Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

tidserv response 2


  • Please log in to reply
5 replies to this topic

#1 billfid

billfid

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:57 AM

Posted 16 January 2011 - 09:35 AM

My computer, running XP Professional, has contracted tidserv response 2. Malwarebytes has found and removed some parts of it. However, I still cannot open in safe mode, I still get "blocked tidserv response 2 attack" from Norton (I have the basic version of Norton), and I cannot access my windows firewall. I've also had instances where WinHost32 has had to close, and one case of Firefox (my browser) closing unexpectedly. At this point I feel I need to get some more detailed suggestions for getting rid of this. Thanks. --Billfid

Update--after reading another thread on this topic here, I downloaded and ran TDSSKiller from Kaspersky. It found TDSS4 and seems to have removed it successfully. If I encounter further issues I will post them again, but it seems at this moment that I have been, as Jimmy Swaggert puts in, HEALED! -BF

Edited by billfid, 16 January 2011 - 12:28 PM.


BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,937 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:57 AM

Posted 16 January 2011 - 10:48 PM

Please post the complete results of your TDSSkiller scan for review.

After running TDSSkiller, a log file named TDSSKiller_version_date_time_log.txt will have been created and saved to the root directory (usually Local Disk C:). Open that file in notepad, then copy and paste the contents in your next reply.

Please download Malwarebytes' Anti-Malware (v1.50.1) and follow these instructions for doing a Quick Scan in normal mode.

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • After completing the scan, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab .
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

-- Some types of malware will target Malwarebytes Anti-Malware and other security tools to keep them from running properly. If that's the case, please refer to the suggestions provided in For those having trouble running Malwarebytes Anti-Malware as you may need to rename it or use RKill by Grinler.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 billfid

billfid
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:57 AM

Posted 17 January 2011 - 06:13 AM

2011/01/16 12:08:51.0896 TDSS rootkit removing tool 2.4.13.0 Jan 12 2011 09:51:11
2011/01/16 12:08:51.0896 ================================================================================
2011/01/16 12:08:51.0896 SystemInfo:
2011/01/16 12:08:51.0896
2011/01/16 12:08:51.0896 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/16 12:08:51.0906 Product type: Workstation
2011/01/16 12:08:51.0906 ComputerName: WNH
2011/01/16 12:08:51.0906 UserName: billfid
2011/01/16 12:08:51.0906 Windows directory: C:\WINDOWS
2011/01/16 12:08:51.0906 System windows directory: C:\WINDOWS
2011/01/16 12:08:51.0906 Processor architecture: Intel x86
2011/01/16 12:08:51.0906 Number of processors: 1
2011/01/16 12:08:51.0906 Page size: 0x1000
2011/01/16 12:08:51.0906 Boot type: Normal boot
2011/01/16 12:08:51.0906 ================================================================================
2011/01/16 12:08:52.0927 Initialize success
2011/01/16 12:09:04.0604 ================================================================================
2011/01/16 12:09:04.0604 Scan started
2011/01/16 12:09:04.0604 Mode: Manual;
2011/01/16 12:09:04.0604 ================================================================================
2011/01/16 12:09:05.0706 acfva (426b4845468b690cfeeb268488d3aa0b) C:\WINDOWS\system32\DRIVERS\ACFVA32.sys
2011/01/16 12:09:05.0826 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/16 12:09:05.0936 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/01/16 12:09:06.0156 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/01/16 12:09:06.0287 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/01/16 12:09:06.0777 aliadwdm (065a6d38a79216592de03f3525d6296e) C:\WINDOWS\system32\drivers\ac97ali.sys
2011/01/16 12:09:06.0927 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/01/16 12:09:07.0518 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/16 12:09:07.0648 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/16 12:09:07.0909 ati2mtag (83f24e252908e59c4a7ef203bf7f4c02) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/01/16 12:09:08.0039 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/16 12:09:08.0179 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/16 12:09:08.0360 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/01/16 12:09:08.0550 CALIAUD (ecdde6089b366b7e6c8f3e7119c60040) C:\WINDOWS\system32\drivers\caliaud.sys
2011/01/16 12:09:08.0630 CALIHALA (fa2f5dbe2804803972052636693e80a1) C:\WINDOWS\system32\drivers\calihal.sys
2011/01/16 12:09:08.0740 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/16 12:09:08.0990 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/16 12:09:09.0201 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/16 12:09:09.0391 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/16 12:09:09.0752 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/01/16 12:09:09.0892 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/01/16 12:09:10.0513 dgcfltr (ff2cfb06e8019e5bed0497cd629a4bd5) C:\WINDOWS\system32\DRIVERS\ACFDCP32.sys
2011/01/16 12:09:10.0693 DirectPort (4545fd33bbbe37848a721cb002afeb80) C:\WINDOWS\system32\Drivers\DirectPort.sys
2011/01/16 12:09:10.0873 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/16 12:09:11.0113 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/16 12:09:11.0314 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/01/16 12:09:11.0474 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/16 12:09:11.0634 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/16 12:09:11.0885 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/16 12:09:12.0145 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/01/16 12:09:12.0325 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/01/16 12:09:12.0736 FA312 (aa855fb8a866281aacb393c1feab91ae) C:\WINDOWS\system32\DRIVERS\FA312nd5.sys
2011/01/16 12:09:12.0846 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/16 12:09:13.0036 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/01/16 12:09:13.0126 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/16 12:09:13.0237 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/01/16 12:09:13.0397 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/16 12:09:13.0657 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/16 12:09:13.0767 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/16 12:09:13.0907 GEARAspiWDM (32a73a8952580b284a47290adb62032a) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/01/16 12:09:13.0998 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/16 12:09:14.0178 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\drivers\hidusb.sys
2011/01/16 12:09:14.0358 HPCI (708f5d243ce450bc937dedabd39d3600) C:\WINDOWS\system32\DRIVERS\hpci.sys
2011/01/16 12:09:14.0639 HSFHWALI (479d9d93af53338db162a9ab23776a63) C:\WINDOWS\system32\DRIVERS\HSFHWALI.sys
2011/01/16 12:09:14.0809 HSF_DP (9b731969ba86d9a3ca55638264603e12) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2011/01/16 12:09:15.0189 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/16 12:09:15.0660 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/01/16 12:09:15.0820 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/16 12:09:15.0970 InCDfs (b87fc7c71632240dac8f4d20e9ce8377) C:\WINDOWS\system32\drivers\InCDfs.sys
2011/01/16 12:09:16.0061 InCDPass (2e878405128ec98886eb9c2216ac7bd6) C:\WINDOWS\system32\DRIVERS\InCDPass.sys
2011/01/16 12:09:16.0181 InCDrec (ddf078917a42f105385d7eb6debb3433) C:\WINDOWS\system32\drivers\InCDrec.sys
2011/01/16 12:09:16.0291 incdrm (7f352360e947ad2cd4ba60de27b1a299) C:\WINDOWS\system32\drivers\incdrm.sys
2011/01/16 12:09:16.0651 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/01/16 12:09:16.0762 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/16 12:09:16.0912 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/16 12:09:17.0052 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/16 12:09:17.0172 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/16 12:09:17.0312 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/16 12:09:17.0433 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/16 12:09:17.0603 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/16 12:09:17.0773 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/16 12:09:17.0903 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\drivers\kbdhid.sys
2011/01/16 12:09:18.0043 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/16 12:09:18.0134 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/16 12:09:18.0584 mdmxsdk (1968508adb20192a03a30c25f16db506) C:\WINDOWS\system32\DRIVERS\ACFSDK32.sys
2011/01/16 12:09:18.0734 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/16 12:09:18.0905 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/16 12:09:19.0025 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/01/16 12:09:19.0135 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/16 12:09:19.0295 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/16 12:09:19.0796 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/16 12:09:19.0996 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/16 12:09:20.0307 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/16 12:09:20.0497 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/16 12:09:20.0607 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/16 12:09:20.0707 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/16 12:09:20.0857 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/16 12:09:20.0988 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/16 12:09:21.0288 NAVENG (c8ef74e4d8105b1d02d58ea4734cf616) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110112.002\NAVENG.SYS
2011/01/16 12:09:21.0458 NAVEX15 (94b3164055d821a62944d9fe84036470) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110112.002\NAVEX15.SYS
2011/01/16 12:09:21.0709 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/16 12:09:22.0280 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/16 12:09:22.0380 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/16 12:09:22.0510 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/16 12:09:22.0640 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/01/16 12:09:22.0760 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/16 12:09:22.0940 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/16 12:09:23.0211 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/16 12:09:23.0341 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/16 12:09:23.0481 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/16 12:09:23.0611 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/16 12:09:23.0752 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/16 12:09:23.0882 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/01/16 12:09:24.0032 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/16 12:09:24.0423 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/16 12:09:24.0573 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/16 12:09:24.0953 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/01/16 12:09:25.0895 pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys
2011/01/16 12:09:26.0035 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/16 12:09:26.0285 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/16 12:09:26.0526 pssnap (599dac0114eaf8edaf88b44d0c6183f6) C:\WINDOWS\system32\DRIVERS\pssnap.sys
2011/01/16 12:09:26.0656 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/16 12:09:27.0207 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/16 12:09:27.0407 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/16 12:09:27.0517 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/16 12:09:27.0627 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/16 12:09:27.0757 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/16 12:09:27.0868 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/16 12:09:28.0078 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/01/16 12:09:28.0228 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/16 12:09:28.0468 RDWM1005 (ee0d131104745820e6d039df5c513e49) C:\WINDOWS\system32\Drivers\rdwm1005.sys
2011/01/16 12:09:28.0839 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/16 12:09:29.0250 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/16 12:09:29.0520 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/01/16 12:09:29.0630 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/01/16 12:09:29.0830 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2011/01/16 12:09:30.0151 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
2011/01/16 12:09:30.0541 SPBBCDrv (cdea9a0a0e547fef4c44ccae35a9b09c) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
2011/01/16 12:09:30.0822 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/16 12:09:30.0992 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/16 12:09:31.0162 SRTSP (655773f2f1a3730c6cf20280a49f4ee1) C:\WINDOWS\system32\Drivers\SRTSP.SYS
2011/01/16 12:09:31.0353 SRTSPL (2a0aaf370d4c6574a34ae2f4a0709cae) C:\WINDOWS\system32\Drivers\SRTSPL.SYS
2011/01/16 12:09:31.0863 SRTSPX (3104bdceace2d5710776dd05e6a286c1) C:\WINDOWS\system32\Drivers\SRTSPX.SYS
2011/01/16 12:09:32.0034 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/16 12:09:32.0244 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/16 12:09:32.0334 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/16 12:09:32.0805 SYMDNS (51b57cda977170ac608d839dbfa1d3ee) C:\WINDOWS\System32\Drivers\SYMDNS.SYS
2011/01/16 12:09:33.0025 SymEvent (06b95820df51502099a8a15c93e87986) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2011/01/16 12:09:33.0155 SYMFW (a131d8360b01044517aa44529e2137d6) C:\WINDOWS\System32\Drivers\SYMFW.SYS
2011/01/16 12:09:33.0295 SYMIDS (2b77868f02dae02103380b824431b798) C:\WINDOWS\System32\Drivers\SYMIDS.SYS
2011/01/16 12:09:33.0596 SYMIDSCO (2133d1f879b280121b0e6a7d34b24a02) C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20110114.002\SymIDSCo.sys
2011/01/16 12:09:33.0686 SYMNDIS (799282f4a913ca51197c9cdd34d403d6) C:\WINDOWS\System32\Drivers\SYMNDIS.SYS
2011/01/16 12:09:34.0016 SYMREDRV (394b2368212114d538316812af60fddd) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
2011/01/16 12:09:34.0167 SYMTDI (d46676bb414c7531bdffe637a33f5033) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
2011/01/16 12:09:34.0517 SynTP (23fe1f173996b8bad4b9ed74003676d8) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/01/16 12:09:34.0627 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/16 12:09:34.0898 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/16 12:09:35.0068 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/16 12:09:35.0218 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/16 12:09:35.0388 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/16 12:09:35.0699 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/16 12:09:35.0989 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/16 12:09:36.0180 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/01/16 12:09:36.0340 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/01/16 12:09:36.0490 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/16 12:09:36.0610 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/01/16 12:09:36.0750 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/01/16 12:09:36.0881 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/01/16 12:09:37.0051 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINDOWS\system32\DRIVERS\usbser.sys
2011/01/16 12:09:37.0251 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/16 12:09:38.0042 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/16 12:09:38.0293 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/16 12:09:38.0563 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/16 12:09:38.0953 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/16 12:09:39.0344 winachsf (3a2c273922037971f9e7a0ab549b8b0e) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/01/16 12:09:39.0544 WinPhlash (1a0a95b1c9aeed08c3a65432ff640e67) c:\SWSetup\sp30455\PHLASHNT.SYS
2011/01/16 12:09:40.0045 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/16 12:09:40.0075 ================================================================================
2011/01/16 12:09:40.0075 Scan finished
2011/01/16 12:09:40.0075 ================================================================================
2011/01/16 12:09:40.0175 Detected object count: 1
2011/01/16 12:10:17.0168 \HardDisk0 - will be cured after reboot
2011/01/16 12:10:17.0168 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/01/16 12:10:23.0658 Deinitialize success


I don't plan on doing anything more unless other symptoms appear. I had already run Malwarebytes before doing the TDSS scan, and it had found one tidserv and quarantined it. Below is the Malwarebytes log which found the problem:

www.malwarebytes.org

Database version: 5524

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

1/15/2011 10:18:25 AM
mbam-log-2011-01-15 (10-18-25).txt

Scan type: Quick scan
Objects scanned: 157385
Time elapsed: 12 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\billfid\local settings\temporary internet files\Content.IE5\H23TH16N\load[1].php (Rootkit.TDSS) -> Quarantined and deleted successfully.

Edited by billfid, 17 January 2011 - 06:18 AM.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,937 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:57 AM

Posted 17 January 2011 - 02:14 PM

This is the pertinent section of the log which indicates a TDSS rootkit infected the Master Boot Record (MBR) and that it will be cured after reboot.

2011/01/16 12:09:40.0045 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/16 12:09:40.0075 ================================================================================
2011/01/16 12:09:40.0075 Scan finished
2011/01/16 12:09:40.0075 ================================================================================
2011/01/16 12:09:40.0175 Detected object count: 1
2011/01/16 12:10:17.0168 \HardDisk0 - will be cured after reboot
2011/01/16 12:10:17.0168 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

This particular malware alters the MBR of the system drive to ensure persistent execution of malicious code. Essentially, it overwrites the MBR of the hard disk with its own code and stores a copy of the original MBR at another sector using rootkit techniques to hide itself. For more specific analysis and explanation of the infection, please refer to:Please reboot if you have not done so already. Rerun TDSSKiller again and post the new log to confirm the infection was cured.

Also let me know how your computer is running and if there are any more signs of infection, strange audio ads, unwanted pop-ups, security alerts, or browser redirects.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 billfid

billfid
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:57 AM

Posted 19 January 2011 - 10:00 AM

I ran TDSSKiller again per your request. The scan was clean. There are no further signs of problems on my computer at this time.

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,937 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:57 AM

Posted 19 January 2011 - 10:03 AM

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Posted Image > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Posted Image > Run... and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links:
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users