
HTTP Tidserv Request


This topic is locked
16 replies to this topic

#1 Mal90

  • Members
  • 12 posts

Posted 01 June 2010 - 09:50 AM

I've been getting several "Intrusion attempt blocked" alerts from Norton saying that it blocked an "HTTP Tidserv Request". I've run several scans, but they all come up clean.

Thanks in advance.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Trevor at 21:58:41.17 on Mon 05/31/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1247.616 [GMT -4:00]

AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
svchost.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Trevor\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.gamefaqs.com/
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\3.8.0.41\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [WMPNSCFG] "c:\program files\windows media player\WMPNSCFG.exe"
mRun: [SoundMan] "SOUNDMAN.EXE"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\trevor\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton security suite\engine\3.8.0.41\CoIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-3 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-3 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-3 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100520.001\IDSXpx86.sys [2009-10-28 329592]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\3.8.0.41\ccSvcHst.exe [2010-2-3 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-26 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100531.024\NAVENG.SYS [2010-5-31 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100531.024\NAVEX15.SYS [2010-5-31 1347504]
S2 Ca1528av;SPCA1528 Video Camera Service;c:\windows\system32\drivers\Ca1528av.sys [2010-4-25 516480]
S3 Bulk1528;SPCA1528 Still Camera Service;c:\windows\system32\drivers\Bulk1528.sys [2010-4-25 11648]
S3 mdxgthkn;mdxgthkn;\??\c:\docume~1\trevor\locals~1\temp\mdxgthkn.sys --> c:\docume~1\trevor\locals~1\temp\mdxgthkn.sys [?]

=============== Created Last 30 ================

2010-06-01 01:56:59 0 ----a-w- c:\documents and settings\trevor\defogger_reenable
2010-05-31 23:29:19 0 d-----w- c:\program files\MSSOAP
2010-05-31 23:28:47 0 d-----w- c:\program files\Webroot
2010-05-31 23:25:49 164 ----a-w- c:\windows\install.dat
2010-05-31 23:21:05 0 d-----w- c:\program files\Uniblue
2010-05-30 14:47:34 25088 ----a-w- c:\program files\SMASH2.EXE
2010-05-27 14:47:40 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-05-27 14:47:40 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-25 23:20:53 0 d-----w- C:\Sega
2010-05-25 22:14:55 0 d-----w- c:\program files\directx
2010-05-25 22:11:25 0 d-----w- c:\program files\Strategy First
2010-05-25 21:54:33 0 d-----w- c:\program files\Enlight
2010-05-20 11:32:12 19 ----a-w- c:\windows\popcinfo.dat
2010-05-20 11:07:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Trymedia
2010-05-18 19:42:03 0 d-----w- c:\program files\Plants vs. Zombies
2010-05-18 19:41:11 0 d-----w- c:\program files\bfgclient
2010-05-18 19:40:04 0 d-----w- c:\docume~1\alluse~1\applic~1\BigFishGamesCache
2010-05-13 17:17:20 0 d-----w- c:\docume~1\trevor\applic~1\LimeWire
2010-05-13 17:14:42 0 d-----w- c:\program files\LimeWire
2010-05-05 11:27:17 0 d-----w- c:\docume~1\trevor\applic~1\ieSpell
2010-05-05 11:25:22 0 d-----w- c:\program files\ieSpell

==================== Find3M ====================

2010-05-25 22:59:39 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-04-19 14:13:11 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-19 14:13:11 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-04-12 06:40:28 19200 ----a-w- c:\windows\system32\drivers\srvkp.sys
2010-04-12 06:40:08 1571001 ----a-w- c:\windows\system32\sisgl.dll
2010-04-12 06:22:38 3468288 ----a-w- c:\windows\system32\sisgrv.dll
2010-04-12 06:17:36 324608 ----a-w- c:\windows\system32\drivers\sisgrp.sys
2010-04-12 06:08:42 9728 ----a-w- c:\windows\system32\SiSPIns2.dll
2010-04-12 06:07:14 172032 ----a-w- c:\windows\system32\SiSInst.dll
2010-04-12 06:07:02 258048 ----a-w- c:\windows\system32\SiSParse.dll
2010-04-12 06:06:42 49152 ----a-w- c:\windows\system32\SiSBase.dll
2010-04-09 11:54:38 35835 ----a-w- c:\windows\DIIUnin.dat
2010-04-09 11:54:01 21840 ----atw- c:\windows\system32\SIntfNT.dll
2010-04-09 11:54:01 17212 ----atw- c:\windows\system32\SIntf32.dll
2010-04-09 11:54:01 12067 ----atw- c:\windows\system32\SIntf16.dll
2010-03-26 16:45:35 113152 ----a-w- c:\documents and settings\trevor\ryan.exe
2010-03-24 20:19:38 2829 ----a-w- c:\windows\DIIUnin.pif
2010-03-24 20:19:37 94208 ----a-w- c:\windows\DIIUnin.exe
2010-03-22 17:42:55 136704 ----a-w- c:\documents and settings\trevor\Mars.exe
2010-03-22 17:31:05 136704 ----a-w- c:\documents and settings\trevor\bool.exe
2010-03-22 17:23:57 137216 ----a-w- c:\documents and settings\trevor\sr.exe
2010-03-22 17:06:55 137216 ----a-w- c:\documents and settings\trevor\12.exe
2010-03-22 15:36:58 136192 ----a-w- c:\documents and settings\trevor\function.exe
2010-03-22 15:30:22 136704 ----a-w- c:\documents and settings\trevor\FtoMTable.exe
2010-03-22 03:07:49 148480 ----a-w- c:\documents and settings\trevor\FtoM.exe
2010-03-22 02:52:49 137216 ----a-w- c:\documents and settings\trevor\dif.exe
2010-03-22 02:44:16 112640 ----a-w- c:\documents and settings\trevor\nline.exe
2010-03-22 02:38:26 148480 ----a-w- c:\documents and settings\trevor\input.exe
2010-03-22 00:53:45 136704 ----a-w- c:\documents and settings\trevor\area.exe
2010-03-22 00:45:46 122368 ----a-w- c:\documents and settings\trevor\hayd.exe
2010-03-22 00:42:55 136704 ----a-w- c:\documents and settings\trevor\practice.exe
2010-03-22 00:26:31 112640 ----a-w- c:\documents and settings\trevor\sample.exe
2010-03-21 00:18:28 150016 ----a-w- c:\documents and settings\trevor\age.exe
2010-03-19 18:58:59 146432 ----a-w- c:\documents and settings\trevor\chart1.exe
2010-03-19 18:41:44 144896 ----a-w- c:\documents and settings\trevor\array1.exe
2010-03-19 18:22:44 156160 ----a-w- c:\documents and settings\trevor\321.exe
2010-03-19 18:20:02 144384 ----a-w- c:\documents and settings\trevor\loop2.exe
2010-03-19 18:18:05 121344 ----a-w- c:\documents and settings\trevor\loop1.exe
2010-03-19 17:47:12 150016 ----a-w- c:\documents and settings\trevor\123.exe
2010-03-19 04:17:38 112640 ----a-w- c:\documents and settings\trevor\dave.exe
2010-03-19 03:18:11 144384 ----a-w- c:\documents and settings\trevor\for.exe
2010-03-19 02:20:27 156160 ----a-w- c:\documents and settings\trevor\var.exe
2010-03-19 01:35:48 121344 ----a-w- c:\documents and settings\trevor\dywpag.exe
2010-03-19 01:32:15 113152 ----a-w- c:\documents and settings\trevor\hello.exe
2010-03-19 01:09:51 54272 ----a-w- c:\documents and settings\trevor\demo1.exe
2010-03-19 00:57:34 136192 ----a-w- c:\documents and settings\trevor\demo3.exe
2010-03-19 00:37:12 151040 ----a-w- c:\documents and settings\trevor\demo2.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

============= FINISH: 22:00:14.46 ===============

Edited by Mal90, 01 June 2010 - 09:50 AM.



#2 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 02 June 2010 - 03:07 PM

Hello.

My name is Extremeboy (or EB for short), and I will be helping you with your log.

Seems you're infected with one of the newer TDL3 rootkits that we need to deal with here.

To know you're still with me, and also to see an update of your machine, please run DDS once more and post the DDS log in your next reply.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
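Reading the DDS log the way the Malware Response Team does, the entry worth scrutiny in the SERVICES / DRIVERS section is `S3 mdxgthkn;...`: a service whose driver image sits in the user's temp directory, is registered with a raw `\??\` path, and is reported missing on disk (`[?]`). The following is an added example, not part of this thread and not a DDS or ComboFix component, that parses that section and flags entries with those traits; the sample input is constructed from lines of the first log posted above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: a cut-down SERVICES / DRIVERS section of a DDS log,
# using driver lines copied from the first log in this thread.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-3 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-3 259632]
S2 Ca1528av;SPCA1528 Video Camera Service;c:\windows\system32\drivers\Ca1528av.sys [2010-4-25 516480]
S3 mdxgthkn;mdxgthkn;\??\c:\docume~1\trevor\locals~1\temp\mdxgthkn.sys --> c:\docume~1\trevor\locals~1\temp\mdxgthkn.sys [?]

=============== Created Last 30 ================
"""

# DDS driver line: "<state> <service>;<display name>;<image path> [<date> <size>]".
# When DDS cannot find the image it prints "<registry path> --> <resolved path> [?]".
DRIVER_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)


@dataclass
class DriverEntry:
    state: str
    name: str
    display: str
    registry_path: str   # ImagePath as registered (may carry the \??\ prefix)
    resolved_path: str   # path DDS resolved it to
    file_missing: bool   # True when DDS printed "[?]"
    reasons: list = field(default_factory=list)


def _strip_trailer(s):
    """Drop the trailing " [date size]" or " [?]" block from a path fragment."""
    return re.sub(r"\s*\[[^\]]*\]$", "", s.strip()).strip()


def suspicious_reasons(e):
    """Heuristics a defender applies to a kernel driver entry (not a verdict)."""
    reasons = []
    if "\\temp\\" in e.resolved_path.lower():
        reasons.append("driver image loads from a temp directory")
    if e.file_missing:
        reasons.append("file not found on disk ([?]): stale entry or hidden from the scanner")
    if e.registry_path.startswith("\\??\\"):
        reasons.append("ImagePath is a raw NT path (\\??\\) instead of the usual system32\\drivers form")
    return reasons


def parse_driver_line(line):
    """Parse one DDS driver line; return a DriverEntry, or None for non-driver lines."""
    m = DRIVER_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    parts = rest.split("-->")
    entry = DriverEntry(
        state=m.group("state"),
        name=m.group("name"),
        display=m.group("display"),
        registry_path=_strip_trailer(parts[0]),
        resolved_path=_strip_trailer(parts[-1]),
        file_missing=rest.endswith("[?]"),
    )
    entry.reasons = suspicious_reasons(entry)
    return entry


def scan_drivers(log_text):
    """Return DriverEntry objects for every line of the SERVICES / DRIVERS section."""
    entries, in_section = [], False
    for line in log_text.splitlines():
        if "SERVICES / DRIVERS" in line:
            in_section = True
            continue
        if in_section and line.startswith("====="):
            break  # next DDS section header
        if in_section:
            e = parse_driver_line(line)
            if e is not None:
                entries.append(e)
    return entries


def flagged(entries):
    """Entries with at least one red flag, for the analyst to review."""
    return [e for e in entries if e.reasons]


if __name__ == "__main__":
    for e in scan_drivers(SAMPLE_DDS):
        mark = "!!" if e.reasons else "  "
        print(f"{mark} {e.state} {e.name:<10} {e.resolved_path}")
        for r in e.reasons:
            print(f"      - {r}")
```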

#3 Mal90

  • Topic Starter
  • Members
  • 12 posts

Posted 03 June 2010 - 09:34 AM

Okay, here it is:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Trevor at 10:30:13.10 on Thu 06/03/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1247.716 [GMT -4:00]

AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Trevor\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.gamefaqs.com/
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\3.8.0.41\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [WMPNSCFG] "c:\program files\windows media player\WMPNSCFG.exe"
mRun: [SoundMan] "SOUNDMAN.EXE"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\trevor\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton security suite\engine\3.8.0.41\CoIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-3 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-3 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-3 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100528.003\IDSXpx86.sys [2010-5-28 331640]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\3.8.0.41\ccSvcHst.exe [2010-2-3 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-26 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100602.034\NAVENG.SYS [2010-6-3 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100602.034\NAVEX15.SYS [2010-6-3 1347504]
S2 Ca1528av;SPCA1528 Video Camera Service;c:\windows\system32\drivers\Ca1528av.sys [2010-4-25 516480]
S3 Bulk1528;SPCA1528 Still Camera Service;c:\windows\system32\drivers\Bulk1528.sys [2010-4-25 11648]
S3 mdxgthkn;mdxgthkn;\??\c:\docume~1\trevor\locals~1\temp\mdxgthkn.sys --> c:\docume~1\trevor\locals~1\temp\mdxgthkn.sys [?]

=============== Created Last 30 ================

2010-06-01 01:56:59 0 ----a-w- c:\documents and settings\trevor\defogger_reenable
2010-05-31 23:29:19 0 d-----w- c:\program files\MSSOAP
2010-05-31 23:28:47 0 d-----w- c:\program files\Webroot
2010-05-31 23:25:49 164 ----a-w- c:\windows\install.dat
2010-05-31 23:21:05 0 d-----w- c:\program files\Uniblue
2010-05-30 14:47:34 25088 ----a-w- c:\program files\SMASH2.EXE
2010-05-27 14:47:40 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-05-27 14:47:40 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-25 23:20:53 0 d-----w- C:\Sega
2010-05-25 22:14:55 0 d-----w- c:\program files\directx
2010-05-25 22:11:25 0 d-----w- c:\program files\Strategy First
2010-05-25 21:54:33 0 d-----w- c:\program files\Enlight
2010-05-20 11:32:12 19 ----a-w- c:\windows\popcinfo.dat
2010-05-20 11:07:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Trymedia
2010-05-18 19:42:03 0 d-----w- c:\program files\Plants vs. Zombies
2010-05-18 19:41:11 0 d-----w- c:\program files\bfgclient
2010-05-18 19:40:04 0 d-----w- c:\docume~1\alluse~1\applic~1\BigFishGamesCache
2010-05-13 17:17:20 0 d-----w- c:\docume~1\trevor\applic~1\LimeWire
2010-05-13 17:14:42 0 d-----w- c:\program files\LimeWire
2010-05-05 11:27:17 0 d-----w- c:\docume~1\trevor\applic~1\ieSpell
2010-05-05 11:25:22 0 d-----w- c:\program files\ieSpell

==================== Find3M ====================

2010-05-25 22:59:39 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-04-19 14:13:11 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-19 14:13:11 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-04-12 06:40:28 19200 ----a-w- c:\windows\system32\drivers\srvkp.sys
2010-04-12 06:40:08 1571001 ----a-w- c:\windows\system32\sisgl.dll
2010-04-12 06:22:38 3468288 ----a-w- c:\windows\system32\sisgrv.dll
2010-04-12 06:17:36 324608 ----a-w- c:\windows\system32\drivers\sisgrp.sys
2010-04-12 06:08:42 9728 ----a-w- c:\windows\system32\SiSPIns2.dll
2010-04-12 06:07:14 172032 ----a-w- c:\windows\system32\SiSInst.dll
2010-04-12 06:07:02 258048 ----a-w- c:\windows\system32\SiSParse.dll
2010-04-12 06:06:42 49152 ----a-w- c:\windows\system32\SiSBase.dll
2010-04-09 11:54:38 35835 ----a-w- c:\windows\DIIUnin.dat
2010-04-09 11:54:01 21840 ----atw- c:\windows\system32\SIntfNT.dll
2010-04-09 11:54:01 17212 ----atw- c:\windows\system32\SIntf32.dll
2010-04-09 11:54:01 12067 ----atw- c:\windows\system32\SIntf16.dll
2010-03-26 16:45:35 113152 ----a-w- c:\documents and settings\trevor\ryan.exe
2010-03-24 20:19:38 2829 ----a-w- c:\windows\DIIUnin.pif
2010-03-24 20:19:37 94208 ----a-w- c:\windows\DIIUnin.exe
2010-03-22 17:42:55 136704 ----a-w- c:\documents and settings\trevor\Mars.exe
2010-03-22 17:31:05 136704 ----a-w- c:\documents and settings\trevor\bool.exe
2010-03-22 17:23:57 137216 ----a-w- c:\documents and settings\trevor\sr.exe
2010-03-22 17:06:55 137216 ----a-w- c:\documents and settings\trevor\12.exe
2010-03-22 15:36:58 136192 ----a-w- c:\documents and settings\trevor\function.exe
2010-03-22 15:30:22 136704 ----a-w- c:\documents and settings\trevor\FtoMTable.exe
2010-03-22 03:07:49 148480 ----a-w- c:\documents and settings\trevor\FtoM.exe
2010-03-22 02:52:49 137216 ----a-w- c:\documents and settings\trevor\dif.exe
2010-03-22 02:44:16 112640 ----a-w- c:\documents and settings\trevor\nline.exe
2010-03-22 02:38:26 148480 ----a-w- c:\documents and settings\trevor\input.exe
2010-03-22 00:53:45 136704 ----a-w- c:\documents and settings\trevor\area.exe
2010-03-22 00:45:46 122368 ----a-w- c:\documents and settings\trevor\hayd.exe
2010-03-22 00:42:55 136704 ----a-w- c:\documents and settings\trevor\practice.exe
2010-03-22 00:26:31 112640 ----a-w- c:\documents and settings\trevor\sample.exe
2010-03-21 00:18:28 150016 ----a-w- c:\documents and settings\trevor\age.exe
2010-03-19 18:58:59 146432 ----a-w- c:\documents and settings\trevor\chart1.exe
2010-03-19 18:41:44 144896 ----a-w- c:\documents and settings\trevor\array1.exe
2010-03-19 18:22:44 156160 ----a-w- c:\documents and settings\trevor\321.exe
2010-03-19 18:20:02 144384 ----a-w- c:\documents and settings\trevor\loop2.exe
2010-03-19 18:18:05 121344 ----a-w- c:\documents and settings\trevor\loop1.exe
2010-03-19 17:47:12 150016 ----a-w- c:\documents and settings\trevor\123.exe
2010-03-19 04:17:38 112640 ----a-w- c:\documents and settings\trevor\dave.exe
2010-03-19 03:18:11 144384 ----a-w- c:\documents and settings\trevor\for.exe
2010-03-19 02:20:27 156160 ----a-w- c:\documents and settings\trevor\var.exe
2010-03-19 01:35:48 121344 ----a-w- c:\documents and settings\trevor\dywpag.exe
2010-03-19 01:32:15 113152 ----a-w- c:\documents and settings\trevor\hello.exe
2010-03-19 01:09:51 54272 ----a-w- c:\documents and settings\trevor\demo1.exe
2010-03-19 00:57:34 136192 ----a-w- c:\documents and settings\trevor\demo3.exe
2010-03-19 00:37:12 151040 ----a-w- c:\documents and settings\trevor\demo2.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

============= FINISH: 10:31:51.18 ===============


#4 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 03 June 2010 - 04:13 PM

Hello again,

Let's start off with Combofix and proceed from there...

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it is running, because it may cause it to stall.




#5 Mal90

  • Topic Starter
  • Members
  • 12 posts

Posted 03 June 2010 - 07:14 PM

Okay, I ran ComboFix; here's the log:
ComboFix 10-06-03.01 - Trevor 06/03/2010 20:02:35.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1247.902 [GMT -4:00]
Running from: c:\documents and settings\Trevor\Desktop\ComboFix.exe
AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Trevor\12.exe
c:\documents and settings\Trevor\123.exe
c:\documents and settings\Trevor\321.exe
c:\documents and settings\Trevor\age.exe
c:\documents and settings\Trevor\area.exe
c:\documents and settings\Trevor\array1.exe
c:\documents and settings\Trevor\bool.exe
c:\documents and settings\Trevor\chart1.exe
c:\documents and settings\Trevor\dave.exe
c:\documents and settings\Trevor\demo1.exe
c:\documents and settings\Trevor\demo2.exe
c:\documents and settings\Trevor\demo3.exe
c:\documents and settings\Trevor\dif.exe
c:\documents and settings\Trevor\dywpag.exe
c:\documents and settings\Trevor\for.exe
c:\documents and settings\Trevor\FtoM.exe
c:\documents and settings\Trevor\FtoMTable.exe
c:\documents and settings\Trevor\function.exe
c:\documents and settings\Trevor\hayd.exe
c:\documents and settings\Trevor\hello.exe
c:\documents and settings\Trevor\input.exe
c:\documents and settings\Trevor\loop1.exe
c:\documents and settings\Trevor\loop2.exe
c:\documents and settings\Trevor\Mars.exe
c:\documents and settings\Trevor\nline.exe
c:\documents and settings\Trevor\practice.exe
c:\documents and settings\Trevor\ryan.exe
c:\documents and settings\Trevor\sample.exe
c:\documents and settings\Trevor\sr.exe
c:\documents and settings\Trevor\var.exe
C:\install.exe

Infected copy of c:\windows\system32\drivers\termdd.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2010-05-04 to 2010-06-04 )))))))))))))))))))))))))))))))
.

2010-05-31 23:29 . 2010-05-31 23:29 -------- d-----w- c:\program files\MSSOAP
2010-05-31 23:28 . 2010-05-31 23:28 -------- d-----w- c:\program files\Webroot
2010-05-31 23:25 . 2010-05-31 23:25 164 ----a-w- c:\windows\install.dat
2010-05-31 23:21 . 2010-05-31 23:21 -------- d-----w- c:\program files\Uniblue
2010-05-30 14:47 . 2000-05-01 22:56 25088 ----a-w- c:\program files\SMASH2.EXE
2010-05-29 03:01 . 2010-05-29 03:01 -------- d-----w- c:\documents and settings\Trevor\Local Settings\Application Data\Google
2010-05-29 03:01 . 2010-05-29 03:01 -------- d-----w- c:\program files\Google
2010-05-27 14:48 . 2010-05-27 14:48 -------- d-----w- c:\program files\Common Files\Java
2010-05-27 14:47 . 2010-05-27 14:47 61440 ----a-w- c:\documents and settings\Trevor\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7dc57ef2-n\decora-sse.dll
2010-05-27 14:47 . 2010-05-27 14:47 503808 ----a-w- c:\documents and settings\Trevor\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1158820c-n\msvcp71.dll
2010-05-27 14:47 . 2010-05-27 14:47 499712 ----a-w- c:\documents and settings\Trevor\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1158820c-n\jmc.dll
2010-05-27 14:47 . 2010-05-27 14:47 348160 ----a-w- c:\documents and settings\Trevor\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1158820c-n\msvcr71.dll
2010-05-27 14:47 . 2010-05-27 14:47 12800 ----a-w- c:\documents and settings\Trevor\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7dc57ef2-n\decora-d3d.dll
2010-05-27 14:47 . 2010-05-27 14:47 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-27 14:47 . 2010-05-27 14:47 -------- d-----w- c:\program files\Java
2010-05-25 23:20 . 2010-05-25 23:20 -------- d-----w- C:\Sega
2010-05-25 22:14 . 2010-05-25 22:14 -------- d-----w- c:\program files\directx
2010-05-25 22:11 . 2010-05-25 22:11 -------- d-----w- c:\program files\Strategy First
2010-05-25 21:54 . 2010-05-25 21:54 -------- d-----w- c:\program files\Enlight
2010-05-23 21:38 . 2010-05-23 21:38 -------- d-----w- c:\windows\Sun
2010-05-20 11:32 . 2010-05-26 13:30 19 ----a-w- c:\windows\popcinfo.dat
2010-05-20 11:07 . 2010-05-20 11:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2010-05-18 19:42 . 2010-06-03 15:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-18 19:42 . 2010-05-18 19:43 -------- d-----w- c:\program files\Plants vs. Zombies
2010-05-18 19:41 . 2010-05-18 19:41 -------- d-----w- c:\program files\bfgclient
2010-05-18 19:40 . 2010-05-18 19:40 3085800 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe
2010-05-18 19:40 . 2010-05-18 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2010-05-14 11:42 . 2010-05-14 11:42 61440 ----a-w- c:\documents and settings\Trevor\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-41a3be49-n\decora-sse.dll
2010-05-14 11:42 . 2010-05-14 11:42 503808 ----a-w- c:\documents and settings\Trevor\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4139e3fd-n\msvcp71.dll
2010-05-14 11:42 . 2010-05-14 11:42 499712 ----a-w- c:\documents and settings\Trevor\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4139e3fd-n\jmc.dll
2010-05-14 11:42 . 2010-05-14 11:42 348160 ----a-w- c:\documents and settings\Trevor\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4139e3fd-n\msvcr71.dll
2010-05-14 11:42 . 2010-05-14 11:42 12800 ----a-w- c:\documents and settings\Trevor\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-41a3be49-n\decora-d3d.dll
2010-05-13 17:14 . 2010-05-13 17:16 -------- d-----w- c:\program files\LimeWire
2010-05-05 11:27 . 2010-05-05 11:27 -------- d-----w- c:\documents and settings\Trevor\Application Data\ieSpell
2010-05-05 11:25 . 2010-05-05 11:25 -------- d-----w- c:\program files\ieSpell

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-03 14:21 . 2010-05-13 17:17 -------- d-----w- c:\documents and settings\Trevor\Application Data\LimeWire
2010-05-29 03:00 . 2010-02-17 23:47 -------- d-----w- c:\program files\RealArcade
2010-05-25 22:59 . 2010-01-21 04:52 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-05-25 21:54 . 2010-01-19 21:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-12 23:36 . 2010-01-18 00:58 -------- d-----w- c:\program files\Microsoft Games
2010-05-05 10:44 . 2010-03-06 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-01 15:41 . 2010-04-18 02:45 -------- d-----w- c:\program files\QuickTime
2010-04-25 18:05 . 2010-04-25 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Vivitar Experience Image Manager
2010-04-25 18:05 . 2010-04-25 18:02 -------- d-----w- c:\program files\Vivitar Experience Image Manager
2010-04-25 18:05 . 2010-04-25 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Vivitar
2010-04-25 18:04 . 2010-04-25 18:04 -------- d-----w- c:\program files\SPCA1528
2010-04-25 18:02 . 2010-04-25 18:02 -------- d-----w- c:\program files\Haali
2010-04-25 18:02 . 2010-04-25 18:02 -------- d-----w- c:\program files\ffdshow
2010-04-25 00:00 . 2010-01-21 03:51 -------- d-----w- c:\program files\Starcraft
2010-04-19 14:14 . 2010-04-19 14:14 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-04-19 14:14 . 2010-04-19 14:14 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-04-19 14:14 . 2010-04-19 14:14 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-04-19 14:14 . 2010-04-19 14:14 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-04-19 14:14 . 2010-04-19 14:14 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-04-19 14:14 . 2010-04-19 14:14 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-04-19 14:14 . 2010-04-19 14:14 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-04-19 14:14 . 2010-04-19 14:14 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-04-19 14:14 . 2010-04-19 14:14 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-04-19 14:14 . 2010-04-19 14:13 -------- d-----w- c:\program files\Common Files\Real
2010-04-19 14:14 . 2010-04-19 14:13 -------- d-----w- c:\program files\Real
2010-04-19 14:13 . 2010-04-19 14:13 -------- d-----w- c:\program files\Common Files\xing shared
2010-04-19 14:13 . 2010-01-12 05:48 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-19 14:13 . 2010-01-12 05:48 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-04-18 02:45 . 2010-04-18 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-04-12 15:56 . 2010-04-12 15:56 -------- d-----w- c:\program files\Alternate's Ascii Artist
2010-04-12 06:40 . 2009-06-05 08:24 19200 ----a-w- c:\windows\system32\drivers\srvkp.sys
2010-04-12 06:40 . 2009-06-05 08:24 1571001 ----a-w- c:\windows\system32\sisgl.dll
2010-04-12 06:22 . 2009-06-05 08:07 3468288 ----a-w- c:\windows\system32\sisgrv.dll
2010-04-12 06:17 . 2009-06-05 08:02 324608 ----a-w- c:\windows\system32\drivers\sisgrp.sys
2010-04-12 06:08 . 2009-06-05 07:58 9728 ----a-w- c:\windows\system32\SiSPIns2.dll
2010-04-12 06:07 . 2009-06-05 07:56 172032 ----a-w- c:\windows\system32\SiSInst.dll
2010-04-12 06:07 . 2009-06-05 07:56 258048 ----a-w- c:\windows\system32\SiSParse.dll
2010-04-12 06:06 . 2009-06-05 07:56 49152 ----a-w- c:\windows\system32\SiSBase.dll
2010-04-09 19:14 . 2010-04-09 19:14 -------- d-----w- c:\program files\Super DX-Ball
2010-04-09 19:14 . 2010-04-09 18:56 -------- d-----w- c:\program files\Neon Wars
2010-04-09 18:20 . 2010-04-09 18:20 -------- d-----w- c:\program files\Pocket Tanks
2010-04-09 11:55 . 2010-03-24 20:11 -------- d-----w- c:\program files\Diablo II
2010-04-09 11:54 . 2010-03-24 20:19 35835 ----a-w- c:\windows\DIIUnin.dat
2010-04-09 11:54 . 2010-03-24 20:21 21840 ----atw- c:\windows\system32\SIntfNT.dll
2010-04-09 11:54 . 2010-03-24 20:21 17212 ----atw- c:\windows\system32\SIntf32.dll
2010-04-09 11:54 . 2010-03-24 20:21 12067 ----atw- c:\windows\system32\SIntf16.dll
2010-04-07 22:49 . 2010-04-07 22:49 -------- d-----w- c:\program files\Red Storm Entertainment
2010-04-07 17:19 . 2010-04-07 17:19 -------- d-----w- c:\documents and settings\Trevor\Application Data\Blender Foundation
2010-04-07 17:19 . 2010-04-07 17:19 -------- d-----w- c:\program files\Blender Foundation
2010-04-07 07:24 . 2010-03-23 01:33 138392 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-02 18:13 . 2010-04-19 20:19 142774 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2010-03-24 20:19 . 2010-03-24 20:19 2829 ----a-w- c:\windows\DIIUnin.pif
2010-03-24 20:19 . 2010-03-24 20:19 94208 ----a-w- c:\windows\DIIUnin.exe
2010-03-10 06:15 . 2004-08-04 04:56 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 18:53 . 2010-03-06 18:55 38784 ----a-w- c:\documents and settings\Trevor\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-06 18:52 . 2010-03-06 18:52 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-02-26 65024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-19 202256]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\Trevor\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-3-30 503808]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\3dsmax7\\3dsmax.exe"=
"c:\\Program Files\\backburner 2\\monitor.exe"=
"c:\\Program Files\\backburner 2\\manager.exe"=
"c:\\Program Files\\backburner 2\\server.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/3/2010 8:04 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [2/3/2010 8:04 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [2/3/2010 8:04 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100528.003\IDSXpx86.sys [5/28/2010 3:33 PM 331640]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe [2/3/2010 8:04 PM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/26/2010 11:11 PM 102448]
S2 Ca1528av;SPCA1528 Video Camera Service;c:\windows\system32\drivers\Ca1528av.sys [4/25/2010 2:04 PM 516480]
S3 Bulk1528;SPCA1528 Still Camera Service;c:\windows\system32\drivers\Bulk1528.sys [4/25/2010 2:04 PM 11648]
S3 mdxgthkn;mdxgthkn;\??\c:\docume~1\Trevor\LOCALS~1\Temp\mdxgthkn.sys --> c:\docume~1\Trevor\LOCALS~1\Temp\mdxgthkn.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-05-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-06-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-515967899-1801674531-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-06-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-515967899-1801674531-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gamefaqs.com/
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-mcmscsvc
SafeBoot-MCODS



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-03 20:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
Completion time: 2010-06-03 20:11:22
ComboFix-quarantined-files.txt 2010-06-04 00:11

Pre-Run: 50,024,960,000 bytes free
Post-Run: 49,988,993,024 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 344F3DC93528A1D8A08B2210C2C4FC48


#6 Mal90

Posted 04 June 2010 - 12:07 PM

Hello EB,
After I ran ComboFix everything seemed fine, and then today, when I went to check my e-mail, I got a message from Norton saying that I was infected with "Backdoor.Tidserv!inf".

I have attached a picture of the security history from Norton in case that helps.


#7 extremeboy

Posted 05 June 2010 - 08:57 PM

Hello.

When you were checking your e-mail, through what were you checking it? Outlook, the internet?

The logs are looking good so far, just some leftover things I see that need to be done.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link


Run ESET Online Scan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
You can refer to this animation by neomage if needed.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free, but you are welcome to show your appreciation.

#8 Mal90

Posted 06 June 2010 - 04:40 PM

Hello EB,
When I was checking my e-mail, it was through Yahoo Messenger; however, I hadn't opened anything yet. The Norton message popped up while the page was still loading.

Also, the MBAM scan didn't find anything, but here is the scan log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4172

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/6/2010 1:29:48 PM
mbam-log-2010-06-06 (13-29-48).txt

Scan type: Quick scan
Objects scanned: 114089
Time elapsed: 7 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And here is the ESET scan log:

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\termdd.sys.vir Win32/Olmarik.ZC trojan
cleaned - quarantined



Should I delete the quarantined file?

Edited by Mal90, 06 June 2010 - 04:41 PM.


#9 extremeboy

Posted 06 June 2010 - 05:21 PM

Hello.

No need to delete that; it's just a quarantined item from ComboFix. We will remove that at the end automatically. ;)

That looks good. Does Norton still pop up any messages though?

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy

#10 Mal90

Posted 06 June 2010 - 05:32 PM

Hello EB,

Okay, cool, just wanted to make sure.

Norton has not popped up for anything since the last warning message I told you about, and I haven't experienced any other issues.

Here is the DDS log:




DDS (Ver_10-03-17.01) - NTFSx86
Run by Trevor at 18:24:08.43 on Sun 06/06/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1247.589 [GMT -4:00]

AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Trevor\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.gamefaqs.com/
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\3.8.0.41\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SoundMan] "SOUNDMAN.EXE"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\trevor\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton security suite\engine\3.8.0.41\CoIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-3 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-3 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-3 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100528.003\IDSXpx86.sys [2010-5-28 331640]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\3.8.0.41\ccSvcHst.exe [2010-2-3 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-26 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100606.003\NAVENG.SYS [2010-6-6 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100606.003\NAVEX15.SYS [2010-6-6 1347504]
S2 Ca1528av;SPCA1528 Video Camera Service;c:\windows\system32\drivers\Ca1528av.sys [2010-4-25 516480]
S3 Bulk1528;SPCA1528 Still Camera Service;c:\windows\system32\drivers\Bulk1528.sys [2010-4-25 11648]
S3 mdxgthkn;mdxgthkn;\??\c:\docume~1\trevor\locals~1\temp\mdxgthkn.sys --> c:\docume~1\trevor\locals~1\temp\mdxgthkn.sys [?]

=============== Created Last 30 ================

2010-06-06 17:34:51 0 d-----w- c:\program files\ESET
2010-06-06 17:21:31 0 d-----w- c:\docume~1\trevor\applic~1\Malwarebytes
2010-06-06 17:21:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-06 17:21:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-06 17:21:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-06 17:21:18 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-03 23:57:39 0 d-sha-r- C:\cmdcons
2010-06-03 23:55:28 98816 ----a-w- c:\windows\sed.exe
2010-06-03 23:55:28 77312 ----a-w- c:\windows\MBR.exe
2010-06-03 23:55:28 256512 ----a-w- c:\windows\PEV.exe
2010-06-03 23:55:28 161792 ----a-w- c:\windows\SWREG.exe
2010-06-01 01:56:59 0 ----a-w- c:\documents and settings\trevor\defogger_reenable
2010-05-31 23:29:19 0 d-----w- c:\program files\MSSOAP
2010-05-31 23:28:47 0 d-----w- c:\program files\Webroot
2010-05-31 23:25:49 164 ----a-w- c:\windows\install.dat
2010-05-31 23:21:05 0 d-----w- c:\program files\Uniblue
2010-05-30 14:47:34 25088 ----a-w- c:\program files\SMASH2.EXE
2010-05-27 14:47:40 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-05-27 14:47:40 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-25 23:20:53 0 d-----w- C:\Sega
2010-05-25 22:14:55 0 d-----w- c:\program files\directx
2010-05-25 22:11:25 0 d-----w- c:\program files\Strategy First
2010-05-25 21:54:33 0 d-----w- c:\program files\Enlight
2010-05-20 11:32:12 19 ----a-w- c:\windows\popcinfo.dat
2010-05-20 11:07:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Trymedia
2010-05-18 19:42:03 0 d-----w- c:\program files\Plants vs. Zombies
2010-05-18 19:41:11 0 d-----w- c:\program files\bfgclient
2010-05-18 19:40:04 0 d-----w- c:\docume~1\alluse~1\applic~1\BigFishGamesCache
2010-05-13 17:17:20 0 d-----w- c:\docume~1\trevor\applic~1\LimeWire
2010-05-13 17:14:42 0 d-----w- c:\program files\LimeWire

==================== Find3M ====================

2010-05-25 22:59:39 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-04-19 14:13:11 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-19 14:13:11 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-04-12 06:40:28 19200 ----a-w- c:\windows\system32\drivers\srvkp.sys
2010-04-12 06:40:08 1571001 ----a-w- c:\windows\system32\sisgl.dll
2010-04-12 06:22:38 3468288 ----a-w- c:\windows\system32\sisgrv.dll
2010-04-12 06:17:36 324608 ----a-w- c:\windows\system32\drivers\sisgrp.sys
2010-04-12 06:08:42 9728 ----a-w- c:\windows\system32\SiSPIns2.dll
2010-04-12 06:07:14 172032 ----a-w- c:\windows\system32\SiSInst.dll
2010-04-12 06:07:02 258048 ----a-w- c:\windows\system32\SiSParse.dll
2010-04-12 06:06:42 49152 ----a-w- c:\windows\system32\SiSBase.dll
2010-04-09 11:54:38 35835 ----a-w- c:\windows\DIIUnin.dat
2010-04-09 11:54:01 21840 ----atw- c:\windows\system32\SIntfNT.dll
2010-04-09 11:54:01 17212 ----atw- c:\windows\system32\SIntf32.dll
2010-04-09 11:54:01 12067 ----atw- c:\windows\system32\SIntf16.dll
2010-03-24 20:19:38 2829 ----a-w- c:\windows\DIIUnin.pif
2010-03-24 20:19:37 94208 ----a-w- c:\windows\DIIUnin.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

============= FINISH: 18:24:50.54 ===============


#11 extremeboy

Posted 06 June 2010 - 06:46 PM

Awesome. :)

Just one last thing we need to do...

Download and Run OTM
  1. Please download OTM by OldTimer and save it to your desktop.
  2. Double click the icon on your desktop. If you are running on Vista, right click on the file and choose Run As Administrator.
  3. Paste the following code under the area. Do not include the word "Code".
    CODE
    :services
    mdxgthkn
    :files
    c:\docume~1\trevor\locals~1\temp\mdxgthkn.sys
    :commands
    [CREATERESTOREPOINT]
    [emptytemp]
  4. Click the large button.
  5. If OTM requires a reboot, please allow it to do so.
  6. Copy/Paste the contents under the line here in your next reply.
Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Peer-to-Peer Programs Warning

Your log shows that you are using so called peer-to-peer or file-sharing programs (in your case LimeWire). These programs allow to share files between users as the name(s) suggest. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s) but I suggest you remove it.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#12 Mal90

Mal90
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:17 AM

Posted 06 June 2010 - 07:00 PM

Okay here is the OTM log:

All processes killed
========== SERVICES/DRIVERS ==========
Service mdxgthkn stopped successfully!
Service mdxgthkn deleted successfully!
========== FILES ==========
File/Folder c:\docume~1\trevor\locals~1\temp\mdxgthkn.sys not found.
========== COMMANDS ==========
Restore point Set: OTM Restore Point (0)

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41620 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 68994 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Trevor
->Temp folder emptied: 137094 bytes
->Temporary Internet Files folder emptied: 23535623 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 222932 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 688287 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 26075 bytes

Total Files Cleaned = 26.00 mb


OTM by OldTimer - Version 3.1.12.2 log created on 06062010_195117

Files moved on Reboot...
File C:\Documents and Settings\Trevor\Local Settings\Temp\~DFE868.tmp not found!
File C:\Documents and Settings\Trevor\Local Settings\Temp\~DFE88A.tmp not found!
File C:\Documents and Settings\Trevor\Local Settings\Temp\~DFE942.tmp not found!
File C:\Documents and Settings\Trevor\Local Settings\Temp\~DFEA06.tmp not found!
File C:\Documents and Settings\Trevor\Local Settings\Temp\~DFEB47.tmp not found!
File C:\Documents and Settings\Trevor\Local Settings\Temp\~DFEB5C.tmp not found!
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\KUM04Q58\iframe[1].htm moved successfully.
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\GH95UIRJ\topic320736[1].htm moved successfully.
File C:\WINDOWS\temp\JETA0A5.tmp not found!
File C:\WINDOWS\temp\Perflib_Perfdata_7f4.dat not found!

Registry entries deleted on Reboot...
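
As an added illustration (not part of the thread, and not code from OldTimer or OTM), the following Python script parses an OTM log of the format posted above and checks it against what the fix script asked for: that the named service was deleted, that the named driver file was moved or was already absent, and that a restore point was created. The sample log is constructed from the thread's format; the service name and driver path mirror the thread's script. A file reported "not found" rather than "moved" is worth flagging, because it means OTM did not remove it itself and a fresh scan should confirm it is really gone.

```python
"""Summarise an OTM cleanup log and verify the requested removals happened."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, abbreviated from the OTM log format shown in the thread.
SAMPLE_LOG = r"""All processes killed
========== SERVICES/DRIVERS ==========
Service mdxgthkn stopped successfully!
Service mdxgthkn deleted successfully!
========== FILES ==========
File/Folder c:\docume~1\trevor\locals~1\temp\mdxgthkn.sys not found.
========== COMMANDS ==========
Restore point Set: OTM Restore Point (0)

[EMPTYTEMP]

User: Trevor
->Temp folder emptied: 137094 bytes
->Temporary Internet Files folder emptied: 23535623 bytes

Total Files Cleaned = 26.00 mb

Files moved on Reboot...
File C:\Documents and Settings\Trevor\Local Settings\Temp\~DFE868.tmp not found!
C:\Documents and Settings\Trevor\Local Settings\Temporary Internet Files\Content.IE5\KUM04Q58\iframe[1].htm moved successfully.
"""

# Line patterns, derived from the log lines seen in the thread.
_SERVICE = re.compile(r"^Service (\S+) (stopped|deleted) successfully!$")
_NOT_FOUND = re.compile(r"^(?:File/Folder|File) (.+) not found[.!]$")
_MOVED = re.compile(r"^(?:File/Folder )?(.+) moved successfully\.$")
_TOTAL = re.compile(r"^Total Files Cleaned = (.+)$")


@dataclass
class OtmSummary:
    services_stopped: list[str] = field(default_factory=list)
    services_deleted: list[str] = field(default_factory=list)
    files_moved: list[str] = field(default_factory=list)
    files_not_found: list[str] = field(default_factory=list)
    restore_point: bool = False
    total_cleaned: Optional[str] = None


def parse_otm_log(text: str) -> OtmSummary:
    """Walk the log line by line and collect services, files and status."""
    summary = OtmSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if m := _SERVICE.match(line):
            target = summary.services_stopped if m.group(2) == "stopped" else summary.services_deleted
            target.append(m.group(1))
        elif m := _NOT_FOUND.match(line):
            summary.files_not_found.append(m.group(1))
        elif m := _MOVED.match(line):
            summary.files_moved.append(m.group(1))
        elif line.startswith("Restore point Set:"):
            summary.restore_point = True
        elif m := _TOTAL.match(line):
            summary.total_cleaned = m.group(1)
    return summary


def check_fix(summary: OtmSummary, expected_services: list[str], expected_files: list[str]) -> list[str]:
    """Compare the log against the items the OTM script asked to remove.

    Returns human-readable findings; an empty list means everything was handled
    by OTM itself. Paths are compared case-insensitively, as Windows does.
    """
    findings: list[str] = []
    for svc in expected_services:
        if svc not in summary.services_deleted:
            findings.append(f"service {svc} was not deleted")
    moved = {p.lower() for p in summary.files_moved}
    absent = {p.lower() for p in summary.files_not_found}
    for path in expected_files:
        key = path.lower()
        if key in moved:
            continue
        if key in absent:
            findings.append(f"file {path} was already absent; confirm with a fresh scan")
        else:
            findings.append(f"file {path} is not mentioned in the log")
    if not summary.restore_point:
        findings.append("no restore point was created")
    return findings


if __name__ == "__main__":
    result = parse_otm_log(SAMPLE_LOG)
    print(f"services deleted: {result.services_deleted}, cleaned: {result.total_cleaned}")
    for finding in check_fix(result, ["mdxgthkn"], [r"c:\docume~1\trevor\locals~1\temp\mdxgthkn.sys"]):
        print("finding:", finding)
```

Run against the thread's own log, the checker reports that the service was deleted and the restore point set, but that the driver file was already absent, which matches the "not found" line in the log: an earlier step had removed the file, and the service entry was the remaining persistence to clean up.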

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:17 AM

Posted 06 June 2010 - 07:05 PM

Great. That's done, you're clean now.

Let's wrap up and give you some prevention tips.

Please follow/read the steps below to remove the tools we used and for some more information.


Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.


Congratulations! You now appear clean!

Now that you are clean, please follow and read some of the prevention tips >over here<. Is your system a bit slow? If so, try some of the points and things suggested here.

If you would like, visit my http://computermalwaresecurity.blogspot.com/ and Subscribe/Follow along.


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks.

With Regards,
Extremeboy

#14 Mal90

Mal90
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:17 AM

Posted 06 June 2010 - 07:21 PM

Hello EB, and thanks for all of your help. I just have one question: what happened to the original Tidserv infection? The file that the ESET scan came up with was named something different.

#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:17 AM

Posted 06 June 2010 - 07:45 PM

It has all been removed.

ESET and many other anti-virus vendors use their own unique way of categorizing and naming an infection. Therefore, names of infections can differ.



