google hijack

Post by dingdandoo on 1st June 2009, 1:33 pm

I have been having problems lately with Google when I use Mozilla Firefox. Every time I do a search and click on one of the search results a new tab is opened, which redirects me to another website. A lot of the time it's a web page on MySpace layouts. I have used Opera as well and using Google in Opera is fine; it seems to be just Firefox that has been hijacked. I have tried to use Malwarebytes' Anti-Malware but it crashes every time I try to open it, most likely due to this malware. Any help would be appreciated, thanks.

Here is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:23:12, on 01/06/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16830)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Users\steven\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\rundll32.exe
C:\Windows\Explorer.EXE
C:\Program Files\Opera\opera.exe
C:\Users\steven\Documents\hijackgpthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Peer2Peer-EN Toolbar - {da21bd13-ca22-42e3-a071-98f08f1ca1e7} - C:\Program Files\Peer2Peer-EN\tbPeer.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: ZILLAbar Browser Helper Object - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Peer2Peer-EN Toolbar - {da21bd13-ca22-42e3-a071-98f08f1ca1e7} - C:\Program Files\Peer2Peer-EN\tbPeer.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O3 - Toolbar: Peer2Peer-EN Toolbar - {da21bd13-ca22-42e3-a071-98f08f1ca1e7} - C:\Program Files\Peer2Peer-EN\tbPeer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [PKR Pal] "C:\Program Files\PKR\pkrpal.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Users\steven\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [AVScan] C:\Users\steven\AppData\Roaming\winav.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\StartRegistryBooster.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.15\AMVConverter\grab.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.15\MediaManager\grab.html
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - [You must be registered and logged in to see this link.] (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{F701E09C-BDD0-4B6C-AE8F-DD25CE376EA8}: NameServer = 85.255.112.60,85.255.112.82
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.60,85.255.112.82
O17 - HKLM\System\CS7\Services\Tcpip\Parameters: NameServer = 85.255.112.60,85.255.112.82
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.60,85.255.112.82
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 10563 bytes


Re: google hijack

Post by Belahzur on 1st June 2009, 2:28 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:
    O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKCU\..\Run: [AVScan] C:\Users\steven\AppData\Roaming\winav.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F701E09C-BDD0-4B6C-AE8F-DD25CE376EA8}: NameServer = 85.255.112.60,85.255.112.82
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.60,85.255.112.82
    O17 - HKLM\System\CS7\Services\Tcpip\Parameters: NameServer = 85.255.112.60,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.60,85.255.112.82
  • Press "Fix Checked"
  • Close Hijack This.

Next,
1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:
3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.

  • We need to disable your local AV (Anti-virus) before running ComboFix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (Avira/Ad-Watch)
  • Double click on ComboFix.exe.
  • Follow the prompts.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Please PM me if I fail to respond within 24hrs.


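A defender-side triage script, added here as an example and not part of HijackThis, ComboFix or this forum's fix procedure: it applies the same three checks Belahzur made above (O17 NameServer entries pointing at resolvers the machine should not be using, O2 BHO registrations whose file is gone, and O4 autoruns launched straight from the Roaming profile root) to sample lines copied from the posted log. The expected-resolver address 192.168.1.1 and the one benign O17 line are constructed for the example.

```python
"""Triage a HijackThis log for the entry types a removal helper acts on first.

Added example for this thread; not part of HijackThis or ComboFix. The
expected-resolver set and the sample log below are constructed (most sample
lines are copied from the log posted in the thread).
"""
import ipaddress
import re

# Resolvers this machine is expected to use (constructed: a home router).
# Any other address in an O17 NameServer entry is reported for review.
EXPECTED_RESOLVERS = {ipaddress.ip_address("192.168.1.1")}

# HijackThis appends these when a registered component's file is absent.
# Such entries are dead weight and are exactly what the helper has removed.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d., ]+)$")
O2_RE = re.compile(r"^O2 - BHO: ")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# An .exe sitting directly in %AppData% (Roaming root). Vendor software lives
# in sub-folders (e.g. AppData\Local\Google\Update), so that is not matched.
ROAMING_ROOT_EXE_RE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe\b", re.IGNORECASE)


def triage_line(line):
    """Return a reason string if the line deserves review, else None."""
    line = line.strip()
    m = O17_RE.match(line)
    if m:
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        unexpected = []
        for s in servers:
            try:
                if ipaddress.ip_address(s) not in EXPECTED_RESOLVERS:
                    unexpected.append(s)
            except ValueError:
                unexpected.append(s)  # unparsable address: report it too
        if unexpected:
            return "O17: DNS server(s) not in expected set: " + ", ".join(unexpected)
        return None
    if O2_RE.match(line):
        if any(marker in line for marker in ORPHAN_MARKERS):
            return "O2: orphaned BHO registration (file absent)"
        return None
    m = O4_RE.match(line)
    if m and ROAMING_ROOT_EXE_RE.search(m.group("cmd")):
        return f"O4: autorun '{m.group('name')}' runs an executable from the Roaming profile root"
    return None


def triage_log(text):
    """Return [(reason, line), ...] for every flagged line, in log order."""
    findings = []
    for raw in text.splitlines():
        reason = triage_line(raw)
        if reason:
            findings.append((reason, raw.strip()))
    return findings


# Constructed sample: lines taken from the posted log plus one benign O17 line.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Google Update] "C:\Users\steven\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [AVScan] C:\Users\steven\AppData\Roaming\winav.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F701E09C-BDD0-4B6C-AE8F-DD25CE376EA8}: NameServer = 85.255.112.60,85.255.112.82
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.60,85.255.112.82
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.60,85.255.112.82
O17 - HKLM\System\CS7\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

if __name__ == "__main__":
    for reason, line in triage_log(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

The three O17 hits correspond to the DNS change that made Firefox searches land elsewhere: once the resolver is attacker-controlled, every browser on the machine is affected regardless of which one shows symptoms.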

Re: google hijack

Post by dingdandoo on 1st June 2009, 6:36 pm

Thanks for the help Belahzur,

I think the problem's fixed now. Is it normal though for the desktop background to be changed?

The ComboFix log:
ComboFix 09-05-31.06 - steven 01/06/2009 19:03.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.44.1033.18.958.320 [GMT 1:00]
Running from: c:\users\steven\Downloads\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
SP: AntiVir Desktop *disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\drivers\gxvxcbeeuohvshyhtmwqxylsgtajofmeuowiq.sys
c:\windows\system32\gxvxceisgxwnrwexqggqfmtnraquefufbwtmj.dll
c:\windows\system32\gxvxcfprhyrvenekwadbroorwtyrvtystpkuy.dll
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
D:\Autorun.inf

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-05-01 to 2009-06-01 )))))))))))))))))))))))))))))))
.

2009-06-01 18:15 . 2009-06-01 18:16 -------- d-----w- c:\users\steven\AppData\Local\temp
2009-06-01 18:15 . 2009-06-01 18:15 -------- d-----w- c:\users\dolly\AppData\Local\temp
2009-06-01 18:15 . 2009-06-01 18:15 -------- d-----w- c:\users\chubby\AppData\Local\temp
2009-06-01 10:33 . 2009-06-01 10:33 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-06-01 10:12 . 2009-06-01 10:12 -------- d-----w- c:\programdata\Sunbelt
2009-05-31 16:51 . 2009-05-31 16:54 -------- d-----w- c:\users\chubby\DoctorWeb
2009-05-31 13:31 . 2009-05-31 13:31 -------- d-----w- c:\users\chubby\.gimp-2.6
2009-05-31 13:31 . 2009-05-31 13:31 -------- d-----w- c:\users\chubby\.gegl-0.0
2009-05-31 11:24 . 2009-05-31 11:24 -------- d-----w- c:\program files\Trend Micro
2009-05-30 10:10 . 2009-03-12 08:17 2902048 -c--a-w- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-05-30 10:06 . 2009-05-30 10:10 -------- dc-h--w- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-24 11:42 . 2009-05-30 08:51 -------- d-----w- c:\program files\AccessMV
2009-05-20 22:51 . 2009-05-20 22:51 -------- d-----w- c:\users\chubby\AppData\Roaming\GRETECH
2009-05-18 17:38 . 2009-05-18 17:38 -------- d-----w- c:\users\steven\AppData\Roaming\Uniblue
2009-05-18 17:38 . 2008-12-22 08:47 2567619 -c--a-w- c:\programdata\{92E7A367-8E12-4830-AA70-29C32E331A81}\Uniblue RegistryBooster.exe
2009-05-18 17:38 . 2009-05-18 17:38 -------- d-----w- c:\program files\Uniblue
2009-05-18 17:38 . 2008-08-26 16:48 757760 -c--a-w- c:\programdata\{92E7A367-8E12-4830-AA70-29C32E331A81}\registrybooster2\2B86F085\6383BC9B\UBVarRB.dll
2009-05-18 17:38 . 2008-08-26 16:48 497496 -c--a-w- c:\programdata\{92E7A367-8E12-4830-AA70-29C32E331A81}\registrybooster2\AF01B0B\6383BC9B\XceedZip.dll
2009-05-18 17:38 . 2008-08-26 16:48 413696 -c--a-w- c:\programdata\{92E7A367-8E12-4830-AA70-29C32E331A81}\registrybooster2\52CD59C9\6383BC9B\update.dll
2009-05-18 17:38 . 2008-08-26 16:48 99624 -c--a-w- c:\programdata\{92E7A367-8E12-4830-AA70-29C32E331A81}\registrybooster2\7390E4F0\6383BC9B\StartRegistryBooster.exe
2009-05-18 17:38 . 2008-08-26 16:48 6676480 -c--a-w- c:\programdata\{92E7A367-8E12-4830-AA70-29C32E331A81}\registrybooster2\4E45A1A4\6383BC9B\RegistryBooster.dll
2009-05-18 17:38 . 2008-08-26 16:48 2019624 -c--a-w- c:\programdata\{92E7A367-8E12-4830-AA70-29C32E331A81}\registrybooster2\7CE1607E\6383BC9B\RegistryBooster.exe
2009-05-18 17:38 . 2008-08-26 16:48 111912 -c--a-w- c:\programdata\{92E7A367-8E12-4830-AA70-29C32E331A81}\registrybooster2\65B92A91\6383BC9B\KillRBProcess.exe
2009-05-18 17:37 . 2009-05-18 17:38 -------- dc-h--w- c:\programdata\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-05-18 14:50 . 2009-05-18 14:50 2967799 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 17:58 . 2007-06-22 12:10 352614 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
2009-06-01 10:32 . 2007-03-14 00:57 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-01 10:28 . 2008-12-10 23:38 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-31 17:54 . 2008-04-04 00:29 -------- d-----w- c:\programdata\Google Updater
2009-05-31 17:07 . 2008-12-10 16:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-30 17:33 . 2007-03-16 16:12 778 ----a-w- c:\users\steven\AppData\Roaming\wklnhst.dat
2009-05-30 08:46 . 2007-07-16 06:59 8160 ----a-w- c:\users\steven\AppData\Local\d3d9caps.dat
2009-05-26 12:20 . 2008-12-10 16:49 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 12:19 . 2008-12-10 16:49 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-25 09:44 . 2009-05-25 09:45 897536 ----a-w- c:\windows\Internet Logs\xDB8999.tmp
2009-05-16 23:05 . 2009-05-17 07:28 723968 ----a-w- c:\windows\Internet Logs\xDB866D.tmp
2009-05-15 06:39 . 2007-09-20 06:56 21655498 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-05-14 11:16 . 2009-04-23 15:29 -------- d-----w- c:\program files\PKR
2009-05-07 12:35 . 2009-03-26 14:26 -------- d-----w- c:\users\steven\AppData\Roaming\gtk-2.0
2009-05-03 23:27 . 2009-05-04 11:40 1531392 ----a-w- c:\windows\Internet Logs\xDB8056.tmp
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-04-30 11:17 . 2009-04-30 11:17 -------- d-----w- c:\programdata\Avira
2009-04-30 11:17 . 2009-04-30 11:17 -------- d-----w- c:\program files\Avira
2009-04-27 12:28 . 2009-04-27 12:28 299352 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-04-27 12:28 . 2009-04-27 12:28 25440 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-04-27 12:28 . 2009-04-27 12:28 15688 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-04-27 12:28 . 2009-04-27 12:28 165728 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-04-27 12:28 . 2009-04-27 12:28 343888 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-04-27 12:28 . 2009-04-27 12:28 289632 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-04-27 12:28 . 2009-04-27 12:28 82784 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-04-27 12:27 . 2009-04-27 12:27 1629024 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Resources.dll
2009-04-27 12:27 . 2009-04-27 12:27 212848 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-04-27 12:27 . 2009-04-27 12:27 40288 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-04-27 12:27 . 2009-04-27 12:29 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-04-27 12:27 . 2009-04-27 12:27 64160 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-04-27 12:27 . 2009-04-27 12:27 632680 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-04-27 12:26 . 2009-04-27 12:26 539512 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-04-27 12:25 . 2009-04-27 12:25 552808 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-04-27 12:25 . 2009-04-27 12:25 2324808 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-04-27 12:25 . 2009-04-27 12:25 626000 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-04-27 12:25 . 2009-04-27 12:25 516440 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-04-27 12:25 . 2009-04-27 12:25 953168 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-04-22 07:50 . 2007-03-14 00:42 -------- d-----w- c:\program files\Java
2009-04-17 21:56 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail


Re: google hijack

Post by dingdandoo on 1st June 2009, 6:36 pm

2009-04-17 21:55 . 2009-04-17 21:58 562176 ----a-w- c:\windows\Internet Logs\xDB755D.tmp
2009-04-12 00:23 . 2009-04-12 10:03 398848 ----a-w- c:\windows\Internet Logs\xDB8610.tmp
2009-04-04 23:12 . 2009-04-05 06:25 1328128 ----a-w- c:\windows\Internet Logs\xDB9452.tmp
2009-03-30 09:33 . 2009-04-30 11:18 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-03-24 15:08 . 2009-04-30 11:18 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-03-17 03:16 . 2009-04-16 16:32 14848 ----a-w- c:\windows\system32\apilogen.dll
2009-03-17 03:16 . 2009-04-16 16:32 25600 ----a-w- c:\windows\system32\amxread.dll
2009-03-08 10:07 . 2009-03-08 10:07 1099776 ----a-w- c:\windows\Internet Logs\xDB7261.tmp
2008-01-05 18:08 . 2008-01-05 18:06 80 --sha-r- c:\windows\System32\41C336709D.dll
2007-06-30 18:34 . 2007-06-10 15:08 88 --sha-r- c:\windows\System32\63F43ECA55.sys
2007-06-30 18:34 . 2007-06-10 15:08 3506 --sha-w- c:\windows\System32\KGyGaAvL.sys
2007-03-14 08:27 . 2007-03-14 08:26 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{da21bd13-ca22-42e3-a071-98f08f1ca1e7}]
2008-09-15 06:47 1784856 ----a-w- c:\program files\Peer2Peer-EN\tbPeer.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-09 1232896]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Google Update"="c:\users\steven\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-02-11 133104]
"Uniblue RegistryBooster 2009"="c:\program files\uniblue\registrybooster\StartRegistryBooster.exe" [2008-08-26 99624]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-08 7766016]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-01-09 959976]
"MSConfig"="c:\windows\system32\msconfig.exe" [2006-11-02 222208]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"PKR Pal"="c:\program files\PKR\pkrpal.exe" [2009-05-06 2296936]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-01 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*WerKernelReporting"="c:\windows\SYSTEM32\WerFault.exe" [2006-11-02 216064]

c:\users\chubby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2006-7-24 159744]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2478390336-1506789915-2723413947-1000]
"EnableNotificationsRef"=dword:00000004

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E40E23A0-3F53-4E0A-BD10-A6F87E251B89}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{7791C0C4-CF51-480E-8935-CC393054D22B}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{ED4FA755-F957-436B-B1C3-4A556E9004E6}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{284247BD-381A-4DA4-B3CA-7E9CF1050395}c:\\program files\\bitdownload\\bitdownload.exe"= UDP:c:\program files\bitdownload\bitdownload.exe:Torrent P2P application
"UDP Query User{FFA5B41E-DE13-4F37-A500-01DFFC202153}c:\\program files\\bitdownload\\bitdownload.exe"= TCP:c:\program files\bitdownload\bitdownload.exe:Torrent P2P application
"{A1500816-CCD4-4FA5-B76A-43FA30F5AF9D}"= UDP:c:\program files\Grisoft\AVG Free\avginet.exe:avginet.exe
"{936A4CEF-1F4D-48BF-B8E8-46B3CB11E1D2}"= TCP:c:\program files\Grisoft\AVG Free\avginet.exe:avginet.exe
"{FE92EC84-6EDD-4601-8DB8-0EA078D942AE}"= UDP:c:\program files\Grisoft\AVG Free\avgamsvr.exe:avgamsvr.exe
"{7E3F38D0-992F-48FF-83A3-E6ACBBB1334F}"= TCP:c:\program files\Grisoft\AVG Free\avgamsvr.exe:avgamsvr.exe
"{2F0B0DAA-0C98-44F7-8E3E-B167E16C1D36}"= UDP:c:\program files\Grisoft\AVG Free\avgcc.exe:avgcc.exe
"{952BB71B-9C91-4C79-B841-6CC26896AF02}"= TCP:c:\program files\Grisoft\AVG Free\avgcc.exe:avgcc.exe
"{437427C6-5375-4D58-80BB-2A1C3ADD2AB9}"= UDP:c:\program files\BitTorrent_DNA\dna.exe:BitTorrent DNA
"{A8A16130-69B4-497C-AF24-4EC370CAAD40}"= TCP:c:\program files\BitTorrent_DNA\dna.exe:BitTorrent DNA
"{5102C4C8-4D55-41B2-A006-851D239A45FF}"= UDP:c:\users\steven\Program Files\BitTorrent_DNA\dna.exe:BitTorrent DNA
"{C4D5C2F6-0A07-4863-96E8-3FDEE383B735}"= TCP:c:\users\steven\Program Files\BitTorrent_DNA\dna.exe:BitTorrent DNA
"{5D2A2DA1-EEBF-4313-BED5-4EE0C65ED9ED}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{805C0773-0B60-4022-80A0-66D576626A19}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{CF17122B-C2DC-4003-AD51-E38F5DD3A8F3}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{43B4FE5E-A35C-42DD-9104-E7F46B51E470}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"TCP Query User{3A25364A-1E94-4E25-BB3E-825531804BE0}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{47C6BC9E-D305-4226-8A02-6BEF3DB853A5}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"{616B929E-BBE3-4A0D-B542-5714045FA654}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{561491F4-2307-4B91-A0F9-D3F134A2B2B5}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C66A02AB-3363-49E1-8B88-D71B2713272B}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{9DAE95AE-BFF2-4391-8121-6505EAB7D258}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{B51033C1-52C9-421B-9D5E-046CC46E20DD}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent


Re: google hijack

Post by dingdandoo on 1st June 2009, 6:37 pm

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [27/04/2009 13:29 64160]
R0 szkg5;szkg;c:\windows\System32\drivers\SZKG.sys [12/12/2007 13:28 30208]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [30/04/2009 12:18 108289]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 951632]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\System32\drivers\s115mdfl.sys [23/04/2007 13:54 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\System32\drivers\s115mdm.sys [23/04/2007 13:54 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\System32\drivers\s115mgmt.sys [23/04/2007 13:54 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\System32\drivers\s115obex.sys [23/04/2007 13:54 98568]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\System32\drivers\w300mgmt.sys [16/03/2007 19:03 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\System32\drivers\w300obex.sys [16/03/2007 19:02 85696]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [22/02/2007 19:39 2808664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2009-06-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2009-05-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2478390336-1506789915-2723413947-1000.job
- c:\users\steven\AppData\Local\Google\Update\GoogleUpdate.exe [2009-02-11 13:42]

2009-05-24 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-02-13 13:15]

2009-06-01 c:\windows\Tasks\User_Feed_Synchronization-{1DFEA306-C0E8-4072-80CC-2A847A29AA5D}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]

2009-06-01 c:\windows\Tasks\User_Feed_Synchronization-{378FC4FB-AC9A-4968-BFF3-D0FD99701AD2}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]

2009-06-01 c:\windows\Tasks\User_Feed_Synchronization-{9B8571A5-D99F-405F-8499-8AAD102A1E2D}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.15\AMVConverter\grab.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: MediaManager tool grab multimedia file - c:\program files\MP3 Player Utilities 4.15\MediaManager\grab.html
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - [You must be registered and logged in to see this link.]
LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: pwsforums.com\www
FF - ProfilePath - c:\users\steven\AppData\Roaming\Mozilla\Firefox\Profiles\5cv9ex7j.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmidas.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Opera\program\plugins\Npindeo.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\users\steven\AppData\Local\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\users\steven\Picassa\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\users\steven\Picassa\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-01 19:16
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{5f246876-d822-40d0-9e94-56f15e4aa4d2}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:0e00147f
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{7ccb61a8-277e-4ee4-a990-a4df7defb5d3}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:0b000000
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{8063b8bf-e98a-4896-b59a-0ac70752649b}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:07001422
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{82890bb3-c89e-470a-9497-f0ab75ccd42d}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:07020054
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{ba9e677f-0ef8-4bb2-a3e5-3ba5c63d1e87}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:06001422
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{f701e09c-bdd0-4b6c-ae8f-dd25ce376ea8}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:0c001aa0
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{fe860af9-23f9-4e23-9c6f-5ee61aeb2cc9}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:0c001372
"Dhcpv6State"=dword:00000000
.
Completion time: 2009-06-01 19:20
ComboFix-quarantined-files.txt 2009-06-01 18:20
ComboFix2.txt 2008-12-10 22:53

Pre-Run: 9,925,820,416 bytes free
Post-Run: 10,381,406,208 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=7 Sets=1,2,3,4,5,6,7,16
339 --- E O F --- 2009-04-17 23:06


Re: google hijack

Post by Belahzur on 1st June 2009, 7:11 pm

Okay, nearly there now.

  • Open HijackThis.
  • When HijackThis opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245079
Likes: 1


Re: google hijack

Post by dingdandoo on 1st June 2009, 9:07 pm

Thanks,

Here's the save list:
4oD
7-Zip 4.57
AccessMV
Acrobat.com
Ad-Aware
Ad-Aware
Adobe AIR
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Photoshop 7.0
Adobe Reader 9.1
Adobe Shockwave Player 11
Age of Empires III
Apple Mobile Device Support
Apple Software Update
Avira AntiVir Personal - Free Antivirus
AVS Video Converter 6
AVS4YOU Software Navigator 1.2
Bonjour
BT Home Hub
CCleaner (remove only)
Championship Manager 2006
Clean Uninstaller
Dell System Customization Wizard
DellSupport
Disc2Phone
DivX Web Player
Elecard MPEG-2 Decoder&Streaming Pack
FLV Player 2.0 (build 25)
GIMP 2.6.4
GOM Player
Google Earth
Google Updater
GPL MPEG-1/2 DirectShow Decoder Filter
Highlight Viewer (Windows Live Toolbar)
HijackThis 2.0.2
Indeo® Software
iTunes
Java(TM) 6 Update 14
Java(TM) SE Runtime Environment 6
king.com (remove only)
LimeWire PRO 4.12.4
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
Messenger Plus! Live & Sponsor (CiD)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB929729)
Microsoft Device Emulator version 1.0 - ENU
Microsoft Document Explorer 2005
Microsoft Document Explorer 2005
Microsoft Office XP Professional with FrontPage
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual Studio 2005 Professional Edition - ENU
Microsoft Visual Studio 2005 Professional Edition - ENU Service Pack 1 (KB926601)
Microsoft Windows Logo
Microsoft Works
Mozilla Firefox (3.0.10)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
Nokia Connectivity Cable Driver
Nokia PC Connectivity Solution
Nokia PC Suite
Norton PC Checkup
NVIDIA Drivers
Nvu 1.0
Opera 9.62
Orange Preload
Peer2Peer-EN Toolbar
Picasa 3
PKR
Pop-Up Stopper Free Edition
PowerDVD
PSP Video 9 2.25
QuickTime
RealPlayer
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB937061)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB947738)
SigmaTel Audio
Sky Broadband
Smart Defrag 1.10
Smart Menus (Windows Live Toolbar)
Sonic Activation Module
STOPzilla
Ultra PSP Movie Converter 4.2.0716
Uniblue RegistryBooster 2009
Uniblue RegistryBooster 2009
Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB932232)
URL Assistant
User's Guides
VC80CRTRedist - 8.0.50727.762
VeohTV BETA
VideoLAN VLC media player 0.8.6d
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WinAVIVideoConverter
Windows Live Favorites for Windows Live Toolbar
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Upload Tool
Windows Media Player Firefox Plugin
Yahoo! Install Manager
Yahoo! Toolbar
ZoneAlarm


Re: google hijack

Post by Belahzur on 1st June 2009, 9:24 pm

Hello.

I see that you are running BitTorrent.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

If BitTorrent is not removed, then I won't help you.

If you choose to follow my recommendation then follow these instructions.

  • Click Start >> Control Panel.
  • Under the Programs click Uninstall a Program
  • Highlight the following:

    7-Zip 4.57
    Java(TM) SE Runtime Environment 6
    LimeWire PRO 4.12.4
    Norton PC Checkup

  • Click on the Uninstall/Change button at the top.

Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\Internet Logs\xDB8999.tmp
c:\windows\Internet Logs\xDB866D.tmp
c:\windows\Internet Logs\xDB8056.tmp
c:\windows\Internet Logs\xDB755D.tmp
c:\windows\Internet Logs\xDB8610.tmp
c:\windows\Internet Logs\xDB9452.tmp
c:\windows\Internet Logs\xDB7261.tmp

Folder::
c:\program files\BitTorrent
c:\program files\BitTorrent_DNA
c:\program files\uTorrent
c:\program files\LimeWire

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7791C0C4-CF51-480E-8935-CC393054D22B}"=-
"{ED4FA755-F957-436B-B1C3-4A556E9004E6}"=-
"TCP Query User{284247BD-381A-4DA4-B3CA-7E9CF1050395}c:\\program files\\bitdownload\\bitdownload.exe"=-
"UDP Query User{FFA5B41E-DE13-4F37-A500-01DFFC202153}c:\\program files\\bitdownload\\bitdownload.exe"=-
"{437427C6-5375-4D58-80BB-2A1C3ADD2AB9}"=-
"{A8A16130-69B4-497C-AF24-4EC370CAAD40}"=-
"{5102C4C8-4D55-41B2-A006-851D239A45FF}"=-
"{C4D5C2F6-0A07-4863-96E8-3FDEE383B735}"=-
"{5D2A2DA1-EEBF-4313-BED5-4EE0C65ED9ED}"=-
"{805C0773-0B60-4022-80A0-66D576626A19}"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.




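Belahzur's CFScript above deletes FirewallRules values left behind by programs that are no longer on disk (bitdownload.exe, bittorrent.exe). The script below is an added example, not code from the thread or from ComboFix: it parses the FirewallRules section of a ComboFix log in the line format seen in this thread and writes the equivalent Registry:: block for every rule whose program is missing. The function names, the log excerpt, the GUIDs and the set of present programs are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Key header exactly as ComboFix prints it ("~" abbreviates SYSTEM\CurrentControlSet).
FIREWALL_RULES_KEY = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]"

# One rule line as ComboFix prints it:
#   "<value name>"= [TCP:|UDP:]<drive>:\<program path>[:<display name>]
RULE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*'
    r'(?:(?P<proto>TCP|UDP):)?'
    r'(?P<path>[A-Za-z]:\\[^:]+?)'
    r'(?::(?P<label>.*))?$'
)


@dataclass(frozen=True)
class FirewallRule:
    name: str    # registry value name, kept verbatim so it can be quoted back into a CFScript
    proto: str   # "TCP", "UDP", or "" when the line carries no protocol
    path: str    # program the rule allows through the firewall
    label: str   # display name ComboFix printed after the path


def parse_firewall_rules(log_lines: Iterable[str]) -> List[FirewallRule]:
    """Collect the rule lines from the FirewallRules section of a ComboFix log."""
    rules: List[FirewallRule] = []
    in_section = False
    for raw in log_lines:
        line = raw.strip()
        if line == FIREWALL_RULES_KEY:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("["):        # next registry key: the section is over
            break
        m = RULE_RE.match(line)
        if m:
            rules.append(FirewallRule(m["name"], m["proto"] or "", m["path"], m["label"] or ""))
    return rules


def stale_rules(rules: Iterable[FirewallRule], present_paths: Set[str]) -> List[FirewallRule]:
    """Rules whose program is not in present_paths (compared case-insensitively, as NTFS does)."""
    present = {p.lower() for p in present_paths}
    return [r for r in rules if r.path.lower() not in present]


def build_cfscript_registry_block(stale: Iterable[FirewallRule]) -> str:
    """Emit a CFScript 'Registry::' block; '"name"=-' deletes the value, as in the thread."""
    lines = ["Registry::", FIREWALL_RULES_KEY]
    lines += [f'"{r.name}"=-' for r in stale]
    return "\n".join(lines) + "\n"


# Constructed log excerpt in ComboFix's format (not the log posted in the thread).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{11111111-0000-0000-0000-000000000001}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{11111111-0000-0000-0000-000000000002}"= TCP:c:\program files\Grisoft\AVG Free\avginet.exe:avginet.exe
"TCP Query User{11111111-0000-0000-0000-000000000003}c:\\program files\\bitdownload\\bitdownload.exe"= TCP:c:\program files\bitdownload\bitdownload.exe:bitdownload.exe
"{11111111-0000-0000-0000-000000000004}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{11111111-0000-0000-0000-000000000005}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
""".splitlines()

# Constructed inventory of programs still on disk. On the real machine you would
# test each rule's path with os.path.exists, or cross-check the uninstall list.
PRESENT_PATHS = {
    r"c:\program files\Bonjour\mDNSResponder.exe",
    r"c:\program files\MSN Messenger\livecall.exe",
}


def main() -> None:
    rules = parse_firewall_rules(SAMPLE_LOG)
    stale = stale_rules(rules, PRESENT_PATHS)
    for r in stale:
        print(f"stale: {r.proto or '-':3} {r.path}  ({r.label})")
    print(build_cfscript_registry_block(stale))


if __name__ == "__main__":
    main()
```

Rules for programs that are still present (Bonjour, livecall.exe in the sample) are left alone; only the three orphaned entries end up in the generated Registry:: block.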

Re: google hijack

Post by dingdandoo on 2nd June 2009, 10:14 am

When you say I'm using BitTorrent, I can't find it in Add/Remove Programs. Do you by any chance mean the Peer2Peer-EN Toolbar?


Re: google hijack

Post by Belahzur on 2nd June 2009, 10:31 am

It's probably that, remove that too.
Sometimes BitTorrent doesn't appear in the uninstall list.





Re: google hijack

Post by dingdandoo on 2nd June 2009, 11:41 am

ComboFix log:
ComboFix 09-05-31.06 - steven 02/06/2009 12:25.3 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.44.1033.18.958.295 [GMT 1:00]
Running from: c:\users\steven\Desktop\ComboFix.exe
Command switches used :: c:\users\steven\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
SP: AntiVir Desktop *enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\Internet Logs\xDB7261.tmp"
"c:\windows\Internet Logs\xDB755D.tmp"
"c:\windows\Internet Logs\xDB8056.tmp"
"c:\windows\Internet Logs\xDB8610.tmp"
"c:\windows\Internet Logs\xDB866D.tmp"
"c:\windows\Internet Logs\xDB8999.tmp"
"c:\windows\Internet Logs\xDB9452.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\LimeWire
c:\program files\LimeWire\clink.jar
c:\program files\LimeWire\commons-httpclient.jar
c:\program files\LimeWire\commons-logging.jar
c:\program files\LimeWire\commons-net.jar
c:\program files\LimeWire\daap.jar
c:\program files\LimeWire\GenericWindowsUtils.dll
c:\program files\LimeWire\i18n.jar
c:\program files\LimeWire\icu4j.jar
c:\program files\LimeWire\id3v2.jar
c:\program files\LimeWire\jcraft.jar
c:\program files\LimeWire\jl011.jar
c:\program files\LimeWire\jmdns.jar
c:\program files\LimeWire\LimeWire.exe
c:\program files\LimeWire\LimeWire.jar
c:\program files\LimeWire\LimeWire20.dll
c:\program files\LimeWire\log4j.jar
c:\program files\LimeWire\looks.jar
c:\program files\LimeWire\MessagesBundles.jar
c:\program files\LimeWire\mp3sp14.jar
c:\program files\LimeWire\ProgressTabs.jar
c:\program files\LimeWire\themes.jar
c:\program files\LimeWire\tritonus.jar
c:\program files\LimeWire\vorbis.jar
c:\program files\LimeWire\WindowsFirewall.dll
c:\program files\LimeWire\WindowsV5PlusUtils.dll
c:\program files\LimeWire\xerces.jar
c:\program files\LimeWire\xml-apis.jar
c:\program files\uTorrent
c:\windows\Internet Logs\xDB7261.tmp
c:\windows\Internet Logs\xDB755D.tmp
c:\windows\Internet Logs\xDB8056.tmp
c:\windows\Internet Logs\xDB8610.tmp
c:\windows\Internet Logs\xDB866D.tmp
c:\windows\Internet Logs\xDB8999.tmp
c:\windows\Internet Logs\xDB9452.tmp

.
((((((((((((((((((((((((( Files Created from 2009-05-02 to 2009-06-02 )))))))))))))))))))))))))))))))
.

2009-06-02 11:35 . 2009-06-02 11:35 -------- d-----w- c:\users\steven\AppData\Local\temp
2009-06-02 11:35 . 2009-06-02 11:35 -------- d-----w- c:\users\dolly\AppData\Local\temp
2009-06-02 11:35 . 2009-06-02 11:35 -------- d-----w- c:\users\chubby\AppData\Local\temp
2009-06-02 10:36 . 2009-06-02 10:36 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-06-01 10:33 . 2009-06-01 10:33 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-06-01 10:12 . 2009-06-01 10:12 -------- d-----w- c:\programdata\Sunbelt
2009-05-31 16:51 . 2009-05-31 16:54 -------- d-----w- c:\users\chubby\DoctorWeb
2009-05-31 13:31 . 2009-05-31 13:31 -------- d-----w- c:\users\chubby\.gimp-2.6
2009-05-31 13:31 . 2009-05-31 13:31 -------- d-----w- c:\users\chubby\.gegl-0.0
2009-05-31 11:24 . 2009-05-31 11:24 -------- d-----w- c:\program files\Trend Micro
2009-05-30 10:10 . 2009-03-12 08:17 2902048 -c--a-w- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-05-30 10:06 . 2009-05-30 10:10 -------- dc-h--w- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-20 22:51 . 2009-05-20 22:51 -------- d-----w- c:\users\chubby\AppData\Roaming\GRETECH
2009-05-18 17:38 . 2009-05-18 17:38 -------- d-----w- c:\users\steven\AppData\Roaming\Uniblue
2009-05-18 17:38 . 2008-12-22 08:47 2567619 -c--a-w- c:\programdata\{92E7A367-8E12-4830-AA70-29C32E331A81}\Uniblue RegistryBooster.exe
2009-05-18 17:38 . 2009-05-18 17:38 -------- d-----w- c:\program files\Uniblue
2009-05-18 17:38 . 2008-08-26 16:48 757760 -c--a-w- c:\programdata\{92E7A367-8E12-4830-AA70-29C32E331A81}\registrybooster2\2B86F085\6383BC9B\UBVarRB.dll
2009-05-18 17:38 . 2008-08-26 16:48 497496 -c--a-w- c:\programdata\{92E7A367-8E12-4830-AA70-29C32E331A81}\registrybooster2\AF01B0B\6383BC9B\XceedZip.dll
2009-05-18 17:38 . 2008-08-26 16:48 413696 -c--a-w- c:\programdata\{92E7A367-8E12-4830-AA70-29C32E331A81}\registrybooster2\52CD59C9\6383BC9B\update.dll
2009-05-18 17:38 . 2008-08-26 16:48 99624 -c--a-w- c:\programdata\{92E7A367-8E12-4830-AA70-29C32E331A81}\registrybooster2\7390E4F0\6383BC9B\StartRegistryBooster.exe
2009-05-18 17:38 . 2008-08-26 16:48 6676480 -c--a-w- c:\programdata\{92E7A367-8E12-4830-AA70-29C32E331A81}\registrybooster2\4E45A1A4\6383BC9B\RegistryBooster.dll
2009-05-18 17:38 . 2008-08-26 16:48 2019624 -c--a-w- c:\programdata\{92E7A367-8E12-4830-AA70-29C32E331A81}\registrybooster2\7CE1607E\6383BC9B\RegistryBooster.exe
2009-05-18 17:38 . 2008-08-26 16:48 111912 -c--a-w- c:\programdata\{92E7A367-8E12-4830-AA70-29C32E331A81}\registrybooster2\65B92A91\6383BC9B\KillRBProcess.exe
2009-05-18 17:37 . 2009-05-18 17:38 -------- dc-h--w- c:\programdata\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-05-18 14:50 . 2009-05-18 14:50 2967799 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-02 11:10 . 2007-03-14 00:50 -------- d-----w- c:\programdata\Roxio
2009-06-02 10:47 . 2007-12-20 11:06 -------- d-----w- c:\users\steven\AppData\Roaming\uTorrent
2009-06-02 10:39 . 2007-06-22 12:10 352614 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
2009-06-02 06:44 . 2007-07-16 06:59 8160 ----a-w- c:\users\steven\AppData\Local\d3d9caps.dat
2009-06-01 18:56 . 2008-04-04 00:29 -------- d-----w- c:\programdata\Google Updater
2009-06-01 10:32 . 2007-03-14 00:57 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-01 10:28 . 2008-12-10 23:38 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-31 17:07 . 2008-12-10 16:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-30 17:33 . 2007-03-16 16:12 778 ----a-w- c:\users\steven\AppData\Roaming\wklnhst.dat
2009-05-26 12:20 . 2008-12-10 16:49 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 12:19 . 2008-12-10 16:49 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-15 06:39 . 2007-09-20 06:56 21655498 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-05-14 11:16 . 2009-04-23 15:29 -------- d-----w- c:\program files\PKR
2009-05-07 12:35 . 2009-03-26 14:26 -------- d-----w- c:\users\steven\AppData\Roaming\gtk-2.0
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-04-30 11:17 . 2009-04-30 11:17 -------- d-----w- c:\programdata\Avira
2009-04-30 11:17 . 2009-04-30 11:17 -------- d-----w- c:\program files\Avira
2009-04-27 12:28 . 2009-04-27 12:28 299352 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-04-27 12:28 . 2009-04-27 12:28 25440 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-04-27 12:28 . 2009-04-27 12:28 15688 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-04-27 12:28 . 2009-04-27 12:28 165728 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-04-27 12:28 . 2009-04-27 12:28 343888 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-04-27 12:28 . 2009-04-27 12:28 289632 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-04-27 12:28 . 2009-04-27 12:28 82784 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-04-27 12:27 . 2009-04-27 12:27 1629024 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Resources.dll
2009-04-27 12:27 . 2009-04-27 12:27 212848 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-04-27 12:27 . 2009-04-27 12:27 40288 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-04-27 12:27 . 2009-04-27 12:29 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-04-27 12:27 . 2009-04-27 12:27 64160 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-04-27 12:27 . 2009-04-27 12:27 632680 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-04-27 12:26 . 2009-04-27 12:26 539512 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-04-27 12:25 . 2009-04-27 12:25 552808 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-04-27 12:25 . 2009-04-27 12:25 2324808 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-04-27 12:25 . 2009-04-27 12:25 626000 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-04-27 12:25 . 2009-04-27 12:25 516440 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-04-27 12:25 . 2009-04-27 12:25 953168 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-04-22 07:50 . 2007-03-14 00:42 -------- d-----w- c:\program files\Java
2009-04-17 21:56 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-03-30 09:33 . 2009-04-30 11:18 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-03-24 15:08 . 2009-04-30 11:18 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-03-17 03:16 . 2009-04-16 16:32 14848 ----a-w- c:\windows\system32\apilogen.dll
2009-03-17 03:16 . 2009-04-16 16:32 25600 ----a-w- c:\windows\system32\amxread.dll
2008-01-05 18:08 . 2008-01-05 18:06 80 --sha-r- c:\windows\System32\41C336709D.dll
2007-06-30 18:34 . 2007-06-10 15:08 88 --sha-r- c:\windows\System32\63F43ECA55.sys
2007-06-30 18:34 . 2007-06-10 15:08 3506 --sha-w- c:\windows\System32\KGyGaAvL.sys
2007-03-14 08:27 . 2007-03-14 08:26 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.


Re: google hijack

Post by dingdandoo on 2nd June 2009, 11:41 am

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-14 01:03 . 2009-06-02 10:45 75810 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:02 . 2009-06-02 10:45 64128 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-03-16 11:53 . 2009-06-02 10:45 27898 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2478390336-1506789915-2723413947-1000_UserData.bin
- 2007-03-16 11:47 . 2009-06-01 18:04 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-03-16 11:47 . 2009-06-02 10:38 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-03-16 11:47 . 2009-06-02 10:38 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-03-16 11:47 . 2009-06-01 18:04 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-03-16 11:47 . 2009-06-02 10:38 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-03-16 11:47 . 2009-06-01 18:04 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-06-01 17:57 . 2009-06-01 17:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-06-02 10:38 . 2009-06-02 10:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-06-01 17:57 . 2009-06-01 17:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-06-02 10:38 . 2009-06-02 10:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-06-02 10:36 . 2009-06-02 10:36 2560 c:\windows\_MSRSTRT.EXE
+ 2006-11-02 10:33 . 2009-06-01 20:57 677942 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-06-01 09:52 677942 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-06-01 09:52 129454 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-06-01 20:57 129454 c:\windows\System32\perfc009.dat
+ 2009-06-01 21:40 . 2009-06-01 10:28 148888 c:\windows\System32\javaws.exe
- 2009-06-01 10:28 . 2009-06-01 10:28 148888 c:\windows\System32\javaws.exe
- 2009-06-01 10:28 . 2009-06-01 10:28 144792 c:\windows\System32\javaw.exe
+ 2009-06-01 21:40 . 2009-06-01 10:28 144792 c:\windows\System32\javaw.exe
+ 2009-06-01 21:40 . 2009-06-01 10:28 144792 c:\windows\System32\java.exe
- 2009-06-01 10:28 . 2009-06-01 10:28 144792 c:\windows\System32\java.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-09 1232896]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Google Update"="c:\users\steven\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-02-11 133104]
"Uniblue RegistryBooster 2009"="c:\program files\uniblue\registrybooster\StartRegistryBooster.exe" [2008-08-26 99624]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-08 7766016]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-01-09 959976]
"MSConfig"="c:\windows\system32\msconfig.exe" [2006-11-02 222208]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"PKR Pal"="c:\program files\PKR\pkrpal.exe" [2009-05-06 2296936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-01 148888]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2478390336-1506789915-2723413947-1000]
"EnableNotificationsRef"=dword:00000004

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E40E23A0-3F53-4E0A-BD10-A6F87E251B89}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{A1500816-CCD4-4FA5-B76A-43FA30F5AF9D}"= UDP:c:\program files\Grisoft\AVG Free\avginet.exe:avginet.exe
"{936A4CEF-1F4D-48BF-B8E8-46B3CB11E1D2}"= TCP:c:\program files\Grisoft\AVG Free\avginet.exe:avginet.exe
"{FE92EC84-6EDD-4601-8DB8-0EA078D942AE}"= UDP:c:\program files\Grisoft\AVG Free\avgamsvr.exe:avgamsvr.exe
"{7E3F38D0-992F-48FF-83A3-E6ACBBB1334F}"= TCP:c:\program files\Grisoft\AVG Free\avgamsvr.exe:avgamsvr.exe
"{2F0B0DAA-0C98-44F7-8E3E-B167E16C1D36}"= UDP:c:\program files\Grisoft\AVG Free\avgcc.exe:avgcc.exe
"{952BB71B-9C91-4C79-B841-6CC26896AF02}"= TCP:c:\program files\Grisoft\AVG Free\avgcc.exe:avgcc.exe
"{CF17122B-C2DC-4003-AD51-E38F5DD3A8F3}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{43B4FE5E-A35C-42DD-9104-E7F46B51E470}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"TCP Query User{3A25364A-1E94-4E25-BB3E-825531804BE0}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{47C6BC9E-D305-4226-8A02-6BEF3DB853A5}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"{616B929E-BBE3-4A0D-B542-5714045FA654}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{561491F4-2307-4B91-A0F9-D3F134A2B2B5}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C66A02AB-3363-49E1-8B88-D71B2713272B}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{9DAE95AE-BFF2-4391-8121-6505EAB7D258}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{B51033C1-52C9-421B-9D5E-046CC46E20DD}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [27/04/2009 13:29 64160]
R0 szkg5;szkg;c:\windows\System32\drivers\SZKG.sys [12/12/2007 13:28 30208]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [30/04/2009 12:18 108289]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 951632]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\System32\drivers\s115mdfl.sys [23/04/2007 13:54 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\System32\drivers\s115mdm.sys [23/04/2007 13:54 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\System32\drivers\s115mgmt.sys [23/04/2007 13:54 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\System32\drivers\s115obex.sys [23/04/2007 13:54 98568]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\System32\drivers\w300mgmt.sys [16/03/2007 19:03 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\System32\drivers\w300obex.sys [16/03/2007 19:02 85696]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [22/02/2007 19:39 2808664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2009-06-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2009-06-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2478390336-1506789915-2723413947-1000.job
- c:\users\steven\AppData\Local\Google\Update\GoogleUpdate.exe [2009-02-11 13:42]

2009-06-02 c:\windows\Tasks\User_Feed_Synchronization-{1DFEA306-C0E8-4072-80CC-2A847A29AA5D}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]

2009-06-02 c:\windows\Tasks\User_Feed_Synchronization-{378FC4FB-AC9A-4968-BFF3-D0FD99701AD2}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]

2009-06-02 c:\windows\Tasks\User_Feed_Synchronization-{9B8571A5-D99F-405F-8499-8AAD102A1E2D}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.15\AMVConverter\grab.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: MediaManager tool grab multimedia file - c:\program files\MP3 Player Utilities 4.15\MediaManager\grab.html
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - [You must be registered and logged in to see this link.]
LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: pwsforums.com\www
FF - ProfilePath - c:\users\steven\AppData\Roaming\Mozilla\Firefox\Profiles\5cv9ex7j.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmidas.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Opera\program\plugins\Npindeo.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\users\steven\AppData\Local\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\users\steven\Picassa\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\users\steven\Picassa\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-02 12:35
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-06-02 12:39
ComboFix-quarantined-files.txt 2009-06-02 11:39
ComboFix2.txt 2009-06-01 18:20
ComboFix3.txt 2008-12-10 22:53

Pre-Run: 11,268,521,984 bytes free
Post-Run: 11,175,505,920 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=7 Sets=1,2,3,4,5,6,7,16
344 --- E O F --- 2009-04-17 23:06

dingdandoo

Re: google hijack

Post by Belahzur on 2nd June 2009, 4:11 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?


Belahzur

Re: google hijack

Post by dingdandoo on 2nd June 2009, 6:05 pm

thanks for your help Belahzur,

everything is running smoothly now thanks to your help, found some extra malware and trojans as well when Anti-Malware Bytes was finally able to load, thanks to your help.

regards

dingdandoo
