Jump to content

Malwarebytes

Infected/Hijack This file

- - - - -
Started by poiuyt2, Jan 20 2009 06:00 PM

13 replies to this topic

#1
poiuyt2
Posted 20 January 2009 - 06:00 PM

    New Member

  • Members
  • Pip
  • 7 posts
I appear to be infected with malware that alters search engine results. For major search engines, searches reveal results, but clicking on the links direct to spam sites.

When I open Malwarebytes and run a QUICK SCAN with ALWAYS SCAN MEMORY OBJECTS unchecked under settings, the scan runs for a few seconds (always less than ten in about eight attempts) and Malwarebytes freezes. This freeze occurs on different files in the WINDOWS/SYSTEM32 directory. After Malwarebytes freezes, I open TASK MANAGER to kill the application and two instances of Malwarebytes are running (and not responding).

Similarly, if I select START then RUN and type in IEXPLORE.EXE I am unable to start Internet Explorer. Again, the program does not respond, I open Task Manager and Task Manager shows two non-responding instances of IE. Firefox runs fine.

This is my Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:22 AM, on 1/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Polaris Auto-Print\bin\wrapper.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\SYSTEM32\PDFCreatorMessages.exe
C:\Program Files\CVS Manager\MyService.exe
C:\Program Files\Apache Software Foundation\Tomcat-5\bin\tomcat5.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Qualcomm\Eudora\Eudora.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [PDFCreatorClient] C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-556418474-1633761096-3573652574-1009\..\Run: [Sonic RecordNow!] (User 'postgres')
O4 - HKUS\S-1-5-21-556418474-1633761096-3573652574-1009\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'postgres')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.polaris
O15 - Trusted Zone: http://assessment.polarishealth.com
O15 - Trusted Zone: http://*.sf12b
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fdsi-private.fielddiagnostics.com
O17 - HKLM\Software\..\Telephony: DomainName = fdsi-private.fielddiagnostics.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fdsi-private.fielddiagnostics.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = fdsi-private.fielddiagnostics.com
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = fdsi-private.fielddiagnostics.com
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Polaris Auto Print (autoprint) - Unknown owner - c:\Program Files\Polaris Auto-Print\bin\wrapper.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd - C:\WINDOWS\SYSTEM32\PDFCreatorMessages.exe
O23 - Service: PostgreSQL Database Server 8.1 (pgsql-8.1) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.1\bin\pg_ctl.exe
O23 - Service: Polaris CVS Manager - Alexandria Software Consulting + Multiplan Consultants - C:\Program Files\CVS Manager\MyService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat-5\bin\tomcat5.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9621 bytes

Thank you.

#2
Tigger93
Posted 20 January 2009 - 09:55 PM

    Forum Deity

  • Moderators
  • PipPipPipPipPipPip
  • 1,648 posts
  • Gender:Male
Hi. ;)

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

-----------------------------

download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Click the Scan All Users checkbox on the toolbar.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessry).
Use the Add Reply button and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt2 folder and named OTScanIt.txt.

I will review it when it comes in.

#3
poiuyt2
Posted 20 January 2009 - 10:22 PM

    New Member

  • Members
  • Pip
  • 7 posts
Thank you.

I have attached the scan results from OTScanit2.

Attached Files


#4
Tigger93
Posted 20 January 2009 - 11:22 PM

    Forum Deity

  • Moderators
  • PipPipPipPipPipPip
  • 1,648 posts
  • Gender:Male
Paste this into the fix box (where it says paste fix here):
[Kill Explorer]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "Sonic RecordNow!" -> []
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab [Java Plug-in 1.5.0_03]
[Files/Folders - Created Within 30 Days]
NY -> 2 C:\*.tmp files -> C:\*.tmp
NY -> 9B13A86D.plf -> %SystemRoot%\System32\9B13A86D.plf
[Files/Folders - Modified Within 30 Days]
NY -> 2 C:\*.tmp files -> C:\*.tmp
NY -> 5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Alternate Data Streams]
NY -> @Alternate Data Stream - 0 bytes -> %UserProfile%\Desktop\Thumbs.db:encryptable
[Purity]
[Empty Temp Folders]
[Start Explorer]

It will produce a log. Please post that here.

