Spyware/Trojan - Tidserv C Domain Request / Search results getting redirected

Post by akg32 on 25th February 2010, 4:52 pm

My system has been infected with a Trojan that appears to be the "Tidserv C Domain Request", based on my searching. What happens is that when I run a Google (or Bing, Yahoo, etc) search, I receive a list of search results as normal, but then when I click on any of the results links, about 90% of the time I get redirected, first to some fake-appearing search page, and then immediately to "[You must be registered and logged in to see this link.]". Also, on occasion some browser windows spontaneously open, first to the fake search page and then to the above Google link. Overall it seems to have also affected my system performance and stability as well.

My HijackThis log is posted below - I'm grateful for any help you can provide. Thanks.

--

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:31 AM, on 2/25/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Brownie\BrstsWnd.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\proquota.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\akg14980\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Documents and Settings\akg14980\Desktop\winlogon.scr

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Workshare3GW] C:\Program Files\Workshare\Modules\WMConfigAssistant.exe /userinit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\akg14980\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Convert link target to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Google Sidewiki... - [You must be registered and logged in to see this link.] Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O16 - DPF: CabCCT - [You must be registered and logged in to see this link.]
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = firm.omm.com
O17 - HKLM\Software\..\Telephony: DomainName = firm.omm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = firm.omm.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 13878 bytes

akg32
Novice
Posts : 11
Joined : 2010-01-12
OS : Windows XP Professional

Re: Spyware/Trojan - Tidserv C Domain Request / Search results getting redirected

Post by Belahzur on 25th February 2010, 10:48 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555



  • Press "Fix Checked"
  • Close Hijack This.

Remove the Proxy setting in Internet Explorer and/or in FireFox.

    In Internet Explorer
  1. Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "Use a proxy server", or reconfigure the proxy server again in case you have set it previously.

    In Firefox
  1. Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection -> Choose "No Proxy"
  2. Click the apply button and restart that computer in normal mode.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
OS : XP SP3 Media Centre
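As an added example (not part of Belahzur's post, and not a HijackThis or Malwarebytes feature), here is a small Python script that applies the same reading to a HijackThis log automatically. It flags an R1 ProxyServer entry that points at 127.0.0.1, the setting the fix above removes, because it routes the browser's HTTP traffic through a listener on the same machine. It also flags a running process that carries a core Windows filename but lives outside the Windows directory. The sample lines are constructed from the log posted above; the indicator list is this example's own assumption. The second check is only a lead: as the thread later shows, the desktop winlogon.scr was HijackThis renamed by the helper, not malware.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread, not code from the forum post, HijackThis or
Malwarebytes. The indicator list is this example's own assumption.
"""
import re
from dataclasses import dataclass

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Core Windows binaries whose names get borrowed. A match outside the Windows
# directory is only a lead: in this thread the desktop winlogon.scr turned out
# to be HijackThis renamed by the helper, not malware.
SYSTEM_NAMES = {"winlogon", "smss", "csrss", "lsass", "services", "svchost", "explorer"}

PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>.*)$")

# Constructed sample in the shape HijackThis v2.0.2 emits (taken from the log above).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\akg14980\Desktop\winlogon.scr

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
"""


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    line: str       # the log line that triggered it
    note: str       # what to verify before acting


def proxy_host(endpoint):
    """Host part of a proxy endpoint: '127.0.0.1:5555' -> '127.0.0.1', '[::1]:8080' -> '::1'."""
    endpoint = endpoint.strip()
    if endpoint.startswith("[") and "]" in endpoint:      # bracketed IPv6 with port
        return endpoint[1:endpoint.index("]")].lower()
    if endpoint.count(":") == 1:                            # host:port
        return endpoint.split(":", 1)[0].lower()
    return endpoint.lower()                                 # bare host or bare IPv6


def find_loopback_proxies(log_text):
    """Flag R1 ProxyServer entries that send browser traffic to a local listener.

    The value may be 'host:port' or a ';'-separated 'scheme=host:port' list,
    which is how Internet Settings stores per-protocol proxies.
    """
    findings = []
    for line in log_text.splitlines():
        m = PROXY_RE.search(line)
        if not line.startswith("R1 ") or not m:
            continue
        for part in m.group("value").split(";"):
            part = part.strip()
            if not part:
                continue
            endpoint = part.split("=", 1)[1] if "=" in part else part
            if proxy_host(endpoint) in LOOPBACK_HOSTS:
                findings.append(Finding(
                    "high", line,
                    f"browser traffic goes through a local listener at {endpoint}; "
                    "identify the owning process (netstat -ano / tasklist) before removing"))
    return findings


def find_misplaced_system_names(log_text):
    """Flag running processes with a core Windows name that live outside the Windows directory."""
    findings, in_procs = [], False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped == "Running processes:":
            in_procs = True
            continue
        if in_procs and not stripped:      # blank line ends the process list
            in_procs = False
        if not in_procs:
            continue
        stem = stripped.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
        if stem in SYSTEM_NAMES and "\\windows\\" not in stripped.lower():
            findings.append(Finding(
                "medium", stripped,
                "system binary name outside the Windows directory; confirm what the file "
                "is (here it was a renamed HijackThis) before treating it as malware"))
    return findings


def triage(log_text):
    """All findings, most severe first; the sort is stable so log order is kept within a severity."""
    findings = find_loopback_proxies(log_text) + find_misplaced_system_names(log_text)
    return sorted(findings, key=lambda f: {"high": 0, "medium": 1}[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.line}\n    {f.note}")
```

Before deleting a loopback proxy entry, confirm which process owns the port (on XP, netstat -ano together with tasklist /svc); some legitimate privacy and debugging tools also install a local proxy, so the registry value alone does not prove an infection.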

Re: Spyware/Trojan - Tidserv C Domain Request / Search results getting redirected

Post by akg32 on 25th February 2010, 11:07 pm

Thanks very much. I'm pasting below the contents of my MBAM log. I will now restart my system, and hopefully everything should be back to functioning normally. I do note, however, that one of the items MBAM found to be infected was the file that runs HijackThis - is this normal?


Re: Spyware/Trojan - Tidserv C Domain Request / Search results getting redirected

Post by akg32 on 25th February 2010, 11:12 pm

Apologies - here is the MBAM log:

Malwarebytes' Anti-Malware 1.44
Database version: 3793
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

2/25/2010 6:06:39 PM
mbam-log-2010-02-25 (18-06-39).txt

Scan type: Quick Scan
Objects scanned: 143630
Time elapsed: 12 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\akg14980\Desktop\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


Re: Spyware/Trojan - Tidserv C Domain Request / Search results getting redirected

Post by Belahzur on 25th February 2010, 11:19 pm

Hello.

Don't worry about that, it's just heuristics, because Hijack This is using a Windows system filename, but we have to do that to get around malware restrictions sometimes.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: Spyware/Trojan - Tidserv C Domain Request / Search results getting redirected

Post by akg32 on 26th February 2010, 12:46 am

OK thanks - here is my Combofix.txt pasted below. Please let me know if further action is necessary, and thanks for all your help.
--

ComboFix 10-02-25.02 - akg14980 02/25/2010 19:22:16.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1919.1352 [GMT -5:00]
Running from: c:\documents and settings\akg14980\Desktop\Combo-Fix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *disabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\akg14980\Application Data\iniasd.txt
c:\recycler\S-1-5-21-1960408961-1708537768-1343024091-500
c:\windows\akabica.reg
c:\windows\hawe.vbs
c:\windows\ocizetun._sy
c:\windows\srchasst\nls302en.lex
c:\windows\system32\win.ini
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\ucutusun.vbs

.
((((((((((((((((((((((((( Files Created from 2010-01-26 to 2010-02-26 )))))))))))))))))))))))))))))))
.

2010-02-25 07:11 . 2010-02-25 07:05 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-02-25 07:11 . 2010-02-25 07:05 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-02-25 07:05 . 2010-02-25 07:05 -------- d-----w- C:\$AVG
2010-02-25 07:04 . 2010-02-25 07:04 -------- d-----w- c:\program files\AVG
2010-02-25 06:46 . 2010-02-25 15:30 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-25 05:28 . 2010-02-09 22:02 93096 ----a-w- c:\windows\system32\IncContxMenu.dll
2010-02-25 05:28 . 2010-02-09 22:01 2164648 ----a-w- c:\windows\system32\Incinerator.dll
2010-02-25 05:28 . 2010-01-28 22:13 30208 ----a-w- c:\windows\system32\iolobtdfg.exe
2010-02-25 05:28 . 2010-01-28 22:13 12288 ----a-w- c:\windows\system32\smrgdf.exe
2010-02-25 05:28 . 2010-02-25 05:28 -------- d-----w- c:\program files\iolo
2010-02-24 23:55 . 2010-02-24 23:55 -------- d-----w- c:\program files\Alwil Software
2010-02-24 23:55 . 2010-02-24 23:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-05 15:39 . 2010-02-05 15:39 251376 ----a-w- c:\documents and settings\akg14980\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-02-01 16:49 . 2010-02-01 16:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-26 00:36 . 2007-06-18 16:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-25 07:02 . 2007-12-10 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-02-25 06:00 . 2004-08-03 22:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-25 05:29 . 2010-01-13 20:35 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2010-02-03 14:41 . 2010-01-13 23:14 1533 ----a-w- c:\documents and settings\akg14980\Application Data\iolo\restore.bat
2010-02-02 15:58 . 2009-07-02 01:33 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-01 16:44 . 2007-12-10 17:47 -------- d-----w- c:\program files\Google
2010-01-29 15:53 . 2010-01-21 00:46 -------- d-----w- c:\documents and settings\akg14980\Application Data\Move Networks
2010-01-21 14:48 . 2008-02-15 18:17 -------- d-----w- c:\documents and settings\akg14980\Application Data\Skype
2010-01-21 14:48 . 2008-02-15 18:24 -------- d-----w- c:\documents and settings\akg14980\Application Data\skypePM
2010-01-21 00:46 . 2010-01-21 00:46 144160 ----a-w- c:\documents and settings\akg14980\Application Data\Move Networks\uninstall.exe
2010-01-13 23:30 . 2010-01-13 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Sprint
2010-01-13 23:29 . 2008-09-01 19:26 -------- d-----w- c:\program files\Sierra Wireless
2010-01-13 23:29 . 2008-09-01 19:25 -------- d-----w- c:\program files\Common Files\Motorola Shared
2010-01-13 23:14 . 2010-01-13 20:35 -------- d-----w- c:\documents and settings\akg14980\Application Data\iolo
2010-01-13 20:40 . 2010-01-13 20:40 -------- d-----w- c:\documents and settings\LocalService\Application Data\iolo
2010-01-13 20:36 . 2010-01-13 20:36 74703 ----a-w- c:\windows\system32\mfc45.dll
2010-01-12 19:58 . 2009-10-14 04:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-12 19:51 . 2010-01-12 19:09 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-01-12 16:01 . 2009-10-14 04:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-07 21:07 . 2010-01-12 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2010-01-12 19:55 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-16 21:05 . 2010-01-14 04:20 471040 ----a-w- c:\documents and settings\akg14980\Application Data\Mozilla\Firefox\Profiles\yiok3rwy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
2009-12-16 21:05 . 2010-01-14 04:20 347136 ----a-w- c:\documents and settings\akg14980\Application Data\Mozilla\Firefox\Profiles\yiok3rwy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-16 21:05 . 2010-01-14 04:20 340992 ----a-w- c:\documents and settings\akg14980\Application Data\Mozilla\Firefox\Profiles\yiok3rwy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-16 21:05 . 2010-01-14 04:20 43008 ----a-w- c:\documents and settings\akg14980\Application Data\Mozilla\Firefox\Profiles\yiok3rwy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-16 21:05 . 2010-01-14 04:20 1452032 ----a-w- c:\documents and settings\akg14980\Application Data\Mozilla\Firefox\Profiles\yiok3rwy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-07 01:22 . 2009-12-07 01:22 97216 ----a-w- c:\documents and settings\akg14980\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-10-14 04:06 . 2009-10-14 04:06 16740 ----a-w- c:\program files\Common Files\uvibosyged.com
2009-10-14 04:06 . 2009-10-14 04:06 15289 ----a-w- c:\program files\Common Files\lizudecaq.exe
2009-10-14 04:06 . 2009-10-14 04:06 13621 ----a-w- c:\program files\Common Files\awutexelo.dat
2009-12-08 22:40 . 2007-12-10 20:03 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-10 68856]
"Google Update"="c:\documents and settings\akg14980\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-30 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-13 483328]
"Workshare3GW"="c:\program files\Workshare\Modules\WMConfigAssistant.exe" [2006-06-09 1609728]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe" [2004-10-07 161096]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-08 30192]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2008-09-18 880640]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 12451]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-6-18 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOscriptWait"= 300 (0x12c)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"ProfileQuotaMessage"= You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage.
"MaxProfileSize"= 30000 (0x7530)
"WarnUserTimeout"= 15 (0xf)
"ConnectHomeDirToRoot"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
"NoStartMenuEjectPC"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1417001333-179605362-839522115-43454\scripts\Logon\0\0]
"script"=ommIEseczone.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1417001333-179605362-839522115-43454\scripts\Logon\1\0]
"script"=lasertrak.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1417001333-179605362-839522115-43454\scripts\Logon\2\0]
"script"=addsubnetprinters.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1417001333-179605362-839522115-43454\scripts\Logon\3\0]
"script"=usr_logon-main.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1417001333-179605362-839522115-43454\scripts\Logon\3\1]
"script"=lprocess.vbs
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qexvvbwy

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\akg14980\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\akg14980\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [6/18/2007 10:29 AM 11026]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2/25/2010 12:28 AM 665008]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2/25/2010 12:28 AM 665008]
R2 iPCAgent;iPCAgent;c:\program files\iPass\iPassConnect\iPCAgent.exe [12/8/2007 3:12 PM 90112]
R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;c:\windows\system32\drivers\mdc80211.sys [12/8/2007 3:12 PM 15793]
R2 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [10/6/2004 7:56 PM 173392]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/3/2008 12:14 AM 24652]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [12/8/2007 3:14 PM 9049]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [6/18/2007 10:28 AM 36608]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 11:44 AM 135664]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [12/8/2007 3:14 PM 115008]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/10/2007 3:03 PM 30192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Office2003_FullInstall]
2007-01-09 19:51 207336 ----a-w- c:\program files\OMM\Clnicons.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{581432DF-FCAD-4201-A7D1-8ADEAFE68A2B}]
2005-05-03 19:58 78848 ----a-w- c:\windows\system32\msiexec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5A840B7D-AEB5-4298-9210-D9A97E29D7A2}]
2005-05-03 19:58 78848 ----a-w- c:\windows\system32\msiexec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7B153B16-57D0-4A25-930E-28D82BDE0C13}]
2005-05-03 19:58 78848 ----a-w- c:\windows\system32\msiexec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CA9BE80D-54B3-4AA8-AD72-4EF0CEAA0A98}]
2005-05-03 19:58 78848 ----a-w- c:\windows\system32\msiexec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\~{70D8E50D-0A74-453A-A23B-A2611D89B1DD}]
2005-05-03 19:58 78848 ----a-w- c:\windows\system32\msiexec.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-02-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-10 02:34]

2010-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 16:44]

2010-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 16:44]

2010-02-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-179605362-839522115-43454Core.job
- c:\documents and settings\akg14980\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-30 01:33]

2010-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-179605362-839522115-43454UA.job
- c:\documents and settings\akg14980\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-30 01:33]

2007-06-18 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-06-18 21:20]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: bna.com
Trusted Zone: cch.com
Trusted Zone: cchgroup.com
Trusted Zone: heinonline.org
Trusted Zone: lexis-nexis.com
Trusted Zone: lexis.com
Trusted Zone: lexisnexis.com
Trusted Zone: lexisone.com
Trusted Zone: nexis.com
Trusted Zone: omm.com
Trusted Zone: omm.com\*.intranet
Trusted Zone: omm.com\precedent.intranet
Trusted Zone: ommconnect.com
Trusted Zone: reed-elsevier.com
Trusted Zone: westlaw.com
Trusted Zone: bna.com
Trusted Zone: cch.com
Trusted Zone: cchgroup.com
Trusted Zone: heinonline.org
Trusted Zone: lexis-nexis.com
Trusted Zone: lexis.com
Trusted Zone: lexisnexis.com
Trusted Zone: lexisone.com
Trusted Zone: nexis.com
Trusted Zone: omm.com\*.intranet
Trusted Zone: ommconnect.com
Trusted Zone: reed-elsevier.com
Trusted Zone: westlaw.com
DPF: CabCCT - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\akg14980\Application Data\Mozilla\Firefox\Profiles\yiok3rwy.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\akg14980\Application Data\Mozilla\Firefox\Profiles\yiok3rwy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\documents and settings\akg14980\Application Data\Mozilla\Firefox\Profiles\yiok3rwy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\akg14980\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\akg14980\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
SafeBoot-ati5ejxx.sys
AddRemove-HijackThis - c:\documents and settings\akg14980\Desktop\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-02-25 19:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys >>UNKNOWN [0x8A4C2A9A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba96cfc3
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba6057b4
\Driver\iaStor -> iaStor.sys @ 0xba629b58
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582490
ParseProcedure -> ntkrnlpa.exe @ 0x805815d0
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582490
ParseProcedure -> ntkrnlpa.exe @ 0x805815d0
NDIS: Broadcom 4321AG 802.11a/b/g/draft-n Wi-Fi Adapter -> SendCompleteHandler -> NDIS.sys @ 0xba4ccba0
PacketIndicateHandler -> NDIS.sys @ 0xba4d9b21
SendHandler -> NDIS.sys @ 0xba4b787b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1740)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4176)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
c:\windows\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Adobe\Acrobat 7.0\Distillr\AcroDist.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\iPass\iPassConnect\downloader\ipccheck.exe
c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
c:\program files\iolo\System Mechanic\SMTrayNotify.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2010-02-25 19:42:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-26 00:42

Pre-Run: 38,051,725,312 bytes free
Post-Run: 38,930,231,296 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 796075971F8D09D22F14039D419095A9

akg32
Novice
Posts : 11
Joined : 2010-01-12
OS : Windows XP Professional
Points : 25351
Likes : 0

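Three lines in the ComboFix report above carry the finding, and they are easy to miss in 800 lines of output: a per-user proxy routing HTTP through 127.0.0.1:5555 (a local process sitting between the browser and the network is exactly where search clicks get rewritten, and Belahzur's CFScript later in the thread removes precisely this setting), Security Center monitoring switched off for both Symantec products, and an MBR-scanner call chain that passes through code it could not attribute to any loaded module. The Python below is an added example, not part of the thread and not ComboFix's own code; it reads a handful of lines copied from the report as a constructed sample and returns those findings. Two things in it are assumptions rather than facts from the page: that ComboFix's "u"/"m" prefix means current-user versus machine hive, and that DisableMonitoring is treated as a review item because security vendors set it themselves for products they register. Function names and severity labels are mine.

```python
"""Pull the actionable indicators out of a ComboFix report: a loopback proxy in
Internet Settings, Security Center monitoring switched off, and the MBR scanner's
UNKNOWN module in the disk I/O chain.
"""
import ipaddress
import re

# ComboFix prefixes browser settings with "u" (current-user hive) or "m" (machine
# hive); this reading of the notation is an assumption, not taken from the thread.
PROXY_RE = re.compile(r"^(?P<hive>[um])Internet Settings,ProxyServer\s*=\s*(?P<value>.*)$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DISABLE_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$')
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")

# Constructed sample: lines copied from the ComboFix report above.
SAMPLE_REPORT = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys >>UNKNOWN [0x8A4C2A9A]<<
"""


def parse_proxy_server(value):
    """Parse an Internet Settings ProxyServer string into {scheme: (host, port)}.

    Two layouts exist: "host:port" (one proxy for every protocol, keyed "*") and
    "http=host:port;https=host:port;..." (per protocol). Port is None if absent.
    """
    proxies = {}
    for part in (p.strip() for p in value.split(";")):
        if not part:
            continue
        scheme, _, endpoint = part.rpartition("=")
        host, sep, port = endpoint.rpartition(":")
        bare_v6 = ":" in host and not host.startswith("[")   # e.g. "::1" with no port
        if not sep or not port.isdigit() or bare_v6:
            host, port = endpoint, None
        else:
            port = int(port)
        proxies[scheme.strip() or "*"] = (host.strip("[]"), port)
    return proxies


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and the name localhost."""
    if host.lower().rstrip(".") == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def triage_combofix(text):
    """Return a list of (severity, message) findings from a ComboFix report."""
    findings, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        if DISABLE_RE.match(line) and current_key and "security center" in current_key.lower():
            # Vendors set this for products they register, so on its own it is a
            # review item, not proof of tampering (assumption stated in the lead-in).
            product = current_key.rsplit("\\", 1)[-1]
            findings.append(("review", "Security Center alerts suppressed for %s" % product))
            continue
        m = PROXY_RE.match(line)
        if m:
            hive = "HKCU" if m.group("hive") == "u" else "HKLM"
            for scheme, (host, port) in parse_proxy_server(m.group("value")).items():
                if is_loopback(host):
                    findings.append(("high", "%s %s proxy is loopback %s:%s, so a local process "
                                     "sits in the browser's path" % (hive, scheme, host, port)))
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            findings.append(("high", "disk I/O call chain passes through unattributed code at %s"
                             % m.group(1)))
    return findings


if __name__ == "__main__":
    for severity, msg in triage_combofix(SAMPLE_REPORT):
        print("[%s] %s" % (severity, msg))
```

A corporate proxy such as `proxy.corp.example:8080` in the same ProxyServer value produces no finding; only a loopback or localhost endpoint does, because that is the one shape a legitimate enterprise configuration almost never takes and the one a redirecting rootkit needs.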

Re: Spyware/Trojan - Tidserv C Domain Request / Search results getting redirected

Post by akg32 on 26th February 2010, 12:58 am

Just as a follow up, the search-result redirect problem is still occurring despite all of the steps above.


Re: Spyware/Trojan - Tidserv C Domain Request / Search results getting redirected

Post by Belahzur on 26th February 2010, 11:18 pm

Not a problem, the log is showing me why.


  • Download [You must be registered and logged in to see this link.] and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245079
Likes : 1


Re: Spyware/Trojan - Tidserv C Domain Request / Search results getting redirected

Post by akg32 on 27th February 2010, 12:45 am

Thank you - the TDSSkiller.txt log is pasted below:

--
19:40:12:241 6000 TDSS rootkit removing tool 2.2.7 Feb 25 2010 10:44:44
19:40:12:241 6000 ================================================================================
19:40:12:241 6000 SystemInfo:

19:40:12:241 6000 OS Version: 5.1.2600 ServicePack: 2.0
19:40:12:241 6000 Product type: Workstation
19:40:12:241 6000 ComputerName: LCNU74700D5
19:40:12:241 6000 UserName: akg14980
19:40:12:241 6000 Windows directory: C:\WINDOWS
19:40:12:241 6000 Processor architecture: Intel x86
19:40:12:241 6000 Number of processors: 2
19:40:12:241 6000 Page size: 0x1000
19:40:12:241 6000 Boot type: Normal boot
19:40:12:241 6000 ================================================================================
19:40:12:257 6000 UnloadDriverW: NtUnloadDriver error 2
19:40:12:257 6000 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
19:40:12:272 6000 Initialize success
19:40:12:272 6000
19:40:12:272 6000 Scanning Services ...
19:40:12:272 6000 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
19:40:12:272 6000 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:40:12:272 6000 wfopen_ex: Trying to KLMD file open
19:40:12:272 6000 wfopen_ex: File opened ok (Flags 2)
19:40:12:272 6000 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
19:40:12:272 6000 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:40:12:272 6000 wfopen_ex: Trying to KLMD file open
19:40:12:272 6000 wfopen_ex: File opened ok (Flags 2)
19:40:12:756 6000 GetAdvancedServicesInfo: Raw services enum returned 399 services
19:40:12:756 6000 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
19:40:12:756 6000 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
19:40:12:756 6000
19:40:12:756 6000 Scanning Kernel memory ...
19:40:12:756 6000 Devices to scan: 2
19:40:12:756 6000
19:40:12:756 6000 Driver Name: Disk
19:40:12:756 6000 IRP_MJ_CREATE : BA96EC30
19:40:12:756 6000 IRP_MJ_CREATE_NAMED_PIPE : 804F4536
19:40:12:756 6000 IRP_MJ_CLOSE : BA96EC30
19:40:12:756 6000 IRP_MJ_READ : BA968D9B
19:40:12:756 6000 IRP_MJ_WRITE : BA968D9B
19:40:12:756 6000 IRP_MJ_QUERY_INFORMATION : 804F4536
19:40:12:756 6000 IRP_MJ_SET_INFORMATION : 804F4536
19:40:12:756 6000 IRP_MJ_QUERY_EA : 804F4536
19:40:12:756 6000 IRP_MJ_SET_EA : 804F4536
19:40:12:756 6000 IRP_MJ_FLUSH_BUFFERS : BA969366
19:40:12:756 6000 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4536
19:40:12:756 6000 IRP_MJ_SET_VOLUME_INFORMATION : 804F4536
19:40:12:756 6000 IRP_MJ_DIRECTORY_CONTROL : 804F4536
19:40:12:756 6000 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4536
19:40:12:756 6000 IRP_MJ_DEVICE_CONTROL : BA96944D
19:40:12:756 6000 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA96CFC3
19:40:12:756 6000 IRP_MJ_SHUTDOWN : BA969366
19:40:12:756 6000 IRP_MJ_LOCK_CONTROL : 804F4536
19:40:12:756 6000 IRP_MJ_CLEANUP : 804F4536
19:40:12:756 6000 IRP_MJ_CREATE_MAILSLOT : 804F4536
19:40:12:756 6000 IRP_MJ_QUERY_SECURITY : 804F4536
19:40:12:756 6000 IRP_MJ_SET_SECURITY : 804F4536
19:40:12:756 6000 IRP_MJ_POWER : BA96AEF3
19:40:12:756 6000 IRP_MJ_SYSTEM_CONTROL : BA96FA24
19:40:12:756 6000 IRP_MJ_DEVICE_CHANGE : 804F4536
19:40:12:756 6000 IRP_MJ_QUERY_QUOTA : 804F4536
19:40:12:756 6000 IRP_MJ_SET_QUOTA : 804F4536
19:40:12:756 6000 sion
19:40:12:772 6000 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
19:40:12:772 6000
19:40:12:772 6000 Driver Name: atapi
19:40:12:772 6000 IRP_MJ_CREATE : 8A43FA9A
19:40:12:772 6000 IRP_MJ_CREATE_NAMED_PIPE : 8A43FA9A
19:40:12:772 6000 IRP_MJ_CLOSE : 8A43FA9A
19:40:12:772 6000 IRP_MJ_READ : 8A43FA9A
19:40:12:772 6000 IRP_MJ_WRITE : 8A43FA9A
19:40:12:772 6000 IRP_MJ_QUERY_INFORMATION : 8A43FA9A
19:40:12:772 6000 IRP_MJ_SET_INFORMATION : 8A43FA9A
19:40:12:772 6000 IRP_MJ_QUERY_EA : 8A43FA9A
19:40:12:772 6000 IRP_MJ_SET_EA : 8A43FA9A
19:40:12:772 6000 IRP_MJ_FLUSH_BUFFERS : 8A43FA9A
19:40:12:772 6000 IRP_MJ_QUERY_VOLUME_INFORMATION : 8A43FA9A
19:40:12:772 6000 IRP_MJ_SET_VOLUME_INFORMATION : 8A43FA9A
19:40:12:772 6000 IRP_MJ_DIRECTORY_CONTROL : 8A43FA9A
19:40:12:772 6000 IRP_MJ_FILE_SYSTEM_CONTROL : 8A43FA9A
19:40:12:772 6000 IRP_MJ_DEVICE_CONTROL : 8A43FA9A
19:40:12:772 6000 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A43FA9A
19:40:12:772 6000 IRP_MJ_SHUTDOWN : 8A43FA9A
19:40:12:772 6000 IRP_MJ_LOCK_CONTROL : 8A43FA9A
19:40:12:772 6000 IRP_MJ_CLEANUP : 8A43FA9A
19:40:12:772 6000 IRP_MJ_CREATE_MAILSLOT : 8A43FA9A
19:40:12:772 6000 IRP_MJ_QUERY_SECURITY : 8A43FA9A
19:40:12:772 6000 IRP_MJ_SET_SECURITY : 8A43FA9A
19:40:12:772 6000 IRP_MJ_POWER : 8A43FA9A
19:40:12:772 6000 IRP_MJ_SYSTEM_CONTROL : 8A43FA9A
19:40:12:772 6000 IRP_MJ_DEVICE_CHANGE : 8A43FA9A
19:40:12:772 6000 IRP_MJ_QUERY_QUOTA : 8A43FA9A
19:40:12:772 6000 IRP_MJ_SET_QUOTA : 8A43FA9A
19:40:12:772 6000 ihd: 0, 0, 607, 138, 3, 120, 1
19:40:12:772 6000 Driver "atapi" Irp handler infected by TDSS rootkit ... 19:40:12:772 6000 cured
19:40:12:772 6000 siohd: 1
19:40:12:772 6000 Driver "atapi" StartIo handler infected by TDSS rootkit ... 19:40:12:772 6000 cured
19:40:12:788 6000 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
19:40:12:788 6000 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 19:40:12:788 6000 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
19:40:12:788 6000 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
19:40:13:006 6000 vfvi6
19:40:13:006 6000 !dsvbh1
19:40:13:225 6000 dsvbh2
19:40:13:225 6000 fdfb2
19:40:13:225 6000 Backup copy found, using it..
19:40:13:318 6000 will be cured on next reboot
19:40:13:318 6000 Reboot required for cure complete..
19:40:13:334 6000 Cure on reboot scheduled successfully
19:40:13:334 6000
19:40:13:334 6000 Completed
19:40:13:334 6000
19:40:13:334 6000 Results:
19:40:13:334 6000 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
19:40:13:334 6000 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:40:13:334 6000 File objects infected / cured / cured on reboot: 1 / 0 / 1
19:40:13:334 6000
19:40:13:334 6000 UnloadDriverW: NtUnloadDriver error 1
19:40:13:334 6000 KLMD_Unload: UnloadDriverW(klmd21) error 1
19:40:13:334 6000 KLMD(ARK) unloaded successfully

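TDSSKiller's verdict line settles the question, but the two dispatch tables it prints show why. In the clean Disk table the handlers spread across the driver's image (BA96xxxx) and the majors a disk driver never implements, such as IRP_MJ_CREATE_NAMED_PIPE and IRP_MJ_SET_QUOTA, all rest on the kernel's shared stub for unsupported requests (804F4536). In the atapi table every one of the 28 entries, named pipes and quotas included, points at the single address 8A43FA9A, which is the whole table swapped for the rootkit's own entry point. The Python below is an added example, not from the thread and not TDSSKiller's code; it parses a trimmed copy of the two tables above (a constructed sample) and flags that shape with two checks that need no module map, since the log gives none. Function names are mine.

```python
"""Triage the "Scanning Kernel memory" section of a TDSSKiller log.

The rootkit replaced every entry of atapi's IRP dispatch table with one address
of its own; the two checks below catch that shape without a module map.
"""
import re

# Major functions a storage port/class driver never implements itself. In a
# healthy table they point at the kernel's catch-all handler for unsupported
# requests (the 804F4536 shared by the Disk table's unused majors above), never
# at the driver's own read/write path.
NEVER_IMPLEMENTED = {
    "IRP_MJ_CREATE_NAMED_PIPE", "IRP_MJ_CREATE_MAILSLOT",
    "IRP_MJ_QUERY_EA", "IRP_MJ_SET_EA",
    "IRP_MJ_QUERY_QUOTA", "IRP_MJ_SET_QUOTA",
}
IO_PATH = {"IRP_MJ_READ", "IRP_MJ_WRITE",
           "IRP_MJ_DEVICE_CONTROL", "IRP_MJ_INTERNAL_DEVICE_CONTROL"}

DRIVER_RE = re.compile(r"Driver Name:\s*(\S+)")
IRP_RE = re.compile(r"(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})")
VERDICT_RE = re.compile(r"\S+\.sys - Verdict:\s*(\w+)")

# Constructed sample: lines copied from the TDSSKiller log above, trimmed to a
# handful of majors per driver (the real tables carry 28 entries each).
SAMPLE_LOG = r"""
19:40:12:756 6000 Driver Name: Disk
19:40:12:756 6000 IRP_MJ_CREATE : BA96EC30
19:40:12:756 6000 IRP_MJ_CREATE_NAMED_PIPE : 804F4536
19:40:12:756 6000 IRP_MJ_CLOSE : BA96EC30
19:40:12:756 6000 IRP_MJ_READ : BA968D9B
19:40:12:756 6000 IRP_MJ_WRITE : BA968D9B
19:40:12:756 6000 IRP_MJ_QUERY_EA : 804F4536
19:40:12:756 6000 IRP_MJ_DEVICE_CONTROL : BA96944D
19:40:12:756 6000 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA96CFC3
19:40:12:756 6000 IRP_MJ_SET_QUOTA : 804F4536
19:40:12:772 6000 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

19:40:12:772 6000 Driver Name: atapi
19:40:12:772 6000 IRP_MJ_CREATE : 8A43FA9A
19:40:12:772 6000 IRP_MJ_CREATE_NAMED_PIPE : 8A43FA9A
19:40:12:772 6000 IRP_MJ_CLOSE : 8A43FA9A
19:40:12:772 6000 IRP_MJ_READ : 8A43FA9A
19:40:12:772 6000 IRP_MJ_WRITE : 8A43FA9A
19:40:12:772 6000 IRP_MJ_QUERY_EA : 8A43FA9A
19:40:12:772 6000 IRP_MJ_DEVICE_CONTROL : 8A43FA9A
19:40:12:772 6000 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A43FA9A
19:40:12:772 6000 IRP_MJ_SET_QUOTA : 8A43FA9A
19:40:12:788 6000 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
"""


def parse_dispatch_tables(text):
    """Return {driver: {"irp": {major: int_addr}, "verdict": str | None}}."""
    tables, current = {}, None
    for line in text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            tables[current] = {"irp": {}, "verdict": None}
            continue
        if current is None:
            continue
        m = IRP_RE.search(line)
        if m:
            tables[current]["irp"][m.group(1)] = int(m.group(2), 16)
            continue
        m = VERDICT_RE.search(line)
        if m:
            tables[current]["verdict"] = m.group(1)
    return tables


def hook_indicators(irp):
    """Reasons a dispatch table looks hijacked; an empty list means none found."""
    reasons = []
    # Check 1: one address for the whole table (no real driver handles every major alike).
    if len(irp) >= 4 and len(set(irp.values())) == 1:
        reasons.append("all %d majors route to %08X" % (len(irp), next(iter(irp.values()))))
    # Check 2: majors the driver cannot implement share an address with its I/O path.
    io_addrs = {irp[m] for m in IO_PATH if m in irp}
    hijacked = sorted(m for m in NEVER_IMPLEMENTED if m in irp and irp[m] in io_addrs)
    if hijacked:
        reasons.append("I/O-path handler also serves " + ", ".join(hijacked))
    return reasons


def triage(text):
    """Map driver -> {hooked, reasons, verdict} for every table in the log."""
    result = {}
    for drv, info in parse_dispatch_tables(text).items():
        reasons = hook_indicators(info["irp"])
        result[drv] = {"hooked": bool(reasons), "reasons": reasons, "verdict": info["verdict"]}
    return result


if __name__ == "__main__":
    for drv, r in triage(SAMPLE_LOG).items():
        flag = "HOOKED" if r["hooked"] else "ok"
        print("%-6s %-7s tool verdict=%s  %s" % (drv, flag, r["verdict"], "; ".join(r["reasons"])))
```

The third signal a practitioner would want, a handler address that belongs to no loaded module (compare the 0x8A4C2A9A the MBR scanner labelled UNKNOWN in the first post with the 0x8A43FA9A atapi's table points to), needs the module list the log does not carry; with one, an "address outside any image" check slots in beside the two above.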

Re: Spyware/Trojan - Tidserv C Domain Request / Search results getting redirected

Post by Belahzur on 27th February 2010, 1:02 am

Hello.

Good work, the re-direct will have stopped now, but we're not done; more malware is still there.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.



Re: Spyware/Trojan - Tidserv C Domain Request / Search results getting redirected

Post by akg32 on 27th February 2010, 1:15 am

Here is the results list -- thanks again for all your help:
--
Adobe Acrobat 7.0.8 Professional
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Agere Systems HDA Modem
AIM 6
ALN Case Profile 3.5 QFE2
Apple Mobile Device Support
Apple Software Update
Application Settings Tool 3.4 OMM_C
AppSight 5.5 COM Black Box
ATI Display Driver
BlackBerry Desktop Software 4.3
BlackBerry Desktop Software 4.3
Brother BRAdmin Light 1.11
Brother HL-2170W
Business Fonts 1.0 OMM_A
Case Menu 1.0 OMM_A
CheckCite 8.7 QFE2
Citrix Presentation Server Client
ClearMetadata C230 Circular 4.0c OMM_A
Compatibility Pack for the 2007 Office system
DOCS Open 3.9.6.77 OMM_H
Folio Views 4.2 OMM_B
Garmin Communicator Plugin
Garmin USB Drivers
Google Desktop
Google Talk Plugin
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
HijackThis 2.0.2
Hotfix for Windows XP (KB909095)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Infopath Form Authorization 1.0 OMM_A
Informix Client 2.5 OMM_B
iPassConnect
iTunes
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Lexis-Nexis Web Client 1.1 OMM_A
Lexmark Software Uninstall
LiveUpdate 2.0 (Symantec Corporation)
Logitech QuickCam
Logitech QuickCam Driver Package
Logitech Updater
MacPac 9.6.2 OMM_E
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft SQL 2000 SP4 Client 8.00.194 OMM_A
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser
Nortel Networks Contivity VPN Client
ODBC Elite SQL Reporting 1.0 OMM_A
OMM Integration 1.5 OMM_A
OMM Main 4.1.1 OMM_A
OMM Signature 1.0 OMM_A
PaperPort
Picasa 3
PowerPoint Templates 3.0 OMM_A
Precedent 3.2.3 OMM_A
PrimoPDF
PS|Ship (tm) for Outlook®
QuickTime
RealPlayer
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Shared Add-in Support Update for Microsoft .NET Framework 2.0 (KB908002)
Skype™ 3.6
Symantec Client Security 2.0.2 OMM_B
TBS WMP Plug-in
Update for Windows XP (KB914882)
Update for Windows XP (KB933360)
Update for Windows XP (KB942763)
Viewpoint Media Player
WestCheck 4.54
WestMate 7.38
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
WinZip 11.0.7313 OMM_A
Workshare Professional 4.5.8680.0 OMM_E


Re: Spyware/Trojan - Tidserv C Domain Request / Search results getting redirected

Post by Belahzur on 27th February 2010, 1:30 am

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Viewpoint Media Player

Next,

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\program files\Common Files\uvibosyged.com
    c:\program files\Common Files\lizudecaq.exe
    c:\program files\Common Files\awutexelo.dat

    DDS::
    uInternet Settings,ProxyOverride =
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245079
# Likes : 1
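The security-relevant item in the CFScript above is the DDS:: block: the infection had set a per-user Internet Explorer proxy of http=127.0.0.1:5555, so every HTTP request was being routed through a local filter. As an added example (not part of this thread and not ComboFix's own code), the Python below picks that kind of loopback proxy out of DDS/ComboFix-style "Internet Settings" lines and renders the CFScript.txt stanza in the layout used above; the function names and the sample log lines are constructed for the example.

```python
"""Flag a loopback proxy hijack in DDS/ComboFix-style log lines and render the
CFScript.txt stanza that resets it.  Added example; the sample lines are constructed."""
import re
from ipaddress import ip_address

# Constructed sample of user-hive (u...) lines in the form DDS/ComboFix print them.
# The ProxyServer value mirrors the one flagged in this thread.
SAMPLE_LOG = """\
uStart Page = hxxp://www.example.test/
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
mStart Page = hxxp://www.example.test/
"""

# "uInternet Settings,ProxyServer = http=127.0.0.1:5555"  ->  hive u, name, value
PROXY_LINE = re.compile(
    r"^(?P<hive>[um])Internet Settings,(?P<name>ProxyServer|ProxyOverride)\s*=\s*(?P<value>.*)$"
)


def parse_proxy_lines(log_text):
    """Return (hive, name, value, original_line) for every proxy-setting line."""
    found = []
    for line in log_text.splitlines():
        line = line.strip()
        m = PROXY_LINE.match(line)
        if m:
            found.append((m["hive"], m["name"], m["value"].strip(), line))
    return found


def split_proxy_server(value):
    """ProxyServer is either 'host:port' or a ';'-separated list of 'scheme=host:port'.
    Return a list of (scheme, host, port); scheme is 'all' for the bare form."""
    entries = []
    for part in (p.strip() for p in value.split(";")):
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        if hostport.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:8080
            host, _, port = hostport[1:].partition("]")
            port = port.lstrip(":")
        elif hostport.count(":") == 1:          # plain host:port
            host, _, port = hostport.partition(":")
        else:                                   # bare host, or unbracketed IPv6 without a port
            host, port = hostport, ""
        entries.append((scheme or "all", host, port))
    return entries


def is_local_proxy(host):
    """True when the proxy host is the machine itself (loopback address or 'localhost').
    A local proxy is not proof of infection (some web filters use one), but on a
    machine with no such software installed it is the setting to review first."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:                          # hostname, not an IP literal
        return False


def find_proxy_hijack(log_text):
    """Return the log lines to put under DDS:: for every hive whose ProxyServer points at
    the local machine.  The hive's ProxyOverride line is included as well, since both
    values are cleared together when the proxy is removed (as in the thread's script)."""
    lines = parse_proxy_lines(log_text)
    suspicious_hives = {
        hive
        for hive, name, value, _ in lines
        if name == "ProxyServer"
        and any(is_local_proxy(host) for _, host, _ in split_proxy_server(value))
    }
    return [orig for hive, _, _, orig in lines if hive in suspicious_hives]


def build_cfscript(files, dds_lines):
    """Render CFScript.txt in the layout used in this thread: a File:: block listing files
    to remove, then a DDS:: block listing the log lines whose settings are to be reset."""
    out = []
    if files:
        out.append("File::")
        out.extend(files)
        out.append("")
    if dds_lines:
        out.append("DDS::")
        out.extend(dds_lines)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript([], find_proxy_hijack(SAMPLE_LOG)))
```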

Re: Spyware/Trojan - Tidserv C Domain Request / Search results getting redirected

Post by akg32 on 27th February 2010, 5:57 am

Here is my latest ComboFix log - thank you:

--
ComboFix 10-02-25.02 - akg14980 02/27/2010 0:43.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1919.1310 [GMT -5:00]
Running from: c:\documents and settings\akg14980\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\akg14980\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *disabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-27 to 2010-02-27 )))))))))))))))))))))))))))))))
.

2010-02-26 19:04 . 2010-02-26 19:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-02-25 07:11 . 2010-02-25 07:05 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-02-25 07:11 . 2010-02-25 07:05 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-02-25 07:05 . 2010-02-25 07:05 -------- d-----w- C:\$AVG
2010-02-25 07:04 . 2010-02-25 07:04 -------- d-----w- c:\program files\AVG
2010-02-25 06:46 . 2010-02-25 15:30 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-24 23:55 . 2010-02-24 23:55 -------- d-----w- c:\program files\Alwil Software
2010-02-24 23:55 . 2010-02-24 23:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-05 15:39 . 2010-02-05 15:39 251376 ----a-w- c:\documents and settings\akg14980\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-02-01 16:49 . 2010-02-01 16:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-27 05:51 . 2007-06-18 16:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-27 03:31 . 2008-06-03 05:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-02-27 03:30 . 2007-12-13 02:09 -------- d-----w- c:\program files\Java
2010-02-27 00:41 . 2004-08-03 22:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-26 23:54 . 2010-01-13 20:35 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2010-02-26 08:03 . 2007-12-10 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-02-03 14:41 . 2010-01-13 23:14 1533 ----a-w- c:\documents and settings\akg14980\Application Data\iolo\restore.bat
2010-02-02 15:58 . 2009-07-02 01:33 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-01 16:44 . 2007-12-10 17:47 -------- d-----w- c:\program files\Google
2010-01-29 15:53 . 2010-01-21 00:46 -------- d-----w- c:\documents and settings\akg14980\Application Data\Move Networks
2010-01-21 14:48 . 2008-02-15 18:17 -------- d-----w- c:\documents and settings\akg14980\Application Data\Skype
2010-01-21 14:48 . 2008-02-15 18:24 -------- d-----w- c:\documents and settings\akg14980\Application Data\skypePM
2010-01-21 00:46 . 2010-01-21 00:46 144160 ----a-w- c:\documents and settings\akg14980\Application Data\Move Networks\uninstall.exe
2010-01-13 23:30 . 2010-01-13 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Sprint
2010-01-13 23:29 . 2008-09-01 19:26 -------- d-----w- c:\program files\Sierra Wireless
2010-01-13 23:29 . 2008-09-01 19:25 -------- d-----w- c:\program files\Common Files\Motorola Shared
2010-01-13 23:14 . 2010-01-13 20:35 -------- d-----w- c:\documents and settings\akg14980\Application Data\iolo
2010-01-13 20:40 . 2010-01-13 20:40 -------- d-----w- c:\documents and settings\LocalService\Application Data\iolo
2010-01-13 20:36 . 2010-01-13 20:36 74703 ----a-w- c:\windows\system32\mfc45.dll
2010-01-12 19:58 . 2009-10-14 04:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-12 19:51 . 2010-01-12 19:09 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-01-12 16:01 . 2009-10-14 04:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-07 21:07 . 2010-01-12 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2010-01-12 19:55 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-16 21:05 . 2010-01-14 04:20 471040 ----a-w- c:\documents and settings\akg14980\Application Data\Mozilla\Firefox\Profiles\yiok3rwy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
2009-12-16 21:05 . 2010-01-14 04:20 347136 ----a-w- c:\documents and settings\akg14980\Application Data\Mozilla\Firefox\Profiles\yiok3rwy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-16 21:05 . 2010-01-14 04:20 340992 ----a-w- c:\documents and settings\akg14980\Application Data\Mozilla\Firefox\Profiles\yiok3rwy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-16 21:05 . 2010-01-14 04:20 43008 ----a-w- c:\documents and settings\akg14980\Application Data\Mozilla\Firefox\Profiles\yiok3rwy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-16 21:05 . 2010-01-14 04:20 1452032 ----a-w- c:\documents and settings\akg14980\Application Data\Mozilla\Firefox\Profiles\yiok3rwy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-07 01:22 . 2009-12-07 01:22 97216 ----a-w- c:\documents and settings\akg14980\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-10-14 04:06 . 2009-10-14 04:06 16740 ----a-w- c:\program files\Common Files\uvibosyged.com
2009-10-14 04:06 . 2009-10-14 04:06 15289 ----a-w- c:\program files\Common Files\lizudecaq.exe
2009-10-14 04:06 . 2009-10-14 04:06 13621 ----a-w- c:\program files\Common Files\awutexelo.dat
2009-12-08 22:40 . 2007-12-10 20:03 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-06-18 15:34 . 2010-02-27 00:46 64684 c:\windows\system32\perfc009.dat
- 2007-06-18 15:34 . 2010-02-25 23:51 64684 c:\windows\system32\perfc009.dat
+ 2007-06-18 15:34 . 2010-02-27 00:46 407134 c:\windows\system32\perfh009.dat
- 2007-06-18 15:34 . 2010-02-25 23:51 407134 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-10 68856]
"Google Update"="c:\documents and settings\akg14980\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-30 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-13 483328]
"Workshare3GW"="c:\program files\Workshare\Modules\WMConfigAssistant.exe" [2006-06-09 1609728]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe" [2004-10-07 161096]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-08 30192]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2008-09-18 880640]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 12451]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-6-18 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"= 300 (0x12c)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"ProfileQuotaMessage"= You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage.
"MaxProfileSize"= 30000 (0x7530)
"WarnUserTimeout"= 15 (0xf)
"ConnectHomeDirToRoot"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
"NoStartMenuEjectPC"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1417001333-179605362-839522115-43454\Scripts\Logon\0\0]
"Script"=ommIEseczone.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1417001333-179605362-839522115-43454\Scripts\Logon\1\0]
"Script"=lasertrak.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1417001333-179605362-839522115-43454\Scripts\Logon\2\0]
"Script"=addsubnetprinters.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1417001333-179605362-839522115-43454\Scripts\Logon\3\0]
"Script"=usr_logon-main.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1417001333-179605362-839522115-43454\Scripts\Logon\3\1]
"Script"=lprocess.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\akg14980\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\akg14980\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [6/18/2007 10:29 AM 11026]
R2 iPCAgent;iPCAgent;c:\program files\iPass\iPassConnect\iPCAgent.exe [12/8/2007 3:12 PM 90112]
R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;c:\windows\system32\drivers\mdc80211.sys [12/8/2007 3:12 PM 15793]
R2 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [10/6/2004 7:56 PM 173392]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [12/8/2007 3:14 PM 9049]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [6/18/2007 10:28 AM 36608]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 11:44 AM 135664]
S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [12/8/2007 3:14 PM 115008]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/10/2007 3:03 PM 30192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Office2003_FullInstall]
2007-01-09 19:51 207336 ----a-w- c:\program files\OMM\Clnicons.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{581432DF-FCAD-4201-A7D1-8ADEAFE68A2B}]
2005-05-03 19:58 78848 ----a-w- c:\windows\system32\msiexec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5A840B7D-AEB5-4298-9210-D9A97E29D7A2}]
2005-05-03 19:58 78848 ----a-w- c:\windows\system32\msiexec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7B153B16-57D0-4A25-930E-28D82BDE0C13}]
2005-05-03 19:58 78848 ----a-w- c:\windows\system32\msiexec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CA9BE80D-54B3-4AA8-AD72-4EF0CEAA0A98}]
2005-05-03 19:58 78848 ----a-w- c:\windows\system32\msiexec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\~{70D8E50D-0A74-453A-A23B-A2611D89B1DD}]
2005-05-03 19:58 78848 ----a-w- c:\windows\system32\msiexec.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-02-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-10 02:34]

2010-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 16:44]

2010-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 16:44]

2010-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-179605362-839522115-43454Core.job
- c:\documents and settings\akg14980\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-30 01:33]

2010-02-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-179605362-839522115-43454UA.job
- c:\documents and settings\akg14980\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-30 01:33]

2007-06-18 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-06-18 21:20]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: bna.com
Trusted Zone: cch.com
Trusted Zone: cchgroup.com
Trusted Zone: heinonline.org
Trusted Zone: lexis-nexis.com
Trusted Zone: lexis.com
Trusted Zone: lexisnexis.com
Trusted Zone: lexisone.com
Trusted Zone: nexis.com
Trusted Zone: omm.com
Trusted Zone: omm.com\*.intranet
Trusted Zone: omm.com\precedent.intranet
Trusted Zone: ommconnect.com
Trusted Zone: reed-elsevier.com
Trusted Zone: westlaw.com
Trusted Zone: bna.com
Trusted Zone: cch.com
Trusted Zone: cchgroup.com
Trusted Zone: heinonline.org
Trusted Zone: lexis-nexis.com
Trusted Zone: lexis.com
Trusted Zone: lexisnexis.com
Trusted Zone: lexisone.com
Trusted Zone: nexis.com
Trusted Zone: omm.com\*.intranet
Trusted Zone: ommconnect.com
Trusted Zone: reed-elsevier.com
Trusted Zone: westlaw.com
DPF: CabCCT - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\akg14980\Application Data\Mozilla\Firefox\Profiles\yiok3rwy.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\akg14980\Application Data\Mozilla\Firefox\Profiles\yiok3rwy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\documents and settings\akg14980\Application Data\Mozilla\Firefox\Profiles\yiok3rwy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\akg14980\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\akg14980\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-02-27 00:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1740)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(8712)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
c:\windows\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Adobe\Acrobat 7.0\Distillr\AcroDist.exe
c:\program files\iPass\iPassConnect\downloader\ipccheck.exe
c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2010-02-27 00:54:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-27 05:54
ComboFix2.txt 2010-02-26 00:42

Pre-Run: 38,970,220,544 bytes free
Post-Run: 38,949,232,640 bytes free

- - End Of File - - 47C42D0B86E7F6FF9D929AF056C67123


Re: Spyware/Trojan - Tidserv C Domain Request / Search results getting redirected

Post by Belahzur on 27th February 2010, 8:04 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?





Re: Spyware/Trojan - Tidserv C Domain Request / Search results getting redirected

Post by akg32 on 28th February 2010, 5:48 am

It seems to be running quite well. Thank you so much for all your help -- it's really an excellent service you all provide here.


Re: Spyware/Trojan - Tidserv C Domain Request / Search results getting redirected

Post by Belahzur on 28th February 2010, 8:48 pm

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.





Re: Spyware/Trojan - Tidserv C Domain Request / Search results getting redirected

Post by akg32 on 2nd March 2010, 5:29 am

Here is my ESET Online Scanner log, pasted below. Thanks.

--
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.5730.13 (longhorn(wmbla).070711-1130)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d8b0dcc41ff77344b272f0b4ce14efc4
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-03-02 05:15:42
# local_time=2010-03-02 12:15:42 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 366330 366330 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=5891 16776574 0 5 3260987 3260987 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=69716
# found=0
# cleaned=0
# scan_time=2096


Re: Spyware/Trojan - Tidserv C Domain Request / Search results getting redirected

Post by Belahzur on 2nd March 2010, 1:25 pm

This should be fine now.




