
HTTP Tidserv Request


3 replies to this topic

#1 cometfur
  • Members
  • 2 posts

Posted 04 June 2010 - 04:16 PM

Hello,

The computer that I'm trying to fix had a number of infections that I believe I have removed with Norton, Malwarebytes, Windows Live and ComboFix.

But I am still seeing Norton 360 regularly alert me that it has blocked HTTP Tidserv Request and HTTPS Tidserv Request. It appears to happen every time I do a Google search in Firefox and click a link, and other times as well, but I don't know what triggers it. While Norton says no further action is needed, I'm wondering what it means that I'm getting these? And is there action that I should take?

Here's the ComboFix log.

Thanks,
Cometfur

ComboFix 10-06-03.01 - Dad 06/04/2010 13:23:50.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1526.1122 [GMT -7:00]
Running from: c:\documents and settings\Dad\My Documents\Downloads\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\The Peach\Application Data\Microsoft\Internet Explorer\lleod150
c:\documents and settings\The Peach\Application Data\Microsoft\Internet Explorer\wmharun.log
c:\windows\Downloaded Program Files\Install.inf
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\bszip.dll
c:\windows\system32\Vb40032.dll

.
((((((((((((((((((((((((( Files Created from 2010-05-04 to 2010-06-04 )))))))))))))))))))))))))))))))
.

2010-06-04 04:05 . 2010-06-04 04:05 503808 ----a-w- c:\documents and settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-792a1a99-n\msvcp71.dll
2010-06-04 04:05 . 2010-06-04 04:05 499712 ----a-w- c:\documents and settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-792a1a99-n\jmc.dll
2010-06-04 04:05 . 2010-06-04 04:05 348160 ----a-w- c:\documents and settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-792a1a99-n\msvcr71.dll
2010-06-04 03:11 . 2010-06-04 03:11 -------- d-----w- c:\documents and settings\Dad\Application Data\Malwarebytes
2010-06-04 02:37 . 2010-06-04 02:37 -------- d-sh--w- c:\documents and settings\Dad\IECompatCache
2010-06-04 02:33 . 2010-06-04 02:33 -------- d-----w- c:\documents and settings\Dad\Application Data\HpUpdate
2010-06-04 02:24 . 2010-06-04 02:24 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-03 23:02 . 2010-06-03 23:02 0 ----a-w- c:\program files\extra2.dat
2010-06-03 21:22 . 2010-06-03 21:22 0 ----a-w- c:\program files\extra1.dat
2010-05-27 13:03 . 2010-05-27 13:03 503808 ----a-w- c:\documents and settings\The Peach\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6857340d-n\msvcp71.dll
2010-05-27 13:03 . 2010-05-27 13:03 499712 ----a-w- c:\documents and settings\The Peach\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6857340d-n\jmc.dll
2010-05-27 13:03 . 2010-05-27 13:03 348160 ----a-w- c:\documents and settings\The Peach\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6857340d-n\msvcr71.dll
2010-05-15 06:30 . 2010-06-04 02:49 -------- d-----w- c:\program files\Windows Live Safety Center
2010-05-14 00:59 . 2010-05-14 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Playrix Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-04 03:11 . 2009-03-23 20:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-03 11:03 . 2007-03-24 03:13 34 ----a-w- c:\windows\popcinfot.dat
2010-06-03 11:03 . 2007-03-24 03:13 112 ---h--w- c:\windows\popcreg.dat
2010-05-14 00:57 . 2008-05-24 02:22 -------- d-----w- c:\program files\RealArcade
2010-05-02 21:57 . 2007-09-27 16:40 -------- d-----w- c:\program files\iTunes
2010-05-02 21:55 . 2007-07-05 17:50 -------- d-----w- c:\program files\Common Files\Apple
2010-05-02 21:46 . 2005-09-08 07:20 -------- d-----w- c:\documents and settings\Dad\Application Data\Apple Computer
2010-05-02 21:44 . 2008-07-13 00:44 -------- d-----w- c:\program files\Bonjour
2010-05-02 21:42 . 2010-05-02 21:42 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-04-29 22:39 . 2009-03-23 20:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2009-03-23 20:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 04:51 . 2010-04-26 04:51 -------- d-----w- c:\documents and settings\The Peach\Application Data\Realv1001
2010-04-12 00:11 . 2005-10-11 00:45 -------- d-----w- c:\program files\Yahoo! Games
2010-04-08 20:20 . 2010-04-08 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 20:20 . 2010-04-08 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-31 16:51 . 2010-03-31 16:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-31 16:50 . 2010-03-31 16:50 152576 ----a-w- c:\documents and settings\The Peach\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-31 16:48 . 2010-03-31 16:48 79488 ----a-w- c:\documents and settings\The Peach\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-30 22:48 . 2010-03-30 22:48 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-03-30 22:43 . 2010-03-30 22:43 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-03-26 17:33 . 2010-04-18 21:07 1496064 ----a-w- c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\1spbymd7.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-26 17:33 . 2010-04-14 14:44 1496064 ----a-w- c:\documents and settings\The Peach\Application Data\Mozilla\Firefox\Profiles\cxbb2rlc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-26 17:33 . 2010-04-18 21:07 43008 ----a-w- c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\1spbymd7.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-26 17:33 . 2010-04-18 21:07 339456 ----a-w- c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\1spbymd7.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-26 17:33 . 2010-04-14 14:44 43008 ----a-w- c:\documents and settings\The Peach\Application Data\Mozilla\Firefox\Profiles\cxbb2rlc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-26 17:33 . 2010-04-14 14:44 339456 ----a-w- c:\documents and settings\The Peach\Application Data\Mozilla\Firefox\Profiles\cxbb2rlc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-26 17:32 . 2010-04-18 21:07 346112 ----a-w- c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\1spbymd7.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-03-26 17:32 . 2010-04-14 14:44 346112 ----a-w- c:\documents and settings\The Peach\Application Data\Mozilla\Firefox\Profiles\cxbb2rlc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-03-10 06:15 . 2004-08-04 11:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2005-09-25 21:25 . 2005-09-25 21:27 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-30 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-01-16 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-31 149280]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-02 630784]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-11-08 65536]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-03-13 517768]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-2-23 196608]
Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2010-3-26 604008]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\N360\0308000.029\SymEFA.sys [1/27/2010 9:01 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\SYSTEM32\DRIVERS\N360\0308000.029\BHDrvx86.sys [1/27/2010 9:01 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\N360\0308000.029\cchpx86.sys [1/27/2010 9:01 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100520.001\IDSXpx86.sys [10/28/2009 3:37 PM 329592]
R2 HPMSSConnectorSvc;HPMSSConnectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe [10/26/2009 11:29 AM 20992]
R2 MediaCollectorService;MediaCollectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe [10/26/2009 11:29 AM 81920]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [1/27/2010 9:01 PM 117640]
R2 WHSConnector;Windows Home Server Connector Service;c:\program files\Windows Home Server\WHSConnector.exe [10/7/2009 1:48 PM 376680]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/31/2010 6:50 PM 102448]
S2 gupdate1c9bfd2ec289fc;Google Update Service (gupdate1c9bfd2ec289fc);c:\program files\Google\Update\GoogleUpdate.exe [4/17/2009 8:01 PM 133104]
S3 asbp2poa;asbp2poa;\??\c:\docume~1\DABOYZ~1\LOCALS~1\Temp\asbp2poa.sys --> c:\docume~1\DABOYZ~1\LOCALS~1\Temp\asbp2poa.sys [?]
S3 BackupReader;BackupReader;c:\windows\SYSTEM32\DRIVERS\BackupReader.sys [9/6/2007 7:53 PM 46368]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\SYSTEM32\DRIVERS\fantom.sys [3/10/2006 3:55 PM 39424]
S3 RemoteControl-USBLAN;RemoteControl-USBLAN;c:\windows\SYSTEM32\DRIVERS\rcblan.sys [2/23/2007 2:42 PM 39704]
S3 XDva164;XDva164;\??\c:\windows\system32\XDva164.sys --> c:\windows\system32\XDva164.sys [?]
S3 XDva165;XDva165;\??\c:\windows\system32\XDva165.sys --> c:\windows\system32\XDva165.sys [?]
S3 XDva167;XDva167;\??\c:\windows\system32\XDva167.sys --> c:\windows\system32\XDva167.sys [?]
S3 XDva177;XDva177;\??\c:\windows\system32\XDva177.sys --> c:\windows\system32\XDva177.sys [?]
S3 XDva186;XDva186;c:\windows\SYSTEM32\XDva186.sys [7/10/2008 9:03 PM 46080]
S3 XDva189;XDva189;\??\c:\windows\system32\XDva189.sys --> c:\windows\system32\XDva189.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-06-04 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 17:09]

2010-05-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-06-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-18 03:01]

2010-06-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-18 03:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/index.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {0A229854-7591-47D3-82AB-B88045C66595} - hxxp://speed.dfsplash.com/DFInstall.cab
DPF: {3FB37917-B6B9-4FBB-920D-254BFBB8D520} - hxxp://www.wowweesupport.com/download/rovio/WebSee.cab
FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\1spbymd7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/index.html
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\1spbymd7.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\All Users\Application Data\RealArcade\npraclient.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-04 13:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x89FAFEC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba16cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f1f852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9d82bb0
PacketIndicateHandler -> NDIS.sys @ 0xb9d8fa21
SendHandler -> NDIS.sys @ 0xb9d6d87b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1475057589-2010775184-3064206355-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(952)
c:\windows\system32\WININET.dll
.
Completion time: 2010-06-04 13:44:00
ComboFix-quarantined-files.txt 2010-06-04 20:43

Pre-Run: 13,669,699,584 bytes free
Post-Run: 17,411,555,328 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - D8F501305CC5C871675D97A0D0C6B34E

EDIT: Moved from XP to more appropriate Malware Removal Logs forum ~ Hamluis.

Edited by hamluis, 04 June 2010 - 05:44 PM.
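The log above is read by hand in this thread, but the lines that matter for triage follow a small number of fixed shapes: registry key headers, service/driver lines of the form `R0 name;description;image [date size]`, and the MBR detector's `called modules:` line. The script below is an added example written for this page; it is not code from the thread, from ComboFix, or from BleepingComputer. It assumes only the line formats exactly as they appear in the posted log and runs over a constructed sample made of lines copied from that log. It separates findings that need a look first (a driver registered from a user's Temp directory, an `>>UNKNOWN<<` module in the disk I/O call chain) from settings that are often legitimate on a machine running a third-party suite such as Norton 360 (Security Center monitoring disabled, Windows Firewall standard profile off), which this log also shows.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log posted in this thread,
# reduced to the handful a triage pass would examine.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\N360\0308000.029\SymEFA.sys [1/27/2010 9:01 PM 310320]
S3 asbp2poa;asbp2poa;\??\c:\docume~1\DABOYZ~1\LOCALS~1\Temp\asbp2poa.sys --> c:\docume~1\DABOYZ~1\LOCALS~1\Temp\asbp2poa.sys [?]
S3 XDva164;XDva164;\??\c:\windows\system32\XDva164.sys --> c:\windows\system32\XDva164.sys [?]
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x89FAFEC5]<<
user & kernel MBR OK
"""


@dataclass
class Finding:
    severity: str   # "high" = investigate first, "review" = may be legitimate
    line_no: int
    text: str
    reason: str


# "R0 name;description;image [info]" as ComboFix prints service/driver entries.
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$')
KEY_RE = re.compile(r'^\[(.+)\]$')
UNKNOWN_RE = re.compile(r'>>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<')


def triage_combofix(lines):
    """Walk log lines in order and return a list of Finding objects."""
    findings = []
    current_key = ""          # most recent "[HKEY_...]" header, lower-cased
    for n, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line:
            continue

        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue

        m = SERVICE_RE.match(line)
        if m:
            start, name, image, info = m.group(1), m.group(2), m.group(4), m.group(5)
            # A kernel driver whose image lives under a user's Temp folder is
            # not something a legitimate installer normally leaves behind.
            if '\\temp\\' in image.lower():
                findings.append(Finding("high", n, line,
                    f"service {name} ({start}) loads its image from a Temp directory"))
            # ComboFix prints "[?]" when it cannot find the file to stat it:
            # either a leftover registration or a file hidden from the scanner.
            if info == '?':
                findings.append(Finding("review", n, line,
                    f"service {name} points at a file ComboFix could not find ([?])"))
            continue

        if ('security center\\monitoring' in current_key
                and line.lower().startswith('"disablemonitoring"=dword:00000001')):
            findings.append(Finding("review", n, line,
                "Security Center monitoring disabled under " + current_key
                + " (a third-party AV such as Norton sets this itself; confirm it matches the installed product)"))
            continue

        if ('firewallpolicy\\standardprofile' in current_key
                and re.match(r'"EnableFirewall"=\s*0\b', line)):
            findings.append(Finding("review", n, line,
                "Windows Firewall standard profile disabled (expected when a third-party firewall is active)"))
            continue

        m = UNKNOWN_RE.search(line)
        if m and line.lower().startswith('called modules:'):
            findings.append(Finding("high", n, line,
                f"unknown module at {m.group(1)} in the disk I/O call chain reported by the MBR detector"))
    return findings


def summarize(findings):
    """Count findings per severity so a reader sees what to open first."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage_combofix(SAMPLE_LOG.splitlines())
    for f in sorted(results, key=lambda f: (f.severity != "high", f.line_no)):
        print(f"[{f.severity:6}] line {f.line_no}: {f.reason}")
    print(summarize(results))
```

Run against the sample, the two "high" findings are the `asbp2poa` driver registered from a Temp path and the `>>UNKNOWN<<` module sitting between `disk.sys` and the hardware; the remaining entries are the Norton-related Security Center and firewall settings plus the `[?]` services, which deserve a look but are not evidence on their own. The `user & kernel MBR OK` line is deliberately not flagged: the detector reports the boot sector itself as unmodified, and the script only records what the log states.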



#2 Farbar
    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 07 June 2010 - 04:58 PM

Hi cometfur,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Your computer is infected. If the issue is not resolved please update me on the current condition of your computer. Also do the following:

Please go to start => Run => Copy and paste the bold line in the run-box and click OK:

"C:\Qoobox\Add-Remove Programs.txt"

A text file opens up, copy and paste the content to your reply.

#3 cometfur
  • Topic Starter

  • Members
  • 2 posts

Posted 07 June 2010 - 08:37 PM

Thanks Just Curious...

I took the nuclear option and reformatted/reinstalled. Fortunately we have regular backups and so data was preserved.

So bottom line, topic can be closed.

Thanks again,

Cometfur

#4 Farbar
    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 08 June 2010 - 02:57 AM

Glad the issue is resolved and thanks for letting me know.

This thread will now be closed since the issue seems to be resolved.
