 10:32 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 10:32 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 10:32 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 10:32 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 10:32 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-12 16:11 . 2009-04-12 16:11 -------- d-----w c:\documents and settings\Michael\Application Data\TaxCut
2009-04-05 16:28 . 2009-04-05 16:28 -------- d-----w c:\documents and settings\Owen\Application Data\TaxCut
2009-04-04 15:12 . 2009-04-04 15:12 -------- d-----w c:\documents and settings\Colleen\Application Data\TaxCut
2009-04-04 15:01 . 2009-04-04 15:01 -------- d-----w c:\program files\PDF995
2009-04-04 14:57 . 2009-04-04 14:57 -------- d-----w c:\documents and settings\All Users\Application Data\TaxCut
2009-04-04 14:54 . 2009-04-04 15:14 -------- d-----w c:\program files\TaxCut08
2009-04-04 14:53 . 2009-04-04 14:53 -------- d-----w c:\documents and settings\All Users\Application Data\Amazon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 15:37 . 2008-12-13 02:52 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-04-30 21:27 . 2009-01-14 09:28 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-04-11 16:02 . 2008-12-15 21:12 78400 ----a-w c:\documents and settings\Colleen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-10 03:07 . 2008-12-15 02:36 78400 ----a-w c:\documents and settings\Michael\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-21 01:23 . 2008-12-13 04:10 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-15 19:00 . 2009-01-14 09:30 -------- d-----w c:\program files\iTunes
2009-03-15 19:00 . 2009-03-15 19:00 -------- d-----w c:\program files\iPod
2009-03-15 19:00 . 2009-01-14 09:28 -------- d-----w c:\program files\Common Files\Apple
2009-03-15 18:56 . 2009-03-15 18:54 -------- d-----w c:\program files\QuickTime
2009-03-15 07:08 . 2009-03-15 06:54 -------- d-----w c:\program files\foobar2000
2009-03-14 05:24 . 2009-03-14 05:16 -------- d-----w c:\program files\Rainmeter
2009-03-14 04:55 . 2008-12-15 23:56 -------- d-----w c:\program files\Common Files\Adobe
2009-03-13 04:26 . 2009-01-16 02:11 -------- d-----w c:\program files\Winamp
2009-03-09 00:42 . 2009-02-28 18:01 -------- d-----w c:\program files\Finale 2009
2009-03-06 14:22 . 2003-07-16 20:41 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 03:59 . 2009-03-15 18:51 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 03:59 . 2009-01-14 09:28 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 00:18 . 2003-07-16 20:51 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-26 01:05 . 2009-02-26 01:06 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-20 18:09 . 2008-12-15 02:23 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2003-07-16 20:32 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2003-07-16 20:43 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2003-07-16 20:39 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2003-07-16 20:23 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2003-07-16 20:51 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 2002-08-29 01:04 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 18:24 . 2009-02-06 18:24 158544 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-02-06 11:11 . 2003-07-16 20:44 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2003-07-16 20:39 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2003-07-16 20:43 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2003-07-16 20:44 56832 ----a-w c:\windows\system32\secur32.dll
2006-05-03 10:06 . 2009-01-27 03:14 163328 --sha-r c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-01-27 03:14 31232 --sha-r c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-01-27 03:14 216064 --sha-r c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((( SnapShot.DeleteThis@2009-05-02_18.08.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-03 05:35 . 2009-05-03 05:35 16384 c:\windows\Temp\Perflib_Perfdata_bc.dat
+ 2009-05-03 05:34 . 2009-05-03 05:34 16384 c:\windows\Temp\Perflib_Perfdata_5b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2006-10-22 86016]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-28 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-10-22 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"GIZMO2"="c:\program files\GIZMO2\GIZMO.exe" [2008-11-17 2229512]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-27 185872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-26 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

c:\documents and settings\Colleen\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2009-3-10 118784]

c:\documents and settings\Owen\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-1-27 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2007-09-23 15:10 229376 ----a-w c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S1 aswSP;avast! Self Protection; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-04-28 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-04-28 72944]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-04-28 7408]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d88dbcf-ca4c-11dd-a6ca-000cf1e6bfa0}]
\Shell\AutoRun\command - G:\SETUP.EXE
\Shell\configure\command - G:\SETUP.EXE
\Shell\install\command - G:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7586ea12-c959-11dd-a6c8-000cf1e6bfa0}]
\Shell\AutoRun\command - g:\wd_windows_tools\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\au53sck6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.ultimate-guitar.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&...ocation
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 11:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
.
Completion time: 2009-05-03 11:42
ComboFix-quarantined-files.txt 2009-05-03 15:41
ComboFix2.txt 2009-05-02 18:10

Pre-Run: 47,415,222,272 bytes free
Post-Run: 47,431,286,784 bytes free

Current=5 Default=5 Failed=3 LastKnownGood=6 Sets=1,3,4,5,6
192 --- E O F --- 2009-04-16 04:04


Thanks again for the responses.
greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY

PostPosted: Tue May 05, 2009 11:31 am    Post subject:

Let's try this again....

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:
Quote:
REGNULL::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on ComboFix's window while it's running. That may cause it to stall.

How is the computer running so far?