
Infected with Boot.Tidserv TDSS rootkit virus


6 replies to this topic

#1 jwil

jwil

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:51 AM

Posted 01 December 2011 - 02:25 PM

Hello,

Norton antivirus is telling me that my Windows 7 pc is infected with Boot.Tidserv. I was experiencing some of the usual symptoms - search engine redirects, etc - and was not able to remove with either Norton, NPE, FixTDSS, or MBAM. A Norton technician advised me to wipe the hard drive and reinstall the OS. I did this, and after reinstalling Norton a full scan revealed Boot.Tidserv still infecting the PC. Norton directed me to try NPE and FixTDSS again, which were ineffective. I am also running the full version of MBAM and a full scan does not register the infection. I have also tried Kaspersky's tdsskiller which also does not register the infection.

I am not experiencing any overt symptoms but Norton scans continue to show it as an infection. I understand that Boot.Tidserv can survive OS reinstalls and I have been unable to resolve it with any of my usual tools. I have copied below and attached the DDS files as requested; please note that I am running 64 bit so did not run GMER. Any advice is greatly appreciated - thanks very much!

Thanks,
Jeremy

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by Jeremy at 14:03:54 on 2011-12-01
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3835.1413 [GMT -5:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Norton Utilities 15\Tools\Disk Doctor\DiskDoctorSrv.exe
C:\Program Files (x86)\Launch Manager\dsiwmis.exe
C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe
C:\Program Files (x86)\Gateway\Registration\GREGsvc.exe
C:\Program Files (x86)\Norton Internet Security\Engine\19.2.0.10\ccSvcHst.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
C:\Program Files (x86)\Norton Utilities 15\Tools\Disk Doctor\DiskDoctorSrvProxy.exe
C:\Program Files (x86)\Norton Utilities 15\Tools\SpeedDisk\SpeedDiskSrv.exe
C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
C:\Program Files (x86)\Norton Utilities 15\Tools\SpeedDisk\SpeedDiskSrvProxy.exe
C:\Program Files (x86)\Norton Internet Security\Engine\19.2.0.10\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\PLFSetI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files (x86)\Video Web Camera\traybar.exe
C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Launch Manager\LMworker.exe
C:\Program Files\Gateway\Gateway Power Management\ePowerEvent.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\SysWow64\Macromed\Flash\FlashUtil10e.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\msiexec.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=nv53a&r=273611114745l0584z185a4492d40o
mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=nv53a&r=273611114745l0584z185a4492d40o
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=nv53a&r=273611114745l0584z185a4492d40o
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.2.0.10\coIEPlg.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\19.2.0.10\IPS\IPSBHO.DLL
BHO: Partner BHO Class: {83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} - C:\ProgramData\Partner\Partner.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\19.2.0.10\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun: [Camera Assistant Software] "C:\Program Files (x86)\Video Web Camera\traybar.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~2\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.0.cab
TCP: DhcpNameServer = 10.0.1.1
TCP: Interfaces\{5B38AD80-20AC-4E8B-8F7E-557FAB38B61B} : DhcpNameServer = 10.0.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.2.0.10\coIEPlg.dll
BHO-X64: Norton Identity Protection - No File
BHO-X64: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\19.2.0.10\IPS\IPSBHO.DLL
BHO-X64: Norton Vulnerability Protection - No File
BHO-X64: Partner BHO Class: {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\Partner.dll
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\19.2.0.10\coIEPlg.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mRun-x64: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k
mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun-x64: [Camera Assistant Software] "C:\Program Files (x86)\Video Web Camera\traybar.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NISx64\1302000.00A\SYMDS64.SYS --> C:\Windows\system32\drivers\NISx64\1302000.00A\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NISx64\1302000.00A\SYMEFA64.SYS --> C:\Windows\system32\drivers\NISx64\1302000.00A\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20111123.001\BHDrvx64.sys [2011-11-23 1156216]
R1 ccSet_NIS;Norton Internet Security Settings Manager;C:\Windows\system32\drivers\NISx64\1302000.00A\ccSetx64.sys --> C:\Windows\system32\drivers\NISx64\1302000.00A\ccSetx64.sys [?]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20111130.001\IDSviA64.sys [2011-11-30 488568]
R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NISx64\1302000.00A\Ironx64.SYS --> C:\Windows\system32\drivers\NISx64\1302000.00A\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\NISx64\1302000.00A\SYMNETS.SYS --> C:\Windows\system32\Drivers\NISx64\1302000.00A\SYMNETS.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 DiskDoctorService;Norton Disk Doctor Service;C:\Program Files (x86)\Norton Utilities 15\Tools\Disk Doctor\DiskDoctorSrv.exe [2011-11-30 1029480]
R2 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2010-6-25 325200]
R2 ePowerSvc;Acer ePower Service;C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe [2011-11-30 867360]
R2 GREGService;GREGService;C:\Program Files (x86)\Gateway\Registration\GREGsvc.exe [2010-1-8 23584]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-11-30 366152]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\19.2.0.10\ccsvchst.exe [2011-11-30 138760]
R2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2010-3-8 250368]
R2 SpeedDiskService;Norton SpeedDisk Service;C:\Program Files (x86)\Norton Utilities 15\Tools\SpeedDisk\SpeedDiskSrv.exe [2011-11-30 1037672]
R2 Updater Service;Updater Service;C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe [2010-6-25 243232]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atipmdag.sys --> C:\Windows\system32\DRIVERS\atipmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-30 138360]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-11-30 135664]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-11-30 135664]
S3 Partner Service;Partner Service;C:\ProgramData\Partner\Partner.exe [2010-6-25 332272]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
S3 SymDSMon;SymDSMon;\??\C:\Windows\system32\drivers\SymDSMon.sys --> C:\Windows\system32\drivers\SymDSMon.sys [?]
S3 SYMSpeedDisk;SYMSpeedDisk;C:\Windows\System32\drivers\SymSpeedDisk.sys [2011-11-30 108800]
.
=============== Created Last 30 ================
.
2011-12-01 18:40:33 -------- d-----w- C:\Program Files (x86)\Microsoft Analysis Services
2011-12-01 18:39:25 -------- d-----w- C:\Users\Jeremy\AppData\Local\Microsoft Help
2011-12-01 15:06:45 -------- d-----w- C:\Users\Jeremy\Tracing
2011-12-01 14:35:03 -------- d-----w- C:\ProgramData\Applications
2011-11-30 23:07:48 -------- d-----w- C:\Users\Jeremy\AppData\Roaming\WildTangent
2011-11-30 23:06:18 -------- d-----w- C:\Users\Jeremy\AppData\Roaming\Malwarebytes
2011-11-30 23:06:12 -------- d-----w- C:\ProgramData\Malwarebytes
2011-11-30 23:06:09 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-11-30 23:06:09 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-11-30 22:35:10 -------- d-----w- C:\Users\Jeremy\AppData\Local\CrashDumps
2011-11-30 22:14:35 0 ----a-w- C:\Windows\ativpsrm.bin
2011-11-30 22:12:13 -------- d-----w- C:\Windows\SysWow64\RTCOM
2011-11-30 22:09:53 -------- d-----w- C:\Program Files\ATI
2011-11-30 22:09:51 -------- d-----w- C:\Program Files (x86)\ATI Technologies
2011-11-30 21:41:27 -------- d-----w- C:\Windows\NAPP_Dism_Log
2011-11-30 21:18:41 -------- d-----w- C:\Users\Jeremy\AppData\Roaming\Norton Utilities
2011-11-30 21:06:38 401016 ----a-w- C:\Windows\System32\drivers\NISx64\1302000.00A\symnets.sys
2011-11-30 21:06:37 729720 ----a-w- C:\Windows\System32\drivers\NISx64\1302000.00A\srtsp64.sys
2011-11-30 21:06:37 451192 ----a-r- C:\Windows\System32\drivers\NISx64\1302000.00A\symds64.sys
2011-11-30 21:06:37 37496 ----a-w- C:\Windows\System32\drivers\NISx64\1302000.00A\srtspx64.sys
2011-11-30 21:06:37 189560 ----a-w- C:\Windows\System32\drivers\NISx64\1302000.00A\ironx64.sys
2011-11-30 21:06:37 167048 ----a-w- C:\Windows\System32\drivers\NISx64\1302000.00A\ccsetx64.sys
2011-11-30 21:06:37 1084024 ----a-w- C:\Windows\System32\drivers\NISx64\1302000.00A\symefa64.sys
2011-11-30 21:06:30 -------- d-----w- C:\Windows\System32\drivers\NISx64\1302000.00A
2011-11-30 20:51:54 220672 ----a-w- C:\Windows\System32\wintrust.dll
2011-11-30 20:51:54 172032 ----a-w- C:\Windows\SysWow64\wintrust.dll
2011-11-30 20:51:54 139264 ----a-w- C:\Windows\System32\cabview.dll
2011-11-30 20:51:54 132608 ----a-w- C:\Windows\SysWow64\cabview.dll
2011-11-30 20:48:58 -------- d-----w- C:\Users\Jeremy\AppData\Local\Google
2011-11-30 20:01:17 4398360 ----a-w- C:\Windows\System32\d3dx9_32.dll
2011-11-30 20:01:17 3426072 ----a-w- C:\Windows\SysWow64\d3dx9_32.dll
2011-11-30 20:00:58 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2011-11-30 20:00:02 -------- d-----w- C:\Program Files (x86)\Microsoft
2011-11-30 19:59:43 -------- d-----w- C:\Program Files (x86)\Windows Live SkyDrive
2011-11-30 19:59:07 -------- d-----w- C:\Windows\PCHEALTH
2011-11-30 19:58:53 74520 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\7c9bcff71ccaf9a\DSETUP.dll
2011-11-30 19:58:53 484632 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\7c9bcff71ccaf9a\DXSETUP.exe
2011-11-30 19:58:53 1670936 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\7c9bcff71ccaf9a\dsetup32.dll
2011-11-30 19:58:25 141402440 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\wlc871A.tmp
2011-11-30 19:58:15 -------- d-----w- C:\Program Files (x86)\Common Files\Windows Live
2011-11-30 19:57:12 206208 ----a-w- C:\Windows\PLFSetI.exe
2011-11-30 19:57:09 -------- d-----w- C:\Program Files (x86)\Video Web Camera
2011-11-30 19:56:32 -------- d-----w- C:\Program Files\Synaptics
2011-11-30 19:56:05 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2011-11-30 19:53:28 -------- d-----w- C:\Program Files (x86)\Common Files\CyberLink
2011-11-30 19:51:52 505128 ----a-w- C:\Windows\SysWow64\msvcp71.dll
2011-11-30 19:51:52 353576 ----a-w- C:\Windows\SysWow64\msvcr71.dll
2011-11-30 19:51:52 29480 ----a-w- C:\Windows\SysWow64\msxml3a.dll
2011-11-30 19:47:55 -------- d-----w- C:\Program Files (x86)\Launch Manager
2011-11-30 19:47:53 -------- d-----w- C:\Users\Jeremy\AppData\Local\ATI
2011-11-30 19:46:51 -------- d-----w- C:\Users\Jeremy\AppData\Local\Packard Bell
2011-11-30 19:46:46 174200 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2011-11-30 19:46:45 -------- d-----w- C:\Program Files\Symantec
2011-11-30 19:46:45 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2011-11-30 19:34:57 -------- d-----w- C:\Users\Jeremy\AppData\Local\VirtualStore
2011-11-30 19:24:28 -------- d-----w- C:\Program Files (x86)\OEM
2011-11-30 19:24:14 -------- d-----w- C:\ProgramData\OEM_E471269A730D
.
==================== Find3M ====================
.
2011-11-30 22:13:29 6 ----a-w- C:\Windows\System32\PLD_Framework.cmd
.
============= FINISH: 14:04:52.79 ===============

Attached Files


Edited by jwil, 01 December 2011 - 02:28 PM.



#2 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:12:51 AM

Posted 04 December 2011 - 12:08 PM

Hi jwil,



Welcome to the BleepingComputer Virus, Trojan, Spyware, and Malware Removal Logs Forum.
My name is sundavis. I will be helping you to deal with your malware problems today.

Click the Win7 Start logo > type diskmgmt.msc in the search box and press Enter > Disk Management should open.

Take a screenshot of the whole Disk Management window and attach that picture in your next reply. For more info: this thread. We will start from that. Thanks.

#3 jwil

jwil
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:51 AM

Posted 04 December 2011 - 08:13 PM

Hi sundavis,

Thanks in advance for your help. I've attached the disk management screenshot as you requested. Let me know what else you need and I'll get right on it.

Thanks!
Jeremy

Attached Files



#4 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:12:51 AM

Posted 04 December 2011 - 11:27 PM

Hi jwil,




Thanks for the screenshot, but it isn't really complete. Did you notice any unallocated partitions in the Disk Management window? If yes, stop all actions and let me know.

If not, do you have any idea about the odd partition, which has only 1 MB capacity, among the 4 partitions? If not, it seems to have been created by the malware variant. Then please proceed with the following:



Step 1

  • Please download the Minitool bootable CD ISO file from Here to your desktop.
  • Place a blank CD in your CD-ROM drive to burn the ISO to a bootable CD. If you need a free burner, please go to Here.
  • Boot the computer using the boot CD you just created. In order to do so, the computer must be set to boot from the CD first.
  • Note: for information click Here.
  • When the boot sequence is complete, please proceed to Step 2 below:


Step 2

  • Please insert your Minitool bootable CD into the CD/DVD drive.
  • Make sure you have set the boot sequence to boot from the CD first.
  • Please select boot from Partition Wizard Boot Disc first and press Enter when the following picture appears:

    Posted Image
  • Please choose the following screen resolution. You may select 1 and press Enter:

    Posted Image
  • The Partition Wizard GUI should appear. Click on Disk 1 and select the odd partition (only 1 MB capacity; it may be shown as Unallocated in the File System column), then click Partitions in the top menu » click Delete.

    Click Yes when the prompt appears and press Apply at the bottom left. For more info: consult this thread.


    CAUTION: Do not select the wrong partition. That may cause the PC to be unbootable.


    Posted Image
  • When done, click on the General menu and press the Exit button. Remove the bootable CD from the CD/DVD drive and reboot normally.
  • After that, give me a new Disk Management screenshot in your next reply.



Step 3

I also notice you have MBAM installed on your system. Please rerun it as instructed below. If you can't update the program, you can download the virus definitions from Here and install them manually.
  • Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • You can refer to this tutorial.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



In your next reply, please post back:

1. Disk Management screenshot
2. MBAM log

Let me know if you have any remaining issues on your pc.

Edited by sundavis, 05 December 2011 - 02:21 AM.
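The check sundavis asks the poster to do by eye in Step 2 (spot a partition of only 1 MB, possibly shown as Unallocated in the File System column, among the expected ones) can be scripted. The following is an added example written for this thread; it is not code from BleepingComputer, MiniTool or Malwarebytes. It reads a constructed, Disk Management-style listing (one partition per line: index | label | file system | size), and the 2 MB threshold is an assumption chosen to catch the 1 MB case without flagging normal OEM or system partitions.

```python
"""
Flag odd partitions in a disk layout, e.g. a tiny "Unallocated" entry.

Added example for this thread; not code from BleepingComputer, MiniTool or
Malwarebytes. The input format (index | label | file system | size) is a
constructed, Disk Management-style listing, and the 2 MB threshold is an
assumption.
"""
import re
from dataclasses import dataclass

# Constructed sample; NOT the poster's actual disk layout.
SAMPLE_LAYOUT = """\
1 | System Reserved | NTFS        | 100 MB
2 | OS (C:)         | NTFS        | 297.5 GB
3 | PQSERVICE       | NTFS        | 13 GB
4 |                 | Unallocated | 1 MB
"""

UNIT_TO_MB = {"KB": 1 / 1024, "MB": 1.0, "GB": 1024.0, "TB": 1024.0 * 1024}
TINY_PARTITION_MB = 2.0          # assumption: anything this small deserves a look
NO_FILESYSTEM = {"", "unallocated", "raw"}


@dataclass
class Partition:
    index: int
    label: str
    filesystem: str
    size_mb: float


def parse_size(text: str) -> float:
    """'297.5 GB' -> 304640.0 (megabytes)."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(KB|MB|GB|TB)\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return float(m.group(1)) * UNIT_TO_MB[m.group(2).upper()]


def parse_layout(text: str) -> list[Partition]:
    """Parse the pipe-separated listing into Partition records."""
    partitions = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4:
            raise ValueError(f"expected 4 fields, got {len(fields)}: {line!r}")
        index, label, filesystem, size = fields
        partitions.append(Partition(int(index), label, filesystem, parse_size(size)))
    return partitions


def suspicious_partitions(partitions: list[Partition]) -> list[tuple[Partition, list[str]]]:
    """Return each partition that is tiny or has no recognised file system,
    together with the reasons it was flagged."""
    findings = []
    for p in partitions:
        reasons = []
        if p.size_mb <= TINY_PARTITION_MB:
            reasons.append(f"only {p.size_mb:g} MB")
        if p.filesystem.lower() in NO_FILESYSTEM:
            reasons.append(f"no recognised file system ({p.filesystem or 'blank'})")
        if reasons:
            findings.append((p, reasons))
    return findings


def report(text: str) -> str:
    """Human-readable summary; returned as a string so it can be logged or tested."""
    lines = []
    for p, reasons in suspicious_partitions(parse_layout(text)):
        lines.append(f"partition {p.index} ({p.label or 'no label'}): " + "; ".join(reasons))
    return "\n".join(lines) if lines else "no suspicious partitions"


if __name__ == "__main__":
    print(report(SAMPLE_LAYOUT))
```

A flagged entry is a prompt for a closer look, not proof of infection: compare it against the machine maker's documented partition layout before deleting anything, for the same reason the CAUTION above gives.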


#5 jwil

jwil
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:51 AM

Posted 06 December 2011 - 02:12 PM

Hi sundavis,

I did as instructed and am no longer seeing the infection. Note that MBAM was not detecting the infection earlier either, but Norton was and those scans are now showing clean. I've attached the updated disk management screenshot and MBAM scan log below. I think I'm good now - thanks very much for your help. Please let me know if there's anything else I should do.

Thanks,
Jeremy

Attached Files



#6 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:12:51 AM

Posted 06 December 2011 - 05:02 PM

Hi jwil,




That sounds good. Since the culprit is gone, your system appears clean now. If you have no remaining issues on your PC, let's do some tidying up and we can send you on your way.

Please delete all the logs and tools we have used and install Java from Here. Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:


  • Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  • Update all programs regularly - Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  • Back up your valid registry - ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore it if needed. Due to malware effects, a corrupt registry can prevent a system from booting. You're well advised to back up your valid registry while the system is clean now. For more info: Here and Here.


Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here on how to prevent malware.


Glad to be of help. Safe surfing!!

#7 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:12:51 AM

Posted 08 December 2011 - 09:54 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



