Hijacked home page

Hijacked home page

Post by bryanc on 15th December 2009, 8:45 am

G'day, I hope you can help. I have something hijacking my home page. SUPERAntiSpyware keeps telling me something is trying to change the home page. I can't access the web with Explorer.

My HijackThis log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:41:27 PM, on 15/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r213367\stacsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ext2Fsd\Ext2Mgr.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\SRS Labs\SRS Premium Sound\SRSPremiumSoundBig_Small.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Telstra\Telstra Turbo Modem Manager\Service\MdmMgr.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\bryanc\Application Data\U3\0D416A7063218885\LaunchPad.exe
H:\antiv\winlogon.scr

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.10.254:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = nexus.*;nexus;
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [AESTFltr] "C:\WINDOWS\system32\AESTFltr.exe" /NoDlg
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ChangeTPMAuth] C:\Program Files\Wave Systems Corp\Common\ChangeTPMAuth.exe /T:NTRU12
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] "C:\Program Files\Wave Systems Corp\SecureUpgrade.exe"
O4 - HKLM\..\Run: [EmbassySecurityCheck] "C:\Program Files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ext2 Volume Manager] "C:\Program Files\Ext2Fsd\Ext2Mgr.exe" -quiet
O4 - HKLM\..\Run: [USCService] C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
O4 - HKLM\..\Run: [DellControlPoint] "C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SRS Premium Sound] "C:\Program Files\SRS Labs\SRS Premium Sound\SRSPremiumSoundBig_Small.exe" /hideme
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Dell ControlPoint System Manager.lnk = C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Telstra Turbo Modem Manager.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Append Link Target to Existing PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Northrop-Canb.local
O17 - HKLM\Software\..\Telephony: DomainName = Northrop-Canb.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Northrop-Canb.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Dell ControlPoint Button Service (buttonsvc32) - Dell Inc. - C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Credential Vault Host Control Service - Broadcom Corporation - C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
O23 - Service: Credential Vault Host Storage - Broadcom Corporation - C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
O23 - Service: Dell ControlPoint System Manager (dcpsysmgrsvc) - Dell Inc. - C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: Symantec Auto-upgrade Agent (Smcinst) - Unknown owner - C:\Program Files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe (file missing)
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\drivers\audio\r213367\stacsv.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: NTRU TSS v1.2.1.29 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe

--
End of file - 17111 bytes


Re: Hijacked home page

Post by Dr Jay on 15th December 2009, 10:36 am

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Dr. Jay (DJ)



Re: Hijacked home page

Post by bryanc on 15th December 2009, 8:00 pm

Here you go. My home page and Internet access via Explorer are not yet possible. My guess is that if I run Malwarebytes again, I'll find the same thing :-(

Thank you

Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

16/12/2009 6:49:30 AM
mbam-log-2009-12-16 (06-49-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 289377
Time elapsed: 1 hour(s), 40 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Hijacked home page

Post by Dr Jay on 15th December 2009, 11:33 pm

Please re-open HijackThis and scan. Check the boxes to the left of all the entries listed below.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.10.254:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = nexus.*;nexus;
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - [You must be registered and logged in to see this link.]
O23 - Service: NTRU TSS v1.2.1.29 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe

Then, please exit all programs except for HijackThis (System Tray (bottom right of screen): right-click on each program icon and click an Exit or shut down option, etc.), then click Fix Checked.

After it completes its process, please close HijackThis and reboot your computer.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\NTRU Cryptosystems

Please reboot your computer again, and post a new HijackThis log here in your next reply.

==

Please start Internet Explorer, and when the program is open, click on the Tools menu and then select Internet Options.
  • Now click on the Connections tab and then the LAN Settings button
  • Under the Proxy Server section, please uncheck the checkbox labeled Use a proxy server for your LAN. Then press the OK button to close this screen. Then press the Apply button and then the OK button to close the Internet Options screen. Now that you have disabled the proxy server you will be able to browse the web again with Internet Explorer.


==

Post the new HijackThis log, and let me know if you can access the Internet now.


Dr. Jay (DJ)


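
One way to pull the entry types this reply singles out (the forced proxy server, orphaned "(file missing)" entries, services with no publisher) and the odd process from the first log out of a pasted HijackThis log automatically. This is an added Python example written for this page, not a HijackThis or forum tool; the sample log is a constructed excerpt, and treating C: as the only fixed drive is an assumption.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt in the HijackThis v2.0.2 format, built from the kinds of
# lines the thread's logs contain (sample input, not a complete log).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
H:\antiv\winlogon.scr

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.10.254:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = nexus.*;nexus;
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Symantec Auto-upgrade Agent (Smcinst) - Unknown owner - C:\Program Files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe (file missing)
O23 - Service: NTRU TSS v1.2.1.29 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
"""

# "R1 - ..." / "O23 - ..." entry lines: section code, then the entry body.
ENTRY = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.*)$")
PROXY = re.compile(r"Internet Settings,ProxyServer = (?P<proxy>\S+)")

# Assumption: C: is the only fixed system drive, as on the machine in the thread.
SYSTEM_DRIVE = "C:\\"


@dataclass
class Finding:
    code: str    # HijackThis section code, or "PROC" for a running process
    detail: str  # what the triage rule noticed
    line: str    # the log line that triggered it


def running_processes(log: str) -> list[str]:
    """Return the process paths listed under 'Running processes:'."""
    procs: list[str] = []
    collecting = False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            collecting = True
        elif collecting:
            if not line.strip():
                break  # a blank line ends the section
            procs.append(line.strip())
    return procs


def entries(log: str) -> list[tuple[str, str, str]]:
    """Return (code, body, raw line) for every R*/O* entry."""
    found = []
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:
            found.append((m.group("code"), m.group("body"), line))
    return found


def triage(log: str) -> list[Finding]:
    """Flag the entry types the thread treats as worth a second look."""
    findings: list[Finding] = []
    for proc in running_processes(log):
        if not proc.upper().startswith(SYSTEM_DRIVE):
            findings.append(Finding("PROC", "running from a non-system drive "
                                    "(removable media is a common source)", proc))
        if proc.lower().endswith(".scr"):
            findings.append(Finding("PROC", "screensaver file running as a process", proc))
    for code, body, line in entries(log):
        m = PROXY.search(body)
        if code == "R1" and m:
            findings.append(Finding(code, f"IE proxy forced to {m.group('proxy')}; "
                                    "an unreachable proxy blocks all browsing", line))
        if "(file missing)" in body:
            findings.append(Finding(code, "orphaned entry: target file is missing", line))
        if code == "O23" and "Unknown owner" in body:
            findings.append(Finding(code, "service has no publisher; verify before trusting", line))
    return findings


def count_by_code(findings: list[Finding]) -> dict[str, int]:
    """Tally findings per section code for a quick overview."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.detail}\n    {f.line}")
```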

Re: Hijacked home page

Post by bryanc on 16th December 2009, 10:30 am

Here is my HijackThis log. Also, I think I might just have been reinfected again. I had a pop-up from SUPERAntiSpyware saying my home page was about to change again.

It might be possible that this is coming from my thumb drive. I get a message from Symantec about vbrun.auto each time I plug it in?

see ya

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:25:16 PM, on 16/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r213367\stacsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ext2Fsd\Ext2Mgr.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\SRS Labs\SRS Premium Sound\SRSPremiumSoundBig_Small.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Telstra\Telstra Turbo Modem Manager\Service\MdmMgr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
G:\LaunchU3.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.10.254:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = nexus.*;nexus;
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [AESTFltr] "C:\WINDOWS\system32\AESTFltr.exe" /NoDlg
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ChangeTPMAuth] C:\Program Files\Wave Systems Corp\Common\ChangeTPMAuth.exe /T:NTRU12
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] "C:\Program Files\Wave Systems Corp\SecureUpgrade.exe"
O4 - HKLM\..\Run: [EmbassySecurityCheck] "C:\Program Files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ext2 Volume Manager] "C:\Program Files\Ext2Fsd\Ext2Mgr.exe" -quiet
O4 - HKLM\..\Run: [USCService] C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
O4 - HKLM\..\Run: [DellControlPoint] "C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SRS Premium Sound] "C:\Program Files\SRS Labs\SRS Premium Sound\SRSPremiumSoundBig_Small.exe" /hideme
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Dell ControlPoint System Manager.lnk = C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Telstra Turbo Modem Manager.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Append Link Target to Existing PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Northrop-Canb.local
O17 - HKLM\Software\..\Telephony: DomainName = Northrop-Canb.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Northrop-Canb.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Dell ControlPoint Button Service (buttonsvc32) - Dell Inc. - C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Credential Vault Host Control Service - Broadcom Corporation - C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
O23 - Service: Credential Vault Host Storage - Broadcom Corporation - C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
O23 - Service: Dell ControlPoint System Manager (dcpsysmgrsvc) - Dell Inc. - C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: Symantec Auto-upgrade Agent (Smcinst) - Unknown owner - C:\Program Files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe (file missing)
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\drivers\audio\r213367\stacsv.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: NTRU TSS v1.2.1.29 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe (file missing)
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe

--
End of file - 16959 bytes


Re: Hijacked home page

Post by bryanc on 16th December 2009, 10:37 am

It was vbs.runauto


Re: Hijacked home page

Post by bryanc on 16th December 2009, 10:39 am

The new page trying to load is securityresponse.symantec.com/avcentre/fix_homepage

I keep blocking it.

see ya


Re: Hijacked home page

Post by Dr Jay on 16th December 2009, 1:12 pm


  1. Download Win32kDiag from any of the following locations and save it to your Desktop.

  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.


Dr. Jay (DJ)




    Re: Hijacked home page

    Post by bryanc on 16th December 2009, 8:32 pm

This is all I got :-(

    Running from: C:\Documents and Settings\bryanc\Desktop\Win32kDiag.exe

    Log file at : C:\Documents and Settings\bryanc\Desktop\Win32kDiag.txt

    WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

By the way, I ran Malwarebytes again and found the disabled.securitycentre again.


    Re: Hijacked home page

    Post by Dr Jay on 16th December 2009, 11:05 pm

Please download GMER. Unzip it to your Desktop.

    Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

    Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

    If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

    • Click NO
    • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
    • Now click the Scan button.
      Once the scan is complete, you may receive another notice about rootkit activity.
    • Click OK.
    • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
    • Save it where you can easily find it, such as your desktop.

    Post the contents of GMER.txt in your next reply.


    Dr. Jay (DJ)




    Re: Hijacked home page

    Post by bryanc on 18th December 2009, 8:44 pm

    At last, that took some doing......

    here is gmer.txt

GMER 1.0.15.15281
    Rootkit scan 2009-12-19 07:22:48
    Windows 5.1.2600 Service Pack 3
    Running: gmer.exe; Driver: C:\DOCUME~1\bryanc\LOCALS~1\Temp\kgrorpog.sys


    ---- System - GMER 1.0.15 ----

    SSDT 8A67DA80 ZwAlertResumeThread
    SSDT 8A681EC0 ZwAlertThread
    SSDT 8A483EE8 ZwAllocateVirtualMemory
    SSDT 8A42A170 ZwConnectPort
    SSDT 8A439D20 ZwCreateMutant
    SSDT 8A432918 ZwCreateThread
    SSDT 8A5A6EC0 ZwFreeVirtualMemory
    SSDT 8A42FEA8 ZwImpersonateAnonymousToken
    SSDT 8A67F5F0 ZwImpersonateThread
    SSDT 8A6283C8 ZwMapViewOfSection
    SSDT 8A42A940 ZwOpenEvent
    SSDT 8A5672E8 ZwOpenProcessToken
    SSDT 8A403420 ZwOpenThreadToken
    SSDT 87C1C4E0 ZwResumeThread
    SSDT 8B00D678 ZwSetContextThread
    SSDT 8A3F6378 ZwSetInformationProcess
    SSDT 87B31910 ZwSetInformationThread
    SSDT 8A445BC8 ZwSuspendProcess
    SSDT 8B013388 ZwSuspendThread
    SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB204F0B0]
    SSDT 8A67C450 ZwTerminateThread
    SSDT 8A67D9A0 ZwUnmapViewOfSection
    SSDT 8A48CEE8 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwCallbackReturn + 2C08 805044A4 4 Bytes CALL 14DA8CE7
    .text ntkrnlpa.exe!ZwCallbackReturn + 2DB0 8050464C 4 Bytes CALL 14DA9CC3
    .text ntkrnlpa.exe!ZwCallbackReturn + 3018 805048B4 4 Bytes CALL 68DA9187
    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB827E380, 0x381B8D, 0xE8000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\SearchIndexer.exe[1704] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device Ext2Fsd.SYS (Ext2 File System Driver for Windows/www.ext2fsd.com)
    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)

    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

    AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----


    Re: Hijacked home page

    Post by Dr Jay on 18th December 2009, 10:38 pm

Please download ComboFix.

Rename ComboFix.exe to commy.exe before you save it to your Desktop.
• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
• Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
• As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    • Click on Yes, to continue scanning for malware.
    • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


    Dr. Jay (DJ)




    Re: Hijacked home page

    Post by bryanc on 19th December 2009, 12:06 am

I'm doing this now. While it happens, one quick question please. Is the vbs.runauto that Symantec picks up every time I plug in the thumb drives anything to worry about?

    see ya


    Re: Hijacked home page

    Post by bryanc on 19th December 2009, 12:17 am

ComboFix log follows


    ComboFix 09-12-18.01 - BryanC 19/12/2009 11:05:29.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.3572.2580 [GMT 11:00]
    Running from: c:\documents and settings\bryanc\desktop\commy.exe
    Command switches used :: /stepdel
    AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\windows\system32\st326159.dll

    ----- BITS: Possible infected sites -----

    .
    ((((((((((((((((((((((((( Files Created from 2009-11-19 to 2009-12-19 )))))))))))))))))))))))))))))))
    .

    2009-12-16 09:54 . 2009-12-16 09:54 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
    2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
    2009-12-10 00:23 . 2009-10-21 05:38 75776 -c----w- c:\windows\system32\dllcache\strmfilt.dll
    2009-12-10 00:23 . 2009-10-21 05:38 25088 -c----w- c:\windows\system32\dllcache\httpapi.dll
    2009-12-10 00:23 . 2009-10-20 16:20 265728 -c----w- c:\windows\system32\dllcache\http.sys
    2009-12-10 00:23 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2009-12-10 00:23 . 2009-10-12 13:38 149504 -c----w- c:\windows\system32\dllcache\rastls.dll
    2009-12-10 00:23 . 2009-10-12 13:38 79872 -c----w- c:\windows\system32\dllcache\raschap.dll
    2009-12-10 00:23 . 2009-10-13 10:30 270336 -c----w- c:\windows\system32\dllcache\oakley.dll
    2009-12-04 19:27 . 2009-12-04 19:27 -------- d-----w- c:\program files\Trend Micro
    2009-12-04 14:56 . 2009-12-04 14:56 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
    2009-12-04 09:50 . 2009-12-04 20:36 117760 ----a-w- c:\documents and settings\bryanc\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-12-04 09:50 . 2009-12-04 09:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-12-04 09:49 . 2009-12-04 09:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-12-03 10:29 . 2009-12-03 10:29 -------- d-----w- c:\windows\system32\wbem\Repository
    2009-12-02 20:19 . 2009-12-02 20:19 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2009-12-02 20:18 . 2009-12-03 05:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-02 20:18 . 2009-12-03 05:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-12-02 12:00 . 2009-12-02 12:00 -------- d-----w- c:\documents and settings\bryanc\Application Data\Malwarebytes
    2009-12-02 12:00 . 2009-12-15 11:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-12-02 12:00 . 2009-12-02 12:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-12-02 08:59 . 2009-12-04 20:36 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-12-02 08:59 . 2009-12-02 08:59 -------- d-----w- c:\documents and settings\bryanc\Application Data\SUPERAntiSpyware.com
    2009-11-27 19:28 . 2009-11-27 19:28 -------- d-----w- c:\program files\Common Files\DivX Shared
    2009-11-27 19:28 . 2009-11-27 19:28 -------- d-----w- c:\windows\system32\winrm
    2009-11-26 22:27 . 2009-11-27 19:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-11-26 22:27 . 2009-11-27 19:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-11-23 20:13 . 2009-11-23 20:13 4150 ----a-r- c:\documents and settings\bryanc\Application Data\Microsoft\Installer\{1F9ED934-AD0F-4879-BDFB-ED02BA2BB14F}\ARPPRODUCTICON.exe
    2009-11-23 20:12 . 2009-11-23 20:12 -------- d-----w- c:\program files\Microsoft Voice Command
    2009-11-23 12:28 . 2008-10-16 22:30 621056 ----a-r- c:\windows\system32\drivers\mod7700.sys
    2009-11-23 12:28 . 2008-10-16 22:30 113664 ----a-r- c:\windows\system32\drivers\ewusbnet.sys
    2009-11-23 12:28 . 2008-10-16 22:30 101376 ----a-r- c:\windows\system32\drivers\ewusbmdm.sys
    2009-11-23 12:28 . 2008-10-16 22:30 24448 ----a-r- c:\windows\system32\drivers\ewdcsc.sys
    2009-11-23 12:28 . 2009-11-27 19:29 -------- d-----w- c:\program files\Optus Wireless Broadband
    2009-11-20 11:39 . 2009-11-27 19:29 -------- d-----w- c:\documents and settings\bryanc\Application Data\DivX
    2009-11-20 11:37 . 2009-11-27 19:28 -------- d-----w- c:\program files\DivX

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-19 00:03 . 2009-09-07 10:03 -------- d-----w- c:\documents and settings\bryanc\Application Data\U3
    2009-12-18 23:49 . 2009-09-05 23:41 -------- d-----w- c:\documents and settings\bryanc\Application Data\Skype
    2009-12-18 21:01 . 2009-09-05 23:44 -------- d-----w- c:\documents and settings\bryanc\Application Data\skypePM
    2009-12-18 20:41 . 2009-09-04 11:15 -------- d-----w- c:\documents and settings\bryanc\Application Data\uTorrent
    2009-12-18 20:40 . 2009-09-02 23:31 0 ----a-w- c:\documents and settings\bryanc\Local Settings\Application Data\WavXMapDrive.bat
    2009-12-18 06:36 . 2009-10-07 07:48 708928 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2009-12-18 05:57 . 2009-09-03 02:30 -------- d-----w- c:\program files\Paint Shop Pro 5
    2009-12-16 21:40 . 2009-08-26 09:53 42206 ----a-w- c:\windows\system32\nvModes.dat
    2009-12-10 07:06 . 2009-08-26 10:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-12-10 01:47 . 2009-08-26 10:38 -------- d-----w- c:\program files\Microsoft SQL Server
    2009-12-10 01:42 . 2009-08-26 10:33 -------- d-----w- c:\program files\Microsoft.NET
    2009-12-10 01:40 . 2009-08-26 10:40 -------- d-----w- c:\program files\Microsoft Small Business
    2009-12-04 14:56 . 2009-09-03 07:40 -------- d-----w- c:\program files\Google
    2009-11-29 04:41 . 2009-09-03 12:37 -------- d-----w- c:\program files\Microsoft ActiveSync
    2009-11-29 04:41 . 2009-08-26 10:07 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-11-21 15:51 . 2008-04-25 16:16 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-11-18 12:28 . 2009-09-04 09:18 -------- d-----w- c:\program files\Photomatix
    2009-11-14 02:07 . 2009-11-14 02:06 -------- d-----w- c:\program files\iTunes
    2009-11-14 02:06 . 2009-11-14 02:06 -------- d-----w- c:\program files\iPod
    2009-11-14 02:06 . 2009-09-03 06:39 -------- d-----w- c:\program files\Common Files\Apple
    2009-11-14 01:58 . 2009-11-14 01:58 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
    2009-11-14 00:47 . 2009-11-14 00:47 90112 ----a-w- c:\windows\system32\dpl100.dll
    2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
    2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
    2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
    2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
    2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
    2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- c:\windows\system32\DivX.dll
    2009-11-13 22:57 . 2009-11-13 22:57 922112 ------w- c:\windows\system32\imapi2fs.dll
    2009-11-13 22:57 . 2009-11-13 22:57 426496 ------w- c:\windows\system32\imapi2.dll
    2009-10-29 07:45 . 2008-04-25 16:16 916480 ------w- c:\windows\system32\wininet.dll
    2009-10-27 07:04 . 2009-09-03 04:24 -------- d-----w- c:\program files\Common Files\Adobe
    2009-10-21 05:38 . 2008-04-25 16:16 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 05:38 . 2008-04-25 16:16 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-20 16:20 . 2008-04-14 00:23 265728 ----a-w- c:\windows\system32\drivers\http.sys
    2009-10-19 02:06 . 2009-10-19 02:06 223232 ------w- c:\windows\system32\wksprt.exe
    2009-10-19 02:06 . 2009-10-19 02:06 46080 ------w- c:\windows\system32\TSWbPrxy.exe
    2009-10-19 02:06 . 2009-10-19 02:06 12800 ------w- c:\windows\system32\wksprtPS.dll
    2009-10-19 02:06 . 2008-04-25 21:26 36864 ----a-w- c:\windows\system32\tsgQec.dll
    2009-10-19 02:06 . 2008-04-25 21:26 1033728 ----a-w- c:\windows\system32\mstsc.exe
    2009-10-19 02:06 . 2008-04-25 21:26 2689024 ----a-w- c:\windows\system32\mstscax.dll
    2009-10-19 02:06 . 2009-10-19 02:06 44544 ------w- c:\windows\system32\MsRdpWebAccess.dll
    2009-10-19 02:06 . 2008-04-25 21:26 130560 ----a-w- c:\windows\system32\aaclient.dll
    2009-10-18 21:32 . 2009-10-18 21:32 152576 ----a-w- c:\documents and settings\bryanc\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
    2009-10-15 21:53 . 2009-09-02 23:40 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2009-10-15 21:53 . 2009-09-02 23:40 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2009-10-13 10:30 . 2008-04-25 16:16 270336 ----a-w- c:\windows\system32\oakley.dll
    2009-10-12 13:38 . 2008-04-25 16:16 149504 ----a-w- c:\windows\system32\rastls.dll
    2009-10-12 13:38 . 2008-04-25 16:16 79872 ----a-w- c:\windows\system32\raschap.dll
    2009-10-09 05:23 . 2009-10-09 05:23 1107456 ------w- c:\windows\system32\WsmSvc.dll
    2009-10-09 05:23 . 2009-10-09 05:23 178176 ------w- c:\windows\system32\wevtfwd.dll
    2009-10-09 05:22 . 2009-10-09 05:22 368640 ------w- c:\windows\system32\WsmRes.dll
    2009-10-09 05:22 . 2009-10-09 05:22 69632 ------w- c:\windows\system32\winrs.exe
    2009-10-09 05:22 . 2009-10-09 05:22 42496 ------w- c:\windows\system32\pwrshplugin.dll
    2009-10-09 03:56 . 2009-10-09 03:56 209408 ------w- c:\windows\system32\WsmWmiPl.dll
    2009-10-09 03:56 . 2009-10-09 03:56 14848 ------w- c:\windows\system32\wsmprovhost.exe
    2009-10-09 03:56 . 2009-10-09 03:56 22528 ------w- c:\windows\system32\winrshost.exe
    2009-10-09 03:56 . 2009-10-09 03:56 25088 ------w- c:\windows\system32\winrmprov.dll
    2009-10-09 03:56 . 2009-10-09 03:56 12288 ------w- c:\windows\system32\wsmplpxy.dll
    2009-10-09 03:56 . 2009-10-09 03:56 2048 ------w- c:\windows\system32\winrsmgr.dll
    2009-10-09 03:56 . 2009-10-09 03:56 233984 ------w- c:\windows\system32\winrscmd.dll
    2009-10-09 03:56 . 2009-10-09 03:56 225280 ------w- c:\windows\system32\wsmanhttpconfig.exe
    2009-10-09 03:56 . 2009-10-09 03:56 12288 ------w- c:\windows\system32\winrssrv.dll
    2009-10-09 03:56 . 2009-10-09 03:56 139776 ------w- c:\windows\system32\WsmAuto.dll
    2009-10-08 03:57 . 2007-10-09 05:03 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2009-10-08 03:57 . 2008-04-25 16:16 220160 ----a-w- c:\windows\system32\oleacc.dll
    2009-10-08 03:56 . 2008-04-25 16:16 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2009-10-01 22:36 . 2009-10-01 22:36 45056 ----a-r- c:\documents and settings\bryanc\Application Data\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe
    2009-10-01 22:36 . 2009-10-01 22:36 10134 ----a-r- c:\documents and settings\bryanc\Application Data\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\ARPPRODUCTICON.exe
    .

    ((((((((((((((((((((((((((((( SnapShot_2009-12-14_11.38.43 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-12-18 21:53 . 2009-12-18 21:53 16384 c:\windows\temp\Perflib_Perfdata_490.dat
    + 2008-04-25 16:16 . 2009-12-18 20:43 84372 c:\windows\system32\perfc009.dat
    - 2008-04-25 16:16 . 2009-12-14 11:30 84372 c:\windows\system32\perfc009.dat
    + 2009-09-01 07:29 . 2009-12-19 00:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2009-09-01 07:29 . 2009-12-13 23:09 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2009-12-15 08:40 . 2009-12-19 00:02 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2009-12-06 23:02 . 2009-12-13 23:09 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2008-04-25 16:16 . 2009-12-18 20:43 474570 c:\windows\system32\perfh009.dat
    - 2008-04-25 16:16 . 2009-12-14 11:30 474570 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
    @="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
    [HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
    2009-04-22 02:03 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
    @="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
    [HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
    2009-04-22 02:03 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SRS Premium Sound"="c:\program files\SRS Labs\SRS Premium Sound\SRSPremiumSoundBig_Small.exe" [2009-03-25 3261688]
    "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-12-10 289584]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-09-02 25623336]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-04 2001648]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-02-22 200704]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-17 483420]
    "AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-17 729088]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-28 13537280]
    "nwiz"="nwiz.exe" [2008-08-28 1630208]
    "NVHotkey"="nvHotkey.dll" [2008-08-28 90112]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-28 86016]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
    "ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2009-02-26 184320]
    "WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-12-22 145408]
    "SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2009-04-22 656696]
    "EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2009-04-22 95544]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-04 128232]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-09-11 115560]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-04 417792]
    "Ext2 Volume Manager"="c:\program files\Ext2Fsd\Ext2Mgr.exe" [2009-07-30 1216648]
    "USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2009-04-22 15360]
    "DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-03-19 667648]
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-02 38768]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-10-02 640376]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-02 35696]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-8-15 604776]
    Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-4-9 1106720]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-10-2 50688]
    Telstra Turbo Modem Manager.lnk - c:\program files\Telstra\Telstra Turbo Modem Manager\Service\MdmMgr.exe [2009-9-23 454656]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-12 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-12-04 20:36 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 wvauth

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

    R1 Ext2Fsd;Linux ext2 file system driver;c:\windows\system32\drivers\ext2fsd.sys [10/10/2009 12:10 PM 651264]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [14/05/2009 2:22 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14/05/2009 2:22 PM 74480]
    R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [19/04/2007 8:56 AM 133968]
    R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [29/12/2008 2:07 PM 320800]
    R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [22/01/2009 1:19 PM 808296]
    R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [22/01/2009 1:19 PM 20840]
    R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [9/04/2009 5:02 PM 447264]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [27/08/2009 12:42 PM 112512]
    R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [27/08/2009 12:43 PM 32808]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [27/08/2009 12:42 PM 244368]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/12/2009 6:56 AM 102448]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [14/05/2009 2:22 PM 7408]
    R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [26/08/2009 9:31 PM 232744]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/10/2009 5:43 PM 133104]
    S3 cmusbnet;WAN Driver @ 3GPP (6280);c:\windows\system32\drivers\cmusbnet.sys [23/09/2009 6:57 AM 81152]
    S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [23/09/2009 6:57 AM 87040]
    S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]
    S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [26/04/2008 3:16 AM 14336]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    ------- Supplementary Scan -------
    .
    uStart Page = [You must be registered and logged in to see this link.]
    uDefault_Search_URL = [You must be registered and logged in to see this link.]
    uInternet Settings,ProxyServer = 10.10.10.254:3128
    uInternet Settings,ProxyOverride = nexus.*;nexus;
    uSearchURL,(Default) = [You must be registered and logged in to see this link.]
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    .

    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(912)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\NetProvCredMan.dll

    - - - - - - - > 'lsass.exe'(968)
    c:\windows\system32\wvauth.dll
    .
    Completion time: 2009-12-19 11:12:22
    ComboFix-quarantined-files.txt 2009-12-19 00:12
    ComboFix2.txt 2009-12-14 11:41
    ComboFix3.txt 2009-12-04 19:47

    Pre-Run: 2,608,992,256 bytes free
    Post-Run: 2,597,015,552 bytes free

    - - End Of File - - F63B8E7DFAABE61C512D9A8180791607

    bryanc, Intermediate. Posts: 132. Joined: 2009-05-24. OS: XP.
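    The log above ends with a "Supplementary Scan" block that lists the per-user IE start page, search URLs and proxy settings, and earlier it lists the firewall's globally open ports, the LSA authentication packages and services whose files ComboFix could not find. As an added example that is not part of the original post and not a ComboFix feature, here is a Python triage helper that pulls exactly those items out of a log in this format and turns them into a review list; it does not decide whether any item is malicious, it only surfaces what a person should check. It assumes the DDS/ComboFix prefix convention that a leading "u" means the value lives under HKCU and a leading "m" under HKLM. The sample input is constructed from lines of the same shape as the log above, with the forum-redacted URLs left as placeholders.

```python
"""ComboFix log triage: list items a reviewer should check (added example;
not part of the thread and not a ComboFix feature).  Nothing is judged
malicious here, the output is a review list."""
import ipaddress
import re

# Constructed sample in the shape ComboFix prints (modelled on the log in the
# thread); the URLs the forum redacted are left as placeholders.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [26/04/2008 3:16 AM 14336]
.
------- Supplementary Scan -------
.
uStart Page = [redacted by forum]
uDefault_Search_URL = [redacted by forum]
uInternet Settings,ProxyServer = 10.10.10.254:3128
uInternet Settings,ProxyOverride = nexus.*;nexus;
uSearchURL,(Default) = [redacted by forum]
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
"""

RE_PORT = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):'
                     r'(?P<scope>[^:]+):(?P<state>Enabled|Disabled):(?P<name>.*)$')
RE_SERVICE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<path>.*)$')
# Assumed DDS/ComboFix prefix convention: 'u' = per-user (HKCU), 'm' = machine (HKLM).
RE_SETTING = re.compile(r'^(?P<hive>[um])(?P<key>[^=]+?)\s*=\s*(?P<value>.*)$')


def _is_private_host(server):
    """True when the proxy host is a private (RFC 1918 / link-local) address."""
    try:
        return ipaddress.ip_address(server.split(":")[0]).is_private
    except ValueError:  # hostname, or per-protocol 'http=...;https=...' syntax
        return False


def triage(log_text):
    f = {"proxy": [], "browser_overrides": [], "open_ports": [],
         "lsa_extra_packages": [], "missing_service_files": []}
    in_supplementary = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if "Supplementary Scan" in line:
            in_supplementary = True
        elif line.startswith("Authentication Packages"):
            packages = line.split()[3:]  # after 'Authentication Packages REG_MULTI_SZ'
            f["lsa_extra_packages"] = [p for p in packages if p.lower() != "msv1_0"]
        elif RE_PORT.match(line):
            m = RE_PORT.match(line)
            f["open_ports"].append({"port": int(m["port"]), "proto": m["proto"], "scope": m["scope"],
                                    "state": m["state"], "name": m["name"].strip()})
        elif RE_SERVICE.match(line):
            m = RE_SERVICE.match(line)
            if m["path"].rstrip().endswith("[?]"):  # ComboFix could not find the service file
                f["missing_service_files"].append(m["name"])
        elif in_supplementary and RE_SETTING.match(line):
            m = RE_SETTING.match(line)
            hive = "HKCU" if m["hive"] == "u" else "HKLM"
            key, value = m["key"].strip(), m["value"].strip()
            if key == "Internet Settings,ProxyServer":
                f["proxy"].append({"hive": hive, "server": value, "private_ip": _is_private_host(value)})
            elif key == "Internet Settings,ProxyOverride":
                f["proxy"].append({"hive": hive, "override": value})
            elif "Page" in key or "Search" in key:
                f["browser_overrides"].append({"hive": hive, "key": key, "value": value})
    return f


def report(f):
    """One REVIEW line per finding, in the order a triager would read them."""
    out = []
    for p in f["proxy"]:
        if "server" in p:
            note = " (private address; non-overridden IE traffic goes through it)" if p["private_ip"] else ""
            out.append(f"REVIEW proxy {p['hive']} ProxyServer={p['server']}{note}")
        else:
            out.append(f"REVIEW proxy {p['hive']} ProxyOverride={p['override']}")
    out += [f"REVIEW browser {b['hive']} {b['key']} = {b['value']}" for b in f["browser_overrides"]]
    out += [f"REVIEW firewall {p['port']}/{p['proto']} scope={p['scope']} {p['state']} ({p['name']})"
            for p in f["open_ports"]]
    out += [f"REVIEW lsa non-default authentication package: {p}" for p in f["lsa_extra_packages"]]
    out += [f"REVIEW service {s}: registered but file not found" for s in f["missing_service_files"]]
    return out


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

    The point of splitting "proxy" from "browser_overrides" is that a user-level ProxyServer is the setting that decides where every non-overridden IE request goes, so it deserves a separate line from the start page and search URL entries; a private address there is worth confirming against whatever network the machine actually sits on before anything is reset.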

    Re: Hijacked home page

    Post by Dr Jay on 19th December 2009, 5:34 am

    Re-running ComboFix to remove infections:

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the quotebox below into it:

      File::
      c:\windows\system32\GPhotos.scr
      c:\windows\system32\WsmSvc.dll
      c:\windows\system32\wevtfwd.dll
      c:\windows\system32\WsmRes.dll
      c:\windows\system32\winrs.exe
      c:\windows\system32\pwrshplugin.dll
      c:\windows\system32\WsmWmiPl.dll
      c:\windows\system32\wsmprovhost.exe
      c:\windows\system32\winrshost.exe
      c:\windows\system32\winrmprov.dll
      c:\windows\system32\wsmplpxy.dll
      c:\windows\system32\winrsmgr.dll
      c:\windows\system32\winrscmd.dll
      c:\windows\system32\wsmanhttpconfig.exe
      c:\windows\system32\winrssrv.dll
      c:\windows\system32\WsmAuto.dll
      c:\windows\system32\uiautomationcore.dll
      c:\windows\system32\oleacc.dll
      c:\windows\system32\oleaccrc.dll

      DDS::
      uStart Page = [You must be registered and logged in to see this link.]
      uInternet Settings,ProxyServer = 10.10.10.254:3128
      uInternet Settings,ProxyOverride = nexus.*;nexus;

    4. Save this as CFScript.txt, in the same location as ComboFix.exe



    5. Referring to the picture above, drag CFScript into ComboFix.exe
    6. When finished, it shall produce a log for you at C:\ComboFix.txt
    7. Please post the contents of the log in your next reply.


    Dr. Jay (DJ)



    Dr Jay, Head Administrator. Posts: 14317. Joined: 2009-09-06. OS: Windows 10 Home & Pro, x64. Protection: Bitdefender Total Security.
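    Step 7 asks for the new log, and the quickest way to confirm that a CFScript took effect is to compare the "Reg Loading Points" Run values and the R/S service lines of the new ComboFix log against the previous one. As an added example (mine, not the thread's and not ComboFix's own tooling), here is a Python diff of the autostart entries in two logs. The before/after excerpts are constructed in the shape of this thread's two logs and are not the full logs; the ccApp date in the "after" excerpt is deliberately altered to exercise the "changed" case. The [X] marker is, as I understand ComboFix's convention, its note for an entry whose file it could not locate.

```python
"""Diff the autostart entries (Run-key values and R/S service lines) of two
ComboFix logs.  Added example, not part of the thread or of ComboFix."""
import re

RE_KEY = re.compile(r'^\[(?P<key>[^\]]+)\]$')
RE_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
RE_SERVICE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<path>.*)$')

# Constructed before/after excerpts in the shape of the thread's two logs
# (the ccApp date in AFTER is altered on purpose to show a changed entry).
BEFORE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-02-22 200704]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-09-11 115560]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [14/05/2009 2:22 PM 9968]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [26/04/2008 3:16 AM 14336]
"""

AFTER = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-02-22 200704]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-12-19 115560]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [14/05/2009 2:22 PM 9968]
"""


def parse_autostarts(text):
    """Map '<registry key>\\<value name>' or 'service\\<name>' to (path, meta)."""
    entries, current_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_KEY.match(line)
        if m:
            current_key = m["key"].lower()  # ComboFix mixes key-name casing; normalise
            continue
        m = RE_VALUE.match(line)
        if m and current_key:
            entries[current_key + "\\" + m["name"]] = (m["path"], m["meta"])
            continue
        m = RE_SERVICE.match(line)
        if m:
            entries["service\\" + m["name"]] = (m["path"].strip(), m["start"])
    return entries


def diff_autostarts(before_text, after_text):
    before, after = parse_autostarts(before_text), parse_autostarts(after_text)
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "changed": sorted(k for k in after if k in before and after[k] != before[k]),
        # ComboFix writes [X] for an entry whose file it could not locate
        "unverified": sorted(k for k, (_, meta) in after.items() if meta == "X"),
    }


def report(diff):
    """One line per difference, grouped by kind."""
    lines = []
    for kind in ("added", "removed", "changed", "unverified"):
        lines.extend(f"{kind.upper():10} {entry}" for entry in diff[kind])
    return lines


if __name__ == "__main__":
    print("\n".join(report(diff_autostarts(BEFORE, AFTER))))
```

    Run against real logs, the "removed" list should contain exactly the services and values the CFScript was meant to take out and nothing else; anything in "added" or "unverified" that was not expected is the first thing to ask about in the next reply.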

    Re: Hijacked home page

    Post by bryanc on 19th December 2009, 7:12 am

    Done. Combofix ran and the computer rebooted. A few error messages and then Superantispyware picked up an attempt to change the home page to go.microsoft.com.fwlink/?linkId=69157

    Here's the log:

    ComboFix 09-12-18.01 - BryanC 19/12/2009 17:38:17.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.3572.2729 [GMT 11:00]
    Running from: c:\documents and settings\bryanc\Desktop\commy.exe
    Command switches used :: c:\documents and settings\bryanc\Desktop\CFScript.txt.txt
    AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    FILE ::
    "c:\windows\system32\GPhotos.scr"
    "c:\windows\system32\oleacc.dll"
    "c:\windows\system32\oleaccrc.dll"
    "c:\windows\system32\pwrshplugin.dll"
    "c:\windows\system32\uiautomationcore.dll"
    "c:\windows\system32\wevtfwd.dll"
    "c:\windows\system32\winrmprov.dll"
    "c:\windows\system32\winrs.exe"
    "c:\windows\system32\winrscmd.dll"
    "c:\windows\system32\winrshost.exe"
    "c:\windows\system32\winrsmgr.dll"
    "c:\windows\system32\winrssrv.dll"
    "c:\windows\system32\wsmanhttpconfig.exe"
    "c:\windows\system32\WsmAuto.dll"
    "c:\windows\system32\wsmplpxy.dll"
    "c:\windows\system32\wsmprovhost.exe"
    "c:\windows\system32\WsmRes.dll"
    "c:\windows\system32\WsmSvc.dll"
    "c:\windows\system32\WsmWmiPl.dll"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\GPhotos.scr
    c:\windows\system32\pwrshplugin.dll
    c:\windows\system32\uiautomationcore.dll
    c:\windows\system32\wevtfwd.dll
    c:\windows\system32\winrmprov.dll
    c:\windows\system32\winrs.exe
    c:\windows\system32\winrscmd.dll
    c:\windows\system32\winrshost.exe
    c:\windows\system32\winrsmgr.dll
    c:\windows\system32\winrssrv.dll
    c:\windows\system32\wsmanhttpconfig.exe
    c:\windows\system32\WsmAuto.dll
    c:\windows\system32\wsmplpxy.dll
    c:\windows\system32\wsmprovhost.exe
    c:\windows\system32\WsmRes.dll
    c:\windows\system32\WsmSvc.dll
    c:\windows\system32\WsmWmiPl.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_WinRM


    ((((((((((((((((((((((((( Files Created from 2009-11-19 to 2009-12-19 )))))))))))))))))))))))))))))))
    .

    2009-12-19 00:04 . 2009-12-19 00:12 -------- d-----w- C:\commy
    2009-12-16 09:54 . 2009-12-16 09:54 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
    2009-12-10 00:23 . 2009-10-21 05:38 75776 -c----w- c:\windows\system32\dllcache\strmfilt.dll
    2009-12-10 00:23 . 2009-10-21 05:38 25088 -c----w- c:\windows\system32\dllcache\httpapi.dll
    2009-12-10 00:23 . 2009-10-20 16:20 265728 -c----w- c:\windows\system32\dllcache\http.sys
    2009-12-10 00:23 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2009-12-10 00:23 . 2009-10-12 13:38 149504 -c----w- c:\windows\system32\dllcache\rastls.dll
    2009-12-10 00:23 . 2009-10-12 13:38 79872 -c----w- c:\windows\system32\dllcache\raschap.dll
    2009-12-10 00:23 . 2009-10-13 10:30 270336 -c----w- c:\windows\system32\dllcache\oakley.dll
    2009-12-04 19:27 . 2009-12-04 19:27 -------- d-----w- c:\program files\Trend Micro
    2009-12-04 14:56 . 2009-12-04 14:56 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
    2009-12-04 09:50 . 2009-12-04 09:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-12-04 09:49 . 2009-12-04 09:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-12-03 10:29 . 2009-12-03 10:29 -------- d-----w- c:\windows\system32\wbem\Repository
    2009-12-02 20:18 . 2009-12-03 05:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-02 20:18 . 2009-12-03 05:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-12-02 12:00 . 2009-12-02 12:00 -------- d-----w- c:\documents and settings\bryanc\Application Data\Malwarebytes
    2009-12-02 12:00 . 2009-12-15 11:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-12-02 12:00 . 2009-12-02 12:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-12-02 08:59 . 2009-12-04 20:36 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-12-02 08:59 . 2009-12-02 08:59 -------- d-----w- c:\documents and settings\bryanc\Application Data\SUPERAntiSpyware.com
    2009-11-27 19:28 . 2009-11-27 19:28 -------- d-----w- c:\program files\Common Files\DivX Shared

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-19 06:53 . 2009-09-02 23:31 0 ----a-w- c:\documents and settings\bryanc\Local Settings\Application Data\WavXMapDrive.bat
    2009-12-19 06:37 . 2009-09-05 23:41 -------- d-----w- c:\documents and settings\bryanc\Application Data\Skype
    2009-12-19 05:01 . 2009-09-05 23:44 -------- d-----w- c:\documents and settings\bryanc\Application Data\skypePM
    2009-12-19 00:31 . 2009-09-04 11:15 -------- d-----w- c:\documents and settings\bryanc\Application Data\uTorrent
    2009-12-19 00:03 . 2009-09-07 10:03 -------- d-----w- c:\documents and settings\bryanc\Application Data\U3
    2009-12-18 06:36 . 2009-10-07 07:48 708928 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2009-12-18 05:57 . 2009-09-03 02:30 -------- d-----w- c:\program files\Paint Shop Pro 5
    2009-12-16 21:40 . 2009-08-26 09:53 42206 ----a-w- c:\windows\system32\nvModes.dat
    2009-12-10 07:06 . 2009-08-26 10:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-12-10 01:47 . 2009-08-26 10:38 -------- d-----w- c:\program files\Microsoft SQL Server
    2009-12-10 01:42 . 2009-08-26 10:33 -------- d-----w- c:\program files\Microsoft.NET
    2009-12-10 01:40 . 2009-08-26 10:40 -------- d-----w- c:\program files\Microsoft Small Business
    2009-12-04 20:36 . 2009-12-04 09:50 117760 ----a-w- c:\documents and settings\bryanc\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-12-04 14:56 . 2009-09-03 07:40 -------- d-----w- c:\program files\Google
    2009-12-02 20:19 . 2009-12-02 20:19 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2009-11-29 04:41 . 2009-09-03 12:37 -------- d-----w- c:\program files\Microsoft ActiveSync
    2009-11-29 04:41 . 2009-08-26 10:07 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-11-27 19:29 . 2009-11-26 22:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-11-27 19:29 . 2009-11-26 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-11-27 19:29 . 2009-11-20 11:39 -------- d-----w- c:\documents and settings\bryanc\Application Data\DivX
    2009-11-27 19:29 . 2009-11-23 12:28 -------- d-----w- c:\program files\Optus Wireless Broadband
    2009-11-27 19:28 . 2009-11-20 11:37 -------- d-----w- c:\program files\DivX
    2009-11-23 20:13 . 2009-11-23 20:13 4150 ----a-r- c:\documents and settings\bryanc\Application Data\Microsoft\Installer\{1F9ED934-AD0F-4879-BDFB-ED02BA2BB14F}\ARPPRODUCTICON.exe
    2009-11-23 20:12 . 2009-11-23 20:12 -------- d-----w- c:\program files\Microsoft Voice Command
    2009-11-21 15:51 . 2008-04-25 16:16 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-11-18 12:28 . 2009-09-04 09:18 -------- d-----w- c:\program files\Photomatix
    2009-11-14 02:07 . 2009-11-14 02:06 -------- d-----w- c:\program files\iTunes
    2009-11-14 02:06 . 2009-11-14 02:06 -------- d-----w- c:\program files\iPod
    2009-11-14 02:06 . 2009-09-03 06:39 -------- d-----w- c:\program files\Common Files\Apple
    2009-11-14 01:58 . 2009-11-14 01:58 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
    2009-11-14 00:47 . 2009-11-14 00:47 90112 ----a-w- c:\windows\system32\dpl100.dll
    2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
    2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
    2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
    2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
    2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
    2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- c:\windows\system32\DivX.dll
    2009-11-13 22:57 . 2009-11-13 22:57 922112 ------w- c:\windows\system32\imapi2fs.dll
    2009-11-13 22:57 . 2009-11-13 22:57 426496 ------w- c:\windows\system32\imapi2.dll
    2009-10-29 07:45 . 2008-04-25 16:16 916480 ------w- c:\windows\system32\wininet.dll
    2009-10-27 07:04 . 2009-09-03 04:24 -------- d-----w- c:\program files\Common Files\Adobe
    2009-10-21 05:38 . 2008-04-25 16:16 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 05:38 . 2008-04-25 16:16 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-20 16:20 . 2008-04-14 00:23 265728 ----a-w- c:\windows\system32\drivers\http.sys
    2009-10-19 02:06 . 2009-10-19 02:06 223232 ------w- c:\windows\system32\wksprt.exe
    2009-10-19 02:06 . 2009-10-19 02:06 46080 ------w- c:\windows\system32\TSWbPrxy.exe
    2009-10-19 02:06 . 2009-10-19 02:06 12800 ------w- c:\windows\system32\wksprtPS.dll
    2009-10-19 02:06 . 2008-04-25 21:26 36864 ----a-w- c:\windows\system32\tsgQec.dll
    2009-10-19 02:06 . 2008-04-25 21:26 1033728 ----a-w- c:\windows\system32\mstsc.exe
    2009-10-19 02:06 . 2008-04-25 21:26 2689024 ----a-w- c:\windows\system32\mstscax.dll
    2009-10-19 02:06 . 2009-10-19 02:06 44544 ------w- c:\windows\system32\MsRdpWebAccess.dll
    2009-10-19 02:06 . 2008-04-25 21:26 130560 ----a-w- c:\windows\system32\aaclient.dll
    2009-10-18 21:32 . 2009-10-18 21:32 152576 ----a-w- c:\documents and settings\bryanc\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
    2009-10-15 21:53 . 2009-09-02 23:40 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2009-10-15 21:53 . 2009-09-02 23:40 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2009-10-13 10:30 . 2008-04-25 16:16 270336 ----a-w- c:\windows\system32\oakley.dll
    2009-10-12 13:38 . 2008-04-25 16:16 149504 ----a-w- c:\windows\system32\rastls.dll
    2009-10-12 13:38 . 2008-04-25 16:16 79872 ----a-w- c:\windows\system32\raschap.dll
    2009-10-08 03:57 . 2008-04-25 16:16 220160 ----a-w- c:\windows\system32\oleacc.dll
    2009-10-08 03:56 . 2008-04-25 16:16 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2009-10-01 22:36 . 2009-10-01 22:36 45056 ----a-r- c:\documents and settings\bryanc\Application Data\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe
    2009-10-01 22:36 . 2009-10-01 22:36 10134 ----a-r- c:\documents and settings\bryanc\Application Data\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\ARPPRODUCTICON.exe
    .

    ((((((((((((((((((((((((((((( SnapShot_2009-12-14_11.38.43 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-04-25 16:16 . 2009-12-19 06:54 84372 c:\windows\system32\perfc009.dat
    - 2008-04-25 16:16 . 2009-12-14 11:30 84372 c:\windows\system32\perfc009.dat
    - 2009-09-01 07:29 . 2009-12-13 23:09 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2009-09-01 07:29 . 2009-12-19 00:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-04-25 16:16 . 2009-12-19 06:54 474570 c:\windows\system32\perfh009.dat
    - 2008-04-25 16:16 . 2009-12-14 11:30 474570 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
    @="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
    [HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
    2009-04-22 02:03 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
    @="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
    [HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
    2009-04-22 02:03 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SRS Premium Sound"="c:\program files\SRS Labs\SRS Premium Sound\SRSPremiumSoundBig_Small.exe" [2009-03-25 3261688]
    "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-12-10 289584]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-09-02 25623336]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-04 2001648]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-02-22 200704]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-17 483420]
    "AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-17 729088]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-28 13537280]
    "nwiz"="nwiz.exe" [2008-08-28 1630208]
    "NVHotkey"="nvHotkey.dll" [2008-08-28 90112]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-28 86016]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
    "ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2009-02-26 184320]
    "WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-12-22 145408]
    "SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2009-04-22 656696]
    "EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2009-04-22 95544]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-04 128232]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-09-11 115560]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-04 417792]
    "Ext2 Volume Manager"="c:\program files\Ext2Fsd\Ext2Mgr.exe" [2009-07-30 1216648]
    "USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2009-04-22 15360]
    "DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-03-19 667648]
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-02 38768]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-10-02 640376]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-02 35696]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-8-15 604776]
    Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-4-9 1106720]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-10-2 50688]
    Telstra Turbo Modem Manager.lnk - c:\program files\Telstra\Telstra Turbo Modem Manager\Service\MdmMgr.exe [2009-9-23 454656]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-12 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-12-04 20:36 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 wvauth

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

    R1 Ext2Fsd;Linux ext2 file system driver;c:\windows\system32\drivers\ext2fsd.sys [10/10/2009 12:10 PM 651264]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [14/05/2009 2:22 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14/05/2009 2:22 PM 74480]
    R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [19/04/2007 8:56 AM 133968]
    R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [29/12/2008 2:07 PM 320800]
    R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [22/01/2009 1:19 PM 808296]
    R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [22/01/2009 1:19 PM 20840]
    R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [9/04/2009 5:02 PM 447264]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [27/08/2009 12:42 PM 112512]
    R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [27/08/2009 12:43 PM 32808]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [27/08/2009 12:42 PM 244368]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/12/2009 6:56 AM 102448]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [14/05/2009 2:22 PM 7408]
    R3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [26/08/2009 9:31 PM 232744]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/10/2009 5:43 PM 133104]
    S3 cmusbnet;WAN Driver @ 3GPP (6280);c:\windows\system32\drivers\cmusbnet.sys [23/09/2009 6:57 AM 81152]
    S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [23/09/2009 6:57 AM 87040]
    S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys --> c:\windows\system32\Drivers\NvtSp50.sys [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    ------- Supplementary Scan -------
    .
    uStart Page = [You must be registered and logged in to see this link.]
    uDefault_Search_URL = [You must be registered and logged in to see this link.]
    uSearchURL,(Default) = [You must be registered and logged in to see this link.]
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
    Rootkit scan 2009-12-19 17:52
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(916)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\NetProvCredMan.dll

    - - - - - - - > 'lsass.exe'(972)
    c:\windows\system32\wvauth.dll

    - - - - - - - > 'explorer.exe'(2864)
    c:\windows\system32\WININET.dll
    c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\btmmhook.dll
    c:\program files\iTunes\iTunesMiniPlayer.dll
    c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
    c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\btncopy.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
    c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
    c:\drivers\audio\r213367\stacsv.exe
    c:\windows\System32\SCardSvr.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\windows\system32\SearchIndexer.exe
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    c:\program files\DellTPad\ApMsgFwd.exe
    c:\program files\DellTPad\HidFind.exe
    c:\program files\DellTPad\Apntex.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Microsoft ActiveSync\wcescomm.exe
    c:\progra~1\MI3AA1~1\rapimgr.exe
    c:\windows\system32\msiexec.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\imapi.exe
    .
    **************************************************************************
    .
    Completion time: 2009-12-19 17:58:38 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-12-19 06:58
    ComboFix2.txt 2009-12-19 00:12
    ComboFix3.txt 2009-12-14 11:41
    ComboFix4.txt 2009-12-04 19:47

    Pre-Run: 2,556,612,608 bytes free
    Post-Run: 2,444,931,072 bytes free

    - - End Of File - - 30DF3AEE82F1AA0434B498716E6C3C62


    see ya


    Re: Hijacked home page

    Post by Dr Jay on 19th December 2009, 7:34 am

    Now time to clean up.

    To uninstall ComboFix

    • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
    • In the field, type in ComboFix /uninstall



    (Note: Make sure there's a space between the word ComboFix and the forward-slash.)

    • Then, press Enter, or click OK.
    • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.


    ==

    Download Security Check by screen317 from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    Dr. Jay (DJ)



    Re: Hijacked home page

    Post by bryanc on 19th December 2009, 9:21 am

    this is the security check log

    Results of screen317's Security Check version 0.99.1
    Windows XP Service Pack 3
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    Symantec Endpoint Protection
    Antivirus up to date! (On Access scanning disabled!)
    ``````````````````````````````
    Anti-malware/Other Utilities Check:

    SUPERAntiSpyware Free Edition
    HijackThis 2.0.2
    Adobe Flash Player 10
    Adobe Reader 9.2
    ``````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Norton ccSvcHst.exe
    SRS Labs SRS Premium Sound SRSPremiumSoundBig_Small.exe
    ``````````````````````````````
    DNS Vulnerability Check:

    Unknown. This method cannot test your vulnerability to DNS cache poisoning.

    `````````End of Log```````````


    Re: Hijacked home page

    Post by Dr Jay on 19th December 2009, 9:24 am

    Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

    Software recommendations

    AntiSpyware

    • [You must be registered and logged in to see this link.]
      SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found [You must be registered and logged in to see this link.].
    • [You must be registered and logged in to see this link.].
      Spybot - Search & Destroy is a spyware and adware removal program. It also has real-time protection, TeaTimer, to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot.)


    NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

    Resident Protection help
    A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

    Rogue programs help
    There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
    [You must be registered and logged in to see this link.]

    Securing your computer

    • [You must be registered and logged in to see this link.] - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
    • [You must be registered and logged in to see this link.] replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


    Please consider using an alternate browser
    Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

    If you are interested:


    Thank you for choosing GeekPolice. Please see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site. Do you have any more questions?


    Dr. Jay (DJ)



    Re: Hijacked home page

    Post by bryanc on 19th December 2009, 10:56 am

    Thank you, Explorer is working on my laptop again.
    However, on bootup I get a lot of error messages. About 6 of them.
    Also SUPERAntiSpyware picked up an attempt to change the homepage again.

    I can give you more details if you wish.

    see ya


    Re: Hijacked home page

    Post by Dr Jay on 19th December 2009, 1:15 pm

    Download WhoCrashed [You must be registered and logged in to see this link.]
    This program checks for any drivers which may have been causing your computer to crash....

    Click on the file you just downloaded and run it.
    Put a tick in Accept then click on Next
    Put a tick in the Don't create a start menu folder then click Next
    Put a tick in Create a Desktop Icon then click on Install and make sure there is a tick in Launch Whocrashed before clicking Finish
    Click Analyze
    It will want to download the Debugger and install it; say Yes.

    WhoCrashed will create a report, but you have to scroll down to see it.
    Copy and paste it into your next reply.


    Dr. Jay (DJ)



    Re: Hijacked home page

    Post by bryanc on 19th December 2009, 8:01 pm

    Here's the report. It didn't ask to download the debugger.

    see ya


    --------------------------------------------------------------------------------
    Welcome to WhoCrashed Home Edition 2.00
    --------------------------------------------------------------------------------

    This program checks for drivers which have been crashing your computer.

    Whenever a computer suddenly reboots without displaying any notice or blue screen of death, the first thing that is often though about is a hardware failure. In reality, on Windows most crashes are caused by malfunctioning device drivers and kernel modules. In case of a kernel error, most computers do not show a blue screen unless they are configured to do so. Instead these systems suddenly reboot without any notice.

    This program does post-mortem crash dump analysis with the single click of a button.


    To obtain technical support visit [You must be registered and logged in to see this link.]

    To check if a newer version of this program is available, click here.

    Just click the Analyze button for a comprehensible report ...



    --------------------------------------------------------------------------------
    Home Edition notice
    --------------------------------------------------------------------------------

    This version of WhoCrashed is free for use at home only. If you would like to use this software at work or in a commercial environment you should get the professional edition. The professional edition of WhoCrashed also allows analysis of crashdumps on remote drives and computers on the network and offers more detailed analysis.


    --------------------------------------------------------------------------------
    Analysis
    --------------------------------------------------------------------------------

    Crash dump directory: C:\WINDOWS\Minidump

    Crash dumps are enabled on your computer.


    No valid crash dumps have been found on your computer


    --------------------------------------------------------------------------------
    Conclusion
    --------------------------------------------------------------------------------

    Crash dumps are enabled and no valid crash dumps have been found on your computer. In case your computer does experience sudden reboots it is likely these are caused by malfunctioning hardware, power failure or a thermal issue. To troubleshoot a thermal issue, check the temperature using your BIOS setup program, check for dust in CPU and motherboard fans and if your computer is portable make sure it's located on a hard surface. Otherwise it's suggested you contact the support department of the manufacturer of your system or test your system with a memory test utility for further investigation.


    Re: Hijacked home page

    Post by bryanc on 20th December 2009, 12:49 am

    Just had an attempt to change the home page to the microsoft site I mentioned back a bit.
    go.microsoft.com.fwlink/?linkId=69157

    Any clues?

    see ya


    Re: Hijacked home page

    Post by Dr Jay on 20th December 2009, 2:59 am

    How to capture a System event log and upload it to the forum:

    • First, open Event Viewer by clicking Start -> Run -> type eventvwr.msc and press ENTER.
    • In the Event Viewer please right click the requested event log (i.e. Application, system, etc...) and click Save Log File As.
    • Please save the logfile to your desktop and give it a recognizable name.
    • Do this for each log that has been requested.
    • When you are finished saving the necessary logs, close Event Viewer.
    • On your desktop find the saved log files. Hold the CTRL key and click to select each event log.
    • When all event logs are selected, right-click one of them, click Send to -> Compressed Zip Folder.
    • A new .ZIP file will have been created on your desktop. Please attach that file to this forum in your next reply.


    Dr. Jay (DJ)



    Re: Hijacked home page

    Post by bryanc on 20th December 2009, 4:39 am

    This program won't run. The error message is:

    "The application failed to initialize properly (0xc000007b). Click on OK to terminate the application."

    I get this same error message on other programs, such as Skype.

    see ya


    Re: Hijacked home page

    Post by Dr Jay on 20th December 2009, 10:06 am

    Go to Start and then to Run.
    Type in: sfc /scannow
    Click OK.
    Have Windows CD/DVD handy.
    If System File Checker (sfc) finds any errors, it may ask you for the CD/DVD.
    If sfc does not find any errors in Windows XP, it will simply quit, without any message.

    If you don't have Windows CD....

    Go to Start and then Run,
    type in regedit and click OK.


    Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup

    On the right hand side, find: SourcePath

    It probably has an entry pointing to your CD-ROM drive, usually D, and that is why it is asking for the XP CD.
    All we need to do is change it to: C:
    Now, double click the SourcePath setting and a new box will pop up.
    Change the drive letter from your CD drive to your root drive, usually C:
    Close Registry Editor.

    Now restart your computer and try sfc /scannow again!

    After the first run, reboot your computer. Do a second run. Now the scan and fix is finished.


    Dr. Jay (DJ)



    Re: Hijacked home page

    Post by bryanc on 20th December 2009, 9:38 pm

    You guys are very clever!! Almost there...

    Still get one error message on startup

    Can't find component.
    ChangeTPMAuth.exe ......can't find Tspl.dll


    Also, I can't connect to the web when at work. I can get the company homepage and navigate through it, but can't go anywhere else, including here.

    see ya


    Re: Hijacked home page

    Post by Dr Jay on 21st December 2009, 9:10 am

    Please download the latest version of Kaspersky GetSystemInfo (GSI) from [You must be registered and logged in to see this link.] and save it to your Desktop.
    Please close all other applications running on your system.

    Please double click GetSystemInfo.exe to open it.

    Click the Settings button.



    Set it to Maximum



    IMPORTANT! Then please click Customize - choose Driver / Ports tab and uncheck Scan Ports.


    Click Create Report to run it.

    It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop. Please upload the folder to [You must be registered and logged in to see this link.] and click the Submit button.

    Please copy and paste the url of the GSI Parser report (not the log) in your next reply.


    Dr. Jay (DJ)



    Re: Hijacked home page

    Post by bryanc on 21st December 2009, 10:48 am

    Here you go, Kaspersky log address:

    [You must be registered and logged in to see this link.]

    see ya


    Re: Hijacked home page

    Post by Dr Jay on 22nd December 2009, 3:41 am

    Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.


    Dr. Jay (DJ)



    Re: Hijacked home page

    Post by bryanc on 22nd December 2009, 5:53 am

    Explorer was working for a bit today, then I had a homepage change attempt and it stopped again. I'm on a new computer.

    When I try to update Malwarebytes I get an error message.
    "An error has occurred. Please report the following error code to the MWB support team: Error code 732 (12029,0)"

    I didn't run the scan.


    Re: Hijacked home page

    Post by Dr Jay on 22nd December 2009, 6:47 am

    Please navigate to this webpage: [You must be registered and logged in to see this link.] and see the section "Fix it for me" and click the Microsoft Fix-It button. This will download a fix utility to repair the security settings on your computer, due to damage caused by malware or other harmful system changes. Install the file after download.

    ==

    Open a run line by clicking start -> run

    Copy and paste the following bolded text into the Open: box and click OK

    cmd /k cd\ && dir c:\atapi.sys /a /s > atapi.txt && notepad atapi.txt

    Paste back the contents of the atapi.txt


    Dr. Jay (DJ)



    Re: Hijacked home page

    Post by bryanc on 22nd December 2009, 12:12 pm

    here ya go:

    Volume in drive C is OS
    Volume Serial Number is 2AFE-9375

    Directory of c:\WINDOWS\ERDNT\cache

    14/04/2008 11:10 PM 96,512 atapi.sys
    1 File(s) 96,512 bytes

    Directory of c:\WINDOWS\system32\dllcache

    14/04/2008 11:10 PM 96,512 atapi.sys
    1 File(s) 96,512 bytes

    Directory of c:\WINDOWS\system32\drivers

    14/04/2008 11:10 PM 96,512 atapi.sys
    1 File(s) 96,512 bytes

    Total Files Listed:
    3 File(s) 289,536 bytes
    0 Dir(s) 16,415,948,800 bytes free

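The dir command requested in the previous reply lists every copy of atapi.sys on the drive so the copies can be compared with each other. The script below is an added example, not the helper's or the thread's own code: it parses that listing and flags any copy whose size or timestamp differs from the Windows File Protection copy kept under system32\dllcache. The input is the listing posted above; the dllcache reference directory is an assumption you can change.

```python
"""Parse the listing from `dir c:\\atapi.sys /a /s` and compare the copies.

Added example (not the helper's or the thread's code). The idea behind the
check: Windows File Protection keeps a pristine copy of atapi.sys under
system32\\dllcache, so a live driver that differs from it in size or
timestamp deserves a closer look."""
import re
from dataclasses import dataclass
from typing import List

# Listing as pasted in the thread (Windows XP SP3, dir's default layout).
SAMPLE_OUTPUT = r"""
 Volume in drive C is OS
 Volume Serial Number is 2AFE-9375

 Directory of c:\WINDOWS\ERDNT\cache

14/04/2008  11:10 PM            96,512 atapi.sys
               1 File(s)         96,512 bytes

 Directory of c:\WINDOWS\system32\dllcache

14/04/2008  11:10 PM            96,512 atapi.sys
               1 File(s)         96,512 bytes

 Directory of c:\WINDOWS\system32\drivers

14/04/2008  11:10 PM            96,512 atapi.sys
               1 File(s)         96,512 bytes

     Total Files Listed:
               3 File(s)        289,536 bytes
               0 Dir(s)  16,415,948,800 bytes free
"""

DIR_HEADER = re.compile(r"^\s*Directory of (?P<dir>\S.*?)\s*$")
# "14/04/2008  11:10 PM            96,512 atapi.sys"; AM/PM is optional so a
# 24-hour locale parses too. Summary lines ("1 File(s) ...") do not match.
FILE_LINE = re.compile(
    r"^\s*(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}(?:\s*[AP]M)?)\s+"
    r"(?P<size>[\d,]+)\s+(?P<name>\S.*?)\s*$"
)


@dataclass
class DriverCopy:
    directory: str
    name: str
    size: int
    stamp: str  # date and time exactly as dir printed them


def parse_dir_output(text: str) -> List[DriverCopy]:
    """Walk the listing, remembering the current 'Directory of' header."""
    copies, current = [], None
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            current = m.group("dir")
            continue
        m = FILE_LINE.match(line)
        if m and current is not None:
            copies.append(DriverCopy(
                current, m.group("name"),
                int(m.group("size").replace(",", "")),
                f"{m.group('date')} {m.group('time')}"))
    return copies


def compare_copies(copies: List[DriverCopy],
                   reference_suffix: str = r"system32\dllcache") -> List[str]:
    """Return findings; an empty list means every copy matches the dllcache
    reference on size and timestamp. Equal size and stamp do not prove the
    driver is clean (an in-place patch can keep both), so hash the copies
    as well when this check passes but the symptoms persist."""
    refs = [c for c in copies
            if c.directory.lower().endswith(reference_suffix.lower())]
    if not refs:
        return [f"no reference copy found under {reference_suffix}"]
    ref = refs[0]
    findings = []
    for c in copies:
        if c is ref:
            continue
        if c.size != ref.size or c.stamp != ref.stamp:
            findings.append(
                f"{c.directory}\\{c.name}: {c.size} bytes, {c.stamp} "
                f"(dllcache copy: {ref.size} bytes, {ref.stamp})")
    return findings


if __name__ == "__main__":
    found = parse_dir_output(SAMPLE_OUTPUT)
    for c in found:
        print(f"{c.size:>8} {c.stamp}  {c.directory}\\{c.name}")
    print(compare_copies(found) or "all copies match the dllcache reference")
```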

    Re: Hijacked home page

    Post by bryanc on 22nd December 2009, 1:06 pm

    All done. I updated Malwarebytes and ran it.

    This is what I had:
    Malwarebytes' Anti-Malware 1.42
    Database version: 3407
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    22/12/2009 11:57:58 PM
    mbam-log-2009-12-22 (23-57-53).txt

    Scan type: Quick Scan
    Objects scanned: 146288
    Time elapsed: 6 minute(s), 48 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\oleacc.dll.tmp (Rootkit.Agent) -> No action taken.


And this is the log after fixing the issues with Malwarebytes:

    Malwarebytes' Anti-Malware 1.42
    Database version: 3407
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    22/12/2009 11:57:58 PM
    mbam-log-2009-12-22 (23-57-53).txt

    Scan type: Quick Scan
    Objects scanned: 146288
    Time elapsed: 6 minute(s), 48 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\oleacc.dll.tmp (Rootkit.Agent) -> No action taken.


    see ya

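Note that the "after fixing" log above is identical to the first one, and every entry in both still ends in "No action taken." Malwarebytes writes "Quarantined and deleted successfully." only once it has actually acted, so a log that still says "No action taken." is a scan report, not a removal report. The following is an added example, not code from the thread or from Malwarebytes: it parses the 1.42 log format and lists the detections that were left in place. The sample is a trimmed copy of the log lines posted above.

```python
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the Malwarebytes 1.42 quick-scan log posted in the thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.42
Database version: 3407
Scan type: Quick Scan

Registry Data Items Infected: 2
Files Infected: 1

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\oleacc.dll.tmp (Rootkit.Agent) -> No action taken.
"""


@dataclass
class Detection:
    section: str
    target: str
    family: str
    action: str

    @property
    def remediated(self) -> bool:
        # MBAM reports "Quarantined and deleted successfully." once it has acted on an item.
        return self.action.lower().startswith("quarantined")


# Section headers end in a colon; the summary lines ("Files Infected: 1") end in a count and are skipped.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# target, then "(Family)", then one or more " -> ..." segments; the last segment is the action taken.
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\)(?P<rest>(?: -> .+)+)$")


def parse_mbam_log(text: str) -> list:
    """Return one Detection per item listed under any '... Infected:' section."""
    found, section = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if not section or not line or line.startswith("("):
            continue
        m = ITEM_RE.match(line)
        if m:
            action = m.group("rest").split(" -> ")[-1].strip()
            found.append(Detection(section, m.group("target"), m.group("family"), action))
    return found


def unremediated(text: str) -> list:
    """Detections the log shows were left in place (e.g. 'No action taken.')."""
    return [d for d in parse_mbam_log(text) if not d.remediated]


def is_clean(text: str) -> bool:
    """True only when every listed detection was quarantined."""
    return not unremediated(text)


if __name__ == "__main__":
    for d in unremediated(SAMPLE_LOG):
        print(f"[{d.section}] {d.family}: {d.target} -> {d.action}")
```

Run against the poster's two logs, `is_clean` is False for both, which is why the later full scan (with "Remove selected") was still needed.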

    Re: Hijacked home page

    Post by Dr Jay on 22nd December 2009, 7:19 pm

Please download Rooter and save it to your desktop.

    1. Double click it to start the tool.
    2. Click Scan.
    3. Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.


    Dr. Jay (DJ)



    Re: Hijacked home page

    Post by bryanc on 22nd December 2009, 8:20 pm

    here ya go:

    Rooter log

    Rooter.exe (v1.0.2) by Eric_71
    .
    SeDebugPrivilege granted successfully ...
    .
    Windows XP . (5.1.2600) Service Pack 3
    [32_bits] - x86 Family 6 Model 23 Stepping 10, GenuineIntel
    .
    [wscsvc] (Security Center) RUNNING (state:4)
    [SharedAccess] RUNNING (state:4)
    Windows Firewall -> Enabled
    .
    Internet Explorer 8.0.6001.18702
    .
    C:\ [Fixed-NTFS] .. ( Total:232 Go - Free:15 Go )
    D:\ [CD_Rom]
    E:\ [Removable]
    F:\ [Removable]
    I:\ [Network] .. ( Total:0 Go - Free:0 Go )
    J:\ [Network] .. ( Total:0 Go - Free:0 Go )
    S:\ [Network] .. ( Total:0 Go - Free:0 Go )
    .
    Scan : 07:18.51
    Path : C:\Documents and Settings\bryanc\Desktop\Rooter.exe
    User : BryanC ( Administrator -> YES )
    .
    ----------------------\\ Processes
    .
    Locked [System Process] (0)
    ______ System (4)
    ______ \SystemRoot\System32\smss.exe (828)
    ______ \??\C:\WINDOWS\system32\csrss.exe (884)
    ______ \??\C:\WINDOWS\system32\winlogon.exe (912)
    ______ C:\WINDOWS\system32\services.exe (956)
    ______ C:\WINDOWS\system32\lsass.exe (968)
    ______ C:\WINDOWS\system32\svchost.exe (1148)
    ______ C:\WINDOWS\system32\svchost.exe (1216)
    ______ C:\WINDOWS\System32\svchost.exe (1256)
    ______ C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (1344)
    ______ C:\Program Files\Intel\WiFi\bin\S24EvMon.exe (1396)
    ______ C:\WINDOWS\system32\svchost.exe (1432)
    ______ C:\WINDOWS\system32\svchost.exe (1508)
    ______ C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (1776)
    ______ C:\WINDOWS\system32\spoolsv.exe (1908)
    ______ c:\drivers\audio\r213367\stacsv.exe (1996)
    ______ C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe (312)
    ______ C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe (332)
    ______ C:\WINDOWS\System32\SCardSvr.exe (356)
    ______ C:\WINDOWS\system32\svchost.exe (212)
    ______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (328)
    ______ C:\Program Files\Intel\ASF Agent\ASFAgent.exe (500)
    ______ C:\Program Files\Bonjour\mDNSResponder.exe (508)
    ______ C:\Program Files\Intel\WiFi\bin\EvtEng.exe (584)
    ______ C:\WINDOWS\system32\nvsvc32.exe (1336)
    ______ C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (1332)
    ______ C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (1784)
    ______ C:\WINDOWS\system32\svchost.exe (444)
    ______ C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (2060)
    ______ C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe (2264)
    ______ C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe (2460)
    ______ C:\WINDOWS\system32\wbem\wmiprvse.exe (2632)
    ______ C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe (2816)
    ______ C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe (2932)
    ______ C:\WINDOWS\system32\SearchIndexer.exe (2996)
    ______ C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (3316)
    ______ C:\WINDOWS\System32\alg.exe (3716)
    ______ C:\WINDOWS\Explorer.EXE (3872)
    ______ C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe (3988)
    ______ C:\Program Files\DellTPad\Apoint.exe (1696)
    ______ C:\Program Files\DellTPad\ApMsgFwd.exe (1724)
    ______ C:\Program Files\DellTPad\HidFind.exe (2144)
    ______ C:\Program Files\IDT\WDM\sttray.exe (2376)
    ______ C:\Program Files\DellTPad\Apntex.exe (2260)
    ______ C:\WINDOWS\system32\AESTFltr.exe (3328)
    ______ C:\WINDOWS\system32\rundll32.exe (1016)
    ______ C:\WINDOWS\system32\RUNDLL32.EXE (1356)
    ______ C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe (1304)
    ______ C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe (548)
    ______ C:\Program Files\Wave Systems Corp\SecureUpgrade.exe (1188)
    ______ C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (1640)
    ______ C:\Program Files\Common Files\Symantec Shared\ccApp.exe (1680)
    ______ C:\Program Files\Ext2Fsd\Ext2Mgr.exe (2396)
    ______ C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe (3264)
    ______ C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe (3612)
    ______ C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (2452)
    ______ C:\Program Files\iTunes\iTunesHelper.exe (3148)
    ______ C:\Program Files\Microsoft ActiveSync\wcescomm.exe (1648)
    ______ C:\Program Files\SRS Labs\SRS Premium Sound\SRSPremiumSoundBig_Small.exe (2308)
    ______ C:\Program Files\uTorrent\uTorrent.exe (3960)
    ______ C:\PROGRA~1\MI3AA1~1\rapimgr.exe (1888)
    ______ C:\Program Files\Skype\Phone\Skype.exe (2684)
    ______ C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (820)
    ______ C:\WINDOWS\system32\ctfmon.exe (4504)
    ______ C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (4900)
    ______ C:\Program Files\iPod\bin\iPodService.exe (5396)
    ______ C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe (1564)
    ______ C:\Program Files\Digital Line Detect\DLG.exe (4160)
    ______ C:\Program Files\Telstra\Telstra Turbo Modem Manager\Service\MdmMgr.exe (4204)
    ______ C:\Program Files\Windows Desktop Search\WindowsSearch.exe (4260)
    ______ C:\Program Files\Skype\Plugin Manager\skypePM.exe (5136)
    ______ C:\WINDOWS\System32\svchost.exe (5360)
    ______ C:\WINDOWS\system32\wuauclt.exe (4324)
    ______ C:\Program Files\Internet Explorer\iexplore.exe (2068)
    ______ C:\Program Files\Internet Explorer\iexplore.exe (5764)
    ______ C:\Program Files\Windows Live\Toolbar\wltuser.exe (2192)
    ______ C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe (1252)
    ______ C:\WINDOWS\system32\SearchProtocolHost.exe (4176)
    ______ C:\WINDOWS\system32\SearchFilterHost.exe (5228)
    ______ C:\Program Files\Internet Explorer\iexplore.exe (5868)
    ______ C:\WINDOWS\system32\SearchProtocolHost.exe (2648)
    ______ C:\Documents and Settings\bryanc\Desktop\Rooter.exe (5408)
    .
    ----------------------\\ Device\Harddisk0\
    .
    \Device\Harddisk0 [Sectors : 63 x 512 Bytes]
    .
    \Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:222050304)
    \Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:222082560 | Length:249834654720)
    .
    ----------------------\\ Scheduled Tasks
    .
    C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    C:\WINDOWS\Tasks\desktop.ini
    C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
    C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
    C:\WINDOWS\Tasks\SA.DAT
    C:\WINDOWS\Tasks\User_Feed_Synchronization-{FD13B3EA-061B-4977-B7E0-44EEA53537C9}.job
    .
    ----------------------\\ Registry
    .
    .
    ----------------------\\ Files & Folders
    .
    ----------------------\\ Scan completed at 07:19.32
    .
    C:\Rooter$\Rooter_1.txt - (23/12/2009 | 07:19.32)


    Re: Hijacked home page

    Post by Dr Jay on 23rd December 2009, 3:42 am

Please download GMER. Unzip it to your Desktop.

    Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

    Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

    If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

    • Click NO
    • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
    • Now click the Scan button.
      Once the scan is complete, you may receive another notice about rootkit activity.
    • Click OK.
    • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
    • Save it where you can easily find it, such as your desktop.

    Post the contents of GMER.txt in your next reply.


    Dr. Jay (DJ)



    Re: Hijacked home page

    Post by bryanc on 23rd December 2009, 4:47 am

Got a blue screen error message halfway through the scan.

The culprit seemed to be kgrorpog.sys.

I'll try again.


    Re: Hijacked home page

    Post by Dr Jay on 23rd December 2009, 5:39 am

    Copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.

Code:
@echo off
REM Make a copy of gmer.exe under a different name (overwriting any earlier copy) ...
Copy /y gmer.exe ark.exe
REM ... and launch the renamed copy instead of gmer.exe itself.
Start ark.exe

    Save it into the gmer folder as File name: ark.cmd
    Save as type: All Files

    Once done, double click ark.cmd to run it.

    This should start GMER, follow the steps I have outlined earlier to save a log file, then post me the contents in your next reply.


    Dr. Jay (DJ)



    Re: Hijacked home page

    Post by bryanc on 23rd December 2009, 8:39 am

GMER log. I just ran it again and it worked.

GMER 1.0.15.15281
    Rootkit scan 2009-12-23 19:21:08
    Windows 5.1.2600 Service Pack 3
    Running: gmer.exe; Driver: C:\DOCUME~1\bryanc\LOCALS~1\Temp\kgrorpog.sys


    ---- System - GMER 1.0.15 ----

    SSDT 8B128A70 ZwAlertResumeThread
    SSDT 8A451438 ZwAlertThread
    SSDT 8A483CD8 ZwAllocateVirtualMemory
    SSDT 8A35E108 ZwConnectPort
    SSDT 8A547BB8 ZwCreateMutant
    SSDT 8A4B9FB0 ZwCreateThread
    SSDT 8A46BDF0 ZwFreeVirtualMemory
    SSDT 8A63F918 ZwImpersonateAnonymousToken
    SSDT 8AAC19E0 ZwImpersonateThread
    SSDT 8A4CF340 ZwMapViewOfSection
    SSDT 8B0112C8 ZwOpenEvent
    SSDT 8A479EA8 ZwOpenProcessToken
    SSDT 8A63D888 ZwOpenThreadToken
    SSDT 8A374108 ZwResumeThread
    SSDT 8A453C08 ZwSetContextThread
    SSDT 8B00B348 ZwSetInformationProcess
    SSDT 8A64E258 ZwSetInformationThread
    SSDT 8A446C28 ZwSuspendProcess
    SSDT 8A450A20 ZwSuspendThread
    SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAD18A0B0]
    SSDT 8A44A838 ZwTerminateThread
    SSDT 8A6224B8 ZwUnmapViewOfSection
    SSDT 8A46AAE0 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB903A380, 0x381B8D, 0xE8000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\SearchIndexer.exe[2780] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device Ext2Fsd.SYS (Ext2 File System Driver for Windows/www.ext2fsd.com)
    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)

    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

    AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----

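Dr Jay's caution about false positives applies directly to the log above: of the 23 SSDT entries, 22 are shown only as bare kernel addresses, and the one GMER could resolve points at SUPERAntiSpyware's SASKUTIL.sys. Unresolved hooks are not evidence of a rootkit by themselves; on XP, security products and some vendor drivers hook the SSDT too, so each one has to be matched to an installed product before anything is "fixed". The following is an added example, not code from the thread or from GMER: it parses the GMER 1.0.15 text format into SSDT hooks (resolved vs. unresolved), writeable kernel code sections and user-mode inline hooks, so the reviewer can see at a glance what still needs attribution. The sample is a trimmed copy of the log lines posted above.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the GMER 1.0.15 log posted in the thread, trimmed for brevity.
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

SSDT 8B128A70 ZwAlertResumeThread
SSDT 8A483CD8 ZwAllocateVirtualMemory
SSDT 8A4B9FB0 ZwCreateThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAD18A0B0]
SSDT 8A46AAE0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB903A380, 0x381B8D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[2780] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER")
# SSDT hook whose target is only a kernel address: GMER could not tie it to a driver file.
SSDT_ADDR_RE = re.compile(r"^SSDT (?P<addr>[0-9A-F]{8}) (?P<func>\w+)$")
# SSDT hook GMER resolved to a driver: path (may contain spaces), (description), function, [address].
SSDT_MOD_RE = re.compile(r"^SSDT (?P<path>.+?) \((?P<desc>[^)]*)\) (?P<func>\w+) \[0x(?P<addr>[0-9A-F]+)\]$")
WRITEABLE_RE = re.compile(r"^\.text (?P<path>.+?) section is writeable")
USER_HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<api>\S+) \S+ \d+ Bytes JMP \S+ (?P<path>\S+) \((?P<desc>[^)]*)\)$")


def parse_gmer(text: str) -> dict:
    """Split a GMER log into SSDT hooks, writeable kernel sections and user-mode inline hooks."""
    out = {"ssdt": [], "writeable": [], "user_hooks": []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section == "System":
            if m := SSDT_MOD_RE.match(line):
                out["ssdt"].append({"func": m["func"], "module": m["path"], "desc": m["desc"]})
            elif m := SSDT_ADDR_RE.match(line):
                out["ssdt"].append({"func": m["func"], "module": None, "desc": None})
        elif section == "Kernel code sections":
            if m := WRITEABLE_RE.match(line):
                out["writeable"].append(m["path"])
        elif section == "User code sections":
            if m := USER_HOOK_RE.match(line):
                out["user_hooks"].append({"process": m["proc"], "api": m["api"], "module": m["path"]})
    return out


def unattributed_ssdt_hooks(parsed: dict) -> list:
    """SSDT entries with no resolved driver: these need a vendor match before any action is taken."""
    return sorted(h["func"] for h in parsed["ssdt"] if h["module"] is None)


def hooks_by_module(parsed: dict) -> dict:
    """Group hooked system calls by the driver GMER attributed them to."""
    by = defaultdict(list)
    for h in parsed["ssdt"]:
        by[h["module"] or "<unresolved address>"].append(h["func"])
    return dict(by)


if __name__ == "__main__":
    p = parse_gmer(SAMPLE_GMER)
    for module, funcs in hooks_by_module(p).items():
        print(f"{module}: {', '.join(funcs)}")
    print("writeable kernel sections:", p["writeable"])
    print("user-mode inline hooks:", [(h["process"], h["api"], h["module"]) for h in p["user_hooks"]])
```

Run on the full log, the unresolved list is what you would compare against the process and driver inventory from the Rooter log (Symantec Endpoint Protection, SUPERAntiSpyware, the Intel and Broadcom drivers) before deciding that anything is foreign.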

    Re: Hijacked home page

    Post by Dr Jay on 23rd December 2009, 9:30 am

    Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Full Scan, and press Scan. Remove selected, and post the log in your next reply.


    Dr. Jay (DJ)



    Re: Hijacked home page

    Post by bryanc on 23rd December 2009, 12:33 pm

    mbytes log

    Malwarebytes' Anti-Malware 1.42
    Database version: 3414
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    23/12/2009 11:25:47 PM
    mbam-log-2009-12-23 (23-25-47).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 289351
    Time elapsed: 2 hour(s), 24 minute(s), 30 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 13

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP140\A0048107.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP145\A0055151.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP146\A0055360.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP146\A0055445.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP147\A0055756.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP147\A0055757.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP147\A0055759.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP120\A0041601.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP122\A0042886.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP124\A0044198.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP125\A0045090.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP126\A0045928.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP126\A0046020.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


    Re: Hijacked home page

    Post by Dr Jay on 23rd December 2009, 12:44 pm

    Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.


    Dr. Jay (DJ)



    Re: Hijacked home page

    Post by bryanc on 23rd December 2009, 7:44 pm

    Looks good?

    Malwarebytes' Anti-Malware 1.42
    Database version: 3418
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    24/12/2009 6:42:23 AM
    mbam-log-2009-12-24 (06-42-23).txt

    Scan type: Quick Scan
    Objects scanned: 146226
    Time elapsed: 4 minute(s), 33 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Re: Hijacked home page

    Post by Dr Jay on 23rd December 2009, 8:47 pm

    Yes.

    Right On!


    Dr. Jay (DJ)



    Re: Hijacked home page

    Post by bryanc on 23rd December 2009, 8:55 pm

    Thanks mate I appreciate all your time. I'll be heading off to the "donate" page shortly :-)

I have Symantec Endpoint Protection as part of my work stuff. I now have SUPERAntiSpyware and SpywareBlaster running, just the free versions. Is there a benefit in getting the paid version of either of these? Real-time protection?

Also, how about that vbs.runauto thingy on my thumb drives? Is it bad?

    see ya and Merry Christmas


    Re: Hijacked home page

    Post by Dr Jay on 23rd December 2009, 8:58 pm

    You can remove those. That is Symantec's reaction to autorun.


    Dr. Jay (DJ)



    Re: Hijacked home page

    Post by bryanc on 23rd December 2009, 10:25 pm

Do you know what the tsp1.dll error on start-up is related to? It says reinstalling the program may help. Which program? I repaired ActiveSync; that didn't help.

    see ya


    Re: Hijacked home page

    Post by Dr Jay on 24th December 2009, 12:20 am

    See if you can find the following file:

    c:\windows\system32\Tsp1.dll

    Then let me know if you see it.


    Dr. Jay (DJ)



    Re: Hijacked home page

    Post by bryanc on 24th December 2009, 2:29 am

    Nope, it's not there.
