Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Searches hijacked

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Searches hijacked

Unread postby AngusPodgorney » January 20th, 2010, 8:44 pm

Hello, when I enter a search phrase into either Google or Yahoo, I get a correct page with a list of possible sites. When I click on one of those links my browser gets redirected to any number of add sites, featuring names like "Info.com" or "Search.Com", etc. Various anti spyware and antivirus programs have failed to find the problem.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:24 PM, on 1/20/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\RegCure\RegCure.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\SYSTEM32\Rundll32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O3 - Toolbar: RedBox Toolbar - {e6d87380-6e47-11db-9fe1-0800200c9a66} - C:\Program Files\Studio V5\RedBox7\RedBoxBar.dll
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [P17Helper] "C:\WINDOWS\SYSTEM32\Rundll32.exe" P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] "C:\WINDOWS\UpdReg.EXE"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [igfxtray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [igfxhkcmd] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [igfxpers] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\Inkline Global\PC Booster\PCBooster.exe
O4 - HKLM\..\Run: [Modem Booster] C:\Program Files\inKline Global\Modem Booster\ModemBtr.exe
O4 - HKCU\..\Run: [Weather] C:\Documents and Settings\EDWARD STAHL\Local Settings\Temp\temp.frB4E4\Quarantine\28-04-2007-13-24-04\10000.qit\Weather.exe 1
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ParetoLogic Anti-Spyware] "C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - S-1-5-18 Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe (User 'Default user')
O4 - .DEFAULT Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'Default user')
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MSOFFI~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Subscribe in RSS Bandit - C:\Documents and Settings\EDWARD STAHL\Application Data\RssBandit\iecontext_subscribebandit.htm
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/rap ... loader.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCo ... taller.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host.oddcast.com/hostClientIE.cab
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - F:\PhotoshopElementsFileAgent.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe

--
End of file - 11565 bytes


Uninstall List

32 Bit HP CIO Components Installer
360Share Pro(remove only)
ActiveDiary
Ad-Aware
Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Photoshop Elements 6.0
Adobe Reader 7.1.0
Alpha Journal 3.6.1.0
Alpha Key Saver 3.3.0.0
Amateur Contact Log 2.5
Amazon MP3 Downloader 1.0.3
AnswerWorks 4.0 Runtime - English
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audible Download Manager
AudibleManager
AxCrypt (Remove Only)
Bonjour
BurnPlugin for Audible
Camera Driver
CoffeeCup Flash Blogger - Registered
CoffeeCup Flash Website Font
Creative MediaSource
Critical Update for Windows Media Player 11 (KB959772)
Cryptainer ME
DeCypherIT
Dell Driver Reset Tool
DesignPro 5.0 Media Edition
Download Manager 2.3.6
EA Download Manager
Free Download Manager 2.1
FT-60 Programmer
G4FON Koch Method Morse Trainer
GNU Privacy Guard
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Imaging Device Functions 10.0
HP Photosmart All-In-One Driver Software 10.0 Rel .2
HP Photosmart Essential 2.5
HP Smart Web Printing
HP Solution Center 10.0
HP Update
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Extreme Graphics 2 Driver
Intel(R) Network Connections 12.4.38.0
Internet Explorer Default Page
iPod for Windows 2005-09-23
iPod for Windows 2006-01-10
iTunes
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Jasc Paint Shop Photo Album
Java(TM) 6 Update 13
Java(TM) 6 Update 17
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
LCP 5.04
Living Cookbook
Macromedia Shockwave Player
MemTurbo
MemTurbo 3.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Premium
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Web Publishing Wizard 1.53
MobileMe Control Panel
Modem Booster 7
Modem Helper
Modem On Hold
Mozilla Firefox (3.5.7)
Mozilla Thunderbird (2.0.0.23)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OCR Software by I.R.I.S. 10.0
OpenOffice.org 3.1
ParetoLogic Anti-Spyware
Password Safe
PC Booster Version 7
PilotMorse
PIXresizer 1.0.9
QuickTime
RedBox 7.0
RegCure
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Shockwave
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Sound Blaster Live! 24-bit
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
StokerLog
TARGETMASTER 2.0
Temperature Converter
TOSHIBA gigabeat applications 3.0
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.762
Verizon Online Support Center
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Wal-Mart Music Downloads Store
WD Diagnostics
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB895316
Windows Media Player 11
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
Zoom ADSL Modem
Zoom ADSL Modem
AngusPodgorney
Regular Member
 
Posts: 17
Joined: January 20th, 2010, 8:30 pm
Advertisement
Register to Remove

Re: Searches hijacked

Unread postby MWR 3 day Mod » January 24th, 2010, 4:34 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Searches hijacked

Unread postby deltalima » January 28th, 2010, 5:32 am

Hi AngusPodgorney,

Welcome to the forum.

My nickname is deltalima and I will be helping you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me.

Please note the following:
  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • All of my posts need to be checked by a teacher, so please be patient while I attempt to remove your malware.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Searches hijacked

Unread postby AngusPodgorney » January 28th, 2010, 9:07 am

Hello deltalima and thank you for taking on my "case." Looking forward to working with you and resolving my search engine issue(s).

Best,

Ed
AngusPodgorney
Regular Member
 
Posts: 17
Joined: January 20th, 2010, 8:30 pm

Re: Searches hijacked

Unread postby deltalima » January 28th, 2010, 1:59 pm

Hi AngusPodgorney,

Remove P2P Programs

  • I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

    360Share Pro

  • Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them. This program will be removed below.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

You have Ad-Aware and Spybot - Search & Destroy installed, both of these will cause problems when running the scans that we need to do so we need to uninstall them. We can reinstall later if you still require them.


  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs,
    highlight 360Share Pro(remove only)
    click Remove
    highlight Ad-Aware
    click Remove
    highlight Spybot - Search & Destroy
    click Remove
  • Close the Add or Remove Programs and the Control Panel windows.