#5
poiuyt2
Posted 21 January 2009 - 02:12 PM

    New Member

  • Members
  • Pip
  • 7 posts
Here is the log produced by running the fix:

Process Explorer.EXE killed successfully!
[Registry - Safe List]
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Sonic RecordNow! deleted successfully.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\Contains\Files\ not found.
not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
[Files/Folders - Created Within 30 Days]
C:\WINDOWS\System32\9B13A86D.plf moved successfully.
[Files/Folders - Modified Within 30 Days]
[Alternate Data Streams]
ADS C:\Documents and Settings\Erik.FDSI-PRIVATE\Desktop\Thumbs.db:encryptable deleted successfully.
[Purity]
Purity scan complete.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Temp\ClamWin1.log scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Temp\Perflib_Perfdata_f98.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\hsperfdata_SYSTEM\1860 scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\hsperfdata_SYSTEM\292 scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Application Data\Mozilla\Firefox\Profiles\25ayg1v9.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Application Data\Mozilla\Firefox\Profiles\25ayg1v9.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Application Data\Mozilla\Firefox\Profiles\25ayg1v9.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Application Data\Mozilla\Firefox\Profiles\25ayg1v9.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Application Data\Mozilla\Firefox\Profiles\25ayg1v9.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.6.2 fix logfile created on 01212009_090358

Files moved on Reboot...
C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Temp\ClamWin1.log moved successfully.
File C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Temp\Perflib_Perfdata_f98.dat not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT scheduled to be moved on reboot.
File C:\WINDOWS\temp\hsperfdata_SYSTEM\1860 not found!
File C:\WINDOWS\temp\hsperfdata_SYSTEM\292 not found!
C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Application Data\Mozilla\Firefox\Profiles\25ayg1v9.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Application Data\Mozilla\Firefox\Profiles\25ayg1v9.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Application Data\Mozilla\Firefox\Profiles\25ayg1v9.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Application Data\Mozilla\Firefox\Profiles\25ayg1v9.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Erik.FDSI-PRIVATE\Local Settings\Application Data\Mozilla\Firefox\Profiles\25ayg1v9.default\XUL.mfl moved successfully.

Registry entries deleted on Reboot...

#6
Tigger93
Posted 21 January 2009 - 04:27 PM

    Forum Deity

  • Moderators
  • PipPipPipPipPipPip
  • 1,648 posts
  • Gender:Male
Please post a new HijackThis log.

#7
poiuyt2
Posted 21 January 2009 - 04:34 PM

    New Member

  • Members
  • Pip
  • 7 posts
Here is my new HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:11 AM, on 1/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Polaris Auto-Print\bin\wrapper.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\WINDOWS\SYSTEM32\PDFCreatorMessages.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\CVS Manager\MyService.exe
C:\Program Files\Apache Software Foundation\Tomcat-5\bin\tomcat5.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\winpt-0.7.96-exe\WinPT.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [PDFCreatorClient] C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-556418474-1633761096-3573652574-1009\..\Run: [Sonic RecordNow!] (User 'postgres')
O4 - HKUS\S-1-5-21-556418474-1633761096-3573652574-1009\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'postgres')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.polaris
O15 - Trusted Zone: http://assessment.polarishealth.com
O15 - Trusted Zone: http://*.sf12b
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fdsi-private.fielddiagnostics.com
O17 - HKLM\Software\..\Telephony: DomainName = fdsi-private.fielddiagnostics.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fdsi-private.fielddiagnostics.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = fdsi-private.fielddiagnostics.com
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = fdsi-private.fielddiagnostics.com
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Polaris Auto Print (autoprint) - Unknown owner - c:\Program Files\Polaris Auto-Print\bin\wrapper.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd - C:\WINDOWS\SYSTEM32\PDFCreatorMessages.exe
O23 - Service: PostgreSQL Database Server 8.1 (pgsql-8.1) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.1\bin\pg_ctl.exe
O23 - Service: Polaris CVS Manager - Alexandria Software Consulting + Multiplan Consultants - C:\Program Files\CVS Manager\MyService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat-5\bin\tomcat5.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8810 bytes

#8
Tigger93
Posted 21 January 2009 - 07:41 PM

    Forum Deity

  • Moderators
  • PipPipPipPipPipPip
  • 1,648 posts
  • Gender:Male
Go ahead and delete this folder:
C:\OtScanIT\

You look clean. Are you still having any problems?

