Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

HTTPS Tidserv request 2

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: HTTPS Tidserv request 2

Unread postby kemsing » May 9th, 2010, 10:45 am

Am in Safe Mode and saved GMER to Desk top as I Didn't save it last time. It has opened up and the following boxes are showing all checked, System, Sections ( as instructed leave this checked), IAT/EAT(Have unchecked this box) Devices,Modules,Processes, threads,libraries,services,registry,files,
There is not anything i can see that says Drives/Partitions other than systemdrive (typically C:\. As this is not there do i just ignore this and carry on.
The Show all box is unchecked, just above that is a box that is checked called ADS, do I just leave that checked and then Scan?
kemsing
Regular Member
 
Posts: 56
Joined: April 30th, 2010, 12:28 pm
Advertisement
Register to Remove

Re: HTTPS Tidserv request 2

Unread postby askey127 » May 9th, 2010, 2:37 pm

YES. Looks OK.
Let's see whether Gmer will run in SAFE MODE without locking up.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: HTTPS Tidserv request 2

Unread postby kemsing » May 11th, 2010, 8:28 am

Have started GMER Scan at approx 09.00 and at 13.25 it seems to be still scanning and running through files and Directories.
Is This normal and shoiuld I wait till finished?
How long would the average scan take?
kemsing
Regular Member
 
Posts: 56
Joined: April 30th, 2010, 12:28 pm

Re: HTTPS Tidserv request 2

Unread postby askey127 » May 11th, 2010, 9:10 am

kemsing,
Can't tell. Please let it finish and follow the remainder of the sequence.
Having one of these runs work (there is only one more I can try if neither of these work) is very important to have any chance of saving your machine from a total reformat and re-install of Windows.
Thanks,
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: HTTPS Tidserv request 2

Unread postby kemsing » May 11th, 2010, 9:46 am

Here is the results from GMER. am now following second part.
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-11 14:27:09
Windows 5.1.2600 Service Pack 3
Running: 1mxls9v3.exe; Driver: C:\DOCUME~1\Lee\LOCALS~1\Temp\pwriipow.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\dmload.sys entry point in ".rsrc" section [0xF7CD1114]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0098000A
.text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0097000C
.text C:\WINDOWS\Explorer.EXE[908] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[908] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C4000A
.text C:\WINDOWS\Explorer.EXE[908] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 86AD1EE4

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xE9 0x02 0x6C 0xFA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0xAA 0x52 0xC6 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xF8 0x31 0x0F 0xA9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\dmload.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
kemsing
Regular Member
 
Posts: 56
Joined: April 30th, 2010, 12:28 pm

Re: HTTPS Tidserv request 2

Unread postby kemsing » May 11th, 2010, 10:21 am

Please see post above for GMER Results
Went to download Rootkit unhooker and tried to save it to Desktop, Norton said it was unsafe and it didn't seem to download to desktop It then came up with Run, but when doubleclicked it just seemed to disappear . It Doesn't appear anywhere on my desktop?
Could Norton be blocking it?
kemsing
Regular Member
 
Posts: 56
Joined: April 30th, 2010, 12:28 pm

Re: HTTPS Tidserv request 2

Unread postby askey127 » May 11th, 2010, 10:54 am

Disable Norton first. It IS blocking it.
Then download it after Norton is disabled, unplug your Internet if you can, and run RKUnHooker per instructions.
All programs that look into this problem may get flagged by Norton.
In this case, they are more important than Norton at the moment.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: HTTPS Tidserv request 2

Unread postby kemsing » May 11th, 2010, 11:57 am

Hopefully this is full report you need.
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xBF9D6000 C:\WINDOWS\System32\SiSGRV.dll 2695168 bytes (Silicon Integrated Systems Corporation, SiS Compatible Super VGA Driver)
0xF61A0000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS 2326528 bytes (Realtek Semiconductor Corp., Realtek AC'97 Audio Driver (WDM))
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xAFB8A000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\VirusDefs\20100510.025\NAVEX15.SYS 1343488 bytes (Symantec Corporation, AV Engine)
0xF729E000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xAF75C000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100429.001\BHDrvx86.sys 548864 bytes (Symantec Corporation, BASH Driver)
0xAF7E2000 C:\WINDOWS\system32\drivers\N360\0401000.020\ccHPx86.sys 520192 bytes (Symantec Corporation, Common Client Hash Provider Driver)
0xAF8DC000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xAF87E000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0xF60A2000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xAFA92000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB44C3000 C:\WINDOWS\system32\drivers\N360\0401000.020\SRTSP.SYS 356352 bytes (Symantec Corporation, Symantec AutoProtect)
0xAF4D4000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xAFA15000 C:\WINDOWS\system32\drivers\N360\0401000.020\SYMTDI.SYS 356352 bytes (Symantec Corporation, Network Dispatch Driver)
0xF7381000 SYMDS.SYS 352256 bytes (Symantec Corporation, Symantec Data Store)
0xAF9C1000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20100505.001\IDSxpx86.sys 344064 bytes (Symantec Corporation, IDS Core Driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xAF553000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF646C000 C:\WINDOWS\system32\DRIVERS\sisgrp.sys 258048 bytes (Silicon Integrated Systems Corporation, SiS Compatible Super VGA Driver)
0xAFAFE000 C:\WINDOWS\System32\Drivers\vobiw.SYS 208896 bytes (Pinnacle Systems GmbH, InstantWrite File System Driver)
0xF6100000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF7465000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xF6074000 C:\WINDOWS\system32\DRIVERS\MarvinBus.sys 188416 bytes (Pinnacle Systems GmbH, Pinnacle Marvin Discrete Bus Enumerator)
0xAF65C000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7271000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xF7342000 SYMEFA.SYS 184320 bytes (Symantec Corporation, Symantec Extended File Attributes)
0xAE93B000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xAF94C000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xAF999000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF740F000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xAFA6C000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xAFB65000 C:\WINDOWS\system32\Drivers\SYMEVENT.SYS 151552 bytes (Symantec Corporation, Symantec Event Library)
0xF7233000 adpu320.sys 147456 bytes (Adaptec, Inc., Adaptec Win2K/XP/Server2003 Ultra320 SCSI Driver)
0xF63E9000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF617C000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF6158000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF6421000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xAF977000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF73D7000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF7435000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB44A4000 C:\WINDOWS\system32\drivers\N360\0401000.020\Ironx86.SYS 126976 bytes (Symantec Corporation, Iron Driver)
0xAF861000 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys 118784 bytes (Symantec Corporation, Symantec Eraser Utility Driver)
0xF7257000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF73F7000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF721B000 C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xF732B000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF6141000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xAF6D7000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF640D000 C:\WINDOWS\System32\Drivers\Cdrdrv.sys 81920 bytes (Pinnacle Systems GmbH, InstantWrite Driver)
0xAFB51000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\VirusDefs\20100510.025\NAVENG.SYS 81920 bytes (Symantec Corporation, AV Engine)
0xF6444000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF6458000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xAFAEB000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF9C4000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF736F000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7454000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF6130000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF63D8000 C:\WINDOWS\System32\Drivers\Udfs.SYS 69632 bytes (Microsoft Corporation, UDF File System Driver)
0xF7674000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF7804000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF7664000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF7614000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF77E4000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF76A4000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF6C35000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7654000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF69BF000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF76C4000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7624000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF75D4000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF77D4000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF6C15000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF75B4000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF6BC5000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7634000 amdagp.sys 45056 bytes (Advanced Micro Devices, Inc., AMD Win2000 AGP Filter)
0xB046E000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF77F4000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF75A4000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF6C05000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF7604000 uagp35.sys 45056 bytes (Microsoft Corporation, MS AGPv3.5 Filter)
0xF75F4000 viaagp.sys 45056 bytes (Microsoft Corporation, VIA NT AGP Filter)
0xF6C25000 C:\WINDOWS\system32\DRIVERS\AN983.sys 40960 bytes (ADMtek Incorporated., ADMtek AN983 NDIS5 Driver)
0xF7594000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF699F000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xB0A7C000 C:\WINDOWS\system32\drivers\N360\0401000.020\SRTSPX.SYS 40960 bytes (Symantec Corporation, Symantec AutoProtect)
0xF6BE5000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF75C4000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xB564B000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF77C4000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF6BF5000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xB048E000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xAEAA1000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF75E4000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF7694000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF78CC000 C:\WINDOWS\System32\Drivers\ASAPIW2K.sys 32768 bytes (Pinnacle Systems GmbH, ASAPI)
0xF7934000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF78DC000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF78BC000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xB7D18000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF7814000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF78C4000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF78B4000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF78FC000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7924000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xB0E6F000 C:\WINDOWS\System32\drivers\aspi32.sys 20480 bytes (Adaptec, ASPI for WIN32 Kernel Driver)
