Infected with Trojan.FakeAV and Backdoor.Tidserv


  • This topic is locked
28 replies to this topic

#1 good day

good day

  • Members
  • 25 posts
  • Gender:Male
  • Location:CA

Posted 09 August 2010 - 05:26 PM

Post-infection problems: infected with some virus(es) (rootkit?), unable to access Windows Update, unable to put computer in hibernation (never a problem before) but can use standby.

Pre-existing situation that I have never been sure was related to a virus or not. Upon startup, the following message would pop-up in Notepad twice:
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

Steps taken: backed up data to CDs and online storage account, limit time online and turn off router/modem when not online, ran Norton 360 version 4.0 scans, ran Defogger (not sure if it did anything) and completed the other steps

From the research I have done at Norton's site (I am not tech savvy, just research oriented), I believe that my computer's infection may have begun with Trojan.FakeAV!gen35, and evolved to Trojan.FakeAV, which is responsible for HTTP Misleading Application Detection and HTTP Fake Scan Webpage 5, and then progressed to Backdoor.Tidserv, which is responsible for HTTP Tidserv Request and HTTPS Tidserv Request 2. Not sure if this is the nature of the progression or what not, but from what I read it sounds as though the responsible viruses are: Trojan.FakeAV and Backdoor.Tidserv.

I have read Norton's recommended removal of the above viruses, but I am not sure they would work. They definitely appear different than what may be recommended by Bleepingcomputer. For the Backdoor.Tidserv they recommend:
1. Restart the computer using the Windows Recovery Console
2. Disable System Restore (Windows Me/XP).
3. Update the virus definitions.
4. Run a full system scan.
5. Delete any values added to the registry.

For the Trojan.FakeAV they recommend:
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.

I am not proceeding forward with what they recommend, more so just posting it for comments and/or to highlight Norton's approach.

Upon getting infected, one of these viruses was continuously trying to inform me that my computer was infected. I would not click on any of its windows. It must have been preventing me from opening certain webpages and running Spybot, Adaware/Lavasoft, and Inoculate. I did a hard shut down of my computer, started in safe mode, and then ran scans using the three aforementioned anti-malware systems. Besides cookies, none of them found anything. I went out and purchased Norton 360, but was unable to load it in normal mode. This fake antivirus was blocking it. So, I loaded Norton in safe mode with networking (I am not sure on the differences of all the different safe modes), ran it, and it detected and removed Trojan.FakeAV!gen35. Something else was detected by Norton sonar, but I am unable to remember. I thought all was resolved, but after this I was unable to retrieve mail using Windows Live Mail or use IE to run Windows update. I received the following messages:
Unable to send or receive messages for the Hotmail account. Sorry, we were unable to sign you in to Windows Live ID at this time. Please try again later.

Server Error: 0x80048820
Server: 'http://mail.services.live.com/DeltaSync_v2.0.0/Sync.aspx'
Windows Live Mail Error ID: 0x80048820

http://mail.services.live.com/DeltaSync_v1.0.0/sync.aspx
http://services.msn.com/svcs/hotmail/httpmail.asp
http://mail.services.live.com/DeltaSync_v1.0.0/sync.aspx

Unable to send or receive messages for the Hotmail account. To send and receive messages in your Hotmail account, go to http://hotmail.live.com on the Web, or try again later. To get help from Windows Live Customer Support, go to http://support.live.com and click Windows Live Mail in the list of services.

Server Error: 0x80072EFD
Server: 'http://mail.services.live.com/DeltaSync_v2.0.0/Sync.aspx'
Windows Live Mail Error ID: 0x80072EFD

I went to the support page, and it instructed to disable the firewall temporarily to assess if the firewall was blocking Windows Live Mail. This still did not work, plus I worried that my firewall was disabled temporarily with this virus on my computer. Also, I downloaded the latest version of Windows Live Mail, but this did not solve things either. I then re-installed Norton 360 because I thought that was affecting Windows Live Mail, but that did not work. Next, I used system restore to go to an earlier restore point. I clicked on Windows Live Mail (the earlier version because of the restore point), and it was working normally and syncing with hotmail. But, I still have not been able to use Windows Update. In general, my computer seems as though it runs slower ever since this virus situation. I removed Inoculate & Ad-aware, and attempted to remove TrendMicro, but was unable to remove Trend because it needed something to remove it (I figured I would do later; not a big deal). I removed these programs because I thought they were the ones competing with Norton & were possibly slowing down my computer, and that I didn't need them anymore since having purchased Norton 360. Besides, Inoculate lapsed & I could no longer get updates. One program I did leave was Spybot.

Ever since getting this virus and restoring the computer to an earlier time, I continuously get notices that Norton has blocked an intrusion attack. Also, every so often this malware succeeds and opens a random window/tab when I am on Mozilla. Looking at the Norton intrusion prevention log, I see attempts have been made by: HTTP Tidserv Request, HTTPS Tidserv Request 2, HTTP Misleading Application Detection, HTTP Fake Scan Webpage 5, and HTTP Nukesploit Request. I have re-run Norton, but nothing besides cookies are detected. I thought Norton would remove this virus/malware, rather than just keeping letting me know that the firewall blocked an intrusion attempt.

Also, not sure if it is related, but ever since installing Norton 360 I occasionally get notices that my "revocation information for the security certificate for this site is not available." I never used to see this message before, and I don't know what it is related to. It has not happened as of lately.

I have included the requested attachments, as well as an attachment of the Norton Intrusion Prevention logs. Please help me with removing/cleaning this malware off my computer. I am at my wits end and the only thing left I can think of doing is a reinstall of the OS (which I have never done before), but with your help, hopefully there is another way to correct this situation.

Lastly, I will get back to this post as soon as possible, but be forewarned I work up to 15 hour days. I work the next 3 straight, and I will respond when I have a chance. Thanks in advance!


DDS (Ver_10-03-17.01) - NTFSx86
Run at 15:18:45.70 on Sun 08/08/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.130 [GMT -7:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton 360\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Norton 360\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\PROGRA~1\verizon\SMARTB~1\MotiveSB.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\quickenw\QAGENT.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Brian Brockman\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://start.dslextreme.com/
uDefault_Search_URL = hxxp://totalinternet.snap.com:8005/channel/search/0,11,totalinternet-0,00.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://home.peoplepc.com/search
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PeoplePC FixedBandBHO: {3de88907-3e38-11d4-beb2-cbe76c0598dd} - c:\program files\isp40\bin\BandObject.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - No File
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - No File
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - No File
BHO: {A8FB8EB3-183B-4598-924D-86F0E5E37085} - No File
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.2.0.12\coIEPlg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {A8FB8EB3-183B-4598-924D-86F0E5E37085} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Mobipocket Reader Notifications] c:\program files\mobipocket.com\mobipocket reader\readernotify.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [nwiz] nwiz.exe /installquiet
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [TFNF5] TFNF5.exe
mRun: [Tpwrtray] TPWRTRAY.EXE
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [A Verizon App] c:\progra~1\verizo~1\helpsu~1\VERIZO~1.EXE
mRun: [Motive SmartBridge] c:\progra~1\verizon\smartb~1\MotiveSB.exe
mRun: [POINTER] point32.exe
mRun: [QAGENT] c:\quickenw\QAGENT.EXE
mRun: [AdaptecDirectCD] c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\brianb~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\sony handheld\HOTSYNC.EXE
StartupFolder: c:\docume~1\brianb~1\startm~1\programs\startup\mobipo~1.lnk - c:\program files\mobipocket.com\mobipocket reader\webcomp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
Trusted Zone: intuit.com\ttlc
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/tgctlcm.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187714325701
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} - hxxp://www.verizon.net/checkmypc/includes/MotivePreQual.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\brianb~1\applic~1\mozilla\firefox\profiles\e202341g.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\brian brockman\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-6 64160]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0402000.00c\symds.sys [2010-8-1 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0402000.00c\symefa.sys [2010-8-1 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20100719.001\BHDrvx86.sys [2010-8-5 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0402000.00c\cchpx86.sys [2010-8-1 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0402000.00c\ironx86.sys [2010-8-1 116784]
R2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [2002-8-21 34712]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.2.0.12\ccsvchst.exe [2010-8-1 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-8-4 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20100805.004\IDSXpx86.sys [2010-8-5 331640]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100808.003\NAVENG.SYS [2010-8-8 85424]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100808.003\NAVEX15.SYS [2010-8-8 1362608]

=============== Created Last 30 ================

2010-08-08 22:05:57 0 ----a-w- c:\documents and settings\brian brockman\defogger_reenable
2010-08-06 06:35:10 0 d-----w- c:\windows\system32\N360_BACKUP
2010-08-02 00:05:48 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-08-02 00:05:48 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-08-01 23:59:35 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-08-01 23:59:35 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-08-01 23:59:35 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-08-01 23:59:35 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-08-01 23:22:32 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-30 04:28:18 0 d-----w- c:\windows\system32\drivers\N360
2010-07-14 00:40:21 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-05-31 18:53:49 68938 ----a-w- c:\windows\hpoins05.dat
2009-10-08 05:38:46 16384 -csha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-06-28 10:08:19 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008062820080629\index.dat

============= FINISH: 15:22:59.33 ===============

The latest thing, which has never happened before, is that I can't even open Windows Live Mail. I click on the icon to load it, and up pops a supposed window from Windows Live Mail stating:
Windows Live Mail could not be started because your computer is low on system resources. Most likely the problem is your computer is low on memory or is unstable.

Well, I can say personally that my computer does seem unstable, but even being unstable it still opened Windows Live Mail. Not sure if my problem is getting worse, but please help. Thanks.

EDIT: Posts merged ~BP

Edited by Budapest, 09 August 2010 - 05:39 PM.
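The DDS log in the post above is several hundred lines, and the lines a helper actually asks about are a small subset: browser helper objects, toolbars and explorer bars whose CLSID no longer resolves to a file ("No File"), proxy-related Internet Settings values, and Run-key entries that are empty or launch a bare executable name. The script below is an added example, not part of this thread or of the DDS tool; it pulls those items out of a report in the "Pseudo HJT Report" line format. The sample report is constructed from trimmed copies of entries in the posted log (the CLSIDs and paths are the ones shown above), and the regular expressions are assumptions derived from that log rather than from any DDS specification. None of the output is a verdict: orphaned CLSIDs are usually leftovers of uninstalled software, and unqualified executable names in Run keys are normal for OEM utilities such as the Toshiba tools in this log.

```python
import re
from typing import Dict, List

# Constructed sample in the DDS "Pseudo HJT Report" line format. The entries are
# trimmed copies of lines from the log posted above (they are not from a new
# machine) and are embedded here only so the script runs offline.
SAMPLE_LINES = [
    r"uStart Page = hxxp://www.google.com/",
    r"uInternet Settings,ProxyOverride = 127.0.0.1",
    r"BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll",
    r"BHO: {53707962-6F74-2D53-2644-206D7942484F} - No File",
    r"TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File",
    r"EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File",
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r"mRun: [TFNF5] TFNF5.exe",
    r"mRun: [<NO NAME>]",
    r'mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime',
]
SAMPLE_REPORT = "\n".join(SAMPLE_LINES)

# Line shapes as they appear in the DDS output above. These are assumptions
# derived from the posted log, not from a published DDS format specification.
ORPHAN_RE = re.compile(r"^(BHO|TB|EB): .*?(\{[0-9A-Fa-f-]{36}\}) - No File$")
RUN_RE = re.compile(r"^([um]Run): \[(.*?)\]\s*(.*)$")
PROXY_RE = re.compile(r"^[um]Internet Settings,(Proxy\w+) = (.*)$")


def _executable_of(command: str) -> str:
    """Return the program part of a Run-key command line (quoted or bare)."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0]


def triage(report: str) -> Dict[str, List[str]]:
    """Collect review items from a DDS pseudo-HJT report.

    Nothing here is a verdict: orphaned CLSIDs are usually leftovers of
    uninstalled software, and a bare executable name in a Run key is normal
    for OEM utilities (the posted log has several). The point is to pull the
    lines a helper would ask about out of a few hundred lines of log.
    """
    findings: Dict[str, List[str]] = {
        "orphan_clsid": [],    # BHO/TB/EB entries whose DLL no longer exists
        "proxy_setting": [],   # any proxy-related Internet Settings value
        "run_no_path": [],     # Run entries launching a bare, unqualified name
        "run_empty": [],       # Run entries with a name but no command
    }
    for raw in report.splitlines():
        line = raw.strip()
        m = ORPHAN_RE.match(line)
        if m:
            findings["orphan_clsid"].append(m.group(2))
            continue
        m = PROXY_RE.match(line)
        if m:
            findings["proxy_setting"].append(f"{m.group(1)}={m.group(2)}")
            continue
        m = RUN_RE.match(line)
        if m:
            name, command = m.group(2), m.group(3).strip()
            if not command:
                findings["run_empty"].append(name)
            elif "\\" not in _executable_of(command):
                findings["run_no_path"].append(f"{name}: {_executable_of(command)}")
    return findings


def format_findings(findings: Dict[str, List[str]]) -> str:
    """Render the triage result as the short summary you would paste in a reply."""
    lines = []
    for category, items in findings.items():
        lines.append(f"{category} ({len(items)})")
        lines.extend(f"  {item}" for item in items)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_findings(triage(SAMPLE_REPORT)))
```

Run it on a saved DDS log by reading the file into `triage()`; the "run_no_path" bucket in particular needs a human to check each name against the running-processes section of the same log before anything is concluded from it.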


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 09 August 2010 - 06:02 PM

Good evening.

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop.
  • You will then need to extract the file(s) from the zipped folder.

  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish

  • Please close all open programs as this may result in a reboot being necessary.
  • Double click TDSSKiller.exe to begin.
  • Click Start scan and allow the tool to do just that.
  • Once the scan has completed, if the tool has identified anything, allow it to carry out its default action(s) - you'll need to click Continue where appropriate.
  • Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.

  • If the scan finds nothing, please click the Report button and let me have a copy of the text file that opens.
  • If you reboot your machine, the log, which I'd like to see, will be located at the root of your hard drive as C:\TDSSKiller.Version_Date_Time_log.txt.
    Please check that you get the one with the right date and time.

So long, and thanks for all the fish.


#3 good day

good day
  • Topic Starter
  • Members
  • 25 posts
  • Gender:Male
  • Location:CA

Posted 09 August 2010 - 10:41 PM

Thanks for the reply Noviciate. Will you be the one handling my case?

Before I begin, from reading my post, does this problem sound like something that can be rectified? And, are you familiar with this situation? Thanks for your help in advance.

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 10 August 2010 - 02:10 PM

Good evening.

If I didn't think I could handle the problem, I wouldn't have posted to it - trust me, I'm not a doctor!

So long, and thanks for all the fish.


#5 good day

good day
  • Topic Starter
  • Members
  • 25 posts
  • Gender:Male
  • Location:CA

Posted 13 August 2010 - 06:24 PM

I'm back. Well, I did as instructed with the Kaspersky program and it found something. I ran it a second time and nothing was found. I am attaching the log from the first scan.

While on the internet, so far Norton 360 has not notified me of an intrusion attempt, but it just seems like my computer is constantly running or trying to process something. Not sure if that is related to any virus/infection.

Oh yeah, I tried hibernating my computer when I had to go, and that worked. I guess the virus/infection had something to do with disabling hibernation.


#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 14 August 2010 - 01:44 PM

Good evening.

I think a wee peek into the hard drive is worth the time it takes, just to be on the safe side.

Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh DDS log AND a description of how your PC is behaving.

So long, and thanks for all the fish.


#7 good day

good day
  • Topic Starter
  • Members
  • 25 posts
  • Gender:Male
  • Location:CA

Posted 14 August 2010 - 07:15 PM

Hi Noviciate. As instructed, I ran MBAM. The program did not detect anything. I have attached the MBAM log as requested, along with a new DDS log.

One distressing thing is that after the MBAM finished, I decided to open the Norton 360 recent history to see if any intrusion attempts or suspicious activity had been detected recently. Well, it turns out that Trojan.FakeAV was detected, quarantined, and removed at 3:58 pm. MBAM finished and created a log at 4:13 pm. So, it either appears that Trojan.FakeAV is still on the computer or re-attacked my computer. What do you make of this? I tried to create an attachment of the Norton activity pertaining to the Trojan.FakeAV that was detected and quarantined, but the file is 335k and I guess the upload limit is 331.94k. Do you want me to upload this Norton attachment somehow? The Norton status bar shows that it was quarantined, but the specific activity page for the Trojan.FakeAV file shows that it, or the associated program a0132660.exe and a0132668.exe, have been removed. I am confused on whether this Trojan.FakeAV has been removed or is still on the machine.

As far as behavior, the computer is performing more like it was pre-infection. It seems to be running normal, but it appears slightly slower than it used to when I try to have various programs running. For instance, having Mozilla, Windows Live Mail, Word, and my Palm desktop application open creates a bottleneck a little more than it did before. When I am on the internet and searching pages, I am no longer redirected to different sites vs. the sites I have searched for. And, random pages no longer open up. Also, Windows Live Mail is working properly, along with hibernation mode, and IE and Microsoft Update. I was able to go onto Microsoft Update and receive/install the latest updates.

Lastly, although MBAM didn't find anything, I am confused on what you meant by "Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later." So, if I keep MBAM on my computer, should I always follow this rule? What do you mean "will be dealt with later"? Later by us or later by MBAM? And, aren't my system restore points potentially infected?

Thanks for time and assistance.


#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 15 August 2010 - 02:12 PM

Good evening.

QUOTE
Well, it turns out that Trojan.FakeAV was detected, quarantined, and removed at 3:58 pm. MBAM finished and created a log at 4:13 pm. So, it either appears that Trojan.FakeAV is still on the computer or re-attacked my computer. What do you make of this?

I would need to know exactly what Norton detected and removed in order to make anything of it. It could be a leftover of no real interest that Norton found and tidied up, or it could be part of an active infection that you've picked up - at this point I can't say.
If you post the full file path(s) for the detection(s) and run a full system scan with Norton and tell me if it picks up anything else, I'll take it from there.

QUOTE
Lastly, although MBAM didn't find anything, I am confused on what you meant by "Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later." So, if I keep MBAM on my computer, should I always follow this rule? What do you mean "will be dealt with later"? Later by us or later by MBAM? And, aren't my system restore points potentially infected?

These detections are from data held within a Restore Point that Windows creates using System Restore. While it is true that using one of these infected RPs will reintroduce whatever nasty was backed up at the time, if you don't use one there is no risk.
The concern with removing them is that SR uses a chaining method and if you remove something from one of the points you may break the chain and render all the following points useless - at this time I do not know for certain whether this is an actual risk or just theoretical, but I have no desire to take the chance on your PC.
Once your machine is clean you will create a new Restore Point and this will be the oldest point you will use if at all possible. Over time as Windows creates new points it overwrites the oldest ones due to the limited amount of disc space reserved for SR and so all points, infected or not, get removed over time.
If your PC cannot be repaired by using a known clean point it is better to trust to a potentially infected one that gets the PC working again rather than have an expensive paperweight in front of you, which is why we don't just wipe SR and start afresh.

If you give me the info from the top of my reply we'll take it from there.



So long, and thanks for all the fish.
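The advice above about leaving `\System Volume Information\` detections unchecked comes down to a path check: anything a scanner reports under that folder is an archived copy inside a restore point, not a file Windows will run, so it belongs in a separate pile from live detections. The script below is an added illustration, not code from this thread, from MBAM or from Norton. It sorts a constructed list of detection paths into live files and restore-point copies, grouped by RP number, using the layout XP's System Restore writes (`_restore{GUID}\RPnnn\A0nnnnnnn.ext`); the GUID and every file name are made-up placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample paths in the style of a scanner's detection list.
# None of these come from the poster's logs; the GUID is a placeholder.
SAMPLE_DETECTIONS = [
    r"C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000001}\RP120\A0132660.exe",
    r"C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000001}\RP120\A0132668.exe",
    r"C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000001}\RP121\A0132699.dll",
    r"C:\System Volume Information\tracking.log",
    r"C:\Documents and Settings\User\Local Settings\Temp\rogueav.exe",
    r"C:\WINDOWS\system32\drivers\badsvc.sys",
]

# Layout XP's System Restore uses for archived copies: the System Volume Information
# folder, a per-volume _restore{GUID} folder, one RPnnn folder per restore point,
# and the archived file renamed to A0nnnnnnn.ext (the original name is kept in change.log).
RESTORE_POINT_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\(?P<file>[^\\]+)$",
    re.IGNORECASE,
)
SVI_MARKER = "\\system volume information\\"


@dataclass
class Detection:
    path: str
    archived: bool                 # True when the file lives under System Volume Information
    restore_point: Optional[int]   # RP number when the path follows the restore-point layout
    archived_name: Optional[str]   # the A0nnnnnnn.ext name System Restore gave the copy


def classify(path: str) -> Detection:
    """Decide whether a detected path is a live file or an archived restore-point copy."""
    m = RESTORE_POINT_RE.match(path)
    if m:
        return Detection(path, True, int(m.group("rp")), m.group("file"))
    # Under SVI but not in the RPnnn layout (e.g. SR's own bookkeeping files): still not live.
    if SVI_MARKER in path.lower():
        return Detection(path, True, None, None)
    return Detection(path, False, None, None)


def triage(paths: List[str]) -> Tuple[List[str], Dict[Optional[int], List[str]]]:
    """Split detections into live files (act on now) and archived copies grouped by RP."""
    live: List[str] = []
    archived: Dict[Optional[int], List[str]] = {}
    for p in paths:
        d = classify(p)
        if d.archived:
            archived.setdefault(d.restore_point, []).append(d.path)
        else:
            live.append(d.path)
    return live, archived


if __name__ == "__main__":
    live, archived = triage(SAMPLE_DETECTIONS)
    print("Live detections (clean these now):")
    for p in live:
        print("  ", p)
    print("Archived inside restore points (no risk unless that point is restored):")
    for rp, files in sorted(archived.items(), key=lambda kv: (kv[0] is None, kv[0] or 0)):
        label = f"RP{rp}" if rp is not None else "outside any RP folder"
        print(f"  {label}: {len(files)} file(s)")
```

Grouping by RP number is what makes the later clean-up decision easy: once a known clean restore point exists, every RP older than it can be discarded together, and the live list is the only part that needs attention straight away.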



#9 good day

good day
  • Topic Starter

  • Members
  • 25 posts
  • Gender:Male
  • Location:CA

Posted 16 August 2010 - 03:35 PM

I ran 2 Norton full system scans. Besides tracking cookies, nothing was detected. I have attached the log (virus scan) from the second scan for reference.

Also, the Word document (Trojan.FakeAV) is the summarized log of the activity around the latest detection and removal/quarantine of Trojan.FakeAV that I was discussing. I deleted much of the activity on the Word log because it showed "no action taken." I left in that activity that showed something was repaired or removed. Hopefully, it provides you with a better picture. The one part I don't understand is:
Suspicious Actions
Automatically run service: SSHNAS
No Action Required

Not sure what SSHNAS is or why no action was taken if this is suspicious to Norton.

Attached Files



#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 17 August 2010 - 02:31 PM

Good evening.

It looks like Norton tidied up after a fake AV infection which may have piggy-backed on the TDSS infection that you picked up - they sometimes come in bundles.
I don't know exactly what Norton is referring to with SSHNAS, but if it says No Action Required you can but trust it.

I think that an online scan would be a good idea though, given that Norton did deal with a number of items. Please work through the following and post accordingly:

Pay a visit to the ESET Online Scanner.
  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you uncheck the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

So long, and thanks for all the fish.



#11 good day

good day
  • Topic Starter

  • Members
  • 25 posts
  • Gender:Male
  • Location:CA

Posted 19 August 2010 - 06:44 AM

Just to keep you updated so that the post doesn't get closed, I will be unavailable/busy for the next week or so. I will attempt to get to the steps in your latest post as soon as I have a chance.

Thanks for the help and I'll keep you posted when I implement the steps.

#12 good day

good day
  • Topic Starter

  • Members
  • 25 posts
  • Gender:Male
  • Location:CA

Posted 21 August 2010 - 06:49 PM

So, I was going to implement the steps of your latest posting, Noviciate, but I thought that perhaps I should update you more on my computer's behavior. Recently, it seems as though my computer is always, always processing something. The hard drive seems as though it is continuously running. This has happened ever since using MBAM and then running those Norton scans. I have absolutely no idea what is going on. It never used to do this.

As a result of that continuous processing, the computer is ridiculously slow. It is stalling as I type these words. I am going crazy with this computer. So, I bring this up b/c I am not sure if what is happening is a result of having done some of the steps outlined in your emails, or if this is a result of the virus/infection. Whatever the case, I am not sure how these should be addressed, if I should continue with your outlined steps first, or what. Would you offer any input/suggestions? Thanks.

#13 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 22 August 2010 - 01:20 PM

Good evening.

Given that in a previous post you felt that the PC was returning to normal, it seems likely to me that you have picked something else up in the meantime. I'd go with the ESET scan and we'll see if it can identify something nasty onboard.

So long, and thanks for all the fish.



#14 good day

good day
  • Topic Starter

  • Members
  • 25 posts
  • Gender:Male
  • Location:CA

Posted 23 August 2010 - 11:25 PM

Hi Noviciate. I am in the middle of a stretch of 12-14 hour days. I will run that ESET scan when I have a chance. Just wanted to make a quick post. So, I am wondering: could the slowness of my computer be related to Windows Virtual Memory? It seems lately, more so than pre-infection, I have been receiving the Windows error message stating:
Your system is low on virtual memory. Windows is increasing the size of your virtual memory paging file. During this process, memory requests for some applications may be denied.

Could this be the reason my system is just totally stalling with everything?

FYI, my laptop doesn't have that much RAM (if that is what is applicable). It originally had 256 mb of RAM. I increased it in the Fall of '09 to its max, 1024 mb of RAM. Pre-infection, I was receiving this Windows virtual memory message every so often, but I never really knew what it was related to. I always thought it was curious that I received this message even though I increased the RAM to 1024 mb. When the computer had 256 mb of RAM, this message really did not come up that often.

Anyhow, I bring this up to question if this could be a possible link to the slowness.

#15 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 24 August 2010 - 02:12 PM

Good evening.

Perhaps it has a bearing; at this point I don't know. Go with the scan and we'll take it from there.

So long, and thanks for all the fish.
