Google Hijack - Newbie Jumped the Gun?

tcadena · 06-20-2009, 10:02 AM

I suddenly found my Google search results hijacked to various other hosting or search websites. I found your website via a Google search (which I got to by manually typing in the URL so I didn't get hijacked) and it seemed like I had found the solution. The Google search led me to another user's solution and I did not (immediately) find the right place to start with DDS and GMER. In my frustration and haste, I downloaded and ran Combofix per Techsupportforum.com's instructions in that other thread and it has seemed to fix my problem, thus far. I had already had all my data backed up and didn't feel too much at risk.

First of all, a big MEA CULPA for not being more careful and following your very clear instructions. I am posting the Combofix log below and I would like to know if I should re-start the process with DDS and GMER or do that if the problem recurs.

Thank you in advance and, again, my apologies for the bonehead move to jump to what I thought was the "final answer".

Tony

When I ran Combofix, it informed me that it had detected the presence of rootkit activity in C:\WINDOWS\system32\sdra64.exe.

Here is the Combofix log:

ComboFix 09-06-18.02 - Tony 06/19/2009 0:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1560 [GMT -7:00]
Running from: c:\documents and settings\Tony\Desktop\ComboFix.exe
AV: Norton 360 Premier Edition *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 Premier Edition *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycled\NPROTECT
c:\windows\Downloaded Program Files\MyWebEx
c:\windows\system32\drivers\str.sys
c:\windows\system32\lowsec
c:\windows\system32\sdra64.exe
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\recycled\NPROTECT\00000159.XML
c:\recycled\NPROTECT\00000160.XML
c:\recycled\NPROTECT\00000164.XML
c:\recycled\NPROTECT\00000165.XML
c:\recycled\NPROTECT\00000167.XML
c:\recycled\NPROTECT\00000168.XML
c:\recycled\NPROTECT\00000179.XML
c:\recycled\NPROTECT\00000181.XML
c:\recycled\NPROTECT\00000184.XML
c:\recycled\NPROTECT\00000186.XML
c:\recycled\NPROTECT\00000196.XML
c:\recycled\NPROTECT\00000197.XML
c:\recycled\NPROTECT\00000205.XML
c:\recycled\NPROTECT\00000206.XML
c:\recycled\NPROTECT\00000207.XML
c:\recycled\NPROTECT\00000208.XML
c:\recycled\NPROTECT\00000210.XML
c:\recycled\NPROTECT\00000349.XML
c:\recycled\NPROTECT\00000350.XML
c:\recycled\NPROTECT\00000362.XML
c:\recycled\NPROTECT\00000363.XML
c:\recycled\NPROTECT\00000366.XML
c:\recycled\NPROTECT\00000367.XML
c:\recycled\NPROTECT\00000372.XML
c:\recycled\NPROTECT\00000373.XML
c:\recycled\NPROTECT\00000385.XML
c:\recycled\NPROTECT\00000386.XML
c:\recycled\NPROTECT\00000394.XML
c:\recycled\NPROTECT\00000395.XML
c:\recycled\NPROTECT\00000405.doc
c:\recycled\NPROTECT\00000411.XML
c:\recycled\NPROTECT\00000412.XML
c:\recycled\NPROTECT\00000421.doc
c:\recycled\NPROTECT\00000424.DOC
c:\recycled\NPROTECT\00000479.XML
c:\recycled\NPROTECT\00000480.XML
c:\recycled\NPROTECT\00000575.jpg
c:\recycled\NPROTECT\00000587.XML
c:\recycled\NPROTECT\00000588.XML
c:\recycled\NPROTECT\00000590.XML
c:\recycled\NPROTECT\00000591.XML
c:\recycled\NPROTECT\00000593.XML
c:\recycled\NPROTECT\00000594.XML
c:\recycled\NPROTECT\00000598.XML
c:\recycled\NPROTECT\00000599.XML
c:\recycled\NPROTECT\00000601.XML
c:\recycled\NPROTECT\00000602.XML
c:\recycled\NPROTECT\00000650.jpg
c:\recycled\NPROTECT\00000656.jpg
c:\recycled\NPROTECT\00000663.jpg
c:\windows\Downloaded Program Files\MyWebEx\419\atarm.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atas32.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atasanot.exe
c:\windows\Downloaded Program Files\MyWebEx\419\atasctrl.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atasnt40.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atcarmcl.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atdl2006.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atjpeg60.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atkbctl.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atlchat.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atmemmgr.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atnetext.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atpack.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atres.dll
c:\windows\Downloaded Program Files\MyWebEx\419\attp.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atwbxui6.dll
c:\windows\Downloaded Program Files\MyWebEx\419\h264dec.dll
c:\windows\Downloaded Program Files\MyWebEx\419\h264enc.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mmssl32.dll
c:\windows\Downloaded Program Files\MyWebEx\419\msess.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mticket.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mutiltpd.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mvc.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mwm.ini
c:\windows\Downloaded Program Files\MyWebEx\419\mwmcliun.exe
c:\windows\Downloaded Program Files\MyWebEx\419\mwmie.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mwmim.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mwmoi.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mwmpad.exe
c:\windows\Downloaded Program Files\MyWebEx\419\mwmproxy.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mwmres.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mwmres1.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mwmupd.exe
c:\windows\Downloaded Program Files\MyWebEx\419\raurl.dll
c:\windows\Downloaded Program Files\MyWebEx\419\uilibres.dll
c:\windows\Downloaded Program Files\MyWebEx\419\wbxcrypt.dll
c:\windows\Downloaded Program Files\MyWebEx\419\webexmgr.dll
c:\windows\kb913800.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\drivers\hlwpuldrb.sys
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\sdra64.exe
D:\Autorun.inf
D:\Desktop.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UBPCFYPUXFCPNW

((((((((((((((((((((((((( Files Created from 2009-05-19 to 2009-06-19 )))))))))))))))))))))))))))))))
.

2009-06-18 06:28 . 2009-06-18 06:28 2 ----a-w- c:\windows\010112010146118114.dat
2009-06-18 06:24 . 2009-06-18 06:24 172 ----a-w- C:\nm8912.bat
2009-06-13 18:40 . 2009-06-13 18:40 -------- d-----w- c:\documents and settings\Visitor\Local Settings\Application Data\QuickPlay
2009-06-13 18:40 . 2009-06-13 18:40 -------- d-----w- c:\documents and settings\Visitor\Application Data\HP
2009-06-10 17:18 . 2009-06-10 17:18 152576 ----a-w- c:\documents and settings\Tony\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-07 20:19 . 2009-06-07 20:19 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-22 19:43 . 2009-05-22 19:43 1536000 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181414-18154.dll
2009-05-21 15:46 . 2009-05-21 15:46 488960 ----a-w- c:\documents and settings\Tony\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\octosh...070-0-main.dll
2009-05-21 15:45 . 2009-05-21 15:45 319488 ----a-w- c:\documents and settings\Tony\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-19 07:22 . 2006-07-28 14:17 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-19 06:05 . 2007-12-19 00:08 -------- d-----w- c:\documents and settings\Tony\Application Data\HPAppData
2009-06-19 04:09 . 2006-08-31 03:26 -------- d-----w- c:\documents and settings\Tony\Application Data\Skype
2009-06-19 00:56 . 2006-08-17 22:26 -------- d-----w- c:\program files\QuickTime
2009-06-19 00:34 . 2008-09-07 02:16 -------- d-----w- c:\documents and settings\Tony\Application Data\skypePM
2009-06-14 18:50 . 2008-01-02 19:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-12 15:32 . 2008-04-07 22:12 -------- d-----w- c:\program files\Safari
2009-06-10 17:19 . 2006-07-28 11:39 -------- d-----w- c:\program files\Java
2009-06-07 20:27 . 2006-08-17 22:25 -------- d-----w- c:\program files\iTunes
2009-06-07 20:27 . 2006-08-17 22:25 -------- d-----w- c:\program files\iPod
2009-06-07 20:27 . 2007-07-02 17:56 -------- d-----w- c:\program files\Common Files\Apple
2009-05-22 19:46 . 2006-07-28 14:27 -------- d-----w- c:\program files\Quicken
2009-05-22 19:42 . 2009-01-25 16:49 242976 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2009-05-21 18:33 . 2008-09-28 15:46 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-17 15:42 . 2007-06-11 20:41 -------- d-----w- c:\documents and settings\Tony\Application Data\Move Networks
2009-05-11 03:26 . 2007-09-17 13:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-07 15:32 . 2004-08-10 15:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-10 15:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-10 15:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 02:00 . 2009-04-24 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-23 20:08 . 2007-12-23 05:40 -------- d-----w- c:\documents and settings\Visitor\Application Data\HPAppData
2009-04-17 12:26 . 2004-08-10 15:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 15:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-13 18:37 . 2006-12-09 02:14 144784 ----a-w- c:\documents and settings\Visitor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-10 14:24 . 2009-04-10 14:24 152576 ----a-w- c:\documents and settings\Tony\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-01 05:46 . 2008-02-24 02:07 9584 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Static\NCO20.dll
2009-03-24 03:41 . 2007-06-11 20:41 34062 ----a-w- c:\documents and settings\Tony\Application Data\Move Networks\ie_bin\Uninst.exe
2009-03-24 03:41 . 2009-03-24 03:41 1047072 ----a-w- c:\documents and settings\Tony\Application Data\Move Networks\MoveMediaPlayer_071303000006.exe
2002-07-27 01:02 . 2007-12-19 07:41 153088 ----a-w- c:\program files\UNWISE.EXE
2008-12-16 04:37 . 2006-09-21 17:27 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-15 68856]
"Google Update"="c:\documents and settings\Tony\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-15 7561216]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-04-15 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-21 213936]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-21 86960]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb13.exe" [2004-11-24 172032]
"HPHUPD06"="c:\program files\HP\{BA2D9411-DBB4-43e4-9421-780413650A67}\hphupd06.exe" [2004-12-16 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-12-16 622592]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2004-09-21 73728]
"USBToolTip"="c:\program files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2006-06-01 196608]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-01-30 438272]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-21 213936]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-15 565008]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360 Premier Edition\osCheck.exe" [2008-02-26 988512]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-04-15 1519616]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2008-04-14 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-03 61952]

c:\documents and settings\Erin\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{DB7E00C9-6DEF-489A-8112-D8F81614F45A}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe [2006-8-17 61440]

c:\documents and settings\Tony\Start Menu\Programs\Startup\
qlock.lnk - c:\program files\Qlock\qlock.exe [2006-7-31 4102656]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-2-27 581693]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
HP Photosmart Premier Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Abacast\\Abaclient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 10:28 AM 204800]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 12:37 PM 149352]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [1/30/2008 4:52 AM 106496]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/27/2009 12:54 PM 101936]
S2 pciinfo;HP Pci Information;\??\c:\docume~1\Tony\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\Tony\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?]
S2 ubpcfypuxfcpnw;ubpcfypuxfcpnw;\??\c:\windows\system32\drivers\hlwpuldrb.sys --> c:\windows\system32\drivers\hlwpuldrb.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 7:32 PM 23888]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [4/12/2008 2:21 PM 29744]
S3 iComp;HP Analog TV Tuner;c:\windows\system32\drivers\p2usbwdm.sys [1/17/2006 12:37 AM 1536000]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\windows\system32\PLCNDIS5.SYS [1/20/2003 10:30 AM 17018]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [8/29/2006 8:58 AM 15576]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-06-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-747133990-1552522543-3996072772-1005.job
- c:\documents and settings\Tony\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 04:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www6.comcast.net/b/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: turbotax.com
Trusted Zone: wsj.com\online
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-19 00:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????P??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,68,b3,2c,52,24,
1c,87,f8,2e,e8,e1,00,eb,16,2b,de,48,f0,d2,da,09,65,74,3b,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,ce,60,e3,63,f0,
c9,d5,17,46,47,15,b0,92,4b,c7,ef,a7,98,79,87,5e,98,39,9e,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,af,14,c0,a0,98,
b7,40,26,7a,45,05,fd,91,e8,6f,31,02,7f,c0,2c,d7,b4,25,ea,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,f9,55,4f,7e,4d,
64,ca,9b,6b,65,49,6a,7e,99,74,f7,a0,ac,d5,9f,d1,62,d3,e7,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,ac,b6,a7,55,e9,
b7,d9,05,e9,02,6c,fa,fb,1d,47,57,1e,93,84,33,68,2f,7b,59,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:50,93,e5,ab,ec,6a,4e,ab,7c,c2,07,37,b2,
7d,94,f6,50,93,e5,ab,ec,6a,4e,ab,99,e5,94,7e,9c,4e,a9,f7,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,c0,fc,36,0c,19,
83,5f,a5,97,20,4e,9a,c7,f1,35,ee,ad,b4,fa,a2,da,14,d8,3d,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,59,8e,53,91,d8,
3d,9e,bb,aa,52,c6,00,84,3c,26,64,8e,38,03,21,d7,31,0f,e4,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,6e,1a,84,60,a8,
26,31,40,b2,46,9a,e2,1b,fe,1b,94,45,55,c8,39,fe,c1,0a,5b,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,38,d3,f4,66,22,
c5,29,c2,37,a4,aa,c3,a6,15,56,0a,f6,45,2e,99,2e,1e,bf,80,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:f8,31,0f,a9,5f,a0,ec,fb,c2,ec,0c,02,28,
2f,a1,60,f8,31,0f,a9,5f,a0,ec,fb,c9,32,68,5a,5b,07,7c,30,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,4a,41,d1,d4,45,
02,08,e0,05,73,21,dd,54,d8,4a,c5,b5,04,d7,ab,e0,83,f4,c1,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(8704)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\msdtc.exe
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\java.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\mqsvc.exe
c:\windows\system32\searchindexer.exe
c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
c:\program files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
c:\windows\ehome\ehmsas.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\Hp\Digital Imaging\bin\hpqimzone.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
c:\program files\Hp\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-06-19 0:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-19 07:30

Pre-Run: 1,775,386,624 bytes free
Post-Run: 1,705,222,144 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

434 --- E O F --- 2009-06-14 18:50

tetonbob · 06-23-2009, 12:08 PM

Hello -

Apologies accepted.

For others who might read this topic...

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Quote:

DO NOT FIX ANY ENTRIES OR DELETE ANY FILES YOURSELF. Do not run any specialized tools that you see being used in other threads without direct supervision from one of our trained analysts. Be advised that running any specialized tools not listed in this topic, on your own, is done solely at your own risk

A Reminder....

As seen in Post #2 of our sticky topic 'NEW INSTRUCTIONS Read this Before Posting For Malware Removal Help'

Quote:

Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix

On to your issue.....it looks like ComboFix has done a good job, but there's more work to do.

First.......

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You can read this: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.

tcadena · 06-23-2009, 05:06 PM

Thank you.

1. I am working on the first item of resetting passwords via an alternate computer.
2. Here are the results of running the command specified:

2007 Microsoft Office Suite Service Pack 1 (SP1)
32 Bit HP CIO Components Installer
Abacast Client
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Help Center 2.1
Adobe Photoshop Elements 5.0
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Shockwave Player 11
AIO_Scan
AppCore
Apple Mobile Device Support
Apple Software Update
Backup
Bonjour
BufferChm
C7200
C7200_doccd
c7200_Help
CameraDrivers
CameraUserGuides
ccCommon
Conexant HD Audio
Copy
Corel Paint Shop Pro X
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
CreativeProjects
CreativeProjectsTemplates
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Customer Experience Enhancement
CustomerResearchQFolder
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DiscAPI (Studio 10)
DocProc
DocProcQFolder
Entriq MediaSphere 3.5.2.2
ESPNMotion
eSupportQFolder
Fax
Garmin USB Drivers
GearDrvs
Google Chrome
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
GoToMeeting 4.0.0.320
HDAUDIO Soft Data Fax Modem with SmartCP
Hotfix 2050 for SQL Server 2000 ENU (KB948110)
Hotfix 2055 for SQL Server 2000 ENU (KB960082)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 9.0
HP Driver Diagnostics
HP Help and Support
HP Imaging Device Functions 9.0
HP Integrated Module with Bluetooth wireless technology
HP OCR Software 9.0
HP Photosmart All-In-One Software 9.0
HP Photosmart Cameras 7.0
HP Photosmart Essential 2.01
HP Photosmart Essential2.01
HP Photosmart Premier Software 6.5
HP Product Assistant
HP Product Detection
hp psc 700 series
HP Quick Launch Buttons 6.00 E2
HP QuickPlay 2.1
HP Smart Web Printing
HP Solution Center 9.0
HP Update
HP User Guides--System Recovery
HP User Guides 0019
HP Wireless Assistant 2.00 E1
hpicamDrvQFolder
HPNetworkAssistant
HPPhotoSmartExpress
HPProductAssistant
HpSdpAppCoreApp
HPSSupply
HPSystemDiagnostics
InstantShare
InstantShareDevices
Intel(R) Network Connections Drivers
IntelliMover
iPod for Windows 2005-10-12
ItsDeductible Express
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 14
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
LightScribe System Software 1.10.27.1
LightScribeTemplateLabeler
Linksys Updater
LiveUpdate (Symantec Corporation)
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Logitech Desktop Messenger
Logitech Legacy USB Camera Driver Package
Logitech QuickCam
Logitech QuickCam Driver Package
Logitech Updater
Macromedia Flash Player 8
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server Desktop Engine (PINNACLESYS)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
Move Networks Media Player for Internet Explorer
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
muvee autoProducer 4.5
MyDVD-VR Recorder
NBC Universal 1.0.0.7
NetDeviceManager
Netflix Movie Viewer
NETGEAR XE102 Powerline Ethernet Adapter
NetWaiting
Norton 360
Norton 360 HTMLHelp
Norton 360 Premier Edition (Symantec Corporation)
Norton Confidential Core
NVIDIA Drivers
Octoshape add-in for Adobe Flash Player
OptionalContentQFolder
Otto
PanoStandAlone
PhotoGallery
Photosmart 320,370,7400,8100,8400,8700 Series
Picasa 2
Pinnacle Instant DVD Recorder
Pinnacle MediaServer
proDAD Heroglyph 2.5
PS_AIO_02_ProductContext
PS_AIO_02_Software
PS_AIO_02_Software_min
PS8700
PSPExpress
PSPrinters06
PSSWCORE
Qlock Lite
Quicken 2009
Quicken WillMaker Plus 2009
RandMap
RAPID (Studio 10)
Rhapsody Player Engine
Safari
Scan
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
SkinsHP1
Skype™ 4.0
SlideShow
SmartAudio
SmartSound Quicktracks Plugin
SmartWebPrinting
SolutionCenter
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD-VR
Sonic MyDVD Deluxe
Sonic Update Manager
Sonic_PrimoSDK
SonicAC3Encoder
SonicMPEGEncoder
SPBBC 32bit
Status
Studio 10
Studio 10 Bonus DVD
Symantec Real Time Storage Protection Component
Symantec Technical Support Controls
SymNet
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
Toolbox
TrayApp
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 woriper
TurboTax 2008 wrapper
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006
TurboTax Premier 2004
TurboTax Premier 2005
TurboTax Premier 2007
TurboTax Premier Investments 2006
Unload
UnloadSupport
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Outlook 2007 Junk Email Filter (kb970012)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
VideoToolkit01
Virtual Earth 3D (Beta)
Vongo
WD Diagnostics
WD Drive Manager (x86)
WDCSAM Driver
WebEx MeetMeNow
WebFldrs XP
WebReg
WexTech AnswerWorks
Windows Desktop Search 3.01
Windows Driver Package - Western Digital Technologies (WDC_SAM) WDC_SAM (12/05/2006 1.0.0007.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
WinZip 11.2
XML Paper Specification Shared Components Pack 1.0

tetonbob · 06-23-2009, 06:10 PM

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs):

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1

These are all outdated, and security risks by having them installed still. Unfortunately, Java does not uninstall these older versions when you update, nor tell you that you should. Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

Leave Java(TM) 6 Update 14 alone, as it has the most recent security updates.

---------------------------------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

Open notepad and copy/paste the text in the quotebox below into it:

Code:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/387339-google-hijack-newbie-jumped-gun.html#post2204899
Driver::
ubpcfypuxfcpnw
Rootkit::
c:\windows\system32\drivers\hlwpuldrb.sys
Collect::
c:\windows\system32\drivers\hlwpuldrb.sys

Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
- Ensure you are connected to the internet and click OK on the message box.
Please let me know if the file was successfully submitted . Thanks.

------------------------------------------------------
Ensure your AntiVirus and AntiSpyware applications are re-enabled.

---------------------------------------------------------------------------------------------
Please download Malwarebytes' Anti-Malware to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to the following:
  - Update Malwarebytes' Anti-Malware
  - Launch Malwarebytes' Anti-Malware
- Then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.
---------------------------------------------------------------------------------------------

Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
- Close any open programs
- Turn off the real time scanner of any existing antivirus program while performing the online scan.
Click Accept, when prompted to download and install the program files and database of malware definitions.
- Click Run at the Security prompt.
- The program will then begin downloading and installing and will also update the database.
- Please be patient as this can take several minutes.
- Once the update is complete, click on Settings. Uncheck Mail databases.
- Next, click on My Computer under the green Scan bar to the left to start the scan.
- Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
- Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
- Click View scan report at the bottom.
- Click the Save Report As... button.
- Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
---------------------------------------------------------------------------------------------

How is the machine behaving?

tcadena · 06-23-2009, 11:34 PM

Thank you in advance.

Per your instructions, I did the following, but stopped as indicated below:

1. I uninstalled as directed, only rebooting at the end of the complete list of uninstalls. Finished successfully.

2. I disabled AntiVirus (Norton); created and saved "CFScript.txt". I dragged CFScript.txt onto ComboFix.exe which caused ComboFix to launch. When ComboFix launched it indicated there was a newer version of ComboFix available and asked if I wanted to update. I responded "yes" and ComboFix relaunched after the update. Subsequently, Combofix DID produce a log which is posted at the end of this message. However, the following did NOT occur (from your instructions):

"When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
Ensure you are connected to the internet and click OK on the message box."

I am wondering if the message box and submission did not occur because ComboFix updated are restarted.

To be safe, this is where I stopped, as there was no file submission. I reenabled my Antivirus.

Here is the ComboFix log:

ComboFix 09-06-23.01 - Tony 06/23/2009 21:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1344 [GMT -7:00]
Running from: c:\documents and settings\Tony\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tony\Desktop\CFScript.txt.txt
AV: Norton 360 Premier Edition *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 Premier Edition *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ubpcfypuxfcpnw

((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-06-24 )))))))))))))))))))))))))))))))
.

2009-06-18 06:28 . 2009-06-18 06:28 2 ----a-w- c:\windows\010112010146118114.dat
2009-06-18 06:24 . 2009-06-18 06:24 172 ----a-w- C:\nm8912.bat
2009-06-13 18:40 . 2009-06-13 18:40 -------- d-----w- c:\documents and settings\Visitor\Local Settings\Application Data\QuickPlay
2009-06-13 18:40 . 2009-06-13 18:40 -------- d-----w- c:\documents and settings\Visitor\Application Data\HP
2009-06-10 17:18 . 2009-06-10 17:18 152576 ----a-w- c:\documents and settings\Tony\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-05 20:57 . 2009-06-05 20:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-24 05:05 . 2006-07-28 14:17 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-24 04:28 . 2006-07-28 11:39 -------- d-----w- c:\program files\Java
2009-06-24 03:53 . 2007-12-19 00:08 -------- d-----w- c:\documents and settings\Tony\Application Data\HPAppData
2009-06-20 17:11 . 2006-08-17 22:25 -------- d-----w- c:\program files\iTunes
2009-06-20 17:11 . 2006-08-17 22:25 -------- d-----w- c:\program files\iPod
2009-06-20 17:11 . 2007-07-02 17:56 -------- d-----w- c:\program files\Common Files\Apple
2009-06-20 17:10 . 2006-08-17 22:26 -------- d-----w- c:\program files\QuickTime
2009-06-19 04:09 . 2006-08-31 03:26 -------- d-----w- c:\documents and settings\Tony\Application Data\Skype
2009-06-19 00:34 . 2008-09-07 02:16 -------- d-----w- c:\documents and settings\Tony\Application Data\skypePM
2009-06-14 18:50 . 2008-01-02 19:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-12 15:32 . 2008-04-07 22:12 -------- d-----w- c:\program files\Safari
2009-05-22 19:46 . 2006-07-28 14:27 -------- d-----w- c:\program files\Quicken
2009-05-22 19:43 . 2009-05-22 19:43 1536000 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181414-18154.dll
2009-05-22 19:42 . 2009-01-25 16:49 242976 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2009-05-21 18:33 . 2008-09-28 15:46 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-21 15:46 . 2009-05-21 15:46 488960 ----a-w- c:\documents and settings\Tony\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\octosh...070-0-main.dll
2009-05-21 15:45 . 2009-05-21 15:45 319488 ----a-w- c:\documents and settings\Tony\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2009-05-17 15:42 . 2007-06-11 20:41 -------- d-----w- c:\documents and settings\Tony\Application Data\Move Networks
2009-05-11 03:26 . 2007-09-17 13:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-07 15:32 . 2004-08-10 15:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-10 15:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-10 15:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-10 15:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 15:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-13 18:37 . 2006-12-09 02:14 144784 ----a-w- c:\documents and settings\Visitor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-10 14:24 . 2009-04-10 14:24 152576 ----a-w- c:\documents and settings\Tony\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-01 05:46 . 2008-02-24 02:07 9584 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Static\NCO20.dll
2002-07-27 01:02 . 2007-12-19 07:41 153088 ----a-w- c:\program files\UNWISE.EXE
2008-12-16 04:37 . 2006-09-21 17:27 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-06-19_07.25.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-24 05:05 . 2009-06-24 05:05 16384 c:\windows\temp\Perflib_Perfdata_9e4.dat
+ 2009-06-24 05:05 . 2009-06-24 05:05 16384 c:\windows\temp\Perflib_Perfdata_830.dat
+ 2009-06-24 05:04 . 2009-06-24 05:04 16384 c:\windows\temp\Perflib_Perfdata_174.dat
+ 2009-06-24 05:07 . 2009-06-24 05:07 49152 c:\windows\temp\CompiledAdapter.dll
- 2009-06-19 07:23 . 2009-06-19 07:23 49152 c:\windows\temp\CompiledAdapter.dll
+ 2009-06-20 17:12 . 2009-06-20 17:12 102400 c:\windows\Installer\{5D601655-6D54-4384-B52C-17EC5385FBBD}\iTunesIco.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-15 68856]
"Google Update"="c:\documents and settings\Tony\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-15 7561216]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-04-15 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-21 213936]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-21 86960]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb13.exe" [2004-11-24 172032]
"HPHUPD06"="c:\program files\HP\{BA2D9411-DBB4-43e4-9421-780413650A67}\hphupd06.exe" [2004-12-16 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-12-16 622592]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2004-09-21 73728]
"USBToolTip"="c:\program files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2006-06-01 196608]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-01-30 438272]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-21 213936]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-15 565008]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360 Premier Edition\osCheck.exe" [2008-02-26 988512]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-04-15 1519616]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2008-04-14 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-03 61952]

c:\documents and settings\Tony\Start Menu\Programs\Startup\
qlock.lnk - c:\program files\Qlock\qlock.exe [2006-7-31 4102656]

c:\documents and settings\Erin\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{DB7E00C9-6DEF-489A-8112-D8F81614F45A}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe [2006-8-17 61440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-2-27 581693]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
HP Photosmart Premier Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Abacast\\Abaclient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 10:28 AM 204800]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 12:37 PM 149352]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [1/30/2008 4:52 AM 106496]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/27/2009 12:54 PM 101936]
S2 pciinfo;HP Pci Information;\??\c:\docume~1\Tony\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\Tony\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 7:32 PM 23888]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [4/12/2008 2:21 PM 29744]
S3 iComp;HP Analog TV Tuner;c:\windows\system32\drivers\p2usbwdm.sys [1/17/2006 12:37 AM 1536000]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\windows\system32\PLCNDIS5.SYS [1/20/2003 10:30 AM 17018]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [8/29/2006 8:58 AM 15576]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-06-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-06-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-747133990-1552522543-3996072772-1005.job
- c:\documents and settings\Tony\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 04:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www6.comcast.net/b/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: turbotax.com
Trusted Zone: wsj.com\online
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-23 22:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???`R??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,68,b3,2c,52,24,
1c,87,f8,2e,e8,e1,00,eb,16,2b,de,48,f0,d2,da,09,65,74,3b,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,ce,60,e3,63,f0,
c9,d5,17,46,47,15,b0,92,4b,c7,ef,a7,98,79,87,5e,98,39,9e,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,af,14,c0,a0,98,
b7,40,26,7a,45,05,fd,91,e8,6f,31,02,7f,c0,2c,d7,b4,25,ea,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,f9,55,4f,7e,4d,
64,ca,9b,6b,65,49,6a,7e,99,74,f7,a0,ac,d5,9f,d1,62,d3,e7,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,ac,b6,a7,55,e9,
b7,d9,05,e9,02,6c,fa,fb,1d,47,57,1e,93,84,33,68,2f,7b,59,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:50,93,e5,ab,ec,6a,4e,ab,7c,c2,07,37,b2,
7d,94,f6,50,93,e5,ab,ec,6a,4e,ab,99,e5,94,7e,9c,4e,a9,f7,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,c0,fc,36,0c,19,
83,5f,a5,97,20,4e,9a,c7,f1,35,ee,ad,b4,fa,a2,da,14,d8,3d,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,59,8e,53,91,d8,
3d,9e,bb,aa,52,c6,00,84,3c,26,64,8e,38,03,21,d7,31,0f,e4,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,6e,1a,84,60,a8,
26,31,40,b2,46,9a,e2,1b,fe,1b,94,45,55,c8,39,fe,c1,0a,5b,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,38,d3,f4,66,22,
c5,29,c2,37,a4,aa,c3,a6,15,56,0a,f6,45,2e,99,2e,1e,bf,80,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:f8,31,0f,a9,5f,a0,ec,fb,c2,ec,0c,02,28,
2f,a1,60,f8,31,0f,a9,5f,a0,ec,fb,c9,32,68,5a,5b,07,7c,30,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,4a,41,d1,d4,45,
02,08,e0,05,73,21,dd,54,d8,4a,c5,b5,04,d7,ab,e0,83,f4,c1,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(9608)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\msdtc.exe
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\mqsvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\searchindexer.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\java.exe
c:\windows\system32\mqtgsvc.exe
c:\program files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
c:\windows\ehome\ehmsas.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\Hp\Digital Imaging\bin\hpqimzone.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hp\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-06-24 22:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-24 05:15
ComboFix2.txt 2009-06-19 07:30

Pre-Run: 955,858,944 bytes free
Post-Run: 1,291,948,032 bytes free

334 --- E O F --- 2009-06-14 18:50

tetonbob · 06-24-2009, 07:06 AM

There was no file for submission, because there was no file present to collect. Please continue with the remaining instructions.

tcadena · 06-24-2009, 03:54 PM

Next Steps:

I downloaded the Malwarebytes software. Interestingly, I noticed that when I rolled over the link and looked at the URL it was different than where I was directed to when I clicked the link. The "bad" website was: hxxp://majorgeeks.com/download.php?det=5756 (replacing the "http" with "hxxp"). I manually typed in the correct URL and downloaded Malwarebytes successfully.

Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.38
Database version: 2329
Windows 5.1.2600 Service Pack 3

6/24/2009 8:05:02 AM
mbam-log-2009-06-24 (08-05-02).txt

Scan type: Quick Scan
Objects scanned: 122244
Time elapsed: 9 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\010112010146118114.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146118114.lso (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\nm8912.bat (Malware.Trace) -> Quarantined and deleted successfully.

Here is the Kaspersky scan log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, June 24, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, June 24, 2009 18:19:21
Records in database: 2386834
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: no

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 157950
Threat name: 3
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 04:55:35

File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\hlwpuldrb.sys.vir Infected: Rootkit.Win32.Agent.lrk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_sdra64_.exe.zip Infected: Trojan-Spy.Win32.Zbot.wti 1
C:\System Volume Information\_restore{92EC12A7-009B-4D77-899D-FF91068A8284}\RP791\A0309634.exe Infected: Trojan.Win32.Agent.cmrk 1
C:\System Volume Information\_restore{92EC12A7-009B-4D77-899D-FF91068A8284}\RP793\A0309962.sys Infected: Rootkit.Win32.Agent.lrk 1

The selected area was scanned.

My machine appears to be acting "normally" thus far.

Thank you.

tetonbob · 06-24-2009, 04:07 PM

Hello -

Thanks for letting me know. MajorGeeks is one of the approved download hosts for MBAM. Odd you'd see that, though, as I thought the mbam download link only served up the cnet link.

The good news is, your logs look good.

The other items Kaspersky found are in ComboFix quarantine or System Restore points, and will be addressed by uninstalling ComboFix as instructed below.

Other than that....We should be done here. Some final housekeeping instructions, and protection information for you.

Your logs appear clean.You should be good to go. We still have a few items to address.

Disconnect from the internet and disable your AntiVirus temporarily.

Go to

-> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Re-enable your AntiVirus now. Reconnect to the internet at your leisure.

Delete any remaining tools we've used (DDS and GMER) and logs from them.

Empty your Recycle Bin.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

Microsoft Windows Update - http://www.windowsupdate.com
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
SpywareBlaster to help prevent spyware from installing in the first place.
- Install & update SpywareBlaster with the latest definitions.
  After you have updated, click the button - enable protection for all unprotected items
WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.
Winpatrol

Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

You can get a free copy of Winpatrol or use the Plus version for more features.

You can read Winpatrol's FAQ if you run into problems.
MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

Do not install more than one AntiVirus program because they will conflict with each other.
Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer
http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.

ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

tcadena · 06-24-2009, 07:01 PM

tetonbob and all of the tech team at techsupportforum.com:

I have completed the items above (uninstall ComboFix and deleted tools used, etc.) I am following up with the suggestions in the next day, as well.

Consider this issue resolved. Thanks very much for the help. I will certainly let others know of your remarkable assistance and will remain vigilant. I also plan to contribute to supporting techsupportforum.com.

Again, simply, thanks!

tetonbob · 06-24-2009, 07:25 PM

Hi tcadena -

I'm glad to have helped, thanks for the kind words, and consideration of support. We do appreciate that, and it helps keep the forum running for all.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.

