Backdoor.Tidserv!inf and Trojan.Zefarch hit

View previous topic View next topic Go down

Backdoor.Tidserv!inf and Trojan.Zefarch hit

Post by yelljack on Mon 19 Jul 2010, 1:06 am

WIndows XP laptop got hit with Backdoor.Tidserv!inf, Trojan.Zefarch and W32Silly.Fdc yesterday morning. Symantec cleaned the W32Silly.Fdc infection but cannot clean Backdoor.Tidserv!inf and Trojan.Zefarch completely. Here is the logfile from HijackThis. Thanks.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:02:35 AM, on 7/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\JHSecure\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\OEM02Mon.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\OSDEx\OSDEx.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\LainieM\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office 2007\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Amoveseduzuvifu] rundll32.exe "C:\WINDOWS\usagadavemom.dll",Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Iwacocije] rundll32.exe "C:\WINDOWS\afchrog.dll",Startup
O4 - Startup: Dialog Box Assistant.lnk = C:\Program Files\OSDEx\OSDEx.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI69DF~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI69DF~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {C9D7D239-B502-48B3-BA25-9DF8C7264073} (CCAWebLogin Control) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office 2007\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\JHSecure\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10115 bytes

yelljack

Newbie Surfer
Newbie Surfer

Posts : 44
Joined : 2008-12-08
Operating System : XP

View user profile

Back to top Go down

Re: Backdoor.Tidserv!inf and Trojan.Zefarch hit

Post by Sneakyone on Mon 19 Jul 2010, 3:54 am

Hi, Welcome to GeekPolice.net!

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


I'm livin' life in the fast lane.


Sneakyone

Tech Officer
Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

View user profile http://twitter.com/AVerySneakyone

Back to top Go down

Re: Backdoor.Tidserv!inf and Trojan.Zefarch hit

Post by yelljack on Mon 19 Jul 2010, 4:52 am

Thanks - Here is the log file from combofix.

ComboFix 10-07-16.02 - LainieM 07/18/2010 13:24:41.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1287 [GMT -4:00]
Running from: c:\documents and settings\LainieM\desktop\commy.exe
Command switches used :: /stepdel
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\videosoft
c:\recycler\k-1-3542-4232123213-7676767-8888886
c:\windows\ikonarigap.dll
c:\windows\ilofolifa.dll
c:\windows\itobedidayiyuk.dll
c:\windows\olirojewujoxuce.dll
c:\windows\uwenaqafotocedo.dll
c:\program files\videosoft\Shared Files\ViewRep7.dll
c:\program files\videosoft\Shared Files\Vsflex7.ocx
c:\program files\videosoft\Shared Files\VSPRINT7.ocx
c:\program files\videosoft\Shared Files\VSStr7.ocx
c:\recycler\k-1-3542-4232123213-7676767-8888886\Desktop.ini
c:\windows\afchrog.dll
c:\windows\usagadavemom.dll
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((( Files Created from 2010-06-18 to 2010-07-18 )))))))))))))))))))))))))))))))
.

2010-07-17 22:31 . 2010-07-17 22:31 -------- d-----w- c:\documents and settings\LainieM\Local Settings\Application Data\{F9956A55-1D30-46CA-A925-989D45436623}
2010-07-17 21:46 . 2010-07-17 21:46 -------- d--h--w- c:\windows\PIF
2010-07-17 19:37 . 2010-07-18 17:14 120 ----a-w- c:\windows\Ujuteza.dat
2010-07-17 19:37 . 2010-07-18 17:14 0 ----a-w- c:\windows\Qriluwiqi.bin
2010-07-17 19:37 . 2010-07-17 19:37 -------- d-----w- c:\documents and settings\LainieM\Local Settings\Application Data\{5987BF2B-AD6F-4733-9371-5F9A3F102284}
2010-07-17 19:21 . 2010-07-17 19:21 -------- d-----w- c:\documents and settings\LainieM\Application Data\Malwarebytes
2010-07-17 19:21 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-17 19:21 . 2010-07-17 19:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-17 19:21 . 2010-07-17 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-17 19:21 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-17 12:57 . 2010-07-17 22:27 -------- d-----w- c:\documents and settings\LainieM\Local Settings\Application Data\gkmkbkdge
2010-07-13 23:01 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-18 17:35 . 2007-11-02 14:47 -------- d-----w- c:\program files\Symantec AntiVirus
2010-07-18 17:13 . 2008-02-26 04:23 -------- d-----w- c:\documents and settings\LainieM\Application Data\EndNote
2010-07-14 01:58 . 2010-04-14 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-23 20:48 . 2009-03-27 17:34 -------- d-----w- c:\documents and settings\LainieM\Application Data\U3
2010-06-16 12:54 . 2007-10-01 03:49 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-16 12:09 . 2009-10-25 18:17 -------- d-----w- c:\program files\jv16 PowerTools 2009
2010-06-13 11:40 . 2008-02-11 20:23 -------- d-----w- c:\program files\Dell Support Center
2010-06-08 14:24 . 2007-10-01 03:52 128304 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-07 11:33 . 2010-06-07 11:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-06-07 11:28 . 2010-06-07 11:24 -------- d-----w- c:\program files\Hewlett-Packard
2010-06-07 11:26 . 2010-06-07 11:25 -------- d--h--w- c:\program files\Zero G Registry
2010-06-07 11:24 . 2010-06-07 11:24 -------- d-----w- c:\program files\HP
2010-06-07 11:16 . 2010-06-07 11:16 -------- d-----w- c:\program files\Common Files\SWF Studio
2010-06-04 14:58 . 2010-02-05 00:43 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-13 19:09 . 2010-05-13 19:09 50703272 ----a-w- c:\program files\Visio2003SP3-KB923620-FullFile-ENU.exe
2010-05-06 10:41 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-11 22:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-11 22:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-07 14:50 . 2010-04-07 14:50 537872064 ----a-w- c:\program files\X16-18984.exe
2010-02-02 15:41 . 2010-02-02 15:40 32502364 ----a-w- c:\program files\R-2.10.1-win32.exe
2009-11-18 14:07 . 2009-11-18 14:07 1896 ----a-w- c:\program files\Clean Access Agent.lnk
2009-11-18 14:05 . 2009-11-18 14:05 10117168 ----a-w- c:\program files\CCAAgent_Setup.exe
2001-05-24 17:59 . 2008-11-24 15:14 162304 ----a-w- c:\program files\UNWISE.EXE
2007-10-01 03:38 . 2007-10-01 03:38 76 --sh--r- c:\windows\CT4CET.bin
2009-10-25 18:17 . 2009-10-25 18:17 23 --sha-w- c:\windows\system32\edacded0_x.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-06-06 125632]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-25 149280]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 405504]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-06 138008]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-09 36864]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-06 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-06 162584]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

c:\documents and settings\LainieM\Start Menu\Programs\Startup\
Dialog Box Assistant.lnk - c:\program files\OSDEx\OSDEx.exe [2002-4-26 35328]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\EXCEL.EXE"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DELL\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
""=

R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/6/2007 4:24 PM 116928]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/29/2010 7:00 AM 102448]
S0 vyik;vyik;c:\windows\system32\drivers\pmenba.sys --> c:\windows\system32\drivers\pmenba.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MI69DF~1\Office12\EXCEL.EXE/3000
DPF: {C9D7D239-B502-48B3-BA25-9DF8C7264073} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\LainieM\Application Data\Mozilla\Firefox\Profiles\eiuq6l41.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\LainieM\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\LainieM\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {5987BF2B-AD6F-4733-9371-5F9A3F102284} - c:\documents and settings\LainieM\Local Settings\Application Data\{5987BF2B-AD6F-4733-9371-5F9A3F102284}\
FF - HiddenExtension: XULRunner: {F9956A55-1D30-46CA-A925-989D45436623} - c:\documents and settings\LainieM\Local Settings\Application Data\{F9956A55-1D30-46CA-A925-989D45436623}\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Iwacocije - c:\windows\afchrog.dll
HKLM-Run-Amoveseduzuvifu - c:\windows\usagadavemom.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-18 13:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1408)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3312)
c:\windows\system32\WININET.dll
c:\program files\OSDEx\OSDExLib.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\JHSecure\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
.
**************************************************************************
.
Completion time: 2010-07-18 13:45:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-18 17:45

Pre-Run: 92,773,064,704 bytes free
Post-Run: 92,831,653,888 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 044B57C2A8869B0DBA444E9A97B4BD9B

yelljack

Newbie Surfer
Newbie Surfer

Posts : 44
Joined : 2008-12-08
Operating System : XP

View user profile

Back to top Go down

Re: Backdoor.Tidserv!inf and Trojan.Zefarch hit

Post by Sneakyone on Mon 19 Jul 2010, 5:53 am

Hi,

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Killall::

    File::
    c:\windows\system32\drivers\pmenba.sys
    c:\windows\Ujuteza.dat
    c:\windows\Qriluwiqi.bin

    Folder::
    c:\documents and settings\LainieM\Local Settings\Application Data\{5987BF2B-AD6F-4733-9371-5F9A3F102284}
    c:\documents and settings\LainieM\Local Settings\Application Data\gkmkbkdge
    c:\documents and settings\LainieM\Local Settings\Application Data\{F9956A55-1D30-46CA-A925-989D45436623}

    Driver::
    vyik

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5643

    Reboot::


  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


========

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


I'm livin' life in the fast lane.


Sneakyone

Tech Officer
Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

View user profile http://twitter.com/AVerySneakyone

Back to top Go down

Re: Backdoor.Tidserv!inf and Trojan.Zefarch hit

Post by yelljack on Mon 19 Jul 2010, 5:59 am

I have a Symantec version that my school installed and I can't disable it. I checked on-line for various ways around it, but it seems impossible. Will your instructions work even if I can't disable Symantec?
Thanks for all the help.

yelljack

Newbie Surfer
Newbie Surfer

Posts : 44
Joined : 2008-12-08
Operating System : XP

View user profile

Back to top Go down

Re: Backdoor.Tidserv!inf and Trojan.Zefarch hit

Post by Sneakyone on Mon 19 Jul 2010, 6:15 am

Hi,

Yes, it should work.


I'm livin' life in the fast lane.


Sneakyone

Tech Officer
Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

View user profile http://twitter.com/AVerySneakyone

Back to top Go down

Re: Backdoor.Tidserv!inf and Trojan.Zefarch hit

Post by yelljack on Mon 19 Jul 2010, 6:36 am

Thanks. Here is the latest log output ..

ComboFix 10-07-16.02 - LainieM 07/18/2010 15:16:19.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1411 [GMT -4:00]
Running from: c:\documents and settings\LainieM\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\LainieM\Desktop\CFscript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\windows\Qriluwiqi.bin"
"c:\windows\system32\drivers\pmenba.sys"
"c:\windows\Ujuteza.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LainieM\Local Settings\Application Data\{5987BF2B-AD6F-4733-9371-5F9A3F102284}
c:\documents and settings\LainieM\Local Settings\Application Data\{5987BF2B-AD6F-4733-9371-5F9A3F102284}\chrome.manifest
c:\documents and settings\LainieM\Local Settings\Application Data\{5987BF2B-AD6F-4733-9371-5F9A3F102284}\chrome\content\_cfg.js
c:\documents and settings\LainieM\Local Settings\Application Data\{5987BF2B-AD6F-4733-9371-5F9A3F102284}\install.rdf
c:\documents and settings\LainieM\Local Settings\Application Data\{F9956A55-1D30-46CA-A925-989D45436623}
c:\documents and settings\LainieM\Local Settings\Application Data\{F9956A55-1D30-46CA-A925-989D45436623}\chrome.manifest
c:\documents and settings\LainieM\Local Settings\Application Data\{F9956A55-1D30-46CA-A925-989D45436623}\chrome\content\_cfg.js
c:\documents and settings\LainieM\Local Settings\Application Data\{F9956A55-1D30-46CA-A925-989D45436623}\install.rdf
c:\documents and settings\LainieM\Local Settings\Application Data\gkmkbkdge
c:\windows\Qriluwiqi.bin
c:\windows\Ujuteza.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_vyik


((((((((((((((((((((((((( Files Created from 2010-06-18 to 2010-07-18 )))))))))))))))))))))))))))))))
.

2010-07-17 21:46 . 2010-07-17 21:46 -------- d--h--w- c:\windows\PIF
2010-07-17 19:21 . 2010-07-17 19:21 -------- d-----w- c:\documents and settings\LainieM\Application Data\Malwarebytes
2010-07-17 19:21 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-17 19:21 . 2010-07-17 19:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-17 19:21 . 2010-07-17 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-17 19:21 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-13 23:01 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-18 19:28 . 2007-11-02 14:47 -------- d-----w- c:\program files\Symantec AntiVirus
2010-07-18 17:13 . 2008-02-26 04:23 -------- d-----w- c:\documents and settings\LainieM\Application Data\EndNote
2010-07-14 01:58 . 2010-04-14 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-23 20:48 . 2009-03-27 17:34 -------- d-----w- c:\documents and settings\LainieM\Application Data\U3
2010-06-16 12:54 . 2007-10-01 03:49 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-16 12:28 . 2010-07-17 13:11 208530 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-06-16 12:09 . 2009-10-25 18:17 -------- d-----w- c:\program files\jv16 PowerTools 2009
2010-06-14 14:31 . 2004-08-11 22:12 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-13 11:40 . 2008-02-11 20:23 -------- d-----w- c:\program files\Dell Support Center
2010-06-08 14:24 . 2007-10-01 03:52 128304 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-07 11:33 . 2010-06-07 11:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-06-07 11:28 . 2010-06-07 11:28 45056 ----a-r- c:\documents and settings\LainieM\Application Data\Microsoft\Installer\{90B5E602-1867-449D-86FD-FC9DEA4434BF}\NewShortcut1_5B69D3033CA54B39B5ECE7D051297E77.exe
2010-06-07 11:28 . 2010-06-07 11:24 -------- d-----w- c:\program files\Hewlett-Packard
2010-06-07 11:26 . 2010-06-07 11:25 -------- d--h--w- c:\program files\Zero G Registry
2010-06-07 11:24 . 2010-06-07 11:24 -------- d-----w- c:\program files\HP
2010-06-07 11:16 . 2010-06-07 11:16 -------- d-----w- c:\program files\Common Files\SWF Studio
2010-06-04 14:58 . 2010-02-05 00:43 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-29 10:56 . 2010-05-29 10:56 503808 ----a-w- c:\documents and settings\LainieM\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6b9447e4-n\msvcp71.dll
2010-05-29 10:56 . 2010-05-29 10:56 499712 ----a-w- c:\documents and settings\LainieM\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6b9447e4-n\jmc.dll
2010-05-29 10:56 . 2010-05-29 10:56 348160 ----a-w- c:\documents and settings\LainieM\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6b9447e4-n\msvcr71.dll
2010-05-13 19:09 . 2010-05-13 19:09 50703272 ----a-w- c:\program files\Visio2003SP3-KB923620-FullFile-ENU.exe
2010-05-06 10:41 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-11 22:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-11 22:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-07 14:50 . 2010-04-07 14:50 537872064 ----a-w- c:\program files\X16-18984.exe
2010-02-02 15:41 . 2010-02-02 15:40 32502364 ----a-w- c:\program files\R-2.10.1-win32.exe
2009-11-18 14:07 . 2009-11-18 14:07 1896 ----a-w- c:\program files\Clean Access Agent.lnk
2009-11-18 14:05 . 2009-11-18 14:05 10117168 ----a-w- c:\program files\CCAAgent_Setup.exe
2001-05-24 17:59 . 2008-11-24 15:14 162304 ----a-w- c:\program files\UNWISE.EXE
2007-10-01 03:38 . 2007-10-01 03:38 76 --sh--r- c:\windows\CT4CET.bin
2009-10-25 18:17 . 2009-10-25 18:17 23 --sha-w- c:\windows\system32\edacded0_x.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-06-06 125632]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-25 149280]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 405504]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-06 138008]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-09 36864]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-06 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-06 162584]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

c:\documents and settings\LainieM\Start Menu\Programs\Startup\
Dialog Box Assistant.lnk - c:\program files\OSDEx\OSDEx.exe [2002-4-26 35328]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\EXCEL.EXE"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DELL\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
""=

R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/6/2007 4:24 PM 116928]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/29/2010 7:00 AM 102448]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MI69DF~1\Office12\EXCEL.EXE/3000
DPF: {C9D7D239-B502-48B3-BA25-9DF8C7264073} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\LainieM\Application Data\Mozilla\Firefox\Profiles\eiuq6l41.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\LainieM\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\LainieM\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-18 15:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1396)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3200)
c:\windows\system32\WININET.dll
c:\program files\OSDEx\OSDExLib.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\JHSecure\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
.
**************************************************************************
.
Completion time: 2010-07-18 15:34:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-18 19:34
ComboFix2.txt 2010-07-18 17:45

Pre-Run: 92,836,786,176 bytes free
Post-Run: 92,710,019,072 bytes free

- - End Of File - - F92F317A1570A4279F8750BACCFDBFDF

yelljack

Newbie Surfer
Newbie Surfer

Posts : 44
Joined : 2008-12-08
Operating System : XP

View user profile

Back to top Go down

Re: Backdoor.Tidserv!inf and Trojan.Zefarch hit

Post by yelljack on Mon 19 Jul 2010, 8:38 am

bump

yelljack

Newbie Surfer
Newbie Surfer

Posts : 44
Joined : 2008-12-08
Operating System : XP

View user profile

Back to top Go down

Re: Backdoor.Tidserv!inf and Trojan.Zefarch hit

Post by Sneakyone on Mon 19 Jul 2010, 8:43 am

Hi,

Do you also have the Gooredfix log?




I'm livin' life in the fast lane.


Sneakyone

Tech Officer
Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

View user profile http://twitter.com/AVerySneakyone

Back to top Go down

Re: Backdoor.Tidserv!inf and Trojan.Zefarch hit

Post by yelljack on Mon 19 Jul 2010, 8:52 am

Oops, sorry, here is the gooredfix log ..

GooredFix by jpshortstuff (03.07.10.1)
Log created at 17:50 on 18/07/2010 (LainieM)
Firefox version 3.6.6 (en-US)

========== GooredScan ==========

Removing Orphan:
"{5987BF2B-AD6F-4733-9371-5F9A3F102284}"="C:\Documents and Settings\LainieM\Local Settings\Application Data\{5987BF2B-AD6F-4733-9371-5F9A3F102284}" -> Success!
Removing Orphan:
"{F9956A55-1D30-46CA-A925-989D45436623}"="C:\Documents and Settings\LainieM\Local Settings\Application Data\{F9956A55-1D30-46CA-A925-989D45436623}" -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [17:39 08/10/2007]
{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} [17:15 31/03/2010]
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [12:08 10/10/2007]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [14:27 25/01/2010]

C:\Documents and Settings\LainieM\Application Data\Mozilla\Firefox\Profiles\eiuq6l41.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [10:28 09/06/2010]
{635abd67-4fe9-1b23-4f01-e679fa7484c1} [10:28 09/06/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension" [17:43 09/11/2009]

-=E.O.F=-

yelljack

Newbie Surfer
Newbie Surfer

Posts : 44
Joined : 2008-12-08
Operating System : XP

View user profile

Back to top Go down

Re: Backdoor.Tidserv!inf and Trojan.Zefarch hit

Post by Sneakyone on Mon 19 Jul 2010, 9:24 am

Hi,

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


I'm livin' life in the fast lane.


Sneakyone

Tech Officer
Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

View user profile http://twitter.com/AVerySneakyone

Back to top Go down

Re: Backdoor.Tidserv!inf and Trojan.Zefarch hit

Post by yelljack on Mon 19 Jul 2010, 12:30 pm

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4325

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/18/2010 9:28:44 PM
mbam-log-2010-07-18 (21-28-44).txt

Scan type: Full scan (C:\|)
Objects scanned: 289904
Time elapsed: 2 hour(s), 35 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

yelljack

Newbie Surfer
Newbie Surfer

Posts : 44
Joined : 2008-12-08
Operating System : XP

View user profile

Back to top Go down

Re: Backdoor.Tidserv!inf and Trojan.Zefarch hit

Post by Sneakyone on Mon 19 Jul 2010, 2:24 pm

Hi,

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


I'm livin' life in the fast lane.


Sneakyone

Tech Officer
Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

View user profile http://twitter.com/AVerySneakyone

Back to top Go down

Re: Backdoor.Tidserv!inf and Trojan.Zefarch hit

Post by yelljack on Mon 19 Jul 2010, 11:43 pm

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=a7929b7edde5e04b900d7e1a0ea630a1
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-19 12:29:43
# local_time=2010-07-19 08:29:43 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=165917
# found=5
# cleaned=5
# scan_time=6931
C:\Qoobox\Quarantine\C\WINDOWS\afchrog.dll.vir a variant of Win32/Cimag.CW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\usagadavemom.dll.vir a variant of Win32/Cimag.CK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP419\A0072970.inf INF/Autorun.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP419\A0072998.dll a variant of Win32/Cimag.CW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP419\A0072999.dll a variant of Win32/Cimag.CK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

yelljack

Newbie Surfer
Newbie Surfer

Posts : 44
Joined : 2008-12-08
Operating System : XP

View user profile

Back to top Go down

Re: Backdoor.Tidserv!inf and Trojan.Zefarch hit

Post by yelljack on Mon 19 Jul 2010, 11:45 pm

Also, Symantec's auto-protect keeps coming up with Backdoor.Tidserv!inf catches and partial cleans.

yelljack

Newbie Surfer
Newbie Surfer

Posts : 44
Joined : 2008-12-08
Operating System : XP

View user profile

Back to top Go down

Re: Backdoor.Tidserv!inf and Trojan.Zefarch hit

Post by Sneakyone on Tue 20 Jul 2010, 6:21 am

Hi,

Could you please tell me the file-paths that Symantec is detecting (For example: C:\Windows\malware.exe)?


I'm livin' life in the fast lane.


Sneakyone

Tech Officer
Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

View user profile http://twitter.com/AVerySneakyone

Back to top Go down

Re: Backdoor.Tidserv!inf and Trojan.Zefarch hit

Post by yelljack on Tue 20 Jul 2010, 6:51 am

Here are the 7 that Symantec's Auto-protect keeps identifying as risks:
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP418\A0071874.sys
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP419\A0072920.sys
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP419\A0072952.sys
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP420\A0073192.sys
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP418\A0071874.sys
C:\WINDOWS\system32\drivers\rdpcdd.sys
C:\WINDOWS\system32\drivers\rdpcdd.sys

yelljack

Newbie Surfer
Newbie Surfer

Posts : 44
Joined : 2008-12-08
Operating System : XP

View user profile

Back to top Go down

Re: Backdoor.Tidserv!inf and Trojan.Zefarch hit

Post by Sneakyone on Tue 20 Jul 2010, 7:00 am

Hi,

Most of them are in your system restore points, which we will clean later.

There is a patched driver that needs to be replaced.

Download TDSSKiller and save it to your Desktop.


  • Right click on the file and choose extract all extract the file to your desktop then run it.
  • If prompted to restart the computer type in Y then it will restart.
  • Or if you are prompted with a hidden service warning do go ahead and delete it.
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log




I'm livin' life in the fast lane.


Sneakyone

Tech Officer
Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

View user profile http://twitter.com/AVerySneakyone

Back to top Go down

Re: Backdoor.Tidserv!inf and Trojan.Zefarch hit

Post by yelljack on Tue 20 Jul 2010, 7:41 am

16:32:22:296 2676 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
16:32:22:296 2676 ================================================================================
16:32:22:296 2676 SystemInfo:

16:32:22:296 2676 OS Version: 5.1.2600 ServicePack: 3.0
16:32:22:296 2676 Product type: Workstation
16:32:22:296 2676 ComputerName: STU-MEMORGAN
16:32:22:296 2676 UserName: LainieM
16:32:22:296 2676 Windows directory: C:\WINDOWS
16:32:22:296 2676 System windows directory: C:\WINDOWS
16:32:22:296 2676 Processor architecture: Intel x86
16:32:22:296 2676 Number of processors: 2
16:32:22:296 2676 Page size: 0x1000
16:32:22:296 2676 Boot type: Normal boot
16:32:22:296 2676 ================================================================================
16:32:23:031 2676 Initialize success
16:32:23:031 2676
16:32:23:031 2676 Scanning Services ...
16:32:23:640 2676 Raw services enum returned 403 services
16:32:23:656 2676
16:32:23:656 2676 Scanning Drivers ...
16:32:25:796 2676 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
16:32:25:921 2676 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
16:32:26:015 2676 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
16:32:26:109 2676 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
16:32:26:187 2676 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
16:32:26:296 2676 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
16:32:26:375 2676 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
16:32:26:390 2676 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
16:32:26:468 2676 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
16:32:26:515 2676 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
16:32:26:609 2676 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
16:32:26:703 2676 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
16:32:26:812 2676 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
16:32:26:937 2676 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
16:32:26:984 2676 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
16:32:27:062 2676 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
16:32:27:125 2676 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
16:32:27:187 2676 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
16:32:27:265 2676 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
16:32:27:375 2676 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
16:32:27:437 2676 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
16:32:27:671 2676 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
16:32:27:812 2676 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
16:32:27:890 2676 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
16:32:28:000 2676 BCM43XX (b89bcf0a25aeb3b47030ac83287f894a) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
16:32:28:078 2676 bcm4sbxp (cd4646067cc7dcba1907fa0acf7e3966) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
16:32:28:140 2676 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
16:32:28:203 2676 BrScnUsb (92a964547b96d697e5e9ed43b4297f5a) C:\WINDOWS\system32\Drivers\BrScnUsb.sys
16:32:28:265 2676 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
16:32:28:281 2676 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
16:32:28:343 2676 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
16:32:28:375 2676 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
16:32:28:421 2676 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
16:32:28:484 2676 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
16:32:28:515 2676 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
16:32:28:562 2676 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
16:32:28:609 2676 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
16:32:28:656 2676 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
16:32:28:718 2676 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
16:32:28:781 2676 CVirtA (5c706c06c1279952d2cc1a609ca948bf) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
16:32:28:859 2676 CVPNDRVA (244b0408e9e20c734c97ce1e783d67ee) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
16:32:28:937 2676 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
16:32:28:953 2676 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
16:32:29:031 2676 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
16:32:29:125 2676 DLABMFSM (a53723176d0002feb486eff8e17812f2) C:\WINDOWS\system32\DLA\DLABMFSM.SYS
16:32:29:125 2676 DLABOIOM (d4587063acea776699251e177d719586) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
16:32:29:140 2676 DLACDBHM (5230cdb7e715f3a3b4a882e254cdd35d) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
16:32:29:187 2676 DLADResM (c950c2e7b9ed1a4fc4a2ac7ec044f1d6) C:\WINDOWS\system32\DLA\DLADResM.SYS
16:32:29:234 2676 DLAIFS_M (24400137e387a24410c52a591f3cfb4d) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
16:32:29:296 2676 DLAOPIOM (29a303feceb28641ecebdae89eb71c63) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
16:32:29:312 2676 DLAPoolM (c93e33a22a1ae0c5508f3fb1f6d0a50c) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
16:32:29:343 2676 DLARTL_M (77fe51f0f8d86804cb81f6ef6bfb86dd) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
16:32:29:375 2676 DLAUDFAM (b953498c35a31e5ac98f49adbcf3e627) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
16:32:29:390 2676 DLAUDF_M (4897704c093c1f59ce58fc65e1e1ef1e) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
16:32:29:500 2676 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
16:32:29:609 2676 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
16:32:29:671 2676 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
16:32:29:734 2676 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
16:32:29:812 2676 DNE (2eddbb3ef1dd5a28cb07c149d36e7286) C:\WINDOWS\system32\DRIVERS\dne2000.sys
16:32:29:875 2676 Dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
16:32:29:984 2676 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
16:32:30:000 2676 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys
16:32:30:046 2676 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
16:32:30:125 2676 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
16:32:30:218 2676 DRVMCDB (c00440385cf9f3d142917c63f989e244) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
16:32:30:265 2676 DRVNDDM (ffc371525aa55d1bae18715ebcb8797c) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
16:32:30:453 2676 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
16:32:30:625 2676 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
16:32:30:750 2676 DXEC02 (0c8762b91b967a91373e0e022b62acfc) C:\WINDOWS\system32\drivers\dxec02.sys
16:32:30:843 2676 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
16:32:31:046 2676 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
16:32:31:109 2676 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
16:32:31:359 2676 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
16:32:31:437 2676 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
16:32:31:515 2676 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
16:32:31:562 2676 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
16:32:31:671 2676 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
16:32:31:703 2676 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
16:32:31:781 2676 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
16:32:31:890 2676 GEARAspiWDM (f2f431d1573ee632975c524418655b84) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
16:32:31:921 2676 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
16:32:31:953 2676 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
16:32:31:984 2676 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
16:32:32:093 2676 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
16:32:32:218 2676 HSFHWAZL (b1526810210980bed9d22315946c919d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
16:32:32:375 2676 HSF_DPV (ddbd528e60f5961c142a490dc4ea7780) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
16:32:32:562 2676 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
16:32:32:625 2676 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
16:32:32:671 2676 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
16:32:32:734 2676 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
16:32:33:078 2676 ialm (200cca76cd0e0f7eec78fa56c29b4d67) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
16:32:33:453 2676 iaStor (fd7f9d74c2b35dbda400804a3f5ed5d8) C:\WINDOWS\system32\drivers\iaStor.sys
16:32:33:500 2676 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
16:32:33:546 2676 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
16:32:33:578 2676 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
16:32:33:625 2676 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
16:32:33:687 2676 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
16:32:33:734 2676 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
16:32:33:812 2676 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
16:32:33:890 2676 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
16:32:33:906 2676 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
16:32:33:968 2676 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
16:32:34:015 2676 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
16:32:34:062 2676 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
16:32:34:109 2676 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
16:32:34:171 2676 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\WINDOWS\system32\drivers\klmd.sys
16:32:34:265 2676 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
16:32:34:343 2676 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
16:32:34:437 2676 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
16:32:34:468 2676 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
16:32:34:531 2676 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
16:32:34:546 2676 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
16:32:34:656 2676 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
16:32:34:687 2676 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
16:32:34:734 2676 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
16:32:34:796 2676 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
16:32:34:906 2676 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
16:32:34:968 2676 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
16:32:35:015 2676 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
16:32:35:109 2676 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
16:32:35:203 2676 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
16:32:35:265 2676 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
16:32:35:312 2676 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
16:32:35:359 2676 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
16:32:35:437 2676 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
16:32:35:671 2676 NAVENG (0953bb24c1e70a99c315f44f15993c17) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100718.003\naveng.sys
16:32:35:796 2676 NAVEX15 (3ddb0bef60b65df6b110c23e17cd67dc) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100718.003\navex15.sys
16:32:36:156 2676 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
16:32:36:218 2676 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
16:32:36:281 2676 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
16:32:36:312 2676 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
16:32:36:343 2676 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
16:32:36:375 2676 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
16:32:36:390 2676 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
16:32:36:421 2676 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
16:32:36:500 2676 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
16:32:36:515 2676 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
16:32:36:640 2676 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
16:32:36:718 2676 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
16:32:36:906 2676 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
16:32:37:062 2676 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
16:32:37:093 2676 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
16:32:37:140 2676 OEM02Afx (58f478fd0115012ceec75fb73628901c) C:\WINDOWS\system32\Drivers\OEM02Afx.sys
16:32:37:187 2676 OEM02Dev (f95440e0780826417624e66a9171bfb7) C:\WINDOWS\system32\DRIVERS\OEM02Dev.sys
16:32:37:203 2676 OEM02Vfx (86326062a90494bdd79ce383511d7d69) C:\WINDOWS\system32\DRIVERS\OEM02Vfx.sys
16:32:37:265 2676 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
16:32:37:312 2676 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
16:32:37:328 2676 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
16:32:37:421 2676 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
16:32:37:437 2676 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
16:32:37:500 2676 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
16:32:37:578 2676 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
16:32:37:796 2676 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
16:32:37:906 2676 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
16:32:37:984 2676 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
16:32:38:031 2676 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
16:32:38:140 2676 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
16:32:38:312 2676 PxHelp20 (feffcfdc528764a04c8ed63d5fa6e711) C:\WINDOWS\system32\Drivers\PxHelp20.sys
16:32:38:390 2676 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
16:32:38:515 2676 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
16:32:38:625 2676 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
16:32:38:734 2676 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
16:32:38:828 2676 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
16:32:38:921 2676 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
16:32:39:000 2676 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
16:32:39:062 2676 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
16:32:39:109 2676 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
16:32:39:171 2676 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
16:32:39:203 2676 RDPCDD (87d8c50adc857e4627262be4856d68f3) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
16:32:39:359 2676 Suspicious file (NoAccess): C:\WINDOWS\system32\DRIVERS\RDPCDD.sys. md5: 87d8c50adc857e4627262be4856d68f3
16:32:39:359 2676 File "C:\WINDOWS\system32\DRIVERS\RDPCDD.sys" infected by TDSS rootkit ... 16:32:41:203 2676 Backup copy not found, trying to cure infected file..
16:32:41:203 2676 Cure success, using it..
16:32:41:250 2676 will be cured on next reboot
16:32:41:468 2676 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
16:32:41:546 2676 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
16:32:41:609 2676 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
16:32:41:734 2676 rimmptsk (d85e3fa9f5b1f29bb4ed185c450d1470) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
16:32:41:921 2676 rimsptsk (db8eb01c58c9fada00c70b1775278ae0) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
16:32:42:078 2676 rismxdp (6c1f93c0760c9f79a1869d07233df39d) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
16:32:42:296 2676 SAVRT (12b6e269ef8ac8ea36122544c8a1b6d8) C:\Program Files\Symantec AntiVirus\savrt.sys
16:32:42:406 2676 SAVRTPEL (97e5b6f3f95465e1f59360b59d8ec64e) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
16:32:42:625 2676 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
16:32:42:718 2676 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
16:32:42:875 2676 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
16:32:43:109 2676 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
16:32:43:250 2676 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
16:32:43:328 2676 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
16:32:43:375 2676 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
16:32:43:437 2676 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
16:32:43:484 2676 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
16:32:43:703 2676 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
16:32:44:000 2676 SPBBCDrv (ef9760a364d836a0ce6149ebdf71524d) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
16:32:44:484 2676 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
16:32:45:453 2676 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
16:32:46:265 2676 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
16:32:48:484 2676 STHDA (58f855684e163466a5c565adf0865536) C:\WINDOWS\system32\drivers\sthda.sys
16:32:49:953 2676 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
16:32:50:703 2676 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
16:32:51:250 2676 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
16:32:51:953 2676 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
16:32:52:093 2676 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
16:32:52:546 2676 SymEvent (49b20b430a4f219173f823536944474a) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
16:32:52:796 2676 SYMREDRV (7de45dfebb51e56d7c795bd0c2d7aef5) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
16:32:53:093 2676 SYMTDI (e1444c6095d67ca4ef6ba192cf7fa91a) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
16:32:54:109 2676 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
16:32:54:546 2676 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
16:32:54:734 2676 SynTP (936cd58395d36659bb798b961ef7357f) C:\WINDOWS\system32\DRIVERS\SynTP.sys
16:32:55:031 2676 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
16:32:55:578 2676 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
16:32:56:828 2676 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
16:32:57:328 2676 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
16:32:57:984 2676 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
16:32:58:625 2676 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
16:32:59:234 2676 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
16:32:59:578 2676 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
16:33:00:171 2676 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
16:33:01:093 2676 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
16:33:01:781 2676 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
16:33:02:250 2676 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
16:33:02:984 2676 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
16:33:03:656 2676 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:33:04:312 2676 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
16:33:05:093 2676 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
16:33:05:750 2676 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
16:33:06:250 2676 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
16:33:06:859 2676 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
16:33:07:500 2676 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
16:33:08:109 2676 vsdatant (27b3dd12a19eec50220df15b64913dda) C:\WINDOWS\system32\vsdatant.sys
16:33:09:515 2676 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
16:33:10:578 2676 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
16:33:11:062 2676 winachsf (96aff1738271755a39b52eef7e35f98f) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
16:33:12:203 2676 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
16:33:12:609 2676 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
16:33:12:937 2676 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
16:33:13:312 2676 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
16:33:13:312 2676 Reboot required for cure complete..
16:33:14:218 2676 Cure on reboot scheduled successfully
16:33:14:218 2676
16:33:14:218 2676 Completed
16:33:14:218 2676
16:33:14:218 2676 Results:
16:33:14:218 2676 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:33:14:218 2676 File objects infected / cured / cured on reboot: 1 / 0 / 1
16:33:14:218 2676
16:33:14:218 2676 KLMD(ARK) unloaded successfully

yelljack

Newbie Surfer
Newbie Surfer

Posts : 44
Joined : 2008-12-08
Operating System : XP

View user profile

Back to top Go down

Re: Backdoor.Tidserv!inf and Trojan.Zefarch hit

Post by Sneakyone on Tue 20 Jul 2010, 8:34 am

Ok, that looks good, is Symantec still detecting C:\WINDOWS\system32\drivers\rdpcdd.sys?


I'm livin' life in the fast lane.


Sneakyone

Tech Officer
Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

View user profile http://twitter.com/AVerySneakyone

Back to top Go down

Re: Backdoor.Tidserv!inf and Trojan.Zefarch hit

Post by yelljack on Tue 20 Jul 2010, 8:38 am

No, so far it has just identified C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP418\A0071874.sys again from Auto-protect. From the full scan (about 20% completed now), nothing has popped up yet.

yelljack

Newbie Surfer
Newbie Surfer

Posts : 44
Joined : 2008-12-08
Operating System : XP

View user profile

Back to top Go down

Re: Backdoor.Tidserv!inf and Trojan.Zefarch hit

Post by Sneakyone on Tue 20 Jul 2010, 8:47 am

Hi,

Your computer is now clean. Now, time to remove the tools used, and update your computer to prevent vulnerability.

Updating System Restore
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE.


You now have a clean restore point.

To get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do a calculation of temporary/old files, and then display a dialogue box.
  • Select the More Options Tab.
  • At the bottom will be a System Restore box with a CLEANUP button click this
  • Accept the Warning and select OK again, the program will close and you are done.


========

Removing the tools
Now, to remove all of the tools we used and the files and folders they created, please do the following:

Download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.


============

Service Pack upgrade
Please consider upgrading to Windows XP SP3, because it includes all previously released updates. It also includes a small number of new functionalities. Some of the updates that Service Pack 3 provides, you may not have. It is now available via Windows Update.

More info about SP3: [You must be registered and logged in to see this link.]

=====

Update Programs
Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.



Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

========

Here are some prevention tips I have provided:

1. Don't download files from untrusted websites or websites that seem suspious.

2. Don't use torrents they are a good way to get lots of malware.

3. Don't download and use cracks/warez/keygens they are illegal and are another good way to contract malware.

4. Disable autorun XP or Vista/7

5. Always make sure you have the latest Windows updates. windowsupdate.microsoft.com

6. Don't ever click on the links inside of a popup.

7. Make sure you know what you install you can make sure it is not know for being a virus by just simply searching about it on google.

8. Use a Site Advisor so you don't go to sites that will infect you. Mcafee Siteadvisor

9. Also there are many holes and flaws in Internet Explorer I recommend using Firefox 3 to keep you more safe.

10. Always keep your Java and Adobe updated.

11. Don't fall for the Scareware. What is Scareware? it is a website made to download a rogue Antivirus on your system that will scare you into buying their fake software due to false detections.

12. Always have a Firewall and a Antivirus.

Thanks for choosing GeekPolice, see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site. Do you have any more questions?

For more information please visit [You must be registered and logged in to see this link.]


I'm livin' life in the fast lane.


Sneakyone

Tech Officer
Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

View user profile http://twitter.com/AVerySneakyone

Back to top Go down

Re: Backdoor.Tidserv!inf and Trojan.Zefarch hit

Post by yelljack on Tue 20 Jul 2010, 10:06 am

Okay, great. Should I be concerned that the full Symantec scan still identified:
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP418\A0071874.sys
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP419\A0072920.sys
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP419\A0072952.sys
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP420\A0073192.sys

as risks? Is Backdoor.Tidserv!inf not actually a problem?

yelljack

Newbie Surfer
Newbie Surfer

Posts : 44
Joined : 2008-12-08
Operating System : XP

View user profile

Back to top Go down

Re: Backdoor.Tidserv!inf and Trojan.Zefarch hit

Post by Sneakyone on Tue 20 Jul 2010, 10:33 am

Hi,

Those are risks, but they will be removed in my latest post, they are in the system restore points.

Follow the instructions in my latest post and everything will be all good.


I'm livin' life in the fast lane.


Sneakyone

Tech Officer
Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

View user profile http://twitter.com/AVerySneakyone

Back to top Go down

Re: Backdoor.Tidserv!inf and Trojan.Zefarch hit

Post by Sponsored content Today at 6:03 am


Sponsored content


Back to top Go down

View previous topic View next topic Back to top


 
Permissions in this forum:
You cannot reply to topics in this forum