11-16-2008, 12:16 AM   #6
dcogent1
Registered User
 
Join Date: Nov 2008
Posts: 10
OS: windows xp 2000


Re: Google Hijacked by virus....browser shuts down

OK, it took a while but I got it done. Pages seem to be loading up a bit faster. At any rate, here is the log that CF produced:

ComboFix 08-11-14.01 - Josh 2008-11-15 22:54:42.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.16 [GMT -8:00]
Running from: c:\documents and settings\Josh\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Josh\Favorites\Cheap Pharmacy Online.url
c:\documents and settings\Josh\Favorites\SMS TRAP.url
c:\documents and settings\Josh\Start Menu\Cheap Pharmacy Online.url
c:\documents and settings\Josh\Start Menu\SMS TRAP.url
c:\documents and settings\Vaki\Start Menu\Programs\Outerinfo
c:\program files\Common Files\mantec~1
c:\program files\Common Files\mantec~1\??sembly\
c:\temp\0b9
c:\temp\0b9\tmpTF.log
c:\temp\1cb
c:\temp\bkR11
c:\temp\bkR11\ftCa.log
c:\temp\tn3
c:\windows\absolute key logger.lnk
c:\windows\aconti.log
c:\windows\acontidialer.txt
c:\windows\BMef65c440.txt
c:\windows\BMef65c440.xml
c:\windows\cookies.ini
c:\windows\k.txt
c:\windows\pskt.ini
c:\windows\system32\cxhvpxhk.ini
c:\windows\system32\daSgo02
c:\windows\system32\din.ip
c:\windows\system32\dpqaqlqx.bin
c:\windows\system32\drivers\alert_icon.gif
c:\windows\system32\drivers\blank.gif
c:\windows\system32\drivers\box_2.gif
c:\windows\system32\drivers\button_buynow.gif
c:\windows\system32\drivers\button_freescan.gif
c:\windows\system32\drivers\cell_bg.gif
c:\windows\system32\drivers\cell_footer.gif
c:\windows\system32\drivers\cell_header_block.gif
c:\windows\system32\drivers\cell_header_remove.gif
c:\windows\system32\drivers\cell_header_scan.gif
c:\windows\system32\drivers\close_icon.gif
c:\windows\system32\drivers\download_btn.jpg
c:\windows\system32\drivers\download_now_btn.gif
c:\windows\system32\drivers\footer_back.jpg
c:\windows\system32\drivers\header_1.gif
c:\windows\system32\drivers\header_2.gif
c:\windows\system32\drivers\header_3.gif
c:\windows\system32\drivers\header_4.gif
c:\windows\system32\drivers\header_bg.gif
c:\windows\system32\drivers\header_red_bg.gif
c:\windows\system32\drivers\header_red_free_scan.gif
c:\windows\system32\drivers\header_red_free_scan_bg.gif
c:\windows\system32\drivers\header_red_protect_your_pc.gif
c:\windows\system32\drivers\icon_warning.gif
c:\windows\system32\drivers\infected.gif
c:\windows\system32\drivers\main_back.gif
c:\windows\system32\drivers\product_2_header.gif
c:\windows\system32\drivers\product_2_name_small.gif
c:\windows\system32\drivers\product_features.gif
c:\windows\system32\drivers\pt.htm
c:\windows\system32\drivers\rating.gif
c:\windows\system32\drivers\remove_spyware_button.gif
c:\windows\system32\drivers\s_detect.htm
c:\windows\system32\drivers\screenshot.jpg
c:\windows\system32\drivers\secuity_center_logo.gif
c:\windows\system32\drivers\sep_hor.gif
c:\windows\system32\drivers\sep_vert.gif
c:\windows\system32\drivers\shadow.jpg
c:\windows\system32\drivers\shadow_bg.gif
c:\windows\system32\drivers\spacer.gif
c:\windows\system32\drivers\star.gif
c:\windows\system32\drivers\star_gray.gif
c:\windows\system32\drivers\star_gray_small.gif
c:\windows\system32\drivers\star_small.gif
c:\windows\system32\drivers\style.css
c:\windows\system32\drivers\v.gif
c:\windows\system32\drivers\warning_icon.gif
c:\windows\system32\drivers\win_logo.gif
c:\windows\system32\drivers\x.gif
c:\windows\system32\ejddfidj.ini
c:\windows\system32\fenjovtl.ini
c:\windows\system32\gtv_sd.bin
c:\windows\system32\gzmrot-uninst.exe
c:\windows\system32\jtyyurnk.ini
c:\windows\system32\ldinfo.ldr
c:\windows\system32\mcrh.tmp
c:\windows\system32\MSINET.oca
c:\windows\system32\okprlbip.ini
c:\windows\system32\oxfcjllu.ini
c:\windows\system32\rev1
c:\windows\system32\rfbwggid.ini
c:\windows\system32\sfblsxas.ini
c:\windows\system32\sl.bin
c:\windows\system32\stfv.bin
c:\windows\system32\sznf.ascii
c:\windows\system32\tuxbc.bak1
c:\windows\system32\tuxbc.bak2
c:\windows\system32\tuxbc.ini
c:\windows\system32\tuxbc.ini2
c:\windows\system32\tuxbc.tmp
c:\windows\system32\v2
c:\windows\system32\vjufjrke.ini
c:\windows\system32\vvrscdtp.ini
c:\windows\wr.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DOMAINSERVICE
-------\Service_DomainService


((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
.

