
HTTP Tidserv Request and HTTPS Tidserv Request 2


This topic is locked
14 replies to this topic

#1 kingwanabee

  • Members
  • 21 posts
  • Local time:08:50 AM

Posted 25 May 2010 - 12:37 PM

Please help me remove this virus. I've done the suggested preparation steps, but GMER is still not done scanning. It's been going for 18 hours! Is that normal? I'll post what I have so far.


DDS (Ver_10-03-17.01) - NTFSx86
Run by User at 16:53:59.31 on Mon 05/24/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3070.1392 [GMT -7:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Pandora\Pandora.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\DllHost.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hp\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\User\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/mycomcast/
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.8.0.41\IPSBHO.DLL
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.8.0.41\coIEPlg.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [lucdpavy] c:\users\user\appdata\local\qhouanrer\berrwustssd.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [AsusStartupHelp] c:\program files\asus\aasp\1.00.17\AsRunHelp.exe
mRun: [<NO NAME>]
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\pandora.lnk - c:\program files\pandora\Pandora.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F}
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.8.0.41\CoIEPlg.dll
Handler: x-mem1 - {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - c:\matrix games\puresim baseball 2007\wowctl2.dll
mASetup: {B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24} - %SystemRoot%\system32\soundschemes2.exe /AddRegistration

============= SERVICES / DRIVERS ===============

R0 AFS;AFS;c:\windows\system32\drivers\AFS.SYS [2008-1-7 79052]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1008000.029\SymEFA.sys [2010-2-2 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1008000.029\BHDrvx86.sys [2010-2-2 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1008000.029\cchpx86.sys [2010-2-2 482432]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100518.002\IDSvix86.sys [2010-5-24 344112]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-10-5 12672]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2008-1-31 2560]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.8.0.41\ccSvcHst.exe [2010-2-2 117640]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-9-27 240232]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-26 102448]
R3 rt61x86;Gigabyte RT61 Wireless Driver for Windows Vista;c:\windows\system32\drivers\netr61.sys [2009-6-10 335872]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\nis\1008000.029\symndisv.sys [2010-2-2 48688]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-11-3 25832]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-4-6 21504]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite 2009\RpcAgentSrv.exe [2008-10-20 98488]

=============== Created Last 30 ================

2010-05-22 10:25:15 0 d-----w- c:\users\user\appdata\roaming\PeerNetworking
2010-05-15 20:15:40 0 d-----w- C:\NorbSoftDev
2010-05-12 23:06:16 675 ------w- c:\windows\hpomdl43.dat.temp
2010-05-12 23:06:16 192543 ------w- c:\windows\hpoins43.dat.temp
2010-05-12 01:53:18 0 d-----w- c:\programdata\WEBREG
2010-05-12 01:40:10 0 d-----w- c:\programdata\Yahoo! Companion
2010-05-12 01:40:10 0 d-----w- c:\program files\Yahoo!
2010-05-12 01:38:38 0 d-----w- c:\programdata\HP Product Assistant
2010-05-12 01:37:54 0 d-----w- c:\program files\common files\Hewlett-Packard
2010-05-12 01:36:40 966656 ----a-w- c:\windows\system32\hpost_p02c.dll
2010-05-12 01:36:40 712704 ----a-w- c:\windows\system32\hposwia_p02c.dll
2010-05-12 01:36:40 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2010-05-12 01:36:40 315392 ----a-w- c:\windows\system32\hposc_p02a.dll
2010-05-12 01:36:40 309760 ----a-w- c:\windows\system32\difxapi.dll
2010-05-12 01:36:35 452408 ----a-w- c:\windows\system32\hpzids01.dll
2010-05-12 01:36:31 123904 ----a-w- c:\windows\system32\hpf3l70v.dll
2010-05-12 01:33:20 192543 ----a-w- c:\windows\hpoins43.dat
2010-05-11 19:52:46 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-09 01:26:49 0 d-----w- c:\users\user\appdata\roaming\com.pandora.desktop.FB9956FD96E03239939108614098AD95535EE674.1
2010-05-09 01:26:47 0 d-----w- c:\program files\Pandora
2010-05-08 15:30:51 0 d-----w- c:\programdata\RoboForm
2010-05-08 15:29:28 0 d-----w- c:\program files\Siber Systems
2010-05-07 02:06:38 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS
2010-05-07 02:05:29 0 d-----w- C:\Netgear

==================== Find3M ====================

2010-05-24 22:49:45 52528 ----a-w- c:\programdata\nvModes.dat
2010-05-24 22:49:45 10145 --sha-w- c:\windows\system32\mmf.sys
2010-05-22 14:23:06 743680 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-12 01:47:44 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-12 01:47:44 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-12 01:36:41 86016 ----a-w- c:\windows\inf\infstor.dat
2010-03-05 14:01:02 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-11-03 21:59:53 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-07-23 14:56:43 604 ---ha-w- c:\program files\STLL Notifier
2008-04-09 18:57:01 328 ----a-w- c:\program files\log.txt
2008-04-09 17:09:28 0 ----a-w- c:\program files\ctrlDl-DD-SOTS-BOB
2008-04-06 12:58:09 174 --sha-w- c:\program files\desktop.ini
2008-03-22 17:56:46 0 ----a-w- c:\program files\ctrlDl-DD-CKDV
2008-01-12 16:11:56 0 ----a-w- c:\program files\ctrlDl-DD-PDX11ENG
2008-01-12 15:55:09 0 ----a-w- c:\program files\ctrlDl-DD-PQ
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-21 19:59:27 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 16:55:13.33 ===============
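As an added illustration (not part of the thread and not code from DDS or any BleepingComputer tool): a small Python triage script that parses the uRun/mRun lines of a DDS "Pseudo HJT Report" and flags autorun entries that launch from user-writable profile paths or carry machine-generated-looking names. The sample lines are copied from the report above; the scoring thresholds are this example's own assumptions.

```python
import re
from collections import namedtuple

# Constructed sample: Run entries copied from the DDS "Pseudo HJT Report" in this thread.
SAMPLE_HJT = r"""
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [lucdpavy] c:\users\user\appdata\local\qhouanrer\berrwustssd.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [<NO NAME>]
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
"""

Finding = namedtuple("Finding", "scope name path score reasons")

RUN_RE = re.compile(r"^(?P<scope>[um])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Locations a standard user can write to; legitimate Run entries rarely live here.
USER_WRITABLE = ("\\users\\", "\\documents and settings\\", "\\appdata\\", "\\temp\\")


def extract_path(cmd):
    """Return the executable path from a Run command line (quoted or bare, switches stripped)."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Bare path: cut at the first " -switch" or " /switch"
    return re.split(r"\s+[-/]", cmd, maxsplit=1)[0]


def looks_random(token):
    """Crude check for generated names such as 'lucdpavy': all lowercase letters,
    at least 6 long, under 30% vowels. Threshold is an assumption of this example."""
    if len(token) < 6 or not token.isalpha() or not token.islower():
        return False
    return sum(ch in "aeiou" for ch in token) / len(token) < 0.3


def score_entry(name, path):
    """Score one entry. The name heuristic alone is weak (e.g. WMPNSCFG has no vowels),
    so it only adds to the stronger location signal instead of flagging on its own."""
    reasons, score = [], 0
    low = path.lower()
    if not path:
        reasons.append("empty command value")
        score += 1
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable profile path")
        score += 2
    parts = [p for p in low.replace("/", "\\").split("\\") if p]
    stem = parts[-1].rsplit(".", 1)[0] if parts else ""
    if looks_random(name) or looks_random(stem):
        reasons.append("machine-generated-looking name")
        score += 1
    return score, reasons


def find_suspicious_autoruns(report, threshold=2):
    """Parse uRun/mRun lines and return entries scoring at or above the threshold."""
    findings = []
    for line in report.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        scope = "user" if m.group("scope") == "u" else "machine"
        name = m.group("name")
        path = extract_path(m.group("cmd"))
        score, reasons = score_entry(name, path)
        if score >= threshold:
            findings.append(Finding(scope, name, path, score, reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_autoruns(SAMPLE_HJT):
        print(f"{f.scope:8} [{f.name}] {f.path}  score={f.score}  {', '.join(f.reasons)}")
```

On the sample above only the lucdpavy entry crosses the threshold, which matches the Run value MBAM later removed in this thread.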


#2 Farbar

    Just Curious

  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:50 PM

Posted 25 May 2010 - 01:34 PM

Hi kingwanabee,

Welcome to BC Malware Removal (VTSMR) forum.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes.

You may stop GMER from running if it is still running.
  1. Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  2. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

  3. Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.

    Double-click to run TDLfix.exe, type the following in the command window and press Enter:

    mbr

    A log file opens up. Please post its content in your reply.


#3 kingwanabee

Posted 25 May 2010 - 03:45 PM

Thank you very much for your help. Here are the results you asked for:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4143

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

5/25/2010 1:26:18 PM
mbam-log-2010-05-25 (13-26-18).txt

Scan type: Quick scan
Objects scanned: 135411
Time elapsed: 7 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lucdpavy (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\User\AppData\Local\Temp\~DF8DE9.tmp (Malware.Packer.Gen) -> Delete on reboot.
C:\Users\User\AppData\Local\Temp\b6eacfa1.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: error reading MBR


#4 Farbar

Posted 25 May 2010 - 03:56 PM

I forgot to adjust it to Vista. Please right-click TDLfix to run it as administrator, type mbr then press Enter and post the log.

#5 kingwanabee

Posted 25 May 2010 - 04:00 PM

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x886E6D01]<<
kernel: MBR read successfully
user & kernel MBR OK


#6 Farbar

Posted 25 May 2010 - 04:04 PM

  1. Close all the open windows.
    • Disable real-time protection of your security software and make sure it will not run at startup after reboot. They may otherwise interfere with the tool. (Information on A/V control HERE)
    • Right-click TDLfix.exe to run the tool as admin, a command window opens.
    • Type (or copy the following and right-click to paste) in the command window and press Enter:

      rasacd

    • The application shall restart the computer immediately and run after restart.
    • Tell me if the computer rebooted and ran to completion.

  2. Reboot the computer once manually then run TDLFix again as admin, type mbr and press Enter. Copy and paste the log it creates.


#7 kingwanabee

Posted 25 May 2010 - 04:09 PM

Norton's just blocked another attack. Is it safe to disable it? This will also disable my firewall. Thanks again, farbar!

#8 Farbar

Posted 25 May 2010 - 04:14 PM

If Norton is not disabled it interferes with the tool and it will certainly not work. The tool needs to disable the rootkit to remove it. Norton can't do much when the rootkit is loaded; when the tool unloads it to remove it, Norton blocks the rootkit but does not remove it because it is a patched system file. So it remains there until the next boot and becomes active again. Make sure Norton will not even run at the next startup when the tool restarts to remove the rootkit.

#9 kingwanabee

Posted 25 May 2010 - 04:34 PM

OK I did as you asked. MBR rebooted my system fine. Then I did a manual reboot which went fine. I ran MBR as requested. Then I turned my firewall back on. Hope that's ok. Thanks

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
kernel: MBR read successfully
user & kernel MBR OK
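Added example, not from the thread and not GMER's code: a Python checker for the three mbr.exe logs posted in this thread (post #3 run without elevation, post #5 before the fix, post #9 after). It parses the status lines and the "called modules" chain, flags the >>UNKNOWN [...]<< marker, and diffs the two chains to show which real storage drivers reappeared once the hook was gone. The verdict labels are this example's own.

```python
import re

# Constructed samples: the three mbr.exe logs posted in this thread.
LOG_NOT_ELEVATED = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: error reading MBR
"""

LOG_BEFORE_FIX = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x886E6D01]<<
kernel: MBR read successfully
user & kernel MBR OK
"""

LOG_AFTER_FIX = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
kernel: MBR read successfully
user & kernel MBR OK
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


def parse_mbr_log(text):
    """Turn an mbr.exe log into a dict: status strings, the driver call chain, and any
    addresses the tool could not attribute to a loaded driver image."""
    info = {"device": None, "user": None, "kernel": None,
            "modules": [], "unknown": [], "mbr_match": False}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "user & kernel MBR OK":
            info["mbr_match"] = True
        elif line.startswith("called modules:"):
            chain = line.split(":", 1)[1]
            info["unknown"] = UNKNOWN_RE.findall(chain)
            info["modules"] = UNKNOWN_RE.sub("", chain).split()
        else:
            for key in ("device", "user", "kernel"):
                if line.startswith(key + ":"):
                    info[key] = line.split(":", 1)[1].strip()
    return info


def assess(info):
    """Verdict for one log. Ordering matters: an unattributed module in the disk I/O
    chain is flagged even when the MBR sectors compare equal, because a hook in the
    driver stack (in this thread, a patched system driver) need not touch the MBR."""
    if info["kernel"] is None or "error" in info["kernel"]:
        return "INCOMPLETE"   # kernel-mode read failed; rerun elevated before judging
    if info["unknown"]:
        return "SUSPICIOUS"   # code in the call chain outside any known driver image
    if not info["mbr_match"]:
        return "SUSPICIOUS"   # user-mode and kernel-mode views of the MBR disagree
    return "CLEAN"


def chain_diff(before, after):
    """Modules that vanished and appeared between two runs; after a successful cleanup
    the real storage drivers the hook was hiding should show up again."""
    removed = [m for m in before["modules"] if m not in after["modules"]]
    added = [m for m in after["modules"] if m not in before["modules"]]
    return removed, added


if __name__ == "__main__":
    for label, log in (("not elevated", LOG_NOT_ELEVATED),
                       ("before fix", LOG_BEFORE_FIX), ("after fix", LOG_AFTER_FIX)):
        info = parse_mbr_log(log)
        print(f"{label:13} {assess(info):10} unknown={info['unknown']}")
    print("chain diff:", chain_diff(parse_mbr_log(LOG_BEFORE_FIX), parse_mbr_log(LOG_AFTER_FIX)))
```

Note that the pre-fix log already says "user & kernel MBR OK"; the only evidence of the rootkit is the UNKNOWN entry at the end of the chain, which is why the check must not stop at the MBR comparison.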


#10 Farbar

Posted 25 May 2010 - 04:49 PM

The rootkit is taken care of and the main infection is gone.

Of course Norton should be turned on to protect you.

Let's give the system a full checkup for any inactive malware.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push




#11 kingwanabee

Posted 25 May 2010 - 09:30 PM

Wow. That took 4 hours. It found 3 infected files and quarantined 2 of them. Should I delete those?

C:\Users\Kyra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MWURVCVF\burtsed[1].js probably a variant of JS/TrojanDownloader.FraudLoad.NAC trojan cleaned by deleting - quarantined
C:\vir\rasacd.sys.old Win32/Olmarik.ZC trojan cleaned - quarantined
C:\Windows\winsxs\x86_microsoft-windows-rasautodial_31bf3856ad364e35_6.0.6001.18000_none_0fd9feb665531f63\rasacd.sys Win32/Olmarik.ZC trojan error while cleaning


#12 Farbar

Posted 26 May 2010 - 05:04 AM

One of the infected files is the file quarantined by TDLfix (C:\vir\rasacd.sys.old), the one we would remove at the end when the tool is removed.
The other one was in the Temporary Internet Files.
You may delete those files quarantined by ESET, even though they are harmless now.
  1. Remove the following file ESET could not remove, you might have to disable the Norton auto protection if it is locked by Norton to be able to remove it:

    C:\Windows\winsxs\x86_microsoft-windows-rasautodial_31bf3856ad364e35_6.0.6001.18000_none_0fd9feb665531f63\rasacd.sys

    To remove it open the folder and delete the file.

  2. Run CCleaner (make sure that under the Windows tab all the boxes for Internet Explorer and Windows Explorer are checked. Under System, check Empty Recycle Bin and Temporary Files. Under the Application tab all the boxes should be checked). Then click Run Cleaner.

  3. Run TDLfix.exe, type del and press Enter. It removes the leftovers and the tool too. Also delete any tools or logs we used from your computer.

  4. First Set a New Restore Point then Remove the Old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.

Happy Surfing kingwanabee.



#13 kingwanabee

Posted 26 May 2010 - 06:45 AM

farbar -

Thank you very much again for all your help. It looks like my problem is solved. Are there other things I can do to protect myself online? It looks like Norton's doesn't cover everything.

#14 kingwanabee

Posted 26 May 2010 - 06:51 AM

I just noticed that MBAM is still installed. I might keep it. It has 5 files in quarantine. They are mostly registry keys. Is it safe to delete them?

#15 Farbar

Posted 26 May 2010 - 08:30 AM

You are most welcome.

You may keep MBAM. Update it once in a while. You may remove the quarantined items.

I recommend installing this small application for safe surfing: Javacools© SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
  • Download and install it.
  • Update it manually by clicking on Updates in the left pane and then Check for Updates.
  • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
  • The free version doesn't have an automatic update. Update it once in two or three weeks and enable all protection again.

There is no perfect AV. The best way is to avoid p2p programs, avoid bad sites, check your download (the size of the download), try to download from known secure sites, and try to enjoy surfing. If you still get infected we are here to assist you.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.