06-20-2009, 10:02 AM	#1 (permalink)
tcadena Registered User Join Date: Jun 2009 Posts: 5 OS: windows XP	Google Hijack - Newbie Jumped the Gun? I suddenly found my Google search results hijacked to various other hosting or search websites. I found your website via a Google search (which I got to by manually typing in the URL so I didn't get hijacked) and it seemed like I had found the solution. The Google search led me to another user's solution and I did not (immediately) find the right place to start with DDS and GMER. In my frustration and haste, I downloaded and ran Combofix per Techsupportforum.com's instructions in that other thread and it has seemed to fix my problem, thus far. I had already had all my data backed up and didn't feel too much at risk. First of all, a big MEA CULPA for not being more careful and following your very clear instructions. I am posting the Combofix log below and I would like to know if I should re-start the process with DDS and GMER or do that if the problem recurs. Thank you in advance and, again, my apologies for the bonehead move to jump to what I thought was the "final answer". Tony When I ran Combofix, it informed me that it had detected the presence of rootkit activity in C:\WINDOWS\system32\sdra64.exe. Here is the Combofix log: ComboFix 09-06-18.02 - Tony 06/19/2009 0:04.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1560 [GMT -7:00] Running from: c:\documents and settings\Tony\Desktop\ComboFix.exe AV: Norton 360 Premier Edition On-access scanning disabled (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4} FW: Norton 360 Premier Edition disabled {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3} * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\recycled\NPROTECT c:\windows\Downloaded Program Files\MyWebEx c:\windows\system32\drivers\str.sys c:\windows\system32\lowsec c:\windows\system32\sdra64.exe c:\windows\TEMP\logishrd\LVPrcInj01.dll c:\recycled\NPROTECT\00000159.XML c:\recycled\NPROTECT\00000160.XML c:\recycled\NPROTECT\00000164.XML c:\recycled\NPROTECT\00000165.XML c:\recycled\NPROTECT\00000167.XML c:\recycled\NPROTECT\00000168.XML c:\recycled\NPROTECT\00000179.XML c:\recycled\NPROTECT\00000181.XML c:\recycled\NPROTECT\00000184.XML c:\recycled\NPROTECT\00000186.XML c:\recycled\NPROTECT\00000196.XML c:\recycled\NPROTECT\00000197.XML c:\recycled\NPROTECT\00000205.XML c:\recycled\NPROTECT\00000206.XML c:\recycled\NPROTECT\00000207.XML c:\recycled\NPROTECT\00000208.XML c:\recycled\NPROTECT\00000210.XML c:\recycled\NPROTECT\00000349.XML c:\recycled\NPROTECT\00000350.XML c:\recycled\NPROTECT\00000362.XML c:\recycled\NPROTECT\00000363.XML c:\recycled\NPROTECT\00000366.XML c:\recycled\NPROTECT\00000367.XML c:\recycled\NPROTECT\00000372.XML c:\recycled\NPROTECT\00000373.XML c:\recycled\NPROTECT\00000385.XML c:\recycled\NPROTECT\00000386.XML c:\recycled\NPROTECT\00000394.XML c:\recycled\NPROTECT\00000395.XML c:\recycled\NPROTECT\00000405.doc c:\recycled\NPROTECT\00000411.XML c:\recycled\NPROTECT\00000412.XML c:\recycled\NPROTECT\00000421.doc c:\recycled\NPROTECT\00000424.DOC c:\recycled\NPROTECT\00000479.XML c:\recycled\NPROTECT\00000480.XML c:\recycled\NPROTECT\00000575.jpg c:\recycled\NPROTECT\00000587.XML c:\recycled\NPROTECT\00000588.XML c:\recycled\NPROTECT\00000590.XML c:\recycled\NPROTECT\00000591.XML c:\recycled\NPROTECT\00000593.XML c:\recycled\NPROTECT\00000594.XML c:\recycled\NPROTECT\00000598.XML c:\recycled\NPROTECT\00000599.XML c:\recycled\NPROTECT\00000601.XML c:\recycled\NPROTECT\00000602.XML c:\recycled\NPROTECT\00000650.jpg c:\recycled\NPROTECT\00000656.jpg c:\recycled\NPROTECT\00000663.jpg c:\windows\Downloaded Program Files\MyWebEx\419\atarm.dll c:\windows\Downloaded Program Files\MyWebEx\419\atas32.dll c:\windows\Downloaded Program Files\MyWebEx\419\atasanot.exe c:\windows\Downloaded Program Files\MyWebEx\419\atasctrl.dll c:\windows\Downloaded Program Files\MyWebEx\419\atasnt40.dll c:\windows\Downloaded Program Files\MyWebEx\419\atcarmcl.dll c:\windows\Downloaded Program Files\MyWebEx\419\atdl2006.dll c:\windows\Downloaded Program Files\MyWebEx\419\atjpeg60.dll c:\windows\Downloaded Program Files\MyWebEx\419\atkbctl.dll c:\windows\Downloaded Program Files\MyWebEx\419\atlchat.dll c:\windows\Downloaded Program Files\MyWebEx\419\atmemmgr.dll c:\windows\Downloaded Program Files\MyWebEx\419\atnetext.dll c:\windows\Downloaded Program Files\MyWebEx\419\atpack.dll c:\windows\Downloaded Program Files\MyWebEx\419\atres.dll c:\windows\Downloaded Program Files\MyWebEx\419\attp.dll c:\windows\Downloaded Program Files\MyWebEx\419\atwbxui6.dll c:\windows\Downloaded Program Files\MyWebEx\419\h264dec.dll c:\windows\Downloaded Program Files\MyWebEx\419\h264enc.dll c:\windows\Downloaded Program Files\MyWebEx\419\mmssl32.dll c:\windows\Downloaded Program Files\MyWebEx\419\msess.dll c:\windows\Downloaded Program Files\MyWebEx\419\mticket.dll c:\windows\Downloaded Program Files\MyWebEx\419\mutiltpd.dll c:\windows\Downloaded Program Files\MyWebEx\419\mvc.dll c:\windows\Downloaded Program Files\MyWebEx\419\mwm.ini c:\windows\Downloaded Program Files\MyWebEx\419\mwmcliun.exe c:\windows\Downloaded Program Files\MyWebEx\419\mwmie.dll c:\windows\Downloaded Program Files\MyWebEx\419\mwmim.dll c:\windows\Downloaded Program Files\MyWebEx\419\mwmoi.dll c:\windows\Downloaded Program Files\MyWebEx\419\mwmpad.exe c:\windows\Downloaded Program Files\MyWebEx\419\mwmproxy.dll c:\windows\Downloaded Program Files\MyWebEx\419\mwmres.dll c:\windows\Downloaded Program Files\MyWebEx\419\mwmres1.dll c:\windows\Downloaded Program Files\MyWebEx\419\mwmupd.exe c:\windows\Downloaded Program Files\MyWebEx\419\raurl.dll c:\windows\Downloaded Program Files\MyWebEx\419\uilibres.dll c:\windows\Downloaded Program Files\MyWebEx\419\wbxcrypt.dll c:\windows\Downloaded Program Files\MyWebEx\419\webexmgr.dll c:\windows\kb913800.exe c:\windows\system32\AutoRun.inf c:\windows\system32\drivers\hlwpuldrb.sys c:\windows\system32\lowsec\local.ds c:\windows\system32\lowsec\user.ds c:\windows\system32\lowsec\user.ds.lll c:\windows\system32\sdra64.exe D:\Autorun.inf D:\Desktop.ini . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_UBPCFYPUXFCPNW ((((((((((((((((((((((((( Files Created from 2009-05-19 to 2009-06-19 ))))))))))))))))))))))))))))))) . 2009-06-18 06:28 . 2009-06-18 06:28 2 ----a-w- c:\windows\010112010146118114.dat 2009-06-18 06:24 . 2009-06-18 06:24 172 ----a-w- C:\nm8912.bat 2009-06-13 18:40 . 2009-06-13 18:40 -------- d-----w- c:\documents and settings\Visitor\Local Settings\Application Data\QuickPlay 2009-06-13 18:40 . 2009-06-13 18:40 -------- d-----w- c:\documents and settings\Visitor\Application Data\HP 2009-06-10 17:18 . 2009-06-10 17:18 152576 ----a-w- c:\documents and settings\Tony\Application Data\Sun\Java\jre1.6.0_14\lzma.dll 2009-06-07 20:19 . 2009-06-07 20:19 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe 2009-05-22 19:43 . 2009-05-22 19:43 1536000 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181414-18154.dll 2009-05-21 15:46 . 2009-05-21 15:46 488960 ----a-w- c:\documents and settings\Tony\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\octosh...070-0-main.dll 2009-05-21 15:45 . 2009-05-21 15:45 319488 ----a-w- c:\documents and settings\Tony\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-06-19 07:22 . 2006-07-28 14:17 -------- d-----w- c:\program files\Common Files\Symantec Shared 2009-06-19 06:05 . 2007-12-19 00:08 -------- d-----w- c:\documents and settings\Tony\Application Data\HPAppData 2009-06-19 04:09 . 2006-08-31 03:26 -------- d-----w- c:\documents and settings\Tony\Application Data\Skype 2009-06-19 00:56 . 2006-08-17 22:26 -------- d-----w- c:\program files\QuickTime 2009-06-19 00:34 . 2008-09-07 02:16 -------- d-----w- c:\documents and settings\Tony\Application Data\skypePM 2009-06-14 18:50 . 2008-01-02 19:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2009-06-12 15:32 . 2008-04-07 22:12 -------- d-----w- c:\program files\Safari 2009-06-10 17:19 . 2006-07-28 11:39 -------- d-----w- c:\program files\Java 2009-06-07 20:27 . 2006-08-17 22:25 -------- d-----w- c:\program files\iTunes 2009-06-07 20:27 . 2006-08-17 22:25 -------- d-----w- c:\program files\iPod 2009-06-07 20:27 . 2007-07-02 17:56 -------- d-----w- c:\program files\Common Files\Apple 2009-05-22 19:46 . 2006-07-28 14:27 -------- d-----w- c:\program files\Quicken 2009-05-22 19:42 . 2009-01-25 16:49 242976 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE 2009-05-21 18:33 . 2008-09-28 15:46 410984 ----a-w- c:\windows\system32\deploytk.dll 2009-05-17 15:42 . 2007-06-11 20:41 -------- d-----w- c:\documents and settings\Tony\Application Data\Move Networks 2009-05-11 03:26 . 2007-09-17 13:49 664 ----a-w- c:\windows\system32\d3d9caps.dat 2009-05-07 15:32 . 2004-08-10 15:00 345600 ----a-w- c:\windows\system32\localspl.dll 2009-04-29 04:56 . 2004-08-10 15:00 827392 ----a-w- c:\windows\system32\wininet.dll 2009-04-29 04:55 . 2004-08-10 15:00 78336 ----a-w- c:\windows\system32\ieencode.dll 2009-04-24 02:00 . 2009-04-24 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} 2009-04-23 20:08 . 2007-12-23 05:40 -------- d-----w- c:\documents and settings\Visitor\Application Data\HPAppData 2009-04-17 12:26 . 2004-08-10 15:00 1847168 ----a-w- c:\windows\system32\win32k.sys 2009-04-15 14:51 . 2004-08-10 15:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll 2009-04-13 18:37 . 2006-12-09 02:14 144784 ----a-w- c:\documents and settings\Visitor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-04-10 14:24 . 2009-04-10 14:24 152576 ----a-w- c:\documents and settings\Tony\Application Data\Sun\Java\jre1.6.0_13\lzma.dll 2009-04-01 05:46 . 2008-02-24 02:07 9584 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Static\NCO20.dll 2009-03-24 03:41 . 2007-06-11 20:41 34062 ----a-w- c:\documents and settings\Tony\Application Data\Move Networks\ie_bin\Uninst.exe 2009-03-24 03:41 . 2009-03-24 03:41 1047072 ----a-w- c:\documents and settings\Tony\Application Data\Move Networks\MoveMediaPlayer_071303000006.exe 2002-07-27 01:02 . 2007-12-19 07:41 153088 ----a-w- c:\program files\UNWISE.EXE 2008-12-16 04:37 . 2006-09-21 17:27 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-15 68856] "Google Update"="c:\documents and settings\Tony\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-15 7561216] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-04-15 86016] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808] "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400] "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-21 213936] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-21 86960] "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072] "Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960] "RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840] "Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072] "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb13.exe" [2004-11-24 172032] "HPHUPD06"="c:\program files\HP\{BA2D9411-DBB4-43e4-9421-780413650A67}\hphupd06.exe" [2004-12-16 49152] "HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-12-16 622592] "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152] "USB2Check"="c:\windows\system32\PCLECoInst.dll" [2004-09-21 73728] "USBToolTip"="c:\program files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2006-06-01 196608] "PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016] "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792] "WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-01-30 438272] "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-21 213936] "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512] "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-15 565008] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048] "osCheck"="c:\program files\Norton 360 Premier Edition\osCheck.exe" [2008-02-26 988512] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888] "MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984] "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-04-15 1519616] "MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2008-04-14 177152] "High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-03 61952] c:\documents and settings\Erin\Start Menu\Programs\Startup\ Vongo Tray.lnk - c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{DB7E00C9-6DEF-489A-8112-D8F81614F45A}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe [2006-8-17 61440] c:\documents and settings\Tony\Start Menu\Programs\Startup\ qlock.lnk - c:\program files\Qlock\qlock.exe [2006-7-31 4102656] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-2-27 581693] HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520] HP Photosmart Premier Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400] [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "LightScribeService"=2 (0x2) "iPod Service"=3 (0x3) "Bonjour Service"=2 (0x2) "Apple Mobile Device"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\WINDOWS\\system32\\mqsvc.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"= "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"= "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"= "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"= "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqnrs08.exe"= "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"= "c:\\Program Files\\Abacast\\Abaclient.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088] R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 10:28 AM 204800] R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 12:37 PM 149352] R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [1/30/2008 4:52 AM 106496] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/27/2009 12:54 PM 101936] S2 pciinfo;HP Pci Information;\??\c:\docume~1\Tony\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\Tony\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?] S2 ubpcfypuxfcpnw;ubpcfypuxfcpnw;\??\c:\windows\system32\drivers\hlwpuldrb.sys --> c:\windows\system32\drivers\hlwpuldrb.sys [?] S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 7:32 PM 23888] S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [4/12/2008 2:21 PM 29744] S3 iComp;HP Analog TV Tuner;c:\windows\system32\drivers\p2usbwdm.sys [1/17/2006 12:37 AM 1536000] S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\windows\system32\PLCNDIS5.SYS [1/20/2003 10:30 AM 17018] S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [8/29/2006 8:58 AM 15576] --- Other Services/Drivers In Memory --- NewlyCreated - COMHOST [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc HPService REG_MULTI_SZ HPSLPSVC [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] "c:\program files\Common Files\LightScribe\LSRunOnce.exe" . Contents of the 'Scheduled Tasks' folder 2009-06-12 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34] 2009-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-747133990-1552522543-3996072772-1005.job - c:\documents and settings\Tony\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 04:11] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www6.comcast.net/b/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = .local uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm Trusted Zone: turbotax.com Trusted Zone: wsj.com\online Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll . *********************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-06-19 00:24 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????P??????(?@???????@ scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,68,b3,2c,52,24, 1c,87,f8,2e,e8,e1,00,eb,16,2b,de,48,f0,d2,da,09,65,74,3b,e2,63,26,f1,3f,c8,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,ce,60,e3,63,f0, c9,d5,17,46,47,15,b0,92,4b,c7,ef,a7,98,79,87,5e,98,39,9e,6a,9c,d6,61,af,45,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,af,14,c0,a0,98, b7,40,26,7a,45,05,fd,91,e8,6f,31,02,7f,c0,2c,d7,b4,25,ea,ff,7c,85,e0,43,d4,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,f9,55,4f,7e,4d, 64,ca,9b,6b,65,49,6a,7e,99,74,f7,a0,ac,d5,9f,d1,62,d3,e7,86,8c,21,01,be,91,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,ac,b6,a7,55,e9, b7,d9,05,e9,02,6c,fa,fb,1d,47,57,1e,93,84,33,68,2f,7b,59,f5,1d,4d,73,a8,13,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:50,93,e5,ab,ec,6a,4e,ab,7c,c2,07,37,b2, 7d,94,f6,50,93,e5,ab,ec,6a,4e,ab,99,e5,94,7e,9c,4e,a9,f7,df,20,58,62,78,6b,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,c0,fc,36,0c,19, 83,5f,a5,97,20,4e,9a,c7,f1,35,ee,ad,b4,fa,a2,da,14,d8,3d,fb,a7,78,e6,12,2f,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,59,8e,53,91,d8, 3d,9e,bb,aa,52,c6,00,84,3c,26,64,8e,38,03,21,d7,31,0f,e4,01,3a,48,fc,e8,04,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,6e,1a,84,60,a8, 26,31,40,b2,46,9a,e2,1b,fe,1b,94,45,55,c8,39,fe,c1,0a,5b,f6,0f,4e,58,98,5b,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,38,d3,f4,66,22, c5,29,c2,37,a4,aa,c3,a6,15,56,0a,f6,45,2e,99,2e,1e,bf,80,3d,ce,ea,26,2d,45,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:f8,31,0f,a9,5f,a0,ec,fb,c2,ec,0c,02,28, 2f,a1,60,f8,31,0f,a9,5f,a0,ec,fb,c9,32,68,5a,5b,07,7c,30,2a,b7,cc,b5,b9,7f,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,4a,41,d1,d4,45, 02,08,e0,05,73,21,dd,54,d8,4a,c5,b5,04,d7,ab,e0,83,f4,c1,6c,43,2d,1e,aa,22,\ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(8704) c:\windows\TEMP\logishrd\LVPrcInj01.dll c:\program files\Windows Desktop Search\deskbar.dll c:\program files\Windows Desktop Search\en-us\dbres.dll.mui c:\program files\Windows Desktop Search\dbres.dll c:\program files\Windows Desktop Search\wordwheel.dll c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui c:\program files\Windows Desktop Search\msnlExtRes.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\btncopy.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\msdtc.exe c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe c:\windows\ehome\ehrecvr.exe c:\windows\ehome\ehSched.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe c:\windows\system32\java.exe c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe c:\program files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe c:\windows\system32\nvsvc32.exe c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe c:\windows\system32\mqsvc.exe c:\windows\system32\searchindexer.exe c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe c:\windows\system32\mqtgsvc.exe c:\program files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe c:\windows\ehome\ehmsas.exe c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE c:\program files\Hp\Digital Imaging\bin\hpqimzone.exe c:\windows\system32\wscntfy.exe c:\windows\system32\dllhost.exe c:\progra~1\HPQ\Shared\HPQTOA~1.EXE c:\program files\Hp\Digital Imaging\bin\hpqste08.exe . ************************************************************************** . Completion time: 2009-06-19 0:30 - machine was rebooted ComboFix-quarantined-files.txt 2009-06-19 07:30 Pre-Run: 1,775,386,624 bytes free Post-Run: 1,705,222,144 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect 434 --- E O F --- 2009-06-14 18:50

