Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.
1 - 3 of 3 Posts

·
Registered
Joined
·
3 Posts
Discussion Starter · #1 ·
Hi,

I think I may have a virus on my computer and am trying to follow the instructions given in the top thread, and have already run and saved hijackthis on my desktop.

However, when i try and run the DDs.scr program, it prompts that "this tool does not support your operating system.
I am using windows 2003.

Kindly guide as to how to proceed.

Many thanks in advance.
 

·
Registered
Joined
·
3 Posts
Discussion Starter · #2 ·
This is the hijackthis log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:04:22 PM, on 31/12/2010
Platform: Windows 2003 SP2, v.2845 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Seagate Software\WCS\WebCompServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://192.168.15.1/
F2 - REG:system.ini: Shell=explorer.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\services.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Ask.com Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Ask.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] "RTHDCPL.EXE"
O4 - HKLM\..\Run: [SkyTel] "SkyTel.EXE"
O4 - HKLM\..\Run: [Alcmtr] "ALCMTR.EXE"
O4 - HKLM\..\Run: [vptray] "C:\PROGRA~1\SYMANT~1\VPTray.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] "D:\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" /title="CorelDRAW Graphics Suite 12" /date=010211 serial=DR12WEF-5646037-WEC lang=EN
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\\NPssView.dll
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted IP range: http://192.168.15.1
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E62193C-518B-4A88-9BD8-21B1ACFCFEEA}: NameServer = 115.167.74.254,115.167.75.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E62193C-518B-4A88-9BD8-21B1ACFCFEEA}: NameServer = 115.167.74.254,115.167.75.254
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E62193C-518B-4A88-9BD8-21B1ACFCFEEA}: NameServer = 115.167.74.254,115.167.75.254
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Seagate Page Server (pageserver) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\pageserver.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Seagate Web Component Server (WebCompServer) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\WebCompServer.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 7907 bytes
 

·
Registered
Joined
·
3 Posts
Discussion Starter · #3 ·
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-31 15:02:02
Windows 5.2.3790 Service Pack 2, v.2845 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-6 ST3250318AS rev.CC44
Running: so0wbm43.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kxtdrpow.sys

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[2736] ntdll.dll!LdrLoadDll 7C833F63 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3100] USER32.dll!TrackPopupMenu 773D6CDA 5 Bytes JMP 10402342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
CODE C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\services.exe[3516] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\services.exe entry point in "CODE" section [0x004050F4]
.ifc C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\services.exe[3516] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\services.exe unknown last code section [0x00410000, 0x2307B, 0xE0000060]

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}@ IFlashBroker2
Reg HKLM\SOFTWARE\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32
Reg HKLM\SOFTWARE\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\[email protected] {00020424-0000-0000-C000-000000000046}
Reg HKLM\SOFTWARE\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib
Reg HKLM\SOFTWARE\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\[email protected] {FAB3E735-69C7-453B-A446-B6823C6DF1C9}
Reg HKLM\SOFTWARE\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\[email protected] 1.0

---- EOF - GMER 1.0.15 ----
 
1 - 3 of 3 Posts
Status
Not open for further replies.
Top