#9
poiuyt2
Posted 21 January 2009 - 08:03 PM

    New Member

  • Members
  • Pip
  • 7 posts
I still have a problem with search engine results. If I clear my cache/history/temporary files and go to Google and do a search for "dogs", for example, I have attached the results of the screen shot. In the screen shot example, the second result is "Dogs & Puppies -- Next Day Pets" but the green text under the result indicates a different site. Clicking on the link directs to the spam site in green text.

This happens in both IE and Netscape and at search engines other than Google.

Also, I don't have a C:\OtScanIT\ directory. I have C:\_OTScanIt and C:\Program Files\Mozilla Firefox\OTScanIt2 directories. Just wanted to make sure I understood what you were suggesting I delete.

Thanks.

Attached Files


#10
Tigger93
Posted 21 January 2009 - 09:34 PM

    Forum Deity

  • Moderators
  • PipPipPipPipPipPip
  • 1,648 posts
  • Gender:Male
Yes delete C:\_OTScanIt

Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
C:\WINDOWS\system32\drivers\TDSSmqlt.sys 
C:\windows\system32\drivers\tdssserv.sys
C:\WINDOWS\system32\drivers\TDSSmact.sys
C:\WINDOWS\system32\drivers\TDSSrvdc.sys 
C:\WINDOWS\system32\TDSSwpyd.dat 
C:\WINDOWS\system32\TDSStkdv.log  
C:\WINDOWS\system32\TDSSotxb.dll 
C:\WINDOWS\system32\TDSScrrn.dll 
C:\WINDOWS\system32\TDSSbvqh.dll 
C:\WINDOWS\system32\TDSSjnmx.dll
c:\windows\system32\TDSShrxr.dll
c:\windows\system32\TDSSkkbi.log
c:\windows\system32\TDSSlrvd.dat
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqt.dll
c:\windows\system32\TDSSrhyp.log
c:\windows\system32\TDSSrtqp.dll
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSSxfum.dll
C:\WINDOWS\SYSTEM32\qoMfefde.dll

Drivers to delete:
tdssserv

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata 
HKEY_LOCAL_MACHINE\SOFTWARE\tdss 
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys 
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys 
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv 
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV
  • In the avenger window, click the Paste Script from Clipboard icon, Posted Image button.
  • :!: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

#11
poiuyt2
Posted 21 January 2009 - 09:49 PM

    New Member

  • Members
  • Pip
  • 7 posts
Here are the Avenger results. I had one false start you'll see in the logs when there was a prompt/warning I hadn't expected from your instructions. I hit cancel then did it again, dismissing the warning.

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Wed Jan 21 16:40:08 2009

16:40:06: Warning: Skipping potentially dangerous line:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" (Registry key deletion mode)
16:40:08: Error: Execution aborted by user!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\windows\system32\drivers\tdssserv.sys" not found!
Deletion of file "C:\windows\system32\drivers\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\TDSSmact.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSmact.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\TDSSrvdc.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSrvdc.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSSwpyd.dat" not found!
Deletion of file "C:\WINDOWS\system32\TDSSwpyd.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSStkdv.log" not found!
Deletion of file "C:\WINDOWS\system32\TDSStkdv.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSSotxb.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSotxb.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSScrrn.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSScrrn.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSSbvqh.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSbvqh.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\TDSSjnmx.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSjnmx.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSShrxr.dll" not found!
Deletion of file "c:\windows\system32\TDSShrxr.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSSkkbi.log" not found!
Deletion of file "c:\windows\system32\TDSSkkbi.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSSlrvd.dat" not found!
Deletion of file "c:\windows\system32\TDSSlrvd.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSSlxwp.dll" not found!
Deletion of file "c:\windows\system32\TDSSlxwp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSSnmxh.log" not found!
Deletion of file "c:\windows\system32\TDSSnmxh.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSSoiqt.dll" not found!
Deletion of file "c:\windows\system32\TDSSoiqt.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSSrhyp.log" not found!
Deletion of file "c:\windows\system32\TDSSrhyp.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSSrtqp.dll" not found!
Deletion of file "c:\windows\system32\TDSSrtqp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSSsihc.dll" not found!
Deletion of file "c:\windows\system32\TDSSsihc.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\TDSSxfum.dll" not found!
Deletion of file "c:\windows\system32\TDSSxfum.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\SYSTEM32\qoMfefde.dll" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\qoMfefde.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdssserv" not found!
Deletion of driver "tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

#12
Tigger93
Posted 21 January 2009 - 11:57 PM

    Forum Deity

  • Moderators
  • PipPipPipPipPipPip
  • 1,648 posts
  • Gender:Male
Download ComboFix from one of the locations below, and save it to your Desktop.
[indent] Link 1
Link 2 [/indent]Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick Combofix's window while its running. That may cause it to stall

#13
poiuyt2
Posted 22 January 2009 - 02:34 PM

    New Member

  • Members
  • Pip
  • 7 posts
I believe my problem has been solved by your latest suggestion. My search engine results are normal again. I am not aware of any problems on the machine related to malware. Thank you very much for your help.

Here is the combofix log and, below it, the HijackThis log:

ComboFix 09-01-21.02 - erik 2009-01-22 9:11:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1342 [GMT -5:00]
Running from: c:\documents and settings\Erik.FDSI-PRIVATE\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\123.txt
c:\program files\alexa toolbar
c:\windows\Downloaded Program Files\Temp
c:\windows\Downloaded Program Files\Temp\pmupd806.xml
c:\windows\system32\drivers\fad.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wanpacket.dll
c:\windows\system32\wdmaud.sys
c:\windows\system32\wpcap.dll
E:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-12-22 to 2009-01-22 )))))))))))))))))))))))))))))))
.

2009-01-21 14:54 . 2009-01-21 14:54 80,067 --a------ C:\sshot.GIF
2009-01-21 14:38 . 2009-01-14 15:09 410,112 --a------ C:\COMSConsumerIntake_A.rpt
2009-01-20 11:24 . 2009-01-20 11:24 <DIR> d-------- c:\program files\Trend Micro
2009-01-20 10:56 . 2009-01-20 10:56 21,580 --a------ C:\polaris.log.2009-01-16
2009-01-19 13:12 . 2009-01-19 13:12 <DIR> d-------- c:\documents and settings\Erik.FDSI-PRIVATE\Application Data\Malwarebytes
2009-01-19 13:11 . 2009-01-19 13:12 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-19 13:11 . 2009-01-19 13:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-19 13:11 . 2009-01-14 16:11 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-19 13:11 . 2009-01-14 16:11 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-16 15:51 . 2009-01-16 15:53 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-16 15:51 . 2009-01-19 13:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-16 11:59 . 2009-01-16 12:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
2009-01-16 11:58 . 2009-01-16 11:58 <DIR> d-------- c:\program files\Common Files\iS3
2009-01-16 11:58 . 2009-01-16 12:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-01-16 11:52 . 2009-01-16 11:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-16 11:52 . 2009-01-16 11:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2009-01-16 11:17 . 2009-01-16 11:49 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-16 09:39 . 2009-01-16 09:39 <DIR> d-------- c:\program files\ParetoLogic
2009-01-16 09:39 . 2009-01-16 09:39 <DIR> d-------- c:\program files\Common Files\ParetoLogic
2009-01-16 09:39 . 2009-01-16 09:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-01-16 09:38 . 2009-01-16 09:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Cached Installations
2009-01-15 14:39 . 2009-01-15 14:39 <DIR> d-------- c:\program files\Alwil Software
2009-01-13 13:26 . 2009-01-13 10:44 3,509 --a------ C:\ServiceTokenRetriever.class
2009-01-09 08:58 . 2009-01-08 16:26 9,047 --a------ C:\edit_consumer.jsp
2009-01-08 12:50 . 2009-01-08 12:51 <DIR> d-------- C:\darssa2
2009-01-07 11:23 . 2009-01-07 11:23 <DIR> d-------- c:\program files\Polaris Auto-Print
2009-01-06 10:17 . 2009-01-06 10:17 39,424 --a------ C:\Configuring a Kiosk Member Computer.doc
2008-12-31 10:16 . 2009-01-06 10:45 <DIR> d-------- C:\dutch_mh

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-21 19:25 --------- d-----w c:\documents and settings\Erik.FDSI-PRIVATE\Application Data\AdobeUM
2009-01-20 18:17 --------- d-----w c:\program files\Symantec_Client_Security
2009-01-20 18:15 --------- d-----w c:\program files\Symantec
2009-01-20 18:14 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-15 22:20 --------- d-----w c:\program files\KeyStore Explorer 2.3_2
2009-01-15 18:48 102,664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-01-15 14:33 --------- d-----w c:\program files\ClamWin
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-20 14:29 4,523 ----a-w C:\friendshiphouse_youth.zip
2008-11-18 13:49 7,205,511 ----a-w C:\pics.zip
2008-01-04 18:09 56,912 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\g2mdlhlpx.exe
2006-08-03 13:08 483,401 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\gotomypc_314.exe
2006-05-01 16:09 462,919 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\276_gotomypc.exe
2006-03-14 15:42 563,712 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\370_gotomypc.exe
2006-01-09 20:03 3,167,744 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\gosetup.exe
2005-11-18 18:20 0 -c--a-w c:\program files\larson.csv
2005-09-30 13:59 483,401 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\314_gotomypc.exe
2005-08-29 20:29 483,401 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\gotomypc.exe
2004-12-01 19:27 5,212,168 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\web_1129.zip
2004-11-24 15:18 2,629,178 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\new_www.zip
2004-11-23 16:14 318,793 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\doug.zip
2004-11-17 20:30 1,352,976 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\new_life_upgrade.zip
2004-09-30 15:52 19,445 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\WS.ZIP
2004-09-28 19:07 2,074,662 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\autoexport.zip
2004-08-31 19:27 29,550,025 -c--a-w c:\documents and settings\Erik.FDSI-PRIVATE\MH_SETUPEX.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-26 204800]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2004-03-24 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-11 196608]
"PDFCreatorClient"="c:\program files\JawsSystems\Jaws PDF Creator\PDFClient.exe" [2003-12-09 315392]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2008-11-09 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2004-05-11 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-10-31 11:01 8704 c:\windows\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= wdmaud.sys

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 VADriver;VADriver;c:\windows\SYSTEM32\DRIVERS\VADriver.sys [2004-06-08 3712]
R4 autoprint;Polaris Auto Print;c:\program files\Polaris Auto-Print\bin\wrapper.exe [2009-01-07 135168]
R4 pgsql-8.1;PostgreSQL Database Server 8.1;c:\program files\PostgreSQL\8.1\bin\pg_ctl.exe [2005-11-05 68289]
R4 Polaris CVS Manager;Polaris CVS Manager;c:\program files\CVS Manager\MyService.exe [2005-06-01 57344]
R4 Tomcat5;Apache Tomcat;c:\program files\Apache Software Foundation\Tomcat-5\bin\tomcat5.exe [2004-08-28 94208]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-11 24652]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90c3b98a-8b21-11d9-90a1-00038a000015}]
\Shell\AutoRun\command - SetupWizard.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-01-22 c:\windows\Tasks\backup_in.job
- c:\program files\Qualcomm\Eudora\backup_in.bat [2004-09-22 15:44]

2009-01-16 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\SYSTEM32\CLEANMGR.EXE [2004-08-04 02:56]

2009-01-22 c:\windows\Tasks\download_websecure_BU.job
- c:\shared\websecure\backup_FTP\download.bat [2007-09-27 12:36]

2009-01-22 c:\windows\Tasks\get_kpsatss_and_phdsec.job
- c:\shared\encrypted_kpsatss_bu\get_kpsatss_and_phdsec.bat [2007-07-27 12:19]

2009-01-21 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 12:25]

2009-01-22 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 12:25]

2009-01-22 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 09:04]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKLM-Run-URLLSTCK.exe - c:\program files\Norton Internet Security\UrlLstCk.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
Trusted Zone: polaris
Trusted Zone: polarishealth.com\assessment
Trusted Zone: sf12b
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\Erik.FDSI-PRIVATE\Application Data\Mozilla\Firefox\Profiles\25ayg1v9.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 09:14:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Licenses\Visible Advantage\{B0000136-50CF-11D1-A140-0000F802C250}]
@Denied: (A 1 2 3 4) (Everyone)
@="The component {B0000136-50CF-11D1-A140-0000F802C250} is licensed for use on this machine by LICENSED VIA SWREG . Any modification or duplication of this information is in direct violation of Canadian and international copyright laws. c:\\test\\temp.htm989f135c1770000100002d8d93d430e353f8a"

