
Infected with HTTPS Tidserv Request 2

7 replies to this topic

#1 mastersf


  • Members
  • 6 posts
  • Local time:08:44 AM

Posted 16 April 2010 - 05:57 AM

I was surfing the net using Google Chrome when all of a sudden I started seeing some fishy activity. The Java icon came up, some Java was being run, and after that I've been getting notifications from Norton saying an intrusion attempt was blocked. There are a few different attacking computers that are in the logs. It says the attack resulted from \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE. Lately, I've been using Firefox to browse the net and, strangely, when I click on Google search results I am brought to something completely irrelevant, and can see the URL is different. Not sure if these two are involved or if some other nasty is playing games with me. Forgot to mention, Google Chrome isn't working anymore. I can start the browser but can't use it to surf the net. It just seems to continuously load the page, though the page stays blank. Another thing I noticed, I can't access history and extensions in the browser. Not sure what's going on. Any help is appreciated!

DDS (Ver_10-03-17.01) - NTFSx86
Run by *censored* at 6:29:48.09 on Fri 04/16/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_15
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2046.753 [GMT -4:00]

SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files\CyberLink\Shared files\brs.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Steganos Safe 11\SteganosHotKeyService.exe
C:\Program Files\Steganos Safe 11\fredirstarter.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iolo\System Mechanic Professional\SMSystemAnalyzer.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWWSC.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWWSC.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWWSC.exe
C:\Program Files\Mozilla Firefox\firefox.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.1.0.32\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.1.0.32\IPSBHO.DLL
BHO: RoboForm BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.1.0.32\coIEPlg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [AdobeBridge]
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [iolo Startup] "c:\program files\iolo\common\lib\ioloLManager.exe"
mRun: [RemoteControl9] "c:\program files\cyberlink\powerdvd9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "c:\program files\cyberlink\powerdvd9\language\Language.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SAFE2009 HotKeys] "c:\program files\steganos safe 11\SteganosHotKeyService.exe"
mRun: [SAFE2009 File Redirection Starter] "c:\program files\steganos safe 11\fredirstarter.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\*censored*\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Identities Editor - file://c:\program files\siber systems\ai roboform\RoboFormComEditIdent.html
IE: Open using &Advanced JPEG Compressor - c:\program files\advanced jpeg compressor\ajcieex.htm
IE: Passcards Editor - file://c:\program files\siber systems\ai roboform\RoboFormComEditPass.html
IE: Password Generator - file://c:\program files\siber systems\ai roboform\RoboFormComPasswordGenerator.html
IE: RoboForm Options - file://c:\program files\siber systems\ai roboform\RoboFormComOptions.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
AppInit_DLLs: acaptuser32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\*censored*\appdata\roaming\mozilla\firefox\profiles\s8me2s69.default
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\users\*censored*\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-15 64288]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0401000.020\symds.sys [2010-3-31 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0401000.020\symefa.sys [2010-3-31 172592]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20100324.001\BHDrvx86.sys [2010-3-24 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0401000.020\cchpx86.sys [2010-3-31 501888]
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\elrawdsk.sys [2009-11-11 20392]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20100409.001\IDSvix86.sys [2010-4-12 343088]
R1 SLEE_15_DRIVER;Steganos Live Encryption Engine 15 [Driver];c:\windows\system32\drivers\sleen15.sys [2007-2-21 80232]
R1 SLEE_17_DRIVER;Steganos Live Encryption Engine 17 [Driver];c:\windows\system32\drivers\SleeN17.sys [2010-2-17 94560]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0401000.020\ironx86.sys [2010-3-31 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0401000.020\symtdiv.sys [2010-3-31 340016]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2010/03/12 17:08:53];c:\program files\cyberlink\powerdvd9\navfilter\000.fcl [2009-12-15 87536]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-26 189736]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2010-2-28 665008]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2010-2-28 665008]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.1.0.32\ccsvchst.exe [2010-3-31 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-3-6 102448]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2009-12-18 6000640]
S2 gupdate1ca6306c45ce963;Google Update Service (gupdate1ca6306c45ce963);c:\program files\google\update\GoogleUpdate.exe [2009-11-11 133104]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 commcs;CommCisco Driver by TamoSoft;c:\windows\system32\drivers\commcs.sys [2010-3-28 15360]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-2-20 14216]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-2-20 8456]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]

============== File Associations ===============


=============== Created Last 30 ================

2010-04-16 10:24:08 54016 ----a-w- c:\windows\system32\drivers\fhep.sys
2010-04-16 10:15:06 0 d-----w- c:\users\*censored*\appdata\roaming\Malwarebytes
2010-04-16 10:14:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-16 10:14:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-16 10:14:45 0 d-----w- c:\programdata\Malwarebytes
2010-04-16 10:14:44 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-15 15:00:21 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-15 04:52:18 64 ----a-w- c:\windows\system32\rp_stats.dat
2010-04-15 04:52:18 44 ----a-w- c:\windows\system32\statistics.dat
2010-04-15 04:52:18 44 ----a-w- c:\windows\system32\rp_rules.dat
2010-04-15 04:46:27 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-15 04:46:22 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-15 04:40:36 0 dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-15 04:39:55 0 d-----w- c:\programdata\Lavasoft
2010-04-15 04:39:55 0 d-----w- c:\program files\Lavasoft
2010-04-14 16:28:37 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 16:28:37 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 16:28:36 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 16:28:35 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 16:28:27 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-14 16:28:12 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 16:28:12 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 16:28:11 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-13 04:34:23 0 d-----w- c:\users\*censored*\appdata\roaming\47997BFAFC9399651E3A2B5467A02DD7
2010-04-11 08:19:01 0 d-----w- c:\programdata\GoodSync
2010-04-11 08:18:59 0 d-----w- c:\users\*censored*\appdata\roaming\RoboForm
2010-04-10 04:01:18 139920 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-04-10 01:34:44 214808 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-04-10 01:34:28 214808 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-04-10 01:34:15 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-04-10 01:34:05 0 d-----w- c:\users\*censored*\appdata\roaming\Need for Speed World Online
2010-04-08 07:40:17 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2010-04-03 16:36:08 0 d-----w- c:\program files\TeamViewer
2010-04-03 16:33:59 0 d-----w- c:\users\*censored*\appdata\roaming\TeamViewer
2010-03-31 00:21:43 977920 ----a-w- c:\windows\system32\wininet.dll
2010-03-28 06:43:21 0 d-----w- c:\users\*censored*\appdata\roaming\Tific
2010-03-28 06:42:59 65536 --sha-w- c:\users\*censored*\ntuser.dat{0b356ad7-3a35-11df-af37-0015c53898a3}.TM.blf
2010-03-28 06:42:59 524288 --sha-w- c:\users\*censored*\ntuser.dat{0b356ad7-3a35-11df-af37-0015c53898a3}.TMContainer00000000000000000002.regtrans-ms
2010-03-28 06:42:59 524288 --sha-w- c:\users\*censored*\ntuser.dat{0b356ad7-3a35-11df-af37-0015c53898a3}.TMContainer00000000000000000001.regtrans-ms
2010-03-28 06:42:31 287527339 ----a-w- c:\windows\MEMORY.DMP
2010-03-28 05:29:28 15360 ----a-w- c:\windows\system32\drivers\commcs.sys
2010-03-28 05:29:27 0 d-----w- c:\program files\CommViewWiFi
2010-03-27 04:19:58 0 d-----w- c:\windows\system32\InstallShield Installation Information
2010-03-27 02:42:33 0 d-----w- c:\program files\Steganos Live Encryption Engine 15
2010-03-27 02:27:42 0 d-----w- c:\users\*censored*\appdata\roaming\Steganos
2010-03-27 02:26:26 0 d-----w- c:\program files\Steganos Safe 11
2010-03-26 18:16:56 0 d-----w- c:\program files\starcraft
2010-03-21 03:56:08 0 d-----w- c:\users\*censored*\appdata\roaming\Command and Conquer 4

==================== Find3M ====================

2010-04-14 17:05:11 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-03-12 22:05:03 29480 ----a-w- c:\windows\system32\msxml3a.dll
2010-03-12 22:05:02 505128 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-12 22:05:02 353576 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-08 22:24:00 104768 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2010-03-06 20:37:41 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-06 20:37:41 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-06 20:37:41 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-17 10:40:14 94560 ----a-w- c:\windows\system32\drivers\SleeN17.sys
2010-02-17 10:40:14 108256 ----a-w- c:\windows\SleeN1764.sys
2010-02-09 22:09:30 93096 ----a-w- c:\windows\system32\IncContxMenu.dll
2010-02-09 22:09:22 2164648 ----a-w- c:\windows\system32\Incinerator.dll
2010-02-02 07:45:54 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-29 01:35:44 1692288 ----a-w- c:\windows\system32\BootMan.exe
2010-01-28 22:13:18 30208 ----a-w- c:\windows\system32\iolobtdfg.exe
2010-01-28 22:13:18 12288 ----a-w- c:\windows\system32\smrgdf.exe
2010-01-20 21:53:06 14216 ----a-w- c:\windows\system32\epmntdrv.sys
2010-01-20 21:53:04 86408 ----a-w- c:\windows\system32\setupempdrv03.exe
2010-01-20 21:53:04 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys
2010-01-20 21:52:48 14848 ----a-w- c:\windows\system32\EuEpmGdi.dll
2010-01-18 23:29:31 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-18 23:29:31 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-18 23:29:31 365568 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-18 23:29:30 369152 ----a-w- c:\windows\system32\secproc.dll
2010-01-18 23:28:33 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-18 23:28:33 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-18 23:28:30 320512 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-18 23:28:30 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 6:31:59.34 ===============

Wow, this seems to be a major issue all over the internet, eh? A bunch of my friends are going through this same problem!

EDIT: Bump removed ~BP

Attached Files

Edited by Budapest, 17 April 2010 - 10:08 PM.
Posts merged ~BP
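As an added example (not part of this thread, and not a DDS or BleepingComputer tool), the following Python script parses the DDS report format posted above and flags the items a responder reads first: UAC policy values that remove elevation prompts, BHO entries that point at no file, and kernel drivers whose file date falls within a few days of the log. The sample input is constructed from lines of the posted log with paths restored and the user name replaced; the driver allowlist and the three-day window are assumptions.

```python
"""Triage helper for a DDS report in the format of the log posted above.

Added example for this thread, not a DDS feature and not the helper's own
tooling. It reads the sections a responder looks at first and flags items that
merit a second look; every hit still needs a human to confirm the file's
vendor and signature before anything is removed.
"""
import re
from datetime import datetime

# Constructed sample in the DDS format of the posted log (paths restored, the
# user name replaced with "user"); a few representative lines per section.
SAMPLE_DDS = r"""DDS (Ver_10-03-17.01) - NTFSx86
Run by user at 6:29:48.09 on Fri 04/16/2010

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-15 64288]
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\elrawdsk.sys [2009-11-11 20392]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

=============== Created Last 30 ================

2010-04-16 10:24:08 54016 ----a-w- c:\windows\system32\drivers\fhep.sys
2010-04-16 10:14:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-15 04:39:55 0 d-----w- c:\program files\Lavasoft
"""

# Assumed operator-maintained allowlist of drivers already attributed to a
# known tool; here the Malwarebytes driver installed minutes before the log.
KNOWN_DRIVERS = {"mbam.sys", "mbamswissarmy.sys"}

RUN_DATE_RE = re.compile(r"^Run by .* on \w{3} (\d{2}/\d{2}/\d{4})")
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
POLICY_RE = re.compile(r"^mPolicies-system: (\w+) = (\d+)")
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+) \[(\d{4}-\d{1,2}-\d{1,2}) (\d+)\]$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S+) (.+)$")

# UAC settings whose value removes a prompt that would otherwise stand between
# code running as the logged-on user and a driver being installed.
WEAK_POLICIES = {
    ("EnableLUA", "0"): "User Account Control is disabled",
    ("ConsentPromptBehaviorAdmin", "0"): "administrators elevate without any prompt",
    ("PromptOnSecureDesktop", "0"): "elevation prompts are not shown on the secure desktop",
}


def days_before(run_date, ymd):
    """Days between a file date (YYYY-M-D, as DDS prints it) and the log date."""
    return (run_date - datetime.strptime(ymd, "%Y-%m-%d")).days


def triage(report, window_days=3):
    """Return a list of (category, detail) findings for one DDS report text."""
    findings = []
    run_date = datetime.min  # replaced by the "Run by ... on" header line
    section = ""
    for line in report.splitlines():
        line = line.rstrip()
        m = RUN_DATE_RE.match(line)
        if m:
            run_date = datetime.strptime(m.group(1), "%m/%d/%Y")
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "Pseudo HJT Report":
            m = POLICY_RE.match(line)
            if m and (m.group(1), m.group(2)) in WEAK_POLICIES:
                why = WEAK_POLICIES[(m.group(1), m.group(2))]
                findings.append(("policy", f"{m.group(1)} = {m.group(2)}: {why}"))
            elif line.startswith("BHO:") and line.endswith("- No File"):
                # A CLSID still registered as a helper object but pointing at
                # nothing: leftover of an uninstall or of a removed payload.
                findings.append(("bho", "orphaned BHO registration: " + line[5:]))
        elif section == "SERVICES / DRIVERS":
            m = SERVICE_RE.match(line)
            # R0/R1 are boot- and system-start kernel drivers, the load point a
            # rootkit such as TDL3 needs, so a freshly dated one is worth a look.
            if m and m.group(1) in ("R0", "R1"):
                age = days_before(run_date, m.group(5))
                if 0 <= age <= window_days:
                    findings.append(("driver", f"{m.group(1)} {m.group(2)} ({m.group(4)}) dated {age} day(s) before the log"))
        elif section == "Created Last 30":
            m = CREATED_RE.match(line)
            if m and m.group(5).lower().endswith(".sys"):
                if m.group(5).rsplit("\\", 1)[-1].lower() in KNOWN_DRIVERS:
                    continue
                if 0 <= days_before(run_date, m.group(1)) <= window_days:
                    findings.append(("created", f"new kernel driver {m.group(5)} written {m.group(2)} on {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_DDS):
        print(f"[{category}] {detail}")
```

On the sample it reports the two weakened UAC policies, the orphaned BHO, the boot-start driver dated the day before the log and the driver file written the morning the log was taken, while the allowlisted Malwarebytes driver is skipped.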



#2 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:08:44 AM

Posted 18 April 2010 - 05:37 PM


My name is Extremeboy (or EB for short), and I will be helping you with your log. I apologize for the delay.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a GMER log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or GMER log, please refer to this page, steps #6, #7 and #8, for further instructions on downloading and running DDS & GMER. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.

For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-GMER log
-Description of any remaining problems you may still have.

With Regards,
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 mastersf

  • Topic Starter

  • Members
  • 6 posts
  • Local time:08:44 AM

Posted 18 April 2010 - 10:43 PM

Hello Extremeboy,
thank you for your reply.
I haven't used the computer since.
Same problems persist.
Please refer to my first post.

#4 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:08:44 AM

Posted 20 April 2010 - 04:32 PM


Sorry for the delay.

In this case, let's continue. One of the infections you have is the TDL3 rootkit: http://rootbiez.blogspot.com/2009/11/rootk...s-lets-put.html

If you want to remove this, let's continue.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Once you post the Combofix log we'll continue and see.

#5 mastersf

  • Topic Starter

  • Members
  • 6 posts
  • Local time:08:44 AM

Posted 20 April 2010 - 10:44 PM

I have attached the logfile.
Thank you for your help!
I await further instruction and am eager to rid my computer of this pest!

Attached Files

#6 mastersf

  • Topic Starter

  • Members
  • 6 posts
  • Local time:08:44 AM

Posted 20 April 2010 - 10:47 PM

By the way, I saw that Bluetooth is not loading up (icon) and was deleted by ComboFix. Should this be restored? Why was it deleted?

#7 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:08:44 AM

Posted 21 April 2010 - 02:33 PM


Yes, it appears to be a false positive. We will restore that in the next post.

Also, please do not edit the logs. I understand you wish to keep your privacy and hide your name. We can always remove it at the end if you wish.

Please post the C:\Qoobox\Combofix-quarantine-files.txt report for me in your next reply.

The logs look a lot better.

Update and Scan with MalwareBytes Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


#8 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:08:44 AM

Posted 08 May 2010 - 11:50 AM


Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,