
Tidserv Activity 2


  • This topic is locked
36 replies to this topic

#1 rickinariz

  • Members
  • 22 posts

Posted 14 January 2012 - 02:01 PM

I can't seem to post here. I am not including my DDS log or anything else until I can see a post. Sorry for the confusion.



#2 rickinariz

  • Topic Starter
  • Members
  • 22 posts

Posted 14 January 2012 - 02:13 PM

Here is the Attach file. I hope

#3 rickinariz

  • Topic Starter
  • Members
  • 22 posts

Posted 14 January 2012 - 02:16 PM

The post won't go through with my DDS file copy-pasted in, or my attach file attached. Perhaps the administrator can help me out.

Thank you for your time.

Rick

#4 rickinariz

  • Topic Starter
  • Members
  • 22 posts

Posted 15 January 2012 - 04:40 PM

I got a Norton popup that said "Threat requiring manual removal detected: System Infected: Tidserv Activity 2". I ran the Norton tool, or tried to. The tool reboots your computer when it runs, and it would only boot back up in Safe Mode, so I did. I ran the tool again in Safe Mode, and when it re-booted this time, I had a normal Win XP "Welcome" screen. When I logged into my desktop (I am an Admin) there was a popup asking if I wanted to run "FixTDSS.exe". I clicked Run. Another dialog box says "Scanning your system, this will take some time...". I let the tool run and when it's done, it says "Backdoor.Tidserv has not been found on this computer." But I still have the Norton popup. As part of the preparation for this post, I tried to run gmer. I get the opening dialog for a second then another blue screen: "A problem has been detected and Windows has been shut down to prevent damage to your computer. BAD_POOL_HEADER If this is the first time you have seen this..." The message ends with STOP: 0x00000019 (0x00000020, 0x88CFD000, 0x88CFD828, 0x1B050000). So, I could not make a gmer file to post. This thing is so nasty, I could not post with dds or attach from the infected machine. I sent it all as plain text email to my daughter's laptop to post from there.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_18
Run by Rick Yost at 13:15:35 on 2012-01-15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.1850 [GMT
-7:00]
.
AV: Norton Internet Security *Enabled/Updated*
{E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\EaseUS\Todo Backup\bin\Agent.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\EaseUS\Todo Backup\bin\EuWatch.exe
C:\Program Files\EaseUS\Todo Backup\bin\TrayNotify.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\Documents and Settings\Rick Yost\Local Settings\Application
Data\Google\Update\GoogleUpdate.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} -
c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} -
c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} -
c:\windows\system32\dla\tfswshx.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program
files\norton internet security\engine\18.6.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} -
c:\program files\norton internet security\engine\18.6.0.29\ips\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} -
c:\progra~1\micros~3\office14\GROOVEEX.DLL
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} -
c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} -
c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} -
c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} -
c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - No File
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program
files\norton internet security\engine\18.6.0.29\coIEPlg.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat
7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
uRun: [swg] "c:\program
files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [AutoStartNPSAgent] "c:\program files\samsung\samsung new pc
studio\NPSAgent.exe"
uRun: [Google Update] "c:\documents and settings\rick yost\local
settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe"
c:\windows\system32\NvCpl.dll,NvStartup
mRun: [BCMSMMSG] "c:\windows\BCMSMMSG.exe"
mRun: [dla] "c:\windows\system32\dla\tfswctrl.exe"
mRun: [DVDSentry] "c:\windows\system32\DSentry.exe"
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe"
startup
mRun: [UpdReg] "c:\windows\UpdReg.EXE"
mRun: [TkBellExe] "c:\program files\common
files\real\update_ob\realsched.exe" -osboot
mRun: [Iomega Startup Options] c:\program files\iomega\common\ImgStart.exe
mRun: [Iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe
mRun: [EPSON Stylus CX5400]
"c:\windows\system32\spool\drivers\w32x86\3\E_S4I2G1.EXE" /P19 "EPSON Stylus
CX5400" /O6 "USB001" /M "Stylus CX5400"
mRun: [UpdateManager] "c:\program files\common files\sonic\update
manager\sgtray.exe" /r
mRun: [EPSON Stylus CX5400 (Copy 1)]
"c:\windows\system32\spool\drivers\w32x86\3\E_S4I2G1.EXE" /P28 "EPSON Stylus
CX5400 (Copy 1)" /O6 "USB002" /M "Stylus CX5400"
mRun: [Auto EPSON Stylus CX5400 on MIKE]
"c:\windows\system32\spool\drivers\w32x86\3\e_s4i2g1.exe" /p32 "auto epson
stylus cx5400 on mike" /o15 "\\mike\Printer2" /M "Stylus CX5400"
mRun: [ISUSPM] "c:\program files\common
files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java
update\jusched.exe"
mRun: [Intuit SyncManager] "c:\program files\common
files\intuit\sync\IntuitSyncManager.exe" startup
mRun: [avast5] "c:\progra~1\alwils~1\avast5\avastUI.exe" /nogui
mRun: [nwiz] "nwiz.exe" /install
mRun: [NvMediaCenter] "RUNDLL32.EXE"
c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NPSStartup]
mRun: [EaseUs Watch] "c:\program files\easeus\todo backup\bin\EuWatch.exe"
mRun: [EaseUs Tray] "c:\program files\easeus\todo backup\bin\TrayNotify.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe"
/DelayServices
mRun: [APSDaemon] "c:\program files\common files\apple\apple application
support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader
9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk -
c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-explorer: <NO NAME> =
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network
Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program
files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} -
{48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft
office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} -
{FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft
office\office14\ONBttnIELinkedNotes.dll
LSP: mswsock.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} -
hxxp://usercenter.cox.net/rsuite/sdccommon/asp/cx_tgctlcm.jsp
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} -
hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} -
hxxp://download.mcafee.com/molbin/Shared/ComCtl32/6,0,80,22/ComCtl32.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} -
hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72
a0465/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} -
hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {4B48D5DF-9021-45F7-A240-60304302A215} -
hxxp://www.microsoft.com/security/controls/WebCleaner.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.ca
b
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -
hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muwe
b_site.cab?1124038928000
DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} -
hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -
hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim
.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37998.937847
2222
DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} -
hxxp://www.microsoft.com/security/controls/SassCln.CAB
DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A790} -
hxxp://www.microsoft.com/security/controls/Berbew/0/BerbCln.CAB
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -
hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} -
hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} -
hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} -
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} -
hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} -
hxxps://ive.gdc4s.com/dana-cached/sc/JuniperSetupClient.cab
TCP: Interfaces\{32577A31-28BC-4FEC-9C69-64281C151A33} : DhcpNameServer =
68.2.16.25 68.2.16.30 68.6.16.30
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -
c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook:
{091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd}
- c:\progra~1\micros~3\office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2011-9-4 38920]
R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [2011-9-4 42376]
R0 ppa;Iomega Parallel Port Filter
Driver;c:\windows\system32\drivers\ppa.sys [2004-1-11 17792]
R0 SymDS;Symantec Data
Store;c:\windows\system32\drivers\nis\1206000.01d\SymDS.sys [2011-7-22
340088]
R0 SymEFA;Symantec Extended File
Attributes;c:\windows\system32\drivers\nis\1206000.01d\SymEFA.sys [2011-7-22
744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application
data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.6.0.29\definitions
\bashdefs\20111223.001\BHDrvx86.sys [2011-11-30 820344]
R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [2011-9-4
16008]
R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [2011-9-4
184072]
R1 hwinterface;hwinterface;c:\windows\system32\drivers\hwinterface.sys
[2005-9-29 3026]
R1 SymIRON;Symantec Iron
Driver;c:\windows\system32\drivers\nis\1206000.01d\Ironx86.sys [2011-7-22
136312]
R2 DLPortIO;DriverLINX Port I/O
Driver;c:\windows\system32\drivers\DLPortIO.SYS [2005-10-17 3584]
R2 EaseUS Agent;EaseUS Agent;c:\program files\easeus\todo
backup\bin\Agent.exe [2011-9-4 60040]
R2 FlipShareServer;FlipShare Server;c:\program files\flip
video\flipshareserver\FlipShareServer.exe [2011-5-6 1085440]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe
[2011-6-4 233472]
R2 NIS;Norton Internet Security;c:\program files\norton internet
security\engine\18.6.0.29\ccSvcHst.exe [2011-7-22 130008]
R2 wwEngineSvc;Window Washer Engine;c:\program
files\webroot\washer\WasherSvc.exe [2008-1-1 598856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common
files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-12-10 106104]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2011-6-4
36608]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application
data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.6.0.29\definitions
\ipsdefs\20120113.002\IDSXpx86.sys [2012-1-13 356280]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application
data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.6.0.29\definitions
\virusdefs\20120114.019\NAVENG.SYS [2012-1-15 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application
data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.6.0.29\definitions
\virusdefs\20120114.019\NAVEX15.SYS [2012-1-15 1576312]
R3 osppsvc;Office Software Protection Platform;c:\program files\common
files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE
[2010-1-9 4640000]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys -->
c:\windows\system32\drivers\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program
files\google\update\GoogleUpdate.exe [2009-12-20 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program
files\google\update\GoogleUpdate.exe [2009-12-20 135664]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\167.tmp -->
c:\windows\system32\167.tmp [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint
Workspace Audit Service;c:\program files\microsoft
office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 tj2knd5;Terayon Cable Modem
(NDIS);c:\windows\system32\drivers\tj2knd5.sys [2004-1-10 17616]
S3 tj2kunic;Terayon Cable Modem
(WDM);c:\windows\system32\drivers\tj2kunic.sys [2004-1-10 69680]
S4
SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriv
er.sys [2009-8-16 14976]
.
=============== Created Last 30 ================
.
2012-01-14 02:02:25 23040 ----a-w- C:\chktrust.exe
2012-01-14 02:00:30 -------- d-----w- C:\chktrust
2012-01-13 20:07:13 6823496 ----a-w- c:\documents and
settings\all users\application data\microsoft\windows defender\definition
updates\{572e4ae3-b67b-45cc-b10e-e8b60107d8b9}\mpengine.dll
2012-01-06 02:54:15 -------- d-----w- c:\program
files\W6ELProp Propagation Prediction
2012-01-03 15:22:02 103864 ----a-w- c:\program files\internet
explorer\plugins\nppdf32.dll
2011-12-29 17:59:59 -------- d-----w- c:\documents and
settings\rick yost\application data\Applian FLV and Media Player
2011-12-29 17:35:27 18944 ----a-r- c:\documents and
settings\rick yost\application
data\microsoft\installer\{297dcada-86a1-4a42-8a13-66b7d7a09fd2}\IconBB6A1630
1.exe
2011-12-29 17:34:15 -------- d-----w- c:\program
files\Applian Technologies
2011-12-29 17:33:52 -------- d-----w- c:\documents and
settings\all users\application data\WeCareReminder
2011-12-17 19:38:02 -------- d-----w- c:\documents and
settings\rick yost\local settings\application data\SanctionedMedia
.
==================== Find3M ====================
.
2011-12-30 05:38:59 414368 ----a-w-
c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57:19 293376 ----a-w-
c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ------w-
c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ------w-
c:\windows\system32\packager.exe
2011-11-03 15:28:36 386048 ------w- c:\windows\system32\qdvd.dll
2011-11-03 15:28:36 1292288 ------w-
c:\windows\system32\quartz.dll
2011-11-01 16:07:10 1288704 ----a-w-
c:\windows\system32\ole32.dll
2011-10-31 23:43:21 832512 ----a-w-
c:\windows\system32\wininet.dll
2011-10-31 23:43:21 78336 ----a-w-
c:\windows\system32\ieencode.dll
2011-10-31 23:43:21 1830912 ----a-w-
c:\windows\system32\inetcpl.cpl
2011-10-31 23:43:20 17408 ------w-
c:\windows\system32\corpol.dll
2011-10-28 05:31:48 33280 ------w-
c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ------w-
c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ------w-
c:\windows\system32\ntkrnlpa.exe
2011-10-24 21:29:02 94208 ----a-w-
c:\windows\system32\QuickTimeVR.qtx
2011-10-24 21:29:02 69632 ----a-w-
c:\windows\system32\QuickTime.qts
2011-10-18 11:13:22 186880 ------w-
c:\windows\system32\encdec.dll
.
============= FINISH: 13:17:01.31 ===============

EDIT: Topics merged ~Budapest


Edited by Budapest, 15 January 2012 - 05:21 PM.
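The DDS log above came through plain-text e-mail, so every long line was wrapped at a fixed width, which is why entries such as the `S4` / `SophosBootDriver` service are split across lines and awkward to read by eye. As an added example (not part of the thread and not DDS's own code), the Python below re-joins the wrapped SERVICES / DRIVERS records, parses them into fields and marks the ones a responder would check first: a `[?]` where DDS could not report the file's date and size, a registered path that DDS had to resolve (`-->`), or a driver image that is a `.tmp` file. The sample is copied from the log above; the 76-column wrap width is inferred from this particular paste and would need adjusting for another mail client. The marks are prompts to verify against the installed software and its vendor, not verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Copied from the SERVICES / DRIVERS section of the DDS log above, wrapping included.
SAMPLE = r"""
============= SERVICES / DRIVERS ===============
.
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2011-9-4 38920]
R0 SymDS;Symantec Data
Store;c:\windows\system32\drivers\nis\1206000.01d\SymDS.sys [2011-7-22
340088]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys -->
c:\windows\system32\drivers\Lbd.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\167.tmp -->
c:\windows\system32\167.tmp [?]
S4
SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriv
er.sys [2009-8-16 14976]
.
=============== Created Last 30 ================
"""

# The longest lines in this paste are 76 columns: a fragment that long was cut inside
# a token, a shorter one at a space. Inferred from this log; other mailers differ.
WRAP_WIDTH = 76
# A record opens with start type (R running / S stopped) and a start-group digit;
# a bare "S4" is a record whose remainder wrapped onto the next line.
RECORD_START = re.compile(r"^[RS]\d(?:\s|$)")
# <state><group> <name>;<display>;<image> [<date> <size>]   or   [...] [?]
RECORD = re.compile(r"^(?P<state>[RS])(?P<group>\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);"
                    r"(?P<image>.*?)\s*\[(?P<stamp>[^\]]*)\]$")


@dataclass
class ServiceRecord:
    state: str
    group: int
    name: str
    display: str
    registered_path: str      # path as registered for the service
    resolved_path: str        # what DDS resolved it to (differs only after "-->")
    date: str                 # "" when DDS printed [?]
    size: int                 # -1 when DDS printed [?]
    flags: List[str] = field(default_factory=list)


def unwrap_section(text: str) -> List[str]:
    """Return the SERVICES / DRIVERS records with the mail-client wrapping undone."""
    records: List[str] = []
    in_section, last_len = False, 0
    for line in text.splitlines():
        if line.startswith("============="):
            if "SERVICES / DRIVERS" in line:
                in_section = True
                continue
            if in_section:
                break                      # next DDS section reached
        if not in_section or line.strip() == ".":
            continue
        if RECORD_START.match(line):
            records.append(line)
        elif records:
            # Restore the space the wrap consumed, unless the fragment was cut mid-token.
            records[-1] += ("" if last_len >= WRAP_WIDTH else " ") + line
        last_len = len(line)
    return records


def triage(rec: ServiceRecord) -> List[str]:
    """Review prompts for a responder; each is a reason to verify, not a verdict."""
    flags = []
    if rec.size < 0:
        flags.append("file date/size unavailable ([?] in DDS output)")
    if rec.registered_path.lower() != rec.resolved_path.lower():
        flags.append("registered path differs from resolved path (-->)")
    if rec.resolved_path.lower().endswith(".tmp"):
        flags.append("service/driver image is a .tmp file")
    return flags


def parse_record(raw: str) -> ServiceRecord:
    m = RECORD.match(raw)
    if not m:
        raise ValueError(f"unrecognised DDS service line: {raw!r}")
    registered, _, resolved = m.group("image").strip().partition(" --> ")
    stamp = m.group("stamp").strip()
    date, size = ("", -1) if stamp == "?" else (stamp.split()[0], int(stamp.split()[1]))
    rec = ServiceRecord(m.group("state"), int(m.group("group")), m.group("name").strip(),
                        m.group("display").strip(), registered, resolved or registered, date, size)
    rec.flags = triage(rec)
    return rec


def triage_dds(text: str) -> List[ServiceRecord]:
    return [parse_record(raw) for raw in unwrap_section(text)]


def flagged(text: str) -> Dict[str, List[str]]:
    """Service name -> review prompts, for the records that have any."""
    return {r.name: r.flags for r in triage_dds(text) if r.flags}
```

Run against the sample, `flagged(SAMPLE)` returns only `Lbd` (one prompt, the `[?]`) and `MEMSWEEP2` (all three prompts); the wrapped `SymDS` and `SophosBootDriver` entries come back with their display name, path and size reassembled. Since the glue rule depends on the wrap width, check the reassembled paths before trusting any output from a log pasted by a different client.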


#5 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Location:3 stars and a sun

Posted 16 January 2012 - 11:32 AM

Hi rickinariz, welcome to BC and sorry about the delay, do you still need help?

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I haven't replied within 48 hours, please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#6 rickinariz

  • Topic Starter
  • Members
  • 22 posts

Posted 16 January 2012 - 05:39 PM

Hello Semp!!

Yes, I still very much need help. Let me tell you just a bit about myself. I am older >55, and an electronics professional. I have worked with hardware for over 35 years, but not a computer wizard by any means. Part of my job is to write and execute test procedures, so I tend to follow instructions explicitly. If you tell me to do something, I will, but if you leave something out, I won't. My default is to do nothing in absence of instruction. Kinda like the machines we all love, right? Pleased to meet you.
Rick
(and thanks for the really quick reply, I appreciate your time)

Edited by rickinariz, 16 January 2012 - 05:42 PM.


#7 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Location:3 stars and a sun

Posted 16 January 2012 - 09:38 PM

Pleased to meet you too, Rick. :)

Let's make sure to uncheck "Word wrap" before posting any log. To do this, open Notepad > Format > uncheck "Word wrap". This will make the log easier to read.



Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.



  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp



#8 rickinariz

  • Topic Starter
  • Members
  • 22 posts

Posted 16 January 2012 - 09:54 PM

Semp,
Received and understood.
Rick

#9 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Location:3 stars and a sun

Posted 16 January 2012 - 09:59 PM

:thumbup2:

~Semp



#10 rickinariz

  • Topic Starter
  • Members
  • 22 posts

Posted 16 January 2012 - 11:13 PM

Semp,
Running ComboFix was not successful. The first popup told me that Norton had scanners still running. I had earlier gone to the forum's instructions for turning off Norton's, but I have Norton Internet Security 2012, and the instructions didn't match, or I missed them for 2012. While ComboFix waited, I went into Norton's "Settings" and threw every switch I could find to off. I clicked apply and Norton asked for a time, and I tried to select 5 hours, but when the dialog box selection wouldn't change from 15 minutes, I eventually clicked okay and let ComboFix run. It came up with the Microsoft Recovery Window install request and I completed that okay, without issue.

ComboFix said "Rootkit.ZeroAccess has rooted itself in the top of the TCP-IP Stack. This is a bad infection". ComboFix tried to reboot finally, but couldn't by itself, so I turn the machine off, then on. Normal boot and Welcome, and I log into my desktop. ComboFix seemed to be waiting, it comes up "Please wait, ComboFix is preparing to run". It takes over 20 minutes and runs to stage 50 then says "Preparing to Delete Infected Files" then something clicks and I get a blue screen of death. "Windows has shut down to prevent damage to your machine...BAD_POOL_HEADER and STOP 0x00000019, (0x00000020, 0x88706000, 0x88706418, 0x1A830000)" I turn the machine off, then on again and it boots normally, and I log on to my desktop without issue. ComboFix is not running and Norton has returned to "on". No ComboFix Log, of course, since the program didn't terminate properly.

It "feels" like I should try again, and this time make sure Norton's is really off (have any hints how to assure that?) and then run ComboFix again, but I will wait for your patient instructions.
Thanks--Rick

#11 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Location:3 stars and a sun

Posted 16 January 2012 - 11:35 PM

Thanks for the info, let's hold off on ComboFix and run some more scans first.


:step1: Click Start > Run then copy/paste the following bolded text below. A log file will open, please post the contents in your next reply.

cmd /c dir /a /s C:\QooBox >log.txt&start log.txt



:step2: Please download MBRCheck to your desktop.
  • Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista/Windows 7).
  • It will open a black window, please do not fix anything (if it gives you an option).
  • Exit that window and it will produce a log (MBRCheck_date_time).
  • Please post that log when you reply.


:step3: Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Note: Do not install Avast anti virus when offered.

~Semp

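Step 1 above asks for a recursive `dir` listing of C:\QooBox, the folder ComboFix works in, so the helper can see what the aborted run quarantined. The following is an added example, not from the thread and not ComboFix's or DDS's code, that parses such a listing, recomputes each directory's file count and byte total against the summary lines `dir` itself prints (so a truncated or partially pasted log shows up as a mismatch rather than going unnoticed), and pulls out the quarantined items by ComboFix's `.vir` suffix. The sample listing is constructed in the format `dir /a /s` prints on an English Windows XP system; its volume serial is a placeholder and its paths are modeled on the listing that follows in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample in the format "dir /a /s" prints on Windows XP (US locale), modeled
# on the C:\QooBox listing posted later in this thread; the serial number is a placeholder.
SAMPLE_LISTING = r"""
 Volume in drive C has no label.
 Volume Serial Number is XXXX-XXXX

 Directory of C:\QooBox

01/16/2012 08:32 PM <DIR> .
01/16/2012 08:32 PM <DIR> ..
01/16/2012 08:32 PM 2,956 LogA
01/16/2012 08:20 PM <DIR> Quarantine
 1 File(s) 2,956 bytes

 Directory of C:\QooBox\Quarantine\C\WINDOWS\system32\Drivers

01/16/2012 08:31 PM <DIR> .
01/16/2012 08:31 PM <DIR> ..
04/13/2008 12:19 PM 75,264 ipsec.sys.vir
04/13/2008 12:19 PM 75,264 ipsec.sys.vir_
 2 File(s) 150,528 bytes

 Total Files Listed:
 3 File(s) 153,484 bytes
 2 Dir(s) 35,893,473,280 bytes free
"""

DIR_HEADER = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")
ENTRY = re.compile(r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+"
                   r"(?:(?P<dir><DIR>)|(?P<size>[\d,]+))\s+(?P<name>.+?)\s*$")
FILE_SUMMARY = re.compile(r"^\s*(?P<count>[\d,]+) File\(s\)\s+(?P<bytes>[\d,]+) bytes\s*$")
DIR_SUMMARY = re.compile(r"^\s*(?P<count>[\d,]+) Dir\(s\)\s+(?P<free>[\d,]+) bytes free\s*$")


def _num(text: str) -> int:
    return int(text.replace(",", ""))        # "150,528" -> 150528


@dataclass
class Listing:
    path: str
    files: Dict[str, int] = field(default_factory=dict)     # name -> size in bytes
    subdirs: List[str] = field(default_factory=list)
    reported_count: int = -1                               # from dir's "N File(s)" line
    reported_bytes: int = -1


def parse_dir_output(text: str) -> Tuple[List[Listing], Dict[str, int]]:
    """Split 'dir /a /s' output into per-directory listings plus the final totals."""
    listings: List[Listing] = []
    totals: Dict[str, int] = {}
    current, in_totals = None, False
    for line in text.splitlines():
        if (m := DIR_HEADER.match(line)):
            current = Listing(m.group("path"))
            listings.append(current)
        elif line.strip() == "Total Files Listed:":
            in_totals, current = True, None
        elif (m := FILE_SUMMARY.match(line)):
            if in_totals:
                totals["files"], totals["bytes"] = _num(m.group("count")), _num(m.group("bytes"))
            elif current is not None:
                current.reported_count = _num(m.group("count"))
                current.reported_bytes = _num(m.group("bytes"))
        elif (m := DIR_SUMMARY.match(line)) and in_totals:
            totals["dirs"], totals["free"] = _num(m.group("count")), _num(m.group("free"))
        elif (m := ENTRY.match(line)) and current is not None:
            if m.group("dir"):
                if m.group("name") not in (".", ".."):
                    current.subdirs.append(m.group("name"))
            else:
                current.files[m.group("name")] = _num(m.group("size"))
    return listings, totals


def check_totals(listings: List[Listing], totals: Dict[str, int]) -> List[str]:
    """Recount from the entries and report any disagreement with dir's own summaries."""
    problems: List[str] = []
    all_files = all_bytes = 0
    for d in listings:
        n, b = len(d.files), sum(d.files.values())
        all_files, all_bytes = all_files + n, all_bytes + b
        if d.reported_count >= 0 and (n, b) != (d.reported_count, d.reported_bytes):
            problems.append(f"{d.path}: counted {n} files / {b} bytes, "
                            f"summary says {d.reported_count} / {d.reported_bytes}")
    if totals and (all_files, all_bytes) != (totals.get("files"), totals.get("bytes")):
        problems.append(f"grand total: counted {all_files} files / {all_bytes} bytes, "
                        f"summary says {totals.get('files')} / {totals.get('bytes')}")
    return problems


def quarantined_items(listings: List[Listing], suffixes=(".vir", ".vir_")) -> List[Tuple[str, str, int]]:
    """(directory, name, size) for entries carrying ComboFix's quarantine suffixes."""
    return [(d.path, name, size) for d in listings for name, size in d.files.items()
            if name.lower().endswith(suffixes)]
```

On the constructed sample, `check_totals` returns an empty list and `quarantined_items` returns the two `ipsec.sys` copies under `Quarantine\C\WINDOWS\system32\Drivers`. Editing one of the `File(s)` summary lines, which is what a paste cut short or a mis-copied block looks like, produces a one-line mismatch report for that directory, so the helper can ask for the log again before acting on it.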


#12 rickinariz

  • Topic Starter
  • Members
  • 22 posts

Posted 16 January 2012 - 11:50 PM

Semp,
QooBoxlog first, as requested:

Volume in drive C has no label.
Volume Serial Number is E0C4-9DD9

Directory of C:\QooBox

01/16/2012 08:32 PM <DIR> .
01/16/2012 08:32 PM <DIR> ..
01/16/2012 08:15 PM <DIR> BackEnv
01/16/2012 08:35 PM <DIR> LastRun
01/16/2012 08:32 PM 2,956 LogA
01/16/2012 08:20 PM <DIR> Quarantine
01/16/2012 08:45 PM <DIR> Test
01/16/2012 08:09 PM <DIR> TestC
1 File(s) 2,956 bytes

Directory of C:\QooBox\BackEnv

01/16/2012 08:15 PM <DIR> .
01/16/2012 08:15 PM <DIR> ..
01/16/2012 08:15 PM 232 AppData.folder.dat
01/16/2012 08:15 PM 327 Cache.folder.dat
01/16/2012 08:15 PM 149 Cookies.folder.dat
01/16/2012 08:15 PM 94 Desktop.folder.dat
01/16/2012 08:15 PM 150 Favorites.folder.dat
01/16/2012 08:15 PM 194 History.folder.dat
01/16/2012 08:15 PM 221 LocalAppData.folder.dat
01/16/2012 08:15 PM 229 LocalSettings.folder.dat
01/16/2012 08:15 PM 61 Music.folder.dat
01/16/2012 08:15 PM 47 NetHood.folder.dat
01/16/2012 08:15 PM 149 Personal.folder.dat
01/16/2012 08:15 PM 64 Pictures.folder.dat
01/16/2012 08:15 PM 49 PrintHood.folder.dat
01/16/2012 08:15 PM 428 Profiles.Folder.dat
01/16/2012 08:15 PM 719 Profiles.Folder.folder.dat
01/16/2012 08:15 PM 180 Programs.folder.dat
01/16/2012 08:15 PM 46 Recent.folder.dat
01/16/2012 08:15 PM 46 SendTo.folder.dat
01/16/2012 08:15 PM 7,323 SetPath.bat
01/16/2012 08:15 PM 153 StartMenu.folder.dat
01/16/2012 08:15 PM 204 StartUp.folder.dat
01/16/2012 08:11 PM 2,123 SysPath.dat
01/16/2012 08:15 PM 98 Templates.folder.dat
01/16/2012 08:15 PM 2,192 VikPev00
24 File(s) 15,478 bytes

Directory of C:\QooBox\LastRun

01/16/2012 08:35 PM <DIR> .
01/16/2012 08:35 PM <DIR> ..
01/16/2012 08:35 PM 13 Gateway
1 File(s) 13 bytes

Directory of C:\QooBox\Quarantine

01/16/2012 08:20 PM <DIR> .
01/16/2012 08:20 PM <DIR> ..
01/16/2012 08:21 PM <DIR> C
01/16/2012 08:33 PM 380 catchme.log
01/16/2012 08:47 PM <DIR> Registry_backups
1 File(s) 380 bytes

Directory of C:\QooBox\Quarantine\C

01/16/2012 08:21 PM <DIR> .
01/16/2012 08:21 PM <DIR> ..
01/16/2012 08:21 PM <DIR> WINDOWS
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS

01/16/2012 08:21 PM <DIR> .
01/16/2012 08:21 PM <DIR> ..
01/16/2012 08:21 PM <DIR> $NtUninstallKB36333$
01/16/2012 08:21 PM <DIR> system32
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS\$NtUninstallKB36333$

01/16/2012 08:21 PM <DIR> .
01/16/2012 08:21 PM <DIR> ..
01/16/2012 08:21 PM <DIR> 3498073453
01/16/2012 08:21 PM 120 _1015685262_.zip
1 File(s) 120 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS\$NtUninstallKB36333$\3498073453

01/16/2012 08:21 PM <DIR> .
01/16/2012 08:21 PM <DIR> ..
01/13/2012 06:15 PM 2,048 @.vir
01/16/2012 06:31 PM 850 bckfg.tmp.vir
01/16/2012 08:05 PM 139 cfg.ini.vir
01/16/2012 05:57 PM 4,608 Desktop.ini.vir
01/16/2012 07:13 PM 161 keywords.vir
01/16/2012 05:57 PM 223,744 kwrd.dll.vir
01/16/2012 08:21 PM <DIR> L
01/16/2012 08:21 PM <DIR> U
6 File(s) 231,550 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS\$NtUninstallKB36333$\3498073453\L

01/16/2012 08:21 PM <DIR> .
01/16/2012 08:21 PM <DIR> ..
01/13/2012 06:15 PM 75,264 asobptkf.vir
1 File(s) 75,264 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS\$NtUninstallKB36333$\3498073453\U

01/16/2012 08:21 PM <DIR> .
01/16/2012 08:21 PM <DIR> ..
01/16/2012 06:31 PM 2,048 00000001.@.vir
01/13/2012 06:15 PM 224,768 00000002.@.vir
01/13/2012 06:15 PM 1,024 00000004.@.vir
01/13/2012 06:15 PM 11,264 80000000.@.vir
01/13/2012 06:15 PM 12,800 80000004.@.vir
01/13/2012 06:15 PM 77,312 80000032.@.vir
6 File(s) 329,216 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS\system32

01/16/2012 08:21 PM <DIR> .
01/16/2012 08:21 PM <DIR> ..
01/16/2012 08:31 PM <DIR> Drivers
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS\system32\Drivers

01/16/2012 08:31 PM <DIR> .
01/16/2012 08:31 PM <DIR> ..
04/13/2008 12:19 PM 75,264 ipsec.sys.vir
04/13/2008 12:19 PM 75,264 ipsec.sys.vir_
2 File(s) 150,528 bytes

Directory of C:\QooBox\Quarantine\Registry_backups

01/16/2012 08:47 PM <DIR> .
01/16/2012 08:47 PM <DIR> ..
01/16/2012 08:47 PM 7,791 tcpip.reg
1 File(s) 7,791 bytes

Directory of C:\QooBox\Test

01/16/2012 08:45 PM <DIR> .
01/16/2012 08:45 PM <DIR> ..
0 File(s) 0 bytes

Directory of C:\QooBox\TestC

01/16/2012 08:09 PM <DIR> .
01/16/2012 08:09 PM <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
44 File(s) 813,296 bytes
44 Dir(s) 35,893,473,280 bytes free

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000005d

Kernel Drivers (total 152):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x80700000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF75A8000 ACPI.sys
0xF7989000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xF7597000 pci.sys
0xF75F7000 isapnp.sys
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xF7607000 MountMgr.sys
0xF74D8000 ftdisk.sys
0xF770F000 PartMgr.sys
0xF7617000 VolSnap.sys
0xF74C0000 atapi.sys
0xF7627000 disk.sys
0xF7637000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xF74A0000 fltmgr.sys
0xF7449000 SYMDS.SYS
0xF7437000 sr.sys
0xF7B24000 SYMEFA.SYS
0xF7717000 PxHelp20.sys
0xF7422000 drvmcdb.sys
0xF740B000 KSecDD.sys
0xF7884000 WudfPf.sys
0xBA773000 Ntfs.sys
0xBA746000 NDIS.sys
0xF771F000 ppa.sys
0xBA72C000 Mup.sys
0xF7647000 EUBKMON.sys
0xF7727000 eubakup.sys
0xF7657000 agp440.sys
0xF7557000 \SystemRoot\System32\DRIVERS\intelppm.sys
0xB9562000 \SystemRoot\System32\DRIVERS\nv4_mini.sys
0xB954E000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
0xF774F000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xB952A000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xF7757000 \SystemRoot\System32\DRIVERS\usbehci.sys
0xB941D000 \SystemRoot\System32\DRIVERS\BCMSM.sys
0xB93FA000 \SystemRoot\System32\DRIVERS\ks.sys
0xF775F000 \SystemRoot\System32\Drivers\Modem.SYS
0xB92B5000 \SystemRoot\system32\drivers\P16X.sys
0xB9291000 \SystemRoot\system32\drivers\portcls.sys
0xF7547000 \SystemRoot\system32\drivers\drmk.sys
0xB9265000 \SystemRoot\System32\DRIVERS\ctoss2k.sys
0xB9245000 \SystemRoot\System32\DRIVERS\ctsfm2k.sys
0xF7923000 \SystemRoot\System32\DRIVERS\gameenum.sys
0xF7537000 \SystemRoot\System32\DRIVERS\mf.sys
0xB9221000 \SystemRoot\System32\DRIVERS\e100b325.sys
0xB9E6C000 \SystemRoot\System32\DRIVERS\fdc.sys
0xF7527000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xB9E64000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xB9E5C000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF7517000 \SystemRoot\System32\DRIVERS\serial.sys
0xF7927000 \SystemRoot\System32\DRIVERS\serenum.sys
0xB920D000 \SystemRoot\System32\DRIVERS\parport.sys
0xF7507000 \SystemRoot\System32\DRIVERS\imapi.sys
0xF79F3000 \SystemRoot\system32\drivers\sscdbhk5.sys
0xF74F7000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xBA6AC000 \SystemRoot\System32\DRIVERS\redbook.sys
0xB9E54000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xBA31E000 \SystemRoot\System32\DRIVERS\audstub.sys
0xBA69C000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xF7933000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xB91F6000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xBA68C000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xBA67C000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xB9E4C000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xB91E5000 \SystemRoot\System32\DRIVERS\psched.sys
0xBA66C000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xB9E44000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xB9E3C000 \SystemRoot\System32\DRIVERS\raspti.sys
0xBA65C000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF79F5000 \SystemRoot\System32\DRIVERS\swenum.sys
0xB9100000 \SystemRoot\System32\DRIVERS\update.sys
0xB9E34000 \SystemRoot\System32\DRIVERS\omci.sys
0xBA5F7000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xBA63C000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA61C000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xF79F7000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xF7943000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xB9E2C000 \SystemRoot\System32\DRIVERS\flpydisk.sys
0xBA6F4000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF79F9000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7A52000 \SystemRoot\System32\Drivers\Null.SYS
0xF79FB000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7777000 \SystemRoot\system32\drivers\ssrtln.sys
0xF777F000 \SystemRoot\System32\drivers\vga.sys
0xF79FD000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79FF000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7787000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF778F000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA6EC000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xB6F65000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB6F0C000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xB6EB3000 \SystemRoot\system32\drivers\NIS\1206000.01D\SYMTDI.SYS
0xB6E8D000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xF7687000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xB6E67000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xF7797000 \SystemRoot\System32\DRIVERS\USBSTOR.SYS
0xB6E0C000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\IPSDefs\20120113.002\IDSxpx86.sys
0xB6DE4000 \SystemRoot\System32\DRIVERS\netbt.sys
0xBA6E4000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xB6DC2000 \SystemRoot\System32\drivers\afd.sys
0xB9DCB000 \SystemRoot\System32\DRIVERS\netbios.sys
0xB6D9E000 \SystemRoot\system32\drivers\NIS\1206000.01D\Ironx86.SYS
0xB9D9B000 \SystemRoot\system32\drivers\NIS\1206000.01D\SRTSPX.SYS
0xB6D73000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xB6D03000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xB9F05000 \SystemRoot\System32\Drivers\hwinterface.sys
0xB9D8B000 \SystemRoot\System32\Drivers\Fips.SYS
0xB6BBF000 \??\C:\WINDOWS\system32\drivers\EuFdDisk.sys
0xBA6D4000 \??\C:\WINDOWS\system32\drivers\eudskacs.sys
0xB6B61000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xB6B43000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xB6A77000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\BASHDefs\20111223.001\BHDrvx86.sys
0xB9D6B000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB6A37000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7991000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB9162000 \SystemRoot\System32\drivers\Dxapi.sys
0xF77CF000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7AB4000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBF5E6000 \SystemRoot\System32\ATMFD.DLL
0xB6CE3000 \SystemRoot\system32\drivers\drvnddm.sys
0xBA122000 \SystemRoot\system32\dla\tfsndres.sys
0xB6679000 \SystemRoot\system32\dla\tfsnifs.sys
0xB679A000 \SystemRoot\system32\dla\tfsnopio.sys
0xF79A7000 \SystemRoot\system32\dla\tfsnpool.sys
0xF77E7000 \SystemRoot\system32\dla\tfsnboio.sys
0xB6CD3000 \SystemRoot\system32\dla\tfsncofs.sys
0xF7A7A000 \SystemRoot\system32\dla\tfsndrct.sys
0xB6639000 \SystemRoot\system32\dla\tfsnudf.sys
0xB6620000 \SystemRoot\system32\dla\tfsnudfa.sys
0xB63F4000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xB6317000 \SystemRoot\system32\drivers\wdmaud.sys
0xB6CC3000 \SystemRoot\system32\drivers\sysaudio.sys
0xB6274000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xF79CF000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB9E24000 \??\C:\WINDOWS\system32\DRIVERS\DLPortIO.SYS
0xB5FC4000 \SystemRoot\System32\DRIVERS\srv.sys
0xF79ED000 \??\C:\WINDOWS\System32\PfModNT.sys
0xB5829000 \SystemRoot\System32\Drivers\HTTP.sys
0xB5A50000 \??\C:\WINDOWS\system32\FsUsbExDisk.SYS
0xB54FB000 \SystemRoot\system32\drivers\NIS\1206000.01D\SRTSP.SYS
0xB52B3000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\VirusDefs\20120116.002\NAVEX15.SYS
0xB4A3E000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\VirusDefs\20120116.002\NAVENG.SYS
0xB4793000 \SystemRoot\system32\drivers\kmixer.sys
0xB65E0000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x7C900000 \WINDOWS\SYSTEM32\ntdll.dll

Processes (total 54):
0 System Idle Process
4 SYSTEM
600 C:\WINDOWS\SYSTEM32\smss.exe
668 csrss.exe
692 C:\WINDOWS\SYSTEM32\winlogon.exe
736 C:\WINDOWS\SYSTEM32\services.exe
772 C:\WINDOWS\SYSTEM32\lsass.exe
944 C:\WINDOWS\SYSTEM32\svchost.exe
1024 svchost.exe
1120 C:\WINDOWS\SYSTEM32\svchost.exe
1160 C:\WINDOWS\SYSTEM32\svchost.exe
1280 svchost.exe
1356 svchost.exe
1460 C:\WINDOWS\SYSTEM32\spoolsv.exe
1728 C:\WINDOWS\explorer.exe
1812 svchost.exe
1844 C:\WINDOWS\SYSTEM32\CTsvcCDA.EXE
1864 C:\Program Files\EaseUS\Todo Backup\bin\Agent.exe
1884 C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
1908 C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe
1940 C:\WINDOWS\SYSTEM32\FsUsbExService.Exe
192 C:\Program Files\Google\Update\GoogleUpdate.exe
232 C:\Program Files\Java\jre6\bin\jqs.exe
316 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
536 C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
1064 C:\WINDOWS\SYSTEM32\nvsvc32.exe
1092 C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
1524 C:\WINDOWS\BCMSMMSG.exe
1592 C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
1628 C:\WINDOWS\SYSTEM32\svchost.exe
1532 C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
1932 C:\Program Files\Webroot\Washer\WasherSvc.exe
2268 C:\WINDOWS\SYSTEM32\DSentry.exe
2468 C:\WINDOWS\SYSTEM32\fxssvc.exe
2936 C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
2944 C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
3152 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
3268 C:\Program Files\Iomega\DriveIcons\Imgicon.exe
3632 UNSECAPP.EXE
3744 wmiprvse.exe
3848 C:\WINDOWS\SYSTEM32\rundll32.exe
3904 C:\Program Files\EaseUS\Todo Backup\bin\EuWatch.exe
532 alg.exe
548 C:\Program Files\EaseUS\Todo Backup\bin\TrayNotify.exe
2216 C:\Program Files\QuickTime\QTTask.exe
2832 C:\Program Files\Messenger\msmsgs.exe
2840 C:\WINDOWS\SYSTEM32\ctfmon.exe
2872 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
3332 C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
3388 C:\Documents and Settings\Rick Yost\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
4032 C:\Program Files\Internet Explorer\iexplore.exe
1140 C:\WINDOWS\SYSTEM32\svchost.exe
3808 OSPPSVC.EXE
2708 C:\Documents and Settings\Rick Yost\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02738a00 (NTFS)

PhysicalDrive0 Model Number: WDCWD800BB-75FRA0, Rev: 77.07W77

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-16 21:45:46
-----------------------------
21:45:46.937 OS Version: Windows 5.1.2600 Service Pack 3
21:45:46.937 Number of processors: 2 586 0x209
21:45:46.937 ComputerName: DAD UserName:
21:45:51.156 Initialize success
21:46:07.484 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:46:07.484 Disk 0 Vendor: WDC_WD800BB-75FRA0 77.07W77 Size: 76293MB BusType: 3
21:46:07.515 Disk 0 MBR read successfully
21:46:07.515 Disk 0 MBR scan
21:46:07.515 Disk 0 Windows XP default MBR code
21:46:07.531 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 39 MB offset 63
21:46:07.531 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 76245 MB offset 80325
21:46:07.546 Disk 0 scanning sectors +156232125
21:46:07.609 Disk 0 scanning C:\WINDOWS\system32\drivers
21:46:24.515 Service scanning
21:46:26.015 Modules scanning
21:46:46.812 Module: C:\WINDOWS\system32\dla\tfsndres.sys **SUSPICIOUS**
21:46:53.421 Disk 0 trace - called modules:
21:46:53.453 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
21:46:53.953 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aa38ab8]
21:46:53.953 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8aa7bb00]
21:46:53.953 Scan finished successfully
21:47:21.140 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Rick Yost\Desktop\MBR.dat"
21:47:21.234 The log file has been saved successfully to "C:\Documents and Settings\Rick Yost\Desktop\aswMBR.txt"


Thanks--Rick

#13 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:01:25 AM

Posted 17 January 2012 - 12:32 AM

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

  • Please click this link-->Jotti
  • When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

    C:\WINDOWS\system32\dla\tfsndres.sys

  • Please post back the results of the scan in your next post.
  • If Jotti is busy, try the same at Virustotal


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#14 rickinariz

rickinariz
  • Topic Starter

  • Members
  • 22 posts
  • Gender:Male
  • Local time:10:25 AM

Posted 17 January 2012 - 01:15 AM

Semp,
Jotti's doesn't output a nice text file. I copy-pasted the textual parts of the web page into a .txt:

Jotti's malware scan
Filename: tfsndres.sys
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Tue 17 Jan 2012 07:00:31 (CET) Permalink

Additional info
File size: 2233 bytes
Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5: 130254995ebedcb34d62e8d78ec9dbd0
SHA1: 91a1ea37e07b9f690597ffb50594a06bc8629305

There was a table on the web page that gave a listing of all the applications that scanned and found nothing. It was HTML, not textual. I can't seem to include that information.

Rick
(PS) While poking around, I see that System Restore is enabled. I had left it disabled since I started this with the Norton tool. Should I disable it again?

Edited by rickinariz, 17 January 2012 - 01:16 AM.


#15 rickinariz

rickinariz
  • Topic Starter

  • Members
  • 22 posts
  • Gender:Male
  • Local time:10:25 AM

Posted 17 January 2012 - 01:42 AM

Semp,
I tried with Virustotal as well. It reported no viruses found. It produced something I could copy-paste into text:

SHA256: 7933c84fab8d782dd9c1a9e75e43742cf22ee8517dcbd92a623f43f5ad9d9d08
SHA1: 91a1ea37e07b9f690597ffb50594a06bc8629305
MD5: 130254995ebedcb34d62e8d78ec9dbd0
File size: 2.2 KB ( 2233 bytes )
File type: Win32 EXE
Detection ratio: 0 / 43
Analysis date: 2012-01-17 06:36:20 UTC ( 1 minute ago )

AhnLab-V3 - 20120116
AntiVir - 20120117
Antiy-AVL - 20120117
Avast - 20120116
AVG - 20120116
BitDefender - 20120117
ByteHero - 20120111
CAT-QuickHeal - 20120117
ClamAV - 20120117
Commtouch - 20120117
Comodo - 20120117
DrWeb - 20120117
Emsisoft - 20120117
eSafe - 20120115
eTrust-Vet - 20120116
F-Prot - 20120116
F-Secure - 20120117
Fortinet - 20120117
GData - 20120117
Ikarus - 20120117
Jiangmin - 20120116
K7AntiVirus - 20120113
Kaspersky - 20120117
McAfee - 20120117
McAfee-GW-Edition - 20120116
Microsoft - 20120117
NOD32 - 20120117
Norman - 20120116
nProtect - 20120117
Panda - 20120116
PCTools - 20120117
Prevx - 20120117
Rising - 20120116
Sophos - 20120117
SUPERAntiSpyware - 20120114
Symantec - 20120117
TheHacker - 20120116
TrendMicro - 20120117
TrendMicro-HouseCall - 20120117
VBA32 - 20120116
VIPRE - 20120117
ViRobot - 20120117
VirusBuster - 20120116



