12-27-2008, 08:06 AM  #1
twigdip, Registered User | Join Date: Jun 2007 | Posts: 11 | OS: XP

Google trojan - search hijacked

I would be very grateful if you could provide help for my computer. Whenever I do a Google search it returns the results after going to another website (something with an address like 1.2.3.0).

I attach the documents as mentioned in your sticky.
Thanks for your help!


twigdip


--------------------------------------------------------------


DDS (Version 1.1.0) - NTFSx86
Run by [anon] at 15:48:31.56 on 2008-12-27
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1327 [GMT 1:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\VPN Client\cvpnd.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\VirtuaWin\VirtuaWin.exe
C:\Program Files\Nepali Calendar\Calendar.exe
C:\Program Files\VirtuaWin\modules\VWAssigner.exe
C:\Program Files\VirtuaWin\modules\WinList.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\dslAgent.exe
C:\WINDOWS\system32\gsicon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ian Fitzpatrick\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.lenovo.com/welcome/thinkpad
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - Symantec Intrusion Prevention
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [µTorrent] "c:\program files\utorrent.exe"
uRun: [uTorrent] "c:\program files\utorrent.exe"
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [TpShocks] TpShocks.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [THGuard] "c:\program files\trojanhunter 5.0\THGuard.exe"
mRun: [GSICONEXE] GSICON.EXE
mRun: [DSLAGENTEXE] dslagent.exe USB
StartupFolder: c:\docume~1\ianfit~1\startm~1\programs\startup\dual calendar.lnk - c:\program files\nepali calendar\Calendar.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozilla thunderbird (2).lnk - c:\program files\mozilla thunderbird\thunderbird.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\virtuawin (2).lnk - c:\program files\virtuawin\VirtuaWin.exe
uPolicies-explorer: NoNetSetup = 0 (0x0)
uPolicies-explorer: NoPrinters = 0 (0x0)
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: {DA320635-F48C-4613-8325-D75A933C549E} - c:\program files\lenovo\system update\sulauncher.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
TCP: {D676C296-FE55-4309-99A4-8B6917299D16} = 193.70.152.15 193.70.152.25
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AwayNotify - c:\program files\lenovo\awaytask\AwayNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: psfus - psqlpwd.dll
Notify: tphotkey - tphklock.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Notification Packages = scecli psqlpwd ACGina

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ianfit~1\applic~1\mozilla\firefox\profiles\xsrub3pm.default\
FF - prefs.js: browser.startup.homepage - about:blank

============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:\windows\system32\drivers\Shockprf.sys [2007-2-25 88576]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2007-2-25 11520]
R1 IBMTPCHK;IBMTPCHK;\??\c:\windows\system32\drivers\IBMBLDID.sys [2007-2-25 6016]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-11-3 15424]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-5-28 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-5-28 55024]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2007-2-25 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\Tppwrif.sys [2007-2-25 4442]
R2 a2free;a-squared Free Service;"c:\program files\a-squared free\a2service.exe" [2008-12-26 419448]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-5-12 611664]
R2 NOD32krn;NOD32 Kernel Service;"c:\program files\eset\nod32krn.exe" [2007-11-3 552064]
R2 PrivateDisk;PrivateDisk;\??\c:\program files\lenovo\safeguard privatedisk\PrivateDiskM.sys [2006-3-14 58368]
R2 smi2;smi2;\??\c:\program files\smi2\smi2.sys [2006-7-15 3968]
R2 smihlp;SMI helper driver;\??\c:\program files\thinkvantage fingerprint software\smihlp.sys [2006-4-26 3456]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2007-2-25 13840]
S2 docker19;docker19;\??\c:\windows\system32\drivers\docker19.sys []
S2 gafwload;Eicon Networks USB ADSL Loader;c:\windows\system32\drivers\gafwload.sys [2008-12-27 26987]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]
S4 ArcGIS License Manager;ArcGIS License Manager;c:\progra~1\esri\license\arcgis9x\lmgrd.exe [2008-1-30 467968]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2008-12-27 15:31 250,706 a------- c:\windows\system32\drivers\gwausb.sys
2008-12-27 15:31 279,040 a------- c:\windows\system32\gsi.cpl
2008-12-27 15:31 75,776 a------- c:\windows\system32\gsicon.exe
2008-12-27 15:31 26,987 a------- c:\windows\system32\drivers\gafwload.sys
2008-12-27 15:31 25,088 a------- c:\windows\system32\CoInst.dll
2008-12-27 15:31 16,384 a------- c:\windows\system32\dslagent.exe
2008-12-27 15:31 <DIR> --d----- c:\program files\Eicon
2008-12-27 15:31 24,576 -------- c:\windows\system32\delaySpawn.exe
2008-12-27 15:30 102,400 -------- c:\windows\system32\instDll.dll
2008-12-27 15:30 98,304 -------- c:\windows\system32\gspnDll.dll
2008-12-27 15:30 3,570 -------- c:\windows\wwdslcfg.ini
2008-12-26 23:47 161,792 a------- c:\windows\SWREG.exe
2008-12-26 23:47 98,816 a------- c:\windows\sed.exe
2008-12-26 23:47 <DIR> --d----- C:\ComboFix
2008-12-26 23:47 388,608 a------- c:\windows\system32\CF28091.exe
2008-12-26 22:59 <DIR> --d----- c:\docume~1\ianfit~1\applic~1\TrojanHunter
2008-12-26 17:52 <DIR> --d----- c:\program files\TrojanHunter 5.0
2008-12-26 17:49 <DIR> --d----- c:\program files\a-squared Free
2008-12-23 16:50 <DIR> --d----- c:\program files\Burrrn
2008-12-23 16:45 <DIR> --d----- c:\docume~1\ianfit~1\applic~1\FairStars Audio Converter
2008-12-23 16:43 <DIR> --d----- c:\program files\FairStars Audio Converter
2008-12-23 13:08 <DIR> --d----- c:\program files\Monkey's Audio
2008-12-23 12:33 520,192 a------- c:\program files\WinDjView-0.5.exe
2008-12-16 17:30 <DIR> --d----- c:\program files\VideoLAN
2008-12-16 13:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Azureus
2008-12-16 13:25 <DIR> --d----- c:\docume~1\ianfit~1\applic~1\Azureus
2008-12-16 13:24 <DIR> --d----- c:\program files\Vuze
2008-12-12 19:14 <DIR> --d----- c:\program files\DC++
2008-12-05 16:11 <DIR> --d----- c:\docume~1\ianfit~1\applic~1\QuosaDDM
2008-11-28 00:35 54,156 a---h--- c:\windows\QTFont.qfn
2008-11-28 00:35 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2008-12-21 13:52 5,427 a------- c:\windows\system32\EGATHDRV.SYS
2008-12-12 18:27 3,067,392 a------- c:\windows\system32\dllcache\mshtml.dll
2008-11-03 16:51 270,128 a------- c:\program files\utorrent.exe
2008-10-24 12:10 453,632 a------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:51 284,160 a------- c:\windows\system32\gdi32.dll
2008-10-23 13:51 284,160 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 15:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 15:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 15:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 15:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 15:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 15:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 15:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-15 17:53 339,456 a------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 15:18 18,432 a------- c:\windows\system32\dllcache\iedw.exe
2008-10-03 11:15 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 11:15 247,326 a------- c:\windows\system32\dllcache\strmdll.dll
2008-09-30 17:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-07-22 18:06 604 ac--h--- c:\program files\STLL Notifier
2008-07-10 10:26 1,953 ac------ c:\docume~1\ianfit~1\applic~1\SAS7_000.DAT
2008-01-09 18:42 526 -c--h--- c:\docume~1\alluse~1\applic~1\Ian Fitzpatrick-acopts.dat
2008-01-09 18:33 1,469 -c--h--- c:\docume~1\alluse~1\applic~1\Ian Fitzpatrick-acft.dat
2007-02-22 21:08 925,696 ac------ c:\program files\fileinfo.exe
2007-02-19 16:28 117,974 ac---r-- c:\program files\GSpot27.dat
2006-03-20 23:37 5,689,344 ac------ c:\program files\Mplayer.exe
2008-01-22 16:14 198 -c-shr-- c:\windows\system32\TithiMiti.sys

============= FINISH: 15:49:11.60 ===============
Attached Files:
Attach.zip (4.6 KB)
ark.txt (7.9 KB)
12-30-2008, 03:46 PM  #2
twigdip, Registered User | Join Date: Jun 2007 | Posts: 11 | OS: XP

BUMP, please

Help me out please!
12-30-2008, 04:04 PM  #3
Ried, Assistant Manager, TSF Academy; Moderator/Analyst Security Team | Join Date: Jan 2005 | Location: Ohio | Posts: 26,910 | OS: WinXP and Vista

Re: Google trojan - search hijacked

Who instructed you to run ComboFix?

Post the combofix.txt please.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
12-31-2008, 01:51 AM  #4
twigdip, Registered User | Join Date: Jun 2007 | Posts: 11 | OS: XP

combo fix attached

Ried -
thanks for your help:
combofix.txt is attached.

P.S. I didn't realise I had run ComboFix. I downloaded it and had opened it to see what it looked like, but closed the program shortly after it started doing scans.

ComboFix 08-12-30.02 - Ian Fitzpatrick 2008-12-31 9:23:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1306 [GMT 1:00]
Running from: c:\documents and settings\Ian Fitzpatrick\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\npf.sys
c:\windows\system32\lsprst7.dll
c:\windows\system32\ntnet.drv
c:\windows\system32\packet.dll
c:\windows\system32\prsgrc.dll
c:\windows\system32\sysaudio.sys
c:\windows\system32\TDSSerrors.log
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-31 )))))))))))))))))))))))))))))))
.

2008-12-27 15:51 . 2008-12-27 15:53 250 --a------ c:\windows\gmer.ini
2008-12-27 15:31 . 2008-12-27 15:31 <DIR> d-------- c:\program files\Eicon
2008-12-27 15:31 . 2001-10-03 17:46 279,040 --a------ c:\windows\system32\gsi.cpl
2008-12-27 15:31 . 2001-09-28 13:05 250,706 --a------ c:\windows\system32\drivers\gwausb.sys
2008-12-27 15:31 . 2001-10-10 11:26 75,776 --a------ c:\windows\system32\gsicon.exe
2008-12-27 15:31 . 2001-09-28 13:07 26,987 --a------ c:\windows\system32\drivers\gafwload.sys
2008-12-27 15:31 . 2001-10-02 10:43 25,088 --a------ c:\windows\system32\CoInst.dll
2008-12-27 15:31 . 2001-10-02 10:42 24,576 --------- c:\windows\system32\delaySpawn.exe
2008-12-27 15:31 . 2001-10-02 10:42 16,384 --a------ c:\windows\system32\dslagent.exe
2008-12-27 15:30 . 2001-10-03 16:06 102,400 --------- c:\windows\system32\instDll.dll
2008-12-27 15:30 . 2001-10-02 10:42 98,304 --------- c:\windows\system32\gspnDll.dll
2008-12-27 15:30 . 2001-10-23 17:24 3,570 --------- c:\windows\wwdslcfg.ini
2008-12-26 22:59 . 2008-12-26 22:59 <DIR> d-------- c:\documents and settings\Ian Fitzpatrick\Application Data\TrojanHunter
2008-12-26 17:52 . 2008-12-30 13:09 <DIR> d-------- c:\program files\TrojanHunter 5.0
2008-12-23 16:50 . 2008-12-23 16:51 <DIR> d-------- c:\program files\Burrrn
2008-12-23 16:45 . 2008-12-23 16:46 <DIR> d-------- c:\documents and settings\Ian Fitzpatrick\Application Data\FairStars Audio Converter
2008-12-23 13:08 . 2008-12-23 13:10 <DIR> d-------- c:\program files\Monkey's Audio
2008-12-23 12:33 . 2008-12-23 12:34 520,192 --a------ c:\program files\WinDjView-0.5.exe
2008-12-16 17:32 . 2008-12-16 17:36 <DIR> d-------- c:\documents and settings\Ian Fitzpatrick\Application Data\vlc
2008-12-16 17:30 . 2008-12-16 17:30 <DIR> d-------- c:\program files\VideoLAN
2008-12-16 13:25 . 2008-12-16 13:27 <DIR> d-------- c:\documents and settings\Ian Fitzpatrick\Application Data\Azureus
2008-12-16 13:25 . 2008-12-16 13:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Azureus
2008-12-16 13:24 . 2008-12-16 15:10 <DIR> d-------- c:\program files\Vuze
2008-12-05 16:11 . 2008-12-05 16:11 <DIR> d-------- c:\documents and settings\Ian Fitzpatrick\Application Data\QuosaDDM
2008-11-28 00:35 . 2008-12-31 00:17 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-28 00:35 . 2008-11-28 00:35 1,409 --a------ c:\windows\QTFont.for
2008-11-18 14:20 . 2008-11-18 14:20 <DIR> d-------- c:\program files\Omni Encoder
2008-11-11 11:50 . 2008-12-30 09:51 <DIR> d-------- c:\program files\Halite
2008-11-08 10:14 . 2008-12-31 09:40 <DIR> d-------- c:\program files\Mozilla Thunderbird

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-31 08:41 --------- d-----w c:\documents and settings\Ian Fitzpatrick\Application Data\uTorrent
2008-12-30 23:41 --------- d-----w c:\documents and settings\Ian Fitzpatrick\Application Data\EndNote
2008-12-30 12:13 --------- d-----w c:\program files\Biblioscape 6
2008-12-30 12:12 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-30 08:51 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-30 08:51 --------- d-----w c:\documents and settings\All Users\Application Data\SecTaskMan
2008-12-26 16:41 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-24 01:13 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-23 15:08 --------- d-----w c:\program files\VPN Client
2008-12-13 17:26 --------- d-----w c:\documents and settings\Ian Fitzpatrick\Application Data\Skype
2008-11-26 09:10 --------- d-----w c:\documents and settings\Ian Fitzpatrick\Application Data\MindMapper 2008
2008-11-24 21:55 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-03 15:51 270,128 -c--a-w c:\program files\utorrent.exe
2008-10-31 18:09 --------- d-----w c:\program files\Windows Desktop Search
2008-10-31 14:21 --------- d-----w c:\documents and settings\Ian Fitzpatrick\Application Data\SmartDraw
2008-10-31 11:14 --------- d-----w c:\documents and settings\Ian Fitzpatrick\Application Data\Windows Search
2008-10-29 16:38 --------- d-----w c:\documents and settings\Ian Fitzpatrick\Application Data\Talkback
2008-10-29 16:24 --------- d-----w c:\documents and settings\Ian Fitzpatrick\Application Data\Thunderbird
2008-07-22 17:06 604 -c-ha-w c:\program files\STLL Notifier
2008-07-10 09:26 1,953 -c--a-w c:\documents and settings\Ian Fitzpatrick\Application Data\SAS7_000.DAT
2008-01-09 17:42 526 -c-h--w c:\documents and settings\All Users\Application Data\Ian Fitzpatrick-acopts.dat
2008-01-09 17:33 1,469 -c-h--w c:\documents and settings\All Users\Application Data\Ian Fitzpatrick-acft.dat
2007-02-22 20:08 925,696 -c--a-w c:\program files\fileinfo.exe
2007-02-19 15:28 117,974 -c--a-r c:\program files\GSpot27.dat
2006-03-20 22:37 5,689,344 -c--a-w c:\program files\Mplayer.exe
2007-12-10 17:40 6,275,816 -c--a-w c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2008-01-22 15:14 198 -csh--r c:\windows\system32\TithiMiti.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"µTorrent"="c:\program files\utorrent.exe" [2008-11-03 270128]
"uTorrent"="c:\program files\utorrent.exe" [2008-11-03 270128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-25 151552]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-11-03 949376]
"TpShocks"="TpShocks.exe" [2006-03-16 c:\windows\system32\TpShocks.exe]
"GSICONEXE"="GSICON.EXE" [2001-10-10 c:\windows\system32\gsicon.exe]
"DSLAGENTEXE"="dslagent.exe" [2001-10-02 c:\windows\system32\dslagent.exe]

c:\documents and settings\Ian Fitzpatrick\Start Menu\Programs\Startup\
Dual Calendar.Lnk [2008-10-13 752]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Mozilla Thunderbird (2).lnk - c:\program files\Mozilla Thunderbird\thunderbird.exe [2008-11-08 8502888]
VirtuaWin (2).lnk - c:\program files\VirtuaWin\VirtuaWin.exe [2008-02-06 115712]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoNetSetup"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-08-16 18:07 49152 c:\program files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-04-26 04:20 40448 c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 12:16 24576 c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave"= DrvTrNTm.dll
"mixer"= DrvTrNTm.dll
"VIDC.ACDV"= ACDV.dll
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"aux2"= sysaudio.sys

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd ACGina

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=c:\windows\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ian Fitzpatrick^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Ian Fitzpatrick\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a--c--- 2005-09-24 06:30 483328 c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
--a--c--- 2006-05-25 17:13 208896 c:\progra~1\ThinkPad\UTILIT~1\BATLOGEX.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a--c--- 2006-10-26 20:02 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2007-10-19 21:16 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 02:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2008-07-19 16:01 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Microsoft Office Groove Audit Service"=3 (0x3)
"CVPND"=2 (0x2)
"ArcGIS License Manager"=2 (0x2)
"UleadBurningHelper"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"SerialNumber"="A109A-K13-3ZXD-BAP5-TE"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\utorrent.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\NaturallySpeaking9\\Program\\natspeak.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\EndNote X1\\EndNote.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"42377:TCP"= 42377:TCP:utorrent
"42377:UDP"= 42377:UDP:utorrent
"17503:TCP"= 17503:TCP:BitComet 17503 TCP
"17503:UDP"= 17503:UDP:BitComet 17503 UDP
"64514:TCP"= 64514:TCP:Utorrent
"64514:UDP"= 64514:UDP:Utorrent

R0 Shockprf;Shockprf;c:\windows\system32\drivers\Shockprf.sys [2007-02-25 88576]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2007-02-25 11520]
R1 IBMTPCHK;IBMTPCHK;\??\c:\windows\system32\Drivers\IBMBLDID.sys [2007-02-25 6016]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-11-03 15424]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-05-28 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-05-28 55024]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2007-02-25 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\Tppwrif.sys [2007-02-25 4442]
R2 PrivateDisk;PrivateDisk;\??\c:\program files\Lenovo\SafeGuard PrivateDisk\PrivateDiskM.sys [2006-03-14 58368]
R2 smi2;smi2;\??\c:\program files\SMI2\smi2.sys [2006-07-15 3968]
R2 smihlp;SMI helper driver;\??\c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2006-04-26 3456]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\DRIVERS\tp4track.sys [2007-02-25 13840]
S2 docker19;docker19;\??\c:\windows\system32\drivers\docker19.sys []
S2 gafwload;Eicon Networks USB ADSL Loader;c:\windows\system32\DRIVERS\gafwload.sys [2008-12-27 26987]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-05-28 7408]
S4 ArcGIS License Manager;ArcGIS License Manager;c:\progra~1\ESRI\License\arcgis9x\lmgrd.exe [2008-01-30 467968]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c1c9c70-105d-11dd-9515-0019d245f7ec}]
\Shell\AutoRun\command - isetup.exe
\Shell\explore\Command - isetup.exe
\Shell\open\Command - isetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47a92c31-1b60-11dd-951b-0019d245f7ec}]
\Shell\AutoRun\command - wscript.exe VirusRemoval.vbs
\Shell\open\Command - wscript.exe VirusRemoval.vbs
.
Contents of the 'Scheduled Tasks' folder

2008-12-31 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-05-25 17:13]

2008-12-31 c:\windows\Tasks\SDMsgUpdate (SD).job
- c:\progra~1\SmartDraw 7\Messages\SDNotify.exe [2005-08-23 10:09]
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
MSConfigStartUp-1SPC - c:\program files\SentryPC\services.exe
MSConfigStartUp-TotalRecorderScheduler - c:\program files\TotalRecorder\TotRecSched.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
LSP: c:\windows\system32\imon.dll
TCP: {D676C296-FE55-4309-99A4-8B6917299D16} = 193.70.152.15 193.70.152.25
FF - ProfilePath - c:\documents and settings\Ian Fitzpatrick\Application Data\Mozilla\Firefox\Profiles\xsrub3pm.default\
FF - prefs.js: browser.startup.homepage - about:blank
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-31 09:41:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\wbem\Performance\WmiApRpl_new.h 738 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-2878861388-2346302239-923548273-1005
@Allowed: (Read) (Everyone)
"*"=dword:00000004

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004

[HKEY_USERS\S-1-5-21-2878861388-2346302239-923548273-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-2878861388-2346302239-923548273-1005
@Allowed: (Full) (S-1-5-21-2878861388-2346302239-923548273-1005)
@Allowed: (Full) (S-1-5-21-2878861388-2346302239-923548273-1005)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
"*"=dword:00000004

[HKEY_USERS\S-1-5-21-2878861388-2346302239-923548273-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004

[HKEY_USERS\S-1-5-21-2878861388-2346302239-923548273-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{26F21ECC-291C-0724-B8F5-1CA67BEE7387}*NULL*]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-2878861388-2346302239-923548273-1005
@Allowed: (Full) (S-1-5-21-2878861388-2346302239-923548273-1005)
@Allowed: (Full) (S-1-5-21-2878861388-2346302239-923548273-1005)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
"abmbaihdccgoneimojifmcjenjopiajioh"=hex:61,62,6b,61,66,6f,63,65,6f,61,6d,63,\
6d,6c,6a,6c,67,65,6e,69,66,62,65,65,6e,6a,6d,67,67,70,6c,62,6d,6d,00,77
"bbmbaihdccgoneimojpfdchcnihhlohgigba"=hex:61,62,70,6f,62,68,6d,6c,66,6d,70,70,\
64,6f,64,6e,65,68,6c,6e,61,66,61,64,64,67,6c,67,65,65,68,70,70,64,00,77

[HKEY_USERS\S-1-5-21-2878861388-2346302239-923548273-1005\Software\Widcomm\Connections\D*NULL*a*NULL*r*NULL*s*NULL*h*NULL*a*NULL*n*NULL*a*NULL* *NULL*P*NULL*a*NULL*t*NULL*e*NULL*l*NULL* s*NULL* *NULL*C*NULL*o*NULL*m*NULL*p*NULL*u*NULL*t*NULL*e*NULL*r*NULL* *NULL*O*NULL*B*NULL*E*NULL*X*NULL* *NULL*F*NULL*i*NULL*l*NULL*e*NULL* *NULL*T*NULL*r*NULL*a*NULL*n*NULL*s*NULL*f*NULL*e*NULL*r*NULL*]
@Security="Inherited"
"UUID"=dword:00001106
"Authorization"=dword:00000000
"Authentication"=dword:00000001
"Encryption"=dword:00000001
"SecurityId"=dword:00000006
"Name"="OBEX File Transfer"
"GUID"="{00001106-0000-1000-8000-00805F9B34FB}"
"StatusDll"=""
"PropertiesDll"=""
"Description"="Browse another Bluetooth device's Public Folder or send and receive files to and from another Bluetooth device."
"InstallOnDemand"=dword:00000001
"BDAddress"=hex:00,19,e3,ec,c8,3d
"BDDevClass"=hex:10,21,0c
"BDName"=hex:44,61,72,73,68,61,6e,61,20,50,61,74,65,6c,e2,80,99,73,20,43,6f,6d,\
70,75,74,65,72,00
"DefaultConnection"=dword:00000000
"Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
@Owner=S-1-5-21-2878861388-2346302239-923548273-1005
@Denied: (A 2) (Everyone)
@Denied: (A 2) (S-1-5-7)
@="FlashProp Class"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32]
@Owner=S-1-5-21-2878861388-2346302239-923548273-1005
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash9.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\Programmable]
@Owner=S-1-5-21-2878861388-2346302239-923548273-1005

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Owner=S-1-5-21-2878861388-2346302239-923548273-1005
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(2004)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\windows\system32\tphklock.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll

- - - - - - - > 'lsass.exe'(196)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
c:\windows\system32\imon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\VPN Client\cvpnd.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Eset\nod32krn.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\windows\system32\wdfmgr.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\rundll32.exe
c:\program files\VirtuaWin\modules\VWAssigner.exe
c:\program files\VirtuaWin\modules\WinList.exe
.
**************************************************************************
.
Completion time: 2008-12-31 9:46:39 - machine was rebooted [Ian Fitzpatrick]
ComboFix-quarantined-files.txt 2008-12-31 08:46:35

Pre-Run: 7,735,754,752 bytes free
Post-Run: 7,564,558,336 bytes free

389 --- E O F --- 2008-12-19 08:08:28
Attached Files
File Type: txt ComboFix.txt (24.9 KB, 4 views)

Last edited by Ried; 01-01-2009 at 12:40 AM.
Old 01-02-2009, 06:11 AM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,910
OS: WinXP and Vista


Re: Google trojan - search hijacked

Hello twigdip,

Quote:
P.S. I didn't realise I had run ComboFix. I downloaded it and had opened it to see what it looked like but closed the program shortly after it started doing scans.
Well...you hadn't run it all the way that first time, but now you went ahead and did run it.
Quote:
ComboFix 08-12-30.02 - Ian Fitzpatrick 2008-12-31 9:23:43.1
I understand you're anxious to get this cleaned up, but please don't do anything until instructed.

Why did you not allow the Recovery Console to be installed? Did you receive any errors?

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------


During this next round, ComboFix will:
  • Prompt you to update it - allow it to do so.
  • Prompt you again to install the Recovery Console - allow it to do so.

Open notepad and copy/paste the text in the code box below into it:

Quote:

File::
C:\windows\system32\sysaudio.sys

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47a92c31-1b60-11dd-951b-0019d245f7ec}]

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt


--------------------------------------------------------------------

Post the contents of the C:\ComboFix.txt (do not attach it) in your next reply, along with an update on system behavior.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 01-02-2009, 05:45 PM   #6 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 11
OS: XP


Re: Google trojan - search hijacked

Hey Ried,
I did as you instructed. The Google search seems to have cleaned up, but it did this once before for a day then started up again, so I'm not sure if it is cured for good.
Below is pasted the ComboFix text as you instructed.
Thanks so much for your help.
-----------------------------------

ComboFix 09-01-01.02 - Ian Fitzpatrick 2009-01-03 1:18:04.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1483 [GMT 1:00]
Running from: c:\documents and settings\Ian Fitzpatrick\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ian Fitzpatrick\Desktop\CFScript.txt
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)
* Created a new restore point
* Resident AV is active


FILE ::
c:\windows\system32\sysaudio.sys
.

((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.

2008-12-27 15:51 . 2008-12-27 15:53 250 --a------ c:\windows\gmer.ini
2008-12-27 15:31 . 2008-12-27 15:31 <DIR> d-------- c:\program files\Eicon
2008-12-27 15:31 . 2001-10-03 17:46 279,040 --a------ c:\windows\system32\gsi.cpl
2008-12-27 15:31 . 2001-09-28 13:05 250,706 --a------ c:\windows\system32\drivers\gwausb.sys
2008-12-27 15:31 . 2001-10-10 11:26 75,776 --a------ c:\windows\system32\gsicon.exe
2008-12-27 15:31 . 2001-09-28 13:07 26,987 --a------ c:\windows\system32\drivers\gafwload.sys
2008-12-27 15:31 . 2001-10-02 10:43 25,088 --a------ c:\windows\system32\CoInst.dll
2008-12-27 15:31 . 2001-10-02 10:42 24,576 --------- c:\windows\system32\delaySpawn.exe
2008-12-27 15:31 . 2001-10-02 10:42 16,384 --a------ c:\windows\system32\dslagent.exe
2008-12-27 15:30 . 2001-10-03 16:06 102,400 --------- c:\windows\system32\instDll.dll
2008-12-27 15:30 . 2001-10-02 10:42 98,304 --------- c:\windows\system32\gspnDll.dll
2008-12-27 15:30 . 2001-10-23 17:24 3,570 --------- c:\windows\wwdslcfg.ini
2008-12-26 22:59 . 2008-12-26 22:59 <DIR> d-------- c:\documents and settings\Ian Fitzpatrick\Application Data\TrojanHunter
2008-12-26 17:52 . 2008-12-30 13:09 <DIR> d-------- c:\program files\TrojanHunter 5.0
2008-12-23 16:50 . 2008-12-23 16:51 <DIR> d-------- c:\program files\Burrrn
2008-12-23 16:45 . 2008-12-23 16:46 <DIR> d-------- c:\documents and settings\Ian Fitzpatrick\Application Data\FairStars Audio Converter
2008-12-23 13:08 . 2008-12-23 13:10 <DIR> d-------- c:\program files\Monkey's Audio
2008-12-23 12:33 . 2008-12-23 12:34 520,192 --a------ c:\program files\WinDjView-0.5.exe
2008-12-16 17:32 . 2008-12-16 17:36 <DIR> d-------- c:\documents and settings\Ian Fitzpatrick\Application Data\vlc
2008-12-16 17:30 . 2008-12-16 17:30 <DIR> d-------- c:\program files\VideoLAN
2008-12-16 13:25 . 2008-12-16 13:27 <DIR> d-------- c:\documents and settings\Ian Fitzpatrick\Application Data\Azureus
2008-12-16 13:25 . 2008-12-16 13:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Azureus
2008-12-16 13:24 . 2008-12-16 15:10 <DIR> d-------- c:\program files\Vuze
2008-12-05 16:11 . 2008-12-05 16:11 <DIR> d-------- c:\documents and settings\Ian Fitzpatrick\Application Data\QuosaDDM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-03 00:22 --------- d-----w c:\program files\Mozilla Thunderbird
2009-01-03 00:21 --------- d-----w c:\documents and settings\Ian Fitzpatrick\Application Data\uTorrent
2008-12-31 09:01 --------- d-----w c:\documents and settings\Ian Fitzpatrick\Application Data\EndNote
2008-12-30 12:13 --------- d-----w c:\program files\Biblioscape 6
2008-12-30 12:12 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-30 08:51 --------- d-----w c:\program files\Halite
2008-12-30 08:51 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-30 08:51 --------- d-----w c:\documents and settings\All Users\Application Data\SecTaskMan
2008-12-26 16:41 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-24 01:13 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-23 15:08 --------- d-----w c:\program files\VPN Client
2008-12-13 17:26 --------- d-----w c:\documents and settings\Ian Fitzpatrick\Application Data\Skype
2008-11-26 09:10 --------- d-----w c:\documents and settings\Ian Fitzpatrick\Application Data\MindMapper 2008
2008-11-24 21:55 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-18 13:20 --------- d-----w c:\program files\Omni Encoder
2008-11-03 15:51 270,128 -c--a-w c:\program files\utorrent.exe
2008-07-22 17:06 604 -c-ha-w c:\program files\STLL Notifier
2008-07-10 09:26 1,953 -c--a-w c:\documents and settings\Ian Fitzpatrick\Application Data\SAS7_000.DAT
2008-01-09 17:42 526 -c-h--w c:\documents and settings\All Users\Application Data\Ian Fitzpatrick-acopts.dat
2008-01-09 17:33 1,469 -c-h--w c:\documents and settings\All Users\Application Data\Ian Fitzpatrick-acft.dat
2007-02-22 20:08 925,696 -c--a-w c:\program files\fileinfo.exe
2007-02-19 15:28 117,974 -c--a-r c:\program files\GSpot27.dat
2006-03-20 22:37 5,689,344 -c--a-w c:\program files\Mplayer.exe
2007-12-10 17:40 6,275,816 -c--a-w c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2008-01-22 15:14 198 -csh--r c:\windows\system32\TithiMiti.sys
.

((((((((((((((((((((((((((((( snapshot@2008-12-31_ 9.43.58.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-31 08:33:16 63,590 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-02 22:58:00 63,590 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-31 08:33:16 404,536 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-02 22:58:00 404,536 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-03 00:21:13 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_320.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"µTorrent"="c:\program files\utorrent.exe" [2008-11-03 270128]
"uTorrent"="c:\program files\utorrent.exe" [2008-11-03 270128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-25 151552]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-11-03 949376]
"TpShocks"="TpShocks.exe" [2006-03-16 c:\windows\system32\TpShocks.exe]
"GSICONEXE"="GSICON.EXE" [2001-10-10 c:\windows\system32\gsicon.exe]
"DSLAGENTEXE"="dslagent.exe" [2001-10-02 c:\windows\system32\dslagent.exe]

c:\documents and settings\Ian Fitzpatrick\Start Menu\Programs\Startup\
Dual Calendar.Lnk [2008-10-13 752]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Mozilla Thunderbird (2).lnk - c:\program files\Mozilla Thunderbird\thunderbird.exe [2008-11-08 8504936]
VirtuaWin (2).lnk - c:\program files\VirtuaWin\VirtuaWin.exe [2008-02-06 115712]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoNetSetup"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-08-16 18:07 49152 c:\program files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-04-26 04:20 40448 c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 12:16 24576 c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave"= DrvTrNTm.dll
"mixer"= DrvTrNTm.dll
"VIDC.ACDV"= ACDV.dll
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd ACGina

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=c:\windows\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ian Fitzpatrick^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Ian Fitzpatrick\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a--c--- 2005-09-24 06:30 483328 c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
--a--c--- 2006-05-25 17:13 208896 c:\progra~1\ThinkPad\UTILIT~1\BATLOGEX.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a--c--- 2006-10-26 20:02 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2007-10-19 21:16 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 02:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2008-07-19 16:01 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Microsoft Office Groove Audit Service"=3 (0x3)
"CVPND"=2 (0x2)
"ArcGIS License Manager"=2 (0x2)
"UleadBurningHelper"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"SerialNumber"="A109A-K13-3ZXD-BAP5-TE"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\utorrent.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\NaturallySpeaking9\\Program\\natspeak.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\EndNote X1\\EndNote.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"42377:TCP"= 42377:TCP:utorrent
"42377:UDP"= 42377:UDP:utorrent
"17503:TCP"= 17503:TCP:BitComet 17503 TCP
"17503:UDP"= 17503:UDP:BitComet 17503 UDP
"64514:TCP"= 64514:TCP:Utorrent
"64514:UDP"= 64514:UDP:Utorrent

R0 Shockprf;Shockprf;c:\windows\system32\drivers\Shockprf.sys [2007-02-25 88576]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2007-02-25 11520]
R1 IBMTPCHK;IBMTPCHK;\??\c:\windows\system32\Drivers\IBMBLDID.sys [2007-02-25 6016]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-11-03 15424]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-05-28 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-05-28 55024]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2007-02-25 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\Tppwrif.sys [2007-02-25 4442]
R2 PrivateDisk;PrivateDisk;\??\c:\program files\Lenovo\SafeGuard PrivateDisk\PrivateDiskM.sys [2006-03-14 58368]
R2 smi2;smi2;\??\c:\program files\SMI2\smi2.sys [2006-07-15 3968]
R2 smihlp;SMI helper driver;\??\c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2006-04-26 3456]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\DRIVERS\tp4track.sys [2007-02-25 13840]
S2 docker19;docker19;\??\c:\windows\system32\drivers\docker19.sys []
S2 gafwload;Eicon Networks USB ADSL Loader;c:\windows\system32\DRIVERS\gafwload.sys [2008-12-27 26987]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-05-28 7408]
S4 ArcGIS License Manager;ArcGIS License Manager;c:\progra~1\ESRI\License\arcgis9x\lmgrd.exe [2008-01-30 467968]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c1c9c70-105d-11dd-9515-0019d245f7ec}]
\Shell\AutoRun\command - isetup.exe
\Shell\explore\Command - isetup.exe
\Shell\open\Command - isetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-03 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-05-25 17:13]

2009-01-03 c:\windows\Tasks\SDMsgUpdate (SD).job
- c:\progra~1\SmartDraw 7\Messages\SDNotify.exe [2005-08-23 10:09]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
LSP: c:\windows\system32\imon.dll
TCP: {D676C296-FE55-4309-99A4-8B6917299D16} = 193.70.152.15 193.70.152.25
FF - ProfilePath - c:\documents and settings\Ian Fitzpatrick\Application Data\Mozilla\Firefox\Profiles\xsrub3pm.default\
FF - prefs.js: browser.startup.homepage - about:blank
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 01:21:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2878861388-2346302239-923548273-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{26F21ECC-291C-0724-B8F5-1CA67BEE7387}*NULL*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abmbaihdccgoneimojifmcjenjopiajioh"=hex:61,62,6b,61,66,6f,63,65,6f,61,6d,63,\
6d,6c,6a,6c,67,65,6e,69,66,62,65,65,6e,6a,6d,67,67,70,6c,62,6d,6d,00,77
"bbmbaihdccgoneimojpfdchcnihhlohgigba"=hex:61,62,70,6f,62,68,6d,6c,66,6d,70,70,\
64,6f,64,6e,65,68,6c,6e,61,66,61,64,64,67,6c,67,65,65,68,70,70,64,00,77
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(2004)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\windows\system32\tphklock.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll

- - - - - - - > 'lsass.exe'(196)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
c:\windows\system32\imon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\VPN Client\cvpnd.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Eset\nod32krn.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\windows\system32\wdfmgr.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\program files\VirtuaWin\modules\VWAssigner.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\VirtuaWin\modules\WinList.exe
.
**************************************************************************
.
Completion time: 2009-01-03 1:26:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-03 00:26:27
ComboFix2.txt 2008-12-31 08:46:40

Pre-Run: 6,634,340,352 bytes free
Post-Run: 6,625,177,600 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

310 --- E O F --- 2008-12-19 08:08:28
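The CFScript in Ried's post #5 deletes the second mountpoints2 key (the one whose AutoRun and open handlers run wscript.exe VirusRemoval.vbs) with a `[-KEY]` line, and the follow-up ComboFix log in post #6 shows only the isetup.exe key remaining. The Python helper below is an added example for this thread; it is not part of either post and not part of ComboFix. It parses the mountpoints2 block as ComboFix prints it, flags handlers whose target is a script host (that list of hosts is an assumption for the example, not a ComboFix rule), emits the CFScript deletion line in the syntax used in post #5, and compares the first log against the follow-up log to confirm the flagged key is gone. The two log excerpts are constructed from the lines quoted in the thread.

```python
"""Triage helper for the 'mountpoints2' block of a ComboFix log.

Added example for this thread; it is not part of the forum posts or of
ComboFix. It parses the mountpoints2 entries ComboFix prints, flags AutoRun
handlers that launch a script host, emits the CFScript 'Registry::' line that
deletes the key, and checks a follow-up log to confirm the key is gone.
"""
import re

MOUNTPOINT_KEY = re.compile(
    r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.IGNORECASE)
HANDLER_LINE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.IGNORECASE)

# Interpreters that a removable-drive AutoRun handler should not be invoking.
# This list is an assumption made for the example, not a ComboFix rule.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe")

# Log excerpts constructed from the lines quoted in the thread above.
BEFORE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c1c9c70-105d-11dd-9515-0019d245f7ec}]
\Shell\AutoRun\command - isetup.exe
\Shell\explore\Command - isetup.exe
\Shell\open\Command - isetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47a92c31-1b60-11dd-951b-0019d245f7ec}]
\Shell\AutoRun\command - wscript.exe VirusRemoval.vbs
\Shell\open\Command - wscript.exe VirusRemoval.vbs
.
Contents of the 'Scheduled Tasks' folder
"""

AFTER_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c1c9c70-105d-11dd-9515-0019d245f7ec}]
\Shell\AutoRun\command - isetup.exe
\Shell\explore\Command - isetup.exe
\Shell\open\Command - isetup.exe
.
Contents of the 'Scheduled Tasks' folder
"""


def parse_mountpoints(log_text):
    """Return {guid: {verb: command}} for every mountpoints2 key in the log."""
    entries, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = MOUNTPOINT_KEY.match(line)
        if key:
            current = key.group(1).lower()
            entries[current] = {}
            continue
        handler = HANDLER_LINE.match(line)
        if handler and current is not None:
            entries[current][handler.group(1).lower()] = handler.group(2).strip()
        else:
            current = None  # any other line ends the key's block


    return entries


def flag_autorun(entries):
    """Return [(guid, verb, command)] for handlers whose target is a script host."""
    hits = []
    for guid, handlers in sorted(entries.items()):
        for verb, command in sorted(handlers.items()):
            exe = command.split()[0].lower()
            if exe in SCRIPT_HOSTS:
                hits.append((guid, verb, command))
    return hits


def cfscript_delete_key(guid):
    """CFScript 'Registry::' line deleting the whole key; the leading '-' inside
    the brackets is the delete marker, as in the script in post #5."""
    return ("[-HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
            "\\explorer\\mountpoints2\\" + guid + "]")


def confirm_removed(before_log, after_log):
    """Map each GUID flagged in the first log to whether it is absent from the second."""
    flagged = {guid for guid, _, _ in flag_autorun(parse_mountpoints(before_log))}
    after = parse_mountpoints(after_log)
    return {guid: guid not in after for guid in sorted(flagged)}


if __name__ == "__main__":
    for guid, verb, command in flag_autorun(parse_mountpoints(BEFORE_LOG)):
        print("suspicious %s handler in %s: %s" % (verb, guid, command))
        print("  CFScript line:", cfscript_delete_key(guid))
    for guid, gone in confirm_removed(BEFORE_LOG, AFTER_LOG).items():
        print("%s removed in follow-up log: %s" % (guid, gone))
```

The isetup.exe key is deliberately left alone by both the script in post #5 and this helper: a plain installer name under a mountpoints2 key is what a removable drive with an autorun.inf leaves behind, whereas a handler that starts wscript.exe is what the thread's hijack used. The confirm step is the check to run on every follow-up log, since twigdip reports the symptom had already come back once after an earlier cleanup.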
Old 01-02-2009, 11:32 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,910
OS: WinXP and Vista


Re: Google trojan - search hijacked

Hello twigdip,

Quote:
The Google search seems to have cleaned up, but it did this once before for a day and then started up again.
The file responsible for keeping this on your system has now been removed, so you should not experience any more issues with google search.

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Also, let me know if google searches are still behaving as they should.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 01-04-2009, 02:57 PM   #8 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 11
OS: XP


Re: Google trojan - search hijacked

Ried, attached is the Kaspersky scan. There are two trojans. Dunno if they're a real problem.
Google search is clean. No weird things there so far.
Thanks for your help.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, January 4, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, January 04, 2009 13:24:15
Records in database: 1558516
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\

Scan statistics:
Files scanned: 166486
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 02:38:46


File name / Threat name / Threats count
C:\Program Files\Eset\infected\5KTLLIAA.NQF Infected: Trojan-Downloader.Win32.FraudLoad.vbbw 1
C:\Program Files\Eset\infected\EJCNFYCA.NQF Infected: Trojan-Downloader.Win32.FraudLoad.vbxt 1

The selected area was scanned.
Old 01-04-2009, 03:03 PM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,910
OS: WinXP and Vista


Re: Google trojan - search hijacked

Hi twigdip.

Those are infections that Eset has safely tucked away and quarantined. Go ahead and clear that folder.


Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and, based on their findings, rate them as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
Think Prevention


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
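The point Ried makes about the two Kaspersky hits, that a detection whose path lies inside another product's quarantine store is already contained rather than active, is a check a responder applies to every scan report before deciding what still needs cleaning. As an added example that is not part of this thread and not Kaspersky's or ESET's own tooling, the Python below parses a report in the Online Scanner 7 layout posted above and splits the findings into quarantined and live. The ESET quarantine folder is the one named in the report; the ComboFix quarantine path and the EICAR test-file row are assumptions added for illustration.

```python
"""Triage a Kaspersky Online Scanner 7 report: which detections are live?

Added example (not code from the thread or from Kaspersky/ESET). It parses
the "File name / Threat name / Threats count" table of a report in the
layout posted above and flags every hit whose path is inside a known
quarantine store, since those files are already contained by the product
that quarantined them.
"""
import re
from dataclasses import dataclass

# Quarantine stores, lower-cased, without a trailing separator.
# The ESET folder is the one named in the thread's report; the ComboFix
# folder is an assumption added for illustration.
QUARANTINE_DIRS = (
    r"c:\program files\eset\infected",
    r"c:\qoobox\quarantine",
)

# One table row: "<path> Infected: <threat name> <count>"
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)


@dataclass
class Detection:
    path: str
    threat: str
    count: int

    @property
    def quarantined(self) -> bool:
        """True if the file lives under one of QUARANTINE_DIRS (case-insensitive)."""
        p = self.path.lower()
        return any(p.startswith(q + "\\") for q in QUARANTINE_DIRS)


def parse_report(text: str) -> list[Detection]:
    """Return the detections listed after the table header, in report order."""
    detections = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("File name / Threat name"):
            in_table = True
            continue
        if not in_table or not line:
            continue
        m = DETECTION_RE.match(line)
        if m is None:
            # First non-matching line ends the table ("The selected area was scanned.")
            break
        detections.append(Detection(m["path"], m["threat"], int(m["count"])))
    return detections


def triage(text: str) -> dict[str, list[Detection]]:
    """Split detections into already-contained and live findings."""
    found = parse_report(text)
    return {
        "quarantined": [d for d in found if d.quarantined],
        "live": [d for d in found if not d.quarantined],
    }


# Constructed sample: the two rows from the thread's report plus one
# constructed live hit on the harmless EICAR test file.
SAMPLE_REPORT = r"""
Scan statistics:
Files scanned: 166486
Infected objects: 3

File name / Threat name / Threats count
C:\Program Files\Eset\infected\5KTLLIAA.NQF Infected: Trojan-Downloader.Win32.FraudLoad.vbbw 1
C:\Program Files\Eset\infected\EJCNFYCA.NQF Infected: Trojan-Downloader.Win32.FraudLoad.vbxt 1
C:\Temp\eicar.com Infected: EICAR-Test-File 1

The selected area was scanned.
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for label, items in result.items():
        print(f"{label}: {len(items)}")
        for d in items:
            print(f"  {d.threat:45s} {d.path}")
```

Only the entries under "live" need follow-up; the quarantined ones are cleared by emptying the owning product's quarantine folder, exactly as Ried advises above. Path comparison is done case-insensitively because NTFS paths are, and the table is cut off at the first non-matching line so the trailing status text is never mistaken for a detection.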
Old 01-08-2009, 03:36 AM   #10 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 11
OS: XP


Re: Google trojan - search hijacked

Thanks for your help. You've really helped me clean my comp up and protect it in future.
Very much appreciated!
Old 01-08-2009, 04:04 AM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,910
OS: WinXP and Vista


Re: Google trojan - search hijacked

You're welcome, twigdip.


Take care and surf safely.
All times are GMT -7.

Copyright 2001 - 2009, Tech Support Forum