
Search Engine Hijack


15 replies to this topic

#1 MattyD23


Posted 01 January 2009 - 07:58 PM

Hey guys,

I have Windows XP on my computer and I'm pretty sure I've come down with one of those search engine redirecting viruses. I use Mozilla Firefox as my generic browser, and when I use the search feature (no matter if it's Google, Yahoo, or anything else) I get the results fine. Then, when I click on the site I want to be taken to, I am redirected to some totally different site. I've studied the redirections at the bottom of my browser, and I noticed it follows the same pattern every search. The numbers 216.195.52.100 appear first, followed by iad.xml.search.miva.com, and then it will take me to the redirected site. The virus also prevents me from downloading or installing specific malware programs like Malwarebytes, and won't let me access specific sites that have to do with antivirus programs or pretty much anything that can possibly help me rid myself of this nasty virus.

I've already run Norton Anti-Virus scans, Adaware, Regcure, and Yahoo Anti-Spy but none of these programs have been able to remove this virus. I would greatly appreciate any help you guys can supply me with! Thanks in advance for all your help!


Here's the DDS log (the attach log is attached):


DDS (Version 1.1.0) - NTFSx86
Run by Matt Dobi at 19:20:27.42 on Thu 01/01/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.378 [GMT -5:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)
AV: Norton 360 *On-access scanning disabled* (Outdated)
FW: Norton 360 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Matt Dobi\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: {c85151fd-a006-39d9-2184-c01cff47d5a6}: {6a5d74ff-c10c-4812-9d93-600adf15158c} - c:\windows\system32\dvqfhk.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: {a78deae0-cf02-4409-83de-b9a4c6ef9960} - c:\windows\system32\urqOGVOI.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
EB: SpeedRunner Bar: {cafb2180-ba09-11dc-95ff-0800200c9a66} - %SystemRoot%\system32\shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [PackersScreenServer] "c:\program files\packersscreenserver\PackersScreenServer.exe" -tb
uRun: [Pareto_Update] c:\program files\common files\paretologic\uus2\Pareto_Update.exe
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Notify: gzipmod - gzipmod.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\urqOGVOI

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mattdo~1\applic~1\mozilla\firefox\profiles\d8whe4km.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - component: c:\program files\mozilla firefox\components\srff.dll
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-12-14 109616]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-9-1 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-9-1 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-9-1 170408]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20080213.036\NAVENG.SYS [2008-12-14 82256]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20080213.036\NAVEX15.SYS [2008-12-14 895312]

=============== Created Last 30 ================

2009-01-01 13:21 1,307,356 ---sh--- c:\windows\system32\ewmciqgi.ini
2009-01-01 13:21 72,704 a------- c:\windows\system32\igqicmwe.dll
2009-01-01 13:21 129,024 a------- c:\windows\system32\ehalxp.dll
2009-01-01 13:21 129,024 a------- c:\windows\system32\ljjgodfy.dll
2008-12-31 23:37 1,307,356 ---sh--- c:\windows\system32\rhuopucd.ini
2008-12-31 23:37 72,704 -------- c:\windows\system32\dcupouhr.dll
2008-12-31 23:37 129,024 a------- c:\windows\system32\dvqfhk.dll
2008-12-31 23:37 129,024 a------- c:\windows\system32\poslywdw.dll
2008-12-31 20:37 <DIR> --d----- c:\program files\Trend Micro
2008-12-31 15:19 <DIR> --d----- c:\docume~1\mattdo~1\applic~1\ParetoLogic
2008-12-31 15:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic
2008-12-31 15:18 <DIR> --d----- c:\program files\ParetoLogic
2008-12-31 15:18 <DIR> --d----- c:\program files\common files\ParetoLogic
2008-12-31 15:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Downloaded Installations
2008-12-30 23:37 1,307,356 ---sh--- c:\windows\system32\crbgrujn.ini
2008-12-30 23:37 72,704 a------- c:\windows\system32\njurgbrc.dll
2008-12-30 23:35 129,024 a------- c:\windows\system32\crmoea.dll
2008-12-30 23:35 129,024 a------- c:\windows\system32\reucwivq.dll
2008-12-30 11:53 <DIR> --d----- c:\program files\Norton 360
2008-12-30 11:22 1,307,356 ---sh--- c:\windows\system32\wcaxqeme.ini
2008-12-30 11:19 129,024 a------- c:\windows\system32\ggtivq.dll
2008-12-30 11:19 129,024 a------- c:\windows\system32\ceecnlsc.dll
2008-12-29 11:19 1,308,203 ---sh--- c:\windows\system32\gpwlbnvs.ini
2008-12-28 15:40 22,016 a------- c:\windows\system32\~.exe
2008-12-28 14:34 1,306,974 ---sh--- c:\windows\system32\hxdwbkvo.ini
2008-12-27 14:32 1,306,974 ---sh--- c:\windows\system32\ommkufty.ini
2008-12-27 14:32 72,704 a------- c:\windows\system32\ytfukmmo.dll
2008-12-27 12:19 1,301,095 ---sh--- c:\windows\system32\nmlklrmg.ini
2008-12-27 12:19 72,704 a------- c:\windows\system32\gmrlklmn.dll
2008-12-27 08:43 <DIR> --d----- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2008-12-25 11:53 1,661,209 ---sh--- c:\windows\system32\asiuebka.ini
2008-12-24 19:04 <DIR> --d----- c:\windows\woiz
2008-12-24 19:04 <DIR> --d----- c:\program files\common files\woiz
2008-12-24 17:17 1,661,209 ---sh--- c:\windows\system32\icjlfall.ini
2008-12-23 17:15 1,661,209 ---sh--- c:\windows\system32\ticysory.ini
2008-12-23 12:13 1,661,209 ---sh--- c:\windows\system32\npmcwroc.ini
2008-12-22 14:06 <DIR> --d----- c:\program files\Network Monitor
2008-12-22 14:06 <DIR> --dsh--- c:\windows\TWF0dCBEb2Jp
2008-12-22 14:01 <DIR> --d----- c:\docume~1\mattdo~1\applic~1\SpeedRunner
2008-12-22 12:22 <DIR> --d----- c:\program files\Webtools
2008-12-22 12:18 <DIR> --d----- c:\program files\Mjcore
2008-12-22 12:11 1,661,209 ---sh--- c:\windows\system32\gahmvucc.ini
2008-12-21 12:17 1,661,209 ---sh--- c:\windows\system32\qbgwvyyq.ini
2008-12-21 12:16 724,791 a--sh--- c:\windows\system32\IOVGOqru.ini2
2008-12-21 12:16 724,791 a--sh--- c:\windows\system32\IOVGOqru.ini
2008-12-21 12:16 302,592 a------- c:\windows\system32\urqOGVOI.dll
2008-12-21 12:11 <DIR> --d----- c:\docume~1\mattdo~1\applic~1\gadcom
2008-12-14 16:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2008-12-14 13:46 <DIR> --d----- c:\program files\common files\Scanner
2008-12-14 11:24 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-14 11:24 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2008-12-14 11:24 10,563 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-14 11:24 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-14 11:24 <DIR> --d----- c:\program files\Symantec
2008-12-08 16:39 68,144 a------- c:\windows\system32\tremir.bin

==================== Find3M ====================

2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 08:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 08:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 13:41 262,144 a------- C:\ntuser.dat
2008-10-15 11:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 02:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 02:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2007-11-14 19:22 1,164,456 a------- c:\program files\install_flash_player.exe
2007-09-23 15:37 7,002,776 a------- c:\program files\packerssetup.exe
2007-09-20 22:18 436,360 a------- c:\program files\msgr8us.exe
2007-09-02 09:47 9,953,914 a------- c:\program files\CCAAgent_Setup.exe
2007-02-04 11:09 9,418,520 a------- c:\program files\FullTiltSetup.exe
2007-01-30 19:39 359,112 a------- c:\program files\LimeWireWin.exe
2007-01-30 19:28 6,168,096 a------- c:\program files\PokerStarsInstall.exe
2008-09-25 17:00 0 a--sh--- c:\windows\system32\duhavevo.dll
2008-09-25 17:00 0 a--sh--- c:\windows\system32\fapateni.dll
2008-09-25 17:00 0 a--sh--- c:\windows\system32\lomehane.dll
2008-09-07 10:39 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090720080908\index.dat

============= FINISH: 19:26:33.79 ===============

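The DDS logs in this thread carry the tell-tale pattern a helper reads first: pairs of random-named DLLs created in system32 in the same minute as a hidden+system .ini file, an LSA Authentication Packages entry that lists a second package after msv1_0, and a Run entry that launches a system32 DLL through rundll32. The Python script below is an added example, not DDS, BleepingComputer or anyone in this thread's code; it parses the "Pseudo HJT Report" and "Created Last 30" sections of a DDS-format log and returns those findings. The sample log embedded in it is constructed in the same format; every file name, size and path in it is made up rather than taken from the poster's machine.

```python
"""Triage helper for DDS-style logs (added example; not a DDS or BleepingComputer tool).

It reads two sections of a DDS log, "Pseudo HJT Report" and "Created Last 30",
and returns the findings a helper looks at first:
  * LSA Authentication Packages beyond the stock msv1_0
  * Run entries that launch a DLL under system32 via rundll32
  * files created directly in system32 with hidden+system attributes
  * other system32 files written in the same minute as such a hidden file
The sample log is constructed for this example in the DDS format; names are made up.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r'''
============== Pseudo HJT Report ===============

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [1a2b3c4d] rundll32.exe "c:\windows\system32\qwzxplmk.dll",b
LSA: Authentication Packages = msv1_0 c:\windows\system32\zzyyxxww

=============== Created Last 30 ================

2009-01-01 13:21 1,307,356 ---sh--- c:\windows\system32\aaaabbbb.ini
2009-01-01 13:21 72,704 a------- c:\windows\system32\bbbbaaaa.dll
2009-01-01 13:21 129,024 a------- c:\windows\system32\ccccdddd.dll
2008-12-30 11:53 <DIR> --d----- c:\program files\Norton 360
2008-12-14 11:24 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
'''

SYS32 = "c:\\windows\\system32\\"
# date time  size-or-<DIR>  8-char attribute field  path
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.+)$")
RUN_RE = re.compile(r"^[um]Run: \[([^\]]+)\]\s+(.+)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(c:\\windows\\system32\\[^",]+\.dll)', re.IGNORECASE)


def system32_child(path):
    """True for a file directly under system32 (subfolders such as drivers\\ are excluded)."""
    return path.startswith(SYS32) and "\\" not in path[len(SYS32):]


def triage(log_text):
    """Return a list of (finding_kind, detail) tuples for a DDS-format log."""
    findings = []
    created = []
    for raw in log_text.splitlines():
        line = raw.strip()
        low = line.lower()
        if low.startswith("lsa: authentication packages"):
            # Anything listed besides msv1_0 is an extra authentication package.
            for pkg in low.split("=", 1)[1].split():
                if pkg != "msv1_0":
                    findings.append(("lsa_auth_package", pkg))
            continue
        m = RUN_RE.match(line)
        if m:
            d = RUNDLL_RE.search(m.group(2))
            if d:
                findings.append(("rundll32_run", d.group(1).lower()))
            continue
        m = CREATED_RE.match(line)
        if m:
            stamp, size, attrs, path = m.groups()
            created.append((stamp, size, attrs, path.lower()))

    by_stamp = defaultdict(list)  # minute -> non-hidden system32 files created then
    hidden_stamps = set()
    for stamp, size, attrs, path in created:
        if not system32_child(path):
            continue
        is_dir = "d" in attrs
        if not is_dir and "h" in attrs and "s" in attrs:
            findings.append(("hidden_system32", path))
            hidden_stamps.add(stamp)
        else:
            by_stamp[stamp].append(path)
    # Files dropped in the same minute as a hidden system32 file are flagged as a cluster.
    for stamp in sorted(hidden_stamps):
        for path in by_stamp.get(stamp, []):
            findings.append(("drop_cluster", path))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:18} {detail}")
```

The timestamp clustering is the useful part: a hidden .ini plus same-minute DLLs of identical size is a dropper signature, and the script surfaces the DLLs even though their own attributes look ordinary. The system32_child check deliberately skips drivers\ so legitimate vendor drivers installed at the same time as an antivirus product are not swept into a cluster.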

 


#2 bamajim


Posted 09 January 2009 - 10:19 AM

MattyD23

Please download Combofix and save to your desktop. Note: It is important that it is saved directly to your desktop.
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.

Microsoft MVP - Windows Security

#3 MattyD23


Posted 09 January 2009 - 01:48 PM

As I mentioned before, I am unable to install programs like combofix and have them work properly on my computer because of this virus. The virus is so picky that I cannot even access BleepingComputer from the infected pc. I have to use my desktop to get here to post. Since I cannot directly download combofix to my pc, I attempted to download the combofix file by writing it to a CD, as well as transferring it by USB to my cpu, but the program wouldn't start either time. The program would download fine to my pc, but then when I double clicked on it, nothing would happen. A process would show up under my windows task manager, but the program would not run. It's not my antivirus programs interfering with it either, as I disabled both of them prior to even installing combofix.

#4 bamajim


Posted 09 January 2009 - 02:18 PM

MattyD23

O.K. It may take a couple of runs at this to completely remove so please be patient.

Let's use this tool.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
    (How to extract (decompress) zipped or compressed files, help in the link here: )
2. Copy all the text contained in the bold below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to Delete:
c:\windows\system32\icjlfall.ini
c:\windows\system32\ticysory.ini
c:\windows\system32\npmcwroc.ini
c:\windows\system32\gahmvucc.ini
c:\windows\system32\qbgwvyyq.ini
c:\windows\system32\IOVGOqru.ini2
c:\windows\system32\IOVGOqru.ini
c:\windows\system32\urqOGVOI.dll
c:\windows\system32\wcaxqeme.ini
c:\windows\system32\ggtivq.dll
c:\windows\system32\ceecnlsc.dll
c:\windows\system32\gpwlbnvs.ini
c:\windows\system32\~.exe
c:\windows\system32\hxdwbkvo.ini
c:\windows\system32\ommkufty.ini
c:\windows\system32\ytfukmmo.dll
c:\windows\system32\nmlklrmg.ini
c:\windows\system32\gmrlklmn.dll
c:\windows\system32\asiuebka.ini
c:\windows\system32\crbgrujn.ini
c:\windows\system32\njurgbrc.dll
c:\windows\system32\crmoea.dll
c:\windows\system32\reucwivq.dll
c:\windows\system32\ewmciqgi.ini
c:\windows\system32\igqicmwe.dll
c:\windows\system32\ehalxp.dll
c:\windows\system32\ljjgodfy.dll
c:\windows\system32\rhuopucd.ini
c:\windows\system32\dcupouhr.dll
c:\windows\system32\dvqfhk.dll
c:\windows\system32\poslywdw.dll

Folders to Delete:
c:\program files\Network Monitor
c:\windows\TWF0dCBEb2Jp
c:\docume~1\mattdo~1\applic~1\SpeedRunner
c:\program files\Webtools
c:\program files\Mjcore
c:\docume~1\mattdo~1\applic~1\gadcom
c:\docume~1\alluse~1\applic~1\SecTaskMan


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Select Load Script
  • Select Paste from Clipboard
  • The information should now appear in the Open window
  • Select Execute
  • Answer Yes when prompted "Are you sure you want to execute the current script?"
4. The Avenger will automatically do the following:
  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh DDS log
Microsoft MVP - Windows Security

#5 MattyD23


Posted 10 January 2009 - 03:02 PM

Here's the Avenger File:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:


Completed script processing.

*******************

Finished! Terminate.



Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:


Completed script processing.

*******************

Finished! Terminate.



Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:


Completed script processing.

*******************

Finished! Terminate.



Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:


Completed script processing.

*******************

Finished! Terminate.



//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sat Jan 10 14:43:02 2009

14:43:02: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSguew.sys
Start Type: 1 (System)

Rootkit scan completed.


Error: could not open file ":\windows\system32\icjlfall.ini"
Deletion of file ":\windows\system32\icjlfall.ini" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist

File "c:\windows\system32\ticysory.ini" deleted successfully.
File "c:\windows\system32\npmcwroc.ini" deleted successfully.
File "c:\windows\system32\gahmvucc.ini" deleted successfully.
File "c:\windows\system32\qbgwvyyq.ini" deleted successfully.
File "c:\windows\system32\IOVGOqru.ini2" deleted successfully.
File "c:\windows\system32\IOVGOqru.ini" deleted successfully.

Error: file "c:\windows\system32\urqOGVOI.dll" not found!
Deletion of file "c:\windows\system32\urqOGVOI.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\wcaxqeme.ini" deleted successfully.

Error: file "c:\windows\system32\ggtivq.dll" not found!
Deletion of file "c:\windows\system32\ggtivq.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\ceecnlsc.dll" not found!
Deletion of file "c:\windows\system32\ceecnlsc.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\gpwlbnvs.ini" deleted successfully.

Error: file "c:\windows\system32\~.exe" not found!
Deletion of file "c:\windows\system32\~.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\hxdwbkvo.ini" deleted successfully.
File "c:\windows\system32\ommkufty.ini" deleted successfully.

Error: file "c:\windows\system32\ytfukmmo.dll" not found!
Deletion of file "c:\windows\system32\ytfukmmo.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\nmlklrmg.ini" deleted successfully.

Error: file "c:\windows\system32\gmrlklmn.dll" not found!
Deletion of file "c:\windows\system32\gmrlklmn.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\asiuebka.ini" deleted successfully.
File "c:\windows\system32\crbgrujn.ini" deleted successfully.

Error: file "c:\windows\system32\njurgbrc.dll" not found!
Deletion of file "c:\windows\system32\njurgbrc.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\crmoea.dll" not found!
Deletion of file "c:\windows\system32\crmoea.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\reucwivq.dll" not found!
Deletion of file "c:\windows\system32\reucwivq.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\ewmciqgi.ini" deleted successfully.

Error: file "c:\windows\system32\igqicmwe.dll" not found!
Deletion of file "c:\windows\system32\igqicmwe.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\ehalxp.dll" not found!
Deletion of file "c:\windows\system32\ehalxp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\ljjgodfy.dll" not found!
Deletion of file "c:\windows\system32\ljjgodfy.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\rhuopucd.ini" deleted successfully.

Error: file "c:\windows\system32\dcupouhr.dll" not found!
Deletion of file "c:\windows\system32\dcupouhr.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\dvqfhk.dll" not found!
Deletion of file "c:\windows\system32\dvqfhk.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\poslywdw.dll" not found!
Deletion of file "c:\windows\system32\poslywdw.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "c:\program files\Network Monitor" not found!
Deletion of folder "c:\program files\Network Monitor" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "c:\windows\TWF0dCBEb2Jp" deleted successfully.

Error: folder "c:\docume~1\mattdo~1\applic~1\SpeedRunner" not found!
Deletion of folder "c:\docume~1\mattdo~1\applic~1\SpeedRunner" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "c:\program files\Webtools" not found!
Deletion of folder "c:\program files\Webtools" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "c:\program files\Mjcore" not found!
Deletion of folder "c:\program files\Mjcore" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "c:\docume~1\mattdo~1\applic~1\gadcom" not found!
Deletion of folder "c:\docume~1\mattdo~1\applic~1\gadcom" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "c:\docume~1\alluse~1\applic~1\SecTaskMan" not found!
Deletion of folder "c:\docume~1\alluse~1\applic~1\SecTaskMan" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.


Here's the DDS File:
DDS (Version 1.1.0) - NTFSx86
Run by Matt Dobi at 14:52:51.59 on Sat 01/10/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.411 [GMT -5:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)
AV: Norton 360 *On-access scanning disabled* (Outdated)
FW: Norton 360 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Documents and Settings\Matt Dobi\Application Data\PackersScreenServer\bin\ss.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Matt Dobi\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: {c85151fd-a006-39d9-2184-c01cff47d5a6}: {6a5d74ff-c10c-4812-9d93-600adf15158c} - c:\windows\system32\dvqfhk.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: {ca3cb7ab-cd4d-4f2f-b814-c96dc5abb55f} - c:\windows\system32\urqOGVOI.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
EB: SpeedRunner Bar: {cafb2180-ba09-11dc-95ff-0800200c9a66} - %SystemRoot%\system32\shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [PackersScreenServer] "c:\program files\packersscreenserver\PackersScreenServer.exe" -tb
uRun: [Pareto_Update] c:\program files\common files\paretologic\uus2\Pareto_Update.exe
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [8c9232c9] rundll32.exe "c:\windows\system32\bitsajqh.dll",b
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Notify: gzipmod - gzipmod.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\urqOGVOI

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mattdo~1\applic~1\mozilla\firefox\profiles\d8whe4km.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - component: c:\program files\mozilla firefox\components\srff.dll
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-2-18 149352]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-2-18 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-2-18 149352]
R2 McAfeeFramework;McAfee Framework Service;"c:\program files\mcafee\common framework\FrameworkService.exe" /ServiceStart [2008-9-1 104000]
R2 McShield;McAfee McShield;"c:\program files\mcafee\virusscan enterprise\Mcshield.exe" [2007-2-22 144960]
R2 McTaskManager;McAfee Task Manager;"c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe" [2007-2-22 54872]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-12-14 109616]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-9-1 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-9-1 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-9-1 170408]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20080213.036\NAVENG.SYS [2008-12-14 82256]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20080213.036\NAVEX15.SYS [2008-12-14 895312]
S2 Network Monitor; ; []
S2 Viewpoint Manager Service;Viewpoint Manager Service; []
S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-12-30 1245064]

=============== Created Last 30 ================

2009-01-09 18:08 129,024 a------- c:\windows\system32\qukvbh.dll
2009-01-09 18:08 129,024 a------- c:\windows\system32\vkoldnyv.dll
2009-01-09 18:08 1,257,552 a--sh--- c:\windows\system32\hqjastib.ini
2009-01-09 18:08 72,704 a------- c:\windows\system32\bitsajqh.dll
2009-01-08 18:09 129,024 a------- c:\windows\system32\eyigmi.dll
2009-01-08 18:09 129,024 a------- c:\windows\system32\eyiflqpu.dll
2009-01-08 18:06 1,250,178 a--sh--- c:\windows\system32\nyxdgdxc.ini
2009-01-07 18:06 1,321,922 a--sh--- c:\windows\system32\ssqqspbq.ini
2009-01-07 18:05 129,024 a------- c:\windows\system32\yydotm.dll
2009-01-07 18:05 129,024 a------- c:\windows\system32\ynmltfmn.dll
2009-01-06 18:08 129,024 a------- c:\windows\system32\oxblbq.dll
2009-01-06 18:08 129,024 a------- c:\windows\system32\flgtfsxw.dll
2009-01-06 18:05 1,321,922 a--sh--- c:\windows\system32\lkxkieva.ini
2009-01-05 18:08 1,306,349 a--sh--- c:\windows\system32\ctipxuot.ini
2009-01-04 12:41 1,307,356 a--sh--- c:\windows\system32\atnfeget.ini
2009-01-04 12:41 72,704 a------- c:\windows\system32\tegefnta.dll
2009-01-04 12:38 129,024 a------- c:\windows\system32\tlhkrn.dll
2009-01-04 12:38 129,024 a------- c:\windows\system32\yaitomel.dll
2009-01-03 12:40 1,307,356 a--sh--- c:\windows\system32\ilbnkyiu.ini
2009-01-03 12:37 129,024 a------- c:\windows\system32\hsahes.dll
2009-01-03 12:37 129,024 a------- c:\windows\system32\mxjycuyo.dll
2009-01-02 13:24 129,024 a------- c:\windows\system32\rmswyd.dll
2009-01-02 13:24 1,307,356 a--sh--- c:\windows\system32\ijfwfglc.ini
2009-01-02 13:24 129,024 a------- c:\windows\system32\lccdytvr.dll
2008-12-31 20:37 <DIR> --d----- c:\program files\Trend Micro
2008-12-31 15:19 <DIR> --d----- c:\docume~1\mattdo~1\applic~1\ParetoLogic
2008-12-31 15:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic
2008-12-31 15:18 <DIR> --d----- c:\program files\ParetoLogic
2008-12-31 15:18 <DIR> --d----- c:\program files\common files\ParetoLogic
2008-12-31 15:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Downloaded Installations
2008-12-30 11:53 <DIR> --d----- c:\program files\Norton 360
2008-12-27 08:43 <DIR> --d----- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2008-12-24 19:04 <DIR> --d----- c:\windows\woiz
2008-12-24 19:04 <DIR> --d----- c:\program files\common files\woiz
2008-12-24 17:17 1,661,209 a--sh--- c:\windows\system32\icjlfall.ini
2008-12-14 13:46 <DIR> --d----- c:\program files\common files\Scanner
2008-12-14 11:24 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-14 11:24 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2008-12-14 11:24 10,563 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-14 11:24 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-14 11:24 <DIR> --d----- c:\program files\Symantec

==================== Find3M ====================

2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-08 16:41 68,144 a------- c:\windows\system32\tremir.bin
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 08:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 08:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 13:41 262,144 a------- C:\ntuser.dat
2008-10-15 11:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 02:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 02:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2007-11-14 19:22 1,164,456 a------- c:\program files\install_flash_player.exe
2007-09-23 15:37 7,002,776 a------- c:\program files\packerssetup.exe
2007-09-20 22:18 436,360 a------- c:\program files\msgr8us.exe
2007-09-02 09:47 9,953,914 a------- c:\program files\CCAAgent_Setup.exe
2007-02-04 11:09 9,418,520 a------- c:\program files\FullTiltSetup.exe
2007-01-30 19:39 359,112 a------- c:\program files\LimeWireWin.exe
2007-01-30 19:28 6,168,096 a------- c:\program files\PokerStarsInstall.exe
2008-09-25 17:00 0 a--sh--- c:\windows\system32\duhavevo.dll
2008-09-25 17:00 0 a--sh--- c:\windows\system32\fapateni.dll
2008-09-25 17:00 0 a--sh--- c:\windows\system32\lomehane.dll
2008-09-07 10:39 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090720080908\index.dat

============= FINISH: 14:54:32.07 ===============



The attach portion of the DDS log is attached.




#6 bamajim

bamajim

  • Members
  • 894 posts

Posted 12 January 2009 - 09:59 AM

MattyD23

Nice work. We are going to repeat the procedure with a new script file.

1. Rerun Avenger
2. Copy all the text contained in the bold below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to Delete:
TDSSserv.sys

Files to Delete:
C:Windows\system32\drivers\TDSSguew.sys
C:\windows\system32\icjlfall.ini
c:\windows\system32\dvqfhk.dll
c:\windows\system32\urqOGVOI.dll
c:\windows\system32\qukvbh.dll
c:\windows\system32\vkoldnyv.dll
c:\windows\system32\hqjastib.ini
c:\windows\system32\bitsajqh.dll
c:\windows\system32\eyigmi.dll
c:\windows\system32\eyiflqpu.dll
c:\windows\system32\nyxdgdxc.ini
c:\windows\system32\ssqqspbq.ini
c:\windows\system32\yydotm.dll
c:\windows\system32\ynmltfmn.dll
c:\windows\system32\oxblbq.dll
c:\windows\system32\flgtfsxw.dll
c:\windows\system32\lkxkieva.ini
c:\windows\system32\ctipxuot.ini
c:\windows\system32\atnfeget.ini
c:\windows\system32\tegefnta.dll
c:\windows\system32\tlhkrn.dll
c:\windows\system32\yaitomel.dll
c:\windows\system32\ilbnkyiu.ini
c:\windows\system32\hsahes.dll
c:\windows\system32\mxjycuyo.dll
c:\windows\system32\rmswyd.dll
c:\windows\system32\ijfwfglc.ini
c:\windows\system32\lccdytvr.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Select Load Script
  • Select Paste from Clipboard
  • The information should now appear in the Open window
  • Select Execute
  • Answer Yes when prompted "Are you sure you want to execute the current script?"
4. The Avenger will automatically do the following:
  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh DDS log
Microsoft MVP - Windows Security

#7 MattyD23

MattyD23
  • Topic Starter

  • Members
  • 12 posts

Posted 16 January 2009 - 03:32 PM

Here's the Avenger LogFile:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSguew.sys
Start Type: 4 (Disabled)

Rootkit scan completed.

Driver "TDSSserv.sys" deleted successfully.

Error: could not open file "C:Windows\system32\drivers\TDSSguew.sys"
Deletion of file "C:Windows\system32\drivers\TDSSguew.sys" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist

File "C:\windows\system32\icjlfall.ini" deleted successfully.

Error: file "c:\windows\system32\dvqfhk.dll" not found!
Deletion of file "c:\windows\system32\dvqfhk.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\urqOGVOI.dll" not found!
Deletion of file "c:\windows\system32\urqOGVOI.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\qukvbh.dll" deleted successfully.
File "c:\windows\system32\vkoldnyv.dll" deleted successfully.
File "c:\windows\system32\hqjastib.ini" deleted successfully.
File "c:\windows\system32\bitsajqh.dll" deleted successfully.
File "c:\windows\system32\eyigmi.dll" deleted successfully.
File "c:\windows\system32\eyiflqpu.dll" deleted successfully.
File "c:\windows\system32\nyxdgdxc.ini" deleted successfully.
File "c:\windows\system32\ssqqspbq.ini" deleted successfully.
File "c:\windows\system32\yydotm.dll" deleted successfully.
File "c:\windows\system32\ynmltfmn.dll" deleted successfully.
File "c:\windows\system32\oxblbq.dll" deleted successfully.
File "c:\windows\system32\flgtfsxw.dll" deleted successfully.
File "c:\windows\system32\lkxkieva.ini" deleted successfully.
File "c:\windows\system32\ctipxuot.ini" deleted successfully.
File "c:\windows\system32\atnfeget.ini" deleted successfully.
File "c:\windows\system32\tegefnta.dll" deleted successfully.
File "c:\windows\system32\tlhkrn.dll" deleted successfully.
File "c:\windows\system32\yaitomel.dll" deleted successfully.
File "c:\windows\system32\ilbnkyiu.ini" deleted successfully.
File "c:\windows\system32\hsahes.dll" deleted successfully.
File "c:\windows\system32\mxjycuyo.dll" deleted successfully.
File "c:\windows\system32\rmswyd.dll" deleted successfully.
File "c:\windows\system32\ijfwfglc.ini" deleted successfully.
File "c:\windows\system32\lccdytvr.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Here's the DDS Log:

DDS (Version 1.1.0) - NTFSx86
Run by Matt Dobi at 15:25:52.51 on Fri 01/16/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.549 [GMT -5:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)
AV: Norton 360 *On-access scanning disabled* (Outdated)
FW: Norton 360 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Documents and Settings\Matt Dobi\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: {6a5d74ff-c10c-4812-9d93-600adf15158c}: {c85151fd-a006-39d9-2184-c01cff47d5a6}
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
{ca3cb7ab-cd4d-4f2f-b814-c96dc5abb55f}
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
EB: SpeedRunner Bar: {cafb2180-ba09-11dc-95ff-0800200c9a66} - %SystemRoot%\system32\shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [PackersScreenServer] "c:\program files\packersscreenserver\PackersScreenServer.exe" -tb
uRun: [Pareto_Update] c:\program files\common files\paretologic\uus2\Pareto_Update.exe
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [8c9232c9] rundll32.exe "c:\windows\system32\bitsajqh.dll",b
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Notify: gzipmod - gzipmod.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\urqOGVOI

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mattdo~1\applic~1\mozilla\firefox\profiles\d8whe4km.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - component: c:\program files\mozilla firefox\components\srff.dll
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-2-18 149352]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-2-18 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-2-18 149352]
R2 McAfeeFramework;McAfee Framework Service;"c:\program files\mcafee\common framework\FrameworkService.exe" /ServiceStart [2008-9-1 104000]
R2 McShield;McAfee McShield;"c:\program files\mcafee\virusscan enterprise\Mcshield.exe" [2007-2-22 144960]
R2 McTaskManager;McAfee Task Manager;"c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe" [2007-2-22 54872]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-12-14 109616]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-9-1 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-9-1 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-9-1 170408]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20080213.036\NAVENG.SYS [2008-12-14 82256]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20080213.036\NAVEX15.SYS [2008-12-14 895312]
S2 Network Monitor; ; []
S2 Viewpoint Manager Service;Viewpoint Manager Service; []
S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-12-30 1245064]

=============== Created Last 30 ================

2008-12-31 20:37 <DIR> --d----- c:\program files\Trend Micro
2008-12-31 15:19 <DIR> --d----- c:\docume~1\mattdo~1\applic~1\ParetoLogic
2008-12-31 15:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic
2008-12-31 15:18 <DIR> --d----- c:\program files\ParetoLogic
2008-12-31 15:18 <DIR> --d----- c:\program files\common files\ParetoLogic
2008-12-31 15:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Downloaded Installations
2008-12-30 11:53 <DIR> --d----- c:\program files\Norton 360
2008-12-27 08:43 <DIR> --d----- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2008-12-24 19:04 <DIR> --d----- c:\windows\woiz
2008-12-24 19:04 <DIR> --d----- c:\program files\common files\woiz

==================== Find3M ====================

2009-01-15 23:15 2,715 a------- c:\windows\system32\TDSSfaky.dll
2009-01-08 18:31 31,232 a------- c:\windows\system32\TDSSqreh.dll
2009-01-08 18:31 29,696 a------- c:\windows\system32\TDSSwrwy.dll
2009-01-08 18:31 35,840 a------- c:\windows\system32\TDSSbswm.dll
2009-01-08 18:31 60,416 a------- c:\windows\system32\drivers\TDSSguew.sys
2008-12-30 11:46 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-30 11:46 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2008-12-30 11:46 10,563 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-30 11:46 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-08 16:41 68,144 a------- c:\windows\system32\tremir.bin
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2007-11-14 19:22 1,164,456 a------- c:\program files\install_flash_player.exe
2007-09-23 15:37 7,002,776 a------- c:\program files\packerssetup.exe
2007-09-20 22:18 436,360 a------- c:\program files\msgr8us.exe
2007-09-02 09:47 9,953,914 a------- c:\program files\CCAAgent_Setup.exe
2007-02-04 11:09 9,418,520 a------- c:\program files\FullTiltSetup.exe
2007-01-30 19:39 359,112 a------- c:\program files\LimeWireWin.exe
2007-01-30 19:28 6,168,096 a------- c:\program files\PokerStarsInstall.exe
2008-09-25 17:00 0 a--sh--- c:\windows\system32\duhavevo.dll
2008-09-25 17:00 0 a--sh--- c:\windows\system32\fapateni.dll
2008-09-25 17:00 0 a--sh--- c:\windows\system32\lomehane.dll
2008-09-07 10:39 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090720080908\index.dat

============= FINISH: 15:26:48.70 ===============


And as always, the attached file is attached. Thank you for all your help so far, it is greatly appreciated!




#8 bamajim

bamajim

  • Members
  • 894 posts

Posted 19 January 2009 - 09:05 AM

MattyD23

Sorry for the delay.

I. We are going to use Avenger one more time.

1. Rerun Avenger
2. Copy all the text contained in the bold below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to Delete:
c:\windows\system32\drivers\TDSSguew.sys

Files to Delete:
c:\windows\system32\TDSSfaky.dll
c:\windows\system32\TDSSqreh.dll
c:\windows\system32\TDSSwrwy.dll
c:\windows\system32\TDSSbswm.dll
c:\windows\system32\drivers\TDSSguew.sys
c:\windows\system32\bitsajqh.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Select Load Script
  • Select Paste from Clipboard
  • The information should now appear in the Open window
  • Select Execute
  • Answer Yes when prompted "Are you sure you want to execute the current script?"
4. The Avenger will automatically do the following:
  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply

II. Your log does show you are running 2 Antivirus programs: Norton (symantec) and McAfee.

Running 2 Antivirus programs is never a good idea.
Since they both do the same job, running 2 can cause conflicts, system slowdowns, and may even allow some malware to slip by.
I recommend that you uninstall one of them through Add or Remove Programs.

And in your reply tell me which one you decided to keep.
Microsoft MVP - Windows Security
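The Avenger script format used in the two posts above, and the per-entry outcome lines in the avenger.txt log posted between them, are simple enough to check mechanically. The following Python is an added example, not part of The Avenger or of bamajim's instructions: it lints the script's file entries for malformed paths (the "C:Windows\..." drive-letter typo that produced STATUS_OBJECT_PATH_NOT_FOUND in the log) and reconciles the script against the log to list what was not confirmed deleted. The sample script and log text are constructed from entries in this thread.

```python
"""Added example: lint an Avenger deletion script and reconcile it against the
avenger.txt it produced. Not part of The Avenger or of this thread's advice."""
import re

# Constructed sample script: a subset of the one in post #6, including the
# malformed first file entry (missing backslash after the drive letter).
SAMPLE_SCRIPT = """\
Drivers to Delete:
TDSSserv.sys

Files to Delete:
C:Windows\\system32\\drivers\\TDSSguew.sys
C:\\windows\\system32\\icjlfall.ini
c:\\windows\\system32\\dvqfhk.dll
"""

# Constructed sample of the matching avenger.txt lines (format as in post #7).
SAMPLE_LOG = """\
Driver "TDSSserv.sys" deleted successfully.

Error: could not open file "C:Windows\\system32\\drivers\\TDSSguew.sys"
Deletion of file "C:Windows\\system32\\drivers\\TDSSguew.sys" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist

File "C:\\windows\\system32\\icjlfall.ini" deleted successfully.

Error: file "c:\\windows\\system32\\dvqfhk.dll" not found!
Deletion of file "c:\\windows\\system32\\dvqfhk.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
"""

SECTION_RE = re.compile(r"^(Drivers|Files|Folders) to Delete:$", re.I)
# Well-formed absolute Windows path: drive letter, colon, backslash, then only
# characters NTFS allows in names plus path separators.
ABS_PATH_RE = re.compile(r'^[A-Za-z]:\\[^<>:"|?*\x00-\x1f]+$')
DELETED_RE = re.compile(r'^(?:File|Driver|Folder) "(.+)" deleted successfully\.$')
FAILED_RE = re.compile(r'^Deletion of (?:file|driver|folder) "(.+)" failed!$')
STATUS_RE = re.compile(r"^Status: (0x[0-9a-fA-F]+) \((\w+)\)$")


def parse_script(text):
    """Return {'drivers': [...], 'files': [...], ...} from an Avenger script."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def lint_script(text):
    """File entries that are not well-formed absolute paths; these fail with
    STATUS_OBJECT_PATH_NOT_FOUND instead of deleting anything."""
    # Driver entries are service names, not paths, so only 'files' is checked.
    return [e for e in parse_script(text).get("files", []) if not ABS_PATH_RE.match(e)]


def parse_log(text):
    """Map each lower-cased target in avenger.txt to ('deleted', None) or
    ('failed', NTSTATUS name)."""
    results, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = DELETED_RE.match(line)
        if m:
            results[m.group(1).lower()] = ("deleted", None)
            continue
        m = FAILED_RE.match(line)
        if m:
            pending = m.group(1).lower()
            results[pending] = ("failed", None)
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            # The Status line follows its 'failed!' line; attach the NTSTATUS name.
            results[pending] = ("failed", m.group(2))
            pending = None
    return results


def unresolved(script_text, log_text):
    """Script entries not confirmed deleted, as (entry, outcome, status)."""
    outcomes = parse_log(log_text)
    out = []
    for entries in parse_script(script_text).values():
        for entry in entries:
            outcome, status = outcomes.get(entry.lower(), ("missing from log", None))
            if outcome != "deleted":
                out.append((entry, outcome, status))
    return out


if __name__ == "__main__":
    for bad in lint_script(SAMPLE_SCRIPT):
        print("malformed path, fix before running:", bad)
    for entry, outcome, status in unresolved(SAMPLE_SCRIPT, SAMPLE_LOG):
        print(f"{outcome:>16} {status or '':<32} {entry}")
```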

#9 MattyD23

MattyD23
  • Topic Starter

  • Members
  • 12 posts

Posted 20 January 2009 - 06:55 PM

Here's the Avenger Logfile:


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\c:\windows\system32\drivers\TDSSguew.sys" not found!
Deletion of driver "c:\windows\system32\drivers\TDSSguew.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\TDSSfaky.dll" deleted successfully.
File "c:\windows\system32\TDSSqreh.dll" deleted successfully.
File "c:\windows\system32\TDSSwrwy.dll" deleted successfully.
File "c:\windows\system32\TDSSbswm.dll" deleted successfully.
File "c:\windows\system32\drivers\TDSSguew.sys" deleted successfully.

Error: file "c:\windows\system32\bitsajqh.dll" not found!
Deletion of file "c:\windows\system32\bitsajqh.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************


Finished! Terminate.



I have to keep McAfee because my version of Norton 360 is not compatible with my college's internet service. They made me download McAfee and uninstall Norton back in September, and I only reinstalled it recently to see if it could find and delete my virus because McAfee couldn't find it. I have successfully uninstalled Norton 360, and McAfee is now the only installed AV on my computer. Thanks again for all your help thus far!

#10 bamajim

bamajim

  • Members
  • 894 posts

Posted 21 January 2009 - 09:37 AM

MattyD23

Nice work.

Do you have Hijackthis installed? I would like to see a hijackthis log. If not, here are the instructions:

Please download HJT Installer from Here to your desktop.
If not available use this alternate link: Here. Double click on the HJTInstall.exe.
At the next window select Install.
It will be installed by default here: C:\Program Files\Trend Micro\HijackThis.
A shortcut to the application will also be placed on your Desktop.
The program will open automatically after installation.
Select "Do a system scan and save logfile"
It will open in Notepad. Save it to your Desktop.
Before closing HJT, please click on the AnalyzeThis button. "Analyze This" is for use by TrendMicro, and DOES NOT mean "Analyze My Log". You will need to post your log on the Hijackthis Board.
Close the web page that appears and then close the program.
Open the Hijackthis log you saved to your desktop and copy and paste the results as a reply to this thread.
Use the Hijackthis shortcut to run future scans.

Microsoft MVP - Windows Security

#11 MattyD23

MattyD23
  • Topic Starter

  • Members
  • 12 posts

Posted 21 January 2009 - 05:53 PM

Here's the HijackThis Logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:52 PM, on 1/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Matt Dobi\Application Data\PackersScreenServer\bin\ss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: {c85151fd-a006-39d9-2184-c01cff47d5a6} - {6a5d74ff-c10c-4812-9d93-600adf15158c} - (no file)
O2 - BHO: (no name) - {CA3CB7AB-CD4D-4F2F-B814-C96DC5ABB55F} - (no file)
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [8c9232c9] rundll32.exe "C:\WINDOWS\system32\bitsajqh.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PackersScreenServer] "C:\Program Files\PackersScreenServer\PackersScreenServer.exe" -tb
O4 - HKCU\..\Run: [Pareto_Update] C:\Program Files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - Winlogon Notify: gzipmod - gzipmod.dll (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)

--
End of file - 5153 bytes

#12 bamajim

  • Members
  • 894 posts

Posted 21 January 2009 - 08:09 PM

MattyD23

1. Rerun HijackThis (scan only) and place checks beside the following entries:
O2 - BHO: {c85151fd-a006-39d9-2184-c01cff47d5a6} - {6a5d74ff-c10c-4812-9d93-600adf15158c} - (no file)
O2 - BHO: (no name) - {CA3CB7AB-CD4D-4F2F-B814-C96DC5ABB55F} - (no file)
O4 - HKLM\..\Run: [8c9232c9] rundll32.exe "C:\WINDOWS\system32\bitsajqh.dll",b
O20 - Winlogon Notify: gzipmod - gzipmod.dll (file missing)

2. Close all other open windows except HijackThis and select "Fix checked".

3. Close HijackThis ->> Reboot your PC ->> Rerun HijackThis and post a fresh HijackThis log.
Microsoft MVP - Windows Security
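An added example, not part of the thread and not bamajim's or HijackThis's own logic: a small Python triage over HijackThis O2/O4/O20/O23 lines that encodes the pattern behind the four entries picked above. The log lines embedded below are copied from the logs posted in this thread (before and after the fix); the "fix" versus "note" split and the regexes are my heuristics. Orphaned BHOs ("(no file)"), a rundll32-loaded DLL sitting under a Run value whose name is nothing but a hex token, and a Winlogon Notify package whose DLL is gone land in "fix". A service entry with "(file missing)" (here the Dell WLAN tray service, which bamajim did not list) is commonly a leftover from an uninstalled driver, so it only lands in "note".

```python
import re

# Constructed sample: HijackThis lines copied from the logs posted in this
# thread, trimmed to the sections the triage looks at.
LOG_BEFORE_FIX = r"""
O2 - BHO: {c85151fd-a006-39d9-2184-c01cff47d5a6} - {6a5d74ff-c10c-4812-9d93-600adf15158c} - (no file)
O2 - BHO: (no name) - {CA3CB7AB-CD4D-4F2F-B814-C96DC5ABB55F} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [8c9232c9] rundll32.exe "C:\WINDOWS\system32\bitsajqh.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: gzipmod - gzipmod.dll (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)
"""

LOG_AFTER_FIX = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)
"""

# "O4 - HKLM\..\Run: [Name] command" style lines
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# rundll32 launching a DLL by path plus an export name, e.g. rundll32.exe "...\x.dll",b
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?,(\S+)', re.I)
# Run value name that is only a hex token, with no product name (heuristic)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,}$", re.I)


def parse_entries(log):
    """Yield (section, body, raw_line) for every 'Oxx - ...' line in a HijackThis log."""
    for raw in log.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            yield m.group(1), m.group(2), raw


def triage(log):
    """Return {'fix': [(line, reason), ...], 'note': [(line, reason), ...]}.

    'fix' holds the kind of entry removed in this thread with 'Fix checked';
    'note' holds entries worth a look that are often leftover legitimate software.
    """
    out = {"fix": [], "note": []}
    for section, body, raw in parse_entries(log):
        if section == "O2" and body.endswith("(no file)"):
            out["fix"].append((raw, "BHO CLSID registered but its DLL is gone"))
        elif section == "O4":
            m = O4_RE.match(body)
            if not m:
                continue
            value_name, command = m.group(3), m.group(4)
            rd = RUNDLL_RE.match(command)
            if rd and HEX_NAME_RE.match(value_name):
                out["fix"].append((raw, f"rundll32 loads {rd.group(1)} via export '{rd.group(2)}' under a hex-only Run value name"))
            elif rd:
                out["note"].append((raw, "rundll32-launched DLL; confirm the DLL belongs to a known product"))
        elif section == "O20" and "(file missing)" in body:
            out["fix"].append((raw, "Winlogon Notify package whose DLL is missing; nothing legitimate depends on it"))
        elif section == "O23" and "(file missing)" in body:
            out["note"].append((raw, "service binary missing; often a leftover from an uninstalled driver, check before removing"))
    return out


def fix_lines(log):
    """Just the raw lines a user would tick in HijackThis."""
    return [line for line, _ in triage(log)["fix"]]


if __name__ == "__main__":
    result = triage(LOG_BEFORE_FIX)
    for line, reason in result["fix"]:
        print("FIX ", line, "\n     ->", reason)
    for line, reason in result["note"]:
        print("NOTE", line, "\n     ->", reason)
    print("still flagged after the fix:", fix_lines(LOG_AFTER_FIX))
```

Run against the first log it returns exactly the four lines bamajim listed; run against the fresh log from the next post it returns nothing in "fix", which is the check to make before declaring the machine clean.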

#13 MattyD23
  • Topic Starter

  • Members
  • 12 posts

Posted 22 January 2009 - 05:56 PM

Here's the fresh log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:53:45 PM, on 1/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Matt Dobi\Application Data\PackersScreenServer\bin\ss.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PackersScreenServer] "C:\Program Files\PackersScreenServer\PackersScreenServer.exe" -tb
O4 - HKCU\..\Run: [Pareto_Update] C:\Program Files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)

--
End of file - 4835 bytes

#14 bamajim

  • Members
  • 894 posts

Posted 23 January 2009 - 09:59 AM

MattyD23

How's your PC running now?
Microsoft MVP - Windows Security

#15 MattyD23
  • Topic Starter

  • Members
  • 12 posts

Posted 23 January 2009 - 11:49 AM

It's running fantastically. It runs faster, I can access any web page, and I can use my search engine and actually make it through to the link I click on. It doesn't appear there are any more signs of the search engine hijacker that I was plagued with before. Thanks for all your help, Bamajim; it is truly appreciated!



