
infected with backdoor.tidserv.l!inf AND unknown rootkit


  • This topic is locked
11 replies to this topic

#1 DaveFrench

  • Members
  • 6 posts

Posted 24 September 2010 - 11:21 AM

The initial indication of a problem is that loading personal settings takes 10 minutes or more.
IE8 won't connect to any corrective site: (MS update, Malwarebytes, spybot, your site, etc.) otherwise I can use it fine. The IE screen says "Internet Explorer cannot display the webpage".
All programs you requested to be run were transported via thumbdrive to the infected machine, run and then the data files were put on a thumbdrive to send here.
Periodically, I receive a message that says "Generic Host Process for Win32 services has encountered a problem and needs to close", and do I want to send an error report to MS. If I click yes, (or debug) the system hangs and I have to hard reboot.
I ran Norton Bootable Recovery which found and fixed (?) Trojan.gen. It found and but couldn't remove the backdoor.tidserv.l!inf infection.

DDS (Ver_10-03-17.01) - NTFSx86
Run by President at 7:47:26.32 on Fri 09/24/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3036.2446 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
svchost.exe
C:\Documents and Settings\President\Local Settings\Application Data\CrossLoop\CrossLoopService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\DELL\Dell Laser MFP 1600n\NetworkScan\DNSCST.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\spoolsv.exe
E:\bleepingcomputer downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://login.secureserver.net/index.php?ap...be&logout=1
uSearch Page = hxxp://www.bing.com
uSearch Bar = hxxp://www.bing.com/sphome.aspx
mSearchAssistant = hxxp://www.bing.com/sphome.aspx
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.8.0.5\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell2.exe" /mode2
mRun: [DellNSCST] "c:\program files\dell\dell laser mfp 1600n\networkscan\DNSCST.exe" /HIDEUI
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1274994648937
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 93.188.162.71,93.188.161.4
TCP: {406EC75A-C8EE-4519-AAE6-7C27351EC83F} = 93.188.162.71,93.188.161.4
TCP: {FE10FEA9-7A52-4DA9-B737-90A7761493F9} = 93.188.162.71,93.188.161.4
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\presid~1\applic~1\mozilla\firefox\profiles\arpjvqf6.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.secureserver.net/index.php?app=wbe&logout=1|https://login.yahoo.com/config/login_verify2?&.src=ym
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\ipsffplgn\components\IPSFFPl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1108000.005\symds.sys [2010-9-23 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1108000.005\symefa.sys [2010-9-23 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\bashdefs\20100901.003\BHDrvx86.sys [2010-8-31 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1108000.005\cchpx86.sys [2010-9-23 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1108000.005\ironx86.sys [2010-9-23 116784]
R2 CrossLoopService;CrossLoop Service;c:\documents and settings\president\local settings\application data\crossloop\CrossLoopService.exe [2010-5-28 560792]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.8.0.5\ccsvchst.exe [2010-9-23 126392]
R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-4-28 45056]
R2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2010-4-28 48640]
R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [2010-5-28 134144]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2010-5-28 143968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-30 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\ipsdefs\20100923.001\IDSXpx86.sys [2010-9-23 331640]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\virusdefs\20100923.039\NAVENG.SYS [2010-9-24 85424]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\virusdefs\20100923.039\NAVEX15.SYS [2010-9-24 1362608]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 uvnc_service;uvnc_service;c:\documents and settings\president\local settings\application data\crossloop\winvnc.exe [2010-5-28 1590216]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-09-24 14:46:14 0 ----a-w- c:\documents and settings\president\defogger_reenable
2010-09-24 02:48:13 262144 --sha-w- c:\documents and settings\president\ntuser.dat.LOG1
2010-09-24 02:48:13 0 --sha-w- c:\documents and settings\president\ntuser.dat.LOG2
2010-09-23 19:16:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-23 16:28:10 1796 ----a-w- c:\windows\_detmp.1
2010-09-23 16:28:10 122880 ----a-w- c:\windows\_detmp.2
2010-09-23 16:12:47 0 d--h--w- c:\program files\WindowsUpdate
2010-09-23 00:33:07 0 d-----w- C:\NBRT
2010-09-20 02:46:52 0 d-----w- C:\spoolerlogs

==================== Find3M ====================

2010-09-24 06:40:36 8832 ----a-w- c:\windows\system32\drivers\wmiacpi.sys
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll

============= FINISH: 7:49:21.28 ===============

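As an added triage example (not code from this thread, from DDS or from ComboFix), the script below pulls out of a DDS log like the one above the two items this thread ends up turning on: the DNS resolvers recorded under "TCP: NameServer" (worth checking when a machine reaches ordinary sites but not security sites) and driver files modified shortly before the scan (later in the thread ComboFix names wmiacpi.sys, which Find3M shows modified on the scan day). The resolver allowlist and the seven-day window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Sample input: lines copied from the DDS log posted in this thread.
SAMPLE_LOG = """\
TCP: NameServer = 93.188.162.71,93.188.161.4
TCP: {406EC75A-C8EE-4519-AAE6-7C27351EC83F} = 93.188.162.71,93.188.161.4
TCP: {FE10FEA9-7A52-4DA9-B737-90A7761493F9} = 93.188.162.71,93.188.161.4
Notify: igfxcui - igfxdev.dll

==================== Find3M ====================

2010-09-24 06:40:36 8832 ----a-w- c:\\windows\\system32\\drivers\\wmiacpi.sys
2010-08-17 13:17:06 58880 ----a-w- c:\\windows\\system32\\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\\windows\\system32\\rpcrt4.dll
"""

# Constructed assumption: the resolvers this network is expected to hand out.
# On a real case take these from the DHCP server or the ISP, not from the log.
EXPECTED_RESOLVERS = [ip_network("192.168.1.1/32"), ip_network("8.8.8.0/24")]

# 'TCP: NameServer = a,b' and the per-interface 'TCP: {GUID} = a,b' lines.
NS_RE = re.compile(r"^TCP: (?:NameServer|\{[0-9A-Fa-f-]+\}) = (.+)$", re.M)
# Find3M / 'Created Last 30' entries: timestamp, size, attributes, path.
SYS_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \d+ \S+ (\S.*\.sys)$", re.M | re.I)


def unexpected_resolvers(log, expected=EXPECTED_RESOLVERS):
    """Distinct resolver IPs in the log that sit outside every expected network."""
    found = set()
    for m in NS_RE.finditer(log):
        for raw in m.group(1).split(","):
            raw = raw.strip()
            try:
                addr = ip_address(raw)
            except ValueError:  # DDS can record a hostname here; skip those
                continue
            if not any(addr in net for net in expected):
                found.add(raw)
    return sorted(found)


def recently_modified_drivers(log, scan_time, window_days=7):
    """(timestamp, path) for .sys files modified within window_days before scan_time.

    scan_time is the 'Run by ... at' time from the DDS header as 'YYYY-MM-DD HH:MM:SS'.
    """
    fmt = "%Y-%m-%d %H:%M:%S"
    cutoff = datetime.strptime(scan_time, fmt) - timedelta(days=window_days)
    hits = []
    for m in SYS_RE.finditer(log):
        if datetime.strptime(m.group(1), fmt) >= cutoff:
            hits.append((m.group(1), m.group(2).lower()))
    return hits


def triage(log, scan_time):
    """Collect both findings; empty lists mean nothing to follow up on."""
    return {"resolvers": unexpected_resolvers(log),
            "drivers": recently_modified_drivers(log, scan_time)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, "2010-09-24 07:47:26").items():
        print(key, value)
```

A flagged resolver or a system driver rewritten on the day of the scan is a lead to verify against the vendor's file hash, not proof of infection by itself.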

#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 24 September 2010 - 12:07 PM

Hello DaveFrench,



Let's see if we can throw a bomb at it and shake it loose.


This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to DaveFrench.exe and try again. If it still won't run, try it in safe mode.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 DaveFrench

  • Topic Starter
  • Members
  • 6 posts

Posted 24 September 2010 - 03:00 PM

The infected machine won't let me download. I downloaded to another machine, put the .exe on a thumb drive and put the file on the desktop. The infected machine won't let me execute the file using "combofix" directly or in safe mode. I renamed it in safe mode as suggested and tried executing it again. This time it tried to start. Almost immediately I received the following error message twice:

"Some files could not be created.
Please close all applications, reboot Windows and restart the installation"


I also got the usual message:
Svchost.exe - Application Error
The instruction at "0x001a61bb" referenced memory at "0x000000". The memory could not be "written".
Click on OK to terminate the program.
Click on CANCEL to debug the program.

I clicked on OK and stopped the computer.
I brought it up in safe mode to try again.

This time it ran for a bit and then I received the message:
the program cannot run because xxxxxxx program is missing. ( missed the program as the screen went away immediately)

I started typing this note and ComboFix began preparing to run??? the next message in the blue box said: attempting to create a new system restore point. I then got the same Svchost message as above. I will wait 5 minutes to see if ComboFix is still running and then hit OK to get rid of the message screen. The Svchost message appeared again. Both messages are on the screen.

I will send this reply and wait.

The screen

#4 DaveFrench

  • Topic Starter
  • Members
  • 6 posts

Posted 24 September 2010 - 04:32 PM

After waiting 30 minutes for any apparent, I hit the ‘OK’ on the first message. I used the Enter key and arrow keys to respond, not the mouse (keypad) as you said there could be a problem. The next message was “ERROR – you don’t seem to be connected to the internet (right). Kindly connect before checking OK” While I waited a bit, I got another svchost message.

Several messages appeared– and disappeared - in quick order from ComboFix. The current message is: “Scanning for infected files”

Rootkit message: Combofix has detected the presence of rootkit activity and needs to reboot the machine. (I hit OK)

I let it come up in regular mode, not SAFE mode. The ComboFix blue box came up before anything else. The first message is “ComboFix is preparing to run” (again?) It looks like it is doing the scan again.

Message: rootkit activity persists. Have to attempt other methods
ComboFix needs to reboot the machine again
Kindly note down on paper the data below. We may need it later

Service: WmiAcpi
File: C\windows\system32\drivers\wmaicpi.sys
I hit OK and the computer rebooted

Welcome screen came up; loaded personal settings

ComboFix blue box appeared; Completed stage_1-50 messages appeared
Reboot again

Welcome screen came up; loaded personal settings
ComboFix blue box appeared: messages:
Preparing Log Report.
Do not run any programs until ComboFix has finished
the log report is attached.

What next?


#5 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 25 September 2010 - 02:22 AM

Hello,

Sounds like ComboFix ran beautifully, actually. Everything you posted it was supposed to do, and it got the rootkit, which modifies legit files. Just to clarify for myself....you're getting svchost messages still? Even after the run and final reboot of ComboFix?

I see Malwarebytes on board.....please make sure it's updated and have a run with it. Please post the report in your reply, if there is anything to post.

All in all, how is it running now please?

Thanks,
tea

#6 DaveFrench

  • Topic Starter
  • Members
  • 6 posts

Posted 25 September 2010 - 09:46 AM

Good Morning. Actually there are still problems. Norton IS won't start. I had to shut it down to do all this fixing. I ran the 'defogger' to undo whatever it did before and IS still won't start. I can get Windows update to connect however. I will troubleshoot the IS problem. I guess if it isn't resolvable easily, I can just remove and reinstall.

#7 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 25 September 2010 - 09:56 AM

Good morning

That's actually why I was asking about the message you said you were getting....if the letters are slightly different, then Norton has become corrupt somehow because of the malware. The last log showed this might be a problem. I would try the uninstalling and reinstalling now, rather than later.

tea

#8 DaveFrench

  • Topic Starter
  • Members
  • 6 posts

Posted 25 September 2010 - 10:59 AM

I decided to let Norton take a crack at fixing it. The tech failed and in frustration put Norton IS 2011 on my system.
Everything looks normal. Thanks for all your help!

#9 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 25 September 2010 - 11:27 AM

You're most welcome. Glad all is well.

ITs aren't trained to deal with malware, so I know what you mean about his/her frustration.

Please delete ComboFix and its folder C:\Qoobox, empty your recycle bin and reboot.

Take care!
tea



#10 DaveFrench

  • Topic Starter
  • Members
  • 6 posts

Posted 25 September 2010 - 11:48 AM

Done.

#11 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 25 September 2010 - 11:58 AM

thumbup2.gif

#12 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 29 September 2010 - 02:14 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



