
Repeated attacks - "HTTPS Tidserv C and C Domain Request"


  • This topic is locked
4 replies to this topic

#1 Omac

Omac

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Durban, South Africa
  • Local time:10:37 AM

Posted 28 December 2009 - 10:43 AM

Hi

I am getting repeated alerts from Norton 360 every 30 minutes or so. I'm fairly sure it started when I downloaded a dubious bit of software.

My alert summary states:

Severity - High
Activity - An intrusion attempt by a57990057.cn was blocked. Application path \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SPOOLSV.EXE
Date & time - (Always the time of the last alert)
Status - Blocked
Recommended Action - No Action Required

Advanced Details
Risk Name - HTTPS Tidserv C and C Domain Request
Severity - High
Attacking Computer - a57990057.cn (212.117.174.176,443)
Destination Address - "my computer name and ip
Source Address - 212.117.174.176(212.117.174.176)
Traffic Description - TCP,https


Norton 360 gives the option to disable this notification but I'm not comfortable with that.

The folder in which the software files were downloaded to cannot be deleted in the normal way. The error message that the folder is in use by another programme is displayed.
I have not tried to restart as I'm concerned that I'll make the problem worse.

Any help will be appreciated.

I'm running Vista SP2.

#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:37 AM

Posted 28 December 2009 - 01:08 PM

Hello and welcome...
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 Omac

Omac
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Durban, South Africa
  • Local time:10:37 AM

Posted 28 December 2009 - 02:59 PM

Thanks for the help.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-28 21:56:24
Windows 6.0.6002 Service Pack 2
Running: tuuy89zu.exe; Driver: C:\Users\Owen\AppData\Local\Temp\pxldapog.sys


---- System - GMER 1.0.15 ----

SSDT 927A7138 ZwAlertResumeThread
SSDT 927F1CA0 ZwAlertThread
SSDT 94BD3310 ZwAllocateVirtualMemory
SSDT 93A7C350 ZwAlpcConnectPort
SSDT 93B28048 ZwAssignProcessToJobObject
SSDT 94BD0B40 ZwCreateMutant
SSDT 94BD11F0 ZwCreateSymbolicLinkObject
SSDT 94BD0160 ZwCreateThread
SSDT 93B0C048 ZwDebugActiveProcess
SSDT 9501ED38 ZwDuplicateObject
SSDT 94BD1008 ZwFreeVirtualMemory
SSDT 92B83268 ZwImpersonateAnonymousToken
SSDT 929A9048 ZwImpersonateThread
SSDT 93A7C2B8 ZwLoadDriver
SSDT 94BD1F28 ZwMapViewOfSection
SSDT 92BC0048 ZwOpenEvent
SSDT 94BD3B50 ZwOpenProcess
SSDT 91EB8578 ZwOpenProcessToken
SSDT 927FC048 ZwOpenSection
SSDT 94BD4008 ZwOpenThread
SSDT 94BD13F8 ZwProtectVirtualMemory
SSDT 91E4F570 ZwResumeThread
SSDT 92680A88 ZwSetContextThread
SSDT 94BD1D68 ZwSetInformationProcess
SSDT 9279C048 ZwSetSystemInformation
SSDT 927F8048 ZwSuspendProcess
SSDT 927A8128 ZwSuspendThread
SSDT 91E3D118 ZwTerminateProcess
SSDT 927F3150 ZwTerminateThread
SSDT 91E5D7B8 ZwUnmapViewOfSection
SSDT 94BD3218 ZwWriteVirtualMemory
SSDT 94BD1338 ZwCreateThreadEx

INT 0x51 ? 86BE0BF8
INT 0x52 ? 86BE0BF8
INT 0x72 ? 86BE0BF8
INT 0x72 ? 86BE0BF8
INT 0x82 ? 8468DBF8
INT 0x92 ? 84689BF8
INT 0xA2 ? 84689BF8
INT 0xB3 ? 86BE0BF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 820B6860 8 Bytes [38, 71, 7A, 92, A0, 1C, 7F, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 820B6874 4 Bytes [10, 33, BD, 94]
.text ntkrnlpa.exe!KeSetEvent + 13D 820B6880 4 Bytes [50, C3, A7, 93] {PUSH EAX; RET ; CMPSD ; XCHG EBX, EAX}
.text ntkrnlpa.exe!KeSetEvent + 191 820B68D4 4 Bytes [48, 80, B2, 93]
.text ntkrnlpa.exe!KeSetEvent + 1F5 820B6938 4 Bytes [40, 0B, BD, 94]
.text ...
? System32\Drivers\spbr.sys The system cannot find the path specified. !
.rsrc C:\Windows\system32\DRIVERS\iaStor.sys entry point in ".rsrc" section [0x8815D024]
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8CA00340, 0x3FA057, 0xE8000020]
.text USBPORT.SYS!DllUnload 8C53D41B 5 Bytes JMP 86BE01D8
? System32\Drivers\aw5himqy.SYS The system cannot find the path specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [826956D6] \SystemRoot\System32\Drivers\spbr.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [82695042] \SystemRoot\System32\Drivers\spbr.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [82695800] \SystemRoot\System32\Drivers\spbr.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [826950C0] \SystemRoot\System32\Drivers\spbr.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8269513E] \SystemRoot\System32\Drivers\spbr.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [826A4B90] \SystemRoot\System32\Drivers\spbr.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73C67817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73CBA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73C6BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73C5F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73C675E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73C5E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73C98395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73C6DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73C5FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73C5FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73C571CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73CECAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73C8C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73C5D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73C56853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73C5687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73C62AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 850281F8
Device \FileSystem\udfs \UdfsCdRom 849531F8
Device \FileSystem\udfs \UdfsDisk 849531F8
Device \Driver\netbt \Device\NetBT_Tcpip_{9333E5F1-9B3D-40CD-8670-815948D1DE2F} 93A5E1F8

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device \Driver\volmgr \Device\VolMgrControl 8468B1F8
Device \Driver\usbuhci \Device\USBPDO-0 86BD21F8
Device \Driver\usbuhci \Device\USBPDO-1 86BD21F8
Device \Driver\usbehci \Device\USBPDO-2 86BD81F8
Device \Driver\usbuhci \Device\USBPDO-3 86BD21F8
Device \Driver\usbuhci \Device\USBPDO-4 86BD21F8

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbuhci \Device\USBPDO-5 86BD21F8
Device \Driver\usbehci \Device\USBPDO-6 86BD81F8
Device \Driver\volmgr \Device\HarddiskVolume1 8468B1F8
Device \Driver\volmgr \Device\HarddiskVolume2 8468B1F8
Device \Driver\cdrom \Device\CdRom0 86D271F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 850261F8
Device \Driver\iaStor \Device\Ide\iaStor0 [880D0D10] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 850261F8
Device \Driver\atapi \Device\Ide\IdePort1 850261F8
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 [880D0D10] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\volmgr \Device\HarddiskVolume3 8468B1F8
Device \Driver\cdrom \Device\CdRom1 86D271F8
Device \Driver\sptd \Device\2799741078 spbr.sys
Device \Driver\netbt \Device\NetBt_Wins_Export 93A5E1F8
Device \Driver\Smb \Device\NetbiosSmb 93A601F8
Device \Driver\iScsiPrt \Device\RaidPort0 86D7A1F8

AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\PCI_PNP9066 \Device\0000005f spbr.sys
Device \Driver\usbuhci \Device\USBFDO-0 86BD21F8
Device \Driver\usbuhci \Device\USBFDO-1 86BD21F8
Device \Driver\usbehci \Device\USBFDO-2 86BD81F8
Device \Driver\usbuhci \Device\USBFDO-3 86BD21F8
Device \Driver\usbuhci \Device\USBFDO-4 86BD21F8
Device \Driver\usbuhci \Device\USBFDO-5 86BD21F8
Device \Driver\netbt \Device\NetBT_Tcpip_{206C5355-3B4C-43C3-BF97-31503A1F6686} 93A5E1F8
Device \Driver\usbehci \Device\USBFDO-6 86BD81F8
Device \Driver\netbt \Device\NetBT_Tcpip_{4DB3FA02-CDDA-4278-B18D-7306B761B0A5} 93A5E1F8
Device \Driver\aw5himqy \Device\Scsi\aw5himqy1Port4Path0Target0Lun0 86D851F8
Device \Driver\aw5himqy \Device\Scsi\aw5himqy1 86D851F8
Device \FileSystem\cdfs \Cdfs 86B71500
Device -> \Driver\iaStor \Device\Harddisk0\DR0 866AC826

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e37b3c6e1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDD 0x36 0x35 0x75 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x06 0x66 0x91 0x5E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xFC 0x44 0xC9 0xA4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xFD 0xC4 0x6A 0x1B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x2B 0xBF 0x65 0xD0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x45 0xD4 0x61 0xF9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x45 0xD4 0x61 0xF9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001e37b3c6e1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDD 0x36 0x35 0x75 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x06 0x66 0x91 0x5E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xFC 0x44 0xC9 0xA4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xFD 0xC4 0x6A 0x1B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x2B 0xBF 0x65 0xD0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x45 0xD4 0x61 0xF9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x45 0xD4 0x61 0xF9 ...

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\DRIVERS\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----
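
A way to triage a GMER log like the one above for the indicators a helper looks for (a driver file GMER reports as modified, a driver whose entry point sits in its ".rsrc" section, drivers loaded from a path that no longer exists, a redirected disk device object, and inline JMP hooks), as an added example that is not part of this thread and not GMER's own code. The regex rules, the severities, and the KNOWN_CONTEXT note are my assumptions; the sample log is a constructed excerpt modelled on the lines posted above, and the note on spbr.sys comes only from the Devices and Registry sections of that log, which tie it to the sptd service and DAEMON Tools.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt modelled on the GMER 1.0.15 log posted above (not the full log).
SAMPLE_GMER_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 820B6860 8 Bytes [38, 71, 7A, 92, A0, 1C, 7F, ...]
? System32\Drivers\spbr.sys The system cannot find the path specified. !
.rsrc C:\Windows\system32\DRIVERS\iaStor.sys entry point in ".rsrc" section [0x8815D024]
.text USBPORT.SYS!DllUnload 8C53D41B 5 Bytes JMP 86BE01D8
? System32\Drivers\aw5himqy.SYS The system cannot find the path specified. !

---- Devices - GMER 1.0.15 ----

Device \Driver\sptd \Device\2799741078 spbr.sys
Device \Driver\aw5himqy \Device\Scsi\aw5himqy1 86D851F8
Device -> \Driver\iaStor \Device\Harddisk0\DR0 866AC826

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\DRIVERS\iaStor.sys suspicious modification
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    rule: str
    line: str


# Heuristic rules (assumptions for this example), ordered from most to least severe.
RULES = (
    ("high", "file-modified", re.compile(r"\bsuspicious modification\b")),
    ("high", "entry-point-in-rsrc", re.compile(r'entry point in "\.rsrc" section')),
    ("medium", "driver-path-missing", re.compile(r"The system cannot find the path specified")),
    ("medium", "device-redirected", re.compile(r"^Device -> ")),
    ("low", "inline-jmp-hook", re.compile(r"\bJMP [0-9A-F]{8}\b")),
)

# Context taken from the log itself: its Devices and Registry sections tie spbr.sys to the
# sptd service and C:\Program Files\DAEMON Tools\. Assumed note, not a verdict.
KNOWN_CONTEXT = {
    "spbr.sys": "named by the Devices/Registry sections as the sptd driver (DAEMON Tools); "
                "reconcile with installed software before calling it malicious",
}

DRIVER_NAME = re.compile(r"([A-Za-z0-9_]+\.sys)\b", re.IGNORECASE)


def triage_gmer_log(text: str) -> list[Finding]:
    """Return one Finding per log line that matches a rule (first, most severe rule wins)."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):  # skip blanks and section banners
            continue
        for severity, rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(severity, rule, line))
                break
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'high': 2, 'medium': 3, 'low': 1}."""
    return dict(Counter(f.severity for f in findings))


def drivers_to_review(findings: list[Finding]) -> dict[str, str]:
    """Map each driver file named in a finding to a context note, sorted by name."""
    out: dict[str, str] = {}
    for f in findings:
        for name in DRIVER_NAME.findall(f.line):
            key = name.lower()
            out.setdefault(key, KNOWN_CONTEXT.get(key, "unknown; verify signature and hash offline"))
    return dict(sorted(out.items()))


if __name__ == "__main__":
    fs = triage_gmer_log(SAMPLE_GMER_LOG)
    for f in fs:
        print(f"[{f.severity:6}] {f.rule:20} {f.line}")
    print(severity_counts(fs))
    print(drivers_to_review(fs))
```

Run against the constructed excerpt it reports two high findings, both on iaStor.sys (the modified file and the entry point in its resource section), which is the same file the helper singles out in the next reply; the two "path not found" drivers and the redirected Harddisk0 device object come out as medium so they are reviewed rather than acted on, and spbr.sys carries the DAEMON Tools note so a reader does not mistake a known virtual-drive driver for the infection.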

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:37 AM

Posted 28 December 2009 - 03:56 PM

Hello again, This does indeed appear to be infected. This is a system critical file. It must be properly taken care of or you may lose the ability to boot.

You will need to run HJT/DDS.
Please follow this guide: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.

#5 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,801 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:04:37 AM

Posted 28 December 2009 - 11:08 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/282377/repeated-attacks-https-tidserv-c-and-c-domain-request/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
