Help!

Yet Another Google Search Hijack

  
  
Post new topic   General Reply to Topic (not reply to a specific post)    Forums Home -> HijackThis Logs RSS
Next:  Banks Reject U.S. Terms for Cutting Chrysler Debt  
Author Message
swiftstrike



Joined: Apr 06, 2009
Posts: 3
PostPosted: Wed Apr 22, 2009 4:37 am    Post subject: Yet Another Google Search Hijack
Hey guys,

I was directed here to get some help for this problem that I have with what I think is a rootkit. The problem it causes, you can probably guess, is that whenever I click on a search result I get redirected to random sites like the "cow survey" site for example. Please help me remove this problem.

Here is the Hijack this log:

Quote:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:23 AM, on 4/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\HP\KBD\KBD.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
F:\PortableApps\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_U...mp;c=Q3
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN...&c=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN...&c=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: Answers.com Toolbar - {6341761b-babe-406d-b0d6-8d99b81c2ee5} - C:\Program Files\Answers.com\tbAnsw.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PORTAB~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Answers.com Toolbar - {6341761b-babe-406d-b0d6-8d99b81c2ee5} - C:\Program Files\Answers.com\tbAnsw.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Answers.com Toolbar - {6341761b-babe-406d-b0d6-8d99b81c2ee5} - C:\Program Files\Answers.com\tbAnsw.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Show missed alarms] C:\Program Files\Alarm\Alarm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EmbeddingClient-clock] C:\Documents and Settings\Compaq_Owner\Desktop\RunEmbeddingClient.exe i=clock
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\PortableApps\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-19\..\Run: [sawetupesu] Rundll32.exe "C:\WINDOWS\system32\bobajitu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sawetupesu] Rundll32.exe "C:\WINDOWS\system32\bobajitu.dll",s (User 'NETWORK SERVICE')
O4 - Startup: Answers.lnk = C:\Program Files\1-Click Answers\answers.exe
O4 - Startup: Client Default.lnk = C:\Program Files\Samurize\Client.exe
O4 - Startup: EmbeddingClient.dll
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Answers... - file://C:\Program Files\1-Click Answers\Html\atiemenu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PORTAB~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PORTAB~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\figohele.dll mccfpi.dll c:\windows\system32\jomotewa.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 14324 bytes


I was asked to run some Spyware scans by the Sticky. I have run previous scans and deleted most of the spyware already, so these recent logs show no signs of problems, except for the Panda Active Scan.


Quote:
Malwarebytes' Anti-Malware 1.35
Database version: 1927
Windows 5.1.2600 Service Pack 2

4/21/2009 1:26:25 AM
mbam-log-2009-04-21 (01-26-25).txt

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 256526
Time elapsed: 1 hour(s), 59 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Quote:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/21/2009 at 07:04 PM

Application Version : 4.26.1000

Core Rules Database Version : 3856
Trace Rules Database Version: 1808

Scan type : Complete Scan
Total Scan Time : 01:01:45

Memory items scanned : 761
Memory threats detected : 0
Registry items scanned : 7166
Registry threats detected : 0
File items scanned : 35487
File threats detected : 0


Panda ActiveScan:
Quote:
;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-04-21 23:47:31
PROTECTIONS: 2
MALWARE: 5
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AntiVir Desktop 9.0.1.26 No No
McAfee VirusScan Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00487624 Trj/Banker.LNO Virus/Trojan No 1 Yes No C:\hp\recovery\wizard\SWR_Wizard.exe
00530924 Trj/Autoit.AJ Virus/Trojan No 1 Yes No C:\Program Files\SBC Self Support Tool\bin\closeAll.exe
01260840 Trj/Downloader.PME Virus/Trojan No 1 Yes No C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Wildtangent\Cdacache\00\00\10.dat
01343147 Application/MyWay HackTools No 0 Yes No D:\I386\Apps\APP32525\SRC\HPSummer2005.exe
01692698 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\Compaq_Owner\Application Data\Macromedia\Shockwave Player\xtras\download\TheGrooveAlliance\3DGrooveXtrav181\Groove.x32
;===================================================================================================================================================================================
SUSPECTS
Sent Location R
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description R
;===================================================================================================================================================================================
;===================================================================================================================================================================================


Thank you in advance for your time.
Back to top
greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY
PostPosted: Wed Apr 22, 2009 6:43 pm    Post subject:
Welcome to Lockergnome.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\PortableApps\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [sawetupesu] Rundll32.exe "C:\WINDOWS\system32\bobajitu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sawetupesu] Rundll32.exe "C:\WINDOWS\system32\bobajitu.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\figohele.dll mccfpi.dll c:\windows\system32\jomotewa.dll

Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\bobajitu.dll
C:\WINDOWS\system32\figohele.dll
C:\WINDOWS\system32\mccfpi.dll
c:\windows\system32\jomotewa.dll
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Wildtangent\Cdacache\00\00\10.dat
C:\Documents and Settings\Compaq_Owner\Application Data\Macromedia\Shockwave Player\xtras\download\TheGrooveAlliance\3DGrooveXtrav181\Groove.x32

Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.

Download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.[/list]
Back to top
AIM Address Yahoo Messenger
swiftstrike



Joined: Apr 06, 2009
Posts: 3
PostPosted: Sun Apr 26, 2009 5:36 pm    Post subject:
Hi,

Thank you so much for taking the time to help me.
Sorry for taking a while to finish the tasks. Also, I have a question. Other forums told me to disable system restore and delete restore points because the spyware could be residing in there. I turned system restore back on to run combo fix. Will this be a problem?

Anyways, this is what I have done:

I deleted:
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Wildtangent\Cdacache\00\00\10.dat
C:\Documents and Settings\Compaq_Owner\Application Data\Macromedia\Shockwave Player\xtras\download\TheGrooveAlliance\3DGrooveXtrav181\Groove.x32

But couldn't find:
C:\WINDOWS\system32\bobajitu.dll
C:\WINDOWS\system32\figohele.dll
C:\WINDOWS\system32\mccfpi.dll
c:\windows\system32\jomotewa.dll

Quote:
ComboFix 09-04-25.A3 - Compaq_Owner 04/26/2009 1:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.563 [GMT -7:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\patch.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.

2009-04-24 10:01 . 2009-04-24 10:09 1374 ----a-w c:\windows\imsins.BAK
2009-04-23 13:52 . 2009-04-23 14:19 -------- d-----w c:\windows\system32\CatRoot_bak
2009-04-23 13:36 . 2009-04-25 17:12 -------- d-----w c:\program files\Strokeit
2009-04-22 02:54 . 2008-06-19 23:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-04-22 02:53 . 2009-04-22 02:53 -------- d-----w c:\program files\Panda Security
2009-04-22 00:31 . 2009-04-22 00:31 -------- d-----w c:\program files\Trend Micro
2009-04-04 04:22 . 2009-02-13 18:31 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-04 04:22 . 2009-04-04 04:22 -------- d-----w c:\program files\Avira
2009-04-04 04:22 . 2009-04-04 04:22 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-04-04 04:22 . 2009-04-04 04:22 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-04 04:22 . 2009-04-04 04:29 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-04 04:22 . 2009-04-04 04:22 -------- d-----w c:\program files\Lavasoft
2009-03-31 00:16 . 2009-03-31 00:16 -------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-03-30 01:03 . 2009-04-26 08:15 10693 ----a-w c:\windows\system32\Config.MPF
2009-03-30 01:03 . 2009-03-30 01:03 -------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-03-30 00:59 . 2007-11-22 13:44 33832 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-03-30 00:59 . 2007-12-02 19:51 40488 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-03-30 00:59 . 2007-11-22 13:44 79304 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-03-30 00:59 . 2007-11-22 13:44 35240 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-03-30 00:59 . 2007-11-22 13:44 201320 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-30 00:59 . 2007-07-13 13:20 113952 ----a-w c:\windows\system32\drivers\Mpfp.sys
2009-03-30 00:59 . 2009-03-30 00:59 -------- d-----w c:\program files\McAfee.com
2009-03-30 00:58 . 2009-03-30 00:59 -------- d-----w c:\program files\Common Files\McAfee
2009-03-30 00:58 . 2009-04-20 00:57 -------- d-----w c:\program files\McAfee
2009-03-30 00:19 . 2009-03-30 01:03 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 17:13 . 2008-05-31 19:17 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-24 10:04 . 2008-06-13 05:20 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-22 06:50 . 2007-05-23 07:58 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-22 01:02 . 2008-07-27 00:05 -------- d-----w c:\program files\SpeedFan
2009-04-01 04:13 . 2009-03-25 06:58 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-30 00:51 . 2005-05-14 12:49 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-30 00:51 . 2005-05-14 12:49 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-30 00:45 . 2007-09-27 02:45 -------- d-----w c:\program files\Symantec
2009-03-30 00:38 . 2005-08-15 01:18 -------- d-s---w c:\program files\Yahoo!
2009-03-26 23:49 . 2009-03-25 06:58 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 23:49 . 2009-03-25 06:58 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-26 22:33 . 2009-03-03 06:57 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-25 08:37 . 2006-01-23 07:38 -------- d-s---w c:\program files\Steam
2009-03-25 06:58 . 2009-03-25 06:58 -------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2009-03-25 06:58 . 2009-03-25 06:58 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-25 06:47 . 2009-03-25 05:38 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-23 09:59 . 2007-01-12 04:44 -------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Viewpoint
2009-03-23 09:59 . 2006-11-27 01:48 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-23 09:59 . 2006-11-27 01:48 -------- d-s---w c:\program files\Viewpoint
2009-03-23 08:31 . 2009-03-23 08:31 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-03-21 14:18 . 2004-08-04 12:00 986112 ----a-w c:\windows\system32\dllcache\kernel32.dll
2009-03-16 09:34 . 2007-08-28 23:37 -------- d-----w c:\documents and settings\Compaq_Owner\Application Data\U3
2009-03-14 02:08 . 2009-03-14 02:08 -------- d-----w c:\program files\CCleaner
2009-03-06 14:44 . 2004-08-04 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-06 14:44 . 2004-08-04 12:00 283648 ----a-w c:\windows\system32\dllcache\pdh.dll
2009-03-03 06:57 . 2009-03-03 06:57 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-03 06:57 . 2009-03-03 06:57 -------- d-----w c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2009-03-03 06:56 . 2006-09-25 23:41 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-03 02:10 . 2005-05-14 12:41 -------- d-s---w c:\program files\Google
2009-03-03 00:18 . 2004-08-04 11:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-03 00:18 . 2004-08-04 11:00 826368 ----a-w c:\windows\system32\dllcache\wininet.dll
2009-03-02 05:38 . 2005-10-06 03:38 -------- d-s---w c:\program files\1-Click Answers
2009-03-02 05:30 . 2009-03-02 05:30 -------- d-----w c:\program files\Answers.com
2009-03-02 05:30 . 2009-03-02 05:30 -------- d-----w c:\program files\Conduit
2009-03-02 05:25 . 2009-03-02 05:25 -------- d-----w c:\documents and settings\Compaq_Owner\Application Data\VSRevoGroup
2009-03-01 02:40 . 2009-02-01 06:27 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-28 04:54 . 2004-08-04 12:00 636072 ----a-w c:\windows\system32\dllcache\iexplore.exe
2009-02-20 10:20 . 2007-04-24 14:26 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 10:20 . 2004-08-04 12:00 70656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2004-08-04 12:00 161792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2009-02-09 10:20 . 2004-08-04 12:00 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2004-08-04 12:00 399360 ----a-w c:\windows\system32\dllcache\rpcss.dll
2009-02-09 10:20 . 2004-08-04 11:00 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2004-08-04 11:00 723456 ----a-w c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 10:20 . 2004-08-04 18:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2004-08-04 18:00 714752 ----a-w c:\windows\system32\dllcache\ntdll.dll
2009-02-09 10:20 . 2004-08-04 12:00 616960 ----a-w c:\windows\system32\dllcache\advapi32.dll
2009-02-09 10:20 . 2004-08-04 12:00 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:20 . 2004-08-04 12:00 473088 ----a-w c:\windows\system32\dllcache\fastprox.dll
2009-02-09 10:20 . 2004-08-04 12:00 453120 ----a-w c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 10:19 . 2004-08-04 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:19 . 2004-08-04 12:00 1846272 ----a-w c:\windows\system32\dllcache\win32k.sys
2009-02-06 17:24 . 2007-02-28 09:10 2180480 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 17:24 . 2004-08-04 12:00 2180480 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:22 . 2007-02-28 09:08 2136064 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 17:14 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 17:14 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\dllcache\services.exe
2009-02-06 16:54 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 16:54 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\dllcache\sc.exe
2009-02-06 16:49 . 2007-02-28 08:38 2015744 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 16:49 . 2007-02-28 08:38 2057728 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 16:49 . 2004-08-04 18:00 2057728 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 16:39 . 2004-08-04 12:00 227840 ----a-w c:\windows\system32\dllcache\wmiprvse.exe
2009-02-03 20:08 . 2004-08-04 12:00 55808 ----a-w c:\windows\system32\secur32.dll
2009-02-03 20:08 . 2004-08-04 12:00 55808 ----a-w c:\windows\system32\dllcache\secur32.dll
2008-12-29 08:44 . 2007-02-28 03:02 101120 ----a-w c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-07-10 02:08 . 2005-10-07 07:54 63456 ----a-w c:\documents and settings\Compaq_Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-05-30 08:10 . 2007-05-30 08:10 63064 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-05-22 07:17 . 2007-05-22 07:17 75 ---h--w c:\program files\desktop.ini
2007-05-22 07:17 . 2007-05-22 07:17 75 ---h--w c:\program files\Common Files\desktop.ini
2007-02-11 07:40 . 2007-01-31 06:47 14 ----a-w c:\documents and settings\Compaq_Owner\getfile.dat
2007-01-22 06:59 . 2007-01-22 06:59 142520 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2006-02-03 06:37 . 2006-02-03 01:05 32 -c--a-w c:\documents and settings\Compaq_Owner\config.dat
2006-01-14 00:08 . 2006-01-14 00:08 135 ----a-w c:\documents and settings\Compaq_Owner\Local Settings\Application Data\fusioncache.dat
2006-01-08 07:21 . 2005-08-11 05:53 134 -c--a-w c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2005-09-10 07:22 . 2005-09-10 07:22 10420936 ------w c:\program files\xlviewer.exe
2005-09-09 05:10 . 2005-09-09 05:10 2455040 ------w c:\program files\SC440WIN2K50AE.EXE
2005-09-05 18:57 . 2005-09-05 18:57 774144 -c--a-w c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6341761b-babe-406d-b0d6-8d99b81c2ee5}]
2009-02-20 00:58 2081304 ----a-w c:\program files\Answers.com\tbAnsw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6341761b-babe-406d-b0d6-8d99b81c2ee5}"= "c:\program files\Answers.com\tbAnsw.dll" [2009-02-20 2081304]

[HKEY_CLASSES_ROOT\clsid\{6341761b-babe-406d-b0d6-8d99b81c2ee5}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6341761B-BABE-406D-B0D6-8D99B81C2EE5}"= "c:\program files\Answers.com\tbAnsw.dll" [2009-02-20 2081304]

[HKEY_CLASSES_ROOT\clsid\{6341761b-babe-406d-b0d6-8d99b81c2ee5}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-24 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-26 1830128]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-06-19 50528]
"StrokeIt"="c:\program files\Strokeit\strokeit.exe" [2005-02-17 21504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-05-14 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2007-11-30 1164576]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2006-01-21 28160]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
Answers.lnk - c:\program files\1-Click Answers\answers.exe [2005-10-5 806912]
Client Default.lnk - c:\program files\Samurize\Client.exe [2007-4-7 2010624]
EmbeddingClient.dll [2008-1-4 241664]
MagicFormation.lnk - c:\documents and settings\Compaq_Owner\Desktop\magicform\MagicFormation.exe [2009-4-22 454656]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AlarmClockMonitor"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\lethalimpact\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Steam\\SteamApps\\lethalimpact\\source dedicated server\\srcds.exe"=
"c:\\Program Files\\Steam\\SteamApps\\dtd1931\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Steam\\SteamApps\\lethalimpact\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R3 cpuz128;cpuz128; [x]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-26 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-02-17 55024]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-05 108289]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-23 203280]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{874f5144-734d-11dd-bb95-0013d41edc5e}]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8919e584-55bf-11dc-b996-0013d41edc5e}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2009-04-26 c:\windows\Tasks\answers.com.job
- c:\program files\1-Click Answers\answers.exe [2005-10-06 19:31]

2009-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-02-08 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-04 12:00]

2009-04-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-27 00:21]

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-30 20:32]

2009-04-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-30 20:32]

2009-04-24 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-EmbeddingClient-clock - c:\documents and settings\Compaq_Owner\Desktop\RunEmbeddingClient.exe
HKCU-Run-Steam - (no file)
HKCU-Run-P2kAutostart - (no file)
HKLM-Run-Show missed alarms - c:\program files\Alarm\Alarm.exe
HKLM-Run-DAEMON Tools - c:\program files\DAEMON Tools\daemon.exe
ShellExecuteHooks-{FA010552-4A27-4cb1-A1BB-3E2D697F1639} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN...&c=
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN...&c=
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Answers... - file://c:\program files\1-Click Answers\Html\atiemenu.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\raxc4osh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/|http://www.google.com/ig?hl=en#restore
FF - component: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\raxc4osh.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\raxc4osh.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07075003.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 01:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\COMPAQ~1\LOCALS~1\Temp\DIOF.tmp 47122 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3772)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\documents and settings\Compaq_Owner\Desktop\magicform\MFHook.dll
c:\program files\Strokeit\mhook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\HPZipm12.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\1-CLIC~1\agtserv.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
c:\program files\AIM6\aolsoftware.exe
c:\windows\ALCXMNTR.EXE
.
**************************************************************************
.
Completion time: 2009-04-26 1:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-26 08:25

Pre-Run: 133,834,473,472 bytes free
Post-Run: 133,729,730,560 bytes free

327 --- E O F --- 2009-04-24 10:10


Quote:

GooredFix v1.92 by jpshortstuff
Log created at 14:28 on 26/04/2009 running Option #1 (Compaq_Owner)
Firefox version 3.0.7 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{ACDF7F13-C3AB-4B41-84DD-BD7C77860CAB}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor"
Back to top
greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY
PostPosted: Sun Apr 26, 2009 7:19 pm    Post subject:
Double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

How is it running so far?
Back to top
AIM Address Yahoo Messenger
swiftstrike



Joined: Apr 06, 2009
Posts: 3
PostPosted: Sun Apr 26, 2009 9:34 pm    Post subject:
Here's the log. Wow, I think the spyware is gone. Google seems to be working perfectly. Thank you so much for helping me out. Very Happy

Quote:
GooredFix v1.92 by jpshortstuff
Log created at 18:27 on 26/04/2009 running Option #2 (Compaq_Owner)
Firefox version 3.0.7 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{ACDF7F13-C3AB-4B41-84DD-BD7C77860CAB}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor"
Back to top
greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY
PostPosted: Mon Apr 27, 2009 9:55 pm    Post subject:
Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
Back to top
AIM Address Yahoo Messenger
Display posts from previous:   
Post new topic   General Reply to Topic (not reply to a specific post)    Forums Home -> HijackThis Logs All times are: Eastern Time (US & Canada) (change)
Page 1 of 1

 
 You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum