
HTTPS TIDSERV REQUEST and TIDSERV REQUEST2


This topic is locked
2 replies to this topic

#1 Jink

  • Members
  • 1 posts

Posted 22 July 2010 - 10:29 PM

This keeps popping up on my Norton 360 and I have no idea what to do. Is it a site trying to hack into my computer? I followed a few pieces of advice on this site but it keeps popping up...


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-22 21:15:53
Windows 6.1.7600
Running: cycsd3fr.exe; Driver: C:\Users\Stephen\AppData\Local\Temp\fwddrfoc.sys


---- System - GMER 1.0.15 ----

SSDT 869C3048 ZwAlertResumeThread
SSDT 86260048 ZwAlertThread
SSDT 86AD0FC0 ZwAllocateVirtualMemory
SSDT 85FAD480 ZwAlpcConnectPort
SSDT 86950048 ZwAssignProcessToJobObject
SSDT 86ACC210 ZwCreateMutant
SSDT 86ACEBA8 ZwCreateSymbolicLinkObject
SSDT 86ACF398 ZwCreateThread
SSDT 86ACEC78 ZwCreateThreadEx
SSDT 86AC8048 ZwDebugActiveProcess
SSDT 86ACF1A0 ZwDuplicateObject
SSDT 86AD0E20 ZwFreeVirtualMemory
SSDT 86953048 ZwImpersonateAnonymousToken
SSDT 86AC7A90 ZwImpersonateThread
SSDT 85E9AD58 ZwLoadDriver
SSDT 86AD0D40 ZwMapViewOfSection
SSDT 869C2970 ZwOpenEvent
SSDT 86ACF2C0 ZwOpenProcess
SSDT 862FA0F0 ZwOpenProcessToken
SSDT 862A8380 ZwOpenSection
SSDT 86ACF230 ZwOpenThread
SSDT 86ACED58 ZwProtectVirtualMemory
SSDT 869BE048 ZwResumeThread
SSDT 869F8120 ZwSetContextThread
SSDT 86AD0BE8 ZwSetInformationProcess
SSDT 869BD048 ZwSetSystemInformation
SSDT 8625F920 ZwSuspendProcess
SSDT 86201068 ZwSuspendThread
SSDT 862186B0 ZwTerminateProcess
SSDT 8631BB10 ZwTerminateThread
SSDT 863CFB50 ZwUnmapViewOfSection
SSDT 86AD0EF0 ZwWriteVirtualMemory

INT 0x06 \??\C:\Windows\system32\drivers\Haspnt.sys ADD5816D
INT 0x0E \??\C:\Windows\system32\drivers\Haspnt.sys ADD57FC2
INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83035AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83035104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830353F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8301E2D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8301D898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830351DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83035958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830356F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83035F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830361A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 83095599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 830B9F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 224 830C1734 8 Bytes [48, 30, 9C, 86, 48, 00, 26, ...] {DEC EAX; XOR [ESI+EAX*4-0x79d9ffb8], BL}
.text ntkrnlpa.exe!RtlSidHashLookup + 23C 830C174C 4 Bytes [C0, 0F, AD, 86]
.text ntkrnlpa.exe!RtlSidHashLookup + 248 830C1758 4 Bytes [80, D4, FA, 85]
.text ntkrnlpa.exe!RtlSidHashLookup + 29C 830C17AC 4 Bytes [48, 00, 95, 86]
.text ntkrnlpa.exe!RtlSidHashLookup + 318 830C1828 4 Bytes [10, C2, AC, 86]
.text ...
.text peauth.sys AEA39C9D 28 Bytes [DE, 93, DB, BF, 3E, 7E, 12, ...]
.text peauth.sys AEA39CC1 28 Bytes [DE, 93, DB, BF, 3E, 7E, 12, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\wuauclt.exe[2524] ntdll.dll!NtProtectVirtualMemory 76F75380 5 Bytes JMP 0017000A
.text C:\Windows\system32\wuauclt.exe[2524] ntdll.dll!NtWriteVirtualMemory 76F75F00 5 Bytes JMP 0018000A
.text C:\Windows\system32\wuauclt.exe[2524] ntdll.dll!KiUserExceptionDispatcher 76F76448 5 Bytes JMP 0016000A
.text C:\Windows\Explorer.EXE[3468] ntdll.dll!NtProtectVirtualMemory 76F75380 5 Bytes JMP 007A000A
.text C:\Windows\Explorer.EXE[3468] ntdll.dll!NtWriteVirtualMemory 76F75F00 5 Bytes JMP 007B000A
.text C:\Windows\Explorer.EXE[3468] ntdll.dll!KiUserExceptionDispatcher 76F76448 5 Bytes JMP 0079000A
.text C:\Windows\System32\svchost.exe[4364] ntdll.dll!NtProtectVirtualMemory 76F75380 5 Bytes JMP 003D000A
.text C:\Windows\System32\svchost.exe[4364] ntdll.dll!NtWriteVirtualMemory 76F75F00 5 Bytes JMP 003E000A
.text C:\Windows\System32\svchost.exe[4364] ntdll.dll!KiUserExceptionDispatcher 76F76448 5 Bytes JMP 003C000A
.text C:\Windows\System32\svchost.exe[4364] ole32.dll!CoCreateInstance 760457FC 5 Bytes JMP 00C3000A
.text C:\Windows\System32\svchost.exe[4364] USER32.dll!GetCursorPos 7646C198 5 Bytes JMP 00C4000A
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[5252] ntdll.dll!NtProtectVirtualMemory 76F75380 5 Bytes JMP 0017000A
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[5252] ntdll.dll!NtWriteVirtualMemory 76F75F00 5 Bytes JMP 0020000A
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[5252] ntdll.dll!KiUserExceptionDispatcher 76F76448 5 Bytes JMP 0016000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\AOL\ACS\acsd.exe[1924] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74FD5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Common Files\AOL\ACS\acsd.exe[1924] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74FD5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Common Files\AOL\ACS\acsd.exe[1924] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74FD5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Common Files\AOL\ACS\acsd.exe[1924] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74FD5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Common Files\AOL\ACS\acsd.exe[1924] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [74FD5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Common Files\AOL\ACS\acsd.exe[1924] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [74FD5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Protector Suite QL\psqltray.exe[3612] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74FD5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Protector Suite QL\psqltray.exe[3612] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74FD5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Protector Suite QL\psqltray.exe[3612] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74FD5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Protector Suite QL\psqltray.exe[3612] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74FD5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Protector Suite QL\psqltray.exe[3612] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [74FD5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Protector Suite QL\psqltray.exe[3612] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [74FD5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Protector Suite QL\psqltray.exe[3612] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [74FD5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


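A note on reading the log above, with an added example that is not part of the original post and is not GMER's own code. The three sections worth triaging are the SSDT entries (kernel service table hooks), the "User code sections" (5-byte JMP patches at the start of ntdll/ole32/user32 functions in several processes), and the IAT entries. On their own these lines do not say who installed the hooks: a host security product such as the Norton 360 the poster runs and a kernel rootkit both hook the same places. What a practitioner wants first is the pattern: which symbols are hooked in every process, whether the JMP targets share a layout, and the address range the SSDT handlers occupy so it can be compared with the loaded driver list. The helper below parses the line shapes visible in this log (other GMER line forms are ignored), on a constructed sample made of a subset of the posted lines; the reading that a bare hex address on an SSDT line means GMER could not attribute the handler to a loaded driver image is an assumption about GMER's output format.

```python
"""Triage helper for GMER 1.0.15 text logs: SSDT entries, user-mode inline hooks, IAT patches."""
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the log posted above, same line shapes.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT 869C3048 ZwAlertResumeThread
SSDT 85E9AD58 ZwLoadDriver
SSDT 86AD0EF0 ZwWriteVirtualMemory
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\wuauclt.exe[2524] ntdll.dll!NtProtectVirtualMemory 76F75380 5 Bytes JMP 0017000A
.text C:\Windows\system32\wuauclt.exe[2524] ntdll.dll!NtWriteVirtualMemory 76F75F00 5 Bytes JMP 0018000A
.text C:\Windows\system32\wuauclt.exe[2524] ntdll.dll!KiUserExceptionDispatcher 76F76448 5 Bytes JMP 0016000A
.text C:\Windows\System32\svchost.exe[4364] ntdll.dll!NtProtectVirtualMemory 76F75380 5 Bytes JMP 003D000A
.text C:\Windows\System32\svchost.exe[4364] ntdll.dll!NtWriteVirtualMemory 76F75F00 5 Bytes JMP 003E000A
.text C:\Windows\System32\svchost.exe[4364] ntdll.dll!KiUserExceptionDispatcher 76F76448 5 Bytes JMP 003C000A
.text C:\Windows\System32\svchost.exe[4364] ole32.dll!CoCreateInstance 760457FC 5 Bytes JMP 00C3000A
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Common Files\AOL\ACS\acsd.exe[1924] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74FD5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
"""

# Line shapes taken from the log above; other GMER line forms are ignored by design.
SSDT_RE = re.compile(r"^SSDT\s+([0-9A-F]{8})\s+(\w+)\s*$")
USER_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<mod>\S+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+\d+\s+Bytes\s+JMP\s+(?P<target>[0-9A-F]{8})\s*$")
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<importer>\S+)\s+"
    r"\[(?P<mod>[^!\]]+)!(?P<func>[^\]]+)\]\s+\[(?P<addr>[0-9A-F]{8})\]\s+"
    r"(?P<resolver>\S+)\s*(?:\((?P<desc>.*)\))?\s*$")


def parse_gmer(text):
    """Return {'ssdt': [...], 'user_hooks': [...], 'iat': [...]} from a GMER log."""
    report = {"ssdt": [], "user_hooks": [], "iat": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            # Assumption about GMER's format: a bare handler address with no driver
            # path means the handler was not found inside any loaded driver image.
            report["ssdt"].append({"addr": int(m.group(1), 16), "func": m.group(2)})
        elif m := USER_RE.match(line):
            d = m.groupdict()
            report["user_hooks"].append({
                "proc": d["proc"], "pid": int(d["pid"]),
                "symbol": f'{d["mod"]}!{d["func"]}',
                "addr": int(d["addr"], 16), "target": int(d["target"], 16)})
        elif m := IAT_RE.match(line):
            d = m.groupdict()
            report["iat"].append({
                "proc": d["proc"], "pid": int(d["pid"]),
                "symbol": f'{d["mod"]}!{d["func"]}',
                "resolver": d["resolver"], "desc": d["desc"] or ""})
    return report


def hooks_per_process(report):
    """Map 'path[pid]' to the sorted list of symbols inline-hooked in that process."""
    per = defaultdict(set)
    for h in report["user_hooks"]:
        per[f'{h["proc"]}[{h["pid"]}]'].add(h["symbol"])
    return {k: sorted(v) for k, v in per.items()}


def common_hooks(report):
    """Symbols hooked in every hooked process: one identical set across unrelated
    processes is the footprint of a system-wide injector (a security product's
    user-mode engine or a rootkit), not a patch specific to one program."""
    sets = [set(v) for v in hooks_per_process(report).values()]
    return sorted(set.intersection(*sets)) if sets else []


def trampoline_offsets(report):
    """Distinct page offsets of the JMP targets. The same offset in every process
    (0x00A in this log) means one engine lays out its trampoline page the same way
    each time; the page numbers differ because each process gets its own allocation."""
    return sorted({h["target"] & 0xFFF for h in report["user_hooks"]})


def ssdt_handler_span(report):
    """(lowest, highest) SSDT handler address, to compare against a loaded-module
    list with base addresses (GMER's Modules tab, or 'lm' in WinDbg)."""
    addrs = [e["addr"] for e in report["ssdt"]]
    return (min(addrs), max(addrs)) if addrs else None


if __name__ == "__main__":
    r = parse_gmer(SAMPLE_LOG)
    for proc, syms in hooks_per_process(r).items():
        print(proc, "->", ", ".join(syms))
    print("hooked everywhere:", common_hooks(r))
    print("trampoline offsets:", [hex(o) for o in trampoline_offsets(r)])
    print("SSDT handlers span: %08X-%08X" % ssdt_handler_span(r))
    print("IAT patches resolved to:", sorted({i["resolver"] for i in r["iat"]}))
```

Run against the full posted log, this reports the same three ntdll functions hooked in wuauclt.exe, Explorer.EXE, svchost.exe and sqlbrowser.exe, every JMP landing at page offset 0x00A, SSDT handlers packed into a narrow range outside any named driver, and IAT patches that GMER itself attributes to apphelp.dll. That is the shape of a single hooking engine; which engine it is has to come from the driver list and the DDS log the responder asks for below, not from this file alone.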

#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 30 July 2010 - 05:13 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


Then

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#3 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 August 2010 - 06:19 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE