Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HTTPS Tidserv Request 2 infection


  • This topic is locked This topic is locked
17 replies to this topic

#1 Bullitt3463

Bullitt3463

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:59 PM

Posted 17 July 2010 - 01:33 AM

Over the last few days i have noticed notifications from Norton Anti-virus telling me that it is blocking recent attacks on my computer system. When looking at the Security History file I noticed a High Risk attack from "HTTPS Tidserv Request 2"

My systems has been booting up much slower than usuual. It has also been hanging when I try to restart, It seems even clicking icons on my desktop doesn't run the programs. I usually have to hold the power button to shutdown the machine.

Can anyone please help with this?

I've attached the HJT file, DDS logs and GMER log.

Thanks in advance.

Attached Files


Edited by Bullitt3463, 17 July 2010 - 06:34 PM.


BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:59 PM

Posted 23 July 2010 - 04:52 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#3 Bullitt3463

Bullitt3463
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:59 PM

Posted 23 July 2010 - 10:42 PM

I'm here and anxious to get started. Thanks for the help in adavnce.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:59 PM

Posted 24 July 2010 - 04:17 PM

Tidserv is TDSS. A nasty rootkit which is changing weekly and making it very difficult to catch.


Please run Combofix to try and grab it quickly.

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image
m0le is a proud member of UNITE

#5 Bullitt3463

Bullitt3463
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:59 PM

Posted 24 July 2010 - 05:56 PM

I just finished the ComboFix scan of my computer. See the Attached file.

Attached Files



#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:59 PM

Posted 26 July 2010 - 07:34 PM

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

QUOTE
Folder::
c:\documents and settings\Michael Desa\Local Settings\Application Data\jyhuhxtwf


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Posted Image
m0le is a proud member of UNITE

#7 Bullitt3463

Bullitt3463
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:59 PM

Posted 29 July 2010 - 01:49 AM

Finished up the comFix scan and here is the log file you requested.



I will be out on vacation from July 29th until August 1st. I should be able to reply to you on Aug 1st. I just wanted to let you know.

Thanks.

Attached Files



#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:59 PM

Posted 29 July 2010 - 03:15 PM

QUOTE(Bullitt3463 @ Jul 29 2010, 07:49 AM) View Post
I will be out on vacation from July 29th until August 1st. I should be able to reply to you on Aug 1st. I just wanted to let you know.


No problem. This is going well so you should be coming back to a finish up if all continues to go well.


Please run ATF which will clear up temp files, cookies, cache, etc.

Please download ATF Cleaner by Atribune.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main "Select Files to Delete" choose: Select All.
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

[color]NB: If you are using Firefox and this has caused page loading problems then please clear your private data. To do this go
to the Tools menu, select Clear Private Data, and then check Cache. Click Clear Private Data Now.

This could also be Clear Recent History or similar

Then close Firefox and then reopen it.[/color]


Now empty your Java cache

To Clear the Java Runtime Environment (JRE) cache, do this:
  • Click Start > Settings > Control Panel.
  • Double-click the Java icon. If you don't see it, go to Other options in the left panel or change to Classic View
    -The Java Control Panel appears.
  • Click "Settings" under Temporary Internet Files.
    -The Temporary Files Settings dialog box appears.
  • Click "Delete Files".
    -The Delete Temporary Files dialog box appears.
    -There are three options on this window to clear the cache.
    • Delete Files
    • Applications and applets
    • Trace and log files
  • Click "OK" on Delete Temporary Files window.
    -Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click "OK" on Temporary Files Settings window.
  • Close the Java Control Panel.
You can also view these instructions along with screenshots here.

Finally run the ESET online scan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
Posted Image
m0le is a proud member of UNITE

#9 Bullitt3463

Bullitt3463
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:59 PM

Posted 01 August 2010 - 11:58 PM

Thanks for your patience. I'm back and completed all three steps from your previous response.

I ran the ATF Cleaner successfully, I do not have a Java Runtime Env't on my computer. Couldn't find a folder for it in Control Panel, so I bypassed this step and went straight to the ESET Online Scanner. Attached you will find a log.

I am still getting random pop-ups when surfing the net. I did receive a Norton threat detection a while after the Scan had completed.

See attached.

Attached Files



#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:59 PM

Posted 02 August 2010 - 05:27 PM

Please run this tool which will check why pop-ups are still appearing.

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
Posted Image
m0le is a proud member of UNITE

#11 Bullitt3463

Bullitt3463
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:59 PM

Posted 03 August 2010 - 12:31 AM

Ran the MBRCheck tool successfully. See below for the log it provided after completion.

Attached Files



#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:59 PM

Posted 03 August 2010 - 01:51 PM

That's okay. Please run TDSSKiller next to make sure that's completely gone.
  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

Posted Image
m0le is a proud member of UNITE

#13 Bullitt3463

Bullitt3463
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:59 PM

Posted 03 August 2010 - 10:09 PM

Downloaded and ran TDSSKiller successfully. See log below.


2010/08/03 19:59:18.0328 TDSS rootkit removing tool 2.4.0.0 Jul 22 2010 16:09:49
2010/08/03 19:59:18.0328 ================================================================================
2010/08/03 19:59:18.0328 SystemInfo:
2010/08/03 19:59:18.0328
2010/08/03 19:59:18.0328 OS Version: 5.1.2600 ServicePack: 3.0
2010/08/03 19:59:18.0328 Product type: Workstation
2010/08/03 19:59:18.0328 ComputerName: DELL
2010/08/03 19:59:18.0328 UserName: Michael Desa
2010/08/03 19:59:18.0328 Windows directory: C:\WINDOWS
2010/08/03 19:59:18.0328 System windows directory: C:\WINDOWS
2010/08/03 19:59:18.0328 Processor architecture: Intel x86
2010/08/03 19:59:18.0328 Number of processors: 1
2010/08/03 19:59:18.0328 Page size: 0x1000
2010/08/03 19:59:18.0328 Boot type: Normal boot
2010/08/03 19:59:18.0328 ================================================================================
2010/08/03 19:59:18.0671 Initialize success
2010/08/03 19:59:25.0984 ================================================================================
2010/08/03 19:59:25.0984 Scan started
2010/08/03 19:59:25.0984 Mode: Manual;
2010/08/03 19:59:25.0984 ================================================================================
2010/08/03 19:59:26.0609 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/03 19:59:26.0656 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/08/03 19:59:26.0750 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
2010/08/03 19:59:26.0796 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/08/03 19:59:26.0859 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/08/03 19:59:26.0890 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/08/03 19:59:27.0062 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/08/03 19:59:27.0093 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/03 19:59:27.0187 ati2mtag (2d30381d718228d2841cf962e9e86499) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/08/03 19:59:27.0265 atinevxx (d335e45bfa1bf0bf93a8d3c15d1fc0e1) C:\WINDOWS\system32\DRIVERS\atinevxx.sys
2010/08/03 19:59:27.0281 ATITUNEP (4e09c36d16c5c310e9e8065385e743c2) C:\WINDOWS\system32\DRIVERS\atineuxx.sys
2010/08/03 19:59:27.0343 ativraxx (866332d193898755dc955a4ad111ac89) C:\WINDOWS\system32\DRIVERS\atinraxx.sys
2010/08/03 19:59:27.0359 ATIXSAudio (2bf5f72ad56964451b2e7b22aae389d1) C:\WINDOWS\system32\DRIVERS\atinesxx.sys
2010/08/03 19:59:27.0406 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/08/03 19:59:27.0437 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/08/03 19:59:27.0515 BCMModem (41347688046d49cde0f6d138a534f73d) C:\WINDOWS\system32\DRIVERS\BCMSM.sys
2010/08/03 19:59:27.0593 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/08/03 19:59:27.0656 BHDrvx86 (76154fa6a742c613b44bb636b1a7c057) C:\WINDOWS\System32\Drivers\N360\0308000.029\BHDrvx86.sys
2010/08/03 19:59:27.0703 Bridge (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
2010/08/03 19:59:27.0718 BridgeMP (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
2010/08/03 19:59:27.0812 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/08/03 19:59:27.0843 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/08/03 19:59:27.0875 ccHP (8973ff34b83572d867b5b928905ad5ac) C:\WINDOWS\System32\Drivers\N360\0308000.029\ccHPx86.sys
2010/08/03 19:59:27.0906 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/08/03 19:59:27.0937 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/08/03 19:59:27.0953 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/08/03 19:59:28.0078 dfmirage (d8cd6a2a94f545858eec6117f0d5dff4) C:\WINDOWS\system32\DRIVERS\dfmirage.sys
2010/08/03 19:59:28.0125 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/08/03 19:59:28.0187 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/08/03 19:59:28.0234 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/08/03 19:59:28.0265 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/08/03 19:59:28.0281 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/08/03 19:59:28.0312 Dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
2010/08/03 19:59:28.0359 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
2010/08/03 19:59:28.0390 Dot4Scan (bd05306428da63369692477ddc0f6f5f) C:\WINDOWS\system32\DRIVERS\Dot4Scan.sys
2010/08/03 19:59:28.0421 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/08/03 19:59:28.0453 drvmcdb (7f056a52bcba3102d2d37a4a2646c807) C:\WINDOWS\system32\drivers\drvmcdb.sys
2010/08/03 19:59:28.0484 drvnddm (d3c1e501ed42e77574b3095309dd4075) C:\WINDOWS\system32\drivers\drvnddm.sys
2010/08/03 19:59:28.0531 E100B (98b46b331404a951cabad8b4877e1276) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/08/03 19:59:28.0640 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2010/08/03 19:59:28.0671 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2010/08/03 19:59:28.0718 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/08/03 19:59:28.0734 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/08/03 19:59:28.0781 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/08/03 19:59:28.0796 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/08/03 19:59:28.0843 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/08/03 19:59:28.0875 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/08/03 19:59:28.0890 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/08/03 19:59:28.0921 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/08/03 19:59:28.0968 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/08/03 19:59:29.0000 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/08/03 19:59:29.0062 hpusbfd (fea040582be5db58a8fafe3948736526) C:\WINDOWS\system32\DRIVERS\hpusbfd.sys
2010/08/03 19:59:29.0156 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/08/03 19:59:29.0203 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/08/03 19:59:29.0406 IDSxpx86 (231c3f6d5c520e99924e1e37401a90c4) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100802.001\IDSxpx86.sys
2010/08/03 19:59:29.0421 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/08/03 19:59:29.0500 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/08/03 19:59:29.0531 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/08/03 19:59:29.0578 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/08/03 19:59:29.0640 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/08/03 19:59:29.0687 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/08/03 19:59:29.0703 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/08/03 19:59:29.0734 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/08/03 19:59:29.0781 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/08/03 19:59:29.0796 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/08/03 19:59:29.0843 klmd24 (6485ad0a17a0d6286b4d44c652adabb2) C:\WINDOWS\system32\drivers\klmd.sys
2010/08/03 19:59:29.0890 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/08/03 19:59:29.0937 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/08/03 19:59:30.0000 Lbd (419590ebe7855215bb157ea0cf0d0531) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2010/08/03 19:59:30.0093 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/08/03 19:59:30.0109 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/08/03 19:59:30.0156 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2010/08/03 19:59:30.0218 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/08/03 19:59:30.0234 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/08/03 19:59:30.0281 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/08/03 19:59:30.0312 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/08/03 19:59:30.0375 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/08/03 19:59:30.0390 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/08/03 19:59:30.0421 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/08/03 19:59:30.0484 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/08/03 19:59:30.0609 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/08/03 19:59:30.0671 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/08/03 19:59:30.0703 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/08/03 19:59:30.0734 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/08/03 19:59:30.0812 MVDCODEC (04dd08f6c43d331c238197e7deaf0d5e) C:\WINDOWS\system32\DRIVERS\atinmdxx.sys
2010/08/03 19:59:30.0843 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/08/03 19:59:30.0984 NAVENG (0953bb24c1e70a99c315f44f15993c17) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100802.041\NAVENG.SYS
2010/08/03 19:59:31.0062 NAVEX15 (3ddb0bef60b65df6b110c23e17cd67dc) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100802.041\NAVEX15.SYS
