
moved: I think I have a tidserv????


  • This topic is locked
1 reply to this topic

#1 CB ROb

CB ROb

  • Members
  • 3 posts
  • OFFLINE
  • Local time:09:29 AM

Posted 28 July 2010 - 08:01 PM

I recently did some automatic updates, and afterward Norton found numerous trojans and av suite. Norton quarantined these items, but now I get intrusion alerts every twenty minutes or so.
These intrusions are labeled: an intrusion attempt by zz87jfhda88.com was blocked. Path: DEVICE/HARDDISKVOLUME2/WINDOWS/SYSTEM32/SVCHOST.EXE


I may have turned off my auto updates... the comp was slow.... I might have forgotten to turn it back on.... oops.
What can I do now? Do I need to protect bank accounts or PayPal accounts?
Thanks in advance for any advice.



Here is my DDS log:



DDS (Ver_10-03-17.01) - NTFSx86
Run by Rob at 18:40:54.06 on Wed 07/28/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.95 [GMT -6:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Rob\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uURLSearchHooks: N/A: {4d25f926-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\1.bin\deSrcAs.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: : {4d25f921-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\1.bin\deSrcAs.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [{656BD480-A5DF-F3A3-3E03-FDFCEB0B6058}] "c:\documents and settings\rob\application data\okku\visii.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Dit] Dit.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper_3004.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
StartupFolder: c:\documents and settings\rob\start menu\programs\startup\PowerReg Scheduler V3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\linksys\wusb600n\WUSB600N.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F4430FE8-2638-42e5-B849-800749B94EED} - c:\program files\partypoker.net\partypokernet.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: musicmatch.com\online
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2005\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-1-27 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-1-27 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-1-27 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100726.001\IDSXpx86.sys [2010-7-28 331640]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-1-27 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-23 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100728.002\NAVENG.SYS [2010-7-28 85424]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100728.002\NAVEX15.SYS [2010-7-28 1362608]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]
S3 CardReaderFilter;Card Reader Filter;c:\windows\system32\drivers\USBCRFT.SYS [2006-9-21 13568]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-12-14 551680]

=============== Created Last 30 ================

2010-07-26 20:36:11 0 d-----w- c:\program files\Norton Support
2010-07-26 15:58:50 0 d-----w- c:\windows\system32\scripting
2010-07-26 15:58:46 0 d-----w- c:\windows\l2schemas
2010-07-26 15:58:34 0 d-----w- c:\windows\system32\en
2010-07-26 15:58:33 0 d-----w- c:\windows\system32\bits
2010-07-26 15:32:25 0 d-----w- c:\windows\EHome
2010-07-23 14:56:29 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-13 21:31:21 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-07-28 22:05:24 13568 ----a-w- c:\windows\system32\drivers\USBCRFT.SYS
2010-05-05 13:30:57 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2009-08-05 17:22:29 848 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 18:44:45.96 ===============
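A helper reading a log like the one above usually scans three things first: processes DDS lists by bare image name (often just a process whose path DDS could not read, so a prompt to look rather than a verdict), Run-key entries that launch from a user's profile directory, and BHO/toolbar registrations whose file is gone. The script below is an added example written for this thread, not a tool from BleepingComputer or from either poster; it embeds a constructed excerpt of the posted log with the wrapped entries joined back together, and the profile-directory list is my own heuristic.

```python
import re
from collections import defaultdict

# Constructed excerpt of the DDS log from the first post, with the wrapped entries
# joined back onto single lines. Not the full log, just enough to run the checks offline.
DDS_EXCERPT = r"""============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [{656BD480-A5DF-F3A3-3E03-FDFCEB0B6058}] "c:\documents and settings\rob\application data\okku\visii.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

============= SERVICES / DRIVERS ===============

R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-1-27 117640]
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
AUTORUN_RE = re.compile(r'^[um]Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*"?(?P<cmd>.+?)"?$')

# Per-user writable locations that legitimate XP autoruns rarely point into (my heuristic).
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")


def parse_sections(text):
    """Split a DDS log into {section title: [non-blank lines]} using its ==== headers."""
    sections = defaultdict(list)
    current = "preamble"
    for line in text.splitlines():
        header = SECTION_RE.match(line.strip())
        if header:
            current = header.group(1)
            continue
        if line.strip():
            sections[current].append(line.rstrip())
    return sections


def pathless_processes(process_lines):
    """Processes listed by bare image name, i.e. DDS could not resolve their full path."""
    return [p for p in process_lines if not DRIVE_PATH_RE.match(p)]


def profile_autoruns(hjt_lines):
    """(value name, command) for uRun/mRun entries that launch from a user-profile directory."""
    hits = []
    for line in hjt_lines:
        m = AUTORUN_RE.match(line)
        if m and any(d in m.group("cmd").lower() for d in PROFILE_DIRS):
            hits.append((m.group("name"), m.group("cmd")))
    return hits


def missing_file_entries(hjt_lines):
    """BHO/toolbar registrations whose DLL is gone ("No File"): leftovers worth cleaning up."""
    return [line for line in hjt_lines if line.endswith("- No File")]


def triage(text):
    """Run all three checks over a DDS log and return the findings by category."""
    sections = parse_sections(text)
    hjt = sections.get("Pseudo HJT Report", [])
    return {
        "pathless_processes": pathless_processes(sections.get("Running Processes", [])),
        "profile_autoruns": profile_autoruns(hjt),
        "missing_file_entries": missing_file_entries(hjt),
    }


if __name__ == "__main__":
    for category, hits in triage(DDS_EXCERPT).items():
        print(f"{category}: {len(hits)}")
        for hit in hits:
            print("   ", hit)
```

On the excerpt this flags the two bare `svchost.exe` entries, the GUID-named uRun value pointing into `application data\okku\visii.exe`, and the two "No File" registrations; everything else in the excerpt passes. The findings are a reading order for a human, not a cleaning list, which is why the script only reports and never touches the system.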



#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:09:29 AM

Posted 07 August 2010 - 12:10 PM

Hello CB ROb

Welcome to BleepingComputer
==========================
  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans and Fixes section, paste in the following:

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll

  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
====================
Download the following GMER Rootkit Scanner from Here
  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically only C:\ should be checked)
  • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here



