www.www.google.com.org

When I logged into IE, my browser got hijacked… and when I turn off Comodo Firewall, IE works. I tried Webroot scanning but cannot find the source of the problem. Also ran ieregfix.reg but to no avail. When I turn on Comodo Firewall to custom, my IE browser gets hijacked.

Appreciate help on this.

May I first ask something: how do you know it’s hijacked? What signs are showing of a hijack? Personally, in my opinion, I don’t see how turning on a firewall to custom can in any way cause a hijack. Perhaps your browser IS hijacked and turning on Comodo is allowing you to see this? I really need more info before I can answer properly.

Thank you,

Paul

What happened is this. When I type “www.google.com” in IE6, the status bar shows i) connecting to 66.102.7.147, then to 203.109.106.50.9, then another website before showing finding site www.www.google.com.org and the error message “Internet Explorer could not open the search page”. So my guess is that IE6 was “hijacked by another application”.

Now when I set Comodo to allow all (instead of custom), I could get to www.google.com.

Again you are right, it’s likely the case that Comodo is protecting the computer against such a ‘hijacker’, therefore preventing access when Comodo is in ‘custom’.

But I scanned using Webroot, Ad-Aware, Spybot, and Trend OfficeScan - couldn’t find anything.

Your thoughts on the next step are much appreciated. Thanks.

What I would do is this: clear your history, cookies, and all else. If this helps, immediately make sure you get all Windows updates, keep your firewall ON, keep anti-virus going. Normally I would suggest using the Firefox browser, but my heart was broken tonight learning they have a flaw just as large as IE does. Nowhere to run, lol. But do this and also, do you have any other cleaners like CCleaner? It’s free. I have also had 2 hijacking attempts, thwarted by me and CPF, and 15 on the Hotmail page. It’s getting bad.

Paul

Can you please download HijackThis (from www.merijn.org/downloads), run it and post the log back here. It sounds like you’ve been hijacked and HJT will show the browser modifications.

Cheers,
Ewen :slight_smile:

Here’s the file. I tried deleting items (O17) but IE6 stopped working (can’t resolve address when I key in www.google.com, for example) when I do that.

Logfile of HijackThis v1.99.1
Scan saved at 6:10:09 PM, on 10/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\OfficeScan\ntrtscan.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\OfficeScan\tmlisten.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\PROGRA~1\HDDK\SUservice.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\OfficeScan\OfcPfwSvc.exe
C:\TEMP\NRCF36.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\OfficeScan\pccntmon.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\OfficeScan\Pop3Trap.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\X1\X1Systray.exe
C:\Program Files\X1\X1.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\X1\X1Service.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijaackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tmnet.vic/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Internet Explorer 6 Search Companion is no longer supported.
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = tmnet.proxy.is:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .vic;.is;.omni;10.;
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM..\Run: [SynTPLpr] “C:\Program Files\Synaptics\SynTP\SynTPLpr.exe”
O4 - HKLM..\Run: [SynTPEnh] “C:\Program Files\Synaptics\SynTP\SynTPEnh.exe”
O4 - HKLM..\Run: [OfficeScanNT Monitor] “C:\OfficeScan\pccntmon.exe” -HideWindow
O4 - HKLM..\Run: [Acronis True Image Monitor] “C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe”
O4 - HKLM..\Run: [Acronis Scheduler2 Service] “C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe”
O4 - HKLM..\Run: [BMMLREF] “C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE”
O4 - HKLM..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM..\Run: [QCWLICON] “C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE”
O4 - HKLM..\Run: [USBTA] C:\WINDOWS\system32\usbtapnp.exe
O4 - HKLM..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM..\Run: [itype] “C:\Program Files\Microsoft IntelliType Pro\itype.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe”
O4 - HKLM..\Run: [FinePrint Dispatcher v5] “C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe” /source=HKLM
O4 - HKLM..\Run: [PCSuiteTrayApplication] “C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE” -startup
O4 - HKLM..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM..\Run: [Comodo Firewall] “C:\Program Files\Comodo\Firewall\CPF.exe” /background
O4 - HKLM..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [SpySweeper] “C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe” /startintray
O4 - HKCU..\Run: [TPKMAPMN] “C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe”
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [googletalk] “C:\Program Files\Google\Google Talk\googletalk.exe” /autostart
O4 - HKCU..\Run: [PcSync] “C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe” /NoDialog
O4 - Startup: X1 System Tray.lnk = C:\Program Files\X1\X1Systray.exe
O4 - Startup: X1.lnk = C:\Program Files\X1\X1.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Pro\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Pro\Add_AllO.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.hr.vic
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121484883457
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145152492595
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} (PopupMenu Object) - http://hr.vic/ars/overview/ocx/iemenu.ocx
O16 - DPF: {80922B68-D8DE-11D5-8D10-0050DAD09327} (Batch Processing Control) - https://www.thomsononeim.com/plugins/BatchPrintNT.cab
O16 - DPF: {BF0D51A8-3A73-4CEC-8B1C-58CDAB8244D5} (ActiveChart.ActiveXChart) - DBS Vickers | DBS Vickers Online Trading
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://hr.vic/viewer/activeXViewer/activexviewer.cab
O16 - DPF: {DEF7CADC-83C0-11D0-A0F1-00A024703500} (True OLE DBGrid 7 Control) - http://hr.vic/ars/Overview/OCX/todg7.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://access.mdc.tmnet.com/dana-cached/setup/JuniperSetup.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tmnet.corp.root
O17 - HKLM\Software..\Telephony: DomainName = tmnet.corp.root
O17 - HKLM\System\CCS\Services\Tcpip..{231FCDCD-CA1E-4E14-AB50-3F18EEB87808}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tmnet.corp.root
O17 - HKLM\System\CS1\Services\Tcpip..{231FCDCD-CA1E-4E14-AB50-3F18EEB87808}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tmnet.corp.root
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\OfficeScan\OfcPfwSvc.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan\tmlisten.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: VCON MXMSU Service - Unknown owner - C:\PROGRA~1\HDDK\SUservice.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Thanks for your help!

By any chance, Ewen, did you catch the X1?
I will wait on this, but if Ewen agrees, I would say the X1 is not good. However, it can be a legit process as well.

Paul

G’day,

The only really odd thing is

C:\TEMP\NRCF36.EXE

I can’t find any info anywhere on this, under this name, but it could be a randomly generated filename. Why do you have a running exe out of your TEMP folder? Is this where it’s supposed to be??? TEMP is renowned as a malware launching spot. Is this file referenced in MSCONFIG as autostarting? I would try and track down the origins of this and validate the EXE ASAP.

There is also some debate about “s24evmon.exe”.

Have a look at “Is S24EvMon.exe safe? How to remove a S24EvMon error?” for more info. You should verify the byte count of your copy against a known working copy. I’ve found a handful of reports of malware that masquerades as this exe.

X1 is OK, as it’s a desktop search app from X1.com, a legitimate vendor.

Am I correct in assuming that you access the internet from this PC via a proxy located within the tmnet domain? If so, are the proxy details in IE still correct?

Other than these things to check out, I can’t really see anything that could cause the conditions you’ve described.

Hope this helps,
Ewen :slight_smile:
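A small triage script for a HijackThis log of the kind posted above, added here as an example (it is not from the thread, from Comodo or from HijackThis): it flags executables running out of a TEMP folder, lists any O17 NameServer entries that are not on the list the user has confirmed with their ISP or network admin, and pulls out the proxy and start-page settings so they can be checked as Ewen suggests. The log excerpt is a constructed subset of the posted log, and the confirmed-DNS list is an assumption for the demo.

```python
import re

# Constructed excerpt of a HijackThis log. The lines copy the shape (and the
# values) of entries in the log posted above; it is not the full log.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\TEMP\NRCF36.EXE
C:\HijaackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tmnet.vic/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = tmnet.proxy.is:80
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tmnet.corp.root
O17 - HKLM\System\CCS\Services\Tcpip..{231FCDCD-CA1E-4E14-AB50-3F18EEB87808}: NameServer = 202.188.0.133 202.188.1.5
"""

TEMP_DIRS = {"temp", "tmp"}
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def triage(log, expected_dns):
    """Collect the items to check by hand: executables launched from a temp
    folder, DNS servers not on the list the user confirms with their ISP or
    network admin, and the proxy / start page that IE is currently using."""
    findings = {"temp_processes": [], "unexpected_dns": [], "proxy": [], "start_page": []}
    in_processes = False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:                       # a blank line closes the process list
            in_processes = False
            continue
        if in_processes:
            # Flag any path with a TEMP/TMP directory component (the launch
            # location Ewen questions), whatever the drive or file name.
            if TEMP_DIRS & {p.lower() for p in line.split("\\")[:-1]}:
                findings["temp_processes"].append(line)
        elif line.startswith("O17") and "NameServer" in line:
            for ip in IPV4.findall(line.split("=", 1)[1]):
                if ip not in expected_dns:
                    findings["unexpected_dns"].append(ip)
        elif line.startswith("R1") and "ProxyServer" in line:
            findings["proxy"].append(line.split("=", 1)[1].strip())
        elif line.startswith("R0") and "Start Page" in line:
            findings["start_page"].append(line.split("=", 1)[1].strip())
    return findings


if __name__ == "__main__":
    # Assumed for the demo: only the first DNS server has been confirmed with the ISP.
    for key, items in triage(SAMPLE_LOG, {"202.188.0.133"}).items():
        print(f"{key}: {items}")
```

Anything it lists is a starting point for the manual checks in the thread (MSCONFIG, byte count against a known copy, confirming the proxy), not a verdict.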

I agree. There is debate about X1.exe as well (called winkiller), but he seems to have the correct files so I don’t think it’s a virus either. There is a free hijacking program, but I don’t know how well it works, haven’t tried it.

http://www.hijackfree.com/en/

Just a mention, the browser may be scanned and changed without anything being put on the computer as well, as long as you don’t click on anything “weird”. Just as my Hotmail page has been getting changed, nothing is on my PC. I deny the certs, close out, clear history, cookies, etc… and it’s usually fine when I go back. When I was typing in www.hotmail.com it would go to a whole new/different mail page called Mail Wind or something like that. Anyway, make sure you check the files/things Ewen mentioned, and let us know.

Paul

Well, you can always run to safety with Opera. I have never had problems so far (except sites that dislike Opera, which I don’t visit :slight_smile: )

Dear all,

Thank you for your feedback. I tried all (except HijackFree, which I only saw recently). Same problem occurred - www.google.com becomes www.www.google.com.org.

I installed IE7 (RC1) and turned on the phishing filter. Everything is working fine now, with Comodo back to custom.

I really appreciate the speedy responses.

This is awesome! - the free exchange of information and what the Comodo team is doing and contributing to the world and community at large.

Your work and contributions are very much appreciated - by a fellow earthian in Malaysia.

You are very welcome, glad to have you aboard! Check out the forum a bit further, General Discussion for all the crazy stuff, if you will.

Cheers,

Paul