[HKEY_LOCAL_MACHINE\software\Classes\Licenses\Visible Advantage\{B0000167-50CF-11D1-A140-0000F802C250}]
@Denied: (A 1 2 3 4) (Everyone)
@="The component {B0000167-50CF-11D1-A140-0000F802C250} is licensed for use on this machine by LICENSED VIA SWREG . Any modification or duplication of this information is in direct violation of Canadian and international copyright laws. c:\\test\\temp.htm989f135c17700001000010a858abba675bf8a"

[HKEY_LOCAL_MACHINE\software\Classes\Licenses\Visible Advantage\{B5A0FEC8-888C-4A31-8154-C46A3B57FC91}]
@Denied: (A 1 2 3 4) (Everyone)
@="The component {B5A0FEC8-888C-4A31-8154-C46A3B57FC91} is licensed for use on this machine by LICENSED VIA SWREG . Any modification or duplication of this information is in direct violation of Canadian and international copyright laws. c:\\test\\temp.htm989f135c177000010000654ade9877d073f8a"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\windows\SYSTEM32\PDFCreatorMessages.exe
c:\windows\SYSTEM32\java.exe
c:\program files\PostgreSQL\8.1\bin\postmaster.exe
c:\windows\wanmpsvc.exe
c:\program files\PostgreSQL\8.1\bin\postgres.exe
c:\program files\PostgreSQL\8.1\bin\postgres.exe
c:\program files\PostgreSQL\8.1\bin\postgres.exe
c:\program files\PostgreSQL\8.1\bin\postgres.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-01-22 9:27:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-22 14:27:17

Pre-Run: 5,066,637,312 bytes free
Post-Run: 4,973,793,280 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=4 Default=4 Failed=3 LastKnownGood=2 Sets=1,2,3,4
211 --- E O F --- 2009-01-14 07:03:51





And here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:30, on 2009-01-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Polaris Auto-Print\bin\wrapper.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\WINDOWS\SYSTEM32\PDFCreatorMessages.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\CVS Manager\MyService.exe
C:\Program Files\Apache Software Foundation\Tomcat-5\bin\tomcat5.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [PDFCreatorClient] C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-556418474-1633761096-3573652574-1009\..\Run: [Sonic RecordNow!] (User 'postgres')
O4 - HKUS\S-1-5-21-556418474-1633761096-3573652574-1009\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'postgres')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.polaris
O15 - Trusted Zone: http://assessment.polarishealth.com
O15 - Trusted Zone: http://*.sf12b
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fdsi-private.fielddiagnostics.com
O17 - HKLM\Software\..\Telephony: DomainName = fdsi-private.fielddiagnostics.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fdsi-private.fielddiagnostics.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = fdsi-private.fielddiagnostics.com
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = fdsi-private.fielddiagnostics.com
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Polaris Auto Print (autoprint) - Unknown owner - c:\Program Files\Polaris Auto-Print\bin\wrapper.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd - C:\WINDOWS\SYSTEM32\PDFCreatorMessages.exe
O23 - Service: PostgreSQL Database Server 8.1 (pgsql-8.1) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.1\bin\pg_ctl.exe
O23 - Service: Polaris CVS Manager - Alexandria Software Consulting + Multiplan Consultants - C:\Program Files\CVS Manager\MyService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat-5\bin\tomcat5.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8285 bytes

#14
Tigger93
Posted 22 January 2009 - 10:31 PM

    Forum Deity

  • Moderators
  • PipPipPipPipPipPip
  • 1,648 posts
  • Gender:Male
Go start -> run and type in combofix /u to remove Combofix.

Restart your computer and post a new HJT log please.
Back to Resolved HijackThis Logs · Next Unread Topic →


1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. Malwarebytes Forum
  2. Computer Help
  3. Malware Removal - HijackThis Logs
  4. Resolved HijackThis Logs

Products

About

Partners

Follow Us