Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

iGoogle has hijacked my homepage! Please help me get it back

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

iGoogle has hijacked my homepage! Please help me get it back

Unread postby talanad » August 4th, 2008, 11:29 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:56 PM, on 8/4/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html ... &M=C-141XL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html ... &M=C-141XL
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html ... &M=C-141XL
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [Spare Backup] "C:\Program Files\Spare Backup\SpareBackup.exe" /silent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {5D80A6D1-B500-47DA-82B8-EB9875F85B4D} (Google Gadget Control) - http://dl.google.com/dl/desktop/nv/Goog ... nIEWin.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

--
End of file - 7828 bytes
talanad
Regular Member
 
Posts: 19
Joined: August 4th, 2008, 11:16 pm
Advertisement
Register to Remove

Re: iGoogle has hijacked my homepage! Please help me get it back

Unread postby Katana » August 9th, 2008, 6:26 am

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

I apologize for the delay in responding, but as you can probably see the forums are quite busy.
Unfortunately there are far more people needing help than there are helpers.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe


----------------------------------------------------------------------------------------


If you still require help please post a fresh HJT log along with the following


Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: iGoogle has hijacked my homepage! Please help me get it back

Unread postby talanad » August 9th, 2008, 5:42 pm

Hi and thanx so much for the response, I know you're busy.
Problem is, I've tried saving the file 3 times and I get:
"Cannot find the C:\Program Files\Trend Micro\HijackThis\LogFiles\uninstall_list.txt file.
Do you want to create a new file?"

It has also been showing the file as there in the browse menu when I try to repeat the process and asking if I want to replace it but when I click yes, I still get the above message.
The file does not show up in the Windows Explorer when I go look for the file it is asking me to replace.

Thought about hitting the Open Add/Remove Software list to try to copy it that way since I can't copy it from the save list screen but will await your advice.

Thanx again for any aid you can give me.
Terry
talanad
Regular Member
 
Posts: 19
Joined: August 4th, 2008, 11:16 pm

Re: iGoogle has hijacked my homepage! Please help me get it back

Unread postby Katana » August 10th, 2008, 6:20 am

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Now try to get the uninstall list
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: iGoogle has hijacked my homepage! Please help me get it back

Unread postby talanad » August 10th, 2008, 1:46 pm

Malwarebytes' Anti-Malware 1.24
Database version: 1036
Windows 6.0.6000

10:09:50 AM 8/10/2008
mbam-log-8-10-2008 (10-09-50).txt

Scan type: Full Scan (C:\|)
Objects scanned: 150595
Time elapsed: 1 hour(s), 24 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I will now try to get the uninstall list as you suggested....
Well, I am sorry to say that it still tells me it cannot find the Uninstall list file.
I'm new to Vista OS but don't think I'm doing anything wrong.
I do see the file as saved in the the "Save Add/Remove Software list to disk" window in the location I'm saving to and when I click 'Save' the error window asks if I want to replace it but then says it can't find it....
Also tried right click opening it but message says can't be found from there.
Also checked properties of the file in said window and it states the Size as 3.01 KB but system doesn't see it.
I've checked my folder views in Windows Explorer and if it's there I should be seeing it in WE but can't.
HijackThis isn't seeing it either.
Will wait for your instructions.
Terry
talanad
Regular Member
 
Posts: 19
Joined: August 4th, 2008, 11:16 pm

Re: iGoogle has hijacked my homepage! Please help me get it back

Unread postby Katana » August 10th, 2008, 1:57 pm

Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: iGoogle has hijacked my homepage! Please help me get it back

Unread postby talanad » August 11th, 2008, 5:19 pm

I've printed the instructions to ComboFix but may not be able to complete the task until Thursday 8/14/08.
Please don't lose me I will be staying with this as long as necessary.
Hopefully it will be sooner than that,
Thank you so much, will be in contact with you,
Terry
talanad
Regular Member
 
Posts: 19
Joined: August 4th, 2008, 11:16 pm

Re: iGoogle has hijacked my homepage! Please help me get it back

Unread postby Katana » August 11th, 2008, 6:29 pm

Thanks for letting me know :thumbup:
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: iGoogle has hijacked my homepage! Please help me get it back

Unread postby talanad » August 14th, 2008, 4:29 pm

Hello Katana,
I have read the instructions for Combofix and have 1 question before proceding with the download you suggested...
I am using Windows Vista and no mention is made of it in the section about the Windows Recovery Console, Windows XP.
Should I ignore that section and procede where is tells me to close all open windows and disable other scanning programs?
T
talanad
Regular Member
 
Posts: 19
Joined: August 4th, 2008, 11:16 pm

Re: iGoogle has hijacked my homepage! Please help me get it back

Unread postby Katana » August 14th, 2008, 5:05 pm

talanad wrote:Should I ignore that section and procede where is tells me to close all open windows and disable other scanning programs?
T


Correct ;)
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: iGoogle has hijacked my homepage! Please help me get it back

Unread postby talanad » August 14th, 2008, 5:08 pm

Excellent, :cheers: ,
Thanx for the Quick response.
T
talanad
Regular Member
 
Posts: 19
Joined: August 4th, 2008, 11:16 pm

Re: iGoogle has hijacked my homepage! Please help me get it back

Unread postby talanad » August 14th, 2008, 7:11 pm

:cry:
I turned off scanning programs and closed all windows and when I start Combofix the blue window appears but in the top bar next to the combofix icon it has the word Administrator: , the blue screen remains blank and it just sits there. There is no Please wait or preparing to run message.
I restarted it 4 times then deleted and redownloaded Combofix. I gave it 10 minutes the 4th time.

There is a message each time from Windows Defender (I checked, it is disabled!!) that says:
"A system change was made by a known program... C:\windows\SMINST\launcher.exe. Then the blue screen appears and just sits there.

Please advise, I'm pretty frustrated.
T
talanad
Regular Member
 
Posts: 19
Joined: August 4th, 2008, 11:16 pm

Re: iGoogle has hijacked my homepage! Please help me get it back

Unread postby talanad » August 14th, 2008, 8:11 pm

Was able to get the log of the Uninstall.txt file from HiJackThis this time?
:o

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Activation Assistant for the 2007 Microsoft Office suites
Ad-Aware SE Plus
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Agere Systems HDA Modem
Apple Software Update
ATI Uninstaller
AVG Free 8.0
BigFix
Browser Address Error Redirector
ccc-Branding
Compatibility Pack for the 2007 Office system
EAX Unified
Gateway Connect
Gateway Recovery Center Installer
HijackThis 2.0.2
Intel(R) Matrix Storage Manager
Intel(R) PRO Network Connections Drivers
Java(TM) SE Runtime Environment 6 Update 1
Lara Croft Tomb Raider: The Angel Of Darkness
Majesty
Malwarebytes' Anti-Malware
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote 2007
Microsoft Office OneNote 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Microsoft WSE 2.0 SP3 Runtime
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
Myst Masterpiece Edition
Napster
Napster Burn Engine
Network Play System (Patching)
Palm
Passwords Plus
Power2Go 5.0
Protector Suite QL 5.6
QuickTime
Quicktime Browser Plug-In
RealPlayer
Rhapsody Player Engine
Security Update for Excel 2007 (KB946974)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Office 2007 (KB947801)
SigmaTel Audio
Spare Backup
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
The Sims
Tomb Raider - The Lost Artifact
Tomb Raider III
Update for Office 2007 (KB946691)
Update for Office 2007 (KB946691)
WIDCOMM Bluetooth Software 6.0.1.4900
talanad
Regular Member
 
Posts: 19
Joined: August 4th, 2008, 11:16 pm

Re: iGoogle has hijacked my homepage! Please help me get it back

Unread postby Katana » August 15th, 2008, 4:10 am

Please have a look for

C:\ComboFix.txt and C:\Qoobox\ComboFix.txt

If you find any, please post them, if not please try running ComboFix in safe mode.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: iGoogle has hijacked my homepage! Please help me get it back

Unread postby talanad » August 15th, 2008, 7:25 pm

Hi,
Restarted and reconnected to internet and the Combofix took off just fine.

Here's the logfile:

ComboFix 08-08-14.01 - teylanad 2008-08-15 15:29:44.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2105 [GMT -7:00]
Running from: C:\Users\teylanad\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\teylanad\AppData\Roaming\macromedia\Flash Player\#SharedObjects\CDPEKTSE\interclick.com
C:\Users\teylanad\AppData\Roaming\macromedia\Flash Player\#SharedObjects\CDPEKTSE\interclick.com\ud.sol
C:\Users\teylanad\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Users\teylanad\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-07-15 to 2008-08-15 )))))))))))))))))))))))))))))))
.

2008-08-14 11:27 . 2008-07-15 16:48 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-10 08:39 . 2008-08-10 08:39 <DIR> d-------- C:\Users\teylanad\AppData\Roaming\Malwarebytes
2008-08-10 08:39 . 2008-08-10 08:39 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-08-10 08:39 . 2008-08-10 08:39 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-08-10 08:39 . 2008-08-10 10:13 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-10 08:39 . 2008-07-30 20:07 38,472 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-08-10 08:39 . 2008-07-30 20:07 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-08-04 19:49 . 2008-08-04 19:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 08:29 . 2008-06-25 17:33 11,722,752 --a------ C:\Windows\System32\NlsLexicons0001.dll
2008-07-16 16:22 . 2008-07-16 16:27 <DIR> d-------- C:\Users\teylanad\Mom Transfer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-15 22:35 --------- d-----w C:\Users\teylanad\AppData\Roaming\Spare Backup
2008-08-14 18:24 --------- d-----w C:\Program Files\Windows Mail
2008-08-04 23:04 --------- d-----w C:\Program Files\Google
2008-07-09 21:43 174 --sha-w C:\Program Files\desktop.ini
2008-07-09 04:55 --------- d-----w C:\Users\teylanad\AppData\Roaming\CyberLink
2008-07-09 04:55 --------- d-----w C:\ProgramData\CyberLink
2008-07-03 02:45 --------- d-----w C:\Program Files\Red Orb
2008-07-03 02:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-03 02:41 --------- d-----w C:\Program Files\MicroProse
2008-07-03 02:38 --------- d-----w C:\Program Files\Core Design
2008-07-02 23:41 --------- d-----w C:\Program Files\InterActual
2008-07-02 19:26 96,520 ----a-w C:\Windows\system32\drivers\avgldx86.sys
2008-07-02 19:26 69,128 ----a-w C:\Windows\system32\drivers\avgwfpx.sys
2008-07-02 19:26 10,520 ----a-w C:\Windows\System32\avgrsstx.dll
2008-07-02 03:30 --------- d-----w C:\Program Files\Electronic Arts
2008-07-02 03:28 --------- d-----w C:\Program Files\Maxis
2008-07-02 00:57 --------- d-----w C:\Program Files\Creative
2008-07-02 00:46 --------- d-----w C:\Program Files\Eidos Interactive
2008-07-01 19:07 --------- d-----w C:\Users\teylanad\AppData\Roaming\Lavasoft
2008-07-01 19:07 --------- d-----w C:\Program Files\Lavasoft
2008-06-27 03:54 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-06-27 03:54 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-06-27 03:54 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-06-27 03:54 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-06-26 02:45 --------- d-----w C:\Users\teylanad\AppData\Roaming\Roxio
2008-06-26 02:45 --------- d-----w C:\ProgramData\Napster
2008-06-26 00:33 9,892,864 ----a-w C:\Windows\System32\NlsLexicons000a.dll
2008-06-24 18:01 --------- d-----w C:\ProgramData\Apple Computer
2008-06-24 18:01 --------- d-----w C:\Program Files\QuickTime
2008-06-23 17:38 --------- d-----w C:\ProgramData\avg8
2008-06-23 17:38 --------- d-----w C:\Program Files\AVG
2008-06-23 16:41 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-23 16:39 --------- d-----w C:\ProgramData\Symantec
2008-06-19 21:13 --------- d-----w C:\Program Files\Common Files\DataViz
2008-06-19 20:36 --------- d-----w C:\Program Files\Palm
2008-06-19 19:25 --------- d-----w C:\Program Files\Passwords Plus
2008-06-19 03:25 61,440 ----a-w C:\Windows\System32\winipsec.dll
2008-06-19 03:25 361,984 ----a-w C:\Windows\System32\IPSECSVC.DLL
2008-06-19 03:25 28,672 ----a-w C:\Windows\System32\FwRemoteSvr.dll
2008-06-19 03:25 272,896 ----a-w C:\Windows\System32\polstore.dll
2008-06-12 06:54 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-06-12 06:54 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-06-12 01:21 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-04-30 07:20 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-04-30 07:20 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-04-30 07:20 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-03-28 20:59 2953216 --a------ C:\Program Files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-03-28 20:59 2953216 --a------ C:\Program Files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe" [2005-05-25 12:12 517632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 14:37 174872]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-05 02:18 827392]
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [2007-03-28 20:23 49168]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [2006-09-06 13:12 323216]
"Spare Backup"="C:\Program Files\Spare Backup\SpareBackup.exe" [2007-09-13 17:22 5252936]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-06 11:05 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-02 12:26 1232152]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe" [2005-05-25 12:12 517632]

C:\Users\teylanad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2008-03-04 19:04:07 2342912]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-03-29 14:11:50 719664]
HotSync Manager.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34 471040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-28 20:46 90112 C:\Windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1669751230-3628068341-3706583971-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{90A40444-73DE-4E5A-AE81-8232BC6376BF}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5ED803E3-D302-4CEC-B8D8-7535BA7E0B40}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{9326A280-DDC0-4B13-B978-6F1AD8A943EF}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
"{02A8F421-A1D9-4EA6-AF65-061853A7D83C}"= C:\Program Files\AVG\AVG8\avgemc.exe:avgemc.exe
"TCP Query User{EFEE5914-F223-4E80-BBA7-C51B38553DCA}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{8CA8B965-F614-48B9-A3DC-FA672B47E913}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-07-02 12:26]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-02 12:26]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-02 12:26]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-04-10 07:54]
R3 AvgWfpX;AVG8 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfpx.sys [2008-07-02 12:26]
R3 btwaudio;Bluetooth Audio Device Service;C:\Windows\system32\drivers\btwaudio.sys [2007-03-29 12:46]
R3 btwavdt;Bluetooth AVDT;C:\Windows\system32\drivers\btwavdt.sys [2007-02-26 23:20]
R3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2007-02-26 23:20]
R3 MSTabBtn;Quanta Computer Tablet PC Buttons HID Driver;C:\Windows\system32\DRIVERS\mstabbtn.sys [2007-03-08 19:40]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 00:30]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/ig?hl=en&source=iglk
R0 -: HKLM-Main,Start Page = hxxp://www.gateway.com/g/startpage.html ... &M=C-141XL
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 -: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 -: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O16 -: {5D80A6D1-B500-47DA-82B8-EB9875F85B4D} - hxxp://dl.google.com/dl/desktop/nv/Goog ... nIEWin.cab
C:\Windows\Downloaded Program Files\install.inf
C:\Windows\Downloaded Program Files\GoogleGadgetPluginIEWin.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-15 15:33:45
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\Ati2evxx.exe
C:\Windows\System32\audiodg.exe
C:\Windows\System32\Ati2evxx.exe
C:\Windows\System32\wisptis.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\System32\agrsmsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Protector Suite QL\upeksvr.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Windows\System32\wisptis.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
.
**************************************************************************
.
Completion time: 2008-08-15 15:41:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-15 22:40:14

Pre-Run: 167,478,779,904 bytes free
Post-Run: 167,514,083,328 bytes free

194 --- E O F --- 2008-08-14 18:28:08
talanad
Regular Member
 
Posts: 19
Joined: August 4th, 2008, 11:16 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 505 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware