Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with HTTP Tidserv Request


  • This topic is locked This topic is locked
23 replies to this topic

#1 one_2_go

one_2_go

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 10 July 2010 - 12:36 AM


DDS (Ver_10-03-17.01) - NTFSx86
Norton provides the following:

An intrusion attempt by 61.61.20.132 was blocked. Appliction path \DEVICE\HARDDISK\VOLUME2\WINDOWS\SYSTEM32\SVCHOST.EXE
Risk Name: HTTPS Tidserv Request2

I receive numerous warnings about blocking attacks from different IP addresses and referencing different application paths. All give the risk name as HTTPS Tidserv Request2.

I have provided the logs requested. I am not able to run GMER therefore the Ark.txt file is not uploaded. I have tried numerous times using separate IDs, in safe mode, not in safe mode but none work. Most of the time the scan just stops. Task manager shows CPU at 100%. I have let it sit for hours but the PC never responds again. A couple of times XP has shut down with the blue screen with the error PAGE_FAULT_IN_NONPAGED_AREA.


Run by Dad at 23:36:37.81 on Thu 07/08/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.376 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dad\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.8.0.41\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.8.0.41\coIEPlg.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [EPSON Stylus CX3800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146796655625
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.8.0.41\CoIEPlg.dll
Notify: w32style - w32style.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1008000.029\SymEFA.sys [2010-1-28 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1008000.029\BHDrvx86.sys [2010-1-28 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1008000.029\cchpx86.sys [2010-1-28 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100708.004\IDSXpx86.sys [2010-7-8 331640]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.8.0.41\ccSvcHst.exe [2010-1-28 117640]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-2 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100708.033\NAVENG.SYS [2010-7-8 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100708.033\NAVEX15.SYS [2010-7-8 1347504]
S0 rnedynnt;rnedynnt;c:\windows\system32\drivers\drflggf.sys --> c:\windows\system32\drivers\drflggf.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-5-4 189792]

=============== Created Last 30 ================

2010-07-09 03:33:32 0 ----a-w- c:\documents and settings\dad\defogger_reenable
2010-07-05 20:10:12 0 d-sh--w- c:\documents and settings\dad\PrivacIE
2010-07-05 20:05:55 0 d-sh--w- c:\documents and settings\dad\IETldCache
2010-07-05 19:46:28 0 dc-h--w- c:\windows\ie8
2010-07-05 19:41:09 0 d-----w- C:\5f245babf15be6b11a5a7a7155064e3d
2010-06-30 03:55:45 3249 ----a-w- c:\windows\system32\wbem\Outlook_01cb18081e17bece.mof
2010-06-24 02:43:23 0 d-----w- c:\docume~1\dad\applic~1\Malwarebytes
2010-06-24 02:43:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-24 02:43:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-24 02:43:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-24 02:43:05 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-07-06 03:19:48 6686 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-05-12 15:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 17:20:33 133120 ----a-w- c:\windows\system32\dllcache\extmgr.dll
2010-05-04 12:39:27 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2008-01-10 23:56:00 251 ----a-w- c:\program files\wt3d.ini
2010-02-24 15:41:31 104 --sh--r- c:\windows\system32\A21200AB7E.sys
2008-12-07 02:04:33 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120620081207\index.dat

============= FINISH: 23:38:25.21 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:44 AM

Posted 12 July 2010 - 06:59 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Tidserv stops Gmer so that is normal.

Please run Gmer with just the SECTIONS option checked. Don't worry if this doesn't work, we know what we're going after.
Posted Image
m0le is a proud member of UNITE

#3 one_2_go

one_2_go
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 12 July 2010 - 10:20 PM

M0le,

I got your message. I am here and ready to get started. I will run GMER with only SECTIONS option checked.

#4 one_2_go

one_2_go
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 12 July 2010 - 10:56 PM

Uploaded ark.txt from GMER run with only SECTIONS option selected.

Attached Files

  • Attached File  ark.txt   147.05KB   6 downloads


#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:44 AM

Posted 13 July 2010 - 04:59 PM

Looks like an older variant. That's good if it is.

Please run Combofix

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image
m0le is a proud member of UNITE

#6 one_2_go

one_2_go
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 13 July 2010 - 07:38 PM

Ran combofix. Log attached.

Attached Files



#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:44 AM

Posted 13 July 2010 - 07:46 PM

Combofix has removed the rootkit and the rogue so that's nice. tongue.gif

Please rerun Combofix, to do a bit more cleaning up, as below.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

QUOTE
File::
c:\windows\system32\drivers\drflggf.sys

RegLock::
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

Driver::
rnedynnt


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Posted Image
m0le is a proud member of UNITE

#8 one_2_go

one_2_go
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 13 July 2010 - 09:05 PM

Ran combofix again with CFScript input. Log attached.

Attached Files



#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:44 AM

Posted 14 July 2010 - 04:13 PM

The new log shows another rootkit infection dealt with which is strange.

It looks clean now but I want to see how it runs for a day or so.

Please visit ESET and scan with their online scan

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

After posting please observe the system and let me know how it is running?
Posted Image
m0le is a proud member of UNITE

#10 one_2_go

one_2_go
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 15 July 2010 - 10:06 PM

Ran ESET online scan. No issues found. No log produced. I left it running over night and it ran to completion but the PC was completely locked up - even the clock was frozen (first time I have seen that).

A couple of points:

The original issue with attacks being detected by Norton went away after the first Combofix run and have not returned.

After the second run of Combofix Norton began to detect another virus, not external attacks, but a virus on the PC called Backdoor.Tidserv!inf

Norton can not remove the virus but says it must be manually removed.

One more point - I will not have access to the infected PC for about a week after this post. Norton instructions follow - I have done none of this:

Restore system files using Windows Recovery Console.
Disable System Restore (Windows Me/XP).
Update the virus definitions.
Run a full system scan.

For specific details on each of these steps, read the following instructions.

1. Restore system files using Windows Recovery Console.
Since this threat modifies or replaces system files, it is necessary to recover the affected files using the Windows Recovery Console. To do this it is necessary to restart the computer and run the Windows Recovery Console. For full details on how to do this please read the Microsoft Knowledge Base article, How to install and use the Recovery Console in Windows XP.

Insert the Windows XP CD-ROM into the CD-ROM drive.
Restart the computer from the CD-ROM drive.
Press R to start the Recovery Console when the "Welcome to Setup" screen appears.
Select the installation that you want to access from the Recovery Console.
Enter the administrator password and press Enter.
Type the following commands and press Enter after each command:


cd %System% [DLL FILES]

or


cd %System%\dllcache [DLL FILES]

or


cd %System%\drivers [SYS FILES]

then


expand [CD/DVD DRIVE]:\i386\[DETECTED FILE NAME].[dl or sy]_

For example:
cd c:\windows\system32\drivers
expand d:\i386\atapi.sy_


Repeat the above step for each SYS or DLL file affected.

Type exit.
Press Enter. The computer will now restart automatically

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:44 AM

Posted 16 July 2010 - 06:04 PM

We will put this topic on ice for a week. Post a quick "hello" when you have access to the PC again smile.gif
Posted Image
m0le is a proud member of UNITE

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:44 AM

Posted 24 July 2010 - 07:28 PM

Are you still there?
Posted Image
m0le is a proud member of UNITE

#13 one_2_go

one_2_go
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 26 July 2010 - 09:24 PM

Yes - I am back.

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:44 AM

Posted 27 July 2010 - 04:20 PM

Two tools to check what it is that's in the machine

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


Then

Please download MBRCheck to your desktop.

http://ad13.geekstogo.com/MBRCheck.exe

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
Posted Image
m0le is a proud member of UNITE

#15 one_2_go

one_2_go
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 27 July 2010 - 08:34 PM

TDSSKiller found no malicious object. The Report follows. MBRcheck log follows this one.

2010/07/27 21:25:39.0108 TDSS rootkit removing tool 2.4.0.0 Jul 22 2010 16:09:49
2010/07/27 21:25:39.0108 ================================================================================
2010/07/27 21:25:39.0108 SystemInfo:
2010/07/27 21:25:39.0108
2010/07/27 21:25:39.0108 OS Version: 5.1.2600 ServicePack: 3.0
2010/07/27 21:25:39.0108 Product type: Workstation
2010/07/27 21:25:39.0108 ComputerName: DELL-E510
2010/07/27 21:25:39.0108 UserName: Dad
2010/07/27 21:25:39.0108 Windows directory: C:\WINDOWS
2010/07/27 21:25:39.0108 System windows directory: C:\WINDOWS
2010/07/27 21:25:39.0108 Processor architecture: Intel x86
2010/07/27 21:25:39.0108 Number of processors: 2
2010/07/27 21:25:39.0108 Page size: 0x1000
2010/07/27 21:25:39.0108 Boot type: Normal boot
2010/07/27 21:25:39.0108 ================================================================================
2010/07/27 21:25:41.0624 Initialize success
2010/07/27 21:25:50.0843 ================================================================================
2010/07/27 21:25:50.0843 Scan started
2010/07/27 21:25:50.0843 Mode: Manual;
2010/07/27 21:25:50.0843 ================================================================================
2010/07/27 21:25:51.0202 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2010/07/27 21:25:51.0280 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/07/27 21:25:51.0374 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/07/27 21:25:51.0436 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2010/07/27 21:25:51.0483 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/07/27 21:25:51.0546 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/07/27 21:25:51.0593 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/07/27 21:25:51.0640 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2010/07/27 21:25:51.0640 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2010/07/27 21:25:51.0655 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2010/07/27 21:25:51.0686 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2010/07/27 21:25:51.0702 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2010/07/27 21:25:51.0702 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2010/07/27 21:25:51.0733 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2010/07/27 21:25:51.0765 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2010/07/27 21:25:51.0780 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2010/07/27 21:25:51.0780 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2010/07/27 21:25:51.0796 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2010/07/27 21:25:51.0827 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
2010/07/27 21:25:51.0890 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/07/27 21:25:51.0952 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/07/27 21:25:52.0015 ati2mtag (03621f7f968ff63713943405deb777f9) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/07/27 21:25:52.0077 ATIAVPCI (b27fec21c1125bab7d3c8cdf872e627b) C:\WINDOWS\system32\DRIVERS\atinavrr.sys
2010/07/27 21:25:52.0108 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/07/27 21:25:52.0155 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/07/27 21:25:52.0218 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/07/27 21:25:52.0296 BHDrvx86 (76154fa6a742c613b44bb636b1a7c057) C:\WINDOWS\System32\Drivers\NIS\1008000.029\BHDrvx86.sys
2010/07/27 21:25:52.0358 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2010/07/27 21:25:52.0390 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/07/27 21:25:52.0421 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/07/27 21:25:52.0483 ccHP (8973ff34b83572d867b5b928905ad5ac) C:\WINDOWS\System32\Drivers\NIS\1008000.029\ccHPx86.sys
2010/07/27 21:25:52.0577 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2010/07/27 21:25:52.0608 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/07/27 21:25:52.0671 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/07/27 21:25:52.0733 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/07/27 21:25:52.0780 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2010/07/27 21:25:52.0811 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2010/07/27 21:25:52.0858 ctac32k (8a9c65ce4fe6e8cb24ce06ba28d951a0) C:\WINDOWS\system32\drivers\ctac32k.sys
2010/07/27 21:25:52.0921 ctaud2k (47236971dfb3e03690b98e41665d0924) C:\WINDOWS\system32\drivers\ctaud2k.sys
2010/07/27 21:25:52.0983 ctdvda2k (5a0eeb00b02fc78605aa9d3590b24978) C:\WINDOWS\system32\drivers\ctdvda2k.sys
2010/07/27 21:25:57.0061 ctprxy2k (2381cf056c15271f6b8dab50ff82cf3a) C:\WINDOWS\system32\drivers\ctprxy2k.sys
2010/07/27 21:25:57.0155 ctsfm2k (da1c530de86c85a701138b30fb145af3) C:\WINDOWS\system32\drivers\ctsfm2k.sys
2010/07/27 21:25:57.0202 CVirtA (cb7d7c0e74adcb7da96d08ec8db86062) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
2010/07/27 21:25:57.0296 CVPNDRVA (992b8e263f30109967c15f7b464ccb05) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
2010/07/27 21:25:57.0374 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2010/07/27 21:25:57.0421 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2010/07/27 21:25:57.0468 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/07/27 21:25:57.0577 DLABOIOM (e2d0de31442390c35e3163c87cb6a9eb) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
2010/07/27 21:25:57.0640 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
2010/07/27 21:25:57.0671 DLADResN (83545593e297f50a8e2524b4c071a153) C:\WINDOWS\system32\DLA\DLADResN.SYS
2010/07/27 21:25:57.0702 DLAIFS_M (96e01d901cdc98c7817155cc057001bf) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
2010/07/27 21:25:57.0733 DLAOPIOM (0a60a39cc5e767980a31ca5d7238dfa9) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
2010/07/27 21:25:57.0749 DLAPoolM (9fe2b72558fc808357f427fd83314375) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
2010/07/27 21:25:57.0796 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
2010/07/27 21:25:57.0843 DLAUDFAM (f08e1dafac457893399e03430a6a1397) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
2010/07/27 21:25:57.0874 DLAUDF_M (e7d105ed1e694449d444a9933df8e060) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
2010/07/27 21:25:57.0952 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/07/27 21:25:58.0030 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/07/27 21:25:58.0093 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/07/27 21:25:58.0171 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/07/27 21:25:58.0218 DNE (c86fbf607445bf693450d84b775f168c) C:\WINDOWS\system32\DRIVERS\dne2000.sys
2010/07/27 21:25:58.0296 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2010/07/27 21:25:58.0311 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/07/27 21:25:58.0374 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
2010/07/27 21:25:58.0452 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
2010/07/27 21:25:58.0561 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
2010/07/27 21:25:58.0624 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
2010/07/27 21:25:58.0686 E100B (95974e66d3de4951d29e28e8bc0b644c) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/07/27 21:25:58.0780 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2010/07/27 21:25:58.0843 emupia (661cf27263f3e0b553be050a42d357db) C:\WINDOWS\system32\drivers\emupia2k.sys
2010/07/27 21:25:58.0890 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2010/07/27 21:25:58.0968 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/07/27 21:25:58.0999 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/07/27 21:25:59.0046 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/07/27 21:25:59.0093 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/07/27 21:25:59.0140 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/07/27 21:25:59.0171 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/07/27 21:25:59.0218 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/07/27 21:25:59.0296 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/07/27 21:25:59.0358 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/07/27 21:25:59.0452 ha20x2k (862d4185d43128fef7818711f8f30436) C:\WINDOWS\system32\drivers\ha20x2k.sys
2010/07/27 21:25:59.0515 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/07/27 21:25:59.0561 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2010/07/27 21:25:59.0608 HSFHWBS2 (77e4ff0b73bc0aeaaf39bf0c8104231f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
2010/07/27 21:25:59.0702 HSF_DP (60e1604729a15ef4a3b05f298427b3b1) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2010/07/27 21:25:59.0765 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/07/27 21:25:59.0811 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/07/27 21:25:59.0874 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2010/07/27 21:25:59.0936 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/07/27 21:26:00.0202 IDSxpx86 (231c3f6d5c520e99924e1e37401a90c4) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100723.001\IDSxpx86.sys
2010/07/27 21:26:00.0343 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/07/27 21:26:00.0436 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2010/07/27 21:26:00.0499 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/07/27 21:26:00.0546 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/07/27 21:26:00.0593 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/07/27 21:26:00.0640 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/07/27 21:26:00.0686 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/07/27 21:26:00.0749 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/07/27 21:26:00.0843 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/07/27 21:26:00.0921 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/07/27 21:26:00.0952 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/07/27 21:26:01.0015 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/07/27 21:26:01.0030 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/07/27 21:26:01.0093 klmd24 (6485ad0a17a0d6286b4d44c652adabb2) C:\WINDOWS\system32\drivers\klmd.sys
2010/07/27 21:26:01.0140 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/07/27 21:26:01.0171 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/07/27 21:26:01.0233 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/07/27 21:26:01.0280 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
2010/07/27 21:26:01.0311 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/07/27 21:26:01.0343 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/07/27 21:26:01.0405 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2010/07/27 21:26:01.0452 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/07/27 21:26:01.0499 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/07/27 21:26:01.0561 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/07/27 21:26:01.0608 MPE (c0f8e0c2c3c0437cf37c6781896dc3ec) C:\WINDOWS\system32\DRIVERS\MPE.sys
2010/07/27 21:26:01.0640 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2010/07/27 21:26:01.0702 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/07/27 21:26:01.0780 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/07/27 21:26:01.0811 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/07/27 21:26:01.0890 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/07/27 21:26:01.0921 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/07/27 21:26:01.0999 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/07/27 21:26:02.0061 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/07/27 21:26:02.0124 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/07/27 21:26:02.0171 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/07/27 21:26:02.0233 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/07/27 21:26:02.0436 NAVENG (0953bb24c1e70a99c315f44f15993c17) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100727.032\NAVENG.SYS
2010/07/27 21:26:02.0546 NAVEX15 (3ddb0bef60b65df6b110c23e17cd67dc) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100727.032\NAVEX15.SYS
2010/07/27 21:26:02.0686 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/07/27 21:26:02.0765 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/07/27 21:26:02.0827 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/07/27 21:26:02.0843 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/07/27 21:26:02.0890 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/07/27 21:26:02.0936 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/07/27 21:26:02.0983 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/07/27 21:26:03.0030 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/07/27 21:26:03.0140 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/07/27 21:26:03.0171 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/07/27 21:26:03.0233 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/07/27 21:26:03.0343 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/07/27 21:26:03.0405 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/07/27 21:26:03.0436 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/07/27 21:26:03.0468 ossrv (99f877a7bb6feb5af1184eafe937c208) C:\WINDOWS\system32\drivers\ctoss2k.sys
2010/07/27 21:26:03.0515 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/07/27 21:26:03.0561 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/07/27 21:26:03.0624 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/07/27 21:26:03.0655 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/07/27 21:26:03.0686 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/07/27 21:26:03.0765 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/07/27 21:26:03.0827 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2010/07/27 21:26:03.0858 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2010/07/27 21:26:03.0921 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/07/27 21:26:03.0968 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/07/27 21:26:04.0015 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/07/27 21:26:04.0093 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/07/27 21:26:04.0155 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2010/07/27 21:26:04.0186 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2010/07/27 21:26:04.0218 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2010/07/27 21:26:04.0249 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2010/07/27 21:26:04.0280 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2010/07/27 21:26:04.0343 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/07/27 21:26:04.0421 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/07/27 21:26:04.0452 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/07/27 21:26:04.0483 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/07/27 21:26:04.0515 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/07/27 21:26:04.0593 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/07/27 21:26:04.0640 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/07/27 21:26:04.0718 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/07/27 21:26:04.0749 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/07/27 21:26:04.0827 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/07/27 21:26:04.0921 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/07/27 21:26:04.0983 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/07/27 21:26:05.0030 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2010/07/27 21:26:05.0077 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2010/07/27 21:26:05.0124 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/07/27 21:26:05.0140 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2010/07/27 21:26:05.0171 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/07/27 21:26:05.0233 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/07/27 21:26:05.0327 SRTSP (e81f6caeab9ad5732e94c07c97866aa2) C:\WINDOWS\System32\Drivers\NIS\1008000.029\SRTSP.SYS
2010/07/27 21:26:05.0390 SRTSPX (e28de499d942b08058bffac69d4122b6) C:\WINDOWS\system32\drivers\NIS\1008000.029\SRTSPX.SYS
2010/07/27 21:26:05.0468 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/07/27 21:26:05.0515 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/07/27 21:26:05.0561 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/07/27 21:26:05.0577 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/07/27 21:26:05.0640 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2010/07/27 21:26:05.0671 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2010/07/27 21:26:05.0749 SymEFA (d0885f6e24259a6c65e68d6ad749910a) C:\WINDOWS\system32\drivers\NIS\1008000.029\SYMEFA.SYS
2010/07/27 21:26:05.0811 SymEvent (a54ff04bd6e75dc4d8cb6f3e352635e0) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2010/07/27 21:26:05.0874 SYMFW (1e825026436c4eac3e1a11d1e9c33f2c) C:\WINDOWS\System32\Drivers\NIS\1008000.029\SYMFW.SYS
2010/07/27 21:26:05.0936 SYMIDS (7a20b7d774ef0f16cf81b898bfeca772) C:\WINDOWS\System32\Drivers\NIS\1008000.029\SYMIDS.SYS
2010/07/27 21:26:06.0015 SymIM (c6db9f873b09c63f5cb1de10c08bf6f9) C:\WINDOWS\system32\DRIVERS\SymIM.sys
2010/07/27 21:26:06.0061 SymIMMP (c6db9f873b09c63f5cb1de10c08bf6f9) C:\WINDOWS\system32\DRIVERS\SymIM.sys
2010/07/27 21:26:06.0093 SYMNDIS (5ab7d00ea6b7a6fcd5067c632ec6f039) C:\WINDOWS\System32\Drivers\NIS\1008000.029\SYMNDIS.SYS
2010/07/27 21:26:06.0155 SYMTDI (e4fa8bbb96e314e9508865de1a767538) C:\WINDOWS\System32\Drivers\NIS\1008000.029\SYMTDI.SYS
2010/07/27 21:26:06.0218 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2010/07/27 21:26:06.0249 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/07/27 21:26:06.0296 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/07/27 21:26:06.0390 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/07/27 21:26:06.0436 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/07/27 21:26:06.0483 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/07/27 21:26:06.0530 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/07/27 21:26:06.0608 tmcomm (df8444a8fa8fd38d8848bdd40a8403b3) C:\WINDOWS\system32\drivers\tmcomm.sys
2010/07/27 21:26:06.0671 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2010/07/27 21:26:06.0718 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/07/27 21:26:06.0765 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2010/07/27 21:26:06.0811 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/07/27 21:26:06.0874 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/07/27 21:26:06.0936 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/07/27 21:26:06.0968 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/07/27 21:26:07.0030 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/07/27 21:26:07.0077 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/07/27 21:26:07.0327 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/07/27 21:26:07.0577 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/07/27 21:26:07.0640 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/07/27 21:26:07.0765 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/07/27 21:26:07.0811 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2010/07/27 21:26:07.0890 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/07/27 21:26:07.0952 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/07/27 21:26:08.0030 vsdatant (d658e49302c382b88c8e9a08e20b2e82) C:\WINDOWS\system32\vsdatant.sys
2010/07/27 21:26:08.0186 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/07/27 21:26:08.0296 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/07/27 21:26:08.0374 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/07/27 21:26:08.0483 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/07/27 21:26:08.0530 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/07/27 21:26:08.0593 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/07/27 21:26:08.0624 ================================================================================
2010/07/27 21:26:08.0624 Scan finished
2010/07/27 21:26:08.0624 ================================================================================


The log from MBRcheck follows.

MBRCheck, version 1.1.1

© 2010, AD



\\.\C: --> \\.\PhysicalDrive0



Size Device Name MBR Status

--------------------------------------------

149 GB \\.\PhysicalDrive0 Unknown MBR code





Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:



Done! Press ENTER to exit...






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users