0xF792C000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF781C000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF78EC000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF78F4000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xF78E4000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF78D4000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xB00A3000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF64CB000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF71DA000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB85E7000 C:\WINDOWS\system32\drivers\pclepci.sys 16384 bytes (Pinnacle Systems GmbH, PCLEPCI)
0xF7A58000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF79A4000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF7A54000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB85F7000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF7A4C000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xB85F3000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF7A68000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB03C9000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xB03B1000 C:\WINDOWS\system32\DRIVERS\srvkp.sys 12288 bytes (Silicon Integrated Systems Corporation, SiS VGA Driver Manager)
0xB26C4000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7A98000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xB26C6000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7A94000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xB1FC9000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xB1FC7000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7AC0000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7AEC000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7A96000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7BC6000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7BF0000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7BE6000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7B5C000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver: 0x868D2CE2 ?_empty_? 798 bytes
0x868D2EE4 unknown_irp_handler 284 bytes
!!!!!!!!!!!Hidden driver: 0x869567A0 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0xF73F7000 WARNING: suspicious driver modification [atapi.sys::0x868D2CE2]
0xF7A98000 WARNING: Virus alike driver modification [dmload.sys], 8192 bytes
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0002D49C, Type: Inline - RelativeJump 0x8050449C-->805044D2 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D4E8, Type: Inline - RelativeJump 0x805044E8-->8050455C [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D57C, Type: Inline - RelativeJump 0x8050457C-->8050450A [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D5D0, Type: Inline - RelativeJump 0x805045D0-->805045B6 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D5D8, Type: Inline - RelativeJump 0x805045D8-->805045AE [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D654, Type: Inline - RelativeJump 0x80504654-->805046BB [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D660, Type: Inline - RelativeCall 0x80504660-->AED637BD [unknown_code_page]
ntkrnlpa.exe+0x0002D7C0, Type: Inline - RelativeJump 0x805047C0-->8050474E [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D860, Type: Inline - RelativeJump 0x80504860-->80504821 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D870, Type: Inline - RelativeJump 0x80504870-->805048CF [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006ECAE, Type: Inline - RelativeJump 0x80545CAE-->80545CB5 [ntkrnlpa.exe]
[1008]svchost.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[1008]svchost.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[1008]svchost.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[1008]svchost.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
[1008]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[1008]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[1008]svchost.exe-->user32.dll-->GetCursorPos, Type: Inline - RelativeJump 0x7E42974E-->00000000 [unknown_code_page]
[1132]wuauclt.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[1132]wuauclt.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[1132]wuauclt.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[1132]wuauclt.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
[1132]wuauclt.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[1132]wuauclt.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[1296]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[1296]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[1296]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[1296]explorer.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[1296]explorer.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[1296]explorer.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[1296]explorer.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
[1296]explorer.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[1296]explorer.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[1296]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[1296]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[2260]iexplore.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[2260]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77DD1214-->00000000 [aclayers.dll]
[2260]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77DD105C-->00000000 [aclayers.dll]
[2260]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77DD11E0-->00000000 [aclayers.dll]
[2260]iexplore.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[2260]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77F11084-->00000000 [aclayers.dll]
[2260]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77F11078-->00000000 [aclayers.dll]
[2260]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77F110B8-->00000000 [aclayers.dll]
[2260]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0040111C-->00000000 [shimeng.dll]
[2260]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x00401060-->00000000 [aclayers.dll]
[2260]iexplore.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x004010B8-->00000000 [aclayers.dll]
[2260]iexplore.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x00401078-->00000000 [aclayers.dll]
[2260]iexplore.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[2260]iexplore.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[2260]iexplore.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[2260]iexplore.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
[2260]iexplore.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[2260]iexplore.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[2260]iexplore.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[2260]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7C9C13E8-->00000000 [aclayers.dll]
[2260]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x7C9C163C-->00000000 [aclayers.dll]
[2260]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7C9C161C-->00000000 [aclayers.dll]
[2260]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7C9C15A0-->00000000 [aclayers.dll]
[2260]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x7E456D7D-->00000000 [ieframe.dll]
[2260]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x7E432072-->00000000 [ieframe.dll]
[2260]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x7E43B144-->00000000 [ieframe.dll]
[2260]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x7E4247AB-->00000000 [ieframe.dll]
[2260]iexplore.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[2260]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7E4112F4-->00000000 [aclayers.dll]
[2260]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->00000000 [aclayers.dll]
[2260]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7E411340-->00000000 [aclayers.dll]
[2260]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x7E45085C-->00000000 [ieframe.dll]
[2260]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x7E450838-->00000000 [ieframe.dll]
[2260]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x7E43A082-->00000000 [ieframe.dll]
[2260]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x7E4664D5-->00000000 [ieframe.dll]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
kemsing
Regular Member
 
Posts: 56
Joined: April 30th, 2010, 12:28 pm

Re: HTTPS Tidserv request 2

Unread postby askey127 » May 11th, 2010, 3:36 pm

kemsing,
Make sure Norton is disabled. If not, disable it.
-------------------------------------------------------------
  • Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.
  • Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard
    Code: Select all
    TDL::
    C:\WINDOWS\system32\drivers\dmload.sys
    C:\WINDOWS\system32\drivers\atapi.sys
    
    
  • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
  • Save it to your desktop as CFScript.txt

    Image
  • Now drag and drop the CFScript.txt icon onto combofix.exe (probably still named xxx.exe)as in the picture above, and follow the prompts.
  • Then post the resultant log, C:\ComboFix.txt, in your next reply.
--------------------------------------------
REBOOT the machine into Normal Mode, your usual account
--------------------------------------------
Delete the TDSSKiller folder on your desktop. We are going to download and run a new copy.

If you don't have Internet, unplug the Internet cable from the machine and plug it back in, OR turn the wireless OFF and then turn it ON.

TDSSKiller
  • Download the file TDSSKiller.zip and save it on your desktop
  • Extract the file tdskiller.zip, it will create a folder named tdsskiller on your desktop
    TDSSKiller
  • Double-click the tdsskiller Folder on your desktop.
  • Right-click on tdsskiller.exe and click Copy then Paste it directly on to your Desktop.
  • Highlight and copy (Ctrl+C) the text in the codebox below.
    Code: Select all
    "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"
  • Click Start, click Run... and paste (Ctrl+V) the text above into the Open: line and click OK.
  • Wait for the scan and disinfection process to be over.
  • Open tdskiller.txt on your desktop and post the contents in your next reply
----------------------------------------------------------------------------------
Run MalwareBytes' Anti-Malware
  • Start Malwarebytes' Anti-Malware.
  • Click on The Update tab. Choose Check for Updates.
  • If an update is found, it will download and install the latest version.
  • If necessary, start Malwarebytes Anti-Malware again.
  • Once the program is running, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it found any malware items. Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any log listed to open its contents.
  • Recent logs are named by time/date stamp in this format : mbam-log-2010-mm-dd(hour-min-sec).txt

Then you can re-enable your Norton.
We will be looking for the Logs from ComboFix (xxx.exe), TDSSKiller, and Malwarebytes Anti-Malware.
Try to do it all without much time in between. None of the processes should take long.
You can wait until all of them are complete before you post any of the logs.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: HTTPS Tidserv request 2

Unread postby kemsing » May 12th, 2010, 4:22 am

Please can you provide a secure link through to download MalwareBytes' Anti-Malware.
I deleted the Icon from last time When I was asked to close down Norton etc and I don't want to download from Google search as not sure if links would be safe.
Once I have this i can the follow your last instructions.
kemsing
Regular Member
 
Posts: 56
Joined: April 30th, 2010, 12:28 pm

Re: HTTPS Tidserv request 2

Unread postby askey127 » May 12th, 2010, 5:44 am

Please go here to the Download Location, click on Download.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: HTTPS Tidserv request 2

Unread postby kemsing » May 12th, 2010, 8:02 am

Here is Combo text. will post other logs shortly:
ComboFix 10-05-11.05 - Lee 12/05/2010 12:32:55.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.672 [GMT 1:00]
Running from: c:\documents and settings\Lee\Desktop\zzz.exe
Command switches used :: c:\documents and settings\Lee\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Lee\g2mdlhlpx.exe

Infected copy of c:\windows\system32\drivers\dmload.sys was found and disinfected
Restored copy from - Kitty had a snack :p
--
Infected copy of c:\windows\system32\drivers\dmload.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\dmload.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\dmload.sys was found and disinfected
Restored copy from - Kitty had a snack :p
--
Infected copy of c:\windows\system32\drivers\dmload.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\dmload.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\drivers\dmload.sys was found and disinfected
Restored copy from - Kitty had a snack :p
--
Infected copy of c:\windows\system32\drivers\dmload.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\dmload.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-12 to 2010-05-12 )))))))))))))))))))))))))))))))
.

2010-05-01 07:54 . 2010-05-01 07:54 -------- d-----w- c:\program files\Hijack this log
2010-04-30 16:59 . 2010-04-30 16:59 -------- d-----w- c:\program files\Trend Micro
2010-04-30 16:56 . 2010-04-30 16:56 -------- d-----w- c:\documents and settings\Lee\Application Data\Malwarebytes
2010-04-30 16:55 . 2010-04-30 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-30 16:55 . 2010-05-05 07:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 12:45 . 2010-04-29 12:45 -------- dc----w- c:\windows\system32\DRVSTORE
2010-04-29 12:44 . 2010-04-29 12:44 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-04-29 12:44 . 2010-04-29 12:44 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-04-29 12:44 . 2010-02-04 01:40 362032 ----a-r- c:\windows\system32\drivers\symtdi.sys
2010-04-29 12:44 . 2010-02-27 02:23 116784 ----a-r- c:\windows\system32\drivers\Ironx86.sys
2010-04-29 12:44 . 2010-02-27 02:23 43696 ----a-r- c:\windows\system32\drivers\srtspx.sys
2010-04-29 12:44 . 2010-02-04 01:40 172592 ----a-r- c:\windows\system32\drivers\SymEFA.sys
2010-04-29 12:44 . 2010-02-04 01:40 328752 ----a-r- c:\windows\system32\drivers\SymDS.sys
2010-04-29 12:44 . 2010-02-25 23:22 501888 ----a-r- c:\windows\system32\drivers\cchpx86.sys
2010-04-29 12:44 . 2010-04-29 12:44 -------- d-----w- c:\windows\system32\drivers\N360
2010-04-29 12:44 . 2010-04-29 12:44 -------- d-----w- c:\program files\Windows Sidebar
2010-04-29 12:44 . 2010-04-29 12:44 -------- d-----w- c:\program files\NortonInstaller
2010-04-29 12:44 . 2010-04-29 12:44 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-04-29 12:11 . 2010-04-29 12:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-04-23 14:08 . 2010-04-23 14:08 -------- d-----w- c:\documents and settings\Lee\Local Settings\Application Data\Real
2010-04-23 14:07 . 2010-04-23 14:07 -------- d-----w- c:\program files\Common Files\xing shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-07 07:19 . 2004-08-03 22:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-05-04 10:41 . 2010-05-04 10:41 439816 ----a-w- c:\documents and settings\Lee\Application Data\Real\Update\setup3.10\setup.exe
2010-04-30 16:59 . 2010-04-30 16:59 388096 ----a-r- c:\documents and settings\Lee\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-04-29 12:47 . 2006-10-16 15:34 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-29 12:44 . 2008-04-25 17:16 -------- d-----w- c:\program files\Symantec
2010-04-29 12:44 . 2010-04-29 12:44 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-04-29 12:44 . 2010-04-29 12:44 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-04-29 12:44 . 2008-04-25 17:18 -------- d-----w- c:\program files\Norton 360
