Opera Hijacked


Post by nineinchheel » January 4th, 2011, 8:48 am

Good afternoon,
When I search using my Google Chrome browser I am often redirected to search results at a website called "scour search". Below are my logs.

hijackthis.log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:40:20, on 04/01/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Documents and Settings\George\Application Data\Microsoft\conhost.exe
C:\DOCUME~1\George\LOCALS~1\Temp\csrss.exe
C:\Documents and Settings\George\Application Data\dwm.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\George\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\George\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\George\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:62545
F3 - REG:win.ini: load=C:\DOCUME~1\George\LOCALS~1\Temp\csrss.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [conhost] C:\Documents and Settings\George\Application Data\Microsoft\conhost.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA7423] command.com /c del "C:\Documents and Settings\George\Local Settings\temp\csrss.exe_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5955] cmd.exe /c del "C:\Documents and Settings\George\Local Settings\temp\csrss.exe_old"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\George\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [cfmnrktv] C:\DOCUME~1\George\LOCALS~1\Temp\urkjkoeob\tsndsmxlajb.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB2843] command.com /c del "C:\Documents and Settings\George\Local Settings\temp\csrss.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7896] cmd.exe /c del "C:\Documents and Settings\George\Local Settings\temp\csrss.exe_old"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CAB6673-C405-4896-A009-3733EFC52065}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{B98AAA0F-DE81-4AC5-B45A-FACC2E6BC232}: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

--
End of file - 7134 bytes


uninstall_list.txt

32 Bit HP CIO Components Installer
AC3Filter (remove only)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.8
Adobe Shockwave Player
ALPS Touch Pad Driver
ANNO 1602 - Gold Edition
Apple Software Update
Atheros Wireless LAN MiniPCI/PCIe card Driver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Audacity 1.2.6
AVIConverter 3.0
Bluesoleil2.6.0.1 Release 070402
BT Fabric Keyboard
CamStudio Lossless Codec
CD/DVD Drive Acoustic Silencer
Coda codec pack
Command & Conquer Tiberian Sun
CoreVorbis Audio Decoder (remove only)
Direct Show Ogg Vorbis Filter (remove only)
DivX Codec
DivX Player
DivX Plus DirectShow Filters
DOOM Collector's Edition
Dungeon Keeper Gold
ETHNIC CLEANSING
FileZilla Client 3.2.4.1
FLV Player 1.3.3
Free M4a to MP3 Converter 6.0
GMail Drive Shell Extension
GoldWave v5.23
Great Battles of WWII: Stalingrad (Demo)
GTK+ Runtime 2.6.9 rev a (remove only)
Half-Life
Half-Life 1.1.1.2 Retail Update
Half-Life Decay PC 1.0
Heroes of Might and Magic II
High Definition Audio Driver Package - KB888111
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB894871)
Hotfix for Windows XP (KB895200)
Hotfix for Windows XP (KB896243)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
HP Deskjet All-In-One Software 9.0
Huffyuv AVI lossless video codec (Remove Only)
Icewind Dale
Icewind Dale - Heart of Winter
InternetPlayer
InterVideo FilterSDK for Hauppauge
InterVideo WinDVD Creator 2
InterVideo WinDVD for TOSHIBA
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 14
Macromedia Flash Player
Malwarebytes' Anti-Malware
Maxthon Browser (remove only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Morgan Stream Switcher
Mozilla Firefox (3.6.3)
Mozilla Thunderbird (2.0.0.23)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
OpenOffice.org 3.0
Opera 10.63
Paint Shop Pro 7
PIG Mod
PowerISO
QuickTime
QuickTime Alternative 1.66
RealPlayer
REALTEK Gigabit and Fast Ethernet NIC Driver
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Replay AV 8
RPG Maker 2000 - Super Columbine Massacre RPG!
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB963027)
Segoe UI
ShellExView
Sierra Utilities
Skype™ 4.2
smartision ScreenCopy 2.3
Spotify
Spybot - Search & Destroy
StarCraft
Stronghold
SUPER © Version 2009.bld.35 (Jan 5, 2009)
SWF & FLV Toolbox 3.5 (build 3.5.25.503)
Tag&Rename 3.2
Theme Hospital
TOSHIBA Accessibility
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Direct Disc Writer
TOSHIBA Disc Creator
TOSHIBA Hardware Setup
TOSHIBA Hotkey Utility
TOSHIBA Manuals
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
TOSHIBA Software Modem
TOSHIBA Supervisor Password
TOSHIBA Virtual Sound
Touch and Launch
TouchPad On/Off Utility
Trillian
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VC80CRTRedist - 8.0.50727.762
VDMSound 2.0.4
VideoLAN VLC media player 0.8.1
Westwood Shared Internet Components
Winamp
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB888622
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893056
Windows XP Hotfix - KB896626
WinRAR archiver
XP Codec Pack
XviD MPEG-4 Video Codec
YouSendIt Express
Zip Motion Block Video codec (Remove Only)
nineinchheel
Regular Member
 
Posts: 39
Joined: April 22nd, 2009, 5:04 am
Location: Coventry, West Midlands
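The HijackThis log above contains the entries a helper would zero in on: an R1 ProxyServer pointing at 127.0.0.1:62545 (a local proxy, consistent with search results being rewritten), an F3 win.ini load= line, and O4 Run entries and running processes whose executables sit in the user's Temp or Application Data directories while borrowing Windows binary names (csrss.exe, conhost.exe, dwm.exe). The Python script below is an added example, not part of the thread and not HijackThis code, that parses lines in HijackThis format and flags those patterns; the SYSTEM_NAMES list, the directory heuristics and the severity labels are this example's own assumptions, and the sample text is a constructed subset of lines copied from the log.

```python
import re

# Legitimate Windows binary names that malware commonly impersonates; a file
# with one of these names outside C:\WINDOWS\system32 deserves a closer look.
SYSTEM_NAMES = {"csrss.exe", "conhost.exe", "dwm.exe", "svchost.exe",
                "lsass.exe", "explorer.exe"}

# A user's Temp or roaming Application Data directory, in both the long and
# the 8.3 short form that HijackThis prints. Local Settings\Application Data
# is deliberately excluded: per-user installs such as Chrome legitimately
# live there.
USER_DIRS = re.compile(
    r"\\(?:DOCUME~1|Documents and Settings)\\[^\\]+\\"
    r"(?:LOCALS~1\\Temp|Local Settings\\Temp|Application Data)\\",
    re.IGNORECASE,
)

# "ProxyServer = http=127.0.0.1:<port>" style values on R1 lines.
LOCAL_PROXY = re.compile(
    r"ProxyServer\s*=\s*(?:https?=)?(?:127\.0\.0\.1|localhost):\d+", re.IGNORECASE
)

# "[name] C:\path\file.exe args" or '[name] "C:\path with spaces\file.exe" args'.
O4_EXE = re.compile(r'\[[^\]]*\]\s*"?([^"]+?\.exe)', re.IGNORECASE)


def triage_line(line):
    """Classify one HijackThis line; returns (severity, reason) or None."""
    line = line.strip()
    if " - " not in line:
        # Lines without the "code - payload" shape are the Running processes
        # section (or header text): flag processes living in user directories.
        if line.lower().endswith(".exe") and USER_DIRS.search(line):
            return ("medium", "running process in user Temp/Application Data")
        return None
    code, payload = line.split(" - ", 1)
    if code == "R1" and LOCAL_PROXY.search(payload):
        return ("high", "browser proxy points at a local port; "
                        "traffic such as search results can be rewritten")
    if code == "F3" and "load=" in payload.lower():
        return ("high", "win.ini load= autostart: " + payload.split("=", 1)[1])
    if code == "O4":
        m = O4_EXE.search(payload)
        if not m:
            return None
        path = m.group(1)
        name = path.rsplit("\\", 1)[-1].lower()
        if USER_DIRS.search(path):
            return ("high", "autostart runs from user Temp/Application Data: " + path)
        if name in SYSTEM_NAMES and "\\windows\\system32\\" not in path.lower():
            return ("high", "system binary name outside system32: " + path)
    return None


def triage(log_text):
    """Run triage_line over a whole log; returns [(severity, reason, line), ...]."""
    findings = []
    for raw in log_text.splitlines():
        hit = triage_line(raw)
        if hit:
            findings.append((hit[0], hit[1], raw.strip()))
    return findings


# Constructed sample: a subset of the lines from the log posted above.
SAMPLE = r"""
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\George\Application Data\Microsoft\conhost.exe
C:\DOCUME~1\George\LOCALS~1\Temp\csrss.exe
C:\Documents and Settings\George\Application Data\dwm.exe
C:\Documents and Settings\George\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:62545
F3 - REG:win.ini: load=C:\DOCUME~1\George\LOCALS~1\Temp\csrss.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [conhost] C:\Documents and Settings\George\Application Data\Microsoft\conhost.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [cfmnrktv] C:\DOCUME~1\George\LOCALS~1\Temp\urkjkoeob\tsndsmxlajb.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
"""

if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run as-is it prints the seven flagged sample lines (three running processes, the proxy, the win.ini entry and two Run entries); a full log goes through triage(open(path).read()). It is a triage aid rather than a verdict: a hit means "look here", which is what the helper in the thread does before prescribing tools.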

Re: Opera Hijacked

Post by deltalima » January 4th, 2011, 5:22 pm

Checking your log - back soon.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Opera Hijacked

Post by deltalima » January 4th, 2011, 5:49 pm

Hi nineinchheel,

Welcome to the forum.

My nickname is deltalima and I will be helping you with your malware issue.

The logs can take some time to research, so please be patient with me.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.


Please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

No anti-virus

Looking over your log, it seems there is no evidence of any anti-virus software.

Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors.


Note: You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.

Please reboot the computer.

Please uninstall Spybot - Search & Destroy as it will interfere with our work and can be reinstalled later if still required.

Now reboot again.

Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Please download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE
Important! Please do not select the "Show all" checkbox during the scan.

Please post the GMER log along with OTL.txt and Extras.txt from the OTL scan into your next reply.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Opera Hijacked

Post by nineinchheel » January 5th, 2011, 6:34 am

Thank you so much for responding. The situation with my computer has become much worse since my original post. I have continuous windows popping up from a fake anti-virus program as well as IE windows for porno.com and viagra.com. When I try and open most programs I get the message "Application cannot be executed. The file whatever.exe is infected. Do you want to activate your antivirus software now?" "Yes" "No". As a consequence I am struggling to uninstall Spybot (I get the above message when I run the uninstall). I downloaded Microsoft Security Essentials (it was the only one of the three that would download) and can't install it (the same error message). I can't run OTL for the same reason.
Any advice would be welcome; my computer is almost entirely redundant in functionality.
nineinchheel
Regular Member
 
Posts: 39
Joined: April 22nd, 2009, 5:04 am
Location: Coventry, West Midlands

Re: Opera Hijacked

Post by deltalima » January 5th, 2011, 6:45 am

Hi nineinchheel,


Rkill

Please download Rkill from one of the following links and save to your Desktop:

One, Two, Three or Four

  • Double click on Rkill.
  • A command window will open then disappear upon completion, this is normal.
  • A Notepad window will open; please post the contents in your next reply.
  • This log can also be found at C:\rkill.log
  • Please leave Rkill on the Desktop until otherwise advised.

Note: If your security software warns about Rkill, please ignore and allow the download to continue.

Now try to run OTL and post both logs if successful. If not let me know.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Opera Hijacked

Post by nineinchheel » January 5th, 2011, 8:26 am

Bad news I'm afraid: I can download Rkill but can't run it (the same happens). I've checked C:\rkill.log to see if a log was made at all, but none exists. I can't run OTL for the same reason.
nineinchheel
Regular Member
 
Posts: 39
Joined: April 22nd, 2009, 5:04 am
Location: Coventry, West Midlands

Re: Opera Hijacked

Post by deltalima » January 5th, 2011, 8:30 am

Hi nineinchheel,


Run Combofix

Temporarily disable any antispyware, antivirus and/or antimalware real-time protection, as it may interfere with the running of ComboFix.

Download ComboFix from here to your Desktop.

For more information about Combofix please see here.

Close all programs.

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Double click combofix.exe and follow the prompts.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your “drive access” light. If it is flashing, Combofix is still at work.

When finished ComboFix will produce a log file. Please post the contents of this log in your next reply.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Opera Hijacked

Post by nineinchheel » January 5th, 2011, 12:39 pm

Hello

I did as you instructed. ComboFix ran but only got as far as scanning my system and then no further, even when I left it for a long time. Should I run in safe mode and try again? There is also a new folder c:\combofix which contains 275 files and is nearly 20 MB in size. It has the 'my computer' icon.
nineinchheel
Regular Member
 
Posts: 39
Joined: April 22nd, 2009, 5:04 am
Location: Coventry, West Midlands

Re: Opera Hijacked

Post by deltalima » January 5th, 2011, 1:24 pm

Yes please run again in safe mode.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Opera Hijacked

Post by nineinchheel » January 5th, 2011, 2:06 pm

Hi, here is the ComboFix log

ComboFix 09-04-22.02 - Administrator 05/01/2011 17:34.10 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.382.234 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\AutoRun.inf

.
((((((((((((((((((((((((( Files Created from 2010-12-05 to 2011-01-05 )))))))))))))))))))))))))))))))
.

2011-01-05 14:27 . 2010-11-08 01:20 89088 ----a-w c:\windows\MBR.exe
2011-01-05 14:27 . 2010-04-26 15:58 256512 ----a-w c:\windows\PEV.exe
2011-01-04 19:27 . 2011-01-04 01:36 138240 ----a-w c:\documents and settings\George\Application Data\dwmu.exe
2010-12-24 02:29 . 2011-01-04 01:36 138240 ----a-w c:\documents and settings\George\Application Data\dwm.exe
2010-12-07 16:36 . 2006-07-13 11:11 28032 ----a-w c:\windows\system32\drivers\RTSTOR.sys
2010-12-07 16:36 . 2004-07-05 21:07 83968 ----a-w c:\windows\system\DriveIcon.dll
2010-12-07 16:35 . 2009-11-13 05:04 256544 ----a-r c:\windows\system32\RtsUCcid.dll
2010-12-07 16:34 . 2010-12-07 16:34 -------- d-----w c:\windows\system32\sda
2010-12-07 16:34 . 2009-11-13 05:03 7367200 ------r c:\windows\system32\RTSUSTORicon.dll
2010-12-07 16:34 . 2009-11-13 05:03 277024 ----a-r c:\windows\system32\RtsUStor.dll
2010-12-07 16:32 . 2009-11-13 05:04 50720 ----a-r c:\windows\system32\drivers\RtsUCcid.sys
2010-12-07 16:32 . 2009-11-13 05:04 181280 ----a-r c:\windows\system32\drivers\RtsUStor.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-05 16:31 . 2006-09-21 12:50 -------- d-----w c:\documents and settings\George\Application Data\Skype
2010-12-23 23:06 . 2009-05-02 19:53 -------- d-----w c:\documents and settings\George\Application Data\uTorrent
2010-12-20 11:36 . 2009-05-10 22:30 -------- d-----w c:\program files\uTorrent
2010-12-07 16:36 . 2006-05-22 11:43 -------- d--h--w c:\program files\InstallShield Installation Information
2010-12-07 16:32 . 2006-05-22 11:46 -------- d-----w c:\program files\Realtek
2010-11-28 23:19 . 2007-04-18 00:07 -------- d-----w c:\documents and settings\George\Application Data\vlc
2010-11-28 01:34 . 2006-09-03 14:57 -------- d-----w c:\program files\Opera
2010-08-03 15:34 . 2010-03-19 15:01 80480 ----a-w c:\documents and settings\George\Local Settings\Application Data\Schedule8.dat
2009-09-16 08:00 . 2006-09-03 14:31 66768 ----a-w c:\documents and settings\George\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-12-03 15:35 . 2006-12-03 15:35 0 ----a-w c:\documents and settings\George\Application Data\wklnhst.dat
2006-05-22 12:23 . 2007-02-03 22:50 12328 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-04-17 23:20 . 2007-04-17 23:20 56 --sh--r c:\windows\system32\512601FDB7.sys
2006-05-03 10:06 . 2009-04-16 19:01 163328 --sh--r c:\windows\system32\flvDX.dll
2007-04-17 23:20 . 2007-04-17 23:20 1890 --sha-w c:\windows\system32\KGyGaAvL.sys
2007-02-21 11:47 . 2009-04-16 19:01 31232 --sh--r c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-04-16 19:01 216064 --sh--r c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2006-03-16 634880]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2006-04-04 53248]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 73728]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-28 262144]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"conhost"="c:\documents and settings\George\Application Data\Microsoft\conhost.exe" [2011-01-04 129024]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-04-18 16143872]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-08-11 266240]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoUpdate Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk
backup=c:\windows\pss\AutoUpdate Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\inf\\explorer.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Documents and Settings\\George\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Documents and Settings\\George\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Documents and Settings\\George\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Documents and Settings\\George\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22178:TCP"= 22178:TCP:*:Disabled:BitComet 22178 TCP
"22178:UDP"= 22178:UDP:*:Disabled:BitComet 22178 UDP
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 d83568e8;d83568e8; [x]
R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe [2004-08-04 14336]
R2 PEVSystemStart;PEVSystemStart; [x]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\DRIVERS\tdudf.sys [2006-04-18 98816]
R3 RSUSBCCID;Realtek Smartcard Reader Driver;c:\windows\system32\DRIVERS\RtsUCcid.sys [2009-11-13 50720]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-11-13 181280]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2011-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-227175942-290336581-80609558-1006Core.job
- c:\documents and settings\George\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-28 11:54]

2011-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-227175942-290336581-80609558-1006UA.job
- c:\documents and settings\George\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-28 11:54]

2008-06-27 c:\windows\Tasks\shutdown.job
- c:\windows\system32\shutdown.exe [2006-05-22 12:00]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {4CAB6673-C405-4896-A009-3733EFC52065} = 208.67.222.222,208.67.220.220
TCP: {B98AAA0F-DE81-4AC5-B45A-FACC2E6BC232} = 208.67.220.220,208.67.222.222
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", "-1");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35"); // now unused
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.delay", 50);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-05 17:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PEVSystemStart]
"ImagePath"="\"c:\combofix\PEV.cfxxe\" EXEC /i \"c:\combofix\HIDEC.exe\" \"c:\combofix\SWREG.EXE\" ACL \"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_Beep\" /RESET /Q"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(204)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-01-05 17:40
ComboFix-quarantined-files.txt 2011-01-05 17:40
ComboFix2.txt 2009-05-06 23:50

Pre-Run: 538,271,744 bytes free
Post-Run: 553,820,160 bytes free

nineinchheel
Regular Member
 
Posts: 39
Joined: April 22nd, 2009, 5:04 am
Location: Coventry, West Midlands
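The "Reg Loading Points" section of a ComboFix log is where most of the triage in a thread like this happens: the autorun entry named after a Windows binary but living under a user's Application Data folder, a Security Center with its notifications switched off, a disabled Windows Firewall, and a firewall exception for an "explorer.exe" that is not the real one in c:\windows. The script below is an added example, not part of this thread and not a ComboFix component; it parses that section of a ComboFix-style log and applies those four heuristics. The sample text is constructed for the example and modelled on (not copied from) the log posted above, the list of system-binary home directories and the 7-day "recently written" window are assumptions of the example, and it handles only the registry sections shown in the thread. (One fact the heuristic relies on: conhost.exe is not a Windows XP component at all; it appeared with Windows 7, where it lives in system32.)

```python
"""Triage helper for the "Reg Loading Points" section of a ComboFix-style log (added example)."""
import re
from dataclasses import dataclass
from datetime import date

# Constructed sample, modelled on (not copied from) the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"conhost"="c:\documents and settings\George\Application Data\Microsoft\conhost.exe" [2011-01-04 129024]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-04-18 16143872]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\inf\\explorer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"""
SCAN_DATE = date(2011, 1, 5)   # date of the scan the sample is modelled on
RECENT_DAYS = 7                # assumption: autoruns written this close to the scan get flagged

# Assumed home directories of Windows binaries whose names malware likes to borrow.
# An autorun or firewall exception with one of these names anywhere else deserves a look.
SYSTEM_BINARY_HOMES = {
    "conhost.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "smss.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
USER_DATA_DIRS = ("\\application data\\", "\\local settings\\")

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# "Name"="value" [- resolved path] [YYYY-MM-DD size]   (ComboFix Run-key line)
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"'
    r"(?:\s+-\s+(?P<resolved>.+?))?"
    r"\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]\s*$"
)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*?)\s*$')
AUTH_RE = re.compile(r'^"(?P<path>(?:[^"\\]|\\.)+)"=\s*$')   # "c:\\escaped\\path.exe"=


@dataclass(frozen=True)
class Finding:
    rule: str
    section: str
    detail: str


def _path_findings(path, section):
    """Flag a path that borrows a system binary's name or runs from user data directories."""
    directory, _, base = path.lower().rstrip().rpartition("\\")
    out = []
    homes = SYSTEM_BINARY_HOMES.get(base)
    if homes and directory not in homes:
        out.append(Finding("system-binary-name-outside-home", section, path))
    if any(d in directory + "\\" for d in USER_DATA_DIRS):
        out.append(Finding("executable-in-user-data-dir", section, path))
    return out


def analyze(text, scan_date):
    """Walk the registry sections of a ComboFix-style log and return a list of Findings."""
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key")
            continue
        if not line:
            continue
        key = section.lower()
        if key.endswith("\\run"):
            m = RUN_RE.match(line)
            if not m:
                continue
            path = m.group("resolved") or m.group("value")
            findings += _path_findings(path, section)
            if (scan_date - date.fromisoformat(m.group("date"))).days <= RECENT_DAYS:
                findings.append(Finding("recently-written-autorun", section, f"{path} ({m.group('date')})"))
        elif key.endswith("\\security center"):
            m = VALUE_RE.match(line)
            if m and m.group("name").endswith("DisableNotify") and m.group("value") == "dword:00000001":
                findings.append(Finding("security-center-notification-disabled", section, m.group("name")))
        elif key.endswith("firewallpolicy\\standardprofile"):
            m = VALUE_RE.match(line)
            if m and m.group("name") == "EnableFirewall" and m.group("value").startswith("0"):
                findings.append(Finding("windows-firewall-disabled", section, line))
        elif key.endswith("authorizedapplications\\list"):
            m = AUTH_RE.match(line)
            if m:   # ComboFix doubles the backslashes in this section; undo that
                findings += _path_findings(m.group("path").replace("\\\\", "\\"), section)
    return findings


def analyze_sample():
    return analyze(SAMPLE_LOG, SCAN_DATE)


if __name__ == "__main__":
    for f in analyze_sample():
        print(f"{f.rule:40} {f.detail}")
```

On the sample this reports the conhost entry three times (borrowed system name, Application Data location, written the day before the scan), both Security Center notification switches, the disabled firewall, and the explorer.exe exception under c:\windows\inf, while the Toshiba, Java and Skype entries pass. It is a triage aid, not a verdict: the user-data-dir rule would also fire on the Civilization IV executables in the full log above, which are legitimate, so every finding still needs the human check the helpers in this thread perform.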

Re: Opera Hijacked

Post by deltalima » January 5th, 2011, 2:35 pm

That is an old version of Combofix. Please download from the link I posted and run again in safe mode.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Opera Hijacked

Post by nineinchheel » January 5th, 2011, 5:58 pm

ComboFix 11-01-05.01 - Administrator 05/01/2011 21:31:13.12.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.382.101 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-12-05 to 2011-01-05 )))))))))))))))))))))))))))))))
.

2010-12-07 16:36 . 2006-07-13 11:11 28032 ----a-w- c:\windows\system32\drivers\RTSTOR.sys
2010-12-07 16:36 . 2004-07-05 21:07 83968 ----a-w- c:\windows\system\DriveIcon.dll
2010-12-07 16:35 . 2009-11-13 05:04 256544 ----a-r- c:\windows\system32\RtsUCcid.dll
2010-12-07 16:34 . 2010-12-07 16:34 -------- d-----w- c:\windows\system32\sda
2010-12-07 16:34 . 2009-11-13 05:03 7367200 ------r- c:\windows\system32\RTSUSTORicon.dll
2010-12-07 16:34 . 2009-11-13 05:03 277024 ----a-r- c:\windows\system32\RtsUStor.dll
2010-12-07 16:32 . 2009-11-13 05:04 50720 ----a-r- c:\windows\system32\drivers\RtsUCcid.sys
2010-12-07 16:32 . 2009-11-13 05:04 181280 ----a-r- c:\windows\system32\drivers\RtsUStor.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-05-03 10:06 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-18 16143872]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2006-03-16 634880]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2006-04-04 53248]
"TPSMain"="TPSMain.exe" [2005-08-11 266240]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 73728]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-28 262144]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"conhost"="c:\documents and settings\George\Application Data\Microsoft\conhost.exe" [2011-01-05 128512]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoUpdate Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk
backup=c:\windows\pss\AutoUpdate Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2006-03-18 07:22 89541 ----a-w- c:\windows\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2006-03-17 14:37 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
2005-12-21 12:52 1077330 ----a-w- c:\program files\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 15:45 313472 ----a-w- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zooming]
2005-06-06 08:58 24576 ----a-w- c:\windows\system32\ZoomingHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\inf\\explorer.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Documents and Settings\\George\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Documents and Settings\\George\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Documents and Settings\\George\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Documents and Settings\\George\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22178:TCP"= 22178:TCP:*:Disabled:BitComet 22178 TCP
"22178:UDP"= 22178:UDP:*:Disabled:BitComet 22178 UDP
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

S1 d83568e8;d83568e8;c:\windows\system32\drivers\d83568e8.sys --> c:\windows\system32\drivers\d83568e8.sys [?]
S2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [22/05/2006 07:36 14336]
S2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [18/04/2006 14:12 98816]
S3 RSUSBCCID;Realtek Smartcard Reader Driver;c:\windows\system32\drivers\RtsUCcid.sys [07/12/2010 16:32 50720]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [07/12/2010 16:32 181280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2011-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-227175942-290336581-80609558-1006Core.job
- c:\documents and settings\George\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-28 11:54]

2011-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-227175942-290336581-80609558-1006UA.job
- c:\documents and settings\George\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-28 11:54]

2008-06-27 c:\windows\Tasks\shutdown.job
- c:\windows\system32\shutdown.exe [2006-05-22 12:00]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {4CAB6673-C405-4896-A009-3733EFC52065} = 208.67.222.222,208.67.220.220
TCP: {B98AAA0F-DE81-4AC5-B45A-FACC2E6BC232} = 208.67.220.220,208.67.222.222
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-05 21:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(204)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-01-05 21:50:23
ComboFix-quarantined-files.txt 2011-01-05 21:50
ComboFix2.txt 2011-01-05 21:18
ComboFix3.txt 2011-01-05 17:40
ComboFix4.txt 2009-05-06 23:50

Pre-Run: 1,251,827,712 bytes free
Post-Run: 1,238,810,624 bytes free

- - End Of File - - BD1BBAE2FF5998A6AD4187E976AB7B5B
nineinchheel
Regular Member
 
Posts: 39
Joined: April 22nd, 2009, 5:04 am
Location: Coventry, West Midlands

Re: Opera Hijacked

Post by deltalima » January 5th, 2011, 6:25 pm

Hi nineinchheel,

Please let me know what happened when you ran the latest version of Combofix. It looks like it ran twice. I need to see the log from the first of the two runs.

Please post the contents of the log C:\Qoobox\ComboFix2.txt
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Opera Hijacked

Post by nineinchheel » January 5th, 2011, 6:28 pm

ComboFix 11-01-05.01 - Administrator 05/01/2011 20:59:18.11.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.382.241 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\explorer.exebackup

.
((((((((((((((((((((((((( Files Created from 2010-12-05 to 2011-01-05 )))))))))))))))))))))))))))))))
.

2010-12-07 16:36 . 2006-07-13 11:11 28032 ----a-w- c:\windows\system32\drivers\RTSTOR.sys
2010-12-07 16:36 . 2004-07-05 21:07 83968 ----a-w- c:\windows\system\DriveIcon.dll
2010-12-07 16:35 . 2009-11-13 05:04 256544 ----a-r- c:\windows\system32\RtsUCcid.dll
2010-12-07 16:34 . 2010-12-07 16:34 -------- d-----w- c:\windows\system32\sda
2010-12-07 16:34 . 2009-11-13 05:03 7367200 ------r- c:\windows\system32\RTSUSTORicon.dll
2010-12-07 16:34 . 2009-11-13 05:03 277024 ----a-r- c:\windows\system32\RtsUStor.dll
2010-12-07 16:32 . 2009-11-13 05:04 50720 ----a-r- c:\windows\system32\drivers\RtsUCcid.sys
2010-12-07 16:32 . 2009-11-13 05:04 181280 ----a-r- c:\windows\system32\drivers\RtsUStor.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-05-03 10:06 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((( SnapShot@2011-01-05_17.35.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-05-22 08:48 . 2004-08-04 12:00 19429 c:\windows\system32\MsDtc\Trace\msdtcvtr.bat
+ 2009-09-16 07:56 . 2009-09-16 07:56 27136 c:\windows\Installer\647d9.msi
+ 2009-09-16 07:55 . 2009-09-16 07:55 83456 c:\windows\Installer\647bf.msi
+ 2009-09-16 07:55 . 2009-09-16 07:55 59904 c:\windows\Installer\647ba.msi
+ 2008-07-29 20:07 . 2008-07-29 20:07 23040 c:\windows\Installer\366b751.msp
+ 2009-05-11 10:08 . 2009-05-11 10:08 88576 c:\windows\Installer\35c0ed8.msi
+ 2008-03-22 23:15 . 2008-03-22 23:15 55296 c:\windows\Installer\294737.msi
+ 2010-02-16 13:29 . 2010-02-16 13:29 68096 c:\windows\Installer\212cef.msi
+ 2006-05-22 07:37 . 2004-08-16 13:07 684032 c:\windows\oemdrv\install_flash_player_7.msi
+ 2009-05-11 10:13 . 2009-05-11 10:13 652800 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\vs_setup.msi
+ 2006-05-22 12:21 . 2006-05-22 12:21 618496 c:\windows\Installer\fc87.msi
+ 2007-02-28 14:36 . 2007-02-28 14:36 189952 c:\windows\Installer\99e0e.msi
+ 2006-05-22 12:04 . 2006-05-22 12:04 704512 c:\windows\Installer\90c35.msi
+ 2009-05-31 15:56 . 2009-05-31 15:56 429056 c:\windows\Installer\74e964.msi
+ 2009-09-16 07:57 . 2009-09-16 07:57 430080 c:\windows\Installer\647e7.msi
+ 2009-09-16 07:56 . 2009-09-16 07:56 155648 c:\windows\Installer\647de.msi
+ 2009-09-16 07:56 . 2009-09-16 07:56 140288 c:\windows\Installer\647d4.msi
+ 2009-09-16 07:56 . 2009-09-16 07:56 202752 c:\windows\Installer\647c9.msi
+ 2009-09-16 07:56 . 2009-09-16 07:56 152576 c:\windows\Installer\647c4.msi
+ 2009-09-16 07:55 . 2009-09-16 07:55 107008 c:\windows\Installer\647b5.msi
+ 2009-09-16 07:55 . 2009-09-16 07:55 301056 c:\windows\Installer\647b0.msi
+ 2009-05-11 10:31 . 2009-05-11 10:31 432640 c:\windows\Installer\36906c8.msi
+ 2008-12-13 08:58 . 2008-12-13 08:58 754688 c:\windows\Installer\36906ba.msp
+ 2009-05-11 10:14 . 2009-05-11 10:14 648192 c:\windows\Installer\3690697.msi
+ 2008-07-29 20:23 . 2008-07-29 20:23 250880 c:\windows\Installer\366b75a.msp
+ 2008-07-29 20:28 . 2008-07-29 20:28 278016 c:\windows\Installer\366b758.msp
+ 2008-07-29 18:40 . 2008-07-29 18:40 291840 c:\windows\Installer\366b756.msp
+ 2009-05-11 10:12 . 2009-05-11 10:12 137728 c:\windows\Installer\366b750.msi
+ 2008-07-29 16:35 . 2008-07-29 16:35 553472 c:\windows\Installer\35c0edd.msp
+ 2008-07-29 16:33 . 2008-07-29 16:33 506368 c:\windows\Installer\35c0edb.msp
+ 2008-07-29 16:37 . 2008-07-29 16:37 911360 c:\windows\Installer\35c0eda.msp
+ 2009-05-11 09:52 . 2009-05-11 09:52 972800 c:\windows\Installer\34dca70.msi
+ 2009-05-11 09:44 . 2009-05-11 09:44 470528 c:\windows\Installer\34dca6a.msi
+ 2009-04-09 00:10 . 2009-04-09 00:10 152576 c:\windows\Installer\31a1f8c.msi
+ 2006-12-20 08:19 . 2006-12-20 08:19 133120 c:\windows\Installer\271090b.msi
+ 2010-02-16 13:32 . 2010-02-16 13:32 811520 c:\windows\Installer\212d03.msi
+ 2010-02-16 13:31 . 2010-02-16 13:31 326144 c:\windows\Installer\212cfe.msi
+ 2010-02-16 13:31 . 2010-02-16 13:31 391168 c:\windows\Installer\212cf9.msi
+ 2010-02-16 13:31 . 2010-02-16 13:31 306688 c:\windows\Installer\212cf4.msi
+ 2006-05-22 09:48 . 2006-05-22 09:48 264704 c:\windows\Installer\204c82.msi
+ 2008-12-18 21:45 . 2008-12-18 21:45 562176 c:\windows\Installer\16d403.msi
+ 2008-05-21 00:27 . 2008-05-21 00:27 287232 c:\windows\Installer\155c07.msi
+ 2006-05-22 13:00 . 2006-05-22 13:00 758784 c:\windows\Installer\14d62.msi
+ 2007-11-26 17:36 . 2007-11-26 17:36 213504 c:\windows\Installer\14ab27.msi
+ 2006-05-22 07:36 . 2004-08-04 12:00 1326080 c:\windows\system32\webfldrs.msi
+ 2007-05-25 11:08 . 2007-05-25 11:08 9609728 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp
+ 2009-06-19 20:43 . 2009-06-19 20:43 1180160 c:\windows\Installer\a22be.msi
+ 2006-10-04 13:37 . 2006-10-04 13:37 7415296 c:\windows\Installer\7529ce.msi
+ 2006-10-04 13:37 . 2006-10-04 13:37 1510400 c:\windows\Installer\7529ca.msi
+ 2006-05-22 09:01 . 2006-05-22 09:01 5864960 c:\windows\Installer\4d138.msp
+ 2008-12-21 22:40 . 2008-12-21 22:40 9772544 c:\windows\Installer\3ca6b3.msi
+ 2006-05-22 08:58 . 2006-05-22 08:58 3443712 c:\windows\Installer\3bfbb.msi
+ 2009-01-21 16:11 . 2009-01-21 16:11 1359360 c:\windows\Installer\390b0a.msi
+ 2006-05-22 12:58 . 2006-05-22 12:58 1474560 c:\windows\Installer\37ad1.msi
+ 2009-01-15 02:35 . 2009-01-15 02:35 4830720 c:\windows\Installer\36906c2.msp
+ 2008-12-13 08:57 . 2008-12-13 08:57 8397824 c:\windows\Installer\36906a5.msp
+ 2008-07-29 18:26 . 2008-07-29 18:26 1043456 c:\windows\Installer\366b759.msp
+ 2008-07-29 19:37 . 2008-07-29 19:37 2679808 c:\windows\Installer\366b757.msp
+ 2008-07-29 20:15 . 2008-07-29 20:15 3697664 c:\windows\Installer\366b755.msp
+ 2008-07-29 18:34 . 2008-07-29 18:34 1448448 c:\windows\Installer\366b754.msp
+ 2008-07-29 19:22 . 2008-07-29 19:22 4137984 c:\windows\Installer\366b753.msp
+ 2008-07-29 18:18 . 2008-07-29 18:18 3376640 c:\windows\Installer\366b752.msp
+ 2008-07-29 16:45 . 2008-07-29 16:45 2543616 c:\windows\Installer\35c0ee1.msp
+ 2008-07-29 16:29 . 2008-07-29 16:29 2926080 c:\windows\Installer\35c0ee0.msp
+ 2008-07-29 16:41 . 2008-07-29 16:41 6487040 c:\windows\Installer\35c0edf.msp
+ 2008-07-29 16:39 . 2008-07-29 16:39 3403264 c:\windows\Installer\35c0ede.msp
+ 2008-07-29 16:43 . 2008-07-29 16:43 1013248 c:\windows\Installer\35c0edc.msp
+ 2008-07-29 16:31 . 2008-07-29 16:31 6083072 c:\windows\Installer\35c0ed9.msp
+ 2006-05-22 13:05 . 2006-05-22 13:05 3037184 c:\windows\Installer\3067d.msi
+ 2008-01-08 21:53 . 2008-01-08 21:53 1298944 c:\windows\Installer\29473d.msp
+ 2011-01-04 12:39 . 2011-01-04 12:39 1094656 c:\windows\Installer\27eafc7.msi
+ 2010-11-28 01:34 . 2010-11-28 01:34 2647552 c:\windows\Installer\21bd7a3.msi
+ 2006-05-16 22:24 . 2006-05-16 22:24 9299456 c:\windows\Installer\1f4f5.msp
+ 2010-04-01 18:44 . 2010-04-01 18:44 1575936 c:\windows\Installer\1d145.msi
+ 2008-03-31 21:11 . 2008-03-31 21:11 1298432 c:\windows\Installer\14e2d7a.msp
+ 2008-05-01 16:39 . 2008-05-01 16:39 1417216 c:\windows\Installer\10ffa169.msi
+ 2006-05-22 12:19 . 2006-05-22 12:19 2105856 c:\windows\Installer\1011b.msi
+ 2009-05-31 15:55 . 2009-05-31 15:55 1344000 c:\windows\Downloaded Installations\{405F2575-4490-43B7-BBE0-B15B31DBB347}\YouSendIt Express.msi
+ 2006-09-03 14:30 . 2006-05-22 09:12 12125696 c:\windows\system32\config\systemprofile\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}\J2SE Runtime Environment 5.0 Update 6.msi
+ 2007-09-17 16:49 . 2007-01-19 12:20 16633344 c:\windows\Installer\MSN Messenger 8.1.0178\MsnMsgs.Msi
+ 2006-09-21 21:08 . 2006-07-29 19:38 15524352 c:\windows\Installer\MSN Messenger 8.0.0812\MsnMsgs.Msi
+ 2006-05-22 12:07 . 2006-05-22 12:07 10253824 c:\windows\Installer\ece8.msi
+ 2006-05-22 12:05 . 2006-05-22 12:05 10636800 c:\windows\Installer\d5c6.msi
+ 2006-05-22 12:04 . 2006-05-22 12:04 10394624 c:\windows\Installer\90c31.msi
+ 2009-09-16 07:57 . 2009-09-16 07:57 15706112 c:\windows\Installer\64836.msp
+ 2006-05-22 08:59 . 2006-05-22 08:59 19210240 c:\windows\Installer\4d131.msp
+ 2006-01-30 13:10 . 2006-01-30 13:10 13048832 c:\windows\Installer\38094.msp
+ 2008-12-13 09:21 . 2008-12-13 09:21 10473472 c:\windows\Installer\36906af.msp
+ 2006-05-22 12:17 . 2006-05-22 12:17 10352128 c:\windows\Installer\12454.msi
+ 2006-05-22 12:09 . 2006-05-22 12:09 10253824 c:\windows\Installer\11456.msi
+ 2009-05-11 10:52 . 2009-05-11 10:52 15256576 c:\windows\Installer\10bc71.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-18 16143872]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2006-03-16 634880]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2006-04-04 53248]
"TPSMain"="TPSMain.exe" [2005-08-11 266240]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 73728]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-28 262144]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"conhost"="c:\documents and settings\George\Application Data\Microsoft\conhost.exe" [2011-01-05 128512]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoUpdate Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk
backup=c:\windows\pss\AutoUpdate Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2006-03-18 07:22 89541 ----a-w- c:\windows\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2006-03-17 14:37 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
2005-12-21 12:52 1077330 ----a-w- c:\program files\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 15:45 313472 ----a-w- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zooming]
2005-06-06 08:58 24576 ----a-w- c:\windows\system32\ZoomingHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\inf\\explorer.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Documents and Settings\\George\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Documents and Settings\\George\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Documents and Settings\\George\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Documents and Settings\\George\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22178:TCP"= 22178:TCP:*:Disabled:BitComet 22178 TCP
"22178:UDP"= 22178:UDP:*:Disabled:BitComet 22178 UDP
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

S1 d83568e8;d83568e8;c:\windows\system32\drivers\d83568e8.sys --> c:\windows\system32\drivers\d83568e8.sys [?]
S2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [22/05/2006 07:36 14336]
S2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [18/04/2006 14:12 98816]
S3 RSUSBCCID;Realtek Smartcard Reader Driver;c:\windows\system32\drivers\RtsUCcid.sys [07/12/2010 16:32 50720]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [07/12/2010 16:32 181280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2011-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-227175942-290336581-80609558-1006Core.job
- c:\documents and settings\George\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-28 11:54]

2011-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-227175942-290336581-80609558-1006UA.job
- c:\documents and settings\George\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-28 11:54]

2008-06-27 c:\windows\Tasks\shutdown.job
- c:\windows\system32\shutdown.exe [2006-05-22 12:00]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {4CAB6673-C405-4896-A009-3733EFC52065} = 208.67.222.222,208.67.220.220
TCP: {B98AAA0F-DE81-4AC5-B45A-FACC2E6BC232} = 208.67.220.220,208.67.222.222
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-IntelliPoint - c:\program files\Microsoft IntelliPoint\ipoint.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
MSConfigStartUp-Waiting1690 - c:\windows\stid1690.exe
AddRemove-Heroes of Might and Magic II - c:\program files\Heroes2\DeIsL1.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-05 21:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(204)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-01-05 21:18:42
ComboFix-quarantined-files.txt 2011-01-05 21:18
ComboFix2.txt 2011-01-05 17:40
ComboFix3.txt 2009-05-06 23:50

Pre-Run: 1,280,860,160 bytes free
Post-Run: 1,241,038,848 bytes free

- - End Of File - - 2AA384AC53906E3AF4D38A7EE4E06EF4
nineinchheel
Regular Member
 
Posts: 39
Joined: April 22nd, 2009, 5:04 am
Location: Coventry, West Midlands

Re: Opera Hijacked

Unread postby deltalima » January 5th, 2011, 7:00 pm

Hi nineinchheel,

Boot into Safe Mode

Please re-open HijackThis and select Scan. Check the boxes next to all the entries listed below (if present):

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:62545
F3 - REG:win.ini: load=C:\DOCUME~1\George\LOCALS~1\Temp\csrss.exe
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [conhost] C:\Documents and Settings\George\Application Data\Microsoft\conhost.exe
O4 - HKCU\..\Run: [cfmnrktv] C:\DOCUME~1\George\LOCALS~1\Temp\urkjkoeob\tsndsmxlajb.exe


Now you need to show all files and folders

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck Hide file extensions for known file types.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Apply to confirm.
  • Click OK

Using Windows Explorer (to get there right-click your Start button and go to Explore), please delete these files (if present):

C:\Documents and Settings\George\Application Data\Microsoft\conhost.exe
C:\DOCUME~1\George\LOCALS~1\Temp\csrss.exe
C:\Documents and Settings\George\Application Data\dwm.exe
C:\DOCUME~1\George\LOCALS~1\Temp\urkjkoeob\tsndsmxlajb.exe

Now reboot into normal mode and try to run OTL.

Please post the logs if OTL runs, if not let me know.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
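What deltalima asks the poster to fix falls into a few recognisable shapes: a ProxyServer value pointing at 127.0.0.1 (every browser request is routed through a process on the machine itself, which is how a search can end up on a different site), a win.ini load= entry, and executables carrying Windows process names (conhost.exe, csrss.exe, dwm.exe) that are launched from the user's profile or Temp folder rather than from the Windows directory. The script below is an added example, not part of this thread and not HijackThis code: it parses HijackThis-style log lines and flags those patterns so a log can be triaged offline. The rule set and the list of protected process names are assumptions chosen for the example; the sample lines are the six entries from the reply above plus two benign O4 lines constructed from the poster's own ComboFix Run-key output for contrast.

```python
"""Triage checks for HijackThis-style log lines.

Added example: this is not part of the thread and not HijackThis code.  It
reads the R1 / F3 / O2 / O4 lines the helper listed and flags the patterns
behind a browser redirect through a local proxy:

  * a ProxyServer value pointing at the loopback address
  * a win.ini load=/run= autostart (obsolete, rarely legitimate)
  * an executable carrying a core Windows process name (conhost, csrss,
    dwm, ...) that does not live in the Windows directory
  * an autostart launched from Temp or Application Data

The rules are heuristics for a human to review, not signatures.
"""
import re

# Process names that only belong in %SystemRoot% or %SystemRoot%\system32.
# Assumption: list picked for this example, not an official Microsoft list.
SYSTEM_PROCESS_NAMES = {
    "conhost.exe", "csrss.exe", "dwm.exe", "svchost.exe", "lsass.exe",
    "smss.exe", "winlogon.exe", "services.exe", "explorer.exe",
}
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}
USER_WRITABLE_HINTS = ("\\temp\\", "\\application data\\", "\\local settings\\")
AUTOSTART_KINDS = {"F0", "F1", "F2", "F3", "O4"}

HJT_LINE = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<body>.+)$")
EXE_PATH = re.compile(r"([a-z]:\\.+?\.exe)\b", re.IGNORECASE)


def _normalise_path(path):
    """Lower-case a path and expand the 8.3 short names HijackThis prints."""
    p = path.lower()
    p = p.replace("c:\\docume~1\\", "c:\\documents and settings\\")
    p = p.replace("\\locals~1\\", "\\local settings\\")
    return p


def check_line(line):
    """Return a list of (rule, detail) findings for one HijackThis log line."""
    findings = []
    m = HJT_LINE.match(line.strip())
    if not m:
        return findings
    kind, body = m.group("type"), m.group("body")

    # R1: a loopback proxy lets a local process rewrite every HTTP request.
    if kind.startswith("R") and "proxyserver" in body.lower():
        if re.search(r"127\.0\.0\.1|localhost", body, re.IGNORECASE):
            findings.append(("loopback-proxy", body))

    # F3: win.ini load=/run= is a legacy autostart that malware still abuses.
    if kind == "F3" and re.search(r"win\.ini:\s*(load|run)=", body, re.IGNORECASE):
        findings.append(("win.ini-autostart", body))

    # O2/O3: a BHO or toolbar whose file is gone is a leftover worth removing.
    if kind in ("O2", "O3") and "(no file)" in body:
        findings.append(("orphan-entry", body))

    for raw in EXE_PATH.findall(body):
        path = _normalise_path(raw)
        parent, name = path.rsplit("\\", 1)
        if name in SYSTEM_PROCESS_NAMES and parent not in SYSTEM_DIRS:
            findings.append(("system-name-wrong-dir", path))
        if kind in AUTOSTART_KINDS and any(h in path for h in USER_WRITABLE_HINTS):
            findings.append(("autostart-from-user-dir", path))
    return findings


def scan(lines):
    """Map each suspicious log line to its findings; clean lines are omitted."""
    report = {}
    for line in lines:
        hits = check_line(line)
        if hits:
            report[line] = hits
    return report


# Sample input: the six entries from the reply above, plus two benign O4 lines
# constructed from the poster's ComboFix Run-key output for contrast.
SAMPLE_LINES = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:62545",
    r"F3 - REG:win.ini: load=C:\DOCUME~1\George\LOCALS~1\Temp\csrss.exe",
    r"O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)",
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    r"O4 - HKLM\..\Run: [conhost] C:\Documents and Settings\George\Application Data\Microsoft\conhost.exe",
    r"O4 - HKCU\..\Run: [cfmnrktv] C:\DOCUME~1\George\LOCALS~1\Temp\urkjkoeob\tsndsmxlajb.exe",
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] c:\program files\Java\jre6\bin\jusched.exe",
    r"O4 - HKCU\..\Run: [TOSCDSPD] c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LINES).items():
        print(line)
        for rule, detail in hits:
            print("    ", rule, "->", detail)
```

Run against the sample, five of the eight lines are reported: the proxy line, the win.ini line (which trips three rules at once), the orphan BHO, and the two Run entries under the user's profile; the KernelFaultCheck line and the two Toshiba/Java entries come back clean. The checks deliberately say nothing about whether a flagged file is malicious; they only bring the entries a helper would look at first to the top of a long log.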