Note both Ad-Aware and Spybot Search & Destroy may be listed twice, please remove both versions.

You have a program called Weather set to automatically run on your computer. It is installed in a most unusual place. Could you please let me know anything you can tell me about how this program was installed on the computer.

Please download DDS ... by sUBs.
Save it to your desktop. Alternate download link:here.
  • Double click the tool to run it.
  • A black Screen will open... read the contents but do nothing.
  • When DDS finishes... Notepad will open with 2 reports... DDS.txt and Attach.txt
    Ignore the comments about zipping / attaching any of the report files. The 2 report files are not saved anywhere,
    if you close Notepad, before copying /pasting them... you will need to run DDS again.
  • Copy/paste both DDS.txt and Attach.txt reports in your next reply.
  • Once the reports have been posted, you can delete DDS from your desktop.

Please download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE
Important! Please do not select the "Show all" checkbox during the scan..

Please post the GMER log along with DDS.txt and Attach.txt from the DDS scan, and let me know about Weather in your next reply.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Searches hijacked

Unread postby AngusPodgorney » January 28th, 2010, 4:14 pm

Hello,

Weather is probably "Weather Bug." a regularly updated weather information program from a local mini weather station that resides in the system tray when not in use (displaying the current temperature). When you click on the temperature it opens a larger window displaying other weather information. I have used Weather Bug for years but suddenly last week (after installing Ad-Aware and SpyBot) it stopped working. It didn't seem to be able to reach it's source. I have since installed another version of Weather Bug that runs when my browser is open (Firefox).

I am following the rest of your instructions now and will post the results as soon as I have finished.

Thanks,

ejs
AngusPodgorney
Regular Member
 
Posts: 17
Joined: January 20th, 2010, 8:30 pm

Re: Searches hijacked

Unread postby AngusPodgorney » January 28th, 2010, 6:30 pm

DDS (Ver_09-12-01.01) - NTFSx86
Run by EDWARD STAHL at 15:18:28.29 on Thu 01/28/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.387 [GMT -5:00]

AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\RegCure\RegCure.exe
C:\WINDOWS\SYSTEM32\Rundll32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
svchost.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\MemTurbo30\MemTurbo.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRAM FILES\CREATIVE\SOUND BLASTER LIVE! 24-BIT\SURROUND MIXER\CTSYSVOL.EXE
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Documents and Settings\EDWARD STAHL\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://channels.aimtoday.com/search/aimtoolbar.jsp
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdmcks.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} -
TB: RedBox Toolbar: {e6d87380-6e47-11db-9fe1-0800200c9a66} - c:\program files\studio v5\redbox7\RedBoxBar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ParetoLogic Anti-Spyware] "c:\program files\paretologic\anti-spyware\Pareto_AS.exe" -NM -hidesplash
uRun: [WeatherBug Desktop] c:\program files\aws\weatherbug\Weather.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [P17Helper] "c:\windows\system32\Rundll32.exe" P17.dll,P17Helper
mRun: [UpdReg] "c:\windows\UpdReg.EXE"
mRun: [IntelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [igfxtray] "c:\windows\system32\igfxtray.exe"
mRun: [igfxhkcmd] "c:\windows\system32\hkcmd.exe"
mRun: [igfxpers] "c:\windows\system32\igfxpers.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTASK.EXE" -atboottime
StartupFolder: c:\docume~1\edward~1\startm~1\programs\startup\memturbo.lnk - c:\program files\memturbo30\MemTurbo.exe
StartupFolder: c:\docume~1\edward~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - f:\msoffi~1\office12\EXCEL.EXE/3000
IE: Subscribe in RSS Bandit - c:\documents and settings\edward stahl\application data\rssbandit\iecontext_subscribebandit.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - {8C85E2EE-9FD6-11D5-B770-504D54C10000}
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: synchrogenix.com
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/hamsterball/rap ... loader.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCo ... taller.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/sh ... tor/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/ ... mv9VCM.CAB
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab
DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} - hxxp://host.oddcast.com/hostClientIE.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/aut ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shoc ... wflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - No File
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: PASShlExt Class: {51c55f9e-c308-4c95-89ab-8858d8afd819} - c:\program files\paretologic\anti-spyware\PASShlExt.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\edward~1\applic~1\mozilla\firefox\profiles\t4vn3hew.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?cl ... e=en_US&q=
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: f:\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: f:\divx\divx web player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Spssys;Toshiba SPS Service;c:\windows\system32\drivers\spssys.sys [2008-7-13 164256]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-11-16 108792]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-11-16 735960]
R2 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [2004-5-21 114944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2007-8-30 112688]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2010-01-22 22:02:37 0 d-----w- c:\program files\Ask.com
2010-01-22 21:23:44 0 d-----w- c:\docume~1\edward~1\applic~1\WinPatrol
2010-01-22 21:20:01 0 d-----w- c:\program files\BillP Studios
2010-01-21 00:12:24 0 d-----w- c:\program files\Trend Micro
2010-01-20 13:51:45 0 d-----w- c:\program files\Lavasoft
2010-01-12 22:26:16 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2009-12-21 13:19:18 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2005-04-04 17:18:23 212992 -c--a-w- c:\program files\xAutoUpdate.dll
2007-09-11 17:34:58 88 --sh--r- c:\windows\system32\99842D7CE1.sys
2008-02-10 19:01:39 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-08-05 12:00:48 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080520080806\index.dat
2008-08-30 11:29:04 16384 --sha-w- c:\windows\temp\cookies\index.dat
2008-08-30 11:29:04 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2008-08-30 11:29:04 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 15:19:50.01 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 10/23/2004 1:41:28 PM
System Uptime: 1/28/2010 2:58:34 PM (1 hours ago)

Motherboard: Dell Computer Corp. | | 0N6381
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/533mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 34 GiB total, 6.296 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 233 GiB total, 178.398 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Photosmart C7200 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart C7200 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:

==== System Restore Points ===================

RP2052: 12/19/2009 2:51:15 PM - System Checkpoint
RP2053: 12/20/2009 7:14:47 PM - System Checkpoint
RP2054: 12/21/2009 7:46:24 PM - System Checkpoint
RP2055: 12/22/2009 8:46:32 PM - System Checkpoint
RP2056: 12/23/2009 9:15:15 PM - System Checkpoint
RP2057: 12/24/2009 9:48:03 PM - Removed iTunes
RP2058: 12/24/2009 10:00:04 PM - Configured iPod for Windows 2006-01-10
RP2059: 12/24/2009 10:00:50 PM - Configured iPod for Windows 2006-01-10
RP2060: 12/24/2009 10:02:07 PM - Configured iPod for Windows 2005-09-23
RP2061: 12/24/2009 10:28:54 PM - Installed iTunes
RP2062: 12/25/2009 10:42:48 PM - System Checkpoint
RP2063: 12/26/2009 11:29:06 PM - System Checkpoint
RP2064: 12/27/2009 11:40:51 PM - System Checkpoint
RP2065: 12/28/2009 11:53:09 PM - System Checkpoint
RP2066: 12/29/2009 11:41:29 AM - Installed Vz In Home Agent
RP2067: 12/30/2009 1:03:31 PM - System Checkpoint
RP2068: 12/31/2009 2:03:45 PM - System Checkpoint
RP2069: 1/1/2010 3:26:40 PM - System Checkpoint
RP2070: 1/2/2010 3:30:03 PM - System Checkpoint
RP2071: 1/3/2010 4:44:06 PM - System Checkpoint
RP2072: 1/4/2010 5:00:23 PM - System Checkpoint
RP2073: 1/5/2010 5:29:51 PM - System Checkpoint
RP2074: 1/6/2010 6:46:30 PM - System Checkpoint
RP2075: 1/7/2010 3:27:22 PM - Removed Vz In Home Agent
RP2076: 1/8/2010 4:55:01 PM - System Checkpoint
RP2077: 1/9/2010 5:40:14 PM - System Checkpoint
RP2078: 1/10/2010 6:01:08 PM - System Checkpoint
RP2079: 1/11/2010 6:55:28 PM - System Checkpoint
RP2080: 1/12/2010 5:40:09 PM - Software Distribution Service 3.0
RP2081: 1/13/2010 3:00:45 AM - Software Distribution Service 3.0
RP2082: 1/14/2010 3:32:54 AM - System Checkpoint
RP2083: 1/15/2010 6:02:41 AM - System Checkpoint
RP2084: 1/16/2010 6:32:43 AM - System Checkpoint
RP2085: 1/17/2010 7:32:36 AM - System Checkpoint
RP2086: 1/18/2010 8:32:41 AM - System Checkpoint
RP2087: 1/19/2010 8:23:50 PM - System Checkpoint
RP2088: 1/20/2010 10:18:51 PM - System Checkpoint
RP2089: 1/21/2010 6:27:14 PM - Software Distribution Service 3.0
RP2090: 1/22/2010 5:00:29 PM - Installed WeatherBug
RP2091: 1/23/2010 5:31:35 PM - System Checkpoint
RP2092: 1/24/2010 5:35:09 PM - System Checkpoint
RP2093: 1/25/2010 7:16:04 PM - System Checkpoint
RP2094: 1/26/2010 7:25:00 PM - System Checkpoint
RP2095: 1/27/2010 7:56:16 PM - System Checkpoint

==== Installed Programs ======================

32 Bit HP CIO Components Installer
360Share Pro(remove only)
AAC Decoder
ActiveDiary
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Photoshop Elements 6.0
Adobe Reader 7.1.0
AIO_Scan
Alpha Journal 3.6.1.0
Alpha Key Saver 3.3.0.0
Amateur Contact Log 2.5
Amazon MP3 Downloader 1.0.3
AnswerWorks 4.0 Runtime - English
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Audible Download Manager
AudibleManager
AutoUpdate
AxCrypt (Remove Only)
BitTorrent
Bonjour
BufferChm
BurnPlugin for Audible
C7200
C7200_Help
Camera Driver
Cards_Calendar_OrderGift_DoMorePlugout
CoffeeCup Flash Blogger - Registered
CoffeeCup Flash Website Font
Copy
Creative MediaSource
Critical Update for Windows Media Player 11 (KB959772)
Cryptainer ME
DeCypherIT
Dell Driver Reset Tool
DesignPro 5.0 Media Edition
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DivX Converter
DivX Version Checker
DocProc
DocProcQFolder
Download Manager 2.3.6
EA Download Manager
ESET Smart Security
eSupportQFolder
Fax
Free Download Manager 2.1
FT-60 Programmer
G4FON Koch Method Morse Trainer
GNU Privacy Guard
GPBaseService
H.264 Decoder
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Imaging Device Functions 10.0
HP Photosmart All-In-One Driver Software 10.0 Rel .2
HP Photosmart Essential 2.5
HP Smart Web Printing
HP Solution Center 10.0
HP Update
HPPhotoSmartDiscLabel_PaperLabel
HPPhotoSmartDiscLabel_PrintOnDisc
HPPhotoSmartDiscLabelContent1
hpphotosmartdisclabelplugin
HPPhotoSmartPhotobookWebPack1
HPProductAssistant
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Extreme Graphics 2 Driver
Intel(R) Network Connections 12.4.38.0
Internet Explorer Default Page
iPod for Windows 2005-09-23
iPod for Windows 2006-01-10
iTunes
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Jasc Paint Shop Photo Album
Java(TM) 6 Update 13
Java(TM) 6 Update 17
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
LCP 5.04
Living Cookbook
Macromedia Shockwave Player
MemTurbo
MemTurbo 3.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Premium
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Web Publishing Wizard 1.53
MKV Splitter
MobileMe Control Panel
Modem Booster 7
Modem Helper
Modem On Hold
Mozilla Firefox (3.5.7)
Mozilla Thunderbird (2.0.0.23)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetDeviceManager
OCR Software by I.R.I.S. 10.0
OpenOffice.org 3.1
PanoStandAlone
ParetoLogic Anti-Spyware
Password Safe
PC Booster Version 7
PilotMorse
PIXresizer 1.0.9
PS_AIO_02_ProductContext
PS_AIO_02_Software
PS_AIO_02_Software_Min
PSSWCORE
QuickTime
RedBox 7.0
RegCure
Scan
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Shockwave
SmartWebPrintingOC
SolutionCenter
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Sound Blaster Live! 24-bit
Status
Stoker Timers
StokerLog
TARGETMASTER 2.0
Temperature Converter
The Filter
Toolbox
TOSHIBA gigabeat applications 3.0
TrayApp
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.762
Verizon Online Support Center
VideoToolkit01
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Wal-Mart Music Downloads Store
WD Diagnostics
WeatherBug
WebReg
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB895316
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WinPatrol 2009
Zoom ADSL Modem

==== Event Viewer Messages From Past Week ========

1/28/2010 2:39:37 PM, error: Print [6161] - The document Microsoft Word - Document1 owned by EDWARD STAHL failed to print on printer HP DeskJet 722C. Data type: NT EMF 1.008. Size of the spool file in bytes: 131072. Number of bytes printed: 23984. Total number of pages in the document: 2. Number of pages printed: 1. Client machine: \\DELLPC. Win32 error code returned by the print processor: 0 (0x0).
1/22/2010 8:27:41 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
1/22/2010 6:11:21 PM, error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
1/22/2010 2:37:49 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
1/22/2010 2:37:02 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/22/2010 2:35:29 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl ehdrv epfwtdi Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip WS2IFSL
1/22/2010 2:35:29 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
1/22/2010 2:35:29 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/22/2010 2:35:29 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/22/2010 2:35:29 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
1/22/2010 2:35:29 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/22/2010 2:35:29 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/21/2010 6:45:36 PM, error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
1/21/2010 6:43:58 PM, error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.
1/21/2010 6:43:58 PM, error: Service Control Manager [7000] - The Adobe Active File Monitor V6 service failed to start due to the following error: The system cannot find the path specified.

==== End Of File ===========================


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-28 17:22:26
Windows 5.1.2600 Service Pack 3
Running: 98wlzedl.exe; Driver: C:\DOCUME~1\EDWARD~1\LOCALS~1\Temp\uwtdapod.sys


---- System - GMER 1.0.15 ----

SSDT 85E858A0 ZwAssignProcessToJobObject
SSDT 85E84CB0 ZwOpenProcess
SSDT 85E850D0 ZwOpenThread
SSDT 85E856D0 ZwSuspendProcess
SSDT 85E854F0 ZwSuspendThread
SSDT 85E84EE0 ZwTerminateProcess
SSDT 85E85310 ZwTerminateThread

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 440 804E2A9C 8 Bytes CALL 68A31B26
.text ntoskrnl.exe!_abnormal_termination + 450 804E2AAC 8 Bytes CALL 68A13B36
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF747E780]
.text C:\WINDOWS\system32\spssys.sys section is writeable [0xF72CF2C0, 0x24932, 0xE8000020]
init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xF7892760]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[324] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\WINDOWS\system32\SearchIndexer.exe[2916] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7471B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort0 [F7471B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [F7471B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F7471B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Threads - GMER 1.0.15 ----

Thread System [4:520] 85E83930

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
AngusPodgorney
Regular Member
 
Posts: 17
Joined: January 20th, 2010, 8:30 pm

Re: Searches hijacked

Unread postby deltalima » January 29th, 2010, 4:59 am

Hi AngusPodgorney,

In my last post I outlined the Forum Guidelines concerning P2P programs.

I see that 360Share Pro is still installed and also BitTorrent is now showing as installed. If you wish to continue then please uninstall both of these programs and run a new DDS scan and post back both logs.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Searches hijacked

Unread postby AngusPodgorney » January 29th, 2010, 7:25 am

Both 360 Share and BitTorent have been removed and do not show up in the Add/Remove list. BitTorent does show up in the All Programs list from the start box but the folder shows as empty. I do not know how to go any further with removing them.

Thanks.
AngusPodgorney
Regular Member
 
Posts: 17
Joined: January 20th, 2010, 8:30 pm

Re: Searches hijacked

Unread postby deltalima » January 29th, 2010, 7:50 am

Hi AngusPodgorney,

Run Combofix:

Temporarily disable any antispyware, antivirus and or antimalware real-time protection as they may interfere with running of ComboFix.

Download ComboFix from here to your Desktop.

You must rename it before saving it... Rename it: Combofx . See images below. Save it to your desktop.

Image

Image

For more information about Combofix please see here.

Close all programs.

Double click combofx.exe and follow the prompts.

If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it’s malware removal procedures, if not, then follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Once installed, you should see the following message:

The recovery console was successfuly installed.
Click ‘YES’ to continue scanning for malware
Click ‘NO’ for exit

Click the YES button.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your “drive access” light. If it is flashing, Combofix is still at work.

When finished ComboFix will produce a log file. Please post the contents of that log in your next reply.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Searches hijacked

Unread postby AngusPodgorney » January 29th, 2010, 9:09 am

ComboFix 10-01-28.05 - EDWARD STAHL 01/29/2010 7:33.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.625 [GMT -5:00]
Running from: c:\documents and settings\EDWARD STAHL\Desktop\Combofx.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\EDWARD STAHL\Local Settings\Application Data\tvgobn
c:\documents and settings\EDWARD STAHL\Local Settings\Application Data\tvgobn\trknsysguard.exe
c:\recycler\NPROTECT
c:\windows\BackUp
c:\windows\BackUp\actived.dat
c:\windows\system32\Data
c:\windows\system32\spool\prtprocs\w32x86\00007e5d.tmp
c:\windows\system32\Thumbs.db
c:\windows\Sysvxd.exe
E:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-29 )))))))))))))))))))))))))))))))
.

2010-01-22 22:02 . 2010-01-22 22:03 -------- d-----w- c:\program files\Ask.com
2010-01-22 22:01 . 2010-01-22 22:01 -------- d-----w- c:\documents and settings\EDWARD STAHL\Local Settings\Application Data\WeatherBug
2010-01-22 21:23 . 2010-01-22 21:23 -------- d-----w- c:\documents and settings\EDWARD STAHL\Application Data\WinPatrol
2010-01-22 21:20 . 2010-01-22 21:20 -------- d-----w- c:\program files\BillP Studios
2010-01-22 19:56 . 2010-01-22 19:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Talkback
2010-01-22 19:55 . 2010-01-22 19:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\Thunderbird
2010-01-22 19:55 . 2010-01-22 19:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Thunderbird
2010-01-22 19:38 . 2010-01-22 19:38 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-22 19:34 . 2010-01-22 19:38 -------- d-----w- c:\documents and settings\Administrator
2010-01-21 00:12 . 2010-01-21 00:12 -------- d-----w- c:\program files\Trend Micro
2010-01-21 00:02 . 2010-01-21 00:02 -------- d-----w- c:\documents and settings\EDWARD STAHL\Local Settings\Application Data\WMTools Downloaded Files
2010-01-20 14:02 . 2010-01-20 14:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-20 13:51 . 2010-01-20 13:51 -------- d-----w- c:\program files\Lavasoft
2010-01-20 13:51 . 2010-01-28 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-12 22:26 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-28 22:24 . 2005-02-13 20:15 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-01-28 19:49 . 2005-10-15 15:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-28 19:49 . 2005-02-05 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-22 22:01 . 2010-01-22 22:01 18944 ----a-r- c:\documents and settings\EDWARD STAHL\Application Data\Microsoft\Installer\{8F931595-5561-4E26-AC78-7E9B1E3E9C98}\IconBB6A16301.exe
2010-01-22 22:01 . 2010-01-22 22:01 11264 ----a-r- c:\documents and settings\EDWARD STAHL\Application Data\Microsoft\Installer\{8F931595-5561-4E26-AC78-7E9B1E3E9C98}\IconBB6A1630.exe
2010-01-22 22:00 . 2004-10-24 22:59 -------- d-----w- c:\program files\AWS
2010-01-20 12:11 . 2008-01-11 17:27 -------- d-----w- c:\program files\Password Safe
2010-01-18 00:58 . 2009-08-05 14:19 1 ----a-w- c:\documents and settings\EDWARD STAHL\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-07 19:46 . 2009-06-01 21:02 -------- d-----w- c:\program files\Common Files\Motive
2010-01-05 23:36 . 2007-10-31 10:38 -------- d-----w- c:\documents and settings\EDWARD STAHL\Application Data\WeatherBug
2010-01-05 21:39 . 2005-05-31 19:01 -------- d-----w- c:\program files\inKline Global
2010-01-04 14:48 . 2009-02-25 16:31 -------- d-----w- c:\documents and settings\EDWARD STAHL\Application Data\U3
2009-12-30 09:17 . 2009-06-18 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2009-12-25 03:31 . 2009-12-25 03:29 -------- d-----w- c:\program files\iTunes
2009-12-25 03:29 . 2004-11-26 01:24 -------- d-----w- c:\program files\iPod
2009-12-25 03:29 . 2007-07-01 22:35 -------- d-----w- c:\program files\Common Files\Apple
2009-12-25 03:26 . 2006-04-25 17:36 -------- d-----w- c:\program files\QuickTime
2009-12-24 14:13 . 2008-08-10 16:51 -------- d-----w- c:\program files\RegCure
2009-12-21 19:14 . 2004-08-04 10:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 20:41 . 2005-09-07 21:07 -------- d-----w- c:\program files\Cryptainer ME
2009-12-08 05:33 . 2009-12-08 05:33 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
2009-12-03 00:10 . 2007-10-27 23:06 -------- d-----w- c:\program files\ESET
2009-12-01 16:04 . 2004-10-15 15:17 -------- d-----w- c:\program files\Java
2009-12-01 15:56 . 2009-12-01 15:56 152576 ----a-w- c:\documents and settings\EDWARD STAHL\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-01 15:56 . 2009-12-01 13:54 79488 ----a-w- c:\documents and settings\EDWARD STAHL\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-16 14:06 . 2009-11-16 14:06 55768 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
2009-11-16 14:06 . 2009-11-16 14:06 135048 ----a-w- c:\windows\system32\drivers\epfw.sys
2009-11-16 14:03 . 2009-11-16 14:03 108792 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-11-16 13:56 . 2009-11-16 13:56 116520 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-11-12 22:07 . 2009-11-12 22:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2005-04-04 17:18 . 2005-05-05 11:13 212992 -c--a-w- c:\program files\xAutoUpdate.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-09-11 17:34 . 2007-09-10 15:19 88 --sh--r- c:\windows\SYSTEM32\99842D7CE1.sys
2008-02-10 19:01 . 2007-09-10 15:19 2516 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2009-10-20 1693184]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2007-03-05 1103480]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ParetoLogic Anti-Spyware"="c:\program files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" [2009-08-05 2643312]
"WeatherBug Desktop"="c:\program files\AWS\WEATHERBUG\Weather.exe" [2009-10-20 1693184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2004-06-10 60928]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 94208]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-11-16 2054360]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"QuickTime Task"="c:\program files\QUICKTIME\QTTASK.EXE" [2009-11-11 417792]

c:\documents and settings\EDWARD STAHL\Start Menu\Programs\Startup\
MemTurbo.lnk - c:\program files\MemTurbo30\MemTurbo.exe [2006-1-24 424960]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{51C55F9E-C308-4c95-89AB-8858D8AFD819}"= "c:\program files\ParetoLogic\Anti-Spyware\PASShlExt.dll" [2009-08-05 98304]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^EDWARD STAHL^Start Menu^Programs^Startup^Alpha Key Saver 3.lnk]
backup=c:\windows\pss\Alpha Key Saver 3.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^EDWARD STAHL^Start Menu^Programs^Startup^Password Safe.lnk]
backup=c:\windows\pss\Password Safe.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^EDWARD STAHL^Start Menu^Programs^Startup^RedBox Reminder.lnk]
backup=c:\windows\pss\RedBox Reminder.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverCure

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 19:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-03-20 21:34 213936 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosGbWatcher]
2005-11-07 07:00 118837 ----a-w- c:\program files\TOSHIBA\gigabeat room 3.0\TosGBWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\java.exe"=
"c:\\Program Files\\Audible\\Bin\\Manager.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\documents and settings\EDWARD STAHL\Local Settings\Apps\2.0\Z79H4G8V.431\8MED0KJL.GNB\thef...app_0d221d3645bc6701_0002.0005_ab7cf4693a6927d4\The Filter.exe"= c:\documents and settings\EDWARD STAHL\Local Settings\Apps\2.0\Z79H4G8V.431\8MED0KJL.GNB\thef...app_0d221d3645bc6701_0002.0005_ab7cf4693a6927d4\The Filter.exe:127.0.0.1/255.255.255.255:Enabled:The Filter: Windows Media Player plugin
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowOutboundPacketTooBig"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)

R0 Spssys;Toshiba SPS Service;c:\windows\SYSTEM32\DRIVERS\spssys.sys [7/13/2008 2:05 PM 164256]
R1 ehdrv;ehdrv;c:\windows\SYSTEM32\DRIVERS\ehdrv.sys [11/16/2009 9:03 AM 108792]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [11/16/2009 9:04 AM 735960]
R2 ssoftnt4;ssoftnt4;c:\windows\SYSTEM32\DRIVERS\ssoftnt4.sys [5/21/2004 12:30 AM 114944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/30/2007 2:13 PM 112688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2010-01-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-01-23 c:\windows\Tasks\ParetoLogic Anti-Spyware.job
- c:\program files\ParetoLogic\Anti-Spyware\Pareto_AS.exe [2009-08-05 14:58]

2010-01-28 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]

2010-01-29 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]

2010-01-29 c:\windows\Tasks\ParetoLogic Update.job
- c:\program files\Common Files\ParetoLogic\UUS\Pareto_Update.exe [2009-08-05 17:39]

2010-01-28 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]

2010-01-29 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]

2010-01-28 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - f:\msoffi~1\Office12\EXCEL.EXE/3000
IE: Subscribe in RSS Bandit - c:\documents and settings\EDWARD STAHL\Application Data\RssBandit\iecontext_subscribebandit.htm
Trusted Zone: synchrogenix.com
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/hamsterball/rap ... loader.cab
FF - ProfilePath - c:\documents and settings\EDWARD STAHL\Application Data\Mozilla\Firefox\Profiles\t4vn3hew.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?cl ... e=en_US&q=
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - (no file)
MSConfigStartUp-Adobe Photo Downloader - F:\apdproxy.exe
MSConfigStartUp-VerizonServicepoint - (no file)
AddRemove-CoffeeCup Flash Blogger - Registered - f:\coffee~1\COFFEE~1\UNWISE.EXE
AddRemove-CoffeeCup Flash Website Font - f:\progra~1\COFFEE~1\COFFEE~1\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-29 07:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2731633163-1187809266-1330281862-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3672)
c:\windows\system32\WININET.dll
c:\program files\MemTurbo30\cpurocket.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\ssoftsrv.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\SYSTEM32\Rundll32.exe
c:\program files\CREATIVE\SOUND BLASTER LIVE! 24-BIT\SURROUND MIXER\CTSYSVOL.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-29 08:05:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-29 13:04

Pre-Run: 6,629,851,136 bytes free
Post-Run: 7,274,582,016 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - FA227EB3A11B00A11EB797A805853146
AngusPodgorney
Regular Member
 
Posts: 17
Joined: January 20th, 2010, 8:30 pm

Re: Searches hijacked

Unread postby AngusPodgorney » January 29th, 2010, 9:52 am

At this point, the problem "appears" to be resolved.
AngusPodgorney
Regular Member
 
Posts: 17
Joined: January 20th, 2010, 8:30 pm

Re: Searches hijacked

Unread postby deltalima » January 29th, 2010, 10:35 am

Hi AngusPodgorney,

  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs,
    highlight Ask Toolbar
    click Remove
  • Close the Add or Remove Programs and the Control Panel windows.

If Ask Toolbar is not listed then please close Control Panel and continue.

ComboFix - CFScript
WARNING !
This script is for THIS user and computer ONLY!
Using this tool incorrectly could damage your Operating System... preventing it from starting again!


You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

  1. Please open Notepad and copy/paste all the text below... into the window:
    Code: Select all
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000000
  2. Save it to your desktop as CFScript.txt
  3. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  4. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:

    Image

    This will cause ComboFix to run again.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!

    When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
  5. Please copy/paste the contents of log.txt... in your next reply.

** Enable your Antivirus and Firewall, before connecting to the Internet again! **

Please run a new HijackThis scan and post the log and log.txt from Combofix in your next reply. Please also let me know how the computer is now running.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Searches hijacked

Unread postby AngusPodgorney » January 29th, 2010, 11:21 am

My system seems to be running ok. The browser is gonig to the correct links.


ComboFix 10-01-28.05 - EDWARD STAHL 01/29/2010 9:56.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.504 [GMT -5:00]
Running from: c:\documents and settings\EDWARD STAHL\Desktop\Combofx.exe
Command switches used :: c:\documents and settings\EDWARD STAHL\Desktop\CFScript.txt
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-29 )))))))))))))))))))))))))))))))
.

2010-01-22 22:01 . 2010-01-22 22:01 -------- d-----w- c:\documents and settings\EDWARD STAHL\Local Settings\Application Data\WeatherBug
2010-01-22 22:01 . 2010-01-22 22:01 18944 ----a-r- c:\documents and settings\EDWARD STAHL\Application Data\Microsoft\Installer\{8F931595-5561-4E26-AC78-7E9B1E3E9C98}\IconBB6A16301.exe
2010-01-22 22:01 . 2010-01-22 22:01 11264 ----a-r- c:\documents and settings\EDWARD STAHL\Application Data\Microsoft\Installer\{8F931595-5561-4E26-AC78-7E9B1E3E9C98}\IconBB6A1630.exe
2010-01-22 21:23 . 2004-08-10 18:04 0 ----a-w- c:\documents and settings\EDWARD STAHL\Application Data\WinPatrol\Config.sys
2010-01-22 21:23 . 2004-08-10 18:04 0 ----a-w- c:\documents and settings\EDWARD STAHL\Application Data\WinPatrol\Autoexec.bat
2010-01-22 21:23 . 2010-01-22 21:23 -------- d-----w- c:\documents and settings\EDWARD STAHL\Application Data\WinPatrol
2010-01-22 21:20 . 2010-01-22 21:20 -------- d-----w- c:\program files\BillP Studios
2010-01-22 19:56 . 2010-01-22 19:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Talkback
2010-01-22 19:55 . 2010-01-22 19:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\Thunderbird
2010-01-22 19:55 . 2010-01-22 19:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Thunderbird
2010-01-22 19:38 . 2010-01-22 19:38 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-22 19:34 . 2010-01-22 19:38 -------- d-----w- c:\documents and settings\Administrator
2010-01-21 00:12 . 2010-01-21 00:12 -------- d-----w- c:\program files\Trend Micro
2010-01-21 00:02 . 2010-01-21 00:02 -------- d-----w- c:\documents and settings\EDWARD STAHL\Local Settings\Application Data\WMTools Downloaded Files
2010-01-20 14:02 . 2010-01-20 14:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-20 13:51 . 2010-01-20 13:51 -------- d-----w- c:\program files\Lavasoft
2010-01-20 13:51 . 2010-01-28 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-12 22:26 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-29 14:45 . 2005-02-13 20:15 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-01-28 19:49 . 2005-10-15 15:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-28 19:49 . 2005-02-05 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-22 22:00 . 2004-10-24 22:59 -------- d-----w- c:\program files\AWS
2010-01-20 12:11 . 2008-01-11 17:27 -------- d-----w- c:\program files\Password Safe
2010-01-18 00:58 . 2009-08-05 14:19 1 ----a-w- c:\documents and settings\EDWARD STAHL\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-07 19:46 . 2009-06-01 21:02 -------- d-----w- c:\program files\Common Files\Motive
2010-01-05 23:36 . 2007-10-31 10:38 -------- d-----w- c:\documents and settings\EDWARD STAHL\Application Data\WeatherBug
2010-01-05 21:39 . 2005-05-31 19:01 -------- d-----w- c:\program files\inKline Global
2010-01-04 14:48 . 2009-02-25 16:31 -------- d-----w- c:\documents and settings\EDWARD STAHL\Application Data\U3
2009-12-30 09:17 . 2009-06-18 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2009-12-25 03:31 . 2009-12-25 03:29 -------- d-----w- c:\program files\iTunes
2009-12-25 03:29 . 2004-11-26 01:24 -------- d-----w- c:\program files\iPod
2009-12-25 03:29 . 2007-07-01 22:35 -------- d-----w- c:\program files\Common Files\Apple
2009-12-25 03:26 . 2006-04-25 17:36 -------- d-----w- c:\program files\QuickTime
2009-12-24 14:13 . 2008-08-10 16:51 -------- d-----w- c:\program files\RegCure
2009-12-21 19:14 . 2004-08-04 10:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-18 20:41 . 2005-09-07 21:07 -------- d-----w- c:\program files\Cryptainer ME
2009-12-08 05:33 . 2009-12-08 05:33 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
2009-12-03 00:10 . 2007-10-27 23:06 -------- d-----w- c:\program files\ESET
2009-12-01 16:04 . 2004-10-15 15:17 -------- d-----w- c:\program files\Java
2009-12-01 15:56 . 2009-12-01 15:56 152576 ----a-w- c:\documents and settings\EDWARD STAHL\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-01 15:56 . 2009-12-01 13:54 79488 ----a-w- c:\documents and settings\EDWARD STAHL\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-21 15:51 . 2004-08-04 10:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-16 14:06 . 2009-11-16 14:06 55768 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
2009-11-16 14:06 . 2009-11-16 14:06 135048 ----a-w- c:\windows\system32\drivers\epfw.sys
2009-11-16 14:03 . 2009-11-16 14:03 108792 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-11-16 13:56 . 2009-11-16 13:56 116520 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-11-12 22:07 . 2009-11-12 22:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2005-04-04 17:18 . 2005-05-05 11:13 212992 -c--a-w- c:\program files\xAutoUpdate.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-09-11 17:34 . 2007-09-10 15:19 88 --sh--r- c:\windows\SYSTEM32\99842D7CE1.sys
2008-02-10 19:01 . 2007-09-10 15:19 2516 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2009-10-20 1693184]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2007-03-05 1103480]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ParetoLogic Anti-Spyware"="c:\program files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" [2009-08-05 2643312]
"WeatherBug Desktop"="c:\program files\AWS\WEATHERBUG\Weather.exe" [2009-10-20 1693184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2004-06-10 60928]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 94208]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-11-16 2054360]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"QuickTime Task"="c:\program files\QUICKTIME\QTTASK.EXE" [2009-11-11 417792]

c:\documents and settings\EDWARD STAHL\Start Menu\Programs\Startup\
MemTurbo.lnk - c:\program files\MemTurbo30\MemTurbo.exe [2006-1-24 424960]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{51C55F9E-C308-4c95-89AB-8858D8AFD819}"= "c:\program files\ParetoLogic\Anti-Spyware\PASShlExt.dll" [2009-08-05 98304]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^EDWARD STAHL^Start Menu^Programs^Startup^Alpha Key Saver 3.lnk]
backup=c:\windows\pss\Alpha Key Saver 3.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^EDWARD STAHL^Start Menu^Programs^Startup^Password Safe.lnk]
backup=c:\windows\pss\Password Safe.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^EDWARD STAHL^Start Menu^Programs^Startup^RedBox Reminder.lnk]
backup=c:\windows\pss\RedBox Reminder.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 19:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-03-20 21:34 213936 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosGbWatcher]
2005-11-07 07:00 118837 ----a-w- c:\program files\TOSHIBA\gigabeat room 3.0\TosGBWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\java.exe"=
"c:\\Program Files\\Audible\\Bin\\Manager.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\documents and settings\EDWARD STAHL\Local Settings\Apps\2.0\Z79H4G8V.431\8MED0KJL.GNB\thef...app_0d221d3645bc6701_0002.0005_ab7cf4693a6927d4\The Filter.exe"= c:\documents and settings\EDWARD STAHL\Local Settings\Apps\2.0\Z79H4G8V.431\8MED0KJL.GNB\thef...app_0d221d3645bc6701_0002.0005_ab7cf4693a6927d4\The Filter.exe:127.0.0.1/255.255.255.255:Enabled:The Filter: Windows Media Player plugin
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowOutboundPacketTooBig"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)

R0 Spssys;Toshiba SPS Service;c:\windows\SYSTEM32\DRIVERS\spssys.sys [7/13/2008 2:05 PM 164256]
R1 ehdrv;ehdrv;c:\windows\SYSTEM32\DRIVERS\ehdrv.sys [11/16/2009 9:03 AM 108792]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [11/16/2009 9:04 AM 735960]
R2 ssoftnt4;ssoftnt4;c:\windows\SYSTEM32\DRIVERS\ssoftnt4.sys [5/21/2004 12:30 AM 114944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/30/2007 2:13 PM 112688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2010-01-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-01-28 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]

2010-01-29 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]

2010-01-29 c:\windows\Tasks\ParetoLogic Update.job
- c:\program files\Common Files\ParetoLogic\UUS\Pareto_Update.exe [2009-08-05 17:39]

2010-01-28 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]

2010-01-29 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]

2010-01-28 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - f:\msoffi~1\Office12\EXCEL.EXE/3000
IE: Subscribe in RSS Bandit - c:\documents and settings\EDWARD STAHL\Application Data\RssBandit\iecontext_subscribebandit.htm
Trusted Zone: synchrogenix.com
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/hamsterball/rap ... loader.cab
FF - ProfilePath - c:\documents and settings\EDWARD STAHL\Application Data\Mozilla\Firefox\Profiles\t4vn3hew.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL -
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-29 10:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2731633163-1187809266-1330281862-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2524)
c:\windows\system32\WININET.dll
c:\program files\MemTurbo30\cpurocket.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-29 10:10:20
ComboFix-quarantined-files.txt 2010-01-29 15:10
ComboFix2.txt 2010-01-29 13:05

Pre-Run: 7,241,752,576 bytes free
Post-Run: 7,200,317,440 bytes free

- - End Of File - - AB62BC2463B33EA2747015488FAF41F6


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:58 AM, on 1/29/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\SYSTEM32\Rundll32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\MemTurbo30\MemTurbo.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRAM FILES\CREATIVE\SOUND BLASTER LIVE! 24-BIT\SURROUND MIXER\CTSYSVOL.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O3 - Toolbar: RedBox Toolbar - {e6d87380-6e47-11db-9fe1-0800200c9a66} - C:\Program Files\Studio V5\RedBox7\RedBoxBar.dll
O4 - HKLM\..\Run: [P17Helper] "C:\WINDOWS\SYSTEM32\Rundll32.exe" P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] "C:\WINDOWS\UpdReg.EXE"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [igfxtray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [igfxhkcmd] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [igfxpers] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE" -atboottime
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ParetoLogic Anti-Spyware] "C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash
O4 - HKCU\..\Run: [WeatherBug Desktop] C:\PROGRAM FILES\AWS\WEATHERBUG\Weather.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - S-1-5-18 Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe (User 'Default user')
O4 - .DEFAULT Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (User 'Default user')
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe
O4 - Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MSOFFI~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Subscribe in RSS Bandit - C:\Documents and Settings\EDWARD STAHL\Application Data\RssBandit\iecontext_subscribebandit.htm
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/rap ... loader.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCo ... taller.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host.oddcast.com/hostClientIE.cab
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - F:\PhotoshopElementsFileAgent.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe

--
End of file - 8968 bytes
AngusPodgorney
Regular Member
 
Posts: 17
Joined: January 20th, 2010, 8:30 pm

Re: Searches hijacked

Unread postby deltalima » January 29th, 2010, 12:32 pm

Hi AngusPodgorney,

Please re-open HijackThis and select Scan. Check the boxes next to all the entries listed below (if present):

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)

Now close all other open windows and then click on Fix Checked. Close HijackThis.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It should not take longer than a couple of minutes , and may only take a few seconds.

If TFC does not ask you to reboot then please reboot your computer now.

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log and also let me know how your computer is running now.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 25 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware