Stone Emissary
waldo
Posts: 10
Registered: ‎05-25-2012

Possible IE 8 browser hi-jack

Good afternoon,

Recently started having problems with IE 8 and desktop links. The link issue was fixed with a registry edit; however, when I launch IE, it starts and closes immediately. Attempted Microsoft Fix it #50195 to reset IE, but same issue.

Attached is HT log for review.

Thank you in advance!

Legendary Noble
malwarekiller
Posts: 3,979
Registered: ‎08-08-2011

Re: Possible IE 8 browser hi-jack

Welcome aboard!

Download OTL to your Desktop.

http://www.geekstogo.com/forum/files/file/398-otl-oldtimers-list-it/

  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
netbt.sys
atapi.sys
volsnap.sys
redbook.sys
lsi_sas.sys
lsi_scsi.sys
cdrom*
tcpip.sys
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
C:\Windows\assembly\tmp\U\*.* /s
C:\Program Files\Common Files\ComObjects\*.* /s
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Attach both logs.

NEXT

Download aswMBR.exe (1.8 MB) to your desktop.

http://public.avast.com/~gmerek/aswMBR.htm

  • Double click aswMBR.exe to run it.
  • Click the [Scan] button to start the scan.
  • On completion of the scan click [Save log], save it to your desktop and post it in your next reply.

—————
Was this post helpful? Say “thanks” by giving me a “Kudo”!
Was your question answered or issue solved? Mark that post as an “Accepted Solution”!
Stone Emissary
waldo
Posts: 10
Registered: ‎05-25-2012

Re: Possible IE 8 browser hi-jack

Thank you, Malwarekiller, for your help! As requested, all log files are attached.

Legendary Noble
malwarekiller
Posts: 3,979
Registered: ‎08-08-2011

Re: Possible IE 8 browser hi-jack

Looks like we have some sort of residual ZeroAccess infection to deal with...

Download ComboFix from any of the locations given on this website:

    • IMPORTANT !!! You need to Save ComboFix.exe to your Desktop
      • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you are still unsure on how to do this, see here
      • Double click on ComboFix.exe & follow the prompts.
      • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
      • If you already have the Recovery Console preinstalled, it will not ask for the following. If it does prompt, allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

      Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

      Click Yes, to continue scanning for malware. Please be patient and don't use the PC whilst it is scanning.

      When finished, it shall produce a log for you. Please copy & paste the contents of this log (also found at C:\ComboFix.txt) in your next reply at your topic.
Stone Emissary
waldo
Posts: 10
Registered: ‎05-25-2012

Re: Possible IE 8 browser hi-jack

Malwarekiller,

Below are the contents of the combofix.txt log as requested. Also attached is a screenshot of an error message I now get when I launch Peachtree. In your opinion, is this error message related to this malware infection, or am I looking at possible hardware failure?

Thank you!

ComboFix 12-05-27.01 - Wareham 1 05/27/2012  10:02:39.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3543.2896 [GMT -4:00]
Running from: c:\documents and settings\Wareham 1\Desktop\ComboFix.exe
AV: Norton Business Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Business Suite *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\data
c:\documents and settings\Wareham 1\Application Data\416b5364
c:\documents and settings\Wareham 1\Application Data\a1b6ac9b
c:\documents and settings\Wareham 1\Application Data\b613249e
c:\documents and settings\Wareham 1\GoToAssistDownloadHelper.exe
c:\documents and settings\Wareham 1\WINDOWS
c:\windows\EventSystem.log
c:\windows\system32\HPBHealr.1
c:\windows\system32\hppadt40.1
c:\windows\system32\hppamon0.1
c:\windows\system32\HPZidr12.1
c:\windows\system32\OLD13.tmp
c:\windows\system32\OLDF.tmp
c:\windows\system32\sens32.dll
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Service_6to4
.
.
(((((((((((((((((((((((((   Files Created from 2012-04-27 to 2012-05-27  )))))))))))))))))))))))))))))))
.
.
2012-05-26 17:09 . 2012-05-26 17:09    --------    d-----w-    c:\documents and settings\Wareham 1\Local Settings\Application Data\Mozilla
2012-05-25 19:12 . 2012-05-25 19:12    388096    ------r-    c:\documents and settings\Wareham 1\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-05-25 19:12 . 2012-05-25 19:12    --------    d-----w-    c:\program files\Trend Micro
2012-05-25 19:00 . 2012-05-25 19:01    --------    dc-h--w-    c:\windows\ie8
2012-05-25 15:45 . 2012-05-25 15:46    3993600    ------w-    c:\program files\GUT8.tmp
2012-05-25 15:45 . 2012-05-25 15:45    --------    d-----w-    c:\program files\GUM7.tmp
2012-05-25 15:43 . 2012-05-25 15:43    --------    d-s---w-    c:\documents and settings\Wareham 1\UserData
2012-05-25 14:29 . 2012-05-25 14:29    --------    d-----w-    c:\documents and settings\Wareham 1\Local Settings\Application Data\visi_coupon
2012-05-25 13:50 . 2012-05-25 13:50    --------    d-----w-    c:\documents and settings\All Users\Application Data\Yahoo!
2012-05-25 13:50 . 2012-05-25 17:58    --------    d-----w-    c:\documents and settings\All Users\Application Data\Yahoo! Companion
2012-05-25 13:50 . 2012-05-25 13:50    --------    d-----w-    c:\documents and settings\Wareham 1\Application Data\Yahoo!
2012-05-25 13:50 . 2012-05-25 13:50    --------    d-----w-    c:\program files\Yahoo!
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-12 21:03 . 2012-04-12 20:57    60872    ----a-w-    c:\windows\system32\S32EVNT1.DLL
2012-04-12 21:03 . 2012-04-12 20:57    126584    ----a-w-    c:\windows\system32\drivers\SYMEVENT.SYS
2012-04-04 19:56 . 2011-12-16 17:05    22344    ------w-    c:\windows\system32\drivers\mbam.sys
2012-04-21 01:19 . 2012-05-26 17:09    97208    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2012-01-14 . 1CB54BE018258D47FD3FB3278B387793 . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-24 796696]
"RTHDCPL"="RTHDCPL.EXE" [2009-07-03 18665472]
"NortonOnlineBackupReminder"="c:\program files\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-06-29 600936]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-21 525824]
"File Sanitizer"="c:\program files\Hewlett-Packard\File Sanitizer\CoreShredder.exe" [2009-08-11 11258368]
"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe" [2009-06-03 153640]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-06-03 400936]
"PeachtreePrefetcher.exe"="c:\progra~1\Sage\PEACHT~1\PeachtreePrefetcher.exe" [2011-10-25 28488]
"Panasonic Device Monitor Wakeup"="c:\program files\Panasonic\Panasonic-DMS\Device Monitor\DMWakeup.exe" [2004-12-27 303104]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-26 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-26 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-26 142872]
"RPT Msgsrv"="c:\program files\Panasonic\Panasonic-DMS\RPT Network Printer Port\Msgsrv.exe" [2007-04-11 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Passport Web Edition Client"="c:\program files\NCR\Passport Web Edition\pwecsrvc.exe" [2010-09-21 20579]
"VMM Mode Selection"="c:\program files\HTC\ModeSelection\VMMModeSelection.exe" [2011-02-14 43520]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dyn Updater Tray Icon.lnk - c:\program files\Dyn Updater\DynTray.exe [2011-11-15 78192]
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
Job Status Utility.lnk - c:\program files\Panasonic\Panasonic-DMS\LRecvTrap\LRecvTrap.exe [2006-4-4 147456]
Panasonic Communications Utility.lnk - c:\program files\Panasonic\Panasonic-DMS\Port Controller\Mfpscdl.exe [2006-5-9 176128]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2009-06-03 23:14    113152    ------w-    c:\program files\ActivIdentity\ActivClient\ackpbsc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2009-06-03 23:13    299520    ------w-    c:\program files\ActivIdentity\ActivClient\acunlock.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2009-09-08 22:34    75320    ------w-    c:\windows\system32\DeviceNP.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\Port Controller\\Mfpscdl.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\Network MFP Utilities\\CnfgEditor\\SYSTEM\\mfrspool.exe"=
"c:\\Program Files\\Panasonic\\TrapMonitor\\Trapmnnt.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\LRecvTrap\\LRecvTrap.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\LFax\\NaeCMN.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\Device Monitor\\DMList.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1583:TCP"= 1583:TCP:Pervasive DBEngine
"3351:TCP"= 3351:TCP:Pervasive DBEngine
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4
.
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [10/5/2009 7:25 PM 110520]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [10/5/2009 7:26 PM 51800]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [10/5/2009 7:26 PM 13256]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0502010.003\symds.sys [4/23/2012 10:29 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0502010.003\symefa.sys [4/23/2012 10:29 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20120517.001\BHDrvx86.sys [5/23/2012 7:20 PM 821880]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [10/5/2009 7:26 PM 40088]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0502010.003\ironx86.sys [4/23/2012 10:29 PM 136312]
R2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [6/3/2009 7:16 PM 207400]
R2 Dyn Updater;Dyn Updater;c:\program files\Dyn Updater\DynUpSvc.exe [11/15/2011 1:20 PM 95608]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [10/5/2009 7:25 PM 277096]
R2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\Hewlett-Packard\File Sanitizer\HPFSService.exe [8/11/2009 4:45 PM 293376]
R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [11/8/2011 5:55 PM 99896]
R2 N360;Norton Business Suite;c:\program files\Norton Business Suite\Engine\5.2.1.3\ccsvchst.exe [4/23/2012 10:29 PM 130008]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [6/6/2008 1:03 PM 435496]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 11:09 PM 11032]
R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [5/6/2010 4:47 PM 2066968]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [5/6/2010 4:35 PM 160424]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/26/2012 3:45 AM 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20120525.001\IDSXpx86.sys [5/25/2012 10:44 PM 356792]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/18/2007 1:46 PM 44800]
R3 TSUSB2;Driver for TellerScan Device;c:\windows\system32\drivers\TsUSB2.sys [1/20/2012 11:36 AM 54016]
S3 Crystal Query Server;Crystal Query Server;c:\program files\Seagate Software\Query Server\querysrv.exe [11/8/1998 12:00 PM 375296]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [9/8/2009 12:14 PM 32312]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [9/8/2009 6:34 PM 362040]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-22 c:\windows\Tasks\Wareham Backup [1].job
- c:\windows\system32\ntbackup.exe [2008-04-14 09:00]
.
2012-05-23 c:\windows\Tasks\Wareham Backup [2].job
- c:\windows\system32\ntbackup.exe [2008-04-14 09:00]
.
2012-05-24 c:\windows\Tasks\Wareham Backup [3].job
- c:\windows\system32\ntbackup.exe [2008-04-14 09:00]
.
2012-05-25 c:\windows\Tasks\Wareham Backup [4].job
- c:\windows\system32\ntbackup.exe [2008-04-14 09:00]
.
2012-05-26 c:\windows\Tasks\Wareham Backup [5].job
- c:\windows\system32\ntbackup.exe [2008-04-14 09:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: meaningfulfunerals.net\www
TCP: Interfaces\{2AEDF79D-DA78-4226-B1E9-EBD19ECDE3EC}: NameServer = 192.168.1.1
DPF: {8D59819B-2067-4A6B-84F4-7F84570E3C30} - hxxp://192.168.1.75/img/LinksysMLViewer.cab
DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} - hxxps://techinline.net/Client/TIClient.cab
FF - ProfilePath - c:\documents and settings\Wareham 1\Application Data\Mozilla\Firefox\Profiles\iygqoe9t.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-27 10:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]
"ImagePath"="\"c:\program files\Norton Business Suite\Engine\5.2.1.3\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Business Suite\Engine\5.2.1.3\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(816)
c:\program files\ActivIdentity\ActivClient\ackpbsc.dll
c:\program files\ActivIdentity\ActivClient\aclog.dll
c:\program files\ActivIdentity\ActivClient\accrypto.dll
c:\program files\ActivIdentity\ActivClient\ACLIBEAY.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\program files\ActivIdentity\ActivClient\aipingui.dll
c:\program files\ActivIdentity\ActivClient\acevtsub.dll
c:\program files\ActivIdentity\ActivClient\asphat32.dll
c:\program files\ActivIdentity\ActivClient\acerrmes.dll
c:\program files\ActivIdentity\ActivClient\aiwinext.dll
c:\program files\ActivIdentity\ActivClient\aspcom.dll
c:\program files\ActivIdentity\ActivClient\aicext.dll
c:\program files\ActivIdentity\ActivClient\Resources\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\asphatrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIlrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\acunlockrc.dll
c:\windows\system32\DeviceNP.dll
c:\windows\system32\SSREGLIB.dll
c:\windows\system32\HPPTLog.dll
.
- - - - - - - > 'explorer.exe'(2388)
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Panasonic\TrapMonitor\Trapmnnt.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2012-05-27  10:35:28 - machine was rebooted
ComboFix-quarantined-files.txt  2012-05-27 14:35
.
Pre-Run: 285,990,797,312 bytes free
Post-Run: 285,939,802,112 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /bootlog
.
- - End Of File - - 89B84198AAFFF149666BBF8BD77BE486

Legendary Noble
malwarekiller
Posts: 3,979
Registered: ‎08-08-2011

Re: Possible IE 8 browser hi-jack

OK... you have a partial installation of ZeroAccess malware... No, the error message is just a normal crash of the software.

1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open Notepad and copy/paste the text in the code box below into Notepad:

FCopy::
C:\symbols\tcpip.sys\48025CEC58380\tcpip.sys|C:\windows\system32\drivers\tcpip.sys

Netsvc::
6to4

Save this as CFScript.txt, in the same location as ComboFix.exe.

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

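The diagnosis above rests on the Sigcheck line in the first log, where tcpip.sys is marked "[-]" (unsigned), 359040 bytes, version 5.1.2600.2180, while the dllcache copy listed in the following log's SnapShot section is 361344 bytes. As an added example, not code from this thread or from ComboFix's authors, the Python script below parses those two ComboFix sections and reports unsigned system files whose size disagrees with their dllcache twin; the log excerpt is constructed from the lines quoted in the thread.

```python
"""Flag unsigned system files in a ComboFix log whose size differs from the
dllcache copy (added example; the log excerpt is constructed from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed log excerpt: the "[-]" Sigcheck line and the "+" SnapShot line
# are the ones quoted in this thread; the header lines around them mirror
# ComboFix's layout so the parser sees realistic context.
SAMPLE_LOG = r"""
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2012-01-14 . 1CB54BE018258D47FD3FB3278B387793 . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((((((   SnapShot@2012-05-27_14.32.40   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 09:00 . 2008-04-13 16:20    361344              c:\windows\system32\dllcache\tcpip.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
"""

# "[flag] date . md5 . size . . [version] . . path" as written by ComboFix;
# a flag of "-" is the marker the log's own note ties to unsigned files.
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)

# "+ created . modified size path" lines from the SnapShot section.
SNAPSHOT_RE = re.compile(
    r"^\+\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\.\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>\d+)\s+(?P<path>.+?)\s*$"
)


@dataclass
class SigcheckEntry:
    flag: str
    md5: str
    size: int
    version: str
    path: str


@dataclass
class Finding:
    path: str
    md5: str
    version: str
    size: int
    reference_path: Optional[str]
    reference_size: Optional[int]

    @property
    def size_mismatch(self) -> bool:
        """True when a dllcache copy exists and its size differs from the live file."""
        return self.reference_size is not None and self.reference_size != self.size


def basename(win_path: str) -> str:
    """Lower-cased final component of a Windows path."""
    return win_path.rsplit("\\", 1)[-1].lower()


def parse_sigcheck(log: str) -> List[SigcheckEntry]:
    entries = []
    for line in log.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entries.append(SigcheckEntry(m["flag"], m["md5"].upper(), int(m["size"]),
                                         m["version"], m["path"]))
    return entries


def parse_dllcache_sizes(log: str) -> Dict[str, Tuple[str, int]]:
    """Map basename -> (path, size) for dllcache files listed as '+' in SnapShot.
    Windows File Protection keeps its pristine copies in dllcache, so they make
    a usable size reference for the live system32 file."""
    refs: Dict[str, Tuple[str, int]] = {}
    for line in log.splitlines():
        m = SNAPSHOT_RE.match(line.strip())
        if m and "\\dllcache\\" in m["path"].lower():
            refs[basename(m["path"])] = (m["path"], int(m["size"]))
    return refs


def audit(log: str) -> List[Finding]:
    """One Finding per unsigned Sigcheck entry, joined to its dllcache twin if any."""
    refs = parse_dllcache_sizes(log)
    findings = []
    for e in parse_sigcheck(log):
        if e.flag != "-":
            continue  # only entries ComboFix could not verify are of interest
        ref = refs.get(basename(e.path))
        findings.append(Finding(e.path, e.md5, e.version, e.size,
                                ref[0] if ref else None, ref[1] if ref else None))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        status = "SIZE MISMATCH" if f.size_mismatch else "no reference / same size"
        print(f"{f.path}: unsigned, md5={f.md5}, size={f.size}, "
              f"version={f.version}, dllcache={f.reference_size} -> {status}")
```

A mismatch like the one this log shows is a reason to verify the file against a known-good copy, as the helper does with the FCopy directive; ComboFix's own note still applies, since an unsigned file is not proof of infection on its own.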
Stone Emissary
waldo
Posts: 10
Registered: ‎05-25-2012

Re: Possible IE 8 browser hi-jack

Latest Combofix.txt log results as requested.

Thank you!

ComboFix 12-05-27.01 - Wareham 1 05/28/2012  14:34:43.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3543.2754 [GMT -4:00]
Running from: c:\documents and settings\Wareham 1\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Wareham 1\Desktop\CFscript.txt
AV: Norton Business Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Business Suite *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\symbols\tcpip.sys\48025CEC58380\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((   Files Created from 2012-04-28 to 2012-05-28  )))))))))))))))))))))))))))))))
.
.
2012-05-26 17:09 . 2012-05-26 17:09    --------    d-----w-    c:\documents and settings\Wareham 1\Local Settings\Application Data\Mozilla
2012-05-25 19:12 . 2012-05-25 19:12    388096    ------r-    c:\documents and settings\Wareham 1\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-05-25 19:12 . 2012-05-25 19:12    --------    d-----w-    c:\program files\Trend Micro
2012-05-25 19:00 . 2012-05-25 19:01    --------    dc-h--w-    c:\windows\ie8
2012-05-25 15:45 . 2012-05-25 15:46    3993600    ------w-    c:\program files\GUT8.tmp
2012-05-25 15:45 . 2012-05-25 15:45    --------    d-----w-    c:\program files\GUM7.tmp
2012-05-25 15:43 . 2012-05-25 15:43    --------    d-s---w-    c:\documents and settings\Wareham 1\UserData
2012-05-25 14:29 . 2012-05-25 14:29    --------    d-----w-    c:\documents and settings\Wareham 1\Local Settings\Application Data\visi_coupon
2012-05-25 13:50 . 2012-05-25 13:50    --------    d-----w-    c:\documents and settings\All Users\Application Data\Yahoo!
2012-05-25 13:50 . 2012-05-25 17:58    --------    d-----w-    c:\documents and settings\All Users\Application Data\Yahoo! Companion
2012-05-25 13:50 . 2012-05-25 13:50    --------    d-----w-    c:\documents and settings\Wareham 1\Application Data\Yahoo!
2012-05-25 13:50 . 2012-05-25 13:50    --------    d-----w-    c:\program files\Yahoo!
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-12 21:03 . 2012-04-12 20:57    60872    ----a-w-    c:\windows\system32\S32EVNT1.DLL
2012-04-12 21:03 . 2012-04-12 20:57    126584    ----a-w-    c:\windows\system32\drivers\SYMEVENT.SYS
2012-04-04 19:56 . 2011-12-16 17:05    22344    ------w-    c:\windows\system32\drivers\mbam.sys
2012-04-21 01:19 . 2012-05-26 17:09    97208    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((   SnapShot@2012-05-27_14.32.40   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 09:00 . 2008-04-13 16:20    361344              c:\windows\system32\dllcache\tcpip.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-24 796696]
"RTHDCPL"="RTHDCPL.EXE" [2009-07-03 18665472]
"NortonOnlineBackupReminder"="c:\program files\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-06-29 600936]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-21 525824]
"File Sanitizer"="c:\program files\Hewlett-Packard\File Sanitizer\CoreShredder.exe" [2009-08-11 11258368]
"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe" [2009-06-03 153640]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-06-03 400936]
"PeachtreePrefetcher.exe"="c:\progra~1\Sage\PEACHT~1\PeachtreePrefetcher.exe" [2011-10-25 28488]
"Panasonic Device Monitor Wakeup"="c:\program files\Panasonic\Panasonic-DMS\Device Monitor\DMWakeup.exe" [2004-12-27 303104]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-26 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-26 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-26 142872]
"RPT Msgsrv"="c:\program files\Panasonic\Panasonic-DMS\RPT Network Printer Port\Msgsrv.exe" [2007-04-11 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Passport Web Edition Client"="c:\program files\NCR\Passport Web Edition\pwecsrvc.exe" [2010-09-21 20579]
"VMM Mode Selection"="c:\program files\HTC\ModeSelection\VMMModeSelection.exe" [2011-02-14 43520]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dyn Updater Tray Icon.lnk - c:\program files\Dyn Updater\DynTray.exe [2011-11-15 78192]
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
Job Status Utility.lnk - c:\program files\Panasonic\Panasonic-DMS\LRecvTrap\LRecvTrap.exe [2006-4-4 147456]
Panasonic Communications Utility.lnk - c:\program files\Panasonic\Panasonic-DMS\Port Controller\Mfpscdl.exe [2006-5-9 176128]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2009-06-03 23:14    113152    ------w-    c:\program files\ActivIdentity\ActivClient\ackpbsc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2009-06-03 23:13    299520    ------w-    c:\program files\ActivIdentity\ActivClient\acunlock.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2009-09-08 22:34    75320    ------w-    c:\windows\system32\DeviceNP.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\Port Controller\\Mfpscdl.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\Network MFP Utilities\\CnfgEditor\\SYSTEM\\mfrspool.exe"=
"c:\\Program Files\\Panasonic\\TrapMonitor\\Trapmnnt.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\LRecvTrap\\LRecvTrap.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\LFax\\NaeCMN.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\Device Monitor\\DMList.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1583:TCP"= 1583:TCP:Pervasive DBEngine
"3351:TCP"= 3351:TCP:Pervasive DBEngine
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4
.
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [10/5/2009 7:25 PM 110520]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [10/5/2009 7:26 PM 51800]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [10/5/2009 7:26 PM 13256]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0502010.003\symds.sys [4/23/2012 10:29 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0502010.003\symefa.sys [4/23/2012 10:29 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20120517.001\BHDrvx86.sys [5/23/2012 7:20 PM 821880]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [10/5/2009 7:26 PM 40088]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0502010.003\ironx86.sys [4/23/2012 10:29 PM 136312]
R2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [6/3/2009 7:16 PM 207400]
R2 Dyn Updater;Dyn Updater;c:\program files\Dyn Updater\DynUpSvc.exe [11/15/2011 1:20 PM 95608]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [10/5/2009 7:25 PM 277096]
R2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\Hewlett-Packard\File Sanitizer\HPFSService.exe [8/11/2009 4:45 PM 293376]
R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [11/8/2011 5:55 PM 99896]
R2 N360;Norton Business Suite;c:\program files\Norton Business Suite\Engine\5.2.1.3\ccsvchst.exe [4/23/2012 10:29 PM 130008]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [6/6/2008 1:03 PM 435496]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 11:09 PM 11032]
R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [5/6/2010 4:47 PM 2066968]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [5/6/2010 4:35 PM 160424]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/26/2012 3:45 AM 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20120525.001\IDSXpx86.sys [5/25/2012 10:44 PM 356792]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/18/2007 1:46 PM 44800]
R3 TSUSB2;Driver for TellerScan Device;c:\windows\system32\drivers\TsUSB2.sys [1/20/2012 11:36 AM 54016]
S3 Crystal Query Server;Crystal Query Server;c:\program files\Seagate Software\Query Server\querysrv.exe [11/8/1998 12:00 PM 375296]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [9/8/2009 12:14 PM 32312]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [9/8/2009 6:34 PM 362040]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-22 c:\windows\Tasks\Wareham Backup [1].job
- c:\windows\system32\ntbackup.exe [2008-04-14 09:00]
.
2012-05-23 c:\windows\Tasks\Wareham Backup [2].job
- c:\windows\system32\ntbackup.exe [2008-04-14 09:00]
.
2012-05-24 c:\windows\Tasks\Wareham Backup [3].job
- c:\windows\system32\ntbackup.exe [2008-04-14 09:00]
.
2012-05-25 c:\windows\Tasks\Wareham Backup [4].job
- c:\windows\system32\ntbackup.exe [2008-04-14 09:00]
.
2012-05-26 c:\windows\Tasks\Wareham Backup [5].job
- c:\windows\system32\ntbackup.exe [2008-04-14 09:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: meaningfulfunerals.net\www
TCP: Interfaces\{2AEDF79D-DA78-4226-B1E9-EBD19ECDE3EC}: NameServer = 192.168.1.1
DPF: {8D59819B-2067-4A6B-84F4-7F84570E3C30} - hxxp://192.168.1.75/img/LinksysMLViewer.cab
DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} - hxxps://techinline.net/Client/TIClient.cab
FF - ProfilePath - c:\documents and settings\Wareham 1\Application Data\Mozilla\Firefox\Profiles\iygqoe9t.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-28 14:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]
"ImagePath"="\"c:\program files\Norton Business Suite\Engine\5.2.1.3\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Business Suite\Engine\5.2.1.3\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(816)
c:\program files\ActivIdentity\ActivClient\ackpbsc.dll
c:\program files\ActivIdentity\ActivClient\aclog.dll
c:\program files\ActivIdentity\ActivClient\accrypto.dll
c:\program files\ActivIdentity\ActivClient\ACLIBEAY.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\program files\ActivIdentity\ActivClient\aipingui.dll
c:\program files\ActivIdentity\ActivClient\acevtsub.dll
c:\program files\ActivIdentity\ActivClient\asphat32.dll
c:\program files\ActivIdentity\ActivClient\acerrmes.dll
c:\program files\ActivIdentity\ActivClient\aiwinext.dll
c:\program files\ActivIdentity\ActivClient\aspcom.dll
c:\program files\ActivIdentity\ActivClient\aicext.dll
c:\program files\ActivIdentity\ActivClient\Resources\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\asphatrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIlrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\acunlockrc.dll
c:\windows\system32\DeviceNP.dll
c:\windows\system32\SSREGLIB.dll
c:\windows\system32\HPPTLog.dll
.
- - - - - - - > 'winlogon.exe'(2796)
c:\program files\ActivIdentity\ActivClient\ackpbsc.dll
c:\program files\ActivIdentity\ActivClient\aclog.dll
c:\program files\ActivIdentity\ActivClient\accrypto.dll
c:\program files\ActivIdentity\ActivClient\ACLIBEAY.dll
.
- - - - - - - > 'explorer.exe'(4568)
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2012-05-28  14:38:11
ComboFix-quarantined-files.txt  2012-05-28 18:38
.
Pre-Run: 285,807,579,136 bytes free
Post-Run: 285,780,422,656 bytes free
.
- - End Of File - - C185CA37C4D4F97111E898E2DEC33E03


Legendary Noble
malwarekiller
Posts: 3,979
Registered: 08-08-2011

Re: Possible IE 8 browser hi-jack

Can you run the Microsoft Fix it once more, as given here:

http://support.microsoft.com/kb/318378

 

and tell me how IE behaves now?

Stone Emissary
waldo
Posts: 10
Registered: 05-25-2012

Re: Possible IE 8 browser hi-jack


Malwarekiller,

 

I am unable to run the Microsoft Fix-it you requested.  Attached is a screen shot of the error message.

 

When I click "Explore additional solutions online", the screen flashes white for a second, then displays the desktop.

 

I also attempted all fixes manually as well.

 

IE still behaves the same.  Launch, then immediate close.

Legendary Noble
malwarekiller
Posts: 3,979
Registered: 08-08-2011

Re: Possible IE 8 browser hi-jack

Download Windows Repair (all in one) from here:
http://www.tweaking.com/content/page/win...n_one.html

Install the program, then run it.

Go to step 2 and allow it to run Disk Check.


[Image: Capture3.gif]


Once that is done, go to step 3 and allow it to run SFC.


[Image: Capture.gif]


On the Start Repairs tab, select Advanced Mode and click Start.


[Image: Capture1.gif]


Select all the items given, tick "Restart system when finished", then click Start.