2008-11-15 18:13 . 2008-11-15 18:13 <DIR> d-------- c:\program files\Avira
2008-11-15 18:13 . 2008-11-15 18:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-11-14 16:23 . 2008-11-14 16:39 250 --a------ c:\windows\gmer.ini
2008-11-14 05:23 . 2008-11-14 09:48 <DIR> d-------- c:\documents and settings\Josh\Application Data\Spyware Terminator
2008-11-14 05:23 . 2008-11-14 05:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-14 05:23 . 2008-11-14 07:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spyware Terminator
2008-11-14 05:23 . 2008-11-14 05:23 141,312 --a------ c:\windows\system32\drivers\sp_rsdrv2.sys
2008-11-14 05:22 . 2008-11-14 07:15 <DIR> d-------- c:\program files\Spyware Terminator
2008-11-14 05:21 . 2008-11-14 05:22 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-14 05:21 . 2008-11-14 05:21 <DIR> d-------- c:\documents and settings\Josh\Application Data\SUPERAntiSpyware.com
2008-11-14 05:19 . 2008-11-14 05:19 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-13 03:56 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-13 03:55 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-02 19:24 . 2008-11-02 19:24 <DIR> d-------- c:\windows\system32\scripting
2008-11-02 19:24 . 2008-11-02 19:24 <DIR> d-------- c:\windows\system32\en
2008-11-02 19:24 . 2008-11-02 19:24 <DIR> d-------- c:\windows\system32\bits
2008-11-02 19:24 . 2008-11-02 19:24 <DIR> d-------- c:\windows\l2schemas
2008-11-02 19:21 . 2008-11-02 19:24 <DIR> d-------- c:\windows\ServicePackFiles
2008-11-02 19:00 . 2008-11-02 19:00 <DIR> d-------- c:\windows\EHome
2008-11-02 13:08 . 2008-10-03 09:41 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2008-11-02 13:08 . 2007-04-17 01:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-11-02 13:08 . 2007-03-07 21:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-11-02 13:08 . 2008-08-25 23:24 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2008-11-02 13:08 . 2008-08-25 23:24 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-11-02 13:08 . 2008-08-25 23:24 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2008-11-02 13:08 . 2008-08-25 23:24 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2008-11-02 13:08 . 2008-08-25 23:24 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-11-02 13:08 . 2008-08-25 00:38 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2008-11-02 11:03 . 2008-11-02 11:03 <DIR> d-------- c:\program files\Alwil Software
2008-11-02 11:03 . 2003-03-18 13:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2008-11-02 08:54 . 2004-08-04 04:00 999 -----c--- c:\windows\system32\dllcache\bktrh.gif
2008-11-02 08:12 . 2008-09-08 02:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-11-02 08:12 . 2008-06-13 03:05 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-11-02 08:12 . 2008-06-13 03:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-11-02 08:12 . 2008-08-14 02:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys
2008-11-02 08:11 . 2008-08-14 02:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-02 08:11 . 2008-08-14 02:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-02 08:11 . 2008-09-15 04:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-11-02 08:11 . 2008-04-11 11:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2008-11-02 08:11 . 2008-05-08 06:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2008-11-02 08:10 . 2008-08-14 01:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-02 08:10 . 2008-08-14 01:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-02 08:07 . 2008-10-15 08:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-14 23:27 --------- d-----w c:\program files\BitTorrent
2008-11-14 23:26 --------- d-----w c:\program files\VstPlugins
2008-11-14 23:26 --------- d-----w c:\program files\Image-Line
2008-11-14 16:30 --------- d-----w c:\program files\Google
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 -c--a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-04-04 188416]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-11-14 1783808]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-05-10 185896]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"= xgusb.cpl
"midi2"= xgusb.cpl
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hotygebit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
--a------ 2002-04-04 12:01 335872 c:\windows\system32\hphmon04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
--a------ 2002-04-04 12:04 49152 c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HTpatch]
-ra------ 2002-10-30 01:40 28672 c:\windows\htpatch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
--a------ 2008-04-13 16:12 169984 c:\windows\pchealth\helpctr\binaries\msconfig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-11 03:19 69632 c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]
--a------ 2002-07-12 02:15 106496 c:\windows\SiSUSBrg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-05-10 23:15 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
--a------ 2002-06-04 22:17 167936 c:\windows\system32\pctspk.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\c:\windows\system32\drivers\sp_rsdrv2.sys [2008-11-14 141312]
.
Contents of the 'Scheduled Tasks' folder

