Help!

As with everyone else, my Google search has been hijacked.

 
  

btbm
Joined: May 13, 2009
Posts: 4

PostPosted: Wed May 13, 2009 3:21 pm    Post subject: As with everyone else, my Google search has been hijacked.

I see you've been able to help others with great results, so I appreciate it.

I ran ATF-cleaner, Malwarebytes and Ad Aware, and while they solved some problems, I'm still having some trouble.

Thanks!

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:24:01 PM, on 5/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: TBSB00583 - {5DC51E2A-2041-4745-97BA-1CA8C794A07F} - C:\Program Files\Internet Explorer\LiveInfoPro\toolbar_v0.9.5_w-jsinside-affid-1002.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {DCB114F2-3BB5-4012-AD63-A41131C55017} - C:\WINDOWS\system32\hgGaywUn.dll (file missing)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: LiveInfoPro - {3E9D340B-D614-4854-AE06-4218201F6AAE} - C:\Program Files\Internet Explorer\LiveInfoPro\toolbar_v0.9.5_w-jsinside-affid-1002.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Suite\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgets.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46/scrabblecubes/scrabblecubes.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: karna.dat orydrx.dll gjmmjh.dll rczffj.dll ,
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: cbXNHWME - cbXNHWME.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: M-Audio Series II MIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 10576 bytes
greyknight17
Joined: Feb 03, 2003
Posts: 5651
Location: Brooklyn, NY

PostPosted: Thu May 14, 2009 11:41 am    Post subject:

Welcome to Lockergnome.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: (no name) - {DCB114F2-3BB5-4012-AD63-A41131C55017} - C:\WINDOWS\system32\hgGaywUn.dll (file missing)
O4 - HKLM\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKCU\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O20 - AppInit_DLLs: karna.dat orydrx.dll gjmmjh.dll rczffj.dll ,
O20 - Winlogon Notify: cbXNHWME - cbXNHWME.dll (file missing)


Download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Processes
    explorer
    :Files
    C:\WINDOWS\system32\prnet.tmp
    C:\WINDOWS\system32\karna.dat
    C:\WINDOWS\system32\orydrx.dll
    C:\WINDOWS\system32\gjmmjh.dll
    C:\WINDOWS\system32\rczffj.dll
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.

  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
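The seven entries greyknight17 picks out of the log above can be found mechanically. The script below is an added example, not part of the original thread and not a Trend Micro or HijackThis tool: it parses HijackThis-style lines and flags them on the signals the helper evidently used: a registered component whose file is missing, a Run value that launches a .tmp instead of an executable, the same Run value planted under both HKLM and HKCU, a populated AppInit_DLLs list, and a search URL chained through `*http://`. The SAMPLE_LOG lines are copied from the poster's log (with a few benign neighbours kept for contrast); the parsing, the rule set and the EXEC_EXTS list are my own assumptions, so treat a hit as "review this", not as proof of infection.

```python
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above, i.e. the
# seven entries the helper told the poster to fix plus a few benign neighbours
# (HP BHO, NVIDIA and ctfmon Run values, the AVG Winlogon Notify hook).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {DCB114F2-3BB5-4012-AD63-A41131C55017} - C:\WINDOWS\system32\hgGaywUn.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O20 - AppInit_DLLs: karna.dat orydrx.dll gjmmjh.dll rczffj.dll ,
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: cbXNHWME - cbXNHWME.dll (file missing)
"""

# O4 Run-key entries: hive, value name, command line.
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Extensions a Run value legitimately launches (assumption); .tmp/.dat/.pif here is a red flag.
EXEC_EXTS = {".exe", ".dll", ".com", ".scr", ".cpl"}


@dataclass
class Finding:
    line: str
    reasons: list


def run_target(cmd: str) -> str:
    """First quoted string or first whitespace-delimited token of a Run command line."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def extension(target: str) -> str:
    """Extension of the file name part of a Windows path, lower-cased ('' if none)."""
    base = target.replace("/", "\\").rsplit("\\", 1)[-1]
    return os.path.splitext(base)[1].lower()


def triage(log_text: str) -> list[Finding]:
    reasons_by_line: dict[str, list] = {}
    run_entries: dict[tuple, list] = {}   # (value name, target) -> [(hive, line), ...]
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = reasons_by_line.setdefault(line, [])
        if "(file missing)" in line:
            reasons.append("orphaned entry: registered component is no longer on disk")
        if line.startswith(("R0", "R1")) and "*http" in line:
            reasons.append("search/start-page URL chained through a redirect (*http://)")
        if line.startswith("O20 - AppInit_DLLs:"):
            dlls = line.split(":", 1)[1].replace(",", " ").split()
            if dlls:
                reasons.append("AppInit_DLLs injects %d DLL(s) into every process that loads user32: %s"
                               % (len(dlls), " ".join(dlls)))
        m = RUN_RE.match(line)
        if m:
            target = run_target(m.group("cmd"))
            ext = extension(target)
            if ext and ext not in EXEC_EXTS:
                reasons.append(f"Run value launches a non-executable extension ({ext})")
            key = (m.group("name").lower(), target.lower())
            run_entries.setdefault(key, []).append((m.group("hive"), line))
    # Same value name and target in both hives: persistence for every user and for the current one.
    for entries in run_entries.values():
        if {"HKLM", "HKCU"} <= {hive for hive, _ in entries}:
            for _, line in entries:
                reasons_by_line[line].append("same Run value registered under both HKLM and HKCU")
    return [Finding(line, r) for line, r in reasons_by_line.items() if r]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for reason in f.reasons:
            print("    ->", reason)
```

Run against the sample it reports exactly the seven lines in the fix list above and nothing else. The two R1 hits are worth a caveat: `red.clientapps.yahoo.com/.../sbcydsl/` is the SBC Yahoo DSL branding that shipped with that ISP's software, so a `*http://` redirect marks a search-provider override, not necessarily malware; the helper removed them anyway because the complaint was hijacked search. The AppInit_DLLs rule fires on any non-empty list on purpose: a DLL loaded that way runs inside every GUI process on the box, so each name in it has to be accounted for.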
btbm
Joined: May 13, 2009
Posts: 4

PostPosted: Thu May 14, 2009 11:55 pm    Post subject:

Thanks for the help! I goofed pasting the code for OTMoveIt3, but so far it seems to be working better. Here are the logs you requested.

Goored:

Quote:
GooredFix v1.92 by jpshortstuff
Log created at 23:45 on 14/05/2009 running Option #1 (Brian)
Firefox version 3.0.10 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{D48C3A3F-0FBF-4B6A-BF13-D02FF04FC8C4}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"




OTMoveIt3:
Quote:

========== PROCESSES ==========
Unable to kill process: explorer
========== FILES ==========
File/Folder C:\WINDOWS\system32\prnet.tmp not found.
File/Folder C:\WINDOWS\system32\karna.dat not found.
File/Folder C:\WINDOWS\system32\orydrx.dll not found.
File/Folder C:\WINDOWS\system32\gjmmjh.dll not found.
File/Folder C:\WINDOWS\system32\rczffj.dll not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Brian\LOCALS~1\Temp\etilqs_W9nCD5dBhkXxdsTsEsMF scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_694.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\rg4sfay scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ydf8dk scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Brian\Local Settings\Application Data\Mozilla\Firefox\Profiles\qtuncdij.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Brian\Local Settings\Application Data\Mozilla\Firefox\Profiles\qtuncdij.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Brian\Local Settings\Application Data\Mozilla\Firefox\Profiles\qtuncdij.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Brian\Local Settings\Application Data\Mozilla\Firefox\Profiles\qtuncdij.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Brian\Local Settings\Application Data\Mozilla\Firefox\Profiles\qtuncdij.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Brian\Local Settings\Application Data\Mozilla\Firefox\Profiles\qtuncdij.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05142009_235319

Files moved on Reboot...
File C:\DOCUME~1\Brian\LOCALS~1\Temp\etilqs_W9nCD5dBhkXxdsTsEsMF not found!
File C:\WINDOWS\temp\Perflib_Perfdata_694.dat not found!
File move failed. C:\WINDOWS\temp\rg4sfay scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ydf8dk scheduled to be moved on reboot.
C:\Documents and Settings\Brian\Local Settings\Application Data\Mozilla\Firefox\Profiles\qtuncdij.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Brian\Local Settings\Application Data\Mozilla\Firefox\Profiles\qtuncdij.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Brian\Local Settings\Application Data\Mozilla\Firefox\Profiles\qtuncdij.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Brian\Local Settings\Application Data\Mozilla\Firefox\Profiles\qtuncdij.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Brian\Local Settings\Application Data\Mozilla\Firefox\Profiles\qtuncdij.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Brian\Local Settings\Application Data\Mozilla\Firefox\Profiles\qtuncdij.default\XUL.mfl moved successfully.



ComboFix:

Quote:
ComboFix 09-05-14.03 - Brian 05/14/2009 23:36.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.778 [GMT -4:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Brian\Local Settings\Temporary Internet Files\Cpvff.stt
c:\windows\system32\drivers\ovfsthruwpdqvxewdoobrpqrqalyyiqgvfmqiq.sys
c:\windows\system32\ovfsthaknmlntioetcpapqmqhpbywvfvybxhyl.dll
c:\windows\system32\ovfsthhitnxsenosowtostlmklfqtilobvqsli.dat
c:\windows\system32\ovfsthpalgexmarffmuuxomnvbkythohupspvy.dll
c:\windows\system32\ovfsthvgdlyxbpajauyuuvhsmjoaiomapcgqrm.dll
c:\windows\system32\ovfsthybljjuljnwenkovbikrddjloxaxwchtj.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthvtymovmktkornstbgrqptxvixrqswuiu


((((((((((((((((((((((((( Files Created from 2009-04-15 to 2009-05-15 )))))))))))))))))))))))))))))))
.

2009-05-15 03:15 . 2009-05-15 03:16 -------- d-----w C:\32788R22FWJFW.0.tmp
2009-05-14 16:58 . 2009-05-14 16:58 -------- d-----w C:\_OTMoveIt
2009-05-12 16:47 . 2009-05-12 18:13 -------- d-----w c:\documents and settings\Brian\Application Data\Twain
2009-05-11 16:59 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-11 16:59 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-07 03:00 . 2009-05-07 03:01 336 ----a-w c:\program files\temp995.bat
2009-04-21 19:58 . 2009-04-21 19:58 -------- d-----w c:\documents and settings\All Users\Application Data\Megaupload
2009-04-21 19:58 . 2009-04-21 19:58 -------- d-----w c:\documents and settings\Brian\Application Data\EmailNotifier
2009-04-21 19:58 . 2009-04-21 19:58 -------- d-----w c:\documents and settings\All Users\Application Data\EmailNotifier

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-11 17:00 . 2008-08-10 02:22 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-11 16:26 . 2009-05-11 16:26 704586 ----a-w c:\windows\system32\rn.tmp
2009-05-07 03:03 . 2009-04-10 06:17 -------- d-----w c:\program files\Windows Desktop Search
2009-05-07 03:02 . 2005-08-13 20:50 -------- d-----w c:\program files\Sony
2009-05-07 03:00 . 2009-01-30 17:24 -------- d-----w c:\program files\PDF995
2009-05-06 23:00 . 2005-07-08 17:17 139776 ----a-w c:\documents and settings\Brian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-23 18:37 . 2006-07-27 23:07 -------- d-----w c:\program files\Microsoft IntelliPoint
2009-04-23 18:37 . 2006-07-27 23:06 -------- d-----w c:\program files\Microsoft IntelliType Pro
2009-04-21 20:00 . 2005-07-08 17:26 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-14 13:48 . 2009-02-16 04:08 141136 ----a-w c:\windows\hpoins14.dat
2009-04-12 06:40 . 2009-02-17 04:28 -------- d-----w c:\program files\ExpressPCB
2009-04-03 14:11 . 2007-03-24 00:57 51716 ----a-w c:\windows\system32\pdf995mon.dll
2009-04-03 14:11 . 2007-03-24 00:57 249856 -c--a-w c:\windows\system32\pdfmona.dll
2009-03-24 18:29 . 2006-08-04 01:09 -------- d-----w c:\program files\Google
2009-03-17 20:13 . 2005-07-08 12:52 98304 ----a-w c:\windows\DUMP76c6.tmp
2009-03-17 19:58 . 2005-07-08 12:52 98304 ----a-w c:\windows\DUMP7b5a.tmp
2009-03-17 18:16 . 2005-07-08 12:52 98304 ----a-w c:\windows\DUMP6e69.tmp
2009-03-17 18:08 . 2005-07-08 12:52 98304 ----a-w c:\windows\DUMP74d2.tmp
2009-03-17 17:55 . 2005-07-08 12:52 98304 ----a-w c:\windows\DUMP7213.tmp
2009-03-14 18:44 . 2009-03-14 18:43 88 -csh--r c:\documents and settings\All Users\Application Data\12D33184DA.sys
2009-03-14 18:44 . 2009-03-14 18:43 2516 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-02-16 15:09 . 2009-02-16 15:09 410984 ----a-w c:\windows\system32\deploytk.dll
2008-10-21 00:16 . 2008-10-21 00:16 18825 ----a-w c:\program files\Common Files\apikup.dll
2008-10-21 00:00 . 2008-10-21 00:00 14755 ----a-w c:\program files\Common Files\ahufepes.bat
2008-10-21 00:00 . 2008-10-21 00:00 14022 ----a-w c:\program files\Common Files\owynywyt.pif
2008-10-21 00:00 . 2008-10-21 00:00 10817 ----a-w c:\program files\Common Files\alunyh.pif
2002-04-19 23:15 . 2002-04-19 23:15 61 -c--a-w c:\program files\adobe photoshop 7.0 serial.txt
2009-05-12 16:53 . 2009-05-12 16:53 211968 ----a-w c:\program files\mozilla firefox\components\dfff.dll
2009-04-22 07:12 . 2009-04-22 07:12 90624 ----a-w c:\program files\mozilla firefox\components\WWShow.dll
.

((((((((((((((((((((((((((((( SnapShot.TakeThisOut@2009-05-15_03.26.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-15 03:36 . 2009-05-15 03:36 16384 c:\windows\Temp\Perflib_Perfdata_694.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DC51E2A-2041-4745-97BA-1CA8C794A07F}]
2007-12-27 13:07 2306048 ----a-w c:\program files\Internet Explorer\LiveInfoPro\toolbar_v0.9.5_w-jsinside-affid-1002.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3E9D340B-D614-4854-AE06-4218201F6AAE}"= "c:\program files\Internet Explorer\LiveInfoPro\toolbar_v0.9.5_w-jsinside-affid-1002.dll" [2007-12-27 2306048]

[HKEY_CLASSES_ROOT\clsid\{3e9d340b-d614-4854-ae06-4218201f6aae}]
[HKEY_CLASSES_ROOT\TBSB00583.TBSB00583.3]
[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]
[HKEY_CLASSES_ROOT\TBSB00583.TBSB00583]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="1" [X]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-29 68856]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-17 490952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-07-27 180269]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"IPInSightLAN 02"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 380928]
"IPInSightMonitor 02"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 122880]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-06-10 196608]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-06-10 217088]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-16 136600]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

c:\documents and settings\Brian\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\WidgetEngine\YahooWidgets.exe [2007-12-11 3746856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-7-17 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ WinCinema Manager.lnk
backup=c:\windows\pss\ WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre1.5.0_09\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\winver.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 L6DP;L6DP;c:\windows\system32\drivers\l6dp.sys [7/26/2006 9:09 PM 29312]
R3 L6TportK;Service - Line 6 TonePort KB37;c:\windows\system32\drivers\L6TportK.sys [2/11/2009 9:04 AM 521088]
S3 GPWADrv;Service for L6 GuitarPort Driver (WDM);c:\windows\system32\drivers\GPWADrv.sys [7/26/2006 9:06 PM 514432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-02-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-05-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 04:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: line6.net
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\qtuncdij.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Mozilla Firefox\components\dfff.dll
FF - component: c:\program files\Mozilla Firefox\components\WWShow.dll
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-14 23:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-15 23:42
ComboFix-quarantined-files.txt 2009-05-15 03:41
ComboFix2.txt 2009-05-15 03:28

Pre-Run: 18,189,574,144 bytes free
Post-Run: 18,172,719,104 bytes free

Current=13 Default=13 Failed=12 LastKnownGood=14 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14
178 --- E O F --- 2008-12-19 08:01


Again, thanks for the help!
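The ComboFix "Supplementary Scan" section of the log above shows the Firefox side of the redirect: `keyword.URL` pointing at search.yahoo.com with an `fr=megaup` affiliate tag, `browser.search.selectedEngine` set to Yahoo while the home page is still Google, and `network.proxy.type` = 4 (auto-detect a proxy via WPAD, which lets anything on the LAN that answers for "wpad" hand the browser a PAC file). The script below is an added example, not part of the thread and not a ComboFix or Mozilla tool: it reads a Firefox 3 style prefs.js and reports the settings that can redirect searches or traffic. SAMPLE_PREFS is constructed from the values ComboFix reported (plus one unrelated boolean); the `user_pref()` format is Firefox's own, while the audit rules and the `expected_engine` parameter are my assumptions.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlsplit

# Constructed prefs.js fragment: the four values ComboFix reported from the
# poster's profile, plus one unrelated boolean to exercise the parser.
SAMPLE_PREFS = r'''
user_pref("browser.search.selectedEngine", "Yahoo");
user_pref("browser.startup.homepage", "http://www.google.com/ig?hl=en");
user_pref("keyword.URL", "http://search.yahoo.com/search?ei=utf-8&fr=megaup&p=");
user_pref("network.proxy.type", 4);
user_pref("browser.shell.checkDefaultBrowser", false);
'''

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')
# Meaning of network.proxy.type; 0 and 5 are the only modes that cannot steer traffic on their own.
PROXY_MODES = {0: "direct", 1: "manual proxy", 2: "PAC URL", 4: "auto-detect (WPAD)", 5: "system settings"}


def parse_prefs(text: str) -> dict:
    """Minimal user_pref() parser: quoted strings, true/false and integers."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.groups()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


def audit_prefs(text: str, expected_engine: str = "Google") -> list[tuple]:
    """Return (pref, value, reason) for settings that redirect searches or traffic."""
    prefs = parse_prefs(text)
    findings = []
    kw = prefs.get("keyword.URL")
    if kw:
        parts = urlsplit(kw)
        note = f"address-bar searches go to {parts.netloc}"
        tag = parse_qs(parts.query).get("fr")   # Yahoo's partner/affiliate tag
        if tag:
            note += f" with affiliate tag fr={tag[0]}"
        findings.append(("keyword.URL", kw, note))
    engine = prefs.get("browser.search.selectedEngine")
    if engine and engine.lower() != expected_engine.lower():
        findings.append(("browser.search.selectedEngine", engine,
                         f"search box uses {engine}, user expects {expected_engine}"))
    mode = prefs.get("network.proxy.type")
    if mode not in (None, 0, 5):
        findings.append(("network.proxy.type", mode,
                         f"proxy mode {PROXY_MODES.get(mode, mode)}: a PAC file or proxy can rewrite every request"))
    pac = prefs.get("network.proxy.autoconfig_url")
    if pac:
        findings.append(("network.proxy.autoconfig_url", pac, "explicit PAC file configured"))
    return findings


if __name__ == "__main__":
    for pref, value, reason in audit_prefs(SAMPLE_PREFS):
        print(f"{pref} = {value!r}\n    -> {reason}")
```

Point it at the profile's prefs.js with Firefox closed (Firefox rewrites the file on exit, so an edit made while it runs is lost). `keyword.URL` is the one to watch in this era: Firefox 3 honoured it for anything typed in the address bar that was not a URL, and it had no legitimate reason to carry a partner tag; later Firefox releases dropped the pref entirely. Note what the script cannot see: the `dfff.dll` and `WWShow.dll` components ComboFix listed live in the install directory, not in the profile, which is why the helper's next step targets them with a CFScript rather than a prefs change.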
btbm
Joined: May 13, 2009
Posts: 4

PostPosted: Fri May 15, 2009 12:00 am    Post subject:

Well, I must have done something wrong, because I still have the redirect problem. I fudged some steps along the way. Sorry.
greyknight17
Joined: Feb 03, 2003
Posts: 5651
Location: Brooklyn, NY

PostPosted: Fri May 15, 2009 11:58 am    Post subject:

You didn't do anything wrong. Just need a little more cleanup and you should be there :D

Double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:
Quote:
File::
c:\windows\system32\rn.tmp
c:\windows\DUMP76c6.tmp
c:\windows\DUMP7b5a.tmp
c:\windows\DUMP6e69.tmp
c:\windows\DUMP74d2.tmp
c:\windows\DUMP7213.tmp
c:\program files\Common Files\apikup.dll
c:\program files\Common Files\ahufepes.bat
c:\program files\Common Files\owynywyt.pif
c:\program files\Common Files\alunyh.pif
c:\program files\mozilla firefox\components\dfff.dll

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
btbm
Joined: May 13, 2009
Posts: 4
PostPosted: Fri May 15, 2009 10:16 pm    Post subject:

Okay, here are the logs:

Goored:

Quote:
GooredFix v1.92 by jpshortstuff
Log created at 22:13 on 15/05/2009 running Option #2 (Brian)
Firefox version 3.0.10 (en-US)
(Subsequent Run)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{D48C3A3F-0FBF-4B6A-BF13-D02FF04FC8C4}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"


ComboFix:

Quote:
ComboFix 09-05-14.03 - Brian 05/15/2009 22:16.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.784 [GMT -4:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brian\Desktop\CFScript.txt

FILE ::
c:\program files\Common Files\ahufepes.bat
c:\program files\Common Files\alunyh.pif
c:\program files\Common Files\apikup.dll
c:\program files\Common Files\owynywyt.pif
c:\program files\mozilla firefox\components\dfff.dll
c:\windows\DUMP6e69.tmp
c:\windows\DUMP7213.tmp
c:\windows\DUMP74d2.tmp
c:\windows\DUMP76c6.tmp
c:\windows\DUMP7b5a.tmp
c:\windows\system32\rn.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Brian\Local Settings\Temporary Internet Files\Cpvff.stt
c:\program files\Common Files\ahufepes.bat
c:\program files\Common Files\alunyh.pif
c:\program files\Common Files\apikup.dll
c:\program files\Common Files\owynywyt.pif
c:\program files\mozilla firefox\components\dfff.dll
c:\windows\DUMP6e69.tmp
c:\windows\DUMP7213.tmp
c:\windows\DUMP74d2.tmp
c:\windows\DUMP76c6.tmp
c:\windows\DUMP7b5a.tmp
c:\windows\system32\rn.tmp

.
((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
.

2009-05-15 14:47 . 2009-05-15 14:47 -------- d-----w c:\windows\LastGood
2009-05-15 03:15 . 2009-05-15 03:16 -------- d-----w C:\32788R22FWJFW.0.tmp
2009-05-14 16:58 . 2009-05-14 16:58 -------- d-----w C:\_OTMoveIt
2009-05-12 16:47 . 2009-05-12 18:13 -------- d-----w c:\documents and settings\Brian\Application Data\Twain
2009-05-11 16:59 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-11 16:59 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-07 03:00 . 2009-05-07 03:01 336 ----a-w c:\program files\temp995.bat
2009-04-21 19:58 . 2009-04-21 19:58 -------- d-----w c:\documents and settings\All Users\Application Data\Megaupload
2009-04-21 19:58 . 2009-04-21 19:58 -------- d-----w c:\documents and settings\Brian\Application Data\EmailNotifier
2009-04-21 19:58 . 2009-04-21 19:58 -------- d-----w c:\documents and settings\All Users\Application Data\EmailNotifier

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-15 17:17 . 2005-07-08 17:17 139776 ----a-w c:\documents and settings\Brian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-11 17:00 . 2008-08-10 02:22 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-07 03:03 . 2009-04-10 06:17 -------- d-----w c:\program files\Windows Desktop Search
2009-05-07 03:02 . 2005-08-13 20:50 -------- d-----w c:\program files\Sony
2009-05-07 03:00 . 2009-01-30 17:24 -------- d-----w c:\program files\PDF995
2009-04-23 18:37 . 2006-07-27 23:07 -------- d-----w c:\program files\Microsoft IntelliPoint
2009-04-23 18:37 . 2006-07-27 23:06 -------- d-----w c:\program files\Microsoft IntelliType Pro
2009-04-21 20:00 . 2005-07-08 17:26 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-14 13:48 . 2009-02-16 04:08 141136 ----a-w c:\windows\hpoins14.dat
2009-04-12 06:40 . 2009-02-17 04:28 -------- d-----w c:\program files\ExpressPCB
2009-04-03 14:11 . 2007-03-24 00:57 51716 ----a-w c:\windows\system32\pdf995mon.dll
2009-04-03 14:11 . 2007-03-24 00:57 249856 -c--a-w c:\windows\system32\pdfmona.dll
2009-03-24 18:29 . 2006-08-04 01:09 -------- d-----w c:\program files\Google
2009-03-14 18:44 . 2009-03-14 18:43 88 -csh--r c:\documents and settings\All Users\Application Data\12D33184DA.sys
2009-03-14 18:44 . 2009-03-14 18:43 2516 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-02-16 15:09 . 2009-02-16 15:09 410984 ----a-w c:\windows\system32\deploytk.dll
2002-04-19 23:15 . 2002-04-19 23:15 61 -c--a-w c:\program files\adobe photoshop 7.0 serial.txt
2009-04-22 07:12 . 2009-04-22 07:12 90624 ----a-w c:\program files\mozilla firefox\components\WWShow.dll
.

((((((((((((((((((((((((((((( SnapShot.RemoveThis@2009-05-15_03.26.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-15 14:39 . 2009-05-15 14:39 16384 c:\windows\Temp\Perflib_Perfdata_32c.dat
+ 2005-07-08 12:58 . 2009-05-15 14:38 450880 c:\windows\system32\FNTCACHE.DAT
- 2005-07-08 12:58 . 2009-05-06 19:58 450880 c:\windows\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DC51E2A-2041-4745-97BA-1CA8C794A07F}]
2007-12-27 13:07 2306048 ----a-w c:\program files\Internet Explorer\LiveInfoPro\toolbar_v0.9.5_w-jsinside-affid-1002.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3E9D340B-D614-4854-AE06-4218201F6AAE}"= "c:\program files\Internet Explorer\LiveInfoPro\toolbar_v0.9.5_w-jsinside-affid-1002.dll" [2007-12-27 2306048]

[HKEY_CLASSES_ROOT\clsid\{3e9d340b-d614-4854-ae06-4218201f6aae}]
[HKEY_CLASSES_ROOT\TBSB00583.TBSB00583.3]
[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]
[HKEY_CLASSES_ROOT\TBSB00583.TBSB00583]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="1" [X]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-29 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-07-27 180269]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"IPInSightLAN 02"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 380928]
"IPInSightMonitor 02"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 122880]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-06-10 196608]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-06-10 217088]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-16 136600]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-7-17 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ WinCinema Manager.lnk
backup=c:\windows\pss\ WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre1.5.0_09\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\winver.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 L6DP;L6DP;c:\windows\system32\drivers\l6dp.sys [7/26/2006 9:09 PM 29312]
R3 L6TportK;Service - Line 6 TonePort KB37;c:\windows\system32\drivers\L6TportK.sys [2/11/2009 9:04 AM 521088]
S3 GPWADrv;Service for L6 GuitarPort Driver (WDM);c:\windows\system32\drivers\GPWADrv.sys [7/26/2006 9:06 PM 514432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-02-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-05-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 04:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: line6.net
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\qtuncdij.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Mozilla Firefox\components\WWShow.dll
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-15 22:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-16 22:20
ComboFix-quarantined-files.txt 2009-05-16 02:20
ComboFix2.txt 2009-05-15 03:42
ComboFix3.txt 2009-05-15 03:28

Pre-Run: 17,996,140,544 bytes free
Post-Run: 17,977,761,792 bytes free

Current=13 Default=13 Failed=12 LastKnownGood=14 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14
182 --- E O F --- 2008-12-19 08:01



What a ***** this thing is to get rid of. Again, thanks!
greyknight17
Joined: Feb 03, 2003
Posts: 5651
Location: Brooklyn, NY
PostPosted: Sat May 16, 2009 11:15 am    Post subject:

Please watch the language there Laughing

Good job. Your log is clean Very Happy

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.