[Closed] Google has been Hijacked!


  • This topic is locked
4 replies to this topic

#1 cassassin

  • New Member
  • 3 posts

Posted 08 May 2008 - 07:22 PM

So I just came home from College and my Dad told me he's been having trouble on his computer. Apparently Google has been hijacked. I'm an IT major, and I've never come across a Google-specific hijacker. I ran HijackThis, but I didn't want to delete any files or make any hasty decisions without hearing from the experts first.

Here are some screen shots of what I see when I go to Google. Also, I noticed on the apparently expired certificate the name snakeoil.dom? I'm sure it's just a typo, but who knows? I figured if I mention the name here, people on Google can find it when they look it up and have the same problem.

Posted Image

Here's my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:12:15 PM, on 5/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Lexmark 8300 Series\lxcjmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Lexmark 8300 Series\ezprint.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\lxcjcoms.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O1 - Hosts: 124.217.251.159 google.dk
O1 - Hosts: 124.217.251.159 google.se
O1 - Hosts: 124.217.251.159 google.co.nz
O1 - Hosts: 124.217.251.159 google.cn
O1 - Hosts: 124.217.251.159 google.com.pr
O1 - Hosts: 124.217.251.159 google.com.ca
O1 - Hosts: 124.217.251.159 google.com.ch
O1 - Hosts: 124.217.251.159 google.fi
O1 - Hosts: 124.217.251.159 google.co.in
O1 - Hosts: 124.217.251.159 google.co.uk
O1 - Hosts: 124.217.251.159 google.lv
O1 - Hosts: 124.217.251.159 google.co.hu
O1 - Hosts: 124.217.251.159 google.lk
O1 - Hosts: 124.217.251.159 google.com.au
O1 - Hosts: 124.217.251.159 google.ru
O1 - Hosts: 124.217.251.159 google.nl
O1 - Hosts: 124.217.251.159 google.be
O1 - Hosts: 124.217.251.159 google.de
O1 - Hosts: 124.217.251.159 gogle.de
O1 - Hosts: 124.217.251.159 googel.de
O1 - Hosts: 124.217.251.159 google.ro
O1 - Hosts: 124.217.251.159 google.kz
O1 - Hosts: 124.217.251.159 google.by
O1 - Hosts: 124.217.251.159 google.no
O1 - Hosts: 124.217.251.159 google.pl
O1 - Hosts: 124.217.251.159 google.com.pl
O1 - Hosts: 124.217.251.159 google.es
O1 - Hosts: 124.217.251.159 google.pt
O1 - Hosts: 124.217.251.159 google.com.br
O1 - Hosts: 124.217.251.159 google.vc
O1 - Hosts: 124.217.251.159 google.co.za
O1 - Hosts: 124.217.251.159 google.tm
O1 - Hosts: 124.217.251.159 google.com.my
O1 - Hosts: 124.217.251.159 google.bg
O1 - Hosts: 124.217.251.159 google.co.jp
O1 - Hosts: 124.217.251.159 google.ie
O1 - Hosts: 124.217.251.159 google.co.ck
O1 - Hosts: 124.217.251.159 google.com.mx
O1 - Hosts: 124.217.251.159 google.com.om
O1 - Hosts: 124.217.251.159 google.fr
O1 - Hosts: 124.217.251.159 google.mu
O1 - Hosts: 124.217.251.159 google.com.ph
O1 - Hosts: 124.217.251.159 google.com.jm
O1 - Hosts: 124.217.251.159 google.com
O1 - Hosts: 124.217.251.159 google.us
O1 - Hosts: 124.217.251.159 google.ro
O1 - Hosts: 124.217.251.159 www.google.dk
O1 - Hosts: 124.217.251.159 www.google.se
O1 - Hosts: 124.217.251.159 www.google.co.nz
O1 - Hosts: 124.217.251.159 www.google.cn
O1 - Hosts: 124.217.251.159 www.google.com.pr
O1 - Hosts: 124.217.251.159 www.google.com.ca
O1 - Hosts: 124.217.251.159 www.google.com.ch
O1 - Hosts: 124.217.251.159 www.google.fi
O1 - Hosts: 124.217.251.159 www.google.co.in
O1 - Hosts: 124.217.251.159 www.google.co.uk
O1 - Hosts: 124.217.251.159 www.google.lv
O1 - Hosts: 124.217.251.159 www.google.co.hu
O1 - Hosts: 124.217.251.159 www.google.lk
O1 - Hosts: 124.217.251.159 www.google.com.au
O1 - Hosts: 124.217.251.159 www.google.ru
O1 - Hosts: 124.217.251.159 www.google.nl
O1 - Hosts: 124.217.251.159 www.google.be
O1 - Hosts: 124.217.251.159 www.google.de
O1 - Hosts: 124.217.251.159 www.gogle.de
O1 - Hosts: 124.217.251.159 www.googel.de
O1 - Hosts: 124.217.251.159 www.google.ro
O1 - Hosts: 124.217.251.159 www.google.kz
O1 - Hosts: 124.217.251.159 www.google.by
O1 - Hosts: 124.217.251.159 www.google.no
O1 - Hosts: 124.217.251.159 www.google.pl
O1 - Hosts: 124.217.251.159 www.google.com.pl
O1 - Hosts: 124.217.251.159 www.google.es
O1 - Hosts: 124.217.251.159 www.google.pt
O1 - Hosts: 124.217.251.159 www.google.com.br
O1 - Hosts: 124.217.251.159 www.google.vc
O1 - Hosts: 124.217.251.159 www.google.co.za
O1 - Hosts: 124.217.251.159 www.google.tm
O1 - Hosts: 124.217.251.159 www.google.com.my
O1 - Hosts: 124.217.251.159 www.google.bg
O1 - Hosts: 124.217.251.159 www.google.co.jp
O1 - Hosts: 124.217.251.159 www.google.ie
O1 - Hosts: 124.217.251.159 www.google.co.ck
O1 - Hosts: 124.217.251.159 www.google.com.mx
O1 - Hosts: 124.217.251.159 www.google.com.om
O1 - Hosts: 124.217.251.159 www.google.fr
O1 - Hosts: 124.217.251.159 www.google.mu
O1 - Hosts: 124.217.251.159 www.google.com.ph
O1 - Hosts: 124.217.251.159 www.google.com.jm
O1 - Hosts: 124.217.251.159 www.google.com
O1 - Hosts: 124.217.251.159 www.google.us
O1 - Hosts: 124.217.251.159 www.google.ro
O1 - Hosts: 124.217.251.159 www.video.google.com
O1 - Hosts: 124.217.251.159 www.maps.google.com
O1 - Hosts: 124.217.251.159 www.groups.google.com
O1 - Hosts: 124.217.251.159 www.news.google.com
O1 - Hosts: 124.217.251.159 www.images.google.com
O1 - Hosts: 124.217.251.159 www.earth.google.com
O1 - Hosts: 124.217.251.159 www.code.google.com
O1 - Hosts: 124.217.251.159 www.directory.google.com
O1 - Hosts: 124.217.251.159 www.labs.google.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0ed4a7b4-6c5b-c1bb-34c0-04a73d9a358f} - C:\WINDOWS\system32\commnt.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {732f54ca-901f-455b-88e1-5a079aa27d1b} - (no file)
O2 - BHO: scriptproxy - {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {ab03bec8-5de0-4182-9bca-c08239dfcad6} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [lxcjmon.exe] "C:\Program Files\Lexmark 8300 Series\lxcjmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 8300 Series\ezprint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [service.exe] C:\WINDOWS\system32\service.exe
O4 - HKLM\..\Run: [LXCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [K2nMiZVNkK] C:\Documents and Settings\All Users\Application Data\yvwdupel\mnavqdqj.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://www.update.mi...b?1210216591718
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...281/mcfscan.cab
O20 - Winlogon Notify: pmnnmccr - pmnnMcCr.dll (file missing)
O22 - SharedTaskScheduler: hemimorphite - {12a31567-9883-4cc0-a684-ad5804394d69} - (no file)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O22 - SharedTaskScheduler: frowardness - {b0fdc513-46b9-46fc-8e70-d575ee546dae} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0143061209225115) (0143061209225115mcinstcleanup) - Unknown owner - C:\DOCUME~1\FRIEND~1\LOCALS~1\Temp\014306~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee E-mail Proxy (emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe
O23 - Service: MBackMonitor (mbackmonitor) - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee HackerWatch Service (mcafee hackerwatch service) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (mcnasvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (mcods) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (mcproxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (mcredirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (mcshield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (mcsysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (mpfservice) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (mps9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: SoundMAX Agent Service (soundmax agent service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 14821 bytes
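A defender-side triage script for the O1 - Hosts pattern in the log above, added here as an example and not code from the thread, HijackThis or ComboFix: it parses a hosts file, groups hostnames by address, and flags watched brand names and their typosquats (the gogle.de / googel.de style entries) that are steered to one non-local address, plus that fan-in itself. It generalises to brand names pinned to loopback (reported as "brand-blocked"); the sample hosts content, the WATCHLIST and the GENERIC_SLD set are constructed assumptions, not values taken from the thread.

```python
"""Triage a Windows hosts file for the O1 - Hosts redirect pattern above.
Added example, not code from the thread, HijackThis or ComboFix. The sample
hosts content below is constructed to mirror a handful of the posted entries.
"""
import ipaddress
from collections import defaultdict, namedtuple

# Constructed sample: the default localhost line plus a few of the posted
# O1 - Hosts entries, written as the hosts file itself would hold them.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
124.217.251.159 google.com
124.217.251.159 www.google.com   # trailing comments are legal here
124.217.251.159 google.co.uk
124.217.251.159 gogle.de
124.217.251.159 googel.de
124.217.251.159 www.maps.google.com
"""

# Brand labels to match exactly or as near misses (assumption: load from config).
WATCHLIST = ("google", "microsoft", "yahoo", "mcafee")
# Second-level labels that belong to the public suffix, not the brand.
GENERIC_SLD = {"co", "com", "net", "org", "gov", "edu", "ac"}

Finding = namedtuple("Finding", "kind hostname ip brand")


def parse_hosts(text):
    """Return (ip, hostname) pairs; one line may name several hosts. Comments
    and blank lines are dropped; a line with an invalid first field is skipped."""
    pairs = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        pairs.extend((ip, name.lower().rstrip(".")) for name in fields[1:])
    return pairs


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent
    transposition, so 'googel' is one edit from 'google', not two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def brand_label(hostname):
    """Label just left of the public suffix: www.google.co.uk -> google.
    GENERIC_SLD stands in for the public suffix list; fine for triage."""
    labels = hostname.split(".")
    if len(labels) > 1:
        labels.pop()                                  # drop the TLD
    while len(labels) > 1 and labels[-1] in GENERIC_SLD:
        labels.pop()                                  # drop co / com / ...
    return labels[-1]


def audit(text, watchlist=WATCHLIST, fan_in=3):
    """Flag watched brands and their typosquats pinned to any address, and
    any non-local address that collects many hostnames (proxy / sinkhole)."""
    by_ip = defaultdict(list)
    for ip, name in parse_hosts(text):
        by_ip[ip].append(name)
    findings = []
    for ip, names in by_ip.items():
        addr = ipaddress.ip_address(ip)
        local = addr.is_loopback or addr.is_unspecified
        for name in names:
            label = brand_label(name)
            brand = min(watchlist, key=lambda b: osa_distance(label, b))
            if osa_distance(label, brand) > 1:
                continue                              # unrelated hostname
            kind = ("brand" if label == brand else "typosquat") + (
                "-blocked" if local else "-redirect")
            findings.append(Finding(kind, name, ip, brand))
        if not local and len(names) >= fan_in:        # many names, one address
            findings.append(Finding("fan-in", f"{len(names)} hostnames", ip, None))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_HOSTS):
        print(f"{f.kind:<20} {f.hostname:<24} -> {f.ip}  brand={f.brand}")
```

On a live machine, read the text from %SystemRoot%\System32\drivers\etc\hosts and pass it to audit(); an empty result for a file that is only the localhost line is the expected clean state.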


    Advertisements

Register to Remove


#2 Trevuren

  • Teacher Emeritus
  • Authentic Member
  • 8,632 posts

Posted 09 May 2008 - 11:28 AM

Hello cassassin and welcome to the What the Tech Forums

My name is Trevuren and I will be helping you with your problem.


A. First we must disable some of your security programs so that they do not interfere with the running of our tools:

MCAFEE ANTIVIRUS
Please navigate to the system tray on the bottom right hand corner and look for the McAfee icon.
  • right-click it -> choose "Exit."
  • a popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You have successfully disabled the McAfee Guard.


B. Please download ComboFix by sUBs from HERE or HERE directly to your Desktop.

Note: If you already have ComboFix on your machine, please DELETE it from your desktop before downloading the newest version.

Go to Start -> Run -> copy/paste the following single line command in the runbox & click OK

"%userprofile%\desktop\combofix.exe" /killall

  • DO NOT USE your computer for any other purpose while ComboFix is running.
  • ComboFix may restart your computer, this is normal.
  • When finished, it will produce a log, ComboFix.txt.
  • Please post ComboFix.txt in your next reply along with a new HijackThis log.


Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#3 cassassin

  • New Member
  • 3 posts

Posted 09 May 2008 - 03:32 PM

Thanks for your help, the problem seems to be fixed. Here are both log files regardless.

ComboFix:

ComboFix 08-05-07.1 - Mike Jr 2008-05-09 17:12:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.582 [GMT -4:00]
Running from: C:\Documents and Settings\Mike Jr\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\secure32.html
C:\WINDOWS\system32\aHOrsBeg.ini
C:\WINDOWS\system32\aHOrsBeg.ini2
C:\WINDOWS\system32\hjihPXbc.ini
C:\WINDOWS\system32\hjihPXbc.ini2
C:\WINDOWS\Web\def.htm

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SERVICE.SYS
-------\Service_service.sys


((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-08 14:11 . 2008-05-08 14:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-08 12:17 . 2008-05-08 12:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZipSE
2008-05-08 00:13 . 2002-09-20 11:53 235,100 --a------ C:\WINDOWS\system32\drivers\MidiSyn.sys
2008-05-08 00:10 . 2008-05-08 00:10 <DIR> d-------- C:\Program Files\Analog Devices
2008-05-08 00:08 . 2008-05-08 00:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-08 00:07 . 2008-05-08 00:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-08 00:03 . 2008-05-08 00:06 <DIR> d-------- C:\TempEI4
2008-05-07 23:57 . 2008-05-07 23:57 <DIR> d-------- C:\Documents and Settings\Mike Jr\Application Data\Yahoo!
2008-05-07 23:54 . 2008-05-07 23:54 <DIR> d-------- C:\Documents and Settings\Mike Jr\Application Data\McAfee
2008-05-07 23:16 . 2008-05-07 23:16 <DIR> d---s---- C:\Documents and Settings\Kevin\UserData
2008-05-07 23:14 . 2008-05-07 23:14 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Yahoo!
2008-05-04 14:49 . 2008-05-05 17:04 <DIR> d-------- C:\Program Files\vipantispyware
2008-05-04 14:49 . 2008-05-04 14:49 0 --a------ C:\winxplogon.sys
2008-05-03 22:20 . 2008-05-03 22:20 <DIR> d-------- C:\Documents and Settings\Cassidy\Application Data\Yahoo!
2008-05-03 20:36 . 2008-05-03 20:36 <DIR> d-------- C:\Documents and Settings\Friends and Family\Application Data\Yahoo!
2008-05-03 20:36 . 2008-05-03 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-05-03 20:31 . 2008-05-03 20:32 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-03 07:05 . 2008-05-03 07:05 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\McAfee
2008-04-29 11:11 . 2008-04-15 01:23 26,504 --a------ C:\WINDOWS\setupapi.old
2008-04-28 16:51 . 2008-04-28 16:51 <DIR> d-------- C:\Documents and Settings\Cassidy\Application Data\McAfee
2008-04-28 16:50 . 2008-03-10 03:23 <DIR> d-------- C:\Documents and Settings\Cassidy\Application Data\Apple Computer
2008-04-28 16:50 . 2008-05-01 22:26 <DIR> d-------- C:\Documents and Settings\Cassidy
2008-04-28 16:50 . 2008-05-09 17:17 450,560 --ah----- C:\Documents and Settings\Cassidy\ntuser.dat.LOG
2008-04-26 16:48 . 2008-05-09 17:17 5,242 --a------ C:\WINDOWS\system32\Config.MPF
2008-04-26 11:53 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-04-26 11:52 . 2008-02-06 09:51 171,400 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-04-26 11:52 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-04-26 11:52 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-04-26 11:52 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-04-26 11:52 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-04-26 11:51 . 2008-04-26 11:51 <DIR> d-------- C:\Program Files\McAfee.com
2008-04-26 11:51 . 2008-04-26 11:53 <DIR> d-------- C:\Program Files\McAfee
2008-04-26 11:51 . 2008-04-26 11:53 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-04-26 11:51 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-04-26 10:00 . 2008-04-26 10:00 61,224 --a------ C:\Documents and Settings\Friends and Family\GoToAssistDownloadHelper.exe
2008-04-26 09:09 . 2008-04-27 15:04 <DIR> d-------- C:\Documents and Settings\Friends and Family\Application Data\McAfee
2008-04-26 09:09 . 2008-04-27 15:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-25 16:17 . 2008-04-25 16:17 65,970 --a------ C:\WINDOWS\uazpiq.sys
2008-04-24 19:26 . 2008-04-24 19:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-04-24 18:10 . 2008-04-24 18:10 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-04-23 20:54 . 2008-04-23 20:54 <DIR> d-------- C:\Documents and Settings\delete
2008-04-23 17:50 . 2008-04-23 17:50 458,755 -rahs---- C:\WINDOWS\system32\i386-winconf.exe
2008-04-23 16:42 . 2008-04-23 16:42 144 --ahs---- C:\WINDOWS\system32\954361719.dat
2008-04-16 17:37 . 2004-11-02 08:58 163,840 --a------ C:\WINDOWS\system32\igfxres.dll
2008-04-16 17:30 . 2004-08-04 08:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-04-16 17:29 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-04-16 17:28 . 2008-04-26 13:25 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-04-16 17:28 . 2008-04-26 13:25 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-04-16 17:28 . 2008-04-26 13:25 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-04-16 17:28 . 2008-04-26 13:25 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-04-16 17:28 . 2008-04-16 17:28 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-04-16 10:30 . 2008-04-16 10:30 46 --a------ C:\WINDOWS\PRMLOGVW.INI
2008-04-15 03:52 . 2008-04-25 21:49 816 --a------ C:\WINDOWS\wininit.ini
2008-04-14 19:05 . 2008-04-26 19:08 <DIR> d-------- C:\WINDOWS\system32\403445
2008-04-14 18:52 . 2008-04-16 10:29 148 --a------ C:\WINDOWS\prmendpt.ini
2008-04-14 17:52 . 2008-04-14 17:52 <DIR> d-------- C:\P3WIN
2008-04-14 17:52 . 2008-04-14 17:54 426,475 --a------ C:\WINDOWS\DEISL1.ISU
2008-04-14 17:52 . 1998-10-29 16:45 307,004 --a------ C:\WINDOWS\ISUN16.EXE
2008-04-14 17:52 . 1995-07-13 17:43 26,768 --a------ C:\WINDOWS\system\CTL3D.DLL
2008-04-14 17:52 . 2008-04-16 10:30 1,024 --a------ C:\WINDOWS\MKDEWE.TRN
2008-04-14 17:52 . 2008-04-14 17:52 827 --a------ C:\WINDOWS\BTI.INI
2008-04-13 05:10 . 2008-04-13 05:10 <DIR> d-------- C:\Program Files\Photo to Cartoon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-08 16:46 --------- d-----w C:\Program Files\Lx_cats
2008-05-08 16:21 --------- d-----w C:\Documents and Settings\Mike Jr\Application Data\OpenOffice.org2
2008-05-08 16:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-08 16:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-05-08 16:03 --------- d-----w C:\Program Files\Windows Defender
2008-05-08 05:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-08 04:45 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-08 04:08 --------- d-----w C:\Program Files\Lavasoft
2008-04-26 20:15 1,256 ----a-w C:\Program Files\dpvcngkh.txt
2008-04-26 14:45 --------- d-----w C:\Documents and Settings\Friends and Family\Application Data\OpenOffice.org2
2008-04-25 21:26 --------- d-----w C:\Program Files\Google
2008-04-24 22:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-24 22:18 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-24 22:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-24 00:23 --------- d-----w C:\Program Files\QuickTime
2008-04-17 02:17 --------- d-----w C:\Program Files\Yahoo!
2008-04-16 22:41 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-16 15:17 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-15 19:16 --------- d-----w C:\Program Files\Java
2006-06-27 01:54 21,290,704 -c--a-w C:\Program Files\AdbeRdr708_en_US.exe
2006-06-27 01:53 762,512 -c--a-w C:\Program Files\ytb612_efgsip.exe
2006-06-27 01:53 7,050,552 -c--a-w C:\Program Files\psa30se_en_us.exe
.

------- Sigcheck -------

2005-05-25 15:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 13:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2gdr\tcpip.sys
2004-08-04 08:00 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\system32\dllcache\tcpip.sys
2004-08-04 08:00 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0ed4a7b4-6c5b-c1bb-34c0-04a73d9a358f}]
C:\WINDOWS\system32\commnt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{732f54ca-901f-455b-88e1-5a079aa27d1b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ab03bec8-5de0-4182-9bca-c08239dfcad6}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 09:03 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 08:59 126976]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 11:46 172032]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"lxcjmon.exe"="C:\Program Files\Lexmark 8300 Series\lxcjmon.exe" [2005-09-30 10:49 200704]
"EzPrint"="C:\Program Files\Lexmark 8300 Series\ezprint.exe" [2006-04-19 09:57 94208]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"LXCJCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2006-02-24 17:07 73728]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 13:59 4838952]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 13:48 1388544]
"combofix"="C:\WINDOWS\system32\CF9248.exe" [2004-08-04 08:00 388608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 08:00 53760 C:\WINDOWS\system32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 08:00 44544]

C:\Documents and Settings\Mike Jr\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 16:54:56 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"K2nMiZVNkK"= C:\Documents and Settings\All Users\Application Data\yvwdupel\mnavqdqj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnmccr]
pmnnMcCr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
UpdateWin REG_SZ C:\WINDOWS\system32\1054r.exe

[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^microsoft office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\c:^documents and settings^mike jr^start menu^programs^startup^openoffice.org 1.9.113.lnk]
path=C:\Documents and Settings\Mike Jr\Start Menu\Programs\Startup\OpenOffice.org 1.9.113.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 1.9.113.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adobe photo downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aim]
--a------ 2005-08-05 16:08 67160 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ituneshelper]
--a------ 2007-07-10 09:18 270648 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmsgs]
--------- 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spybotsd teatimer]
--------- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\i386-winconf.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

S0 xojbvojm;xojbvojm;C:\WINDOWS\system32\drivers\rmqpci^i.sys []
S1 kbd;kbd;C:\WINDOWS\system32\drivers\kbd.sys []
S2 0143061209225115mcinstcleanup;McAfee Application Installer Cleanup (0143061209225115);C:\DOCUME~1\FRIEND~1\LOCALS~1\Temp\014306~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-19 16:17:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-26 15:51:49 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-04-26 21:16:38 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 17:17:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\lxcjcoms.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2008-05-09 17:21:34 - machine was rebooted [Cassidy]
ComboFix-quarantined-files.txt 2008-05-09 21:21:28

Pre-Run: 14,745,186,304 bytes free
Post-Run: 14,771,150,848 bytes free

229 --- E O F --- 2008-05-09 07:00:47


Hijack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:32, on 2008-05-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\lxcjcoms.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Lexmark 8300 Series\lxcjmon.exe
C:\Program Files\Lexmark 8300 Series\ezprint.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0ed4a7b4-6c5b-c1bb-34c0-04a73d9a358f} - C:\WINDOWS\system32\commnt.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {732f54ca-901f-455b-88e1-5a079aa27d1b} - (no file)
O2 - BHO: scriptproxy - {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {ab03bec8-5de0-4182-9bca-c08239dfcad6} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [lxcjmon.exe] "C:\Program Files\Lexmark 8300 Series\lxcjmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 8300 Series\ezprint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LXCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [K2nMiZVNkK] C:\Documents and Settings\All Users\Application Data\yvwdupel\mnavqdqj.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://www.update.mi...b?1210216591718
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...281/mcfscan.cab
O20 - Winlogon Notify: pmnnmccr - pmnnMcCr.dll (file missing)
O22 - SharedTaskScheduler: hemimorphite - {12a31567-9883-4cc0-a684-ad5804394d69} - (no file)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O22 - SharedTaskScheduler: frowardness - {b0fdc513-46b9-46fc-8e70-d575ee546dae} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0143061209225115) (0143061209225115mcinstcleanup) - Unknown owner - C:\DOCUME~1\FRIEND~1\LOCALS~1\Temp\014306~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee E-mail Proxy (emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe
O23 - Service: MBackMonitor (mbackmonitor) - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee HackerWatch Service (mcafee hackerwatch service) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (mcnasvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (mcods) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (mcproxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (mcredirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (mcshield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (mcsysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (mpfservice) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (mps9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: SoundMAX Agent Service (soundmax agent service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 10356 bytes



#4 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests:Woodworking

Posted 09 May 2008 - 04:07 PM

the problem seems to be fixed


Unfortunately not. They are much worse than originally expected. The following file was found in your ComboFix log:

C:\WINDOWS\uazpiq.sys

You can verify the identification here: http://www.bleepingc...ckthis/O23.html


And the above forces me to have to provide you with the following unpleasant information:


One or more of the identified infections is a backdoor trojan and a "rootkit" to boot.


A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would advise you to disconnect this PC from the Internet, and then go to a known clean computer and change any passwords or security information held on the infected computer. In particular, check whatever relates to online banking financial transactions, shopping, credit cards, or sensitive personal information. It is also wise to contact your financial institutions to apprise them of your situation.

We will do our best to clean the computer of any infections seen on the log. However, because of the nature of this Trojan, I cannot offer a total guarantee that there are no remnants left in the system, or that the computer will be trustworthy.

Many security experts believe that once infected with this type of Trojan, the best course of action is to reformat and reinstall the Operating System. Making this decision is based on what the computer is used for, and what information can be accessed from it.

Knowing the above, let us know if you wish to proceed.
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image
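Trevuren's reading of the logs above comes down to spotting load points that do not belong: entries whose target file no longer exists, programs launched from the Explorer policy Run key or from a temp/data directory, services with no vendor name, and entries with generated-looking names. As an added example that is not part of the original thread, the Python below applies those review heuristics to lines copied from the HijackThis log posted above; the helper names, the regexes and the vowel threshold are my own assumptions, and a hit means "look at this entry", not a malware verdict.

```python
import re

# HijackThis lines copied from the log above; the Spybot and HotKeysCmds lines are known-good controls.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {0ed4a7b4-6c5b-c1bb-34c0-04a73d9a358f} - C:\WINDOWS\system32\commnt.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Policies\Explorer\Run: [K2nMiZVNkK] C:\Documents and Settings\All Users\Application Data\yvwdupel\mnavqdqj.exe
O20 - Winlogon Notify: pmnnmccr - pmnnMcCr.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0143061209225115) (0143061209225115mcinstcleanup) - Unknown owner - C:\DOCUME~1\FRIEND~1\LOCALS~1\Temp\014306~1.EXE (file missing)"""

FILE_MISSING = re.compile(r"\((?:file missing|no file)\)", re.I)          # assumed pattern
USER_WRITABLE = re.compile(r"\\(?:Temp|Application Data|Local Settings)\\", re.I)  # assumed pattern
VOWELS = set("aeiouAEIOU")

def looks_random(name):
    """Crude check for generated names: digits mixed into letters, or almost no vowels (assumed threshold)."""
    letters = [c for c in name if c.isalpha()]
    if len(name) < 8 or not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return any(c.isdigit() for c in name) or vowel_ratio < 0.15

def entry_name(section, rest):
    """The display name HijackThis prints: [name] for O4 lines, 'name - {clsid}' for O22 lines."""
    if section == "O4":
        m = re.search(r"\[([^\]]+)\]", rest)
        return m.group(1) if m else ""
    if section == "O22":
        return rest.split(": ", 1)[-1].split(" - ", 1)[0]
    return ""

def triage_line(line):
    """Reasons one log line deserves a second look (empty list = nothing noted). Heuristics, not verdicts."""
    section, _, rest = line.partition(" - ")
    reasons = []
    if FILE_MISSING.search(rest):
        reasons.append("orphaned load point: referenced file is no longer present")
    if "Policies\\Explorer\\Run" in rest:
        reasons.append("Explorer policy Run key, rarely used by legitimate installers")
    if section in ("O4", "O23") and USER_WRITABLE.search(rest):
        reasons.append("executable lives in a temp/data directory, not Program Files or system32")
    if section == "O23" and "Unknown owner" in rest:
        reasons.append("service carries no vendor name")
    if looks_random(entry_name(section, rest)):
        reasons.append("generated-looking entry name")
    return reasons

def triage_log(text):
    # Map each flagged line to its reasons; lines with no findings are omitted.
    return {ln: r for ln in text.splitlines() if (r := triage_line(ln))}
```

Run `triage_log(SAMPLE_LOG)` to see that the two control lines drop out while the other five are each returned with their reasons; the McAfee cleanup service is a reminder that a hit still needs a human to confirm it.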

#5 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests:Woodworking

Posted 19 May 2008 - 03:40 PM

Due to inactivity, this topic will be closed. If you need help, please start a new thread and post a new HJT log.
