tidserv request 2


Re: tidserv request 2

Post by melboy » April 8th, 2010, 1:51 pm

Hi

As you are experiencing BSoDs, please don't run the tools on your own - you may not recover from one! Let's take a further look. If you didn't download RootRepeal before, please do so now.



RootRepeal
Download RootRepeal.zip from here & unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
      Drivers
      Files
      Processes
      SSDT
      Stealth Objects
      Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File then Exit to close the program


After RootRepeal.


COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    SRPeek::
    C:\WINDOWS\system32\drivers\iaStor.sys

    FileLook::
    c:\windows\system32\drivers\netbt.sys


  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: tidserv request 2

Post by Tim Brug » April 8th, 2010, 11:46 pm

Here is the combo log. Not sure if you wanted the root repeal report. Again, I appreciate all your efforts but I'm almost at the point of blowing things up and starting all over. I just don't want to let the sob's win!


ComboFix 10-04-05.06 - Tim Brugnoli 04/08/2010 23:27:37.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1425 [GMT -4:00]
Running from: c:\documents and settings\Tim Brugnoli\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tim Brugnoli\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2010-03-09 to 2010-04-09 )))))))))))))))))))))))))))))))
.

2010-04-09 02:24 . 2010-02-04 21:13 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100408.032\NAVENG.SYS
2010-04-09 02:24 . 2010-02-04 21:13 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100408.032\NAVEX15.SYS
2010-04-09 02:24 . 2009-12-09 23:57 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100408.032\CCERASER.DLL
2010-04-09 02:24 . 2009-11-07 02:30 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100408.032\EECTRL.SYS
2010-04-09 02:24 . 2009-11-07 02:30 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100408.032\ECMSVR32.DLL
2010-04-09 02:24 . 2009-11-07 02:30 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100408.032\NAVENG32.DLL
2010-04-09 02:24 . 2009-11-07 02:30 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100408.032\NAVEX32A.DLL
2010-04-09 02:24 . 2009-11-07 02:30 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100408.032\ERASER.SYS
2010-04-05 22:08 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100402.001\IDSvix86.sys
2010-04-05 22:08 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100402.001\Scxpx86.dll
2010-04-05 22:08 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100402.001\IDSxpx86.dll
2010-04-05 22:07 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100402.001\IDSXpx86.sys
2010-04-05 22:07 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100402.001\IDSviA64.sys
2010-04-05 21:57 . 2010-04-05 21:57 -------- d-----w- c:\program files\ESET
2010-04-01 05:35 . 2010-04-03 21:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-01 00:25 . 2010-04-01 00:25 388096 ----a-r- c:\documents and settings\Tim Brugnoli\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-01 00:25 . 2010-04-01 00:25 -------- d-----w- c:\program files\TrendMicro
2010-03-31 21:13 . 2010-03-31 21:13 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-31 01:03 . 2004-08-04 02:59 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-03-31 01:03 . 2004-08-04 02:59 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-03-31 01:03 . 2004-08-04 03:00 8192 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-03-31 01:03 . 2004-08-04 03:00 8192 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-03-31 01:03 . 2004-08-04 03:00 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-03-31 01:03 . 2004-08-04 03:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-03-27 15:11 . 2010-03-27 15:11 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-03-26 09:34 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100326.001\IDSvix86.sys
2010-03-26 09:34 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100326.001\IDSXpx86.sys
2010-03-26 09:34 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100326.001\Scxpx86.dll
2010-03-26 09:34 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100326.001\IDSxpx86.dll
2010-03-26 09:34 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100326.001\IDSviA64.sys
2010-03-24 20:38 . 2010-03-24 20:38 536112 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\BHDrvx86.sys
2010-03-24 20:38 . 2010-03-24 20:38 201616 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\BHRules.dll
2010-03-24 20:38 . 2010-03-24 20:38 1407888 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\BHEngine.dll
2010-03-24 20:38 . 2010-03-24 20:38 678960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\BHDrvx64.sys
2010-03-24 20:38 . 2010-03-24 20:38 611216 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\bbRGen.dll
2010-03-23 22:37 . 2010-03-23 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-23 22:37 . 2010-03-23 22:37 1924976 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-03-23 22:36 . 2010-03-24 22:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-09 01:54 . 2004-08-12 13:36 872064 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-04-09 01:17 . 2009-01-02 23:11 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-04-09 01:11 . 2006-02-21 01:29 -------- d-----w- c:\program files\Agent
2010-04-09 01:08 . 2006-02-21 22:31 -------- d-----w- c:\program files\EasyAgent
2010-04-06 11:07 . 2004-08-12 13:24 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2010-03-31 21:13 . 2010-03-02 02:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-30 04:46 . 2010-03-02 02:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2010-03-02 02:26 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-25 23:29 . 2009-10-17 02:35 786800 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll
2010-03-02 02:26 . 2010-03-02 02:26 -------- d-----w- c:\documents and settings\Tim Brugnoli\Application Data\Malwarebytes
2010-03-02 02:26 . 2010-03-02 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-25 06:24 . 2004-08-12 13:33 916480 ------w- c:\windows\system32\wininet.dll
2007-08-25 03:52 . 2008-02-11 05:37 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\system32\drivers\netbt.sys ---
Company: Microsoft Corporation
File Description: MBT Transport driver
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: netbt.sys
File size: 162816
Created time: 2004-08-12 13:24
Modified time: 2010-04-06 11:07
MD5: 0C80E410CD2F47134407EE7DD19CC86B
SHA1: FC94040533C8E2BBA6F4A5BFF8A97294CC5E4C06


(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

[7] 9A65E42664D1534B68512CAAD0EFE963 872064 c:\windows\system32\Drivers\iaStor.sys
[7] 9A65E42664D1534B68512CAAD0EFE963 872064 \RP5\A0024451.sys
[7] 9A65E42664D1534B68512CAAD0EFE963 872064 \RP5\A0023447.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-04-04_18.07.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-09 02:38 . 2010-04-09 02:38 16384 c:\windows\Temp\Perflib_Perfdata_52c.dat
+ 2010-04-09 02:17 . 2008-12-04 13:17 15312 c:\windows\system32\ReinstallBackups\0031\DriverFiles\RaCoInst.dat
+ 2010-04-07 21:03 . 2010-02-27 02:23 43696 c:\windows\system32\drivers\NIS\1106000.020\srtspx.sys
+ 2010-04-07 21:15 . 2010-04-07 21:15 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-02-20 22:00 . 2010-04-04 16:44 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-02-20 22:00 . 2010-04-07 21:15 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-02-20 22:00 . 2010-04-04 16:44 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-04-09 02:17 . 2008-12-04 13:17 627072 c:\windows\system32\ReinstallBackups\0031\DriverFiles\rt2870.sys
+ 2010-04-09 02:17 . 2008-12-04 13:17 221184 c:\windows\system32\ReinstallBackups\0031\DriverFiles\RaCoInst.dll
+ 2010-04-07 21:03 . 2010-02-04 01:40 340016 c:\windows\system32\drivers\NIS\1106000.020\symtdiv.sys
+ 2010-04-07 21:03 . 2010-02-04 01:40 362032 c:\windows\system32\drivers\NIS\1106000.020\symtdi.sys
+ 2010-04-07 21:03 . 2010-02-04 01:40 172592 c:\windows\system32\drivers\NIS\1106000.020\symefa.sys
+ 2010-04-07 21:03 . 2009-11-05 22:06 328752 c:\windows\system32\drivers\NIS\1106000.020\symds.sys
+ 2010-04-07 21:03 . 2010-02-27 02:23 325680 c:\windows\system32\drivers\NIS\1106000.020\srtsp.sys
+ 2010-04-07 21:03 . 2010-02-27 02:23 116784 c:\windows\system32\drivers\NIS\1106000.020\ironx86.sys
+ 2010-04-07 21:03 . 2010-02-25 23:22 501888 c:\windows\system32\drivers\NIS\1106000.020\cchpx86.sys
- 2004-08-12 13:24 . 2010-04-01 03:07 162816 c:\windows\system32\dllcache\netbt.sys
+ 2004-08-12 13:24 . 2010-04-06 11:07 162816 c:\windows\system32\dllcache\netbt.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Photo AIO Printer 942"="c:\program files\Dell Photo AIO Printer 942\dlbubmgr.exe" [2004-08-31 294912]
"DellMCM"="c:\program files\Dell Photo AIO Printer 942\memcard.exe" [2004-07-27 262144]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-11-11 4612096]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"P17Helper"="P17.dll" [2004-06-10 60928]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 1358384]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"NBJ"="c:\program files\Ahead\Nero BackItUp\nbj.exe"
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"InCD"=c:\program files\Ahead\InCD\InCD.exe
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"iRiver Updater"=\Updater.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SunJavaUpdateSched"=c:\program files\Java\jre1.5.0_06\bin\jusched.exe
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"UIUCU"=c:\docume~1\TIMBRU~1\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
"MimBoot"=c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe
"BlackBerryAutoUpdate"=c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1106000.020\symds.sys [4/7/2010 5:03 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1106000.020\symefa.sys [4/7/2010 5:03 PM 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\BHDrvx86.sys [3/24/2010 4:38 PM 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1106000.020\cchpx86.sys [4/7/2010 5:03 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1106000.020\ironx86.sys [4/7/2010 5:03 PM 116784]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.6.0.32\ccsvchst.exe [4/7/2010 5:03 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/17/2009 10:38 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100326.001\IDSXpx86.sys [3/26/2010 5:34 AM 329592]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\TIMBRU~1\LOCALS~1\Temp\00000be9.nmc\nse\bin\ndiskio.sys --> c:\docume~1\TIMBRU~1\LOCALS~1\Temp\00000be9.nmc\nse\bin\ndiskio.sys [?]
S3 nsak;nsak;\??\c:\docume~1\TIMBRU~1\LOCALS~1\Temp\00000cf5.nmc\nse\bin\nsak.sys --> c:\docume~1\TIMBRU~1\LOCALS~1\Temp\00000cf5.nmc\nse\bin\nsak.sys [?]
S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [11/20/2009 8:57 PM 627072]
.
Contents of the 'Scheduled Tasks' folder

2009-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 16:34]

2010-04-07 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Tim Brugnoli.job
- c:\program files\Norton Internet Security\Engine\17.6.0.32\navw32.exe [2010-04-07 23:51]

2010-01-18 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

2009-05-05 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-05 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.optimum.net/News/Weather?sta ... nton,%20NJ
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-08 23:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x887E8AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8ecfc3
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba7117b4
\Driver\iaStor -> iaStor.sys @ 0xba648b10
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
ParseProcedure -> ntkrnlpa.exe @ 0x8058155c
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
ParseProcedure -> ntkrnlpa.exe @ 0x8058155c
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.6.0.32\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(784)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3908)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-08 23:38:21
ComboFix-quarantined-files.txt 2010-04-09 03:38
ComboFix2.txt 2010-04-09 03:14
ComboFix3.txt 2010-04-07 02:41
ComboFix4.txt 2010-04-06 10:59
ComboFix5.txt 2010-04-09 03:25

Pre-Run: 181,386,940,416 bytes free
Post-Run: 181,369,753,600 bytes free

- - End Of File - - A2E2ECC1F6D8373463127F6E24D37EBF
Tim Brug
Regular Member
Posts: 33
Joined: March 31st, 2010, 9:06 pm

Re: tidserv request 2

Post by melboy » April 9th, 2010, 8:14 am

Hi Tim

Not sure if you wanted the root repeal report


No, further information has come to light and I'd like you to get another GMER scan.

I'd like you to run the GMER scan slightly differently to last time. Whereas before you unchecked Sections, this time I'd like you to leave it checked. (Ignore the part of the image below that shows Sections unchecked.) If you have trouble running GMER (as you did last time), you may try UNchecking Devices.



Gmer

  • Double click the .exe file (lmyzwn8q.exe). If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
    [screenshot: GMER scan options panel]
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections <--leave this checked please
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


Note: Do not run any programs while Gmer is running.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: tidserv request 2

Post by Tim Brug » April 10th, 2010, 5:25 am

PC becoming very sluggish, almost unusable. Having difficulty getting GMER to finish scan; it did complete one scan but I forgot to leave Sections checked. Will scan again.
Tim Brug
Regular Member
Posts: 33
Joined: March 31st, 2010, 9:06 pm

Re: tidserv request 2

Post by melboy » April 10th, 2010, 5:42 am

Hi


If it helps, try running GMER in Safe Mode.

>> Booting into Safe Mode - safely <<
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: tidserv request 2

Post by Tim Brug » April 10th, 2010, 7:47 am

The scan completes but freezes up when trying to save the log. Will attempt again later today.
Tim Brug
Regular Member
Posts: 33
Joined: March 31st, 2010, 9:06 pm

Re: tidserv request 2

Post by Tim Brug » April 10th, 2010, 10:40 pm

Scan in Safe Mode:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-10 19:45:24
Windows 5.1.2600 Service Pack 2
Running: lmyzwn8q.exe; Driver: C:\DOCUME~1\TIMBRU~1\LOCALS~1\Temp\axtiqpod.sys


---- Kernel code sections - GMER 1.0.15 ----

? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


Scan in normal mode with Sections; can't remember if I unchecked or left Sections checked:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-10 04:29:50
Windows 5.1.2600 Service Pack 2
Running: lmyzwn8q.exe; Driver: C:\DOCUME~1\TIMBRU~1\LOCALS~1\Temp\axtiqpod.sys


---- System - GMER 1.0.15 ----

SSDT 899849F8 ZwAlertResumeThread
SSDT 89914460 ZwAlertThread
SSDT 89A7A770 ZwAllocateVirtualMemory
SSDT 8991EA58 ZwAssignProcessToJobObject
SSDT 89B53DD0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xAED39210]
SSDT 895B31B0 ZwCreateMutant
SSDT 89117058 ZwCreateSymbolicLinkObject
SSDT 89577610 ZwCreateThread
SSDT 89A72750 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xAED39490]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAED399F0]
SSDT 898BA0D8 ZwDuplicateObject
SSDT 88E311A8 ZwFreeVirtualMemory
SSDT 89B43CD0 ZwImpersonateAnonymousToken
SSDT 89AA11A8 ZwImpersonateThread
SSDT 89A81518 ZwLoadDriver
SSDT 88E310C8 ZwMapViewOfSection
SSDT 89B18910 ZwOpenEvent
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwOpenKey [0xAED397A0]
SSDT 89577540 ZwOpenProcess
SSDT 899190E0 ZwOpenProcessToken
SSDT 898FABA8 ZwOpenSection
SSDT 898BA1A8 ZwOpenThread
SSDT 89117128 ZwProtectVirtualMemory
SSDT 8990D2D0 ZwResumeThread
SSDT 8A551E08 ZwSetContextThread
SSDT 88E422E8 ZwSetInformationProcess
SSDT 89AB2AA8 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAED39C40]
SSDT 8910C598 ZwSuspendProcess
SSDT 8911E5E0 ZwSuspendThread
SSDT 898FAB68 ZwTerminateProcess
SSDT 898CE0B8 ZwTerminateThread
SSDT 89B17D10 ZwUnmapViewOfSection
SSDT 89A7A6A0 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device InCDfs.SYS (InCD File System Driver/Nero AG)
Device -> \Driver\iastor \Device\Harddisk0\DR0 88CBBAC8

---- Files - GMER 1.0.15 ----

File C:\Program Files\Symantec\DownloadManager\NSW2006\Support\Redist\MSRedist\comctl32.ocx (size mismatch) 22288/608448 bytes executable
File C:\WINDOWS\system32\drivers\iastor.sys suspicious modification

---- EOF - GMER 1.0.15 ----
Tim Brug
Regular Member
Posts: 33
Joined: March 31st, 2010, 9:06 pm

Re: tidserv request 2

Post by melboy » April 11th, 2010, 5:55 am

Hi Tim

Combofix should have installed the Windows Recovery Console - Do you see that option when you boot up?
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: tidserv request 2

Post by Tim Brug » April 11th, 2010, 6:02 am

Yes
Tim Brug
Regular Member
Posts: 33
Joined: March 31st, 2010, 9:06 pm

Re: tidserv request 2

Post by melboy » April 11th, 2010, 6:09 pm

Hi Tim

Please print the following instructions before execution.



  • In normal mode go to Start > Run and type CMD > Click OK
  • A black command window should open. Copy and paste the contents of the code box below into the command window at the prompt (blinking cursor)
    DO NOT include code:

    copy %systemroot%\system32\drivers\netbt.sys %systemroot%
    echo copy netbt.sys system32\drivers>%systemroot%\fix.bat
    echo del netbt.sys>>%systemroot%\fix.bat
    exit
    cls

  • The command window will close.


NEXT:


  1. Restart your computer
  2. Before Windows loads, you will be prompted to choose which Operating System to start
  3. Use the up and down arrow key to select Microsoft Windows Recovery Console
  4. You must enter which Windows installation to log onto. Type 1 and press enter.
  5. At the C:\Windows prompt, type the following bolded text, and press Enter:

    batch fix.bat

  6. At the next prompt, type the following bolded text, and press Enter:

    Exit

  7. Restart the PC and boot into normal mode.


Give me an update on how things are running.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: tidserv request 2

Post by Tim Brug » April 11th, 2010, 7:00 pm

No luck, after reboot with recovery console, computer went blue screen on me.

I think I'm ready to blow it up and move on. Are we out of options?
Tim Brug
Regular Member
Posts: 33
Joined: March 31st, 2010, 9:06 pm

Re: tidserv request 2

Post by melboy » April 12th, 2010, 1:24 pm

Hi Tim

We do have other options.

However, if you wish to re-format and re-install your Operating System, I will respect that decision - Let me know. :)

Otherwise carry out the instructions below.

Please print the following instructions before execution.


Boot into Safe Mode.

>> Booting into Safe Mode - safely <<


  • In Safe mode go to Start > Run and type CMD > Click OK
  • A black command window should open. Copy and paste the contents of the code box below into the command window at the prompt (blinking cursor)
    DO NOT include code:

    copy /y %systemroot%\netbt.sys %systemroot%\system32\drivers\netbt.sys
  • Press Enter on your keyboard
  • You should see the message "1 File(s) copied"
  • Close the command window.

  • Restart the PC and boot into normal mode.


Give me an update on how things are running or if you have any problems.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: tidserv request 2

Post by Tim Brug » April 12th, 2010, 4:14 pm

OK, I completed your instructions as asked. I did get an alert from Norton about tidserv request 2 being blocked. I also got an error message about Pure Networks Platform Service encountering a problem and closing. I believe it has something to do with my wireless USB adapter.

So I guess we will continue on.
Tim Brug
Regular Member
Posts: 33
Joined: March 31st, 2010, 9:06 pm

Re: tidserv request 2

Post by melboy » April 13th, 2010, 2:40 am

Hi Tim

Go to Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c PEV -l "%systemdrive%\netbt.*" >Log.txt&Log.txt&del Log.txt


A Notepad file will open. Post the contents of Log.txt in your next reply.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: tidserv request 2

Post by Tim Brug » April 13th, 2010, 6:27 am

PC seems to be running a little better.



----a-w- 162,816 2010-04-06 11:07:32 C:\WINDOWS\netbt.sys
----a-w- 162,816 2008-04-13 19:21:00 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\netbt.sys
-c--a-w- 162,816 2010-04-06 11:07:32 C:\WINDOWS\system32\dllcache\netbt.sys
----a-w- 162,816 2010-04-06 11:07:32 C:\WINDOWS\system32\drivers\netbt.sys

Entries: 4 (4)
Directories: 0 Files: 4
Bytes: 651,264 Blocks: 1,272
Tim Brug
Regular Member
Posts: 33
Joined: March 31st, 2010, 9:06 pm
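Two listings in this thread repay a closer reading: the ComboFix "Look" block for netbt.sys (a build tagged xpsp_sp2_rtm.040803, i.e. 2004, with a 2010 modification time) and the PEV listing of the four netbt.sys copies in the last post, where only the Windows Update cache copy differs from the rest. The script below is an added example, not code from the thread or from ComboFix, PEV or GMER; it parses those two formats and flags exactly those anomalies. The majority-vote and build-date rules are triage heuristics assumed here, not checks the tools themselves perform.

```python
"""Triage helpers for the driver-file listings quoted in this thread.

Added example; not code from the thread, ComboFix, PEV or GMER. It assumes
exactly the two listing styles posted above:
  - PEV / ComboFix file lines, e.g.
      ----a-w- 162,816 2010-04-06 11:07:32 C:\\WINDOWS\\netbt.sys
  - a ComboFix "Look" block with "File Version: ..." and "Modified time: ..."
"""
import re
from collections import Counter
from datetime import date, datetime

# Sample input: the four netbt.sys copies from the PEV output posted above.
PEV_LISTING = """\
----a-w- 162,816 2010-04-06 11:07:32 C:\\WINDOWS\\netbt.sys
----a-w- 162,816 2008-04-13 19:21:00 C:\\WINDOWS\\SoftwareDistribution\\Download\\cf8ec753e88561d2ddb53e183dc05c3e\\netbt.sys
-c--a-w- 162,816 2010-04-06 11:07:32 C:\\WINDOWS\\system32\\dllcache\\netbt.sys
----a-w- 162,816 2010-04-06 11:07:32 C:\\WINDOWS\\system32\\drivers\\netbt.sys
"""

# Sample input: the "Look" block for netbt.sys from the ComboFix log above.
LOOK_BLOCK = """\
--- c:\\windows\\system32\\drivers\\netbt.sys ---
Company: Microsoft Corporation
File Description: MBT Transport driver
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Original Filename: netbt.sys
File size: 162816
Created time: 2004-08-12 13:24
Modified time: 2010-04-06 11:07
"""

LINE_RE = re.compile(
    r"^(?P<attrs>[-a-z]{8})\s+(?P<size>[\d,]+)\s+"
    r"(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>.+)$"
)
# Build tag inside an XP version string: "xpsp_sp2_rtm.040803-2158" -> 04 08 03
BUILD_TAG_RE = re.compile(r"\.(\d{2})(\d{2})(\d{2})-\d{4}\)")


def parse_listing(text):
    """One dict per file line; summary lines such as "Entries: 4" are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({
                "attrs": m["attrs"],
                "size": int(m["size"].replace(",", "")),
                "mtime": datetime.strptime(m["mtime"], "%Y-%m-%d %H:%M:%S"),
                "path": m["path"],
            })
    return records


def odd_copies(records):
    """Paths whose (size, mtime) differs from the majority of the copies.

    Equal size plus an identical mtime to the second is only a weak identity
    (a hash, as in the ComboFix SR_Search section, is better), but it is all a
    PEV listing gives. On the thread's data it singles out the Windows Update
    cache copy: every other copy, the dllcache backup included, carries the
    2010 mtime, so those backups are no independent reference.
    """
    key = lambda r: (r["size"], r["mtime"])
    majority = Counter(key(r) for r in records).most_common(1)[0][0]
    return [r["path"] for r in records if key(r) != majority]


def build_date_from_version(version):
    """Date encoded in the build tag of an XP-style File Version, or None."""
    m = BUILD_TAG_RE.search(version)
    if not m:
        return None
    yy, mm, dd = (int(x) for x in m.groups())
    return date(2000 + yy, mm, dd)


def modified_long_after_build(look_block, min_days=365):
    """Heuristic (assumed here): flag a driver whose on-disk mtime is more than
    min_days after the build date in its own version tag. A serviced driver
    normally carries a newer tag; netbt.sys here says 2004 but was rewritten
    in 2010, which is what prompted the FileLook in the CFScript."""
    fields = dict(l.split(": ", 1) for l in look_block.splitlines() if ": " in l)
    built = build_date_from_version(fields.get("File Version", ""))
    if built is None or "Modified time" not in fields:
        return False
    modified = datetime.strptime(fields["Modified time"], "%Y-%m-%d %H:%M").date()
    return (modified - built).days > min_days


if __name__ == "__main__":
    for path in odd_copies(parse_listing(PEV_LISTING)):
        print("differs from the other copies:", path)
    print("netbt.sys modified long after its build:",
          modified_long_after_build(LOOK_BLOCK))
```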