2008-11-16 c:\windows\Tasks\AECA9864913D0938.job
- c:\docume~1\josh\applic~1\inside~1\GreyForkAce.exe []

2008-11-15 c:\windows\Tasks\At1.job
- c:\windows\system32\GJWg0w0c.exe []

2008-11-15 c:\windows\Tasks\At10.job
- c:\windows\system32\GJWg0w0c.exe []

2008-11-15 c:\windows\Tasks\At11.job
- c:\windows\system32\GJWg0w0c.exe []

2008-11-15 c:\windows\Tasks\At12.job
- c:\windows\system32\GJWg0w0c.exe []

2008-11-15 c:\windows\Tasks\At13.job
- c:\windows\system32\GJWg0w0c.exe []

2008-11-15 c:\windows\Tasks\At14.job
- c:\windows\system32\GJWg0w0c.exe []

2008-11-15 c:\windows\Tasks\At15.job
- c:\windows\system32\GJWg0w0c.exe []

2008-11-15 c:\windows\Tasks\At16.job
- c:\windows\system32\GJWg0w0c.exe []

2008-11-16 c:\windows\Tasks\At17.job
- c:\windows\system32\GJWg0w0c.exe []

2008-11-16 c:\windows\Tasks\At18.job
- c:\windows\system32\GJWg0w0c.exe []

2008-11-16 c:\windows\Tasks\At19.job
- c:\windows\system32\GJWg0w0c.exe []

2008-11-15 c:\windows\Tasks\At2.job
- c:\windows\system32\GJWg0w0c.exe []

2008-11-16 c:\windows\Tasks\At20.job
- c:\windows\system32\GJWg0w0c.exe []

2008-11-16 c:\windows\Tasks\At21.job
- c:\windows\system32\GJWg0w0c.exe []

2008-11-16 c:\windows\Tasks\At22.job
- c:\windows\system32\GJWg0w0c.exe []

2008-11-16 c:\windows\Tasks\At23.job
- c:\windows\system32\GJWg0w0c.exe []

2008-11-15 c:\windows\Tasks\At24.job
- c:\windows\system32\GJWg0w0c.exe []

2008-11-15 c:\windows\Tasks\At3.job
- c:\windows\system32\GJWg0w0c.exe []

2008-11-15 c:\windows\Tasks\At4.job
- c:\windows\system32\GJWg0w0c.exe []

2008-11-15 c:\windows\Tasks\At5.job
- c:\windows\system32\GJWg0w0c.exe []

2008-11-15 c:\windows\Tasks\At6.job
- c:\windows\system32\GJWg0w0c.exe []

2008-11-15 c:\windows\Tasks\At7.job
- c:\windows\system32\GJWg0w0c.exe []

2008-11-15 c:\windows\Tasks\At8.job
- c:\windows\system32\GJWg0w0c.exe []

2008-11-15 c:\windows\Tasks\At9.job
- c:\windows\system32\GJWg0w0c.exe []

2008-11-14 c:\windows\Tasks\Schedule Task Weekly.job
- c:\program files\Registry Easy\RE.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{2E3603DE-A5C8-4B8D-85AF-FA160D18B1CC} - (no file)
BHO-{8F912529-E236-4B9A-8EAB-BED43FF4C66C} - (no file)
BHO-{B7C234D8-1DE7-4414-B4B9-F9EF76A46FCA} - (no file)
BHO-{B7FA8E6E-64F9-3C58-DA58-3CE607870C9C} - (no file)
BHO-{d440c7f2-a7f4-4e14-a15f-b09850a25d08} - (no file)
BHO-{E7EE986D-504C-4429-E9AB-8AB1C653514B} - (no file)
Notify-jkkiihe - jkkiihe.dll
Notify-winlft32 - winlft32.dll
MSConfigStartUp-BMef65c440 - c:\windows\system32\aukplrof.dll
MSConfigStartUp-io43mvuiw4kj - c:\windows\io43mvuiw4kj.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-Cmaudio - cmicnfg.cpl


.
------- File Associations -------
.
inifile=NOTEDAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-15 23:05:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\system32\taskmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-15 23:11:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-16 07:11:24

Pre-Run: 29,302,231,040 bytes free
Post-Run: 29,619,814,400 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

326 --- E O F --- 2008-11-14 05:27:28