infected with HTTPD Tidserv C


5 replies to this topic

#1 ifonenerd


Posted 02 January 2010 - 10:37 PM

Hi

I am getting repeated alerts from Norton Internet Security every 15 minutes or so. I'm fairly sure it started when I downloaded a dubious bit of software.

My alert summary states:-

Severity - High
Activity - An intrusion attempt by a57990057.cn was blocked. Application path \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SPOOLSV.EXE
Date & time - (Always the time of the last alert)
Status - Blocked
Recommended Action - No Action Required

Advanced Details
Risk Name - HTTPS Tidserv C and C Domain Request
Severity - High
Attacking Computer - a57990057.cn (212.117.174.176,443)
Destination Address - (my computer name and IP)
Source Address - 212.117.174.176(212.117.174.176)
Traffic Description - TCP,https


Norton Internet Security gives the option to disable this notification but I'm not comfortable with that.

The folder in which the software files were downloaded to cannot be deleted in the normal way. The error message that the folder is in use by another programme is displayed.
I have not tried to restart as I'm concerned that I'll make the problem worse.

Any help will be appreciated.

I'm running Windows XP.


DDS (Ver_09-12-01.01) - NTFSx86
Run by HP_Administrator at 21:49:55.15 on Sat 01/02/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.45 [GMT -5:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HLW\iTap\iTap.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\PdaNet for iPhone\PdaNetPC.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\program files\mozilla firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearch Bar = hxxp://search.imesh.com/sidebar.html?src=ssb
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://toolbar.inbox.com/search/ie.aspx?tbid=80252
mCustomizeSearch = hxxp://toolbar.inbox.com/help/sa_customize.aspx?tbid=80252
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: UrlHelper Class: {474597c5-ab09-49d6-a4d5-2e8d7341384e} - c:\program files\imesh applications\imesh mediabar\iMeshIEHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.7.2.11\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.7.2.11\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: : {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - c:\progra~1\inboxt~1\Inbox.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.7.2.11\coIEPlg.dll
TB: iMesh MediaBar: {b7d3e479-cc68-42b5-a338-938ece35f419} - c:\program files\imesh applications\imesh mediabar\iMeshMediaBar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Inbox Toolbar: {d7e97865-918f-41e4-9cd0-25ab1c574ce8} - c:\progra~1\inboxt~1\Inbox.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [iTap] c:\program files\hlw\itap\iTap.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [<NO NAME>]
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\pdanet~1.lnk - c:\program files\pdanet for iphone\PdaNetPC.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\prayer.lnk - c:\had\PTW.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer\MathMLMimer.dll
Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer\MathMLMimer.dll
Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer\MathMLMimer.dll
Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer\MathMLMimer.dll
Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer\MathMLMimer.dll
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - c:\progra~1\inboxt~1\Inbox.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.7.2.11\CoIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1007020.00b\SymEFA.sys [2009-9-9 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1007020.00b\BHDrvx86.sys [2009-9-9 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1007020.00b\cchpx86.sys [2009-9-9 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20091217.002\IDSXpx86.sys [2009-12-18 329592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-9 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20091231.041\NAVENG.SYS [2010-1-1 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20091231.041\NAVEX15.SYS [2010-1-1 1323568]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2009-9-9 9472]

=============== Created Last 30 ================

2010-01-03 00:15:32 0 d-----w- c:\program files\trend micro
2009-12-29 01:39:31 0 ----a-w- c:\windows\PTWebCam.INI
2009-12-29 01:36:13 36 ----a-w- c:\windows\Pt.dll
2009-12-29 01:06:40 144669 ----a-w- c:\windows\screenshot14098.jpg
2009-12-29 00:49:54 0 d-----w- c:\program files\PhoTags Express
2009-12-28 03:14:51 194103 ----a-w- c:\windows\screenshot13098.jpg
2009-12-27 00:05:26 1089593 ------w- c:\windows\system32\dllcache\ntprint.cat
2009-12-26 21:40:29 191180 ----a-w- c:\windows\screenshot12098.jpg
2009-12-26 06:43:39 0 d-----w- c:\windows\system32\XPSViewer
2009-12-26 06:36:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-12-26 06:36:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-12-26 06:36:05 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-12-26 06:36:03 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-12-26 06:36:03 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-12-26 06:36:01 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-12-26 06:36:01 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-12-26 04:16:47 98579 ----a-w- c:\windows\screenshot11098.jpg
2009-12-26 03:46:53 197977 ----a-w- c:\windows\screenshot11097.jpg
2009-12-26 03:16:58 143338 ----a-w- c:\windows\screenshot11096.jpg
2009-12-26 02:48:45 170409 ----a-w- c:\windows\screenshot11095.jpg
2009-12-26 02:18:48 211606 ----a-w- c:\windows\screenshot11094.jpg
2009-12-26 01:48:52 189878 ----a-w- c:\windows\screenshot11093.jpg
2009-12-26 01:18:57 185625 ----a-w- c:\windows\screenshot11092.jpg
2009-12-26 00:51:11 186999 ----a-w- c:\windows\screenshot11091.jpg
2009-12-26 00:21:17 203178 ----a-w- c:\windows\screenshot11090.jpg
2009-12-25 23:53:11 204286 ----a-w- c:\windows\screenshot11089.jpg
2009-12-25 23:23:16 197397 ----a-w- c:\windows\screenshot11088.jpg
2009-12-25 22:58:47 165545 ----a-w- c:\windows\screenshot11087.jpg
2009-12-25 22:28:52 175796 ----a-w- c:\windows\screenshot11086.jpg
2009-12-25 22:01:42 239452 ----a-w- c:\windows\screenshot11085.jpg
2009-12-25 21:31:47 220594 ----a-w- c:\windows\screenshot11084.jpg
2009-12-25 21:01:51 173837 ----a-w- c:\windows\screenshot11083.jpg
2009-12-25 04:40:17 210263 ----a-w- c:\windows\screenshot10083.jpg
2009-12-25 04:10:22 221326 ----a-w- c:\windows\screenshot10082.jpg
2009-12-25 03:40:29 196088 ----a-w- c:\windows\screenshot10081.jpg
2009-12-25 03:10:37 195649 ----a-w- c:\windows\screenshot10080.jpg
2009-12-25 02:40:42 205748 ----a-w- c:\windows\screenshot10079.jpg
2009-12-25 02:10:49 202877 ----a-w- c:\windows\screenshot10078.jpg
2009-12-25 01:40:59 182385 ----a-w- c:\windows\screenshot10077.jpg
2009-12-25 01:10:56 177202 ----a-w- c:\windows\screenshot10076.jpg
2009-12-25 00:40:58 115643 ----a-w- c:\windows\screenshot10075.jpg
2009-12-25 00:11:04 199988 ----a-w- c:\windows\screenshot10074.jpg
2009-12-24 23:41:09 168624 ----a-w- c:\windows\screenshot10073.jpg
2009-12-24 23:11:11 222014 ----a-w- c:\windows\screenshot10072.jpg
2009-12-24 22:41:16 222003 ----a-w- c:\windows\screenshot10071.jpg
2009-12-24 21:41:27 222007 ----a-w- c:\windows\screenshot10070.jpg
2009-12-24 21:11:31 221994 ----a-w- c:\windows\screenshot10069.jpg
2009-12-24 20:41:36 222001 ----a-w- c:\windows\screenshot10068.jpg
2009-12-24 20:11:41 222013 ----a-w- c:\windows\screenshot10067.jpg
2009-12-24 19:41:46 222005 ----a-w- c:\windows\screenshot10066.jpg
2009-12-24 19:11:51 222001 ----a-w- c:\windows\screenshot10065.jpg
2009-12-24 18:41:56 222009 ----a-w- c:\windows\screenshot10064.jpg
2009-12-24 18:12:01 222100 ----a-w- c:\windows\screenshot10063.jpg
2009-12-24 17:12:11 222115 ----a-w- c:\windows\screenshot10062.jpg
2009-12-24 16:42:16 222118 ----a-w- c:\windows\screenshot10061.jpg
2009-12-24 16:12:23 222097 ----a-w- c:\windows\screenshot10060.jpg
2009-12-24 15:42:26 222112 ----a-w- c:\windows\screenshot10059.jpg
2009-12-24 15:12:31 222003 ----a-w- c:\windows\screenshot10058.jpg
2009-12-24 14:42:36 222015 ----a-w- c:\windows\screenshot10057.jpg
2009-12-24 13:42:46 222011 ----a-w- c:\windows\screenshot10056.jpg
2009-12-24 13:12:51 222016 ----a-w- c:\windows\screenshot10055.jpg
2009-12-24 12:13:01 221995 ----a-w- c:\windows\screenshot10054.jpg
2009-12-24 11:43:06 222028 ----a-w- c:\windows\screenshot10053.jpg
2009-12-24 11:13:11 222021 ----a-w- c:\windows\screenshot10052.jpg
2009-12-24 10:43:16 222028 ----a-w- c:\windows\screenshot10051.jpg
2009-12-24 06:03:08 0 d-----w- c:\program files\Norton Support
2009-12-24 05:44:06 222028 ----a-w- c:\windows\screenshot10050.jpg
2009-12-23 19:57:30 196301 ----a-w- c:\windows\screenshot8050.jpg
2009-12-23 19:33:00 203756 ----a-w- c:\windows\screenshot8049.jpg
2009-12-23 19:03:05 207837 ----a-w- c:\windows\screenshot8048.jpg
2009-12-23 18:38:35 197630 ----a-w- c:\windows\screenshot8047.jpg
2009-12-23 18:08:51 196752 ----a-w- c:\windows\screenshot8046.jpg
2009-12-23 17:44:10 211233 ----a-w- c:\windows\screenshot8045.jpg
2009-12-23 17:14:15 197023 ----a-w- c:\windows\screenshot8044.jpg
2009-12-23 16:49:41 216651 ----a-w- c:\windows\screenshot8043.jpg
2009-12-23 16:19:46 214286 ----a-w- c:\windows\screenshot8042.jpg
2009-12-23 15:55:14 204469 ----a-w- c:\windows\screenshot8041.jpg
2009-12-23 15:25:19 209647 ----a-w- c:\windows\screenshot8040.jpg
2009-12-23 15:00:45 197345 ----a-w- c:\windows\screenshot8039.jpg
2009-12-23 14:30:50 215272 ----a-w- c:\windows\screenshot8038.jpg
2009-12-23 14:06:18 208791 ----a-w- c:\windows\screenshot8037.jpg
2009-12-23 13:36:23 202745 ----a-w- c:\windows\screenshot8036.jpg
2009-12-23 13:11:38 207571 ----a-w- c:\windows\screenshot8035.jpg
2009-12-23 12:16:51 212209 ----a-w- c:\windows\screenshot8034.jpg
2009-12-23 11:46:56 203856 ----a-w- c:\windows\screenshot8033.jpg
2009-12-23 11:22:28 199873 ----a-w- c:\windows\screenshot8032.jpg
2009-12-23 10:52:33 219431 ----a-w- c:\windows\screenshot8031.jpg
2009-12-23 08:30:42 199371 ----a-w- c:\windows\screenshot8030.jpg
2009-12-22 23:26:48 172997 ----a-w- c:\windows\screenshot7030.jpg
2009-12-22 22:56:50 167019 ----a-w- c:\windows\screenshot7029.jpg
2009-12-22 22:26:55 167019 ----a-w- c:\windows\screenshot7028.jpg
2009-12-22 21:57:00 176003 ----a-w- c:\windows\screenshot7027.jpg
2009-12-22 21:27:08 176003 ----a-w- c:\windows\screenshot7026.jpg
2009-12-21 23:23:40 222806 ----a-w- c:\windows\screenshot6026.jpg
2009-12-21 22:53:36 69611 ----a-w- c:\windows\screenshot6025.jpg
2009-12-21 22:23:41 209187 ----a-w- c:\windows\screenshot6024.jpg
2009-12-21 21:53:48 209187 ----a-w- c:\windows\screenshot6023.jpg
2009-12-21 21:23:51 153906 ----a-w- c:\windows\screenshot6022.jpg
2009-12-21 20:53:59 182510 ----a-w- c:\windows\screenshot6021.jpg
2009-12-21 20:24:02 182510 ----a-w- c:\windows\screenshot6020.jpg
2009-12-21 19:54:08 196363 ----a-w- c:\windows\screenshot6019.jpg
2009-12-21 19:24:11 193737 ----a-w- c:\windows\screenshot6018.jpg
2009-12-21 18:54:16 191015 ----a-w- c:\windows\screenshot6017.jpg
2009-12-21 18:24:23 182272 ----a-w- c:\windows\screenshot6016.jpg
2009-12-21 17:34:10 0 d-----w- c:\docume~1\hp_adm~1\applic~1\licenses
2009-12-21 17:32:45 0 d-----w- c:\docume~1\hp_adm~1\applic~1\PCMM2009
2009-12-21 17:24:31 137386 ----a-w- c:\windows\screenshot6015.jpg
2009-12-21 16:54:42 137386 ----a-w- c:\windows\screenshot6014.jpg
2009-12-21 16:24:45 137393 ----a-w- c:\windows\screenshot6013.jpg
2009-12-21 15:54:47 137393 ----a-w- c:\windows\screenshot6012.jpg
2009-12-21 15:24:53 137288 ----a-w- c:\windows\screenshot6011.jpg
2009-12-21 14:54:58 137288 ----a-w- c:\windows\screenshot6010.jpg
2009-12-21 14:25:01 137286 ----a-w- c:\windows\screenshot6009.jpg
2009-12-21 13:55:06 137289 ----a-w- c:\windows\screenshot6008.jpg
2009-12-21 13:25:15 137286 ----a-w- c:\windows\screenshot6007.jpg
2009-12-21 12:55:16 130031 ----a-w- c:\windows\screenshot6006.jpg
2009-12-21 12:25:21 130022 ----a-w- c:\windows\screenshot6005.jpg
2009-12-21 11:55:26 130047 ----a-w- c:\windows\screenshot6004.jpg
2009-12-21 11:25:31 130038 ----a-w- c:\windows\screenshot6003.jpg
2009-12-21 10:25:45 130707 ----a-w- c:\windows\screenshot6002.jpg
2009-12-21 06:56:16 130685 ----a-w- c:\windows\screenshot6001.jpg
2009-12-21 04:10:18 173640 ----a-w- c:\windows\screenshot3001.jpg
2009-12-21 04:09:02 360054 ----a-w- C:\test.bmp
2009-12-20 22:18:04 118936 ----a-w- c:\windows\screenshot2001.jpg
2009-12-20 22:17:34 117067 ----a-w- c:\windows\screenshot1001.jpg
2009-12-20 21:48:09 32768 ----a-w- c:\windows\screenshot1.jpg
2009-12-13 19:59:23 0 d-----w- c:\program files\PocketRAR
2009-12-08 23:35:32 1970176 ----a-w- c:\windows\system32\d3dx9.dll
2009-12-08 23:35:30 679936 ----a-w- c:\windows\system32\D3DX81ab.dll

==================== Find3M ====================

2009-10-31 18:48:07 177725 ----a-w- c:\windows\hpwins20.dat
2009-10-28 14:40:47 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2005-11-05 20:59:56 774144 ----a-w- c:\program files\RngInterstitial.dll
2009-09-08 04:39:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009090820090909\index.dat

============= FINISH: 21:53:06.93 ===============
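The alert quoted above is worth reading as a detection signal in its own right: the print spooler (spoolsv.exe) has no reason of its own to open HTTPS sessions to an internet host, so an IPS block on that traffic points to foreign code running inside a trusted process, which is how TDSS/Tidserv hides its command-and-control beacons. The Python below is an added example, not code from the post or from Symantec: it parses the alert text in the format shown above and applies that rule. The process policy list and the second, benign alert are assumptions constructed for the example.

```python
"""Triage helper for Norton Internet Security IPS alert text.  Rule: a Windows
service binary that never needs its own internet access initiating TCP/443 to a
public host suggests injected code (the TDSS/Tidserv pattern)."""
import ipaddress
import re
from dataclasses import dataclass

# Assumption for this example: a local policy list of service binaries that
# should never originate internet traffic themselves.
NO_EGRESS_SYSTEM_PROCESSES = {
    "spoolsv.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe", "smss.exe",
}

# Alert text copied from the Norton alert in the post above.
TIDSERV_ALERT = r"""
Severity - High
Activity - An intrusion attempt by a57990057.cn was blocked. Application path \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SPOOLSV.EXE
Status - Blocked
Risk Name - HTTPS Tidserv C and C Domain Request
Attacking Computer - a57990057.cn (212.117.174.176,443)
Source Address - 212.117.174.176(212.117.174.176)
Traffic Description - TCP,https
"""

# Constructed benign sample (not from the post): a browser talking to a LAN host.
BENIGN_ALERT = r"""
Severity - Medium
Activity - An intrusion attempt by fileserver was blocked. Application path \DEVICE\HARDDISKVOLUME2\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
Risk Name - Constructed Sample Signature
Attacking Computer - fileserver (192.168.1.20,443)
Traffic Description - TCP,https
"""

_FIELD_RE = re.compile(r"^\s*([A-Za-z &]+?)\s*-\s*(.*?)\s*$")
_APP_RE = re.compile(r"Application path\s+(.+?)\s*$", re.IGNORECASE)
_ATTACKER_RE = re.compile(r"^(?P<host>\S+)\s*\((?P<ip>[\d.]+)\s*,\s*(?P<port>\d+)\)")


@dataclass
class IpsAlert:
    risk_name: str
    app_path: str
    attacker_host: str
    attacker_ip: str
    attacker_port: int
    traffic: str

    @property
    def image_name(self) -> str:
        """Executable name from the NT device path, lower-cased for matching."""
        return self.app_path.rsplit("\\", 1)[-1].lower()


def parse_alert(text: str) -> IpsAlert:
    """Turn the 'Field - value' lines of one alert into an IpsAlert."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            # 'Severity' appears twice in a real alert; the first value wins.
            fields.setdefault(m.group(1).strip().lower(), m.group(2))
    app = _APP_RE.search(fields.get("activity", ""))
    atk = _ATTACKER_RE.match(fields.get("attacking computer", ""))
    if app is None or atk is None:
        raise ValueError("alert lacks an Application path or Attacking Computer field")
    return IpsAlert(
        risk_name=fields.get("risk name", ""),
        app_path=app.group(1),
        attacker_host=atk.group("host"),
        attacker_ip=atk.group("ip"),
        attacker_port=int(atk.group("port")),
        traffic=fields.get("traffic description", ""),
    )


def triage(alert: IpsAlert) -> list:
    """Return (tag, explanation) findings; an empty list means nothing stood out."""
    findings = []
    ip = ipaddress.ip_address(alert.attacker_ip)
    # Public destination + a service binary that never needs egress = injected code.
    if alert.image_name in NO_EGRESS_SYSTEM_PROCESSES and ip.is_global:
        findings.append((
            "system-process-egress",
            f"{alert.image_name} opened {alert.traffic} to public host "
            f"{alert.attacker_host} ({ip}:{alert.attacker_port}); treat the host as "
            "compromised rather than silencing the notification",
        ))
    risk = alert.risk_name.lower()
    if "tidserv" in risk or "c and c" in risk or "c&c" in risk:
        findings.append((
            "ips-c2-signature",
            f"IPS signature '{alert.risk_name}' names command-and-control traffic; "
            "the block stops the beacon but leaves the rootkit in place",
        ))
    return findings
```

Run `triage(parse_alert(TIDSERV_ALERT))` to see both findings for the spooler alert, while the constructed browser-to-LAN sample produces none.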


#2 Tokek

Posted 11 January 2010 - 01:56 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
If I have not replied back to your post in 3 days, please send me a PM.


#3 Tokek

Posted 12 January 2010 - 01:29 AM

User PM'd the reply:

Hello, I am the person you were helping with the HTTPD Tidserv problem. You recently told me to rescan my computer. When I ran the program, I waited for a while and nothing happened so I restarted my computer and ever since, I have been stuck on the screen that says "please wait while Windows prepares to start" and it does not get out of the screen. When I try to start the system in safe mode, it starts out perfectly but then at the end of all the commands--or whatever they are, it gets stuck on the screen. Can you please help me with this problem? I would like to thank you for the time you put into looking at the Tidserv problem, I really appreciate it.

Ifonenerd
p.s. sorry about any spelling or grammar mistakes, I am using my iPhone lol
If I have not replied back to your post in 3 days, please send me a PM.


#4 m0le


Posted 12 January 2010 - 02:51 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Tidserv is the TDSS rootkit by another name, and this type of trojan/backdoor can seemingly cripple your PC. This can sometimes be recovered, so we will try to boot the PC using this method.

Download and burn Dr.Web LiveCD from another clean computer first.

From another clean computer, go to this website for instructions on how to create a bootable Dr.Web LiveCD.

GO HERE and download the Dr.Web LiveCD .iso file from the bottom link option. Then burn the .iso file to a blank CD/DVD. Refer HERE for the "Free ISO Burner" page and tutorial.

After you successfully create the CD, simply put the CD into your infected computer's CD/DVD ROM and proceed with the step below.

First, we need to get into the BIOS to configure boot priority. Visit this website for a tutorial on how to set the first boot device to CD/DVD ROM.

After that, reboot into Normal Mode and do the following:

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
Finally, download and run ComboFix

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

These steps need to be done together. If you get stuck then stop and post about the problem.

Thanks :(
m0le is a proud member of UNITE

#5 m0le


Posted 16 January 2010 - 09:54 PM

Hi,

I have not had a reply from you for 5 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#6 m0le


Posted 20 January 2010 - 07:50 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE



