
HTTPS Tidserv Request 2 intrusions


9 replies to this topic

#1 CrosbyMike (Members, 5 posts)

Posted 29 June 2010 - 04:37 AM

Hello Everyone,
My NIS9 security has started blocking HTTPS Tidserv Request 2 intrusions.
These only appear when I'm connected to my ISP.
I have a PC with a cable connection running windows XP.

Hope you can help.

thanks
Mike

p.s. I started getting google redirects about the same time.



#2 boopme (Global Moderator, NJ USA, 73,490 posts)

Posted 29 June 2010 - 06:12 PM

Hello and welcome.. Is this PC on a network?

Run a full system scan in safe mode with the latest Norton definitions. Then unplug the network connection and reboot the computer. Does the backdoor.tidserv detection come up again? If so, then we need to search for another undetected process on your computer.


Now run TDSSKiller
Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R), copy and paste the following into the text field (make sure you include the quote marks), then press OK. (On Vista, click the Vista Orb, copy and paste the following into the Search field, including the quotation marks, then press Ctrl+Shift+Enter.)


    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware (v1.46) and save it to your desktop.
Before you save it, rename it to, say, zztoy.exe


alternate download link 1
alternate download link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 CrosbyMike (Topic Starter, Members, 5 posts)

Posted 29 June 2010 - 07:22 PM

Hi, I ran the programs as requested; here are the log files:

00:52:30:718 3064 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
00:52:30:718 3064 ================================================================================
00:52:30:718 3064 SystemInfo:

00:52:30:718 3064 OS Version: 5.1.2600 ServicePack: 2.0
00:52:30:718 3064 Product type: Workstation
00:52:30:718 3064 ComputerName: YOUR-CLCWBQ9DPP
00:52:30:718 3064 UserName: Mike
00:52:30:718 3064 Windows directory: C:\WINDOWS
00:52:30:718 3064 Processor architecture: Intel x86
00:52:30:718 3064 Number of processors: 2
00:52:30:718 3064 Page size: 0x1000
00:52:30:718 3064 Boot type: Normal boot
00:52:30:718 3064 ================================================================================
00:52:31:234 3064 Initialize success
00:52:31:234 3064
00:52:31:234 3064 Scanning Services ...
00:52:31:734 3064 Raw services enum returned 384 services
00:52:31:750 3064
00:52:31:750 3064 Scanning Drivers ...
00:52:32:859 3064 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
00:52:33:031 3064 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
00:52:33:250 3064 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
00:52:33:359 3064 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
00:52:33:484 3064 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
00:52:33:625 3064 AgereSoftModem (f1a97570ea402493bcc22246e8141ae6) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
00:52:33:765 3064 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
00:52:33:937 3064 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
00:52:34:078 3064 ASPI32 (b979979ab8027f7f53fb16ec4229b7db) C:\WINDOWS\system32\drivers\ASPI32.sys
00:52:34:156 3064 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
00:52:34:250 3064 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
00:52:34:343 3064 ati2mtag (c3d6c7486038cd6405f1131c7c302d05) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
00:52:34:468 3064 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
00:52:34:562 3064 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
00:52:34:640 3064 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
00:52:34:906 3064 BHDrvx86 (87c00decc19bd995217a4a5fdd4d638c) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100619.001\BHDrvx86.sys
00:52:35:125 3064 btaudio (ecdc40cc54603c711e1a7a1c9255184a) C:\WINDOWS\system32\drivers\btaudio.sys
00:52:35:234 3064 BTDriver (58a49bd10e08d3d4333a60dedcb1ced8) C:\WINDOWS\system32\DRIVERS\btport.sys
00:52:35:312 3064 BthEnum (d24b8d1784c68a25060fffbe8ed34b76) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
00:52:35:437 3064 BthPan (10355270be12641b9764235da39dcf0f) C:\WINDOWS\system32\DRIVERS\bthpan.sys
00:52:35:515 3064 BTHPORT (95ef6f3f386d93ee1e4d9ca45a50252a) C:\WINDOWS\system32\Drivers\BTHport.sys
00:52:35:625 3064 BTHUSB (f06d4cb9918b462a84d9ac00027efc30) C:\WINDOWS\system32\Drivers\BTHUSB.sys
00:52:35:734 3064 BTKRNL (885b6d0f826a216eee4c3ad883809012) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
00:52:35:859 3064 BTWDNDIS (b1d350f3f13cf340fce93912d2ba1ebf) C:\WINDOWS\system32\DRIVERS\btwdndis.sys
00:52:36:109 3064 btwhid (e48668b4a6a5cf68b33aecad18ee8e1e) C:\WINDOWS\system32\DRIVERS\btwhid.sys
00:52:36:375 3064 BTWUSB (57e91e9925976bbc98984eebaaf1d84c) C:\WINDOWS\system32\Drivers\btwusb.sys
00:52:36:703 3064 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
00:52:36:796 3064 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
00:52:36:953 3064 ccHP (e941e709847fa00e0dd6d58d2b8fb5e1) C:\WINDOWS\system32\drivers\NIS\1107000.00C\ccHPx86.sys
00:52:37:125 3064 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
00:52:37:218 3064 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
00:52:37:281 3064 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
00:52:37:453 3064 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
00:52:37:578 3064 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
00:52:37:718 3064 DMICall (526192bf7696f72e29777bf4a180513a) C:\WINDOWS\system32\DRIVERS\DMICall.sys
00:52:37:781 3064 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
00:52:37:875 3064 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
00:52:37:968 3064 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
00:52:38:093 3064 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
00:52:38:171 3064 E100B (5c940a174dfb2c42b9f6ba6edc2baa0b) C:\WINDOWS\system32\DRIVERS\e100b325.sys
00:52:38:265 3064 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
00:52:38:375 3064 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
00:52:38:515 3064 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
00:52:38:609 3064 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
00:52:38:671 3064 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
00:52:38:765 3064 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
00:52:38:843 3064 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\drivers\fltmgr.sys
00:52:38:953 3064 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
00:52:39:046 3064 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
00:52:39:109 3064 GEARAspiWDM (5dc17164f66380cbfefd895c18467773) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
00:52:39:187 3064 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
00:52:39:265 3064 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
00:52:39:359 3064 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
00:52:39:468 3064 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
00:52:39:703 3064 IDSxpx86 (231c3f6d5c520e99924e1e37401a90c4) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100625.001\IDSxpx86.sys
00:52:39:812 3064 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
00:52:39:890 3064 intelppm (853d8160b62483df25e36779ed6e7e14) C:\WINDOWS\system32\DRIVERS\intelppm.sys
00:52:39:890 3064 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\intelppm.sys. Real md5: 853d8160b62483df25e36779ed6e7e14, Fake md5: 279fb78702454dff2bb445f238c048d2
00:52:39:890 3064 File "C:\WINDOWS\system32\DRIVERS\intelppm.sys" infected by TDSS rootkit ...
00:52:42:671 3064 Backup copy found, using it..
00:52:42:859 3064 will be cured on next reboot
00:52:42:953 3064 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys
00:52:43:031 3064 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
00:52:43:109 3064 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
00:52:43:203 3064 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
00:52:43:265 3064 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
00:52:43:343 3064 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
00:52:43:437 3064 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
00:52:43:515 3064 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
00:52:43:593 3064 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
00:52:43:671 3064 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\WINDOWS\system32\drivers\klmd.sys
00:52:43:765 3064 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
00:52:43:828 3064 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
00:52:43:937 3064 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
00:52:44:031 3064 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
00:52:44:093 3064 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
00:52:44:171 3064 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
00:52:44:265 3064 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
00:52:44:375 3064 mrtRate (a7566da7aa8b74f1cebc18afd6b6cfa0) C:\WINDOWS\system32\drivers\mrtRate.sys
00:52:44:453 3064 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
00:52:44:562 3064 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
00:52:44:640 3064 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
00:52:44:718 3064 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
00:52:44:812 3064 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
00:52:44:890 3064 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
00:52:44:984 3064 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
00:52:45:078 3064 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
00:52:45:187 3064 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
00:52:45:281 3064 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
00:52:45:500 3064 NAVENG (83518e6cc82bdc3c3db0c12d1c9a2275) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100629.002\NAVENG.SYS
00:52:45:625 3064 NAVEX15 (85cf37740fe06c7a2eaa7f6c81f0819c) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100629.002\NAVEX15.SYS
00:52:45:812 3064 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
00:52:45:890 3064 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
00:52:45:984 3064 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
00:52:46:062 3064 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
00:52:46:156 3064 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
00:52:46:234 3064 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
00:52:46:328 3064 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
00:52:46:406 3064 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
00:52:46:531 3064 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
00:52:46:625 3064 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
00:52:46:718 3064 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
00:52:46:812 3064 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
00:52:46:890 3064 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
00:52:46:984 3064 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
00:52:47:093 3064 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
00:52:47:171 3064 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
00:52:47:250 3064 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
00:52:47:312 3064 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
00:52:47:390 3064 pccsmcfd (fd2041e9ba03db7764b2248f02475079) C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys
00:52:47:500 3064 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
00:52:47:609 3064 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
00:52:47:687 3064 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
00:52:48:312 3064 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
00:52:48:687 3064 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
00:52:49:140 3064 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
00:52:49:218 3064 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
00:52:49:296 3064 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
00:52:49:468 3064 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
00:52:49:562 3064 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
00:52:49:640 3064 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
00:52:49:734 3064 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
00:52:49:812 3064 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
00:52:49:906 3064 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
00:52:49:984 3064 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
00:52:50:156 3064 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
00:52:50:234 3064 RFCOMM (99c4b74981a1413f142a3903130088cb) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
00:52:50:312 3064 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
00:52:50:406 3064 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
00:52:50:484 3064 Serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
00:52:50:578 3064 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
00:52:50:687 3064 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
00:52:50:812 3064 smrt (4c177cdfe23146013d0b44d1f4f9686c) C:\WINDOWS\system32\DRIVERS\smrt.sys
00:52:51:203 3064 smwdm (13739b36bd8d94d0fed7662aa7a4235d) C:\WINDOWS\system32\drivers\smwdm.sys
00:52:51:343 3064 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
00:52:51:468 3064 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
00:52:51:562 3064 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
00:52:51:671 3064 SRTSP (ec5c3c6260f4019b03dfaa03ec8cbf6a) C:\WINDOWS\System32\Drivers\NIS\1107000.00C\SRTSP.SYS
00:52:51:859 3064 SRTSPX (55d5c37ed41231e3ac2063d16df50840) C:\WINDOWS\system32\drivers\NIS\1107000.00C\SRTSPX.SYS
00:52:51:953 3064 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
00:52:52:109 3064 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
00:52:52:281 3064 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
00:52:52:375 3064 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
00:52:52:578 3064 SymDS (56890bf9d9204b93042089d4b45ae671) C:\WINDOWS\system32\drivers\NIS\1107000.00C\SYMDS.SYS
00:52:52:718 3064 SymEFA (1c91df5188150510a6f0cf78f7d94b69) C:\WINDOWS\system32\drivers\NIS\1107000.00C\SYMEFA.SYS
00:52:52:890 3064 SymEvent (961b48b86f94d4cc8ceb483f8aa89374) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
00:52:53:171 3064 SymIRON (dc80fbf0a348e54853ef82eed4e11e35) C:\WINDOWS\system32\drivers\NIS\1107000.00C\Ironx86.SYS
00:52:53:578 3064 SYMTDI (41aad61f87ca8e3b5d0f7fe7fba0797d) C:\WINDOWS\System32\Drivers\NIS\1107000.00C\SYMTDI.SYS
00:52:53:750 3064 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
00:52:53:843 3064 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
00:52:53:953 3064 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
00:52:54:031 3064 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
00:52:54:140 3064 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
00:52:54:234 3064 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
00:52:54:359 3064 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
00:52:54:468 3064 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
00:52:54:562 3064 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
00:52:54:640 3064 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
00:52:54:734 3064 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
00:52:54:843 3064 usbstor (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
00:52:54:921 3064 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
00:52:55:078 3064 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
00:52:55:187 3064 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
00:52:55:281 3064 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
00:52:55:390 3064 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
00:52:55:484 3064 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
00:52:55:578 3064 WudfPf (6ff66513d372d479ef1810223c8d20ce) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
00:52:55:656 3064 WudfRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
00:52:55:671 3064 Reboot required for cure complete..
00:52:56:484 3064 Cure on reboot scheduled successfully
00:52:56:484 3064
00:52:56:484 3064 Completed
00:52:56:484 3064
00:52:56:484 3064 Results:
00:52:56:484 3064 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
00:52:56:484 3064 File objects infected / cured / cured on reboot: 1 / 0 / 1
00:52:56:484 3064
00:52:56:640 3064 KLMD(ARK) unloaded successfully



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4259

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

30/06/2010 01:16:46
mbam-log-2010-06-30 (01-16-46).txt

Scan type: Quick scan
Objects scanned: 133978
Time elapsed: 8 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\END (Trojan.FakeAlert) -> Quarantined and deleted successfully.
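The TDSSKiller log above is the interesting one: for intelppm.sys the tool reports two different MD5s for the same path, labelled "Real" and "Fake". One file producing two hashes means its bytes depend on how they are read, which is the signature of a rootkit hooking disk I/O; it is also why hashing the driver or checking its signature from the running system looks clean. As an added example for this thread (not code from TDSSKiller, Malwarebytes or either poster), the Python below parses the line shapes that occur in the posted log, pulls out the forged-file and infection entries, and reports from the Results block whether a cure is still pending on reboot. SAMPLE_LOG is copied from the log above so the script runs offline; ScanReport, the function names and the reading of "Real" as the on-disk content and "Fake" as the content handed back through the hooked read path are my own.

```python
"""Pull the security-relevant entries out of a TDSSKiller driver-scan log.

Added example for this thread; not part of TDSSKiller and not code posted
by either participant. SAMPLE_LOG is copied from the log posted above so
the script runs offline; ScanReport and the function names are my own.
"""
import re
from dataclasses import dataclass, field

# Lines copied from the posted log: an ordinary driver entry, the forged
# intelppm.sys entry, the cure lines that follow it, and the Results block.
SAMPLE_LOG = r"""
00:52:39:812 3064 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
00:52:39:890 3064 intelppm (853d8160b62483df25e36779ed6e7e14) C:\WINDOWS\system32\DRIVERS\intelppm.sys
00:52:39:890 3064 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\intelppm.sys. Real md5: 853d8160b62483df25e36779ed6e7e14, Fake md5: 279fb78702454dff2bb445f238c048d2
00:52:39:890 3064 File "C:\WINDOWS\system32\DRIVERS\intelppm.sys" infected by TDSS rootkit ...
00:52:42:671 3064 Backup copy found, using it..
00:52:42:859 3064 will be cured on next reboot
00:52:42:953 3064 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys
00:52:56:484 3064 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
00:52:56:484 3064 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# Every line starts with "hh:mm:ss:ms <pid>"; the tail takes one of four shapes.
_PREFIX = r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+"
DRIVER_RE = re.compile(_PREFIX + r"(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$")
FORGED_RE = re.compile(_PREFIX + r"Suspicious file \(Forged\): (?P<path>.+?)\. "
                       r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})")
INFECTED_RE = re.compile(_PREFIX + r'File "(?P<path>.+?)" infected by TDSS rootkit')
RESULT_RE = re.compile(_PREFIX + r"(?P<kind>Registry|File) objects infected / cured / "
                       r"cured on reboot: (?P<infected>\d+) / (?P<cured>\d+) / (?P<reboot>\d+)")


@dataclass
class ScanReport:
    drivers: dict = field(default_factory=dict)   # name -> (md5, path) as listed by the scan
    forged: list = field(default_factory=list)    # (path, real_md5, fake_md5)
    infected: list = field(default_factory=list)  # paths TDSSKiller marked as infected
    results: dict = field(default_factory=dict)   # "Registry"/"File" -> (infected, cured, cured_on_reboot)


def parse_tdsskiller_log(text):
    """Classify each log line; line shapes we do not know are ignored."""
    report = ScanReport()
    for raw in text.splitlines():
        line = raw.strip()
        if m := FORGED_RE.match(line):
            report.forged.append((m["path"], m["real"], m["fake"]))
        elif m := INFECTED_RE.match(line):
            report.infected.append(m["path"])
        elif m := RESULT_RE.match(line):
            report.results[m["kind"]] = (int(m["infected"]), int(m["cured"]), int(m["reboot"]))
        elif m := DRIVER_RE.match(line):
            report.drivers[m["name"]] = (m["md5"], m["path"])
    return report


def forged_findings(report):
    """One finding per forged file.

    Two MD5s for one path mean the bytes differ between an ordinary file read
    and the lower-level read TDSSKiller performs: a hook in the disk I/O path,
    not a corrupt file. The driver listing's own hash tells you which view the
    scan saw (in the posted log it matches the "Real", on-disk hash).
    """
    by_path = {path.lower(): md5 for md5, path in report.drivers.values()}
    findings = []
    for path, real, fake in report.forged:
        listed = by_path.get(path.lower())
        which = ("the on-disk one" if listed == real else
                 "the presented one" if listed == fake else "not in the driver list")
        findings.append(f"FORGED {path}: on-disk md5 {real} != presented md5 {fake}; "
                        f"the hash in the driver listing is {which}")
    return findings


def cure_status(report):
    """Roll the Results block up into what still needs doing."""
    rows = list(report.results.values())
    infected = sum(r[0] for r in rows)
    cured = sum(r[1] for r in rows)
    on_reboot = sum(r[2] for r in rows)
    return {
        "infected": infected,
        "cured": cured,
        "cured_on_reboot": on_reboot,
        "uncured": infected - cured - on_reboot,   # anything here needs another tool
        "reboot_required": on_reboot > 0,
    }


if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    for finding in forged_findings(rep):
        print(finding)
    print(cure_status(rep))
```

Run against the full TDSSKiller.txt rather than the embedded sample to get the same summary for a real scan; a non-zero "uncured" count, or a reboot that does not clear the "cured on reboot" entry on the next run, is the cue that the rootkit survived and something else is still hooking the disk.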

#4 boopme (Global Moderator, NJ USA, 73,490 posts)

Posted 29 June 2010 - 07:28 PM

OK, things should be much better already.

You had a backdoor Bot... This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.


Next run ATF and SAS. If you cannot access Safe Mode, run in normal mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox or Opera browser, click that browser at the top and choose: Select All, then click the Empty Selected button.
  • If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.



Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select FULL scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.

#5 CrosbyMike (Topic Starter, Members, 5 posts)

Posted 29 June 2010 - 09:14 PM

Hi, A quick update from my laptop.
I took your advice and am changing my passwords.
I'm currently running SAS in safe mode and a number of threats have been flagged.
They are mostly adware cookies but it has also detected Trojan.Media-Codec.

I thought I might get these scans finished tonight, but the SAS isn't running too fast, well not for the number of files I've got anyway :-(

Thanks for your help.

Mike

Edited by CrosbyMike, 29 June 2010 - 09:19 PM.


#6 boopme (To Insanity and Beyond; Global Moderator, 73,490 posts, NJ USA)

Posted 29 June 2010 - 09:25 PM

Good.. There are no shortcuts in malware removal. Best to have everything else off while running scans.

Trojan.Media-Codec is a downloader trojan that often drops more threats into an infected computer and executes them. This trojan typically uses deceptive tactics, like pretending to be a codec for Windows Media Player in order for the user to install it. Spotted on adult material sites, but also spotted using advanced search engine spamming.

Drops rogue anti-spyware programs.

#7 CrosbyMike (Topic Starter, Members, 5 posts)

Posted 30 June 2010 - 03:52 PM

Hi Boopme,
Here are the SAS and MBAM logs:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/30/2010 at 06:57 AM

Application Version : 4.39.1002

Core Rules Database Version : 5135
Trace Rules Database Version: 2947

Scan type : Complete Scan
Total Scan Time : 04:59:50

Memory items scanned : 221
Memory threats detected : 0
Registry items scanned : 7004
Registry threats detected : 1
File items scanned : 101580
File threats detected : 80

Trojan.Media-Codec
HKU\S-1-5-21-115704740-4102039269-357893306-1005\Software\Internet Security

Adware.Flash Tracking Cookie
C:\Documents and Settings\Mike\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\6EJPKPBG\BROADCAST.PIXIMEDIA.FR
C:\Documents and Settings\Mike\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\6EJPKPBG\ELECTRIC.VIRGINMEDIA.COM
C:\Documents and Settings\Mike\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\6EJPKPBG\IA.MEDIA-IMDB.COM
C:\Documents and Settings\Mike\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\6EJPKPBG\MEDIA.ENTERTONEMENT.COM
C:\Documents and Settings\Mike\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\6EJPKPBG\ADSERVER.BEGGARSPROMO.COM
C:\Documents and Settings\Mike\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\6EJPKPBG\S0.2MDN.NET
C:\Documents and Settings\Mike\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\6EJPKPBG\SECURE-US.IMRWORLDWIDE.COM

Adware.Tracking Cookie
adserver.beggarspromo.com [ C:\Documents and Settings\Mike\Application Data\Macromedia\Flash Player\#SharedObjects\6EJPKPBG ]
broadcast.piximedia.fr [ C:\Documents and Settings\Mike\Application Data\Macromedia\Flash Player\#SharedObjects\6EJPKPBG ]
cdn5.specificclick.net [ C:\Documents and Settings\Mike\Application Data\Macromedia\Flash Player\#SharedObjects\6EJPKPBG ]
electric.virginmedia.com [ C:\Documents and Settings\Mike\Application Data\Macromedia\Flash Player\#SharedObjects\6EJPKPBG ]
ia.media-imdb.com [ C:\Documents and Settings\Mike\Application Data\Macromedia\Flash Player\#SharedObjects\6EJPKPBG ]
media.azfamily.com [ C:\Documents and Settings\Mike\Application Data\Macromedia\Flash Player\#SharedObjects\6EJPKPBG ]
media.entertonement.com [ C:\Documents and Settings\Mike\Application Data\Macromedia\Flash Player\#SharedObjects\6EJPKPBG ]
media.mtvnservices.com [ C:\Documents and Settings\Mike\Application Data\Macromedia\Flash Player\#SharedObjects\6EJPKPBG ]
media01.kyte.tv [ C:\Documents and Settings\Mike\Application Data\Macromedia\Flash Player\#SharedObjects\6EJPKPBG ]
s0.2mdn.net [ C:\Documents and Settings\Mike\Application Data\Macromedia\Flash Player\#SharedObjects\6EJPKPBG ]
secure-us.imrworldwide.com [ C:\Documents and Settings\Mike\Application Data\Macromedia\Flash Player\#SharedObjects\6EJPKPBG ]
.adserver.zylom.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.adserver.zylom.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.adserver.zylom.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.adcentriconline.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
stats.eonenergy.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.mediaconverter.org [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
uk.sitestat.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
adserver.zylom.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.stats.paypal.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.stats.canalblog.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
metroleap.rotator.hadj7.adjuggler.net [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
metroleap.rotator.hadj7.adjuggler.net [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.eyewonder.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
w00tpublishers.wootmedia.net [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
publishers.w00tmedia.net [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.imrworldwide.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.imrworldwide.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
handpickedmedia.co.uk [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
www.virginmedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
www.virginmedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.virginmedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
www.virginmedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
www.virginmedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.www.virginmedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.www.virginmedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.virginmedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.virginmedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
in.getclicky.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.advancedsearch.virginmedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.advancedsearch.virginmedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
advancedsearch.virginmedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
advancedsearch.virginmedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.virginmedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.virginmedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.latestnews.virginmedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.latestnews.virginmedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
latestnews.virginmedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
latestnews.virginmedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.latestnews.virginmedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.latestnews.virginmedia.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
.adxpose.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\b6mwwjvr.default\cookies.sqlite ]
media.heavy.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\YTLQPX7V ]
s0.2mdn.net [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\YTLQPX7V ]

Adware.Casino Games (Golden Palace Casino)
C:\POKER\BLUESQUARE POKER\CASINO.EXE

Adware.GloboLook
C:\TCWIN45\EXAMPLES\OWL\GAMES\BLAKJACK\BLAKJACK.ICO

Adware.Vundo/Variant-X32[Header]
C:\UTILITIES\GRAPHICWORKSHOP\GIF32.DLL
C:\UTILITIES\GRAPHICWORKSHOP\SPIN32.DLL
C:\UTILITIES\GRAPHICWORKSHOP\TIFLIB32.DLL
D:\K_GATEWAY\GRAPHICWORKSHOP\GIF32.DLL
D:\K_GATEWAY\GRAPHICWORKSHOP\SPIN32.DLL
D:\K_GATEWAY\GRAPHICWORKSHOP\TIFLIB32.DLL

Trojan.Agent/Gen-Krpytik
C:\UTILITIES\GRAPHICWORKSHOP\JPG32.DLL
C:\UTILITIES\GRAPHICWORKSHOP\PNGLIB32.DLL
D:\K_GATEWAY\GRAPHICWORKSHOP\JPG32.DLL
D:\K_GATEWAY\GRAPHICWORKSHOP\PNGLIB32.DLL



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4260

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

30/06/2010 08:39:30
mbam-log-2010-06-30 (08-39-30).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 227257
Time elapsed: 1 hour(s), 20 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Mike\My Documents\SetupPoker.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Poker\BlueSquare Poker\_SetupPoker.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Everything appears to be OK.
Not had any more problems since the clean up.

I am setting up a restore point and await your response.

thanks Mike
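
A triage pass over logs like the two above, as an added example (it is not part of the thread and not SUPERAntiSpyware's or Malwarebytes' own tooling). The log text embedded in it is a constructed, abbreviated excerpt modelled on the posted logs, and the signature-name patterns it treats as heuristic ([Header], /Gen-, Generic, Heur) are an assumption about vendor naming conventions, not a documented rule. It separates tracking cookies (noise) from registry traces and file hits, and lists the file hits that came from generic signatures so they can be hashed and checked with a second opinion before anything sitting in a legitimate-looking program directory is deleted.

```python
"""Triage helper for SUPERAntiSpyware and Malwarebytes (MBAM 1.x) text logs.

Added example, not part of the forum thread. Splits detections into
tracking cookies, registry traces and file hits, and flags heuristic or
generic signatures that deserve a second opinion before a file is deleted.
"""
import hashlib
import re
from collections import Counter, defaultdict
from pathlib import Path

# Constructed, abbreviated sample modelled on the SAS log posted above.
SAS_LOG = """SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/30/2010 at 06:57 AM

Scan type : Complete Scan
Total Scan Time : 04:59:50

Trojan.Media-Codec
HKU\\S-1-5-21-115704740-4102039269-357893306-1005\\Software\\Internet Security

Adware.Tracking Cookie
adserver.beggarspromo.com [ C:\\Documents and Settings\\Mike\\Application Data\\Macromedia\\Flash Player\\#SharedObjects\\6EJPKPBG ]
.invitemedia.com [ C:\\Documents and Settings\\Mike\\Application Data\\Mozilla\\Firefox\\Profiles\\b6mwwjvr.default\\cookies.sqlite ]

Adware.Vundo/Variant-X32[Header]
C:\\UTILITIES\\GRAPHICWORKSHOP\\GIF32.DLL
D:\\K_GATEWAY\\GRAPHICWORKSHOP\\GIF32.DLL

Trojan.Agent/Gen-Krpytik
C:\\UTILITIES\\GRAPHICWORKSHOP\\JPG32.DLL
"""

# Constructed, abbreviated sample modelled on the MBAM log posted above.
MBAM_LOG = """Malwarebytes' Anti-Malware 1.46
Database version: 4260

Files Infected:
C:\\Documents and Settings\\Mike\\My Documents\\SetupPoker.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\\Poker\\BlueSquare Poker\\_SetupPoker.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# An item line in a SAS block: registry key, drive path, or "domain [ store ]".
SAS_ITEM_RE = re.compile(r"^(?:HK[A-Z]{1,3}\\|[A-Za-z]:\\|\S+ \[ .+ \]$)")
# Assumed markers of heuristic/generic (rather than exact) signature names.
HEURISTIC_RE = re.compile(r"\[Header\]|/Gen-|Generic|Heur", re.IGNORECASE)
MBAM_ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^)]+)\) -> (?P<action>.+)$")


def parse_sas(text):
    """Return {signature: [item, ...]} from a SUPERAntiSpyware scan log."""
    found = defaultdict(list)
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        # A detection block is a signature name followed only by item lines;
        # header blocks such as "Scan type : ..." fail this test and are skipped.
        if len(lines) >= 2 and all(SAS_ITEM_RE.match(ln) for ln in lines[1:]):
            found[lines[0]].extend(lines[1:])
    return dict(found)


def parse_mbam(text):
    """Return [(section, path, threat, action)] from an MBAM 1.x log."""
    hits, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":"):
            section = line[:-1]
            continue
        m = MBAM_ITEM_RE.match(line) if section else None
        if m:
            hits.append((section, m["path"], m["threat"], m["action"]))
    return hits


def classify(signature, item):
    """Bucket a SAS hit: tracking cookie, registry trace, or file on disk."""
    if "Tracking Cookie" in signature:
        return "cookie"
    if item.startswith("HK"):
        return "registry"
    return "file"


def triage(sas_text, mbam_text):
    """Summarise both logs: counts per kind plus the hits worth a second look."""
    counts = Counter()
    second_opinion = []  # heuristic file hits: hash and verify before trusting
    for sig, items in parse_sas(sas_text).items():
        for item in items:
            kind = classify(sig, item)
            counts[kind] += 1
            if kind == "file" and HEURISTIC_RE.search(sig):
                second_opinion.append((sig, item))
    removed = [(p, t) for sec, p, t, a in parse_mbam(mbam_text)
               if sec == "Files Infected" and a.startswith("Quarantined")]
    return {"counts": dict(counts), "second_opinion": second_opinion,
            "mbam_removed": removed}


def sha256_file(path):
    """SHA-256 of a flagged file for a second-opinion lookup; None if it is gone."""
    p = Path(path)
    if not p.is_file():
        return None
    return hashlib.sha256(p.read_bytes()).hexdigest()


if __name__ == "__main__":
    report = triage(SAS_LOG, MBAM_LOG)
    print("SAS hits by kind:", report["counts"])
    for sig, item in report["second_opinion"]:
        print(f"verify before deleting: {item}  [{sig}]  sha256={sha256_file(item)}")
    for path, threat in report["mbam_removed"]:
        print(f"MBAM quarantined: {path} ({threat})")
```

Run as-is to see the summary for the embedded sample; on the affected machine, feed it the saved log files and point `sha256_file` at the flagged paths (it returns None once a file has already been quarantined or deleted). Cookie hits are counted but never listed for action, since they are not executable content.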

#8 boopme (To Insanity and Beyond; Global Moderator, 73,490 posts, NJ USA)

Posted 30 June 2010 - 07:35 PM

Mike it looks good!!

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

#9 CrosbyMike (Topic Starter, Members, 5 posts)

Posted 01 July 2010 - 06:08 PM

Well I think I'm sorted now, so all that remains is to say a big thank you for all your help. It is much appreciated.

I was going to ask about running these programs in the future, but I found your answers in another thread ( ringwood's ).

Cheers now,

Mike.

#10 boopme (To Insanity and Beyond; Global Moderator, 73,490 posts, NJ USA)

Posted 01 July 2010 - 08:05 PM

You're welcome. Have a great day.