2010/08/03 19:59:31.0109 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/08/03 19:59:31.0140 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/08/03 19:59:31.0187 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/08/03 19:59:31.0218 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/08/03 19:59:31.0234 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/08/03 19:59:31.0250 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/08/03 19:59:31.0265 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/08/03 19:59:31.0296 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/08/03 19:59:31.0312 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/08/03 19:59:31.0343 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/08/03 19:59:31.0390 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/08/03 19:59:31.0421 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/08/03 19:59:31.0453 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/08/03 19:59:31.0515 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
2010/08/03 19:59:31.0546 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/08/03 19:59:31.0562 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/08/03 19:59:31.0593 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/08/03 19:59:31.0640 PCDCODEC (1a3e460843151029f98f87274fbb40ca) C:\WINDOWS\system32\DRIVERS\atinpdxx.sys
2010/08/03 19:59:31.0656 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/08/03 19:59:31.0718 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/08/03 19:59:31.0734 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/08/03 19:59:31.0812 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
2010/08/03 19:59:31.0953 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/08/03 19:59:31.0968 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/08/03 19:59:31.0984 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/08/03 19:59:32.0015 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/08/03 19:59:32.0062 PxHelp20 (d970470f8f39470bdae94d313a1ccdce) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
2010/08/03 19:59:32.0156 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/08/03 19:59:32.0187 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/08/03 19:59:32.0218 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/08/03 19:59:32.0234 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/08/03 19:59:32.0250 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/08/03 19:59:32.0281 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/08/03 19:59:32.0296 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/08/03 19:59:32.0328 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/08/03 19:59:32.0359 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/08/03 19:59:32.0484 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/08/03 19:59:32.0546 SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
2010/08/03 19:59:32.0593 SASKUTIL (f81ea209a3e43c33f99ff89ebab82d93) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
2010/08/03 19:59:32.0609 SCDEmu (f441ba47bd8610cb9536965bd7d1f943) C:\WINDOWS\system32\drivers\SCDEmu.sys
2010/08/03 19:59:32.0640 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/08/03 19:59:32.0687 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/08/03 19:59:32.0703 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/08/03 19:59:32.0734 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/08/03 19:59:32.0781 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/08/03 19:59:32.0843 smwdm (39f9595d2f6f7eb93f45a466789a6f49) C:\WINDOWS\system32\drivers\smwdm.sys
2010/08/03 19:59:32.0890 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
2010/08/03 19:59:32.0953 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/08/03 19:59:32.0968 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/08/03 19:59:33.0031 SRTSP (e81f6caeab9ad5732e94c07c97866aa2) C:\WINDOWS\System32\Drivers\N360\0308000.029\SRTSP.SYS
2010/08/03 19:59:33.0078 SRTSPX (e28de499d942b08058bffac69d4122b6) C:\WINDOWS\system32\drivers\N360\0308000.029\SRTSPX.SYS
2010/08/03 19:59:33.0125 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/08/03 19:59:33.0156 sscdbhk5 (328e8bb94ec58480f60458fb4b8437a7) C:\WINDOWS\system32\drivers\sscdbhk5.sys
2010/08/03 19:59:33.0187 ssrtln (7ec8b427cee5c0cdac066320b93f1355) C:\WINDOWS\system32\drivers\ssrtln.sys
2010/08/03 19:59:33.0218 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
2010/08/03 19:59:33.0250 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/08/03 19:59:33.0296 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/08/03 19:59:33.0312 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/08/03 19:59:33.0390 SymEFA (d0885f6e24259a6c65e68d6ad749910a) C:\WINDOWS\system32\drivers\N360\0308000.029\SYMEFA.SYS
2010/08/03 19:59:33.0453 SymEvent (a54ff04bd6e75dc4d8cb6f3e352635e0) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2010/08/03 19:59:33.0531 SYMFW (1e825026436c4eac3e1a11d1e9c33f2c) C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMFW.SYS
2010/08/03 19:59:33.0546 SYMIDS (7a20b7d774ef0f16cf81b898bfeca772) C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMIDS.SYS
2010/08/03 19:59:33.0578 SymIM (c6db9f873b09c63f5cb1de10c08bf6f9) C:\WINDOWS\system32\DRIVERS\SymIM.sys
2010/08/03 19:59:33.0609 SymIMMP (c6db9f873b09c63f5cb1de10c08bf6f9) C:\WINDOWS\system32\DRIVERS\SymIM.sys
2010/08/03 19:59:33.0656 SYMNDIS (5ab7d00ea6b7a6fcd5067c632ec6f039) C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMNDIS.SYS
2010/08/03 19:59:33.0703 SYMTDI (e4fa8bbb96e314e9508865de1a767538) C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMTDI.SYS
2010/08/03 19:59:33.0750 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/08/03 19:59:33.0812 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/08/03 19:59:33.0843 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/08/03 19:59:33.0890 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/08/03 19:59:33.0937 TermDD (b2723ac785445266b5036a8c56273895) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/08/03 19:59:33.0937 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\termdd.sys. Real md5: b2723ac785445266b5036a8c56273895, Fake md5: 88155247177638048422893737429d9e
2010/08/03 19:59:33.0937 TermDD - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/03 19:59:34.0015 tfsnboio (c229bf90443be8d3bd2b65d7f3ac0f35) C:\WINDOWS\system32\dla\tfsnboio.sys
2010/08/03 19:59:34.0031 tfsncofs (79ee9fcd7728e54ab8fbc30962f0416f) C:\WINDOWS\system32\dla\tfsncofs.sys
2010/08/03 19:59:34.0046 tfsndrct (9efb37e7de17d783a059b653f7e8afad) C:\WINDOWS\system32\dla\tfsndrct.sys
2010/08/03 19:59:34.0109 tfsndres (130254995ebedcb34d62e8d78ec9dbd0) C:\WINDOWS\system32\dla\tfsndres.sys
2010/08/03 19:59:34.0125 tfsnifs (9b40e1e4aeed849812a2e43a388a7e77) C:\WINDOWS\system32\dla\tfsnifs.sys
2010/08/03 19:59:34.0140 tfsnopio (818047ad850b312705aa17ca96b9427d) C:\WINDOWS\system32\dla\tfsnopio.sys
2010/08/03 19:59:34.0156 tfsnpool (4603e813bcc6dd465cd8d2afd37fa90d) C:\WINDOWS\system32\dla\tfsnpool.sys
2010/08/03 19:59:34.0171 tfsnudf (6fc2cd904a9a55acfdfc780a611a75ed) C:\WINDOWS\system32\dla\tfsnudf.sys
2010/08/03 19:59:34.0187 tfsnudfa (d4afa4d00f8db3fd1c15b3fe49c3a96c) C:\WINDOWS\system32\dla\tfsnudfa.sys
2010/08/03 19:59:34.0234 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/08/03 19:59:34.0328 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/08/03 19:59:34.0375 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/08/03 19:59:34.0437 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/08/03 19:59:34.0484 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/08/03 19:59:34.0515 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/08/03 19:59:34.0562 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/08/03 19:59:34.0625 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/08/03 19:59:34.0687 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/08/03 19:59:34.0734 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/08/03 19:59:34.0781 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/08/03 19:59:34.0859 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/08/03 19:59:34.0875 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/08/03 19:59:34.0921 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/08/03 19:59:34.0984 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2010/08/03 19:59:35.0031 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/08/03 19:59:35.0078 ================================================================================
2010/08/03 19:59:35.0078 Scan finished
2010/08/03 19:59:35.0078 ================================================================================
2010/08/03 19:59:35.0093 Detected object count: 1
2010/08/03 20:00:22.0937 TermDD (b2723ac785445266b5036a8c56273895) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/08/03 20:00:22.0937 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\termdd.sys. Real md5: b2723ac785445266b5036a8c56273895, Fake md5: 88155247177638048422893737429d9e
2010/08/03 20:00:23.0546 Backup copy found, using it..
2010/08/03 20:00:23.0671 C:\WINDOWS\system32\DRIVERS\termdd.sys - will be cured after reboot
2010/08/03 20:00:23.0671 Rootkit.Win32.TDSS.tdl3(TermDD) - User select action: Cure
2010/08/03 20:00:29.0375 Deinitialize success


#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:59 PM

Posted 04 August 2010 - 04:27 PM

A forged file, a present from TDSS. dry.gif

How are the pop-ups now?
Posted Image
m0le is a proud member of UNITE

#15 Bullitt3463

Bullitt3463
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:59 PM

Posted 05 August 2010 - 10:15 PM

The pop-ups have stopped. I have surfed for the last couple of days for about 30 -40 minutes each day and no issues with it.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users