06-23-2009, 05:06 PM	#3 (permalink)
tcadena Registered User Join Date: Jun 2009 Posts: 5 OS: windows XP	Re: Google Hijack - Newbie Jumped the Gun? Thank you. 1. I am working on the first item of resetting passwords via an alternate computer. 2. Here are the results of running the command specified: 2007 Microsoft Office Suite Service Pack 1 (SP1) 32 Bit HP CIO Components Installer Abacast Client Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) Adobe Flash Player 10 ActiveX Adobe Flash Player Plugin Adobe Help Center 2.1 Adobe Photoshop Elements 5.0 Adobe Reader 8.1.2 Adobe Reader 8.1.2 Security Update 1 (KB403742) Adobe Shockwave Player 11 AIO_Scan AppCore Apple Mobile Device Support Apple Software Update Backup Bonjour BufferChm C7200 C7200_doccd c7200_Help CameraDrivers CameraUserGuides ccCommon Conexant HD Audio Copy Corel Paint Shop Pro X CP_AtenaShokunin1Config CP_CalendarTemplates1 cp_LightScribeConfig cp_OnlineProjectsConfig CP_Package_Basic1 CP_Package_Variety1 CP_Package_Variety2 CP_Package_Variety3 CP_Panorama1Config cp_PosterPrintConfig cp_UpdateProjectsConfig CreativeProjects CreativeProjectsTemplates Critical Update for Windows Media Player 11 (KB959772) CueTour Customer Experience Enhancement CustomerResearchQFolder Destination Component DeviceDiscovery DeviceManagementQFolder DiscAPI (Studio 10) DocProc DocProcQFolder Entriq MediaSphere 3.5.2.2 ESPNMotion eSupportQFolder Fax Garmin USB Drivers GearDrvs Google Chrome Google Desktop Google Earth Google Toolbar for Internet Explorer GoToMeeting 4.0.0.320 HDAUDIO Soft Data Fax Modem with SmartCP Hotfix 2050 for SQL Server 2000 ENU (KB948110) Hotfix 2055 for SQL Server 2000 ENU (KB960082) Hotfix for Windows Internet Explorer 7 (KB947864) Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 10 (KB903157) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB952287) HP Customer Participation Program 9.0 HP Driver Diagnostics HP Help and Support HP Imaging Device Functions 9.0 HP Integrated Module with Bluetooth wireless technology HP OCR Software 9.0 HP Photosmart All-In-One Software 9.0 HP Photosmart Cameras 7.0 HP Photosmart Essential 2.01 HP Photosmart Essential2.01 HP Photosmart Premier Software 6.5 HP Product Assistant HP Product Detection hp psc 700 series HP Quick Launch Buttons 6.00 E2 HP QuickPlay 2.1 HP Smart Web Printing HP Solution Center 9.0 HP Update HP User Guides--System Recovery HP User Guides 0019 HP Wireless Assistant 2.00 E1 hpicamDrvQFolder HPNetworkAssistant HPPhotoSmartExpress HPProductAssistant HpSdpAppCoreApp HPSSupply HPSystemDiagnostics InstantShare InstantShareDevices Intel(R) Network Connections Drivers IntelliMover iPod for Windows 2005-10-12 ItsDeductible Express iTunes J2SE Runtime Environment 5.0 Update 10 J2SE Runtime Environment 5.0 Update 11 J2SE Runtime Environment 5.0 Update 6 J2SE Runtime Environment 5.0 Update 8 J2SE Runtime Environment 5.0 Update 9 Java(TM) 6 Update 14 Java(TM) 6 Update 2 Java(TM) 6 Update 3 Java(TM) 6 Update 5 Java(TM) 6 Update 7 Java(TM) SE Runtime Environment 6 Update 1 LightScribe System Software 1.10.27.1 LightScribeTemplateLabeler Linksys Updater LiveUpdate (Symantec Corporation) LiveUpdate 3.2 (Symantec Corporation) LiveUpdate Notice (Symantec Corporation) Logitech Desktop Messenger Logitech Legacy USB Camera Driver Package Logitech QuickCam Logitech QuickCam Driver Package Logitech Updater Macromedia Flash Player 8 MarketResearch Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Hotfix (KB928366) Microsoft .NET Framework 2.0 Service Pack 1 Microsoft .NET Framework 3.0 Service Pack 1 Microsoft Base Smart Card Cryptographic Service Provider Package Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Office Excel MUI (English) 2007 Microsoft Office Outlook MUI (English) 2007 Microsoft Office PowerPoint MUI (English) 2007 Microsoft Office PowerPoint Viewer 2007 (English) Microsoft Office Proof (English) 2007 Microsoft Office Proof (French) 2007 Microsoft Office Proof (Spanish) 2007 Microsoft Office Proofing (English) 2007 Microsoft Office Shared MUI (English) 2007 Microsoft Office Shared Setup Metadata MUI (English) 2007 Microsoft Office Standard 2007 Microsoft Office Word MUI (English) 2007 Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs Microsoft Silverlight Microsoft Software Update for Web Folders (English) 12 Microsoft SQL Server Desktop Engine (PINNACLESYS) Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Visual C++ 2005 Redistributable MobileMe Control Panel Move Networks Media Player for Internet Explorer MSXML 4.0 SP2 (KB925672) MSXML 4.0 SP2 (KB927978) MSXML 4.0 SP2 (KB936181) MSXML 4.0 SP2 (KB954430) MSXML 6.0 Parser (KB933579) muvee autoProducer 4.5 MyDVD-VR Recorder NBC Universal 1.0.0.7 NetDeviceManager Netflix Movie Viewer NETGEAR XE102 Powerline Ethernet Adapter NetWaiting Norton 360 Norton 360 HTMLHelp Norton 360 Premier Edition (Symantec Corporation) Norton Confidential Core NVIDIA Drivers Octoshape add-in for Adobe Flash Player OptionalContentQFolder Otto PanoStandAlone PhotoGallery Photosmart 320,370,7400,8100,8400,8700 Series Picasa 2 Pinnacle Instant DVD Recorder Pinnacle MediaServer proDAD Heroglyph 2.5 PS_AIO_02_ProductContext PS_AIO_02_Software PS_AIO_02_Software_min PS8700 PSPExpress PSPrinters06 PSSWCORE Qlock Lite Quicken 2009 Quicken WillMaker Plus 2009 RandMap RAPID (Studio 10) Rhapsody Player Engine Safari Scan Security Update for 2007 Microsoft Office System (KB951550) Security Update for 2007 Microsoft Office System (KB951944) Security Update for 2007 Microsoft Office System (KB969559) Security Update for 2007 Microsoft Office System (KB969679) Security Update for CAPICOM (KB931906) Security Update for Microsoft Office Excel 2007 (KB969682) Security Update for Microsoft Office PowerPoint 2007 (KB957789) Security Update for Microsoft Office system 2007 (KB954326) Security Update for Microsoft Office system 2007 (KB969613) Security Update for Microsoft Office Word 2007 (KB969604) Security Update for Step By Step Interactive Training (KB898458) Security Update for Step By Step Interactive Training (KB923723) Security Update for Visio 2007 (KB947590) Security Update for Windows Internet Explorer 7 (KB928090) Security Update for Windows Internet Explorer 7 (KB929969) Security Update for Windows Internet Explorer 7 (KB931768) Security Update for Windows Internet Explorer 7 (KB933566) Security Update for Windows Internet Explorer 7 (KB937143) Security Update for Windows Internet Explorer 7 (KB938127) Security Update for Windows Internet Explorer 7 (KB939653) Security Update for Windows Internet Explorer 7 (KB942615) Security Update for Windows Internet Explorer 7 (KB944533) Security Update for Windows Internet Explorer 7 (KB950759) Security Update for Windows Internet Explorer 7 (KB953838) Security Update for Windows Internet Explorer 7 (KB956390) Security Update for Windows Internet Explorer 7 (KB958215) Security Update for Windows Internet Explorer 7 (KB960714) Security Update for Windows Internet Explorer 7 (KB961260) Security Update for Windows Internet Explorer 7 (KB963027) Security Update for Windows Internet Explorer 7 (KB969897) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player (KB952069) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 11 (KB954154) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows XP (KB923561) Security Update for Windows XP (KB923689) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951376) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952004) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB953839) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956391) Security Update for Windows XP (KB956572) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB957095) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB958690) Security Update for Windows XP (KB959426) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960715) Security Update for Windows XP (KB960803) Security Update for Windows XP (KB961373) Security Update for Windows XP (KB961501) Security Update for Windows XP (KB968537) Security Update for Windows XP (KB969898) Security Update for Windows XP (KB970238) SkinsHP1 Skype™ 4.0 SlideShow SmartAudio SmartSound Quicktracks Plugin SmartWebPrinting SolutionCenter Sonic Audio Module Sonic Copy Module Sonic Data Module Sonic Express Labeler Sonic MyDVD-VR Sonic MyDVD Deluxe Sonic Update Manager Sonic_PrimoSDK SonicAC3Encoder SonicMPEGEncoder SPBBC 32bit Status Studio 10 Studio 10 Bonus DVD Symantec Real Time Storage Protection Component Symantec Technical Support Controls SymNet Synaptics Pointing Device Driver Texas Instruments PCIxx21/x515/xx12 drivers. TIPCI Toolbox TrayApp TurboTax 2008 TurboTax 2008 WinPerFedFormset TurboTax 2008 WinPerProgramHelp TurboTax 2008 WinPerReleaseEngine TurboTax 2008 WinPerTaxSupport TurboTax 2008 WinPerUserEducation TurboTax 2008 woriper TurboTax 2008 wrapper TurboTax ItsDeductible 2005 TurboTax ItsDeductible 2006 TurboTax Premier 2004 TurboTax Premier 2005 TurboTax Premier 2007 TurboTax Premier Investments 2006 Unload UnloadSupport Update for 2007 Microsoft Office System (KB967642) Update for Microsoft Office Outlook 2007 (KB969907) Update for Outlook 2007 Junk Email Filter (kb970012) Update for Windows Media Player 10 (KB913800) Update for Windows Media Player 10 (KB926251) Update for Windows XP (KB951072-v2) Update for Windows XP (KB951978) Update for Windows XP (KB955839) Update for Windows XP (KB967715) Update Rollup 2 for Windows XP Media Center Edition 2005 VideoToolkit01 Virtual Earth 3D (Beta) Vongo WD Diagnostics WD Drive Manager (x86) WDCSAM Driver WebEx MeetMeNow WebFldrs XP WebReg WexTech AnswerWorks Windows Desktop Search 3.01 Windows Driver Package - Western Digital Technologies (WDC_SAM) WDC_SAM (12/05/2006 1.0.0007.0) Windows Genuine Advantage Notifications (KB905474) Windows Genuine Advantage Validation Tool (KB892130) Windows Imaging Component Windows Internet Explorer 7 Windows Media Format 11 runtime Windows Media Player 11 Windows Presentation Foundation Windows XP Media Center Edition 2005 KB925766 Windows XP Service Pack 3 WinZip 11.2 XML Paper Specification Shared Components Pack 1.0

06-23-2009, 06:10 PM	#4 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,548 OS: 2000 Pro; XP Pro; XP Home	Re: Google Hijack - Newbie Jumped the Gun? Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. --------------------------------------------------------------------------------------------- Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs): J2SE Runtime Environment 5.0 Update 10 J2SE Runtime Environment 5.0 Update 11 J2SE Runtime Environment 5.0 Update 6 J2SE Runtime Environment 5.0 Update 8 J2SE Runtime Environment 5.0 Update 9 Java(TM) 6 Update 2 Java(TM) 6 Update 3 Java(TM) 6 Update 5 Java(TM) 6 Update 7 Java(TM) SE Runtime Environment 6 Update 1 These are all outdated, and security risks by having them installed still. Unfortunately, Java does not uninstall these older versions when you update, nor tell you that you should. Going forward, Java will overwrite existing installs, so removing older versions should not be required after this. Leave Java(TM) 6 Update 14 alone, as it has the most recent security updates. --------------------------------------------------------------------------------------------- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix. Open notepad and copy/paste the text in the quotebox below into it: Code: http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/387339-google-hijack-newbie-jumped-gun.html#post2204899 Driver:: ubpcfypuxfcpnw Rootkit:: c:\windows\system32\drivers\hlwpuldrb.sys Collect:: c:\windows\system32\drivers\hlwpuldrb.sys Save this as CFScript.txt Referring to the picture above, drag CFScript.txt into ComboFix.exe Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal. When finished, it shall produce a log for you. Post that log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall. Note When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box. Please let me know if the file was successfully submitted . Thanks. ------------------------------------------------------ Ensure your AntiVirus and AntiSpyware applications are re-enabled. --------------------------------------------------------------------------------------------- Please download Malwarebytes' Anti-Malware to your desktop. Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following: Update Malwarebytes' Anti-Malware Launch Malwarebytes' Anti-Malware Then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select Perform quick scan, then click Scan. When the scan is complete, click OK, then Show Results to view the results. Be sure that everything is checked, and click Remove Selected. When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply. --------------------------------------------------------------------------------------------- Please perform this online scan to help look for remnants Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner Note To optimize scanning time and produce a more sensible report for review: Close any open programs Turn off the real time scanner of any existing antivirus program while performing the online scan. Click Accept, when prompted to download and install the program files and database of malware definitions. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes. Once the update is complete, click on Settings. Uncheck Mail databases. Next, click on My Computer under the green Scan bar to the left to start the scan. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined. Click View scan report at the bottom. Click the Save Report As... button. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply. --------------------------------------------------------------------------------------------- How is the machine behaving? __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

06-23-2009, 11:34 PM	#5 (permalink)
tcadena Registered User Join Date: Jun 2009 Posts: 5 OS: windows XP	Re: Google Hijack - Newbie Jumped the Gun? Thank you in advance. Per your instructions, I did the following, but stopped as indicated below: 1. I uninstalled as directed, only rebooting at the end of the complete list of uninstalls. Finished successfully. 2. I disabled AntiVirus (Norton); created and saved "CFScript.txt". I dragged CFScript.txt onto ComboFix.exe which caused ComboFix to launch. When ComboFix launched it indicated there was a newer version of ComboFix available and asked if I wanted to update. I responded "yes" and ComboFix relaunched after the update. Subsequently, Combofix DID produce a log which is posted at the end of this message. However, the following did NOT occur (from your instructions): "When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box." I am wondering if the message box and submission did not occur because ComboFix updated are restarted. To be safe, this is where I stopped, as there was no file submission. I reenabled my Antivirus. Here is the ComboFix log: ComboFix 09-06-23.01 - Tony 06/23/2009 21:53.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1344 [GMT -7:00] Running from: c:\documents and settings\Tony\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Tony\Desktop\CFScript.txt.txt AV: Norton 360 Premier Edition On-access scanning disabled (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4} FW: Norton 360 Premier Edition disabled {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\TEMP\logishrd\LVPrcInj01.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_ubpcfypuxfcpnw ((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-06-24 ))))))))))))))))))))))))))))))) . 2009-06-18 06:28 . 2009-06-18 06:28 2 ----a-w- c:\windows\010112010146118114.dat 2009-06-18 06:24 . 2009-06-18 06:24 172 ----a-w- C:\nm8912.bat 2009-06-13 18:40 . 2009-06-13 18:40 -------- d-----w- c:\documents and settings\Visitor\Local Settings\Application Data\QuickPlay 2009-06-13 18:40 . 2009-06-13 18:40 -------- d-----w- c:\documents and settings\Visitor\Application Data\HP 2009-06-10 17:18 . 2009-06-10 17:18 152576 ----a-w- c:\documents and settings\Tony\Application Data\Sun\Java\jre1.6.0_14\lzma.dll 2009-06-05 20:57 . 2009-06-05 20:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-06-24 05:05 . 2006-07-28 14:17 -------- d-----w- c:\program files\Common Files\Symantec Shared 2009-06-24 04:28 . 2006-07-28 11:39 -------- d-----w- c:\program files\Java 2009-06-24 03:53 . 2007-12-19 00:08 -------- d-----w- c:\documents and settings\Tony\Application Data\HPAppData 2009-06-20 17:11 . 2006-08-17 22:25 -------- d-----w- c:\program files\iTunes 2009-06-20 17:11 . 2006-08-17 22:25 -------- d-----w- c:\program files\iPod 2009-06-20 17:11 . 2007-07-02 17:56 -------- d-----w- c:\program files\Common Files\Apple 2009-06-20 17:10 . 2006-08-17 22:26 -------- d-----w- c:\program files\QuickTime 2009-06-19 04:09 . 2006-08-31 03:26 -------- d-----w- c:\documents and settings\Tony\Application Data\Skype 2009-06-19 00:34 . 2008-09-07 02:16 -------- d-----w- c:\documents and settings\Tony\Application Data\skypePM 2009-06-14 18:50 . 2008-01-02 19:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2009-06-12 15:32 . 2008-04-07 22:12 -------- d-----w- c:\program files\Safari 2009-05-22 19:46 . 2006-07-28 14:27 -------- d-----w- c:\program files\Quicken 2009-05-22 19:43 . 2009-05-22 19:43 1536000 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181414-18154.dll 2009-05-22 19:42 . 2009-01-25 16:49 242976 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE 2009-05-21 18:33 . 2008-09-28 15:46 410984 ----a-w- c:\windows\system32\deploytk.dll 2009-05-21 15:46 . 2009-05-21 15:46 488960 ----a-w- c:\documents and settings\Tony\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\octosh...070-0-main.dll 2009-05-21 15:45 . 2009-05-21 15:45 319488 ----a-w- c:\documents and settings\Tony\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe 2009-05-17 15:42 . 2007-06-11 20:41 -------- d-----w- c:\documents and settings\Tony\Application Data\Move Networks 2009-05-11 03:26 . 2007-09-17 13:49 664 ----a-w- c:\windows\system32\d3d9caps.dat 2009-05-07 15:32 . 2004-08-10 15:00 345600 ----a-w- c:\windows\system32\localspl.dll 2009-04-29 04:56 . 2004-08-10 15:00 827392 ----a-w- c:\windows\system32\wininet.dll 2009-04-29 04:55 . 2004-08-10 15:00 78336 ----a-w- c:\windows\system32\ieencode.dll 2009-04-17 12:26 . 2004-08-10 15:00 1847168 ----a-w- c:\windows\system32\win32k.sys 2009-04-15 14:51 . 2004-08-10 15:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll 2009-04-13 18:37 . 2006-12-09 02:14 144784 ----a-w- c:\documents and settings\Visitor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-04-10 14:24 . 2009-04-10 14:24 152576 ----a-w- c:\documents and settings\Tony\Application Data\Sun\Java\jre1.6.0_13\lzma.dll 2009-04-01 05:46 . 2008-02-24 02:07 9584 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Static\NCO20.dll 2002-07-27 01:02 . 2007-12-19 07:41 153088 ----a-w- c:\program files\UNWISE.EXE 2008-12-16 04:37 . 2006-09-21 17:27 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((( SnapShot@2009-06-19_07.25.51 ))))))))))))))))))))))))))))))))))))))))) . + 2009-06-24 05:05 . 2009-06-24 05:05 16384 c:\windows\temp\Perflib_Perfdata_9e4.dat + 2009-06-24 05:05 . 2009-06-24 05:05 16384 c:\windows\temp\Perflib_Perfdata_830.dat + 2009-06-24 05:04 . 2009-06-24 05:04 16384 c:\windows\temp\Perflib_Perfdata_174.dat + 2009-06-24 05:07 . 2009-06-24 05:07 49152 c:\windows\temp\CompiledAdapter.dll - 2009-06-19 07:23 . 2009-06-19 07:23 49152 c:\windows\temp\CompiledAdapter.dll + 2009-06-20 17:12 . 2009-06-20 17:12 102400 c:\windows\Installer\{5D601655-6D54-4384-B52C-17EC5385FBBD}\iTunesIco.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-15 68856] "Google Update"="c:\documents and settings\Tony\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-15 7561216] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-04-15 86016] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808] "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400] "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-21 213936] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-21 86960] "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072] "Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960] "RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840] "Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072] "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb13.exe" [2004-11-24 172032] "HPHUPD06"="c:\program files\HP\{BA2D9411-DBB4-43e4-9421-780413650A67}\hphupd06.exe" [2004-12-16 49152] "HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-12-16 622592] "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152] "USB2Check"="c:\windows\system32\PCLECoInst.dll" [2004-09-21 73728] "USBToolTip"="c:\program files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2006-06-01 196608] "PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016] "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792] "WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-01-30 438272] "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-21 213936] "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512] "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-15 565008] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048] "osCheck"="c:\program files\Norton 360 Premier Edition\osCheck.exe" [2008-02-26 988512] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888] "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-04-15 1519616] "MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2008-04-14 177152] "High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-03 61952] c:\documents and settings\Tony\Start Menu\Programs\Startup\ qlock.lnk - c:\program files\Qlock\qlock.exe [2006-7-31 4102656] c:\documents and settings\Erin\Start Menu\Programs\Startup\ Vongo Tray.lnk - c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{DB7E00C9-6DEF-489A-8112-D8F81614F45A}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe [2006-8-17 61440] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-2-27 581693] HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520] HP Photosmart Premier Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400] [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "LightScribeService"=2 (0x2) "iPod Service"=3 (0x3) "Bonjour Service"=2 (0x2) "Apple Mobile Device"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\WINDOWS\\system32\\mqsvc.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"= "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"= "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"= "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"= "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqnrs08.exe"= "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"= "c:\\Program Files\\Abacast\\Abaclient.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088] R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 10:28 AM 204800] R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 12:37 PM 149352] R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [1/30/2008 4:52 AM 106496] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/27/2009 12:54 PM 101936] S2 pciinfo;HP Pci Information;\??\c:\docume~1\Tony\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\Tony\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?] S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 7:32 PM 23888] S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [4/12/2008 2:21 PM 29744] S3 iComp;HP Analog TV Tuner;c:\windows\system32\drivers\p2usbwdm.sys [1/17/2006 12:37 AM 1536000] S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\windows\system32\PLCNDIS5.SYS [1/20/2003 10:30 AM 17018] S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [8/29/2006 8:58 AM 15576] --- Other Services/Drivers In Memory --- NewlyCreated - COMHOST [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc HPService REG_MULTI_SZ HPSLPSVC [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] "c:\program files\Common Files\LightScribe\LSRunOnce.exe" . Contents of the 'Scheduled Tasks' folder 2009-06-19 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34] 2009-06-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-747133990-1552522543-3996072772-1005.job - c:\documents and settings\Tony\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 04:11] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www6.comcast.net/b/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = .local uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm Trusted Zone: turbotax.com Trusted Zone: wsj.com\online Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll . *********************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-06-23 22:07 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???`R??????(?@???????@ scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,68,b3,2c,52,24, 1c,87,f8,2e,e8,e1,00,eb,16,2b,de,48,f0,d2,da,09,65,74,3b,e2,63,26,f1,3f,c8,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,ce,60,e3,63,f0, c9,d5,17,46,47,15,b0,92,4b,c7,ef,a7,98,79,87,5e,98,39,9e,6a,9c,d6,61,af,45,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,af,14,c0,a0,98, b7,40,26,7a,45,05,fd,91,e8,6f,31,02,7f,c0,2c,d7,b4,25,ea,ff,7c,85,e0,43,d4,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,f9,55,4f,7e,4d, 64,ca,9b,6b,65,49,6a,7e,99,74,f7,a0,ac,d5,9f,d1,62,d3,e7,86,8c,21,01,be,91,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,ac,b6,a7,55,e9, b7,d9,05,e9,02,6c,fa,fb,1d,47,57,1e,93,84,33,68,2f,7b,59,f5,1d,4d,73,a8,13,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:50,93,e5,ab,ec,6a,4e,ab,7c,c2,07,37,b2, 7d,94,f6,50,93,e5,ab,ec,6a,4e,ab,99,e5,94,7e,9c,4e,a9,f7,df,20,58,62,78,6b,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,c0,fc,36,0c,19, 83,5f,a5,97,20,4e,9a,c7,f1,35,ee,ad,b4,fa,a2,da,14,d8,3d,fb,a7,78,e6,12,2f,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,59,8e,53,91,d8, 3d,9e,bb,aa,52,c6,00,84,3c,26,64,8e,38,03,21,d7,31,0f,e4,01,3a,48,fc,e8,04,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,6e,1a,84,60,a8, 26,31,40,b2,46,9a,e2,1b,fe,1b,94,45,55,c8,39,fe,c1,0a,5b,f6,0f,4e,58,98,5b,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,38,d3,f4,66,22, c5,29,c2,37,a4,aa,c3,a6,15,56,0a,f6,45,2e,99,2e,1e,bf,80,3d,ce,ea,26,2d,45,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:f8,31,0f,a9,5f,a0,ec,fb,c2,ec,0c,02,28, 2f,a1,60,f8,31,0f,a9,5f,a0,ec,fb,c9,32,68,5a,5b,07,7c,30,2a,b7,cc,b5,b9,7f,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,4a,41,d1,d4,45, 02,08,e0,05,73,21,dd,54,d8,4a,c5,b5,04,d7,ab,e0,83,f4,c1,6c,43,2d,1e,aa,22,\ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(9608) c:\windows\TEMP\logishrd\LVPrcInj01.dll c:\program files\Windows Desktop Search\deskbar.dll c:\program files\Windows Desktop Search\en-us\dbres.dll.mui c:\program files\Windows Desktop Search\dbres.dll c:\program files\Windows Desktop Search\wordwheel.dll c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui c:\program files\Windows Desktop Search\msnlExtRes.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\btncopy.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\msdtc.exe c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe c:\windows\ehome\ehrecvr.exe c:\windows\ehome\ehSched.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe c:\program files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe c:\windows\system32\nvsvc32.exe c:\windows\system32\mqsvc.exe c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe c:\windows\system32\searchindexer.exe c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe c:\windows\system32\java.exe c:\windows\system32\mqtgsvc.exe c:\program files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe c:\windows\system32\dllhost.exe c:\windows\system32\wscntfy.exe c:\progra~1\HPQ\Shared\HPQTOA~1.EXE c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe c:\windows\ehome\ehmsas.exe c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE c:\program files\Hp\Digital Imaging\bin\hpqimzone.exe c:\program files\iPod\bin\iPodService.exe c:\program files\Hp\Digital Imaging\bin\hpqste08.exe . ************************************************************************** . Completion time: 2009-06-24 22:15 - machine was rebooted ComboFix-quarantined-files.txt 2009-06-24 05:15 ComboFix2.txt 2009-06-19 07:30 Pre-Run: 955,858,944 bytes free Post-Run: 1,291,948,032 bytes free 334 --- E O F --- 2009-06-14 18:50

06-24-2009, 07:06 AM	#6 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,548 OS: 2000 Pro; XP Pro; XP Home	Re: Google Hijack - Newbie Jumped the Gun? There was no file for submission, because there was no file present to collect. Please continue with the remaining instructions. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

06-24-2009, 03:54 PM	#7 (permalink)
tcadena Registered User Join Date: Jun 2009 Posts: 5 OS: windows XP	Re: Google Hijack - Newbie Jumped the Gun? Next Steps: I downloaded the Malwarebytes software. Interestingly, I noticed that when I rolled over the link and looked at the URL it was different than where I was directed to when I clicked the link. The "bad" website was: hxxp://majorgeeks.com/download.php?det=5756 (replacing the "http" with "hxxp"). I manually typed in the correct URL and downloaded Malwarebytes successfully. Here is the Malwarebytes log: Malwarebytes' Anti-Malware 1.38 Database version: 2329 Windows 5.1.2600 Service Pack 3 6/24/2009 8:05:02 AM mbam-log-2009-06-24 (08-05-02).txt Scan type: Quick Scan Objects scanned: 122244 Time elapsed: 9 minute(s), 9 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 3 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\010112010146118114.dat (Worm.KoobFace) -> Quarantined and deleted successfully. C:\WINDOWS\010112010146118114.lso (Worm.KoobFace) -> Quarantined and deleted successfully. C:\nm8912.bat (Malware.Trace) -> Quarantined and deleted successfully. Here is the Kaspersky scan log: -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7.0 REPORT Wednesday, June 24, 2009 Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600) Kaspersky Online Scanner version: 7.0.26.13 Program database last update: Wednesday, June 24, 2009 18:19:21 Records in database: 2386834 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: no Scan area - My Computer: C:\ D:\ E:\ Scan statistics: Files scanned: 157950 Threat name: 3 Infected objects: 4 Suspicious objects: 0 Duration of the scan: 04:55:35 File name / Threat name / Threats count C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\hlwpuldrb.sys.vir Infected: Rootkit.Win32.Agent.lrk 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\_sdra64_.exe.zip Infected: Trojan-Spy.Win32.Zbot.wti 1 C:\System Volume Information\_restore{92EC12A7-009B-4D77-899D-FF91068A8284}\RP791\A0309634.exe Infected: Trojan.Win32.Agent.cmrk 1 C:\System Volume Information\_restore{92EC12A7-009B-4D77-899D-FF91068A8284}\RP793\A0309962.sys Infected: Rootkit.Win32.Agent.lrk 1 The selected area was scanned. My machine appears to be acting "normally" thus far. Thank you.

06-24-2009, 04:07 PM	#8 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,548 OS: 2000 Pro; XP Pro; XP Home	Re: Google Hijack - Newbie Jumped the Gun? Hello - Thanks for letting me know. MajorGeeks is one of the approved download hosts for MBAM. Odd you'd see that, though, as I thought the mbam download link only served up the cnet link. The good news is, your logs look good. The other items Kaspersky found are in ComboFix quarantine or System Restore points, and will be addressed by uninstalling ComboFix as instructed below. Other than that....We should be done here. Some final housekeeping instructions, and protection information for you. Your logs appear clean.You should be good to go. We still have a few items to address. Disconnect from the internet and disable your AntiVirus temporarily. Go to -> Run -> copy/paste in the following single line command & click OK combofix /u This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points. Re-enable your AntiVirus now. Reconnect to the internet at your leisure. Delete any remaining tools we've used (DDS and GMER) and logs from them. Empty your Recycle Bin. Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs: Microsoft Windows Update - http://www.windowsupdate.com Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE. Winpatrol Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here. You can get a free copy of Winpatrol or use the Plus version for more features. You can read Winpatrol's FAQ if you run into problems. MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out. Do not install more than one AntiVirus program because they will conflict with each other. Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT. ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry. NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster. In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles How did I get infected in the first place? PC Safety and Security--What Do I Need? If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

06-24-2009, 07:01 PM	#9 (permalink)
tcadena Registered User Join Date: Jun 2009 Posts: 5 OS: windows XP	Re: Google Hijack - Newbie Jumped the Gun? tetonbob and all of the tech team at techsupportforum.com: I have completed the items above (uninstall ComboFix and deleted tools used, etc.) I am following up with the suggestions in the next day, as well. Consider this issue resolved. Thanks very much for the help. I will certainly let others know of your remarkable assistance and will remain vigilant. I also plan to contribute to supporting techsupportforum.com. Again, simply, thanks!

06-24-2009, 07:25 PM	#10 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,548 OS: 2000 Pro; XP Pro; XP Home	Re: Google Hijack - Newbie Jumped the Gun? Hi tcadena - I'm glad to have helped, thanks for the kind words, and consideration of support. We do appreciate that, and it helps keep the forum running for all. Surf Safely, and Think Prevention! Since this issue is resolved, this topic will be archived. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009