Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HTTP Tidserv Request 2


  • This topic is locked This topic is locked
18 replies to this topic

#1 otherdaughter

otherdaughter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 28 May 2010 - 01:41 PM

Here is a link to my previous post, which I was asked to include in my post: http://www.bleepingcomputer.com/forums/topic319829.html

I continue to get a Norton intrusion notice at least once every ten minutes that has been BLOCKED. It says "An intrusion attempt by (several different computer sources) xxxxx.com was blocked. Application path \device\harddiskvolume1\windows\system32\scvhost.exe" Additionally, I saw that one moderator (syler) expressed concerns about banking and doing other personally business on a computer, after being supposedly cleaned http://www.bleepingcomputer.com/forums/t/319381/http-tidserv-request-blocked-by-norton-internet-security-2010/ , this course concerns me as I pay bills online and do work that requires my SS# when signing in. But since the attack is being blocked I am uncertain of how much of a concern this should be.

My computer is a Fujitsu: Lifebook. I am running Windows XP or the one before that computer is about 4 years old. I also have Norton 360.

Risk name: "HTTPS Tidserv Request 2"

I am not being redirected to other webpages as some have stated. Just have the Norton Warning alerting me when on the internet.

I also have a list of the attacking computers and the ISP numbers. Which I can provide if it could be of any help to me or just the issue at large.

Here are my Logs


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 12:51:39.95 on Fri 05/28/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.61 [GMT -4:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\CyberLink Codec\PDVDServ.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Imation\ImationFlashDetect.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.computers.us.fujitsu.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [34733096180141537428553512155136] c:\program files\av9\av2009.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [IndicatorUtility] c:\program files\fujitsu\fujitsu hotkey utility\IndicatorUty.exe
mRun: [LoadFUJ02E3] c:\program files\fujitsu\fuj02e3\FUJ02E3.exe
mRun: [LoadFujitsuQuickTouch] c:\program files\fujitsu\application panel\QuickTouch.exe
mRun: [LoadBtnHnd] c:\program files\fujitsu\btnhnd\BtnHnd.exe
mRun: [RemoteControl] "c:\program files\cyberlink codec\PDVDServ.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_10\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\imatio~1.lnk - c:\program files\imation\ImationFlashDetect.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\ziaalaso.default\
FF - prefs.js: browser.startup.homepage - hxxp://home.bellsouth.net/s/s.dll?spage=hb/index.htm
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-5-23 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-5-23 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-5-23 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100520.001\IDSXpx86.sys [2009-10-28 329592]
R2 FlashDrv;FlashDrv;c:\progra~1\fujitsu\flashaid\FlashDrv.sys [2005-9-12 7196]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-5-23 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-28 102448]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2005-9-12 4864]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100528.002\NAVENG.SYS [2010-5-28 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100528.002\NAVEX15.SYS [2010-5-28 1347504]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-23 135664]
S3 UXDCMN;UXDCMN;\??\d:\e__\uxdcmn.sys --> d:\e__\UXDCMN.SYS [?]

=============== Created Last 30 ================

2010-05-28 16:32:05 0 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-05-23 16:26:15 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-05-21 01:34:33 0 d-----w- c:\windows\system32\N360_BACKUP
2010-05-21 00:56:05 0 d-----w- c:\docume~1\alluse~1\applic~1\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2010-05-21 00:55:05 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-05-21 00:54:36 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-21 00:54:36 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-05-21 00:54:35 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-21 00:54:35 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-21 00:54:35 0 d-----w- c:\program files\Symantec
2010-05-21 00:52:36 0 d-----w- c:\windows\system32\drivers\N360
2010-05-21 00:42:28 0 d-----w- c:\docume~1\alluse~1\applic~1\PCSettings
2010-05-21 00:38:57 0 d-----w- c:\program files\NortonInstaller
2010-05-21 00:38:57 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-05-18 14:13:02 59188 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-16 00:59:58 0 d-----w- c:\program files\iPod
2010-05-16 00:58:53 0 d-----w- c:\program files\iTunes
2010-05-16 00:58:53 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-16 00:50:18 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-05-16 00:49:37 0 d-----w- c:\program files\Bonjour
2010-05-15 21:52:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton

==================== Find3M ====================

2010-05-23 16:24:18 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-04-16 12:33:36 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2009-04-01 07:08:04 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009040120090402\index.dat

============= FINISH: 12:54:16.42 ===============





Attached Files



BC AdBot (Login to Remove)

 


#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:59 PM

Posted 29 May 2010 - 08:05 AM

Hello and welcome to Bleeping Computer. smile.gif

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.



=======================================


P2P Warning:
Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case LimeWire).

These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."




Backdoor warning:
One or more of the identified infections is a Rootkit/backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterward. Let me know what you decide to do.




=======================================



Please follow the next instructions only if you do not wish to reformat.


1. We need to disable Spybot S&D's "TeaTimer"

TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy




2. Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporary disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouseclick combofix's window while its running because it may call it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.







~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:59 PM

Posted 02 June 2010 - 05:35 AM

Hi,

Do you still need help?

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#4 otherdaughter

otherdaughter
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 02 June 2010 - 08:32 AM

Before I acted on the actions you were suggesting I found out that there was an IT person that I knew who could provide me the same help. He ran the programs for me. And the issue appears to be cleared. However, I do want to know if there are any of the programs that I ran to get the logs that I need to remove. Additionally, do I need to run the DeFogger.exe again to Enable the CD Emulation drivers.

