
Infected/Hijack This file



I appear to be infected with malware that alters search engine results. For major search engines, searches reveal results, but clicking on the links directs to spam sites.

When I open Malwarebytes and run a QUICK SCAN with ALWAYS SCAN MEMORY OBJECTS unchecked under settings, the scan runs for a few seconds (always less than ten in about eight attempts) and Malwarebytes freezes. This freeze occurs on different files in the WINDOWS/SYSTEM32 directory. After Malwarebytes freezes, I open TASK MANAGER to kill the application and two instances of Malwarebytes are running (and not responding).

Similarly, if I select START then RUN and type in IEXPLORE.EXE I am unable to start Internet Explorer. Again, the program does not respond, I open Task Manager and Task Manager shows two non-responding instances of IE. Firefox runs fine.

This is my Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:25:22 AM, on 1/20/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\Program Files\Polaris Auto-Print\bin\wrapper.exe

C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\java.exe

C:\WINDOWS\SYSTEM32\PDFCreatorMessages.exe

C:\Program Files\CVS Manager\MyService.exe

C:\Program Files\Apache Software Foundation\Tomcat-5\bin\tomcat5.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\ClamWin\bin\ClamTray.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\PROGRA~1\Qualcomm\Eudora\Eudora.exe

C:\WINDOWS\SYSTEM32\notepad.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.polaris

O15 - Trusted Zone: http://*.sf12b

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe

O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fdsi-private.fielddiagnostics.com

O17 - HKLM\Software\..\Telephony: DomainName = fdsi-private.fielddiagnostics.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fdsi-private.fielddiagnostics.com

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = fdsi-private.fielddiagnostics.com

O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = fdsi-private.fielddiagnostics.com

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

O23 - Service: Polaris Auto Print (autoprint) - Unknown owner - c:\Program Files\Polaris Auto-Print\bin\wrapper.exe

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd - C:\WINDOWS\SYSTEM32\PDFCreatorMessages.exe

O23 - Service: PostgreSQL Database Server 8.1 (pgsql-8.1) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.1\bin\pg_ctl.exe

O23 - Service: Polaris CVS Manager - Alexandria Software Consulting + Multiplan Consultants - C:\Program Files\CVS Manager\MyService.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat-5\bin\tomcat5.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 9621 bytes

Thank you.


Hi. ;)

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.

Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

-----------------------------

Download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Click the Scan All Users checkbox on the toolbar.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).

Use the Add Reply button and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt2 folder and named OTScanIt.txt.

I will review it when it comes in.


Paste this into the fix box (where it says paste fix here):

[Kill Explorer]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "Sonic RecordNow!" -> []
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab [Java Plug-in 1.5.0_03]
[Files/Folders - Created Within 30 Days]
NY -> 2 C:\*.tmp files -> C:\*.tmp
NY -> 9B13A86D.plf -> %SystemRoot%\System32\9B13A86D.plf
[Files/Folders - Modified Within 30 Days]
NY -> 2 C:\*.tmp files -> C:\*.tmp
NY -> 5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Alternate Data Streams]
NY -> @Alternate Data Stream - 0 bytes -> %UserProfile%\Desktop\Thumbs.db:encryptable
[Purity]
[Empty Temp Folders]
[start Explorer]

It will produce a log. Please post that here.


Here is the log produced by running the fix:

Process Explorer.EXE killed successfully!

[Registry - Safe List]

Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.

Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Sonic RecordNow! deleted successfully.

Starting removal of ActiveX control {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\Contains\Files\ not found.

not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\ deleted successfully.

[Files/Folders - Created Within 30 Days]

C:\WINDOWS\System32\9B13A86D.plf moved successfully.

[Files/Folders - Modified Within 30 Days]

[Alternate Data Streams]

ADS C:\Documents and Settings\Erik.FDSI-PRIVATE\Desktop\Thumbs.db:encryptable deleted successfully.

[Purity]

Purity scan complete.

[Empty Temp Folders]

File delete failed. C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Temp\ClamWin1.log scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Temp\Perflib_Perfdata_f98.dat scheduled to be deleted on reboot.

User's Temp folder emptied.

User's Temporary Internet Files folder emptied.

User's Internet Explorer cache folder emptied.

Local Service Temp folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT scheduled to be deleted on reboot.

Local Service Temporary Internet Files folder emptied.

File delete failed. C:\WINDOWS\temp\hsperfdata_SYSTEM\1860 scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\hsperfdata_SYSTEM\292 scheduled to be deleted on reboot.

Windows Temp folder emptied.

Java cache emptied.

File delete failed. C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Application Data\Mozilla\Firefox\Profiles\25ayg1v9.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Application Data\Mozilla\Firefox\Profiles\25ayg1v9.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Application Data\Mozilla\Firefox\Profiles\25ayg1v9.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Application Data\Mozilla\Firefox\Profiles\25ayg1v9.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Application Data\Mozilla\Firefox\Profiles\25ayg1v9.default\XUL.mfl scheduled to be deleted on reboot.

FireFox cache emptied.

RecycleBin -> emptied.

Explorer started successfully

< End of fix log >

OTScanIt2 by OldTimer - Version 1.0.6.2 fix logfile created on 01212009_090358

Files moved on Reboot...

C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Temp\ClamWin1.log moved successfully.

File C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Temp\Perflib_Perfdata_f98.dat not found!

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT scheduled to be moved on reboot.

File C:\WINDOWS\temp\hsperfdata_SYSTEM\1860 not found!

File C:\WINDOWS\temp\hsperfdata_SYSTEM\292 not found!

C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Application Data\Mozilla\Firefox\Profiles\25ayg1v9.default\Cache\_CACHE_001_ moved successfully.

C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Application Data\Mozilla\Firefox\Profiles\25ayg1v9.default\Cache\_CACHE_002_ moved successfully.

C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Application Data\Mozilla\Firefox\Profiles\25ayg1v9.default\Cache\_CACHE_003_ moved successfully.

C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Application Data\Mozilla\Firefox\Profiles\25ayg1v9.default\Cache\_CACHE_MAP_ moved successfully.

C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Application Data\Mozilla\Firefox\Profiles\25ayg1v9.default\XUL.mfl moved successfully.

Registry entries deleted on Reboot...


Here is my new HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:33:11 AM, on 1/21/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\Program Files\Polaris Auto-Print\bin\wrapper.exe

C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe

C:\WINDOWS\SYSTEM32\PDFCreatorMessages.exe

C:\WINDOWS\system32\java.exe

C:\Program Files\CVS Manager\MyService.exe

C:\Program Files\Apache Software Foundation\Tomcat-5\bin\tomcat5.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe

C:\Program Files\ClamWin\bin\ClamTray.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\winpt-0.7.96-exe\WinPT.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.polaris

O15 - Trusted Zone: http://*.sf12b

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe

O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fdsi-private.fielddiagnostics.com

O17 - HKLM\Software\..\Telephony: DomainName = fdsi-private.fielddiagnostics.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fdsi-private.fielddiagnostics.com

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = fdsi-private.fielddiagnostics.com

O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = fdsi-private.fielddiagnostics.com

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

O23 - Service: Polaris Auto Print (autoprint) - Unknown owner - c:\Program Files\Polaris Auto-Print\bin\wrapper.exe

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)

O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd - C:\WINDOWS\SYSTEM32\PDFCreatorMessages.exe

O23 - Service: PostgreSQL Database Server 8.1 (pgsql-8.1) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.1\bin\pg_ctl.exe

O23 - Service: Polaris CVS Manager - Alexandria Software Consulting + Multiplan Consultants - C:\Program Files\CVS Manager\MyService.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat-5\bin\tomcat5.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 8810 bytes

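Two HijackThis logs of the same machine were posted a day apart, and the useful signal in a re-scan is what changed between them and which entries still deserve a second look. As an added example (not code from this thread, from HijackThis, or from any of the tools used here), the Python script below parses that log format, diffs the running processes and coded entries of two logs, and flags wildcard trusted zones (O15), ActiveX DPF entries with no source URL (O16) and services whose binary is missing (O23). The two embedded logs are short excerpts constructed from the 1/20 and 1/21/2009 logs above, not the full logs.

```python
"""Diff two HijackThis v2 logs and flag entries a reviewer checks first.

Added example; not code from the thread, from HijackThis or from the tools
used in it.  OLD_LOG and NEW_LOG are short excerpts constructed from the
1/20 and 1/21/2009 logs posted in the thread, so they carry only a few lines.
"""
import re
from dataclasses import dataclass, field

# "O23 - Service: ...", "R1 - HKCU\...": section code, " - ", body
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")

OLD_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:22 AM, on 1/20/2009
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.polaris
O15 - Trusted Zone: http://*.sf12b
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
"""

NEW_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:11 AM, on 1/21/2009
Running processes:
C:\WINDOWS\System32\smss.exe
C:\winpt-0.7.96-exe\WinPT.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.polaris
O15 - Trusted Zone: http://*.sf12b
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
"""


@dataclass
class HjtLog:
    processes: list = field(default_factory=list)  # paths under "Running processes:"
    entries: dict = field(default_factory=dict)    # code (e.g. "O23") -> list of bodies


def parse_hjt(text):
    """Split a HijackThis log into its process list and its coded entries."""
    log, in_processes = HjtLog(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
        elif m := ENTRY_RE.match(line):
            in_processes = False  # the first coded entry ends the process list
            log.entries.setdefault(m.group(1), []).append(m.group(2))
        elif in_processes and PATH_RE.match(line):
            log.processes.append(line)
    return log


def diff_logs(old, new):
    """What appeared and disappeared between two logs of the same machine.
    Paths are compared case-insensitively (System32 and system32 are one dir)."""
    old_p = {p.lower() for p in old.processes}
    new_p = {p.lower() for p in new.processes}
    old_e = {(c, b) for c, bodies in old.entries.items() for b in bodies}
    new_e = {(c, b) for c, bodies in new.entries.items() for b in bodies}
    return {
        "processes_added": sorted(new_p - old_p),
        "processes_removed": sorted(old_p - new_p),
        "entries_added": sorted(new_e - old_e),
        "entries_removed": sorted(old_e - new_e),
    }


def flag_entries(log):
    """Entries a reviewer checks first: wildcard trusted zones (O15), ActiveX
    DPF entries with no source URL (O16), services whose binary is gone (O23).
    Returns (code, reason, body) tuples."""
    flags = []
    for body in log.entries.get("O15", []):
        if "*" in body:
            flags.append(("O15", "wildcard trusted zone", body))
    for body in log.entries.get("O16", []):
        if not re.search(r"https?://", body):
            flags.append(("O16", "DPF entry without download URL", body))
    for body in log.entries.get("O23", []):
        if body.endswith("(file missing)"):
            flags.append(("O23", "service binary missing", body))
    return flags


def review(old_text=OLD_LOG, new_text=NEW_LOG):
    """Parse both logs, diff them, and flag the newer one."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    return diff_logs(old, new), flag_entries(new)


if __name__ == "__main__":
    diff, flags = review()
    for key, items in diff.items():
        print(f"{key}: {len(items)}")
        for item in items:
            print("   ", item)
    for code, reason, body in flags:
        print(f"FLAG {code} ({reason}): {body}")
```

On the two excerpts the diff shows the four Symantec/TeaTimer processes and the two Symantec O23 services gone from the second log, which is the kind of change a reviewer should ask about rather than assume was intended.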

I still have a problem with search engine results. If I clear my cache/history/temporary files and go to Google and do a search for "dogs", for example, I have attached the results of the screen shot. In the screen shot example, the second result is "Dogs & Puppies -- Next Day Pets" but the green text under the result indicates a different site. Clicking on the link directs to the spam site in green text.

This happens in both IE and Netscape and at search engines other than Google.

Also, I don't have a C:\OtScanIT\ directory. I have C:\_OTScanIt and C:\Program Files\Mozilla Firefox\OTScanIt2 directories. Just wanted to make sure I understood what you were suggesting I delete.

Thanks.

post-8378-1232568115_thumb.png



Yes, delete C:\_OTScanIt

Download The Avenger by Swandog46 from here.

  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    C:\WINDOWS\system32\drivers\TDSSmqlt.sys
    C:\windows\system32\drivers\tdssserv.sys
    C:\WINDOWS\system32\drivers\TDSSmact.sys
    C:\WINDOWS\system32\drivers\TDSSrvdc.sys
    C:\WINDOWS\system32\TDSSwpyd.dat
    C:\WINDOWS\system32\TDSStkdv.log
    C:\WINDOWS\system32\TDSSotxb.dll
    C:\WINDOWS\system32\TDSScrrn.dll
    C:\WINDOWS\system32\TDSSbvqh.dll
    C:\WINDOWS\system32\TDSSjnmx.dll
    c:\windows\system32\TDSShrxr.dll
    c:\windows\system32\TDSSkkbi.log
    c:\windows\system32\TDSSlrvd.dat
    c:\windows\system32\TDSSlxwp.dll
    c:\windows\system32\TDSSnmxh.log
    c:\windows\system32\TDSSoiqt.dll
    c:\windows\system32\TDSSrhyp.log
    c:\windows\system32\TDSSrtqp.dll
    c:\windows\system32\TDSSsihc.dll
    c:\windows\system32\TDSSxfum.dll
    C:\WINDOWS\SYSTEM32\qoMfefde.dll

    Drivers to delete:
    tdssserv

    Registry keys to delete:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV


  • In the Avenger window, click the Paste Script from Clipboard button.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Here are the Avenger results. I had one false start you'll see in the logs when there was a prompt/warning I hadn't expected from your instructions. I hit cancel then did it again, dismissing the warning.

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)

Wed Jan 21 16:40:08 2009

16:40:06: Warning: Skipping potentially dangerous line:

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" (Registry key deletion mode)

16:40:08: Error: Execution aborted by user!

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" not found!

Deletion of file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\windows\system32\drivers\tdssserv.sys" not found!

Deletion of file "C:\windows\system32\drivers\tdssserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\drivers\TDSSmact.sys" not found!

Deletion of file "C:\WINDOWS\system32\drivers\TDSSmact.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\drivers\TDSSrvdc.sys" not found!

Deletion of file "C:\WINDOWS\system32\drivers\TDSSrvdc.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSwpyd.dat" not found!

Deletion of file "C:\WINDOWS\system32\TDSSwpyd.dat" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSStkdv.log" not found!

Deletion of file "C:\WINDOWS\system32\TDSStkdv.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSotxb.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSSotxb.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSScrrn.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSScrrn.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSbvqh.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSSbvqh.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSjnmx.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSSjnmx.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSShrxr.dll" not found!

Deletion of file "c:\windows\system32\TDSShrxr.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSkkbi.log" not found!

Deletion of file "c:\windows\system32\TDSSkkbi.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSlrvd.dat" not found!

Deletion of file "c:\windows\system32\TDSSlrvd.dat" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSlxwp.dll" not found!

Deletion of file "c:\windows\system32\TDSSlxwp.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSnmxh.log" not found!

Deletion of file "c:\windows\system32\TDSSnmxh.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSoiqt.dll" not found!

Deletion of file "c:\windows\system32\TDSSoiqt.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSrhyp.log" not found!

Deletion of file "c:\windows\system32\TDSSrhyp.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSrtqp.dll" not found!

Deletion of file "c:\windows\system32\TDSSrtqp.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSsihc.dll" not found!

Deletion of file "c:\windows\system32\TDSSsihc.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSxfum.dll" not found!

Deletion of file "c:\windows\system32\TDSSxfum.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\SYSTEM32\qoMfefde.dll" not found!

Deletion of file "C:\WINDOWS\SYSTEM32\qoMfefde.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdssserv" not found!

Deletion of driver "tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.


Download ComboFix from one of the locations below, and save it to your Desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


I believe my problem has been solved by your latest suggestion. My search engine results are normal again. I am not aware of any problems on the machine related to malware. Thank you very much for your help.

Here is the combofix log and, below it, the HijackThis log:

ComboFix 09-01-21.02 - erik 2009-01-22 9:11:25.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1342 [GMT -5:00]

Running from: c:\documents and settings\Erik.FDSI-PRIVATE\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\123.txt

c:\program files\alexa toolbar

c:\windows\Downloaded Program Files\Temp

c:\windows\Downloaded Program Files\Temp\pmupd806.xml

c:\windows\system32\drivers\fad.sys

c:\windows\system32\drivers\npf.sys

c:\windows\system32\packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\wanpacket.dll

c:\windows\system32\wdmaud.sys

c:\windows\system32\wpcap.dll

E:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2008-12-22 to 2009-01-22 )))))))))))))))))))))))))))))))

.

2009-01-21 14:54 . 2009-01-21 14:54 80,067 --a------ C:\sshot.GIF

2009-01-21 14:38 . 2009-01-14 15:09 410,112 --a------ C:\COMSConsumerIntake_A.rpt

2009-01-20 11:24 . 2009-01-20 11:24 <DIR> d-------- c:\program files\Trend Micro

2009-01-20 10:56 . 2009-01-20 10:56 21,580 --a------ C:\polaris.log.2009-01-16

2009-01-19 13:12 . 2009-01-19 13:12 <DIR> d-------- c:\documents and settings\Erik.FDSI-PRIVATE\Application Data\Malwarebytes

2009-01-19 13:11 . 2009-01-19 13:12 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-19 13:11 . 2009-01-19 13:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-19 13:11 . 2009-01-14 16:11 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys

2009-01-19 13:11 . 2009-01-14 16:11 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys

2009-01-16 15:51 . 2009-01-16 15:53 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-01-16 15:51 . 2009-01-19 13:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-16 11:59 . 2009-01-16 12:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard

2009-01-16 11:58 . 2009-01-16 11:58 <DIR> d-------- c:\program files\Common Files\iS3

2009-01-16 11:58 . 2009-01-16 12:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!

2009-01-16 11:52 . 2009-01-16 11:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-01-16 11:52 . 2009-01-16 11:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton

2009-01-16 11:17 . 2009-01-16 11:49 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

2009-01-16 09:39 . 2009-01-16 09:39 <DIR> d-------- c:\program files\ParetoLogic

2009-01-16 09:39 . 2009-01-16 09:39 <DIR> d-------- c:\program files\Common Files\ParetoLogic

2009-01-16 09:39 . 2009-01-16 09:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\ParetoLogic

2009-01-16 09:38 . 2009-01-16 09:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Cached Installations

2009-01-15 14:39 . 2009-01-15 14:39 <DIR> d-------- c:\program files\Alwil Software

2009-01-13 13:26 . 2009-01-13 10:44 3,509 --a------ C:\ServiceTokenRetriever.class

2009-01-09 08:58 . 2009-01-08 16:26 9,047 --a------ C:\edit_consumer.jsp

2009-01-08 12:50 . 2009-01-08 12:51 <DIR> d-------- C:\darssa2

2009-01-07 11:23 . 2009-01-07 11:23 <DIR> d-------- c:\program files\Polaris Auto-Print

2009-01-06 10:17 . 2009-01-06 10:17 39,424 --a------ C:\Configuring a Kiosk Member Computer.doc

2008-12-31 10:16 . 2009-01-06 10:45 <DIR> d-------- C:\dutch_mh

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-21 19:25 --------- d-----w c:\documents and settings\Erik.FDSI-PRIVATE\Application Data\AdobeUM

2009-01-20 18:17 --------- d-----w c:\program files\Symantec_Client_Security

2009-01-20 18:15 --------- d-----w c:\program files\Symantec

2009-01-20 18:14 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-01-15 22:20 --------- d-----w c:\program files\KeyStore Explorer 2.3_2

2009-01-15 18:48 102,664 ----a-w c:\windows\system32\drivers\tmcomm.sys

2009-01-15 14:33 --------- d-----w c:\program files\ClamWin

2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys

2008-11-20 14:29 4,523 ----a-w C:\friendshiphouse_youth.zip

2008-11-18 13:49 7,205,511 ----a-w C:\pics.zip

2008-01-04 18:09 56,912 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\g2mdlhlpx.exe

2006-08-03 13:08 483,401 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\gotomypc_314.exe

2006-05-01 16:09 462,919 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\276_gotomypc.exe

2006-03-14 15:42 563,712 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\370_gotomypc.exe

2006-01-09 20:03 3,167,744 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\gosetup.exe

2005-11-18 18:20 0 -c--a-w c:\program files\larson.csv

2005-09-30 13:59 483,401 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\314_gotomypc.exe

2005-08-29 20:29 483,401 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\gotomypc.exe

2004-12-01 19:27 5,212,168 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\web_1129.zip

2004-11-24 15:18 2,629,178 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\new_www.zip

2004-11-23 16:14 318,793 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\doug.zip

2004-11-17 20:30 1,352,976 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\new_life_upgrade.zip

2004-09-30 15:52 19,445 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\WS.ZIP

2004-09-28 19:07 2,074,662 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\autoexport.zip

2004-08-31 19:27 29,550,025 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\MH_SETUPEX.EXE

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]

"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]

"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-26 204800]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2004-03-24 26112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-11 196608]

"PDFCreatorClient"="c:\program files\JawsSystems\Jaws PDF Creator\PDFClient.exe" [2003-12-09 315392]

"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2008-11-09 86016]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]

"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2004-05-11 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

2003-10-31 11:01 8704 c:\windows\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"= wdmaud.sys

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\SYSTEM32\\ftp.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 VADriver;VADriver;c:\windows\SYSTEM32\DRIVERS\VADriver.sys [2004-06-08 3712]

R4 autoprint;Polaris Auto Print;c:\program files\Polaris Auto-Print\bin\wrapper.exe [2009-01-07 135168]

R4 pgsql-8.1;PostgreSQL Database Server 8.1;c:\program files\PostgreSQL\8.1\bin\pg_ctl.exe [2005-11-05 68289]

R4 Polaris CVS Manager;Polaris CVS Manager;c:\program files\CVS Manager\MyService.exe [2005-06-01 57344]

R4 Tomcat5;Apache Tomcat;c:\program files\Apache Software Foundation\Tomcat-5\bin\tomcat5.exe [2004-08-28 94208]

R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-11 24652]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90c3b98a-8b21-11d9-90a1-00038a000015}]

\Shell\AutoRun\command - SetupWizard.exe

.

Contents of the 'Scheduled Tasks' folder

2009-01-22 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-01-22 c:\windows\Tasks\backup_in.job

- c:\program files\Qualcomm\Eudora\backup_in.bat [2004-09-22 15:44]

2009-01-16 c:\windows\Tasks\Disk Cleanup.job

- c:\windows\SYSTEM32\CLEANMGR.EXE [2004-08-04 02:56]

2009-01-22 c:\windows\Tasks\download_websecure_BU.job

- c:\shared\websecure\backup_FTP\download.bat [2007-09-27 12:36]

2009-01-22 c:\windows\Tasks\get_kpsatss_and_phdsec.job

- c:\shared\encrypted_kpsatss_bu\get_kpsatss_and_phdsec.bat [2007-07-27 12:19]

2009-01-21 c:\windows\Tasks\ParetoLogic Registration.job

- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 12:25]

2009-01-22 c:\windows\Tasks\ParetoLogic Update Version2.job

- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 12:25]

2009-01-22 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 09:04]

.

- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)

HKLM-Run-URLLSTCK.exe - c:\program files\Norton Internet Security\UrlLstCk.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

Trusted Zone: polaris

Trusted Zone: polarishealth.com\assessment

Trusted Zone: sf12b

DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab

FF - ProfilePath - c:\documents and settings\Erik.FDSI-PRIVATE\Application Data\Mozilla\Firefox\Profiles\25ayg1v9.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://*.polaris

O15 - Trusted Zone: http://*.sf12b

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe

O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fdsi-private.fielddiagnostics.com

O17 - HKLM\Software\..\Telephony: DomainName = fdsi-private.fielddiagnostics.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fdsi-private.fielddiagnostics.com

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = fdsi-private.fielddiagnostics.com

O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = fdsi-private.fielddiagnostics.com

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

O23 - Service: Polaris Auto Print (autoprint) - Unknown owner - c:\Program Files\Polaris Auto-Print\bin\wrapper.exe

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)

O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd - C:\WINDOWS\SYSTEM32\PDFCreatorMessages.exe

O23 - Service: PostgreSQL Database Server 8.1 (pgsql-8.1) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.1\bin\pg_ctl.exe

O23 - Service: Polaris CVS Manager - Alexandria Software Consulting + Multiplan Consultants - C:\Program Files\CVS Manager\MyService.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat-5\bin\tomcat5.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 8285 bytes