2010-04-29 12:00 . 2009-07-09 14:10 -------- d-----w- c:\program files\FireTrust
2010-04-29 12:00 . 2006-10-18 07:48 -------- d-----w- c:\documents and settings\Lee\Application Data\MailWasherPro
2010-04-29 11:28 . 2009-12-12 14:20 120 ----a-w- c:\windows\Edulikovuviy.dat
2010-04-29 07:26 . 2009-12-12 14:20 0 ----a-w- c:\windows\Dtihigokimakigej.bin
2010-04-23 14:08 . 2007-01-24 15:23 -------- d-----w- c:\program files\Google
2010-04-23 14:07 . 2006-10-21 14:02 -------- d-----w- c:\program files\Common Files\Real
2010-04-23 14:06 . 2006-07-11 18:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-04-16 07:30 . 2006-10-16 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-04-15 07:39 . 2005-10-26 18:50 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-01 13:38 . 2010-01-19 10:57 -------- d-----w- c:\documents and settings\Lee\Application Data\deskUNPDF
2010-03-24 10:11 . 2010-03-24 10:11 50354 ----a-w- c:\documents and settings\Lee\Application Data\Facebook\uninstall.exe
2010-03-24 10:11 . 2010-03-24 10:11 -------- d-----w- c:\documents and settings\Lee\Application Data\Facebook
2010-03-16 09:02 . 2010-03-16 09:02 -------- d-----w- c:\documents and settings\Lee\Application Data\Unity
2010-03-13 13:54 . 2010-03-13 13:54 -------- d-----w- c:\program files\Common Files\Borland Shared
2010-03-11 12:38 . 2004-08-20 17:08 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-20 17:08 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-20 17:07 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-20 17:08 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\documents and settings\Lee\Application Data\Facebook\axfbootloader.dll
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Lee\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-02-28 10:13 . 2010-02-28 10:12 1955472 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-02-24 13:11 . 2004-08-20 17:08 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-16 14:08 . 2004-08-20 17:08 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 10:03 . 2010-03-01 08:29 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:33 . 2004-08-20 17:07 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-20 17:08 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2001-11-05 09:30 . 2008-05-19 12:02 165376 ----a-w- c:\program files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IW_Drop_Icon"="c:\program files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [2005-06-29 1346560]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-31 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 77824]
"SiSPower"="SiSPower.dll" [2006-01-09 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-18 98304]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-23 198160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check(3).lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2006-10-17 131584]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2006-10-16 262144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-04-26 08:59 10536 ----a-w- c:\program files\Citrix\GoToAssist\508\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\PPStream\\PPStream.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0401000.020\SymDS.sys [29/04/2010 13:44 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0401000.020\SymEFA.sys [29/04/2010 13:44 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [06/05/2010 08:14 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0401000.020\cchpx86.sys [29/04/2010 13:44 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0401000.020\Ironx86.sys [29/04/2010 13:44 116784]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [01/09/2004 14:50 188416]
R2 N360;Norton 360;c:\program files\Norton 360\Norton 360\Engine\4.1.0.32\ccSvcHst.exe [29/04/2010 13:44 126392]
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [10/02/2005 11:55 62976]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [29/04/2010 13:45 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20100505.001\IDSXpx86.sys [08/05/2010 08:25 329592]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [31/12/2009 18:57 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-31 17:57]

2010-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-31 17:57]

2010-05-11 c:\windows\Tasks\User_Feed_Synchronization-{898C5654-CDAC-482F-B8DF-430F31E4F8DA}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.endeavour.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} - hxxp://ps.itv.mop.com/dn/files/pCastCtl ... signed.cab
FF - ProfilePath - c:\documents and settings\Lee\Application Data\Mozilla\Firefox\Profiles\jryr85ce.default\
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\Lee\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Lee\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {1A5CF3E8-DDB2-4E9F-BDFF-3585E2905B12} - c:\documents and settings\Lee\Local Settings\Application Data\{1A5CF3E8-DDB2-4E9F-BDFF-3585E2905B12}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Adobe Digital Editions - c:\documents and settings\Lee\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\digitaleditions2x0\digitaleditions2x0.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-12 12:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Norton 360\Engine\4.1.0.32\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Norton 360\Engine\4.1.0.32\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1471223198-1642118984-4230253141-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(604)
c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(3856)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Microsoft ActiveSync\WCESCOMM.EXE
.
**************************************************************************
.
Completion time: 2010-05-12 12:55:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-12 11:55
ComboFix2.txt 2010-05-05 13:15

Pre-Run: 18,189,004,800 bytes free
Post-Run: 18,192,986,112 bytes free

- - End Of File - - C42DE86206F5A1E8043FFFC38A91568F
kemsing
Regular Member
 
Posts: 56
Joined: April 30th, 2010, 12:28 pm

Re: HTTPS Tidserv request 2

Unread postby kemsing » May 12th, 2010, 8:20 am

TDS Killer Log:
13:19:21:312 0436 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
13:19:21:312 0436 ================================================================================
13:19:21:312 0436 SystemInfo:

13:19:21:312 0436 OS Version: 5.1.2600 ServicePack: 3.0
13:19:21:312 0436 Product type: Workstation
13:19:21:312 0436 ComputerName: SELECT-09
13:19:21:312 0436 UserName: Lee
13:19:21:312 0436 Windows directory: C:\WINDOWS
13:19:21:312 0436 Processor architecture: Intel x86
13:19:21:312 0436 Number of processors: 2
13:19:21:312 0436 Page size: 0x1000
13:19:21:312 0436 Boot type: Normal boot
13:19:21:312 0436 ================================================================================
13:19:21:359 0436 UnloadDriverW: NtUnloadDriver error 2
13:19:21:359 0436 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
13:19:21:546 0436 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
13:19:21:546 0436 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
13:19:21:546 0436 wfopen_ex: Trying to KLMD file open
13:19:21:546 0436 wfopen_ex: File opened ok (Flags 2)
13:19:21:546 0436 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
13:19:21:546 0436 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
13:19:21:546 0436 wfopen_ex: Trying to KLMD file open
13:19:21:546 0436 wfopen_ex: File opened ok (Flags 2)
13:19:21:546 0436 Initialize success
13:19:21:546 0436
13:19:21:546 0436 Scanning Services ...
13:19:22:000 0436 Raw services enum returned 351 services
13:19:22:015 0436
13:19:22:015 0436 Scanning Kernel memory ...
13:19:22:015 0436 Devices to scan: 2
13:19:22:015 0436
13:19:22:015 0436 Driver Name: Disk
13:19:22:015 0436 IRP_MJ_CREATE : F75DABB0
13:19:22:015 0436 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:19:22:015 0436 IRP_MJ_CLOSE : F75DABB0
13:19:22:015 0436 IRP_MJ_READ : F75D4D1F
13:19:22:015 0436 IRP_MJ_WRITE : F75D4D1F
13:19:22:015 0436 IRP_MJ_QUERY_INFORMATION : 804F4562
13:19:22:015 0436 IRP_MJ_SET_INFORMATION : 804F4562
13:19:22:015 0436 IRP_MJ_QUERY_EA : 804F4562
13:19:22:015 0436 IRP_MJ_SET_EA : 804F4562
13:19:22:015 0436 IRP_MJ_FLUSH_BUFFERS : F75D52E2
13:19:22:015 0436 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:19:22:015 0436 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:19:22:015 0436 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:19:22:015 0436 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:19:22:015 0436 IRP_MJ_DEVICE_CONTROL : F75D53BB
13:19:22:015 0436 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75D8F28
13:19:22:015 0436 IRP_MJ_SHUTDOWN : F75D52E2
13:19:22:015 0436 IRP_MJ_LOCK_CONTROL : 804F4562
13:19:22:015 0436 IRP_MJ_CLEANUP : 804F4562
13:19:22:015 0436 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:19:22:015 0436 IRP_MJ_QUERY_SECURITY : 804F4562
13:19:22:015 0436 IRP_MJ_SET_SECURITY : 804F4562
13:19:22:015 0436 IRP_MJ_POWER : F75D6C82
13:19:22:015 0436 IRP_MJ_SYSTEM_CONTROL : F75DB99E
13:19:22:015 0436 IRP_MJ_DEVICE_CHANGE : 804F4562
13:19:22:015 0436 IRP_MJ_QUERY_QUOTA : 804F4562
13:19:22:015 0436 IRP_MJ_SET_QUOTA : 804F4562
13:19:22:062 0436 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:19:22:062 0436
13:19:22:062 0436 Driver Name: atapi
13:19:22:062 0436 IRP_MJ_CREATE : F74016F2
13:19:22:062 0436 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:19:22:062 0436 IRP_MJ_CLOSE : F74016F2
13:19:22:062 0436 IRP_MJ_READ : 804F4562
13:19:22:062 0436 IRP_MJ_WRITE : 804F4562
13:19:22:062 0436 IRP_MJ_QUERY_INFORMATION : 804F4562
13:19:22:062 0436 IRP_MJ_SET_INFORMATION : 804F4562
13:19:22:062 0436 IRP_MJ_QUERY_EA : 804F4562
13:19:22:062 0436 IRP_MJ_SET_EA : 804F4562
13:19:22:062 0436 IRP_MJ_FLUSH_BUFFERS : 804F4562
13:19:22:062 0436 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:19:22:062 0436 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:19:22:062 0436 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:19:22:062 0436 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:19:22:062 0436 IRP_MJ_DEVICE_CONTROL : F7401712
13:19:22:062 0436 IRP_MJ_INTERNAL_DEVICE_CONTROL : F73FD852
13:19:22:062 0436 IRP_MJ_SHUTDOWN : 804F4562
13:19:22:062 0436 IRP_MJ_LOCK_CONTROL : 804F4562
13:19:22:062 0436 IRP_MJ_CLEANUP : 804F4562
13:19:22:062 0436 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:19:22:062 0436 IRP_MJ_QUERY_SECURITY : 804F4562
13:19:22:062 0436 IRP_MJ_SET_SECURITY : 804F4562
13:19:22:062 0436 IRP_MJ_POWER : F740173C
13:19:22:062 0436 IRP_MJ_SYSTEM_CONTROL : F7408336
13:19:22:062 0436 IRP_MJ_DEVICE_CHANGE : 804F4562
13:19:22:062 0436 IRP_MJ_QUERY_QUOTA : 804F4562
13:19:22:062 0436 IRP_MJ_SET_QUOTA : 804F4562
13:19:22:125 0436 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
13:19:22:125 0436
13:19:22:125 0436 Completed
13:19:22:125 0436
13:19:22:125 0436 Results:
13:19:22:125 0436 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
13:19:22:125 0436 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
13:19:22:125 0436 File objects infected / cured / cured on reboot: 0 / 0 / 0
13:19:22:125 0436
13:19:22:125 0436 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
13:19:22:125 0436 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
13:19:22:171 0436 KLMD(ARK) unloaded successfully
kemsing
Regular Member
 
Posts: 56
Joined: April 30th, 2010, 12:28 pm

Re: HTTPS Tidserv request 2

Unread postby kemsing » May 12th, 2010, 8:34 am

Malware log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4092

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/05/2010 13:32:19
mbam-log-2010-05-12 (13-32-19).txt

Scan type: Quick scan
Objects scanned: 126637
Time elapsed: 8 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
kemsing
Regular Member
 
Posts: 56
Joined: April 30th, 2010, 12:28 pm

Re: HTTPS Tidserv request 2

Unread postby askey127 » May 12th, 2010, 9:14 am

kemsing
Looking Good.
Make sure your Norton 360 is turned back ON now.
-----------------------------------------------
Run the RSIT Scanner
Doubleclick the RSIT icon.
When the scan is complete, one text file will open
log.txt [color=red]
The file will be saved here also -> C:\rsit\ )
Copy/Paste the contents of log.txt into your next post please.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 68 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware