Forum: Resolved HJT Threads (Resolved spyware and popup issues)
#1
Registered User
Join Date: Dec 2007
Posts: 9
OS: XP SP2
Browser Hijack?
IE keeps trying to add pages that I'm unfamiliar with to my favourites.
I've run HijackThis and the log file seems to be in order except for the last line, which I don't recognise:

O23 - Service: Window Image Worker (windownetpker) - Unknown owner - C:\Program Files\Internet Explorer\svchost.exe

Is this the problem, and if so how do I fix it? Thanks for the help. Neil.
#2
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,566
OS: 2000 Pro; XP Pro; XP Home
Re: Browser Hijack?
Hello, and Welcome to TSF.
For any helper to take on your issue, we would need a full set of logs, not just one entry plucked out of it, though that seems a bad one. Please follow MicroBell's 5 Step process outlined here: http://www.techsupportforum.com/secu...tml#post342651 After running through all the steps, please post the requested logs. If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Please do not ask for help via Private Message.
#3
Registered User
Join Date: Dec 2007
Posts: 9
OS: XP SP2
Re: Browser Hijack?
Hi
Thanks very much for taking the time to reply. I've attached extra.txt to this post. Main.txt as follows:

Deckard's System Scanner v20071014.68
Run by Neil on 2007-12-06 20:47:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
33: 2007-12-06 09:47:31 UTC - RP33 - Deckard's System Scanner Restore Point
32: 2007-12-05 08:55:00 UTC - RP32 - System Checkpoint
31: 2007-12-04 06:25:34 UTC - RP31 - System Checkpoint
30: 2007-12-03 05:35:36 UTC - RP30 - System Checkpoint
29: 2007-12-02 03:30:35 UTC - RP29 - System Checkpoint

-- First Restore Point --
1: 2007-11-16 00:41:52 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Neil.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:09 PM, on 6/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Documents and Settings\Neil\Desktop\torrents i am downloading now\dss.exe
C:\Hold\Neil.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1195198780562
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Window Image Worker (windownetpker) - Unknown owner - C:\Program Files\Internet Explorer\svchost.exe

--
End of file - 6065 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
S3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 windownetpker (Window Image Worker) - c:\program files\internet explorer\svchost.exe

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.
-- Files created between 2007-11-06 and 2007-12-06 -----------------------------

(file listing omitted)

-- Find3M Report ---------------------------------------------------------------

2007-11-23 17:42:45 34 --a------ C:\Documents and Settings\Neil\Application Data\pcouffin.log
2007-11-23 17:42:26 1144 --a------ C:\Documents and Settings\Neil\Application Data\pcouffin.inf
2007-11-23 17:42:26 7887 --a------ C:\Documents and Settings\Neil\Application Data\pcouffin.cat
2007-11-16 22:23:30 62 --ahs---- C:\Documents and Settings\Neil\Application Data\desktop.ini

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [11/09/2002 01:57 PM C:\WINDOWS\SOUNDMAN.EXE]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [27/09/2005 12:16 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 10:50 AM]
"DU Meter"="C:\Program Files\DU Meter\DUMeter.exe" [01/02/2005 07:28 PM]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [23/03/2006 05:06 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [06/09/2007 08:06 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [16/11/2007 04:07 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [31/08/2007 04:46 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

C:\Documents and Settings\Neil\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [16/03/2005 8:16:50 PM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

-- End of Deckard's System Scanner: finished at 2007-12-06 20:49:46 ------------

Thanks again.

Last edited by tetonbob; 12-06-2007 at 07:24 AM. Reason: removed quote tags; makes logs harder to read
#4
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,566
OS: 2000 Pro; XP Pro; XP Home
Re: Browser Hijack?
Hi budsy -
Thanks for supplying the logs. I'd like to spend a few preliminary minutes identifying the nature of this threat. I'll be here for the next several hours, so we can address the results quickly. Please go to: VirusTotal
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Please do not ask for help via Private Message.
#5
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,566
OS: 2000 Pro; XP Pro; XP Home
Re: Browser Hijack?
Still with us, budsy?
#6
Registered User
Join Date: Dec 2007
Posts: 9
OS: XP SP2
Re: Browser Hijack?
Hi,
Yeah, still with you, just got in. Results:
File svchost.exe received on 12.11.2007 06:50:11 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.12.11.1 2007.12.11 -
AntiVir 7.6.0.40 2007.12.10 TR/Delf.bld
Authentium 4.93.8 2007.12.10 -
Avast 4.7.1098.0 2007.12.10 -
AVG 7.5.0.503 2007.12.10 Generic9.AADT
BitDefender 7.2 2007.12.11 -
CAT-QuickHeal 9.00 2007.12.10 Trojan.Delf.amr
ClamAV 0.91.2 2007.12.11 -
DrWeb 4.44.0.09170 2007.12.10 Trojan.DownLoader.origin
eSafe 7.0.15.0 2007.12.10 Win32.Delf.amr
eTrust-Vet 31.3.5368 2007.12.10 -
Ewido 4.0 2007.12.10 -
FileAdvisor 1 2007.12.11 -
Fortinet 3.14.0.0 2007.12.11 W32/Delf.AMR!tr
F-Prot 4.4.2.54 2007.12.10 W32/Trojan2.HWF
F-Secure 6.70.13030.0 2007.12.11 Trojan.Win32.Delf.amr
Ikarus T3.1.1.12 2007.12.11 Trojan.Win32.Delf.amr
Kaspersky 7.0.0.125 2007.12.11 Trojan.Win32.Delf.amr
McAfee 5182 2007.12.10 -
Microsoft 1.3007 2007.12.10 -
NOD32v2 2714 2007.12.10 -
Norman 5.80.02 2007.12.10 W32/Delf.BCHU
Panda 9.0.0.4 2007.12.10 -
Prevx1 V2 2007.12.11 -
Rising 20.21.42.00 2007.12.07 -
Sophos 4.24.0 2007.12.11 Mal/Behav-053
Sunbelt 2.2.907.0 2007.12.07 TR/Delf.bld
Symantec 10 2007.12.11 -
TheHacker 6.2.9.155 2007.12.10 Trojan/Delf.amr
VBA32 3.12.2.5 2007.12.10 Trojan.Win32.Delf.amr
VirusBuster 4.3.26:9 2007.12.10 Trojan.Delf.AADI
Webwasher-Gateway 6.6.2 2007.12.10 Trojan.Delf.bld
Additional information
File size: 497664 bytes
MD5: b7675e7881b9eaf0d7eea37fc6239e9a
SHA1: 12bf603ec484b7ccfbf960df664c5df7bd7c9c1d
PEiD: -
Seems like I've caught a bug?
#7
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,566
OS: 2000 Pro; XP Pro; XP Home
Re: Browser Hijack?
Yuck....
Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. ---------------------------------------------------------------------------------------------
#9
Registered User
Join Date: Dec 2007
Posts: 9
OS: XP SP2
Re: Browser Hijack?
Hello again
I did exactly as you said, but I have no idea where Combofix saved its log file. Anyhow, I ran Hijackthis and the log is as follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:51, on 2007-12-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Hold\HiJackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [combofix] "C:\WINDOWS\system32\cmd.exe" /c "cd /d C:\ComboFix\ & Combobatch.bat"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1195198780562
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Window Image Worker (windownetpker) - Unknown owner - C:\Program Files\Internet Explorer\svchost.exe (file missing)
--
End of file - 5857 bytes
Hope this helps. Thanks again for your time. Neil.
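Added triage logic for logs like the one above: my own example, not code posted in this thread and not part of HijackThis. It parses O4 and O23 lines and flags the pattern tetonbob called out in post #2: a core Windows binary name such as svchost.exe registered from a directory other than system32, a service with no recorded publisher, and a service whose image file is missing. It assumes %SystemRoot% is C:\WINDOWS; the sample lines are constructed (the HKCU svchost entry is invented to exercise the O4 path, the rest are modelled on Neil's log).

```python
"""Triage HijackThis O4/O23 entries for masquerading system binaries (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: an XP install whose %SystemRoot% is C:\WINDOWS.
SYSTEM32 = r"c:\windows\system32"
# Core Windows binaries that never legitimately run from anywhere but system32 on XP.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                   "csrss.exe", "smss.exe", "spoolsv.exe"}

# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First executable on a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'"?(?P<exe>.+?\.exe)', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def path_reasons(path: str) -> List[str]:
    """A core system binary name whose directory is not system32 (the svchost.exe case above)."""
    lower = path.strip().strip('"').lower()
    name = lower.rsplit("\\", 1)[-1]
    if name in SYSTEM_BINARIES and not lower.startswith(SYSTEM32 + "\\"):
        return [f"{name} outside {SYSTEM32}"]
    return []


def triage_o23(line: str) -> Optional[Finding]:
    """O23 - Service: <display name> (<short name>) - <publisher> - <image path>[ (file missing)]"""
    body = line[len("O23 - Service: "):]
    # Split from the right: the publisher and the image path never contain " - ",
    # but a display name might (e.g. "Spybot - Search & Destroy").
    parts = body.rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    _name, owner, path = parts
    reasons: List[str] = []
    if path.endswith(" (file missing)"):
        path = path[: -len(" (file missing)")]
        reasons.append("image file missing (service registration left behind)")
    if owner.strip().lower() == "unknown owner":
        reasons.append("no publisher recorded")
    reasons += path_reasons(path)
    return Finding(line, reasons) if reasons else None


def triage_o4(line: str) -> Optional[Finding]:
    m = O4_RE.match(line)
    if not m:
        return None  # O4 - Startup: ... and other forms are not handled here
    exe = EXE_RE.match(m.group("cmd"))
    if not exe:
        return None
    reasons = path_reasons(exe.group("exe"))
    return Finding(line, reasons) if reasons else None


def triage_log(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("O23 - Service: "):
            f = triage_o23(line)
        elif line.startswith("O4 - "):
            f = triage_o4(line)
        else:
            f = None
        if f:
            findings.append(f)
    return findings


# Constructed sample modelled on the log above; the HKCU svchost entry is invented
# to exercise the O4 path and did not appear in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [combofix] "C:\WINDOWS\system32\cmd.exe" /c "cd /d C:\ComboFix\ & Combobatch.bat"
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\Neil\Application Data\svchost.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Window Image Worker (windownetpker) - Unknown owner - C:\Program Files\Internet Explorer\svchost.exe (file missing)
"""

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("   ->", reason)
```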
#10
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,566
OS: 2000 Pro; XP Pro; XP Home
Re: Browser Hijack?
Hi Neil -
To help ComboFix's developer, can you please do this:
Please download & run this file> http://download.bleepingcomputer.com/sUBs/grab.exe
It shall produce a zip file named _sUBs_.zip. Please visit this site and submit the file http://www.bleepingcomputer.com/subm....php?channel=4
Let me know when that's been accomplished.
Also, can you locate C:\Qoobox\ComboFix_quarantined_files.txt and post it if it's present?
Last edited by tetonbob; 12-11-2007 at 09:34 AM.
#12
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,566
OS: 2000 Pro; XP Pro; XP Home
Re: Browser Hijack?
Thanks for uploading the file.
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries and click Fix Checked
O4 - HKLM\..\Run: [combofix] "C:\WINDOWS\system32\cmd.exe" /c "cd /d C:\ComboFix\ & Combobatch.bat"
Close HijackThis now.
---------------------------------------------------------------------------------------------
Open notepad and copy/paste the text in the quotebox below into it:
Quote:
It should look like this:
Double click on fix.bat & allow it to run
Run ComboFix once again, this time just by double clicking on the ComboFix.exe file.
Post the log produced, and a new HijackThis log.
#13
Registered User
Join Date: Dec 2007
Posts: 9
OS: XP SP2
Re: Browser Hijack?
Hi
Done all that, seemed to go OK. Combofix log:
ComboFix 07-12-09.1 - Neil 2007-12-12 14:28:52.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.589 [GMT 11:00]
Running from: C:\Documents and Settings\Neil\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Neil\Application Data\inst.exe
C:\Program Files\internet explorer\svchost.exe
.
((((((((((((((((((((((((( Files Created from 2007-11-12 to 2007-12-12 )))))))))))))))))))))))))))))))
.
2007-12-03 10:04 . 2007-12-03 10:06 <DIR> d-------- C:\Program Files\Easy Outlook Express Backup
2007-12-02 06:17 . 2007-12-02 07:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-29 20:11 . 2007-11-29 20:11 <DIR> d-------- C:\Documents and Settings\Neil\Application Data\GlobalSCAPE
2007-11-29 20:10 . 2007-11-29 20:10 <DIR> d-------- C:\Program Files\GlobalSCAPE
2007-11-29 17:37 . 2007-11-29 17:37 <DIR> d-------- C:\Program Files\uTorrent
2007-11-29 17:37 . 2007-12-08 10:11 <DIR> d-------- C:\Documents and Settings\Neil\Application Data\uTorrent
2007-11-28 15:43 . 2007-11-28 15:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2007-11-27 16:06 . 2007-11-27 16:06 <DIR> d-------- C:\Program Files\PowerISO
2007-11-24 15:50 . 2007-11-24 15:50 164 --a------ C:\WINDOWS\CDPLAYER.UNI
2007-11-24 15:48 . 2007-11-24 15:48 <DIR> d-------- C:\WINDOWS\Easy CD-DA Extractor
2007-11-24 15:48 . 2007-11-24 15:49 <DIR> d-------- C:\Program Files\Easy CD-DA Extractor 10
2007-11-24 15:44 . 2007-11-24 15:44 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-11-23 18:46 . 2007-12-12 14:17 <DIR> d-------- C:\Documents and Settings\Neil\Application Data\dvdcss
2007-11-23 18:37 . 2007-11-23 18:37 <DIR> d-------- C:\Program Files\DVD Shrink
2007-11-23 18:37 . 2007-11-23 18:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-11-23 18:33 . 2007-11-23 18:33 <DIR> d-------- C:\Program Files\CyberLink
2007-11-23 18:33 . 2007-11-23 18:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-11-23 17:42 . 2007-11-23 17:42 <DIR> d-------- C:\Program Files\DVDFab Platinum 3
2007-11-23 17:42 . 2007-11-23 20:45 <DIR> d-------- C:\Documents and Settings\Neil\Application Data\Vso
2007-11-23 17:42 . 2007-11-23 17:42 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-11-23 17:42 . 2007-11-23 17:42 47,360 --a------ C:\Documents and Settings\Neil\Application Data\pcouffin.sys
2007-11-23 17:26 . 2007-11-23 17:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2007-11-22 18:46 . 2007-11-22 18:46 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-11-22 18:46 . 2004-02-22 10:11 719,872 --a------ C:\WINDOWS\system32\devil.dll
2007-11-22 18:46 . 2006-10-07 17:43 502,784 --a------ C:\WINDOWS\x2.64.exe
2007-11-22 18:46 . 2007-05-14 15:24 394,240 --a------ C:\WINDOWS\system32\Smab.dll
2007-11-22 18:46 . 2007-05-17 17:30 318,976 --a------ C:\WINDOWS\system32\avisynth.dll
2007-11-22 18:46 . 2005-02-28 13:16 240,128 --a------ C:\WINDOWS\system32\x.264.exe
2007-11-22 18:46 . 2006-04-12 09:47 217,073 --a------ C:\WINDOWS\meta4.exe
2007-11-22 18:46 . 2004-01-25 00:00 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-11-22 18:46 . 2004-01-25 00:00 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
2007-11-22 18:46 . 2006-04-05 08:09 66,560 --a------ C:\WINDOWS\MOTA113.exe
2007-11-22 18:46 . 2005-07-14 12:31 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2007-11-22 18:45 . 2007-11-22 18:45 <DIR> d-------- C:\Program Files\eRightSoft
2007-11-18 18:57 . 2001-08-03 11:21 438,272 -ra------ C:\WINDOWS\system32\hpgmatk.dll
2007-11-18 18:57 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-11-18 18:57 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-11-18 11:15 . 2007-11-21 14:14 <DIR> d-------- C:\Program Files\Agent
2007-11-17 17:19 . 2007-11-17 17:19 <DIR> d-------- C:\Program Files\Elaborate Bytes
2007-11-17 17:18 . 2007-11-23 17:25 <DIR> d-------- C:\Program Files\SlySoft
2007-11-17 17:15 . 2007-11-17 17:15 <DIR> d-------- C:\Program Files\Pegasys Inc
2007-11-17 12:14 . 2007-11-17 12:14 <DIR> d-------- C:\Documents and Settings\Neil\Application Data\AdobeUM
2007-11-17 12:08 . 2007-11-17 12:08 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-11-17 12:08 . 2001-01-15 22:06 667,648 --a------ C:\WINDOWS\system32\ipeistor12.dll
2007-11-17 12:05 . 2007-11-22 21:37 <DIR> d-------- C:\Program Files\SimpleCopier
2007-11-17 12:03 . 2007-12-03 16:13 <DIR> d-------- C:\Program Files\Mp3TagToolsv12
2007-11-17 10:26 . 2007-11-17 10:26 <DIR> d-------- C:\Program Files\D-Link
2007-11-17 10:26 . 1999-08-25 16:19 220,160 --a------ C:\WINDOWS\PRINTERS.EXE
2007-11-17 10:26 . 2001-03-15 15:39 26,624 --a------ C:\WINDOWS\system32\PRTdlink.dll
2007-11-17 10:25 . 2007-11-17 10:25 <DIR> d-------- C:\WINDOWS\Lexmark
2007-11-17 10:25 . 2001-11-10 13:22 45,056 --a------ C:\WINDOWS\system32\Insts32K.dll
2007-11-17 10:25 . 2001-05-30 16:02 32,025 --a------ C:\WINDOWS\ssgs3su.hlp
2007-11-17 10:25 . 2001-03-20 16:10 3,262 --a------ C:\WINDOWS\reinstall.ico
2007-11-17 10:25 . 2001-03-20 14:52 766 --a------ C:\WINDOWS\Uninstall.ico
2007-11-17 06:09 . 2007-11-17 06:09 <DIR> d-------- C:\Program Files\Alwil Software
2007-11-17 06:09 . 2007-12-05 00:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-11-17 06:09 . 2004-01-09 21:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-11-17 06:09 . 2007-12-04 23:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-11-17 06:09 . 2007-12-05 01:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-11-17 06:09 . 2007-12-05 01:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-11-17 06:09 . 2007-12-05 01:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-11-17 06:09 . 2007-12-05 01:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-17 06:09 . 2007-12-05 01:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-11-16 20:37 . 2007-12-03 18:07 <DIR> d-------- C:\Program Files\Winamp
2007-11-16 19:01 . 2007-07-10 00:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-16 18:42 . 2007-11-16 19:19 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-11-16 18:40 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-11-16 18:40 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-11-16 18:40 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-11-16 18:40 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-11-16 18:40 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-11-16 18:39 . 2007-11-16 18:39 <DIR> d---s---- C:\Documents and Settings\Neil\UserData
2007-11-16 16:33 . 2007-11-29 17:41 <DIR> d-------- C:\Documents and Settings\Neil\Application Data\.BitTornado
2007-11-16 16:30 . 2007-11-16 16:30 <DIR> d-------- C:\Program Files\MP3 Splitter & Joiner
2007-11-16 16:08 . 2007-11-16 16:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RoboForm
2007-11-16 16:07 . 2007-11-16 16:07 <DIR> d-------- C:\Program Files\Siber Systems
2007-11-16 16:03 . 2007-11-16 16:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-11-16 15:55 . 2007-11-16 15:55 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-11-16 15:54 . 2007-11-16 15:56 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-11-16 15:52 . 2007-11-16 15:52 <DIR> d-------- C:\Program Files\BitTornado
2007-11-16 15:47 . 2006-03-07 16:27 3,067,904 --------- C:\WINDOWS\NuNinst.exe
2007-11-16 15:47 . 2006-03-24 11:12 59,278 --------- C:\WINDOWS\NuNinst.cfg
2007-11-16 15:46 . 2007-11-16 15:46 <DIR> d-------- C:\WINDOWS\InCD
2007-11-16 15:46 . 2006-03-23 17:15 102,016 --------- C:\WINDOWS\system32\drivers\InCDfs.sys
2007-11-16 15:46 . 2006-03-23 17:15 33,536 --------- C:\WINDOWS\system32\drivers\InCDrm.sys
2007-11-16 15:46 . 2006-03-23 17:15 29,440 --------- C:\WINDOWS\system32\drivers\InCDpass.sys
2007-11-16 15:46 . 2006-03-23 17:00 8,704 --------- C:\WINDOWS\system32\drivers\InCDrec.sys
2007-11-16 15:45 . 2007-11-17 18:45 <DIR> d-------- C:\Program Files\ExplorerXP
2007-11-16 15:41 . 2007-11-16 15:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hagel Technologies
2007-11-16 15:40 . 2007-11-16 15:40 <DIR> d-------- C:\Program Files\Atomic Clock Sync
2007-11-16 15:40 . 2007-11-16 15:40 <DIR> d-------- C:\Program Files\APSW
2007-11-16 15:30 . 2007-11-16 15:30 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-11-16 15:30 . 2007-11-16 15:46 <DIR> d-------- C:\Program Files\Ahead
2007-11-16 15:30 . 2001-07-06 13:41 569,344 --a------ C:\WINDOWS\system32\imagr5.dll
2007-11-16 15:30 . 2001-07-06 11:44 544,768 --a------ C:\WINDOWS\system32\imagx5.dll
2007-11-16 15:30 . 2001-07-06 17:24 283,920 --a------ C:\WINDOWS\system32\ImagXpr5.dll
2007-11-16 15:30 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-11-16 15:30 . 2003-03-29 15:45 89,184 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
2007-11-16 15:30 . 2003-09-15 13:56 57,344 --a------ C:\WINDOWS\system32\ImageDrive.cpl
2007-11-16 15:30 . 2001-06-26 07:15 38,912 --a------ C:\WINDOWS\system32\picn20.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-29 06:41 --------- d-----w C:\Documents and Settings\Neil\Application Data\.BitTornado
2007-11-17 06:15 20,576 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-11-17 06:15 108,544 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-11-17 06:15 103,936 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-11-17 06:15 10,752 ------w C:\WINDOWS\system32\pxwma.dll
2007-11-16 00:35 --------- d-----w C:\Program Files\microsoft frontpage
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-11-16 16:07]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-09-11 13:57 C:\WINDOWS\SOUNDMAN.EXE]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2005-09-27 12:16]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"DU Meter"="C:\Program Files\DU Meter\DUMeter.exe" [2005-02-01 19:28]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-23 17:06]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-05 00:00]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-11-16 16:07]
.
**************************************************************************
catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-12 14:30:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-12 14:31:16
.
--- E O F ---
Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:38 PM, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Hold\Neil.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1195198780562
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
--
End of file - 5799 bytes
Thanks again, I hope that's done with. By the way, the PC seems to be running quite a bit faster. What did this Trojan do anyway? Neil.
#14
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,566
OS: 2000 Pro; XP Pro; XP Home
Re: Browser Hijack?
Almost done...if I could impose upon you again....
The file is a trojan downloader; by uploading it, experts, developers and AV vendors will get a look at it to get a more precise idea of what exactly it does. Avast is one in the list which doesn't have it in their definitions...so by uploading it, and sending it to the vendors, we help others.
Please run this online scan to help look for remnants.
First, Go to Start>Control Panel>Add/Remove Programs and remove Kaspersky online scanner if present prior to downloading the most up-to-date one.
Next, establish an internet connection & perform an online scan using Internet Explorer at Kaspersky Online Scanner
Answer Yes, when prompted to install an ActiveX component.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
---------------------------------------------------------------------------------------------
#15
Registered User
Join Date: Dec 2007
Posts: 9
OS: XP SP2
|
Re: Browser Hijack?
Hello again,
Sorry it took so long, but the virus scan was nearly two hours. I uploaded the file as you asked. Anyway, virus scan log is here:
#16

Manager, Security Center, TSF Academy; Analyst, Security Team
Re: Browser Hijack?
Thanks again for uploading the file.
Kaspersky IDs this file as a password tool: E:\Documents and Settings\Neil\Local Settings\Temp\''WGA Notification v1.5.708.0'' Update\Data\Port_RockXP_v4.exe

Programs detected in the Riskware category are not directly malicious, but are often used in conjunction with malware. The RockXP is retrieving a hidden key, and also shows some passwords... (the key is a password in reality). It's probably fine, if you're aware of it. Seems like an odd location for an .exe file, though: E:\Documents and Settings\Neil\Local Settings\Temp. If you're not aware of it, delete it.

Other than that, the other finds will be addressed by uninstalling ComboFix using the method prescribed below.

Your logs appear clean. You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK:

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and use the following free programs:

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer.

Here are some additional utilities that will further enhance your safety.

In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles. If you want to fight back against the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
#17

Registered User
Re: Browser Hijack?
Hello again,

E:\Documents and Settings\Neil\Local Settings\Temp, where the odd .exe file was located, is the remnant of a previous Windows install. I installed a new hard disk a few months ago and hadn't got around to deleting Windows from the old one, which I'm now using for storage and backups. I've deleted it now. Once again, thanks for all your help.

Regards,
Neil.