HTTPS Tidserv request 2

Post by kemsing » May 1st, 2010, 4:30 am

I have recently loaded Norton as we had been having some issues with our e-mails. We did have MailWasher installed but seemed to be having problems with that and wondered if that was blocking some e-mails, so we took it off our system.
Norton says it has detected some viruses and malware and has got rid of them, but we keep getting a box that keeps coming up saying an attempt to attack our computer has been blocked.
It comes up with HTTPS Tidserv request 2, attacking computer 19js8103002.com and 91.212.226.67, traffic description TCP, https.

When I look at the security updates, Norton says it has found 13 threats under viruses and spyware and 19 attempts under intrusion. What worries me is that overnight, when I left the computer on to do a Malwarebytes Anti-Malware scan, it looks as if this HTTPS Tidserv had not been removed, and the log shows intrusions at 22.07, 01.09, 01.39, 02.09, virtually every half hour.
Please can you let me know what I can do, as I don't know how harmful this might be?
I have printed off the logs from both Malwarebytes and HijackThis.
Here is the Malwarebytes one first and then the HijackThis report.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4055

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

01/05/2010 08:13:57
mbam-log-2010-05-01 (08-13-57).txt

Scan type: Full scan (C:\|)
Objects scanned: 262152
Time elapsed: 4 hour(s), 11 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\ms.videostream (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{29bf1b1f-0106-4881-a7c7-a71035c54825} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f856bb9e-855b-498d-883e-3509c550a031} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f856bb9e-855b-498d-883e-3509c550a031} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{99e591b6-a5ad-4a2d-b349-334020760ef2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4e524163-8d00-46f3-b239-1f42d48c8ed0} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f856bb9e-855b-498d-883e-3509c550a031} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f856bb9e-855b-498d-883e-3509c550a031} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Bind (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Lee\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Application Data\fvgqad.dat (Malware.Trace) -> Quarantined and deleted successfully.

Here is a HijackThis report if it helps.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 08:53:35, on 01/05/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton 360\Norton 360\Engine\4.1.0.32\ccSvcHst.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Norton 360\Norton 360\Engine\4.1.0.32\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.endeavour.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Norton 360\Engine\4.1.0.32\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Norton 360\Engine\4.1.0.32\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Norton 360\Engine\4.1.0.32\coIEPlg.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(3).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/25.18/uploader2.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... site.cab?1212229050421
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL ... =1220099963046&h=b8a9652405c97184fa5dace0e4231759/&filename=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/ph ... NPUpld.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://selectworld.squarespace.com/univ ... Upload.ocx
O16 - DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} (pCastPanel Class) - http://ps.itv.mop.com/dn/files/pCastCtl ... signed.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\508\G2AWinLogon.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: Fast User Switching Compatibility FastUserSwitchingCompatibilityImapiService (FastUserSwitchingCompatibilityImapiService) - Unknown owner - C:\WINDOWS\system32\3076a.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\508\g2aservice.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Norton 360\Engine\4.1.0.32\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 9563 bytes
kemsing
Regular Member
Posts: 56
Joined: April 30th, 2010, 12:28 pm
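The security-relevant detail in the post above is not the 13 quarantined items but the Norton intrusion alerts that kept firing overnight, at roughly 30-minute intervals, to the same remote address after Malwarebytes had "cleaned" the machine: a fixed-period outbound connection that survives user-mode cleanup is the signature of a hidden component phoning home. The script below is an added example, not code from the original post or from any Symantec/Norton tool. It reads alert lines in a constructed tab-separated layout (date and time, signature, remote IP, action; the real Norton export format is not shown on the page, so this layout and the sample lines are assumptions) and reports any (signature, destination) pair whose alerts recur at a near-constant interval, tolerating the long gap a sleeping or powered-off host introduces. The 203.0.113.9 line is a documentation address used for an unrelated one-off alert.

```python
"""Periodic-beacon check over intrusion-prevention alert timestamps.

Added example, not from the original thread. Log layout is an assumption.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log. The 91.212.226.67 hits mirror the times the poster
# quotes (22:07, 01:09, 01:39, 02:09) plus one more; the other line is noise.
SAMPLE_LOG = """\
2010-04-30 22:07:12\tHTTPS Tidserv request 2\t91.212.226.67\tBlocked
2010-04-30 23:15:40\tExample unrelated alert\t203.0.113.9\tBlocked
2010-05-01 01:09:03\tHTTPS Tidserv request 2\t91.212.226.67\tBlocked
2010-05-01 01:39:11\tHTTPS Tidserv request 2\t91.212.226.67\tBlocked
2010-05-01 02:09:05\tHTTPS Tidserv request 2\t91.212.226.67\tBlocked
2010-05-01 02:39:20\tHTTPS Tidserv request 2\t91.212.226.67\tBlocked
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\t([^\t]+)\t([^\t]+)\t(\w+)$")


def parse_alerts(text):
    """Return (timestamp, signature, remote_ip) tuples; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            alerts.append((ts, m.group(2), m.group(3)))
    return alerts


def gaps_in_minutes(timestamps):
    """Consecutive inter-alert gaps in whole minutes, after sorting."""
    ts = sorted(timestamps)
    return [round((b - a).total_seconds() / 60) for a, b in zip(ts, ts[1:])]


def find_beacons(alerts, bucket=5, min_hits=4, min_share=0.6, tolerance=0.1):
    """Group alerts by (signature, remote IP) and flag groups whose gaps cluster.

    A host that is asleep or switched off produces a few long gaps (22:07 to
    01:09 in the post), so instead of demanding that every gap be equal we
    take the most common gap, quantised to `bucket` minutes, and require that
    at least `min_share` of all gaps lie within `tolerance` of it.
    """
    groups = defaultdict(list)
    for ts, sig, ip in alerts:
        groups[(sig, ip)].append(ts)

    findings = {}
    for key, stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        gaps = gaps_in_minutes(stamps)
        period = Counter(bucket * round(g / bucket) for g in gaps).most_common(1)[0][0]
        if period == 0:  # burst of duplicate alerts, not a beacon
            continue
        close = sum(1 for g in gaps if abs(g - period) <= tolerance * period)
        share = close / len(gaps)
        if share >= min_share:
            findings[key] = {"period_min": period, "hits": len(stamps),
                             "share": round(share, 2)}
    return findings


if __name__ == "__main__":
    for (sig, ip), info in find_beacons(parse_alerts(SAMPLE_LOG)).items():
        print(f"{ip}  {sig!r}: {info['hits']} hits, about {info['period_min']} min "
              f"apart ({info['share']:.0%} of gaps)")
```

On the sample the Tidserv destination is reported with a 30-minute period even though the first gap is three hours, because the check keys on the dominant interval rather than on all intervals being equal; the one-off alert never reaches the threshold. In practice the IPS log is the evidence that the host is still compromised, regardless of what the on-demand scanner reports.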

Re: HTTPS Tidserv request 2

Post by askey127 » May 4th, 2010, 6:46 am

Hi kemsing,
Please open Notepad, click Format from the top menu and click Wordwrap once.
This should turn OFF Wordwrap, which will make your logs much easier to analyze.
--------------------------------------------
TDSSKiller
  • Download the file TDSSKiller.zip and save it on your desktop.
  • Extract the file tdsskiller.zip; it will create a folder named tdsskiller on your desktop.
  • Double-click the tdsskiller folder on your desktop.
  • Right-click on tdsskiller.exe and click Copy, then Paste it directly on to your Desktop.
  • Highlight and copy (Ctrl+C) the text in the box below.
    "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"
  • Click Start, click Run... and paste (Ctrl+V) the text above into the Open: line and click OK.
  • Wait for the scan and disinfection process to be over.
  • Open tdsskiller.txt on your desktop and post the contents in your next reply.
----------------------------------------------------------------------------------
Run Malwarebytes' Anti-Malware
  • Start Malwarebytes' Anti-Malware.
  • Click on the Update tab. Choose Check for Updates.
  • If an update is found, it will download and install the latest version.
  • If necessary, start Malwarebytes' Anti-Malware again.
  • Once the program is running, select Perform Quick Scan, then click Scan. Do NOT run Full scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it found any malware items, check all items except items in the C:\System Volume Information folder, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any log listed to open its contents.
  • Recent logs are named by time/date stamp in this format: mbam-log-2010-mm-dd(hour-min-sec).txt

So we are looking for the contents of logs from TDSSKiller and Malwarebytes Anti-Malware.
askey127
Admin/Teacher
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: HTTPS Tidserv request 2

Post by kemsing » May 4th, 2010, 10:58 am

Hi askey127,
So here is the TDSSKiller .txt information:
15:20:19:046 3464 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
15:20:19:046 3464 ================================================================================
15:20:19:046 3464 SystemInfo:

15:20:19:046 3464 OS Version: 5.1.2600 ServicePack: 3.0
15:20:19:046 3464 Product type: Workstation
15:20:19:046 3464 ComputerName: SELECT-09
15:20:19:046 3464 UserName: Lee
15:20:19:046 3464 Windows directory: C:\WINDOWS
15:20:19:046 3464 Processor architecture: Intel x86
15:20:19:046 3464 Number of processors: 2
15:20:19:046 3464 Page size: 0x1000
15:20:19:062 3464 Boot type: Normal boot
15:20:19:062 3464 ================================================================================
15:20:19:062 3464 UnloadDriverW: NtUnloadDriver error 1
15:20:19:062 3464 ForceUnloadDriverW: UnloadDriverW(klmd21) error 1
15:20:19:140 3464 LoadDriverW: Driver already loaded
15:20:19:140 3464 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
15:20:19:140 3464 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:20:19:140 3464 wfopen_ex: Trying to KLMD file open
15:20:19:140 3464 wfopen_ex: File opened ok (Flags 2)
15:20:19:156 3464 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
15:20:19:156 3464 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:20:19:156 3464 wfopen_ex: Trying to KLMD file open
15:20:19:156 3464 wfopen_ex: File opened ok (Flags 2)
15:20:19:156 3464 Initialize success
15:20:19:156 3464
15:20:19:156 3464 Scanning Services ...
15:20:19:453 3464 Raw services enum returned 352 services
15:20:19:468 3464
15:20:19:468 3464 Scanning Kernel memory ...
15:20:19:468 3464 Devices to scan: 10
15:20:19:468 3464
15:20:19:468 3464 Driver Name: Disk
15:20:19:468 3464 IRP_MJ_CREATE : F75DABB0
15:20:19:468 3464 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:20:19:468 3464 IRP_MJ_CLOSE : F75DABB0
15:20:19:468 3464 IRP_MJ_READ : F75D4D1F
15:20:19:468 3464 IRP_MJ_WRITE : F75D4D1F
15:20:19:468 3464 IRP_MJ_QUERY_INFORMATION : 804F4562
15:20:19:468 3464 IRP_MJ_SET_INFORMATION : 804F4562
15:20:19:468 3464 IRP_MJ_QUERY_EA : 804F4562
15:20:19:468 3464 IRP_MJ_SET_EA : 804F4562
15:20:19:468 3464 IRP_MJ_FLUSH_BUFFERS : F75D52E2
15:20:19:468 3464 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:20:19:468 3464 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:20:19:468 3464 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:20:19:468 3464 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:20:19:468 3464 IRP_MJ_DEVICE_CONTROL : F75D53BB
15:20:19:468 3464 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75D8F28
15:20:19:468 3464 IRP_MJ_SHUTDOWN : F75D52E2
15:20:19:468 3464 IRP_MJ_LOCK_CONTROL : 804F4562
15:20:19:468 3464 IRP_MJ_CLEANUP : 804F4562
15:20:19:468 3464 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:20:19:468 3464 IRP_MJ_QUERY_SECURITY : 804F4562
15:20:19:468 3464 IRP_MJ_SET_SECURITY : 804F4562
15:20:19:468 3464 IRP_MJ_POWER : F75D6C82
15:20:19:468 3464 IRP_MJ_SYSTEM_CONTROL : F75DB99E
15:20:19:468 3464 IRP_MJ_DEVICE_CHANGE : 804F4562
15:20:19:484 3464 IRP_MJ_QUERY_QUOTA : 804F4562
15:20:19:484 3464 IRP_MJ_SET_QUOTA : 804F4562
15:20:19:500 3464 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
15:20:19:500 3464
15:20:19:500 3464 Driver Name: Disk
15:20:19:500 3464 IRP_MJ_CREATE : F75DABB0
15:20:19:500 3464 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:20:19:500 3464 IRP_MJ_CLOSE : F75DABB0
15:20:19:500 3464 IRP_MJ_READ : F75D4D1F
15:20:19:500 3464 IRP_MJ_WRITE : F75D4D1F
15:20:19:500 3464 IRP_MJ_QUERY_INFORMATION : 804F4562
15:20:19:500 3464 IRP_MJ_SET_INFORMATION : 804F4562
15:20:19:500 3464 IRP_MJ_QUERY_EA : 804F4562
15:20:19:500 3464 IRP_MJ_SET_EA : 804F4562
15:20:19:500 3464 IRP_MJ_FLUSH_BUFFERS : F75D52E2
15:20:19:500 3464 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:20:19:500 3464 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:20:19:500 3464 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:20:19:500 3464 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:20:19:500 3464 IRP_MJ_DEVICE_CONTROL : F75D53BB
15:20:19:500 3464 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75D8F28
15:20:19:500 3464 IRP_MJ_SHUTDOWN : F75D52E2
15:20:19:500 3464 IRP_MJ_LOCK_CONTROL : 804F4562
15:20:19:500 3464 IRP_MJ_CLEANUP : 804F4562
15:20:19:500 3464 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:20:19:500 3464 IRP_MJ_QUERY_SECURITY : 804F4562
15:20:19:500 3464 IRP_MJ_SET_SECURITY : 804F4562
15:20:19:500 3464 IRP_MJ_POWER : F75D6C82
15:20:19:500 3464 IRP_MJ_SYSTEM_CONTROL : F75DB99E
15:20:19:500 3464 IRP_MJ_DEVICE_CHANGE : 804F4562
15:20:19:500 3464 IRP_MJ_QUERY_QUOTA : 804F4562
15:20:19:500 3464 IRP_MJ_SET_QUOTA : 804F4562
15:20:19:500 3464 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
15:20:19:500 3464
15:20:19:500 3464 Driver Name: Disk
15:20:19:500 3464 IRP_MJ_CREATE : F75DABB0
15:20:19:500 3464 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:20:19:500 3464 IRP_MJ_CLOSE : F75DABB0
15:20:19:500 3464 IRP_MJ_READ : F75D4D1F
15:20:19:500 3464 IRP_MJ_WRITE : F75D4D1F
15:20:19:500 3464 IRP_MJ_QUERY_INFORMATION : 804F4562
15:20:19:500 3464 IRP_MJ_SET_INFORMATION : 804F4562
15:20:19:500 3464 IRP_MJ_QUERY_EA : 804F4562
15:20:19:500 3464 IRP_MJ_SET_EA : 804F4562
15:20:19:500 3464 IRP_MJ_FLUSH_BUFFERS : F75D52E2
15:20:19:500 3464 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:20:19:500 3464 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:20:19:500 3464 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:20:19:500 3464 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:20:19:500 3464 IRP_MJ_DEVICE_CONTROL : F75D53BB
15:20:19:500 3464 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75D8F28
15:20:19:500 3464 IRP_MJ_SHUTDOWN : F75D52E2
15:20:19:500 3464 IRP_MJ_LOCK_CONTROL : 804F4562
15:20:19:500 3464 IRP_MJ_CLEANUP : 804F4562
15:20:19:500 3464 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:20:19:500 3464 IRP_MJ_QUERY_SECURITY : 804F4562
15:20:19:500 3464 IRP_MJ_SET_SECURITY : 804F4562
15:20:19:500 3464 IRP_MJ_POWER : F75D6C82
15:20:19:500 3464 IRP_MJ_SYSTEM_CONTROL : F75DB99E
15:20:19:500 3464 IRP_MJ_DEVICE_CHANGE : 804F4562
15:20:19:500 3464 IRP_MJ_QUERY_QUOTA : 804F4562
15:20:19:500 3464 IRP_MJ_SET_QUOTA : 804F4562
15:20:19:515 3464 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
15:20:19:515 3464
15:20:19:515 3464 Driver Name: Disk
15:20:19:515 3464 IRP_MJ_CREATE : F75DABB0
15:20:19:515 3464 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:20:19:515 3464 IRP_MJ_CLOSE : F75DABB0
15:20:19:515 3464 IRP_MJ_READ : F75D4D1F
15:20:19:515 3464 IRP_MJ_WRITE : F75D4D1F
15:20:19:515 3464 IRP_MJ_QUERY_INFORMATION : 804F4562
15:20:19:515 3464 IRP_MJ_SET_INFORMATION : 804F4562
15:20:19:515 3464 IRP_MJ_QUERY_EA : 804F4562
15:20:19:515 3464 IRP_MJ_SET_EA : 804F4562
15:20:19:515 3464 IRP_MJ_FLUSH_BUFFERS : F75D52E2
15:20:19:515 3464 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:20:19:515 3464 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:20:19:515 3464 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:20:19:515 3464 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:20:19:515 3464 IRP_MJ_DEVICE_CONTROL : F75D53BB
15:20:19:515 3464 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75D8F28
15:20:19:515 3464 IRP_MJ_SHUTDOWN : F75D52E2
15:20:19:515 3464 IRP_MJ_LOCK_CONTROL : 804F4562
15:20:19:515 3464 IRP_MJ_CLEANUP : 804F4562
15:20:19:515 3464 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:20:19:515 3464 IRP_MJ_QUERY_SECURITY : 804F4562
15:20:19:515 3464 IRP_MJ_SET_SECURITY : 804F4562
15:20:19:515 3464 IRP_MJ_POWER : F75D6C82
15:20:19:515 3464 IRP_MJ_SYSTEM_CONTROL : F75DB99E
15:20:19:515 3464 IRP_MJ_DEVICE_CHANGE : 804F4562
15:20:19:515 3464 IRP_MJ_QUERY_QUOTA : 804F4562
15:20:19:515 3464 IRP_MJ_SET_QUOTA : 804F4562
15:20:19:515 3464 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
15:20:19:515 3464
15:20:19:515 3464 Driver Name: USBSTOR
15:20:19:515 3464 IRP_MJ_CREATE : F7971218
15:20:19:515 3464 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:20:19:515 3464 IRP_MJ_CLOSE : F7971218
15:20:19:515 3464 IRP_MJ_READ : F797123C
15:20:19:515 3464 IRP_MJ_WRITE : F797123C
15:20:19:515 3464 IRP_MJ_QUERY_INFORMATION : 804F4562
15:20:19:515 3464 IRP_MJ_SET_INFORMATION : 804F4562
15:20:19:515 3464 IRP_MJ_QUERY_EA : 804F4562
15:20:19:515 3464 IRP_MJ_SET_EA : 804F4562
15:20:19:515 3464 IRP_MJ_FLUSH_BUFFERS : 804F4562
15:20:19:515 3464 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:20:19:515 3464 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:20:19:515 3464 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:20:19:515 3464 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:20:19:515 3464 IRP_MJ_DEVICE_CONTROL : F7971180
15:20:19:515 3464 IRP_MJ_INTERNAL_DEVICE_CONTROL : F796C9E6
15:20:19:515 3464 IRP_MJ_SHUTDOWN : 804F4562
15:20:19:515 3464 IRP_MJ_LOCK_CONTROL : 804F4562
15:20:19:515 3464 IRP_MJ_CLEANUP : 804F4562
15:20:19:515 3464 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:20:19:515 3464 IRP_MJ_QUERY_SECURITY : 804F4562
15:20:19:515 3464 IRP_MJ_SET_SECURITY : 804F4562
15:20:19:515 3464 IRP_MJ_POWER : F79705F0
15:20:19:515 3464 IRP_MJ_SYSTEM_CONTROL : F796EA6E
15:20:19:515 3464 IRP_MJ_DEVICE_CHANGE : 804F4562
15:20:19:515 3464 IRP_MJ_QUERY_QUOTA : 804F4562
15:20:19:515 3464 IRP_MJ_SET_QUOTA : 804F4562
15:20:19:531 3464 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
15:20:19:531 3464
15:20:19:531 3464 Driver Name: USBSTOR
15:20:19:531 3464 IRP_MJ_CREATE : F7971218
15:20:19:531 3464 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:20:19:531 3464 IRP_MJ_CLOSE : F7971218
15:20:19:531 3464 IRP_MJ_READ : F797123C
15:20:19:531 3464 IRP_MJ_WRITE : F797123C
15:20:19:531 3464 IRP_MJ_QUERY_INFORMATION : 804F4562
15:20:19:531 3464 IRP_MJ_SET_INFORMATION : 804F4562
15:20:19:531 3464 IRP_MJ_QUERY_EA : 804F4562
15:20:19:531 3464 IRP_MJ_SET_EA : 804F4562
15:20:19:531 3464 IRP_MJ_FLUSH_BUFFERS : 804F4562
15:20:19:531 3464 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:20:19:531 3464 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:20:19:531 3464 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:20:19:531 3464 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:20:19:531 3464 IRP_MJ_DEVICE_CONTROL : F7971180
15:20:19:531 3464 IRP_MJ_INTERNAL_DEVICE_CONTROL : F796C9E6
15:20:19:531 3464 IRP_MJ_SHUTDOWN : 804F4562
15:20:19:531 3464 IRP_MJ_LOCK_CONTROL : 804F4562
15:20:19:531 3464 IRP_MJ_CLEANUP : 804F4562
15:20:19:531 3464 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:20:19:531 3464 IRP_MJ_QUERY_SECURITY : 804F4562
15:20:19:531 3464 IRP_MJ_SET_SECURITY : 804F4562
15:20:19:531 3464 IRP_MJ_POWER : F79705F0
15:20:19:531 3464 IRP_MJ_SYSTEM_CONTROL : F796EA6E
15:20:19:531 3464 IRP_MJ_DEVICE_CHANGE : 804F4562
15:20:19:531 3464 IRP_MJ_QUERY_QUOTA : 804F4562
15:20:19:531 3464 IRP_MJ_SET_QUOTA : 804F4562
15:20:19:531 3464 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
15:20:19:531 3464
15:20:19:531 3464 Driver Name: USBSTOR
15:20:19:531 3464 IRP_MJ_CREATE : F7971218
15:20:19:531 3464 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:20:19:531 3464 IRP_MJ_CLOSE : F7971218
15:20:19:531 3464 IRP_MJ_READ : F797123C
15:20:19:531 3464 IRP_MJ_WRITE : F797123C
15:20:19:531 3464 IRP_MJ_QUERY_INFORMATION : 804F4562
15:20:19:531 3464 IRP_MJ_SET_INFORMATION : 804F4562
15:20:19:531 3464 IRP_MJ_QUERY_EA : 804F4562
15:20:19:531 3464 IRP_MJ_SET_EA : 804F4562
15:20:19:531 3464 IRP_MJ_FLUSH_BUFFERS : 804F4562
15:20:19:531 3464 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:20:19:531 3464 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:20:19:531 3464 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:20:19:531 3464 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:20:19:531 3464 IRP_MJ_DEVICE_CONTROL : F7971180
15:20:19:531 3464 IRP_MJ_INTERNAL_DEVICE_CONTROL : F796C9E6
15:20:19:531 3464 IRP_MJ_SHUTDOWN : 804F4562
15:20:19:531 3464 IRP_MJ_LOCK_CONTROL : 804F4562
15:20:19:531 3464 IRP_MJ_CLEANUP : 804F4562
15:20:19:531 3464 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:20:19:531 3464 IRP_MJ_QUERY_SECURITY : 804F4562
15:20:19:531 3464 IRP_MJ_SET_SECURITY : 804F4562
15:20:19:531 3464 IRP_MJ_POWER : F79705F0
15:20:19:531 3464 IRP_MJ_SYSTEM_CONTROL : F796EA6E
15:20:19:531 3464 IRP_MJ_DEVICE_CHANGE : 804F4562
15:20:19:531 3464 IRP_MJ_QUERY_QUOTA : 804F4562
15:20:19:531 3464 IRP_MJ_SET_QUOTA : 804F4562
15:20:19:546 3464 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
15:20:19:546 3464
15:20:19:546 3464 Driver Name: USBSTOR
15:20:19:546 3464 IRP_MJ_CREATE : F7971218
15:20:19:546 3464 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:20:19:546 3464 IRP_MJ_CLOSE : F7971218
15:20:19:546 3464 IRP_MJ_READ : F797123C
15:20:19:546 3464 IRP_MJ_WRITE : F797123C
15:20:19:546 3464 IRP_MJ_QUERY_INFORMATION : 804F4562
15:20:19:546 3464 IRP_MJ_SET_INFORMATION : 804F4562
15:20:19:546 3464 IRP_MJ_QUERY_EA : 804F4562
15:20:19:546 3464 IRP_MJ_SET_EA : 804F4562
15:20:19:546 3464 IRP_MJ_FLUSH_BUFFERS : 804F4562
15:20:19:546 3464 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:20:19:546 3464 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:20:19:546 3464 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:20:19:546 3464 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:20:19:546 3464 IRP_MJ_DEVICE_CONTROL : F7971180
15:20:19:546 3464 IRP_MJ_INTERNAL_DEVICE_CONTROL : F796C9E6
15:20:19:546 3464 IRP_MJ_SHUTDOWN : 804F4562
15:20:19:546 3464 IRP_MJ_LOCK_CONTROL : 804F4562
15:20:19:546 3464 IRP_MJ_CLEANUP : 804F4562
15:20:19:546 3464 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:20:19:546 3464 IRP_MJ_QUERY_SECURITY : 804F4562
15:20:19:546 3464 IRP_MJ_SET_SECURITY : 804F4562
15:20:19:546 3464 IRP_MJ_POWER : F79705F0
15:20:19:546 3464 IRP_MJ_SYSTEM_CONTROL : F796EA6E
15:20:19:546 3464 IRP_MJ_DEVICE_CHANGE : 804F4562
15:20:19:546 3464 IRP_MJ_QUERY_QUOTA : 804F4562
15:20:19:546 3464 IRP_MJ_SET_QUOTA : 804F4562
15:20:19:546 3464 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
15:20:19:546 3464
15:20:19:546 3464 Driver Name: Disk
15:20:19:546 3464 IRP_MJ_CREATE : F75DABB0
15:20:19:546 3464 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:20:19:546 3464 IRP_MJ_CLOSE : F75DABB0
15:20:19:546 3464 IRP_MJ_READ : F75D4D1F
15:20:19:546 3464 IRP_MJ_WRITE : F75D4D1F
15:20:19:546 3464 IRP_MJ_QUERY_INFORMATION : 804F4562
15:20:19:546 3464 IRP_MJ_SET_INFORMATION : 804F4562
15:20:19:546 3464 IRP_MJ_QUERY_EA : 804F4562
15:20:19:546 3464 IRP_MJ_SET_EA : 804F4562
15:20:19:546 3464 IRP_MJ_FLUSH_BUFFERS : F75D52E2
15:20:19:546 3464 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:20:19:546 3464 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:20:19:546 3464 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:20:19:546 3464 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:20:19:546 3464 IRP_MJ_DEVICE_CONTROL : F75D53BB
15:20:19:546 3464 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75D8F28
15:20:19:546 3464 IRP_MJ_SHUTDOWN : F75D52E2
15:20:19:546 3464 IRP_MJ_LOCK_CONTROL : 804F4562
15:20:19:546 3464 IRP_MJ_CLEANUP : 804F4562
15:20:19:546 3464 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:20:19:546 3464 IRP_MJ_QUERY_SECURITY : 804F4562
15:20:19:546 3464 IRP_MJ_SET_SECURITY : 804F4562
15:20:19:546 3464 IRP_MJ_POWER : F75D6C82
15:20:19:546 3464 IRP_MJ_SYSTEM_CONTROL : F75DB99E
15:20:19:546 3464 IRP_MJ_DEVICE_CHANGE : 804F4562
15:20:19:546 3464 IRP_MJ_QUERY_QUOTA : 804F4562
15:20:19:546 3464 IRP_MJ_SET_QUOTA : 804F4562
15:20:19:562 3464 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
15:20:19:562 3464
15:20:19:562 3464 Driver Name: atapi
15:20:19:562 3464 IRP_MJ_CREATE : 868C0EE4
15:20:19:562 3464 IRP_MJ_CREATE_NAMED_PIPE : 868C0EE4
15:20:19:562 3464 IRP_MJ_CLOSE : 868C0EE4
15:20:19:562 3464 IRP_MJ_READ : 868C0EE4
15:20:19:562 3464 IRP_MJ_WRITE : 868C0EE4
15:20:19:562 3464 IRP_MJ_QUERY_INFORMATION : 868C0EE4
15:20:19:562 3464 IRP_MJ_SET_INFORMATION : 868C0EE4
15:20:19:562 3464 IRP_MJ_QUERY_EA : 868C0EE4
15:20:19:562 3464 IRP_MJ_SET_EA : 868C0EE4
15:20:19:562 3464 IRP_MJ_FLUSH_BUFFERS : 868C0EE4
15:20:19:562 3464 IRP_MJ_QUERY_VOLUME_INFORMATION : 868C0EE4
15:20:19:562 3464 IRP_MJ_SET_VOLUME_INFORMATION : 868C0EE4
15:20:19:562 3464 IRP_MJ_DIRECTORY_CONTROL : 868C0EE4
15:20:19:562 3464 IRP_MJ_FILE_SYSTEM_CONTROL : 868C0EE4
15:20:19:562 3464 IRP_MJ_DEVICE_CONTROL : 868C0EE4
15:20:19:562 3464 IRP_MJ_INTERNAL_DEVICE_CONTROL : 868C0EE4
15:20:19:562 3464 IRP_MJ_SHUTDOWN : 868C0EE4
15:20:19:562 3464 IRP_MJ_LOCK_CONTROL : 868C0EE4
15:20:19:562 3464 IRP_MJ_CLEANUP : 868C0EE4
15:20:19:562 3464 IRP_MJ_CREATE_MAILSLOT : 868C0EE4
15:20:19:562 3464 IRP_MJ_QUERY_SECURITY : 868C0EE4
15:20:19:562 3464 IRP_MJ_SET_SECURITY : 868C0EE4
15:20:19:562 3464 IRP_MJ_POWER : 868C0EE4
15:20:19:562 3464 IRP_MJ_SYSTEM_CONTROL : 868C0EE4
15:20:19:562 3464 IRP_MJ_DEVICE_CHANGE : 868C0EE4
15:20:19:562 3464 IRP_MJ_QUERY_QUOTA : 868C0EE4
15:20:19:562 3464 IRP_MJ_SET_QUOTA : 868C0EE4
15:20:19:562 3464 Driver "atapi" infected by TDSS rootkit!
15:20:19:562 3464 C:\WINDOWS\system32\drivers\tskF9.tmp - Verdict: 3
15:20:19:562 3464
15:20:19:562 3464 Completed
15:20:19:562 3464
15:20:19:562 3464 Results:
15:20:19:562 3464 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
15:20:19:562 3464 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:20:19:562 3464 File objects infected / cured / cured on reboot: 0 / 0 / 0
15:20:19:562 3464
15:20:19:562 3464 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
15:20:19:562 3464 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
15:20:19:562 3464 UnloadDriverW: NtUnloadDriver error 1
15:20:19:609 3464 KLMD(ARK) unloaded successfully

Malware updated itself from version 4055 to version 4065.
HERE IS THE MALWAREBYTES ANTI MALWARE LOG
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4065

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

04/05/2010 15:54:14
mbam-log-2010-05-04 (15-54-14).txt

Scan type: Quick scan
Objects scanned: 135963
Time elapsed: 25 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
kemsing
Regular Member
Posts: 56
Joined: April 30th, 2010, 12:28 pm
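The TDSSKiller output above records, for each driver, where every IRP major-function entry of its DRIVER_OBJECT points. For disk.sys the entries are spread over several handler addresses in the driver image plus one kernel stub address (804F4562) shared by the functions it does not implement; for atapi all entries collapse to a single address, 868C0EE4, and the tool reports the driver as infected by TDSS. The script below is an added example for this thread, not TDSSKiller code and not from the original post: it parses log lines in this format and flags any driver whose whole dispatch table resolves to one address that no other driver uses. The sample log is constructed from the excerpt above (a subset of the entries; the "Disk" header line and the verdict-code handling are assumptions).

```python
"""Flag drivers whose IRP dispatch table has been wholesale hooked, from TDSSKiller log lines.

Added example; not TDSSKiller code. SAMPLE_LOG is constructed from the log excerpt
in the thread (a subset of entries; the "Disk" header line is assumed).
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
15:20:19:546 3464 Driver Name: Disk
15:20:19:546 3464 IRP_MJ_SET_INFORMATION : 804F4562
15:20:19:546 3464 IRP_MJ_FLUSH_BUFFERS : F75D52E2
15:20:19:546 3464 IRP_MJ_DEVICE_CONTROL : F75D53BB
15:20:19:546 3464 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75D8F28
15:20:19:546 3464 IRP_MJ_SHUTDOWN : F75D52E2
15:20:19:546 3464 IRP_MJ_POWER : F75D6C82
15:20:19:546 3464 IRP_MJ_SYSTEM_CONTROL : F75DB99E
15:20:19:546 3464 IRP_MJ_SET_QUOTA : 804F4562
15:20:19:562 3464 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
15:20:19:562 3464
15:20:19:562 3464 Driver Name: atapi
15:20:19:562 3464 IRP_MJ_CREATE : 868C0EE4
15:20:19:562 3464 IRP_MJ_READ : 868C0EE4
15:20:19:562 3464 IRP_MJ_WRITE : 868C0EE4
15:20:19:562 3464 IRP_MJ_DEVICE_CONTROL : 868C0EE4
15:20:19:562 3464 IRP_MJ_INTERNAL_DEVICE_CONTROL : 868C0EE4
15:20:19:562 3464 IRP_MJ_POWER : 868C0EE4
15:20:19:562 3464 IRP_MJ_SYSTEM_CONTROL : 868C0EE4
15:20:19:562 3464 IRP_MJ_SET_QUOTA : 868C0EE4
15:20:19:562 3464 Driver "atapi" infected by TDSS rootkit!
15:20:19:562 3464 C:\WINDOWS\system32\drivers\tskF9.tmp - Verdict: 3
"""

DRIVER_RE = re.compile(r"Driver Name:\s*(\S+)")
IRP_RE = re.compile(r"(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})\b")
VERDICT_RE = re.compile(r"(\S+)\s+-\s+Verdict:\s*(\d+)")


def parse_tables(log_text):
    """Return {driver: {"irps": {IRP_MJ_x: int}, "file": path, "verdict": int}}.

    A "Driver Name:" line opens a block; the "<path> - Verdict: N" line closes it.
    """
    tables = {}
    current = None
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            tables[current] = {"irps": {}, "file": None, "verdict": None}
            continue
        if current is None:
            continue
        m = IRP_RE.search(line)
        if m:
            tables[current]["irps"][m.group(1)] = int(m.group(2), 16)
            continue
        m = VERDICT_RE.search(line)
        if m:
            tables[current]["file"] = m.group(1)
            tables[current]["verdict"] = int(m.group(2))  # meaning of the code is tool-specific; carried through as-is
            current = None
    return tables


def find_hooked_tables(tables):
    """Heuristic: every IRP_MJ entry of a driver points at one address used by no other driver.

    A clean driver routes different majors to different handlers and sends the ones it
    does not implement to a kernel stub that many drivers share, so a shared single
    target is not flagged; a single target private to one driver is the TDSS pattern
    seen for atapi above.
    """
    owners = defaultdict(set)
    for name, info in tables.items():
        for addr in info["irps"].values():
            owners[addr].add(name)

    findings = []
    for name, info in tables.items():
        targets = set(info["irps"].values())
        if len(info["irps"]) >= 2 and len(targets) == 1:
            (addr,) = targets
            if owners[addr] == {name}:
                findings.append({
                    "driver": name,
                    "hook": f"{addr:08X}",
                    "file": info["file"],
                    "verdict": info["verdict"],
                })
    return findings


def analyze(log_text):
    """Parse a TDSSKiller-style log and return the list of suspected hooked drivers."""
    return find_hooked_tables(parse_tables(log_text))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['driver']}: all IRP_MJ entries -> {f['hook']} ({f['file']}, verdict {f['verdict']})")
```

The test looks at the shape of the table rather than at the address values, so it does not depend on knowing where ntoskrnl or the driver image is loaded on a given machine. The Gmer section of the ComboFix log later in the thread shows the same symptom from another angle: the disk I/O call chain passes through `>>UNKNOWN [0x868D6EE4]<<`, an address that belongs to no loaded module.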

Re: HTTPS Tidserv request 2

Unread postby askey127 » May 4th, 2010, 12:35 pm

kemsing,
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
You will need to disable all your antivirus software BEFORE running ComboFix!!
Turn OFF Norton Security
1 Start Norton Internet Security.
2 In the left pane, click Status & Settings
3 Click Security.
4 Click Turn Off.

  • Download ComboFix from here
  • Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or the infection may prevent you from using it.
    **Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**
  • Disable ALL antivirus/antimalware programs before proceeding!
  • Now start ComboFix (zzz.exe)
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it.
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts. When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • Do not touch the computer AT ALL while ComboFix is running!
  • When finished, the report will open. Reenable your protection software and post the log in your next reply
A copy of the log will be located here -> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.
Turn ON Norton Security
Start Norton Internet Security.
In the left pane, click Status & Settings
Click Security.
Click Turn ON.

askey127
Admin/Teacher
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: HTTPS Tidserv request 2

Unread postby kemsing » May 4th, 2010, 1:10 pm

Hi askey 127
Thanks for the prompt response.
With Norton, I can't see Status and Settings in the left pane? And with Malware, should I go into My Computer and remove both the Norton and antiMalware programmes, or is there a setting on my desktop items I am missing to turn off the Security? Product Name: Norton 360, Version: 4.1.0.32

Should I also delete Hijack this and also the Tddskiller on my desktop and the log before downloading Combofix?

Could you tell me how long Combofix usually takes to run when scanning till getting to the report? It is 18.10 here so will have to start this process in the morning.
I do appreciate all the help.
kemsing
Regular Member
Posts: 56
Joined: April 30th, 2010, 12:28 pm

Re: HTTPS Tidserv request 2

Unread postby askey127 » May 4th, 2010, 3:35 pm

kemsing,
Here are the two instructions if you cannot find a method from within the Program.
You may want to print this out before you use it.

Stop and Disable Norton 360 Service
Go to Start, Run or Start, Programs, Accessories, Command Prompt and type Services.msc and click OK.
Scroll down and find the service.

Norton 360

Click once on the service to highlight it.
Right-Click on the service. Click on Properties
Select the General tab.
Next to Service Status, click Stop.
Click the Arrow-down tab on the right-hand side of the Start-up Type box.
From the drop-down menu, click on Disabled
Click Apply , then OK


Start and Re-Enable Norton 360 Service
Go to Start, Run or Start, Programs, Accessories, Command Prompt and type Services.msc and click OK.
Scroll down and find the service.

Norton 360

Click once on the service to highlight it.
Right-Click on the service. Click on Properties
Select the General tab.
Click the Arrow-down tab on the right-hand side of the Start-up Type box.
From the drop-down menu, click on Automatic
Next to Service Status, click Start.
Click Apply , then OK

I will guess 15-40 minutes for ComboFix depending on how much stuff to scan and the machine speed.
It has about 50 tasks to do.
Since we are involved with a very serious infection here, be SURE to allow ComboFix to install the Recovery Console, as requested, before the scan.
askey127
Admin/Teacher
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: HTTPS Tidserv request 2

Unread postby kemsing » May 5th, 2010, 4:40 am

I have gone into Start, Run and services.msc. Found Norton 360 and gone into Properties, General tab.
It is showing that Norton has started, but the Start, Stop tabs etc. are not highlighted?
Have then tried the arrow-down tab and clicked on Disabled, applied and got the following message.
Unable to open service N360 for writing on local computer. Error 5 Access is denied.

Please can you let me know what to do? Should I uninstall Norton from My Computer or can you suggest something else.
kemsing
Regular Member
Posts: 56
Joined: April 30th, 2010, 12:28 pm

Re: HTTPS Tidserv request 2

Unread postby askey127 » May 5th, 2010, 7:23 am

kemsing,
That is a defense mechanism by Norton.
Just run ComboFix as instructed, skipping the part about disabling Norton.
askey127
Admin/Teacher
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: HTTPS Tidserv request 2

Unread postby kemsing » May 5th, 2010, 9:32 am

I am trying to post the log from Combofix, but every time I press the Submit button, it comes up with not connected to the Web? Will try to copy the log and use a different computer to post, hopefully.
kemsing
Regular Member
Posts: 56
Joined: April 30th, 2010, 12:28 pm

Re: HTTPS Tidserv request 2

Unread postby kemsing » May 5th, 2010, 9:53 am

Am downloading this from another computer as when I tried from the infected one Norton is still bringing up a message saying it has blocked an attack. As mentioned above, when I tried to submit the log it came up with No internet connection, although there must have been one to have posted my last message. Please advise what to do next?
Here is the log.
ComboFix 10-05-04.06 - Lee 05/05/2010 13:37:33.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.567 [GMT 1:00]
Running from: c:\documents and settings\Lee\Desktop\zzz.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Lee\Recent\vIKING (2).zip
c:\program files\INSTALL.LOG
c:\program files\WindowsUpdate
c:\recycler\S-1-5-21-3037033330-607060280-3880570142-500
C:\smp.bat
c:\windows\eSellerateEngine.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\3076a.exe
c:\windows\system32\938259235.dat

Infected copy of c:\windows\system32\drivers\dmload.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FASTUSERSWITCHINGCOMPATIBILITYIMAPISERVICE
-------\Service_FastUserSwitchingCompatibilityImapiService


((((((((((((((((((((((((( Files Created from 2010-04-05 to 2010-05-05 )))))))))))))))))))))))))))))))
.

2010-05-01 07:54 . 2010-05-01 07:54 -------- d-----w- c:\program files\Hijack this log
2010-04-30 16:59 . 2010-04-30 16:59 -------- d-----w- c:\program files\Trend Micro
2010-04-30 16:56 . 2010-04-30 16:56 -------- d-----w- c:\documents and settings\Lee\Application Data\Malwarebytes
2010-04-30 16:55 . 2010-04-30 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-30 16:55 . 2010-05-05 07:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 12:45 . 2010-04-29 12:45 -------- dc----w- c:\windows\system32\DRVSTORE
2010-04-29 12:44 . 2010-04-29 12:44 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-04-29 12:44 . 2010-04-29 12:44 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-04-29 12:44 . 2010-02-04 01:40 362032 ----a-r- c:\windows\system32\drivers\symtdi.sys
2010-04-29 12:44 . 2010-02-27 02:23 116784 ----a-r- c:\windows\system32\drivers\Ironx86.sys
2010-04-29 12:44 . 2010-02-27 02:23 43696 ----a-r- c:\windows\system32\drivers\srtspx.sys
2010-04-29 12:44 . 2010-02-04 01:40 172592 ----a-r- c:\windows\system32\drivers\SymEFA.sys
2010-04-29 12:44 . 2010-02-04 01:40 328752 ----a-r- c:\windows\system32\drivers\SymDS.sys
2010-04-29 12:44 . 2010-02-25 23:22 501888 ----a-r- c:\windows\system32\drivers\cchpx86.sys
2010-04-29 12:44 . 2010-04-29 12:44 -------- d-----w- c:\windows\system32\drivers\N360
2010-04-29 12:44 . 2010-04-29 12:44 -------- d-----w- c:\program files\Windows Sidebar
2010-04-29 12:44 . 2010-04-29 12:44 -------- d-----w- c:\program files\NortonInstaller
2010-04-29 12:44 . 2010-04-29 12:44 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-04-29 12:11 . 2010-04-29 12:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-04-23 14:08 . 2010-04-23 14:08 -------- d-----w- c:\documents and settings\Lee\Local Settings\Application Data\Real
2010-04-23 14:07 . 2010-04-23 14:07 -------- d-----w- c:\program files\Common Files\xing shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-04 15:10 . 2004-08-03 22:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-05-04 10:41 . 2010-05-04 10:41 439816 ----a-w- c:\documents and settings\Lee\Application Data\Real\Update\setup3.10\setup.exe
2010-04-30 16:59 . 2010-04-30 16:59 388096 ----a-r- c:\documents and settings\Lee\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-04-29 12:47 . 2006-10-16 15:34 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-29 12:44 . 2008-04-25 17:16 -------- d-----w- c:\program files\Symantec
2010-04-29 12:44 . 2010-04-29 12:44 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-04-29 12:44 . 2010-04-29 12:44 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-04-29 12:44 . 2008-04-25 17:18 -------- d-----w- c:\program files\Norton 360
2010-04-29 12:00 . 2009-07-09 14:10 -------- d-----w- c:\program files\FireTrust
2010-04-29 12:00 . 2006-10-18 07:48 -------- d-----w- c:\documents and settings\Lee\Application Data\MailWasherPro
2010-04-29 11:28 . 2009-12-12 14:20 120 ----a-w- c:\windows\Edulikovuviy.dat
2010-04-29 07:26 . 2009-12-12 14:20 0 ----a-w- c:\windows\Dtihigokimakigej.bin
2010-04-28 00:00 . 2010-05-05 07:34 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\VirusDefs\20100504.004\NAVENG.SYS
2010-04-28 00:00 . 2010-05-05 07:34 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\VirusDefs\20100504.004\NAVENG32.DLL
2010-04-28 00:00 . 2010-05-05 07:34 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\VirusDefs\20100504.004\NAVEX32A.DLL
2010-04-28 00:00 . 2010-05-05 07:34 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\VirusDefs\20100504.004\NAVEX15.SYS
2010-04-28 00:00 . 2010-05-05 07:34 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\VirusDefs\20100504.004\EECTRL.SYS
2010-04-28 00:00 . 2010-05-05 07:34 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\VirusDefs\20100504.004\CCERASER.DLL
2010-04-28 00:00 . 2010-05-05 07:34 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\VirusDefs\20100504.004\ECMSVR32.DLL
2010-04-28 00:00 . 2010-05-05 07:34 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\VirusDefs\20100504.004\ERASER.SYS
2010-04-23 14:08 . 2007-01-24 15:23 -------- d-----w- c:\program files\Google
2010-04-23 14:07 . 2006-10-21 14:02 -------- d-----w- c:\program files\Common Files\Real
2010-04-23 14:06 . 2006-07-11 18:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-04-16 07:30 . 2006-10-16 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-04-15 07:39 . 2005-10-26 18:50 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-01 13:38 . 2010-01-19 10:57 -------- d-----w- c:\documents and settings\Lee\Application Data\deskUNPDF
2010-03-27 01:41 . 2010-04-29 12:44 891760 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\CLT\cltLMSx.dll
2010-03-25 23:29 . 2010-04-29 12:46 786800 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\coFFPlgn\components\coFFPlgn.dll
2010-03-24 20:38 . 2010-03-24 20:38 536112 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100324.001\BHDrvx86.sys
2010-03-24 20:38 . 2010-03-24 20:38 201616 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100324.001\BHRules.dll
2010-03-24 20:38 . 2010-03-24 20:38 1407888 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100324.001\BHEngine.dll
2010-03-24 20:38 . 2010-03-24 20:38 678960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100324.001\BHDrvx64.sys
2010-03-24 20:38 . 2010-03-24 20:38 611216 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100324.001\bbRGen.dll
2010-03-24 10:11 . 2010-03-24 10:11 50354 ----a-w- c:\documents and settings\Lee\Application Data\Facebook\uninstall.exe
2010-03-24 10:11 . 2010-03-24 10:11 -------- d-----w- c:\documents and settings\Lee\Application Data\Facebook
2010-03-16 09:02 . 2010-03-16 09:02 -------- d-----w- c:\documents and settings\Lee\Application Data\Unity
2010-03-13 13:54 . 2010-03-13 13:54 -------- d-----w- c:\program files\Common Files\Borland Shared
2010-03-11 12:38 . 2004-08-20 17:08 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-20 17:08 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-20 17:07 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-20 17:08 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\documents and settings\Lee\Application Data\Facebook\axfbootloader.dll
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Lee\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-02-28 10:13 . 2010-02-28 10:12 1955472 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-02-27 00:20 . 2010-04-29 12:45 164216 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\IPSFFPlgn\components\IPSFFPl.dll
2010-02-24 13:11 . 2004-08-20 17:08 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-16 14:08 . 2004-08-20 17:08 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 10:03 . 2010-03-01 08:29 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:33 . 2004-08-20 17:07 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 23:47 . 2010-04-29 12:44 1122672 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\OCS\hsplayer.dll
2010-02-11 12:02 . 2004-08-20 17:08 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-04 17:37 . 2010-02-04 17:37 70984 ----a-w- c:\documents and settings\Lee\g2mdlhlpx.exe
2001-11-05 09:30 . 2008-05-19 12:02 165376 ----a-w- c:\program files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IW_Drop_Icon"="c:\program files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [2005-06-29 1346560]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-31 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 77824]
"SiSPower"="SiSPower.dll" [2006-01-09 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-18 98304]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-23 198160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check(3).lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2006-10-17 131584]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2006-10-16 262144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-04-26 08:59 10536 ----a-w- c:\program files\Citrix\GoToAssist\508\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\PPStream\\PPStream.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0401000.020\SymDS.sys [29/04/2010 13:44 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0401000.020\SymEFA.sys [29/04/2010 13:44 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100324.001\BHDrvx86.sys [24/03/2010 21:38 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0401000.020\cchpx86.sys [29/04/2010 13:44 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0401000.020\Ironx86.sys [29/04/2010 13:44 116784]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [01/09/2004 14:50 188416]
R2 N360;Norton 360;c:\program files\Norton 360\Norton 360\Engine\4.1.0.32\ccSvcHst.exe [29/04/2010 13:44 126392]
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [10/02/2005 11:55 62976]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [29/04/2010 13:45 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20100429.001\IDSXpx86.sys [04/05/2010 08:11 329592]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [31/12/2009 18:57 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-31 17:57]

2010-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-31 17:57]

2010-05-05 c:\windows\Tasks\User_Feed_Synchronization-{898C5654-CDAC-482F-B8DF-430F31E4F8DA}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.endeavour.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} - hxxp://ps.itv.mop.com/dn/files/pCastCtl ... signed.cab
FF - ProfilePath - c:\documents and settings\Lee\Application Data\Mozilla\Firefox\Profiles\jryr85ce.default\
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\Lee\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Lee\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {1A5CF3E8-DDB2-4E9F-BDFF-3585E2905B12} - c:\documents and settings\Lee\Local Settings\Application Data\{1A5CF3E8-DDB2-4E9F-BDFF-3585E2905B12}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
AddRemove-deskUNPDF 3 Standard - c:\documents and settings\All Users\Application Data\{465E445C-2745-4FD0-B818-21ABB78A8627}\deskUNPDF3.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-05 13:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x868D6EE4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7615f28
\Driver\ACPI -> ACPI.sys @ 0xf74a8cb8
\Driver\atapi -> atapi.sys @ 0xf743a852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Norton 360\Engine\4.1.0.32\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Norton 360\Engine\4.1.0.32\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1471223198-1642118984-4230253141-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(612)
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll

- - - - - - - > 'lsass.exe'(676)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3828)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Microsoft ActiveSync\WCESCOMM.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-05-05 14:14:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-05 13:14

Pre-Run: 3,166,228,480 bytes free
Post-Run: 3,122,327,552 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - FC4BD08D6D17BD281955425A0DC2EBD9
kemsing
Regular Member
 
Posts: 56
Joined: April 30th, 2010, 12:28 pm

Re: HTTPS Tidserv request 2

Unread postby askey127 » May 5th, 2010, 10:01 am

kemsing,
You DID successfully disable Norton.
Please re-enable it as soon as you can.
Analyzing the log....
askey127
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: HTTPS Tidserv request 2

Unread postby askey127 » May 5th, 2010, 1:51 pm

kemsing,
Good results.

Unplug your Internet Cable, wait one minute, then plug it back in.
If it's a laptop on wireless, disable, then re-enable your local network. (Control Panel, Networks)

Let's submit two different files for analysis.
Post each result separately if you wish.
-----------------------------------------------------------
Submit a file to Jotti
Please go here : http://virusscan.jotti.org/
On top of the page there is a field to add the filepath.
Copy and paste this filepath:
c:\windows\Edulikovuviy.dat

Then hit Submit or Upload, depending on the scanner.
The scan will take a while before the result comes up so please be patient.
Then copy and/or save the result and post it here in this thread.

Then please do the same thing again for this file:
-----------------------------------------------------------
Submit a file to Jotti
Please go here : http://virusscan.jotti.org/
On top of the page there is a field to add the filepath.
Copy and paste this filepath:
c:\windows\Dtihigokimakigej.bin

Then hit Submit or Upload, depending on the scanner.
The scan will take a while before the result comes up so please be patient.
Then copy and/or save the result for this one also (use a different filename) and post it here in this thread.

For either submission, if Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html
or virus.org here: http://scanner.virus.org/
askey127
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: HTTPS Tidserv request 2

Unread postby kemsing » May 6th, 2010, 3:26 am

I went to put the Jotti address in, and after loading, Internet Explorer re-directed the page, so there is still something infecting the computer? When I submitted the http://virusscan.jotti.org/ in seconds it came back with the following?

Jotti's malware scan
This file has been scanned before. The results for this previous scan are listed below.

--------------------------------------------------------------------------------
Filename: Xgakulasejadaza.dat
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Wed 17 Mar 2010 13:09:21 (CET) Permalink

--------------------------------------------------------------------------------
Additional info
File size: 120 bytes
Filetype: ASCII text, with no line terminators
MD5: 8efeabdeec3de81c3dc42a2801ddf461
SHA1: 02f1032b36b1546af5815cd03befd0aa5a09b008

Scanners
(20 scanners, each listed with its definition date of 2010-03-16 or 2010-03-17, all "Found nothing"; the scanner names were not preserved when the report was pasted)

--------------------------------------------------------------------------------
As it said Scan Again, I did, and this is what it says:
Filename: Edulikovuviy.dat
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Thu 6 May 2010 09:32:49 (CET) Permalink

--------------------------------------------------------------------------------
Additional info
File size: 120 bytes
Filetype: ASCII text, with no line terminators
MD5: 8efeabdeec3de81c3dc42a2801ddf461
SHA1: 02f1032b36b1546af5815cd03befd0aa5a09b008

Scanners
(20 scanners, each listed with its definition date between 2010-04-29 and 2010-05-06, all "Found nothing"; the scanner names were not preserved when the report was pasted)

--------------------------------------------------------------------------------
It says at the top Next File. I haven't done this but will now do the C:\windows\Dtihigokimakigej.bin

I Am still getting a pop up box from Norton 360 saying a recent attempt to attack your computer was blocked?
kemsing
Regular Member
 
Posts: 56
Joined: April 30th, 2010, 12:28 pm
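One way to check what the two Jotti reports above show, that Edulikovuviy.dat carries exactly the same bytes (same size, MD5 and SHA1) as a file submitted under a different randomised name in March, is to hash the files locally and group them by digest before uploading anything. This is an added example in Python, not code from the thread or from Jotti; the file contents are constructed (120 'A' bytes), so the hashes will not match the values in the report.

```python
import hashlib
from collections import defaultdict

# Constructed sample contents (not the real files from the thread): two files
# with different randomised names but identical bytes, plus one binary file.
SAMPLE_FILES = {
    "Xgakulasejadaza.dat": b"A" * 120,
    "Edulikovuviy.dat": b"A" * 120,
    "Dtihigokimakigej.bin": bytes(range(256)),
}


def fingerprint(data: bytes) -> dict:
    """Size, MD5 and SHA1 of a byte string, the fields Jotti reports."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def filetype(data: bytes) -> str:
    """Rough analogue of Jotti's 'ASCII text, with no line terminators' label."""
    printable = all(0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) for b in data)
    if not printable:
        return "data"
    if b"\n" in data or b"\r" in data:
        return "ASCII text"
    return "ASCII text, with no line terminators"


def duplicates_by_content(files: dict) -> dict:
    """Map SHA1 -> sorted file names for every digest shared by 2+ files."""
    groups = defaultdict(list)
    for name, data in files.items():
        groups[fingerprint(data)["sha1"]].append(name)
    return {h: sorted(names) for h, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        fp = fingerprint(data)
        print(f"{name}: {fp['size']} bytes, {filetype(data)}, MD5 {fp['md5']}")
    for h, names in duplicates_by_content(SAMPLE_FILES).items():
        print(f"same content ({h[:12]}...): {', '.join(names)}")
```

On a real machine you would read the bytes from the paths the helper gave (c:\windows\Edulikovuviy.dat and c:\windows\Dtihigokimakigej.bin) instead of the constructed dictionary; a matching digest tells you a scanner verdict for the earlier name applies to the new one too.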

Re: HTTPS Tidserv request 2

Unread postby askey127 » May 6th, 2010, 6:28 am

kemsing,
----------------------------------------------
Disable CD Emulator(s)
We need to use powerful tools to investigate your system. *If* you are using a CD Emulator (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD) be aware that they use hidden drivers with rootkit-like techniques to hide from other applications.
When dealing with a malware infection, CD Emulators can interfere with investigative tools, producing misleading or inaccurate scan results, false detection of legitimate files, unexpected crashes, BSODs, and general 'dross' which often makes it hard to differentiate between malicious rootkits and the legitimate drivers used by Emulators.
Since CD Emulators use a hidden driver which can be seen as a rootkit and can interfere with investigative tools or cause other problems, we need to remove or disable them until disinfection is completed.

Please download DeFogger by jpshortstuff and save it to your desktop.
  • Double click DeFogger.exe to run the tool.
  • The application window will appear.
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue.
  • A 'Finished!' message will appear.
  • Click OK...DeFogger will now ask to reboot the machine...click OK. If not, reboot manually.
  • Do not re-enable these drivers until instructed or your system has been cleaned.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
--------------------------------------------
TDSSKiller
Delete The logfile "TDSSKiller.txt" from your desktop
  • Highlight and copy (Ctrl+C) the text in the box below.
    "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"
  • Click Start, click Run... and paste (Ctrl+V) the text above into the Open: line and click OK.
  • Wait for the scan and disinfection process to be over.
  • Open tdsskiller.txt on your desktop and post the contents in your next reply
----------------------------------------------
Go to Start, Run
Type this into the box and hit enter : mbr.exe -t
There will be a file created in C:\Documents and Settings\<Username>\ named mbr.log
In your case, probably this user : C:\Documents and Settings\Lee\
Please paste its contents here.
askey127
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: HTTPS Tidserv request 2

Unread postby kemsing » May 6th, 2010, 9:27 am

Have gone through DeFogger, although I don't know if we use CD Emulator material.
Have disabled, clicked yes, finished and clicked OK. We did not get a message to re-boot so did this manually. We did not receive any error message but here is a copy of the log in case it helps? Will now go to the other part and go back to TDSSKiller and follow your instructions for that.

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 14:10 on 06/05/2010 (Lee)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
-=E.O.F=-
kemsing
Regular Member
 
Posts: 56
Joined: April 30th, 2010, 12:28 pm