Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HTTPS Tidserv Request and HTTPS Tidserv Request 2


  • This topic is locked This topic is locked
9 replies to this topic

#1 arc14716

arc14716

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 27 May 2010 - 05:26 PM

Hello:

I was referred to this part of the forum for help in resolving and removing HTTPS Tidserv Request and HTTPS Tidserv Request 2.

A brief explanation of the problem can be found here, as well as the steps I've taken thus far. However, this is what happened:

Last Friday, I went to a website and Norton Download Insight detected the launch of something called skxntv.exe. It quarantined the item. At about the time, Norton also logged an unauthorized access attempt. Roughly thirty minutes later, Norton logged an intrusion attempt by an IP address which contained HTTPS Tidserv Request 2. This attempt was blocked. An hour later, another attempt was blocked. If I remember correctly, I may have launched Norton to scan my computer. It detected fifty low level tracking cookies which were deleted.

The next morning, I got up and found that I could no longer use my keyboard. I found a code 38 error in the control panel section for the keyboard. After numerous attempts at rebooting and reinstalling the driver, nothing seemed to work. This went on until Monday morning when I discoverd my keyboard was working again.

In between all of this, I researched what could be causing the keyboard to stop working. I have a Nintendo Wii with internet access and an Opera browser, so I used that to do my research. I discovered that one of the causes could be a virus. At some point, these forums were mentioned and that was when I made my first post.

For the last few days, I've had my keyboard work off and on (it is now currently working). I've had to deal with Norton being set off by HTTPS Tidserv Request 1 or 2 about every thirty or so minutes, and also at the same time, trying the various steps and aids you people have been assisting me with. Other than that, nothing out of the ordinary has been happening. I've haven't gone onto any search engines in the last few days, I haven't done any financial transactions on my PC (and rarely do anyway, and I keep no financial records on my PC anyway). I have numerous game folders, video, pictures, music files. That's about it. The PC is connected via cable modem and is not used for business, just personal use.

I hope you can help me with resolving this issue and I hope I've told you everything you need to know. I await your reply and thank you for your help.

What follows are the DDS logs and gamr logs. I hope they are of some help to you.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Stanley K. Emmsley at 7:35:59.50 on Thu 05/27/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2558 [GMT -10:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell DataSafe Online\Bin\DataSafeOnlineScheduler.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Dell DataSafe Online\Bin\DataSafeOnlineTrayIcon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\Program Files\Norton PC Checkup\Engine\2.0.2.543\SymcPCCULaunchSvc.exe
C:\Program Files\Norton PC Checkup\Engine\2.0.2.543\ccSvcHst.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Norton PC Checkup\Engine\2.0.2.543\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Stanley K. Emmsley\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080314
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080314
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.7.0.12\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Dell DataSafe Scheduler] "c:\program files\dell datasafe online\bin\DataSafeOnlineScheduler.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: []
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\amazon~1.lnk - c:\program files\amazon\amazon unbox video\ADVWindowsClientSystemTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - hxxp://simcity.ea.com/update/EARTPX.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} - hxxp://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://gameadvisor.futuremark.com/global/msc3121.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1107000.00c\symds.sys [2010-5-24 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1107000.00c\symefa.sys [2010-5-24 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-4-29 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1107000.00c\cchpx86.sys [2010-5-24 501888]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1107000.00c\ironx86.sys [2010-5-24 116784]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.7.0.12\ccsvchst.exe [2010-5-24 126392]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\norton pc checkup\engine\2.0.2.543\SymcPCCULaunchSvc.exe [2010-4-22 103280]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\norton pc checkup\engine\2.0.2.543\ccSvcHst.exe [2010-4-22 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-26 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20100520.001\IDSXpx86.sys [2009-10-28 329592]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20100526.039\NAVENG.SYS [2010-5-26 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20100526.039\NAVEX15.SYS [2010-5-26 1347504]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-6 135664]

=============== Created Last 30 ================

2010-05-27 09:22:08 0 ----a-w- c:\documents and settings\stanley k. emmsley\defogger_reenable
2010-05-26 22:00:22 0 d-----w- c:\program files\Search Toolbar
2010-05-25 15:40:09 47408 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-05-25 10:20:38 0 d-----w- c:\docume~1\stanle~1.emm\applic~1\SUPERAntiSpyware.com
2010-05-25 10:20:38 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-25 10:20:32 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-24 20:24:10 0 d-----w- c:\docume~1\stanle~1.emm\applic~1\Malwarebytes
2010-05-24 20:24:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-24 20:24:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-24 20:24:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-24 20:24:00 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-22 21:22:14 5 ----a-w- c:\windows\system32\drivers\DELL_INS_530.MRK
2010-05-22 21:20:31 0 d-----w- c:\windows\system32\vmm32
2010-05-22 20:55:56 0 d-----w- c:\windows\pss

==================== Find3M ====================

2010-05-22 21:22:14 5 ----a-w- c:\windows\system32\drivers\1028_Dell_INS_530.mrk
2010-05-21 10:59:36 18038 ----a-w- c:\docume~1\stanle~1.emm\applic~1\wklnhst.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2008-05-09 20:48:52 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008050920080510\index.dat

============= FINISH: 7:37:00.78 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:41 PM

Posted 29 May 2010 - 07:46 AM

Hi arc14716,

Welcome to VTSMR forum.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) as long as we are not done. Doing that might interfere with our fixes.
  1. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

  2. Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.

    Double-click to run TDLfix.exe, type the following in the command window and press Enter:

    mbr

    A log file opens up. please post the content to your reply.


