My wife clicked an ActiveX install. I have been running AVG 7 (fully updated, scanning daily) but had no spyware protection. After the incident I installed Spybot, but I am still encountering continued issues. Any help or direction would be greatly appreciated. Thank you!
Deckard's System Scanner v20071014.68
Run by Kevin on 2008-05-26 20:47:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
108: 2008-05-27 01:47:32 UTC - RP565 - Deckard's System Scanner Restore Point
107: 2008-05-27 01:21:03 UTC - RP564 - Software Distribution Service 3.0
106: 2008-05-26 19:37:03 UTC - RP563 - Removed Disney Mix It Plug-in
105: 2008-05-26 19:36:14 UTC - RP562 - Removed Disney Mix It Plug-in
104: 2008-05-26 04:13:27 UTC - RP561 - System Checkpoint
-- First Restore Point --
1: 2008-05-14 22:15:32 UTC - RP458 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as Kevin.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:34 PM, on 5/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Garmin\gStart.exe
C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Downloads\E-Sword\dss.exe
C:\DOWNLO~1\E-Sword\Kevin.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1088A60D-5070-43AF-9FFC-4FADB43DCFFA} - C:\WINDOWS\system32\geBuRHWM.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {240A2128-ACD4-4124-87AF-527124CAAC38} - C:\WINDOWS\system32\geBtQkLB.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {757B2BF5-B96B-4390-8FC6-4F5772569A99} - C:\WINDOWS\system32\nnnoNgfD.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {DD793BA8-1AC4-43C1-B23E-4DB887053E62} - C:\WINDOWS\system32\vtUomnNg.dll (file missing)
O2 - BHO: (no name) - {EA01956D-1E66-4DE3-B687-0C2DA16DAB65} - C:\WINDOWS\system32\jkkJawxX.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [3c57418d] rundll32.exe "C:\WINDOWS\system32\rdkfhssc.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1175441967562
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: geBtQkLB - geBtQkLB.dll (file missing)
O21 - SSODL: vbksrofa - {42D43DF8-9927-4192-950B-1BB21ADF625F} - C:\WINDOWS\vbksrofa.dll (file missing)
O21 - SSODL: mpfanvqg - {D4420CC5-903C-4A39-BD00-DBB2E83ADFAE} - C:\WINDOWS\mpfanvqg.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
--
End of file - 11408 bytes
-- HijackThis Fixed Entries (C:\DOWNLO~1\E-Sword\backups\) ---------------------
backup-20080526-203039-636 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
All drivers whitelisted.
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_134D&DEV_2189&SUBSYS_1002134D&REV_04\3&61AAA01&0&58
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_134D&DEV_2189&SUBSYS_1002134D&REV_04\3&61AAA01&0&58
Service:
-- Scheduled Tasks -------------------------------------------------------------
2008-05-26 20:17:32 306 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
2008-05-26 19:56:28 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-05-24 16:11:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
-- Files created between 2008-04-26 and 2008-05-26 -----------------------------
2008-05-26 19:29:23 90112 --a------ C:\WINDOWS\system32\drggfpok.dll
2008-05-26 14:36:16 0 d-------- C:\WINDOWS\system32\appmgmt
2008-05-25 19:29:34 90624 --a------ C:\WINDOWS\system32\cbgbdcko.dll
2008-05-23 19:26:42 90112 --a------ C:\WINDOWS\system32\fmhslsww.dll
2008-05-22 19:26:34 90624 --a------ C:\WINDOWS\system32\oucxisci.dll
2008-05-21 19:24:42 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-21 19:24:42 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-21 19:24:42 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-21 19:24:42 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-05-21 19:24:42 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-21 19:24:42 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-21 19:24:42 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-05-21 19:24:42 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-21 19:24:42 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-05-21 19:24:42 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-21 19:24:42 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-05-21 19:24:42 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-21 19:24:42 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-21 19:24:41 2097152 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-17 16:32:38 1237427 --ahs---- C:\WINDOWS\system32\dgikkUtv.ini2
2008-05-17 09:32:53 0 d--h----- C:\$AVG8.VAULT$
2008-05-17 08:30:55 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-17 08:30:55 0 d-------- C:\Documents and Settings\Kevin\Application Data\AVGTOOLBAR
2008-05-17 08:30:39 0 d-------- C:\Program Files\AVG
2008-05-17 08:30:39 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-17 00:08:03 615183 --ahs---- C:\WINDOWS\system32\gNnmoUtv.ini2
2008-05-16 17:03:17 1237427 --ahs---- C:\WINDOWS\system32\XxwaJkkj.ini2
2008-05-16 16:56:51 0 d--hs---- C:\WINDOWS\CSC
2008-05-15 22:15:36 1245634 --ahs---- C:\WINDOWS\system32\OqBHknmp.ini2
2008-05-15 18:16:56 1223839 --ahs---- C:\WINDOWS\system32\mWxIOXbc.ini2
2008-05-15 16:48:34 1238478 --ahs---- C:\WINDOWS\system32\MWHRuBeg.ini2
2008-05-14 18:25:25 1092339 --ahs---- C:\WINDOWS\system32\GPAcKkkj.ini2
2008-05-14 17:28:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-14 17:17:55 0 d-------- C:\Documents and Settings\Kevin\Application Data\TmpRecentIcons
2008-05-14 17:05:07 344 --ahs---- C:\WINDOWS\system32\WDNpYcfe.ini2
2008-05-13 20:53:51 3932160 --a------ C:\Documents and Settings\Sharon\NTUSER.DAT
2008-05-13 20:53:50 6029312 --a------ C:\Documents and Settings\Kevin\ntuser.dat
2008-05-13 20:53:20 1092011 --ahs---- C:\WINDOWS\system32\DfgNonnn.ini2
2008-04-30 17:04:36 0 d-------- C:\AMGCD
2008-04-30 16:51:50 299008 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2008-04-30 16:47:03 0 d-------- C:\Documents and Settings\Kevin\WINDOWS
2008-04-26 16:26:18 0 d-------- C:\Documents and Settings\Sharon\Application Data\Simple Star
2008-04-26 11:47:35 0 d-------- C:\e-Sword
2008-04-26 10:47:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
-- Find3M Report ---------------------------------------------------------------
2008-05-26 19:56:11 102991 --a------ C:\logfile
2008-05-26 13:22:09 0 d-------- C:\Program Files\e-Sword
2008-05-10 18:18:49 0 d-------- C:\Documents and Settings\Kevin\Application Data\U3
2008-04-29 06:37:27 0 d-------- C:\Program Files\Safari
2008-04-29 06:36:23 0 d-------- C:\Program Files\Apple Software Update
2008-04-26 10:47:49 0 d-------- C:\Program Files\Google
2008-04-05 17:08:40 62448 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-04-05 08:48:09 0 d-------- C:\Documents and Settings\Kevin\Application Data\Apple Computer
2008-04-04 22:57:47 0 d-------- C:\Program Files\iTunes
2008-04-04 22:57:12 0 d-------- C:\Program Files\iPod
2008-04-04 22:55:14 0 d-------- C:\Program Files\QuickTime
2008-03-29 22:32:55 0 d-------- C:\Documents and Settings\Kevin\Application Data\Walgreens
2008-03-15 07:10:11 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1088A60D-5070-43AF-9FFC-4FADB43DCFFA}]
C:\WINDOWS\system32\geBuRHWM.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{240A2128-ACD4-4124-87AF-527124CAAC38}]
C:\WINDOWS\system32\geBtQkLB.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{757B2BF5-B96B-4390-8FC6-4F5772569A99}]
C:\WINDOWS\system32\nnnoNgfD.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DD793BA8-1AC4-43C1-B23E-4DB887053E62}]
C:\WINDOWS\system32\vtUomnNg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA01956D-1E66-4DE3-B687-0C2DA16DAB65}]
C:\WINDOWS\system32\jkkJawxX.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [11/17/2006 05:42 AM C:\WINDOWS\soundman.exe]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [02/05/2007 03:52 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/27/2006 12:47 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [11/19/2007 07:48 PM]
"SNPSTD2"="C:\WINDOWS\vsnpstd2.exe" [01/05/2004 07:34 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [10/25/2007 05:37 PM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [10/25/2007 05:33 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" []
"SiSPower"="SiSPower.dll" [11/10/2006 06:39 PM C:\WINDOWS\system32\SiSPower.dll]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/04/2004 02:56 AM]
"3c57418d"="C:\WINDOWS\system32\rdkfhssc.dll" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"gStart"="C:\Garmin\gStart.exe" [08/23/2007 06:58 AM]
"Tracks Eraser Pro"="C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe" [05/23/2007 09:06 PM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 01:54 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Spybot - Search & Destroy"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [4/1/2007 8:23:28 PM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [4/26/2008 10:47:45 AM]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [9/19/2007 5:33:46 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 3:15:54 AM]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2/5/2007 3:40:46 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [02/05/2007 03:39 PM 294400]
"{240A2128-ACD4-4124-87AF-527124CAAC38}"= C:\WINDOWS\system32\geBtQkLB.dll [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vbksrofa"= {42D43DF8-9927-4192-950B-1BB21ADF625F} - C:\WINDOWS\vbksrofa.dll [ ]
"mpfanvqg"= {D4420CC5-903C-4A39-BD00-DBB2E83ADFAE} - C:\WINDOWS\mpfanvqg.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtQkLB]
geBtQkLB.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtUomnNg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3c57418d]
rundll32.exe "C:\WINDOWS\system32\drggfpok.dll",b
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28a59f3e-1d85-11dd-ae68-00142a08433f}]
AutoRun\command- F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9c6a9e2-4d30-11dc-ae2e-00142a08433f}]
AutoRun\command- F:\PStart.exe
-- Hosts -----------------------------------------------------------------------
8520 more entries in hosts file.
-- End of Deckard's System Scanner: finished at 2008-05-26 20:51:05 ------------