
I Think I'm infected with Tidsev


  • This topic is locked
11 replies to this topic

#1 Johnathon

  • Members
  • 6 posts

Posted 13 June 2010 - 07:36 PM

Hi,
Norton 360 keeps telling me that it stopped an intrusion named HTTPS Tidserv Request 2 from svchost.exe and iexplore.exe. I also cannot update any Windows programs. I've run Malwarebytes Anti-Malware (free trial), Trojan Remover, Spybot and Norton 360, but they can't find anything. I downloaded and ran DDS.scr after turning off the antivirus programs (Windows Defender said it was turned off, but according to the log it wasn't).






DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 19:33:08.47 on 13/06/2010
Internet Explorer: 8.0.6001.18928
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.2.1033.18.2029.863 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Norton 360 Premier Edition\Engine\4.2.0.12\ccSvcHst.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\system32\IoctlSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
D:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Norton 360 Premier Edition\Engine\4.2.0.12\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Registry Clean Expert\RCHelper.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Logitech\SetPoint II\SetpointII.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\conime.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Windows\System32\svchost.exe -k wdisvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Owner\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.quadro.net/
uSearch Bar = Preserve
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\program files\spybot - search & destroy\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360 premier edition\engine\4.2.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360 premier edition\engine\4.2.0.12\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360 premier edition\engine\4.2.0.12\coIEPlg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [RegClean Expert Scheduler] "d:\program files\registry clean expert\RCHelper.exe" /startup
uRun: [RGSC] d:\program files\rockstar games\rockstar games social club\RGSCLauncher.exe /silent
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\AxAutoMntSrv.exe" -automount
uRun: [Uniblue RegistryBooster 2] d:\program files\uniblue\registrybooster 2\StartRegistryBooster.exe
uRun: [Uniblue SpeedUpMyPC] d:\program files\uniblue\speedupmypc 3\StartSUMP2.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618)" -"http://www.blitzgamer.com/play_now/sports/1500/braapi-motocross.html"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [TrojanScanner] d:\program files\trojan remover\Trjscan.exe /boot
mRun: [Launch LGDCore] "c:\program files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Launch LCDMon] "c:\program files\logitech\g-series software\LCDMon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "d:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\Hotsync.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\setpoi~1.lnk - c:\program files\logitech\setpoint ii\SetpointII.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\program files\spybot - search & destroy\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} - hxxp://intel-drv-cdn.systemrequirementslab.com/multi/bin/sysreqlab_srlx.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
mASetup: {7070D8E0-650A-46b3-B03C-9497582E6A74} - %SystemRoot%\system32\soundschemes.exe /AddRegistration

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0402000.00c\symds.sys [2010-6-4 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0402000.00c\symefa.sys [2010-6-4 173104]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-4-29 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0402000.00c\cchpx86.sys [2010-6-4 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20100604.004\IDSvix86.sys [2010-6-9 344112]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0402000.00c\ironx86.sys [2010-6-4 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0402000.00c\symtdiv.sys [2010-6-4 339504]
R2 hpsunidr;HPScanJet UniDriver;c:\windows\system32\drivers\hpsunidr.sys [2007-3-26 5376]
R2 N360;Norton 360;c:\program files\norton 360 premier edition\engine\4.2.0.12\ccsvchst.exe [2010-6-4 126392]
R2 SBSDWSCService;SBSD Security Center Service;d:\program files\spybot - search & destroy\SDWinSec.exe [2008-1-18 1153368]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2009-12-23 370688]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-3 102448]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-4-26 21504]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2010-4-10 266544]

=============== Created Last 30 ================

2010-06-13 13:57:36 44080 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-06-13 07:56:39 0 d-----w- c:\users\owner\appdata\roaming\Xilisoft
2010-06-12 17:06:58 4817 ----a-w- c:\windows\checkip.dat
2010-06-05 09:24:40 0 d-----w- c:\programdata\Uniblue
2010-06-05 09:24:33 20232 ----a-w- c:\windows\system32\AntiSpyNative64.exe
2010-06-05 09:24:33 16648 ----a-w- c:\windows\system32\AntiSpyNative32.exe
2010-06-04 08:16:28 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-03 22:38:19 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-06-03 22:38:19 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-06-03 22:38:16 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-03 22:38:16 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-03 22:38:16 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-03 22:37:56 0 d-----w- c:\program files\Symantec
2010-06-03 22:37:13 0 d-----w- c:\windows\system32\drivers\N360
2010-06-03 22:37:12 0 d-----w- c:\program files\Norton 360 Premier Edition
2010-06-03 22:27:59 0 d-----w- c:\program files\NortonInstaller
2010-05-26 09:19:57 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-16 08:12:46 0 d-----w- c:\programdata\Apple Computer

==================== Find3M ====================

2010-06-13 13:57:34 51200 ----a-w- c:\windows\inf\infpub.dat
2010-06-13 13:57:34 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-06-13 13:57:34 143360 ----a-w- c:\windows\inf\infstor.dat
2010-06-13 13:33:32 88149 ----a-w- c:\programdata\nvModes.dat
2010-05-26 17:06:41 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47:41 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-12 15:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-08 18:50:07 87608 ----a-w- c:\users\owner\appdata\roaming\inst.exe
2010-05-08 18:50:06 47360 ----a-w- c:\users\owner\appdata\roaming\pcouffin.sys
2010-05-04 21:20:10 82944 --sha-r- c:\users\owner\appdata\roaming\NTDOS412L.dll
2010-05-04 05:59:21 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55:42 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55:42 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-02 22:45:35 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-05-02 22:45:35 245760 ------w- c:\windows\Setup1.exe
2010-05-01 14:13:48 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 18:45:56 72856 ----a-w- c:\windows\system32\xliveinstallhost.exe
2010-04-27 18:45:56 187544 ----a-w- c:\windows\system32\xliveinstall.dll
2010-04-22 10:03:58 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-04-05 17:01:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-04-03 22:27:00 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-03 22:27:00 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 22:27:00 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 22:27:00 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-02 21:17:52 15426200 ----a-w- c:\windows\system32\xlive.dll
2010-04-02 21:17:52 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2009-10-28 20:29:38 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-04-26 21:34:09 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-02-09 08:41:57 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-12-05 16:25:01 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-12-05 16:25:01 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-12-05 16:25:01 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-10-17 11:20:34 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 19:33:53.51 ===============
#2 Farbar

  • Security Developer
  • 21,719 posts
  • Location: The Netherlands

Posted 17 June 2010 - 03:12 AM

Hi Johnathon,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Please update me on the current condition of your computer if the issue is not resolved.

#3 Johnathon

  • Topic Starter
  • Members
  • 6 posts

Posted 17 June 2010 - 02:57 PM

Hello farbar,

The issue is not resolved and I appreciate any help you can give me. I will do my best to follow your directions.

Norton 360 is still giving a lot of HTTP Tidserv Request 2 alerts which say "an intrusion attempt by 91.212.226.55 was blocked; attack was from \device\harddiskvolume1\windows\system32\svchost.exe", and a few of these: "an intrusion attempt by 91.212.226.59 was blocked; attack was from \device\harddiskvolume1\program files\internet explorer\iexplore.exe".
Windows is even starting to send warnings about not being able to update itself.

Johnathon


#4 Farbar

  • Security Developer
  • 21,719 posts
  • Location: The Netherlands

Posted 17 June 2010 - 03:27 PM

Thanks for the feedback.
  1. You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    1. First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instructions are also here: How to disable TeaTimer during HijackThis Cleanup
      Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
    2. Then download ResetTeaTimer.exe to your desktop.
      • Double-click ResetTeaTimer.exe and let it run.
    Note: The Teatimer should be kept disabled until I give you the clean sign.

  2. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


    CODE
    @ECHO OFF
    REM Remove the per-user Internet Explorer proxy settings (the DDS log shows ProxyServer = http=127.0.0.1:5555)
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /f
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
    REM Reset the WinHTTP proxy (used by system services such as Windows Update) to direct access
    proxycfg -d

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: fix.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate fix.bat on the desktop.
    • Right-click and run it as administrator.
    • A window flashes; this is normal.

  3. Download the GMER Rootkit Scanner exe file from here and save it to your desktop.
    • Double-click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
    • In the right panel, you will see several boxes that have been checked. Uncheck all the options except "Sections" (C:\ drive should remain checked).
    • Then click the Scan button and wait for it to begin. (Please be patient as it can take some time to complete.)
    • When the scan is finished, you will see the Scan button appear again. Click Save to save the scan results to your Desktop.
    • Save the file as gmer.log and copy/paste the contents in your next reply.

  4. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

    Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

    CODE
    @ECHO OFF
    REM Remove any log left over from a previous run
    if exist mbr.log del mbr.log
    REM Run GMER's MBR checker; it writes its report to mbr.log in the current directory
    mbr.exe -t
    REM Wait about 1.5 seconds so the log is fully written (ping is used as a delay)
    ping 1.1.1.1 -n 1 -w 1500 >nul
    REM Open the report in Notepad
    start mbr.log

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Right-click to run it as administrator.
    • A notepad opens, copy and paste the content (log.txt) to your reply.


#5 Johnathon

  • Topic Starter
  • Members
  • 6 posts

Posted 17 June 2010 - 05:01 PM

farbar,

Here are the files.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-17 17:48:07
Windows 6.0.6002 Service Pack 2
Running: l5p5q1pn.exe; Driver: C:\Users\Owner\AppData\Local\Temp\kglcapow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 82ABA880 8 Bytes [68, E0, 4B, 87, A8, 8D, B8, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 82ABA894 4 Bytes [F8, 0E, C4, 87]
.text ntkrnlpa.exe!KeSetEvent + 13D 82ABA8A0 4 Bytes CALL 0BCB2FBD
.text ntkrnlpa.exe!KeSetEvent + 191 82ABA8F4 4 Bytes [10, F9, 37, 87]
.text ntkrnlpa.exe!KeSetEvent + 1F5 82ABA958 4 Bytes [F0, 90, CC, 87]
.text ...
? System32\Drivers\spsi.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 88BB641B 5 Bytes JMP 86C3D1D8
.text apvu3hi4.SYS 8E12C000 22 Bytes [82, E3, DC, 82, 6C, E2, DC, ...]
.text apvu3hi4.SYS 8E12C017 98 Bytes [00, 32, A7, 78, 80, 3D, A5, ...]
.text apvu3hi4.SYS 8E12C07A 82 Bytes [AF, 82, E3, 71, A2, 82, 18, ...]
.text apvu3hi4.SYS 8E12C0CE 10 Bytes [00, 00, 00, 00, 00, 00, 4D, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; DEC EBP; SUB AL, 0x7c; DEC EDX}
.text apvu3hi4.SYS 8E12C0DA 12 Bytes [00, 00, 02, 00, 00, 00, 26, ...]
.text ...
.rsrc C:\Windows\system32\DRIVERS\kbdclass.sys entry point in ".rsrc" section [0x8E8AC014]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\palmOne\Hotsync.exe[1020] msvcrt.dll!free 76DA9BCA 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1020] msvcrt.dll!malloc 76DA9C45 5 Bytes JMP 0A93BE10 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1020] msvcrt.dll!??3@YAXPAX@Z 76DA9DE1 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1020] msvcrt.dll!??2@YAPAXI@Z 76DA9DF1 5 Bytes JMP 0A93C080 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1020] msvcrt.dll!realloc 76DAA509 5 Bytes JMP 0A93BE90 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1020] msvcrt.dll!calloc 76DAC590 5 Bytes JMP 0A93BE50 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1020] msvcrt.dll!_msize 76DAF809 5 Bytes JMP 0A93BEB0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1020] msvcrt.dll!_aligned_free 76DCC66C 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1020] msvcrt.dll!_aligned_malloc 76DCC6DA 5 Bytes JMP 0A93BFC0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1020] msvcrt.dll!_aligned_offset_malloc 76DCC6F6 5 Bytes JMP 0A93BFE0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1020] msvcrt.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 76DF8E9D 5 Bytes JMP 0A93C110 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1020] msvcrt.dll!_aligned_offset_realloc 76DF8EAD 5 Bytes JMP 0A93C020 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1020] msvcrt.dll!_expand 76DF9022 5 Bytes JMP 0A93BFA0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1020] msvcrt.dll!_heapadd 76DFABA8 5 Bytes JMP 0A93C160 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1020] msvcrt.dll!_heapchk 76DFABBC 5 Bytes JMP 0A93C170 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1020] msvcrt.dll!_heapset + 1 76DFACBE 4 Bytes JMP 0A93C191 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1020] msvcrt.dll!_heapmin 76DFACC7 5 Bytes JMP 0A93C260 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1020] msvcrt.dll!_heapused 76DFADAD 5 Bytes JMP 0A93C230 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1020] msvcrt.dll!_heapwalk 76DFADC0 5 Bytes JMP 0A93C1A0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1020] msvcrt.dll!_aligned_realloc 76E030BA 5 Bytes JMP 0A93C000 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Windows\system32\svchost.exe[1104] ntdll.dll!NtProtectVirtualMemory 77824D34 5 Bytes JMP 0092000A
.text C:\Windows\system32\svchost.exe[1104] ntdll.dll!NtWriteVirtualMemory 77825674 5 Bytes JMP 0093000A
.text C:\Windows\system32\svchost.exe[1104] ntdll.dll!KiUserExceptionDispatcher 77825DC8 5 Bytes JMP 0091000A
.text C:\Windows\system32\svchost.exe[1104] ole32.dll!CoCreateInstance 776C9EA6 5 Bytes JMP 00D3000A
.text C:\Windows\system32\svchost.exe[1104] USER32.dll!GetCursorPos 77050B88 5 Bytes JMP 01AF000A
.text C:\Windows\Explorer.EXE[3632] ntdll.dll!NtProtectVirtualMemory 77824D34 5 Bytes JMP 0045000A
.text C:\Windows\Explorer.EXE[3632] ntdll.dll!NtWriteVirtualMemory 77825674 5 Bytes JMP 0046000A
.text C:\Windows\Explorer.EXE[3632] ntdll.dll!KiUserExceptionDispatcher 77825DC8 5 Bytes JMP 0044000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4544] ntdll.dll!NtProtectVirtualMemory 77824D34 5 Bytes JMP 003D000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4544] ntdll.dll!NtWriteVirtualMemory 77825674 5 Bytes JMP 003E000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4544] ntdll.dll!KiUserExceptionDispatcher 77825DC8 5 Bytes JMP 003C000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4544] USER32.dll!CreateWindowExW 77041305 5 Bytes JMP 6D42DB1C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4544] USER32.dll!DialogBoxParamW 770610B0 5 Bytes JMP 6D3554C5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4544] USER32.dll!DialogBoxIndirectParamW 77062EF5 5 Bytes JMP 6D52480F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4544] USER32.dll!DialogBoxParamA 77078152 5 Bytes JMP 6D5247AC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4544] USER32.dll!DialogBoxIndirectParamA 7707847D 5 Bytes JMP 6D524872 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4544] USER32.dll!MessageBoxIndirectA 7708D4D9 5 Bytes JMP 6D524741 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4544] USER32.dll!MessageBoxIndirectW 7708D5D3 5 Bytes JMP 6D5246D6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4544] USER32.dll!MessageBoxExA 7708D639 5 Bytes JMP 6D524674 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4544] USER32.dll!MessageBoxExW 7708D65D 5 Bytes JMP 6D524612 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] ntdll.dll!NtProtectVirtualMemory 77824D34 5 Bytes JMP 0085000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] ntdll.dll!NtWriteVirtualMemory 77825674 5 Bytes JMP 0086000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] ntdll.dll!KiUserExceptionDispatcher 77825DC8 5 Bytes JMP 0084000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] USER32.dll!CreateDialogParamW 770372A2 5 Bytes JMP 6D42DEA8 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] USER32.dll!GetAsyncKeyState 7703863C 5 Bytes JMP 6D348EFF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] USER32.dll!SetWindowsHookExW 770387AD 5 Bytes JMP 6D429AC9 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] USER32.dll!CallNextHookEx 77038E3B 5 Bytes JMP 6D41D0ED C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] USER32.dll!UnhookWindowsHookEx 770398DB 5 Bytes JMP 6D39467C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] USER32.dll!EnableWindow 7703CD8B 5 Bytes JMP 6D42DD35 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] USER32.dll!CreateWindowExW 77041305 5 Bytes JMP 6D42DB1C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] USER32.dll!GetKeyState 77048CB1 5 Bytes JMP 6D42D2E3 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] USER32.dll!IsDialogMessageW 77050745 5 Bytes JMP 6D3559D7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] USER32.dll!CreateDialogParamA 770517AA 5 Bytes JMP 6D52547B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] USER32.dll!IsDialogMessage 77051847 5 Bytes JMP 6D524D17 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] USER32.dll!CreateDialogIndirectParamA 770526F1 5 Bytes JMP 6D5254B2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] USER32.dll!CreateDialogIndirectParamW 77059A62 5 Bytes JMP 6D5254E9 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] USER32.dll!SetKeyboardState 77060987 5 Bytes JMP 6D525086 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] USER32.dll!DialogBoxParamW 770610B0 5 Bytes JMP 6D3554C5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] USER32.dll!DialogBoxIndirectParamW 77062EF5 5 Bytes JMP 6D52480F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] USER32.dll!SendInput 77062F75 5 Bytes JMP 6D525C43 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] USER32.dll!EndDialog 7706326E 5 Bytes JMP 6D357E7E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] USER32.dll!SetCursorPos 77076FB2 5 Bytes JMP 6D525C97 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] USER32.dll!DialogBoxParamA 77078152 5 Bytes JMP 6D5247AC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] USER32.dll!DialogBoxIndirectParamA 7707847D 5 Bytes JMP 6D524872 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] USER32.dll!MessageBoxIndirectA 7708D4D9 5 Bytes JMP 6D524741 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] USER32.dll!MessageBoxIndirectW 7708D5D3 5 Bytes JMP 6D5246D6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] USER32.dll!MessageBoxExA 7708D639 5 Bytes JMP 6D524674 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] USER32.dll!MessageBoxExW 7708D65D 5 Bytes JMP 6D524612 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] USER32.dll!keybd_event 7708D972 5 Bytes JMP 6D525FC7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] SHELL32.dll!SHRestricted + D95 76318988 4 Bytes [4D, 30, BB, 71]
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] SHELL32.dll!SHRestricted + D9D 76318990 8 Bytes [57, 2F, BB, 71, 9C, 5B, BA, ...]
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] ole32.dll!OleLoadFromStream 77691E12 5 Bytes JMP 6D524B77 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] ole32.dll!CoCreateInstance 776C9EA6 5 Bytes JMP 6D42DB78 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\DRIVERS\kbdclass.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x86C41EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x858081f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
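As an added example that is not part of the thread and not GMER's or TDLfix's code: a small Python triage helper for the log shapes posted above. It parses the `.text` user-mode inline hook lines, the `File ... suspicious modification` line from GMER's file section, and the `\Driver\... -> 0x...` line from the MBR detector, then ranks them so a responder reads the most urgent leads first. The sample log embedded in the script is constructed from lines shaped like the ones above; the `Finding`, `triage` and `summarize` names are this example's own. One caveat a practitioner would want: a JMP into memory that no loaded module claims (like the 0085000A-style targets above) is also how many security products hook a process, and GMER attributing the IEFRAME.dll hooks to Microsoft is why they rank low here; the script orders leads, it does not decide that a machine is infected.

```python
"""Triage helper for GMER-style scanner output (added example, not GMER's
or TDLfix's code). Regexes match the line shapes seen in the thread's log;
the sample below is constructed from lines of that shape."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample modelled on the thread's GMER and MBR-detector output.
SAMPLE_LOG = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] ntdll.dll!NtProtectVirtualMemory 77824D34 5 Bytes JMP 0085000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] USER32.dll!CreateDialogParamW 770372A2 5 Bytes JMP 6D42DEA8 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4596] SHELL32.dll!SHRestricted + D95 76318988 4 Bytes [4D, 30, BB, 71]

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\DRIVERS\kbdclass.sys suspicious modification

detected MBR rootkit hooks:
\Driver\atapi -> 0x858081f8
Warning: possible MBR rootkit infection !
"""

# ".text <process>[pid] <module>!<export>[ + off] <addr> <n> Bytes <patch>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+"
    r"(?P<api>\S+(?:\s\+\s[0-9A-Fa-f]+)?)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+(?P<patch>.+)$"
)
# "JMP <target>" optionally followed by the module GMER resolved the target to.
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<module>.+))?$")
BYTES_RE = re.compile(r"^\[[^\]]*\]$")            # e.g. "[4D, 30, BB, 71]"
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification$")
DRIVER_HOOK_RE = re.compile(r"^(?P<driver>\\Driver\\\S+)\s+->\s+(?P<target>0x[0-9A-Fa-f]+)$")

RANK = {"high": 0, "medium": 1, "low": 2}   # sort key: most urgent first


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    kind: str
    detail: str


def classify_hook(m: "re.Match[str]") -> Finding:
    """Rank one user-mode inline hook by where its patch leads."""
    api, patch = m["api"], m["patch"]
    jmp = JMP_RE.match(patch)
    if jmp:
        if jmp["module"]:
            # GMER resolved the target to a module on disk and names its vendor.
            return Finding("low", "hook-to-module", f"{api} -> {jmp['module']}")
        # Target lies in memory no loaded module claims: injected code or an
        # unmapped stub. Security products do this too, so it is a lead, not a verdict.
        return Finding("high", "hook-to-unbacked-memory", f"{api} -> 0x{jmp['target']}")
    if BYTES_RE.match(patch):
        return Finding("medium", "inline-byte-patch", f"{api} patched with {patch}")
    return Finding("medium", "unrecognised-patch", f"{api}: {patch}")


def triage(log_text: str) -> List[Finding]:
    """Extract hook, modified-file and driver-object findings, most urgent first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HOOK_RE.match(line):
            findings.append(classify_hook(m))
        elif m := FILE_RE.match(line):
            # TDSS (Tidserv) persists by patching a legitimate system driver: top priority.
            findings.append(Finding("high", "modified-system-file", m["path"]))
        elif m := DRIVER_HOOK_RE.match(line):
            # A hooked driver object on the disk stack is how the rootkit hides its sectors.
            findings.append(Finding("high", "driver-object-hook", f"{m['driver']} -> {m['target']}"))
    findings.sort(key=lambda f: RANK[f.severity])   # stable sort keeps log order within a tier
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity tier."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:>6}] {f.kind:<26} {f.detail}")
    print(summarize(results))
```

Feed it a whole saved GMER log (`triage(open("gmer.log").read())`) and the three "high" kinds come out on top; everything that resolves to a named, vendored module sinks to the bottom, which is where the IEFRAME.dll hooks from this thread end up.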

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:09 PM

Posted 17 June 2010 - 05:31 PM

  1. Please uninstall Alcohol 120. This and software like Daemon Tools interfere with our tools and lead to false positives. Also delete its folder from the Program Files directory (C:\Program Files\Alcohol Soft).

  2. Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.
    • Disable real-time protection of your security software and make sure it will not run at startup after reboot. It may otherwise interfere with the tool. (Information on A/V control HERE)
    • Close all the open windows.
    • Right-click TDLfix.exe and run the tool as administrator, a command window opens.
    • Type (or copy the following and right-click to paste) in the command window and press Enter:

      kbdclass
    • The application will restart the computer immediately and run after the restart.
    • Tell me if the computer rebooted and ran to completion.

  3. See if you can get to the Windows Update page and whether the issue is resolved.


#7 Johnathon

Johnathon
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:09 PM

Posted 17 June 2010 - 06:30 PM

The computer restarted, I selected my account, and the computer started to work again, but Power Suite asked for permission to run, stopping TDLfix; it finished the job after I acknowledged Power Suite's request. I then went to Windows Update and it showed me all the available updates. So far there are no alerts from Norton; it looks good.

Thanks johnathon

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:09 PM

Posted 17 June 2010 - 06:35 PM

Great.
  1. Run TDLfix, type del and press Enter. This will delete the quarantined infected file and mbr.exe. Delete the tool from your desktop.

  2. You have the latest version of Java (Java 6 Update 20), and that is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Please uninstall the following:

    Java™ 6 Update 7

  3. This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.

  4. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  5. Also tell me how your computer is running.


#9 Johnathon

Johnathon
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:09 PM

Posted 17 June 2010 - 07:09 PM

The computer is running well and I haven't got any alerts from Norton 360 since running the TDLfix.
Here is the mbam-log


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4211

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

17/06/2010 8:01:42 PM
mbam-log-2010-06-17 (20-01-42).txt

Scan type: Quick scan
Objects scanned: 155605
Time elapsed: 4 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:09 PM

Posted 17 June 2010 - 07:15 PM

It looks good.
  1. You may delete any tool or log we used from your computer.

  2. First set a new Restore Point, then remove the old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

    To set a new restore point:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    To remove the old restore points:
    • Go to Start > Run (alternatively you can press the Windows key+R), then type Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Under "System Restore and Shadow copies" section click "Clean Up" to remove all previous restore points except the newly created one.
    • Click OK and Yes.

  3. I recommend installing this small application for safe surfing: Javacools© SpywareBlaster
    SpywareBlaster will add a large list of programs and sites to your Internet Explorer and Firefox settings, which will protect you from running and downloading known malicious programs.
    • Download and install it.
    • Update it manually by clicking on Updates in the left pane and then Check for Updates.
    • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
    • The free version doesn't have an automatic update. Update it once in two or three weeks and enable all protection again.

Happy Surfing, Johnathon.

#11 Johnathon

Johnathon
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:09 PM

Posted 17 June 2010 - 07:36 PM

farbar,
Thanks a lot for your time and patience it is greatly appreciated.

Johnathon

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:09 PM

Posted 17 June 2010 - 07:40 PM

You are most welcome, Johnathon.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.