#3 arc14716

arc14716
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 29 May 2010 - 08:05 AM

Here's the log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AAFBD01]<<
kernel: MBR read successfully
user & kernel MBR OK


I should let you know two things:

Yesterday, while I was on-line, Norton File Insight picked up a file being downloaded. It was removed. The log entry is as follows: File Insight 0.9680493960081502.exe (Backdoor.Tidserv) Virus has been removed. Downloaded from ttyur.com/ddrz/_ch_qx/qmmxphp&0 file c:\documents & settings\Stanley K. Emmsley\local settngs\temp\0.9680493960081502.exe removed.

Also, a pop-up appeared at around the same time that read: 16-bit MS-DOS Subsystem C:\Docume~1XStanle~1.EMM/LOCALS~1\e.exe The NTVDM CPU has encountered an illegal instruction Co:OeOe IP:ffb OP: ff fe ff 00 00 Choose Close to terminate application. (I may not have copied this correctly though and it's kind of hard to read my own handwriting this late).

And finally, when I turn on my PC sometimes, I find that the keyboard doesn't work and at other times, it does. The error message is Code 38 under the Control Panel for keyboard.

I hope this added information helps.

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:41 PM

Posted 29 May 2010 - 08:37 AM

Thanks for the info but the problem is very clear and we will take care of the rootkit causing it.

The key here is to disable Norton prior to running the tool and making sure Norton will not run at the next boot otherwise Norton locks the rootkit file without removing it and the tool can not replace the file with a legit copy. Then at the next boot rootkit becomes active again.
  1. Close all the open windows.
    • Disable real-time protection of your security software and make sure it will not run at startup after reboot. They may otherwise interfere with the tool. (Information on A/V control HERE)
    • Double-click TDLfix.exe to run the tool, a command window opens.
    • Type in the command window and press Enter:

      kbdhid

    • The application shall restart the computer immediately. It runs after restart briefly then closes.
    • Tell me if the computer rebooted and ran to completion.

  2. Reboot the computer once manually then run TDLFix again, type mbr and press Enter. Copy and paste the log it creates.


#5 arc14716

arc14716
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 29 May 2010 - 02:00 PM

By the numbers:

1) Completed. TDLfix ran successfully and I rebooted after it finished. Also, while it was running (and as a precaution), disconnected my modem from my PC until it was finished. Then turned Auto-Protect on Norton back on and then reconnected back to the net.

2) Here is the log from TDLfix after step 1:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

Also, forgot to mention that my Google searches started being redirected to other sites. That is no longer the case since I ran three searches and they came up legit.

Any additional instructions? Should I delete MBR from my PC or move it to a different location on my PC? How can I be sure this rootkit is gone for good and any additonal scans I should run? Please advise. Thanks.





#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:41 PM

Posted 29 May 2010 - 05:16 PM

FYI all the problem with keyboard and those warnings was because the TDL rootkit had patched the keyboard driver. It is now gone for good as the log is clean and you don't have to worry about this rootkit any more. Your computer is clean from any active malware. But to make sure of any leftover we will do a full scan.
  1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 20 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

  2. Run TDLfix, type del and press Enter. This will delete the quarantined infected file, mbr.exe and the tool itself.

  3. I'd like us to scan your machine with ESET OnlineScan
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • Click the button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      • Click on to download the ESET Smart Installer. Save it to your desktop.
      • Double click on the icon on your desktop.
    • Check
    • Click the button.
    • Accept any security warnings from your browser.
    • Check
    • Push the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push
    • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the button.
    • Push


#7 arc14716

arc14716
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 29 May 2010 - 08:09 PM

OK, by the numbers:

Steps 1 and 2 are done.

Step 3 just finished. The log is listed below and attached.

C:\Documents and Settings\Stanley K. Emmsley\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a536c868c18984c5fd8f44667a230ce9.jar-681de8cb-71145eaf.zip a variant of Java/TrojanDownloader.Agent.NAX trojan deleted - quarantined
C:\Documents and Settings\Stanley K. Emmsley\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\_nnfm.jar-51c39f6-47bf7fe8.zip a variant of Java/TrojanDownloader.Agent.NAX trojan deleted - quarantined

Anything else I need to do, like run Norton or any of the antispyware/antimalware stuff I've downloaded in the last few days? Should I keep these things around for future use? How can I prevent this from happening again in the future?

And one last question: Could you recommend a good program for backing up data files/video/MP3/music/photo files?

Thank you very much for the assistance that you have provided so far.

Attached Files



#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:41 PM

Posted 30 May 2010 - 03:55 AM

Hi arc14716,

It looks good. thumbup2.gif
  1. Please download OTC and save it to Desktop.
    • Make sure you have internet connection.
    • Double-click OTC. In Windows Vista right-click to run it as administrator.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.

  2. First Set a New Restore Point then Remove the Old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.

*******

You may keep Malwarebytes to have besides Norton Internet Security. The best way to prevent from reinfection is to avoid bad sites and p2p sharing programs.

Recommendations:
  1. I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.

  2. I recommend installing this small application for safe surfing: Javacoolsİ SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
    • Download and install it.
    • Update it manually by clicking on Updates in the left pane and then Check for Updates.
    • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
    • The free version doesn't have an automatic update. Update it once in two or three weeks and enable all protection again.

About a good backup program I have no idea. I personally create new folders for new stuff and then back them up to an external HD manually.

Happy Surfing.


#9 arc14716

arc14716
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 30 May 2010 - 05:35 AM

All done. Thanks and mahalo for your help.

((If whoever closes this topic could recommend some good backup software, that would be appreciated as well. Thanks and mahalo as well)).


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:41 PM

Posted 30 May 2010 - 05:42 AM

You are most welcome. smile.gif

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users