#5 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:59 PM

Posted 03 June 2010 - 06:11 AM

Hi,

You can simply delete DDS and Gmer. With regards to Defogger, yes run it again to enable your CD Emulation drivers, you can also delete it afterward. Thanks.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#6 otherdaughter

otherdaughter
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 03 June 2010 - 11:14 AM

I now have another question. After, my friend ran the programs he ran, the final one of which I am pretty certain was ComboFix, my Norton (unresolved security risk) uncovered two Backdoor.Tidserv!inf threats that require manual removal. They have both been on my computer since 2004, but then were last used Tuesday night after he finished running the programs. I asked the individual who ran the programs and he said he was pretty certain that one of the programs he ran on Tuesday night (which maybe why he cannot remember it was a little late) quarantined those items. I can see this morning that Norton tried a Statistical Submission for removal, but it failed. I thought I would get your input also.

One is effecting the A0342005.sys (located in a RP265 folder-c:/system volume information/_restore{0ef90d3e-5690-4367-bdef-72890fc4db64}/RP265/A0342005.sys) and the other imapi.sys.vir (located in the Drivers folder-c:/Qoobox/quarantine/C/WINDOWS/system32/Drivers/imapi.sys.vir. The second one popped back up on my Norton Resent History this morning.

Additionally, I am now getting Unauthorized access blocked messages (Open Process Token, Create Registry Key, and Duplicate Object). And I am not sure if I need to be concerned about them or not. TMost of them being
(Open Process Token)
Actor C:/Program Files/Google/update/googleupdate.exe
Target C:/program files/norton 360/engine/4.2.0.12/ccsvchst.exe.
The other 2 are
(Create Registry Key)
Actor C:/program files/spybot - search & Destory/teatimer.exe
target- HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects/{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}/
(Duplicate Object)
Actor: C:/Windows/Systems32/Services.exe
Target: /Device/HarddiskVolume1/Program Files/Norton 360/Engine/4.2.0.12/ccsvchst.exe

Also, this morning I decided to run a full system scan and while doing so look at my recent history. I found 3 downloaders (saxonia.class, bavarian.class, silezia.class, all located in a folder called jar file name des.jar-444648f9.16ddf4f6.zip) were quarantined and deleted. I have not been to any sites but facebook, youtube, AT&T email, and Bleeping Computers.

I just run a Norton Virus and Spyware scan, which ran much faster than it did last week when I started having the original issue, so that tells me things must be improving. It detected 4 Security Risk and resolved 3 all of them. The Security Risk Requiring Attention is the Backdoor.Tidserv!inf. Previously it was not finding any risk even though I was getting the intrusion attempt blocked message. Also the Norton icon in my toolbar shows a green check.

So after this long post. I am really asking for your input on the Backdoor.Tidserv!inf and if you think that the file was likely quarantined in another program. And then your thoughts on the Unauthorized access blocked messages that I am now receiving.



#7 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:59 PM

Posted 04 June 2010 - 07:39 AM

Hi,

QUOTE
So after this long post. I am really asking for your input on the Backdoor.Tidserv!inf and if you think that the file was likely quarantined in another program. And then your thoughts on the Unauthorized access blocked messages that I am now receiving.

The Backdoor.Tidserv!inf that you've mentioned are located in the Combofix quarantine folder and the other one is a system restore entry. Please tell your friend to complete the fix and properly remove the tools that he/she used.

Those "Unauthorized access blocked messages" are from legit files and should allow access.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#8 otherdaughter

otherdaughter
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 04 June 2010 - 08:48 AM

The system restore entry I assume is the imapi.sys.vir, because when I ran the full system scan yesterday afternoon that is the only one that showed up. It is not easy to get my friend to come over and I had not even expected him to come over when I asked for his thoughts on the issue. Could you provide me any help in fixing the system restore issue and on how to allow the Unauthorized access blocked messages to be allowed access.

#9 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:59 PM

Posted 04 June 2010 - 09:57 AM

Hi,

I can only help you on how to delete system restore entries, Combofix may still be present and I can also guide you on how to remove it properly, but since I didn't see any logs, I want you to understand that I will not be held responsible if legitimate files were deleted when you run it, and by removing the tool you may not be able to restore them back.

I can't offer any help with regards to the "Unauthorized access blocked" issue, I will recommend you to start a topic HERE.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#10 otherdaughter

otherdaughter
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 04 June 2010 - 10:46 AM

I am certainly willing to rerun the logs again so you can see the information you might need. I do not think Combofix is still on my computer as it was never downloaded. He used a CD, which I still have, that had Combofix along with many other rootkill/malware programs on it. Let me know what I need to do so that we can proceed with cleaning up my computer.
Thanks for your continued help.

#11 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:59 PM

Posted 04 June 2010 - 11:01 AM

Alright, I will remind you again that you're not asking for any malware removal but to remove the tools and quarantine files, right? So please do the following:

Click Start > Run then copy/paste the following bolded text below. A log file will open, please post the contents in your next reply.
C:\QooBox\ComboFix-quarantined-files.txt


~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#12 otherdaughter

otherdaughter
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 04 June 2010 - 11:48 AM

Before I run the log on the issue, since I finally see that it is apparently a quarantined item. Do I need to even be concerned about this item, would you if it was on yours? It just concerns me since it comes up as a high risk.





#13 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:59 PM

Posted 04 June 2010 - 12:02 PM

As long as it remain inside the quarantine folder... it's safe.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#14 otherdaughter

otherdaughter
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 04 June 2010 - 12:20 PM

Then I will leave it alone so I avoid running any risk of mess my computer up. Should I be concerned about the other one -A0342005.sys (located in a RP265 folder-c:/system volume information/_restore{0ef90d3e-5690-4367-bdef-72890fc4db64}. It did not show up on the the scan, but does appear in the unresolved risk.

Thank you for continuing to answer my questions.

#15 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:59 PM

Posted 04 June 2010 - 12:23 PM

It's a system restore entry.


Purging System Restore Points
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users