HTTPS Tidserv Request 2


Post by vtflee on Wed 28 Jul 2010, 9:58 am

First topic message reminder:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:53:04 PM, on 7/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\WINDOWS\system32\bcmntray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\anotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Francisco Lee\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.8.0.41\IPSBHO.DLL
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

vtflee

Rookie Surfer

Posts : 61
Joined : 2008-11-27
Operating System : Windows XP Media Center



Re: HTTPS Tidserv Request 2

Post by vtflee on Thu 12 Aug 2010, 12:45 pm

ComboFix 10-08-11.04 - Francisco Lee 08/11/2010 21:31:13.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.520 [GMT -4:00]
Running from: c:\documents and settings\Francisco Lee\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Francisco Lee\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\dmio.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-07-12 to 2010-08-12 )))))))))))))))))))))))))))))))
.

2010-08-06 21:35 . 2010-08-06 21:35 -------- d-----w- c:\program files\7-Zip
2010-07-31 01:26 . 2010-07-31 01:26 -------- d-----w- C:\found.004
2010-07-24 15:49 . 2010-07-24 15:49 54632 ----a-w- c:\documents and settings\Francisco Lee\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-24 15:35 . 2010-07-24 15:34 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-24 15:23 . 2010-07-24 15:23 -------- d-----w- C:\found.003
2010-07-23 14:10 . 2010-07-23 14:10 -------- d-----w- C:\found.002
2010-07-23 04:55 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-07-23 04:55 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-07-23 04:55 . 2009-05-11 16:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-07-23 04:55 . 2009-05-11 16:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-07-23 04:55 . 2010-07-23 04:55 -------- d-----w- c:\program files\Avira
2010-07-23 04:55 . 2010-07-23 04:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-07-22 18:09 . 2010-07-22 18:09 -------- d-----w- C:\found.001
2010-07-22 14:59 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-22 14:59 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-22 14:58 . 2010-07-22 14:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-22 00:45 . 2010-07-22 00:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-22 00:29 . 2010-07-22 00:29 -------- d-----w- C:\found.000
2010-07-20 23:16 . 2010-07-20 23:16 -------- d-----w- c:\documents and settings\Francisco Lee\Application Data\80549D4BAC8408491A18543EEB42DDBD
2010-07-16 21:20 . 2010-07-16 21:20 -------- d-----w- c:\documents and settings\Francisco Lee\Local Settings\Application Data\Unity
2010-07-16 07:00 . 2010-07-16 07:00 -------- d-----w- c:\program files\MSXML 4.0
2010-07-15 05:39 . 2010-07-15 05:41 -------- d-----w- c:\documents and settings\Francisco Lee\Application Data\ooVoo Details
2010-07-15 05:29 . 2010-07-15 05:29 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-07-15 05:29 . 2010-08-12 00:06 -------- d-----w- c:\documents and settings\Francisco Lee\Application Data\skypePM
2010-07-15 05:24 . 2010-08-12 01:06 -------- d-----w- c:\documents and settings\Francisco Lee\Application Data\Skype
2010-07-15 05:22 . 2010-07-15 05:22 -------- d-----w- c:\program files\Common Files\Skype
2010-07-15 05:22 . 2010-07-15 05:23 -------- d-----r- c:\program files\Skype
2010-07-15 05:21 . 2010-07-15 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-07-15 05:07 . 2010-07-15 05:08 -------- d-----w- c:\documents and settings\Francisco Lee\Local Settings\Application Data\Temp
2010-07-15 05:07 . 2010-07-15 05:08 -------- d-----w- c:\documents and settings\Francisco Lee\Local Settings\Application Data\Google
2010-07-15 04:50 . 2008-04-13 18:39 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2010-07-15 04:50 . 2008-04-13 18:39 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2010-07-15 04:50 . 2008-04-13 18:46 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
2010-07-15 04:50 . 2008-04-13 18:46 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2010-07-15 04:50 . 2008-04-13 18:46 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
2010-07-15 04:50 . 2008-04-13 18:46 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2010-07-15 04:50 . 2008-04-13 18:46 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
2010-07-15 04:50 . 2008-04-13 18:46 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
2010-07-15 04:50 . 2008-04-13 18:46 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-07-15 04:50 . 2008-04-13 18:46 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
2010-07-15 04:49 . 2008-04-13 18:46 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
2010-07-15 04:49 . 2008-04-13 18:46 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
2010-07-15 04:49 . 2008-04-13 18:46 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
2010-07-15 04:49 . 2008-04-13 18:46 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
2010-07-15 04:48 . 2008-04-14 00:12 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2010-07-15 04:48 . 2008-04-14 00:12 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2010-07-15 04:30 . 2010-07-15 04:30 10134 ----a-r- c:\documents and settings\Francisco Lee\Application Data\Microsoft\Installer\{BEF726DD-4037-4214-8C6A-E625C02D2870}\ARPPRODUCTICON.exe
2010-07-15 04:29 . 2010-07-15 04:29 10134 ----a-r- c:\documents and settings\Francisco Lee\Application Data\Microsoft\Installer\{35725FBC-A136-4A46-9F29-091759D9BB93}\ARPPRODUCTICON.exe
2010-07-15 04:29 . 2010-07-15 04:29 10134 ----a-r- c:\documents and settings\Francisco Lee\Application Data\Microsoft\Installer\{EA516024-D84D-41F1-814F-83175A6188F2}\ARPPRODUCTICON.exe
2010-07-15 04:28 . 2007-02-03 14:32 1939360 ----a-w- c:\windows\system32\drivers\lvuvc.sys
2010-07-15 04:28 . 2007-02-03 14:29 264992 ----a-w- c:\windows\system32\lvcodec2.dll
2010-07-15 04:28 . 2003-02-21 08:42 348160 ----a-w- c:\windows\system\msvcr71.dll
2010-07-15 04:28 . 2007-02-03 14:32 527136 ----a-w- c:\windows\system32\LVUI2RC.dll
2010-07-15 04:28 . 2007-02-03 14:32 215840 ----a-w- c:\windows\system32\LVUI2.dll
2010-07-15 04:28 . 2007-02-03 14:30 1507232 ----a-w- c:\windows\system32\drivers\lvpopflt.sys
2010-07-15 04:28 . 2007-02-03 13:01 13398 ----a-w- c:\windows\system32\Repository.reg
2010-07-15 04:28 . 2007-02-03 14:33 22560 ----a-w- c:\windows\system32\drivers\lvuvcflt.sys
2010-07-15 04:28 . 2007-02-03 14:32 41504 ----a-w- c:\windows\system32\drivers\LVUSBSta.sys
2010-07-15 04:28 . 2007-02-03 14:29 129824 ----a-w- c:\windows\system32\lvci1051.dll
2010-07-15 04:26 . 2010-07-15 04:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2010-07-15 04:26 . 2010-07-15 04:48 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-07-15 04:21 . 2010-07-15 04:26 -------- d-----w- c:\program files\Logitech
2010-07-15 03:46 . 2010-07-15 03:46 -------- d-----w- c:\documents and settings\Francisco Lee\Local Settings\Application Data\LogiShrd
2010-07-15 03:45 . 2010-07-15 03:45 -------- d-----w- c:\documents and settings\Francisco Lee\Application Data\Leadertech
2010-07-15 03:41 . 2010-07-15 03:41 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2010-07-15 03:23 . 2008-04-13 18:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-07-15 03:23 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-07-15 03:23 . 2010-01-21 15:46 441168 ----a-w- c:\documents and settings\Francisco Lee\Application Data\Mozilla\Firefox\Profiles\e59ng5xf.default\extensions\DeviceDetection@logitech.com\plugins\npLogitechDeviceDetection.dll
2010-07-14 11:51 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-12 01:05 . 2009-03-23 16:38 117760 ----a-w- c:\documents and settings\Francisco Lee\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-12 01:00 . 2010-07-15 04:49 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-07-22 15:00 . 2009-03-07 03:22 -------- d-----w- c:\documents and settings\Francisco Lee\Application Data\Malwarebytes
2010-07-22 00:44 . 2007-03-29 06:30 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-21 18:07 . 2010-03-09 04:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-21 18:06 . 2010-03-09 04:10 -------- d-----w- c:\program files\SpywareBlaster
2010-07-15 04:27 . 2006-06-05 19:35 -------- d-----w- c:\program files\Common Files\InstallShield
2010-06-14 14:31 . 2006-06-05 18:46 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-11 20:51 . 2010-06-11 20:51 3055600 ----a-w- c:\documents and settings\Francisco Lee\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 20:36 . 2010-06-11 20:36 275952 ----a-w- c:\documents and settings\Francisco Lee\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-05-24 05:41 . 2010-05-24 05:41 503808 ----a-w- c:\documents and settings\Francisco Lee\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5d605c38-n\msvcp71.dll
2010-05-24 05:41 . 2010-05-24 05:41 499712 ----a-w- c:\documents and settings\Francisco Lee\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5d605c38-n\jmc.dll
2010-05-24 05:41 . 2010-05-24 05:41 348160 ----a-w- c:\documents and settings\Francisco Lee\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5d605c38-n\msvcr71.dll
2010-05-24 05:41 . 2010-05-24 05:41 61440 ----a-w- c:\documents and settings\Francisco Lee\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-39e02bdd-n\decora-sse.dll
2010-05-24 05:41 . 2010-05-24 05:41 12800 ----a-w- c:\documents and settings\Francisco Lee\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-39e02bdd-n\decora-d3d.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-29 1830128]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Google Update"="c:\documents and settings\Francisco Lee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-07-15 136176]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\bcmntray" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-03-12 3067904]
"nwiz"="nwiz.exe" [2004-03-12 753664]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 69632]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-01-13 757760]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-01-09 253952]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-11-29 583048]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-29 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 488984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 774168]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 15:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Francisco Lee\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/2/2010 8:23 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [2/2/2010 8:23 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [2/2/2010 8:23 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100809.001\IDSXpx86.sys [8/11/2010 9:16 PM 331640]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2009 11:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2/2/2010 8:22 PM 117640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/15/2009 11:42 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/30/2010 7:35 PM 102448]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/23/2010 12:55 AM 135336]
S3 EraserUtilDrv10615;EraserUtilDrv10615;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10615.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10615.sys [?]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [1/12/2010 9:01 PM 14424]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/30/2007 4:40 PM 646392]
.
Contents of the 'Scheduled Tasks' folder

2010-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-117609710-1801674531-1003Core.job
- c:\documents and settings\Francisco Lee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-15 05:07]

2010-08-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-117609710-1801674531-1003UA.job
- c:\documents and settings\Francisco Lee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-15 05:07]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: { - c:\documents and settings\All Users\Start Menu\Programs\absoƖute Poker\absoƖute Poker.lnk
FF - ProfilePath - c:\documents and settings\Francisco Lee\Application Data\Mozilla\Firefox\Profiles\e59ng5xf.default\
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\Francisco Lee\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Francisco Lee\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Francisco Lee\Application Data\Mozilla\Firefox\Profiles\e59ng5xf.default\extensions\DeviceDetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\documents and settings\Francisco Lee\Application Data\Mozilla\Firefox\Profiles\e59ng5xf.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\Francisco Lee\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Francisco Lee\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Francisco Lee\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\Francisco Lee\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-08-11 21:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]
"ImagePath"=""c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe" /s "N360" /m "c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,77,f8,99,60,9b,06,87,47,b3,fa,bc,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,77,f8,99,60,9b,06,87,47,b3,fa,bc,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1228)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(884)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-08-11 21:43:22
ComboFix-quarantined-files.txt 2010-08-12 01:43
ComboFix2.txt 2010-08-01 00:04
ComboFix3.txt 2010-07-31 02:13

Pre-Run: 12,402,245,632 bytes free
Post-Run: 12,385,980,416 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - AA3AA7D7C81DCFA5E20344A584F3578D

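The line that matters in that ComboFix output is "Infected copy of c:\windows\system32\drivers\dmio.sys was found and disinfected". Tidserv (TDSS) installs itself by patching a legitimate system driver in place, so the file keeps its name and often its size; the drivers/dllcache pairs of identical size listed above are therefore not on their own reassuring, and only a content comparison tells them apart. The script below, added here as an example and not part of the thread or of ComboFix, hashes every .sys in a drivers directory against the same-named copy in a dllcache directory and reports the ones that differ. It builds a toy directory tree so it runs offline; the real paths are given in the note after it. Assumptions: the dllcache copy is clean, and the scan is run from a clean boot environment (an active TDSS rootkit filters disk reads to hide the patched driver, so a comparison run from inside the infected OS can report a match for an infected file).

```python
"""Compare system32\\drivers\\*.sys against the Windows File Protection copies
in system32\\dllcache and report content mismatches.

Added example, not part of the original thread or of ComboFix. Assumes the
dllcache copy is clean and that the scan runs from a clean boot environment.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 (drivers can be a few MB)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_drivers(drivers_dir, dllcache_dir):
    """Return {driver name: 'match' | 'MISMATCH' | 'no-reference'}.

    Names are matched case-insensitively (the log lists slip.sys in dllcache
    next to SLIP.sys in drivers). 'no-reference' means WFP never cached the
    file, which is normal for third-party drivers.
    """
    drivers_dir, dllcache_dir = Path(drivers_dir), Path(dllcache_dir)
    reference = {p.name.lower(): p for p in dllcache_dir.iterdir() if p.is_file()}
    results = {}
    for drv in sorted(drivers_dir.iterdir()):
        if not drv.is_file() or drv.suffix.lower() != ".sys":
            continue
        ref = reference.get(drv.name.lower())
        if ref is None:
            results[drv.name] = "no-reference"
        elif sha256_of(drv) == sha256_of(ref):
            results[drv.name] = "match"
        else:
            results[drv.name] = "MISMATCH"
    return results


def build_sample_tree(root):
    """Construct a toy layout: one clean pair, one same-size tampered driver,
    one third-party driver with no cached copy. Contents are made up."""
    drivers, cache = Path(root) / "drivers", Path(root) / "dllcache"
    drivers.mkdir()
    cache.mkdir()
    clean = b"MZ" + b"\x00" * 100 + b"slip driver body"
    (drivers / "SLIP.sys").write_bytes(clean)
    (cache / "slip.sys").write_bytes(clean)
    # dmio.sys: same length as the cached copy, different bytes, i.e. patched
    good = b"MZ" + b"\x00" * 100 + b"dmio driver body"
    bad = b"MZ" + b"\x00" * 100 + b"dmio XXXXXX body"
    (drivers / "dmio.sys").write_bytes(bad)
    (cache / "dmio.sys").write_bytes(good)
    (drivers / "sptd.sys").write_bytes(b"MZ third-party driver")
    return drivers, cache


def run_demo():
    """Run the comparison over the constructed tree and return its result."""
    with tempfile.TemporaryDirectory() as tmp:
        drivers, cache = build_sample_tree(tmp)
        return compare_drivers(drivers, cache)


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{status:13} {name}")
    # Real use (from a clean boot, paths mounted from the suspect disk):
    # compare_drivers(r"X:\WINDOWS\system32\drivers", r"X:\WINDOWS\system32\dllcache")
```

On a real disk, 'no-reference' is expected for sptd.sys, the Symantec N360 drivers and other third-party files that Windows File Protection never cached. A MISMATCH on a Microsoft driver such as dmio.sys is the on-disk shape of this infection and warrants comparing the file against a known-good copy from install media or a service-pack cabinet before trusting either side.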

Re: HTTPS Tidserv Request 2

Post by Belahzur on Fri 13 Aug 2010, 10:33 am

Hmm. Okay then, how is the machine running now?


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre


Re: HTTPS Tidserv Request 2

Post by vtflee on Fri 13 Aug 2010, 1:11 pm

Seems to be running okay. How can I be sure?


Re: HTTPS Tidserv Request 2

Post by Belahzur on Sat 14 Aug 2010, 8:57 am

Still getting re-direct symptoms.





Re: HTTPS Tidserv Request 2

Post by vtflee on Sat 14 Aug 2010, 12:14 pm

I don't think I've come across any redirect symptoms yet, but I just ran a full scan with my SUPERAntiSpyware. It found 2 files infected with Trojan.Agent/Gen-CDesc[Gen]. Then it quarantined and removed the files, but after that happened my Norton popped up and said I was still infected with Backdoor.Tidserv.


Re: HTTPS Tidserv Request 2

Post by Belahzur on Sun 15 Aug 2010, 2:27 am

Hello.
Did SAS say where it found those 2 files? Does Norton say where the problem is too?





Re: HTTPS Tidserv Request 2

Post by vtflee on Mon 16 Aug 2010, 5:48 am

SAS reported these files:

C:\SYSTEM VOLUME INFORMATION\_RESTORE{13C4ADED-8E9C-46C2-A3e7-DA24A6174591}\RP487\A0086903.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13C4ADED-8E9C-46C2-A3e7-DA24A6174591}\RP488\A0087199.SYS

As for Norton, I can't find any log information of where the problem is.

Thanks!


Re: HTTPS Tidserv Request 2

Post by Belahzur on Mon 16 Aug 2010, 11:53 am

Ah okay, nothing serious, just restore points.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Any difference now?





Re: HTTPS Tidserv Request 2

Post by vtflee on Tue 17 Aug 2010, 1:18 pm

Ran SAS again, no problems. However, when I try to open my Mozilla browser, it takes forever to open. But when I unplug my Ethernet cord, it opens right away. Should I be concerned, or is it just my computer?


Re: HTTPS Tidserv Request 2

Post by Belahzur on Thu 19 Aug 2010, 8:42 am

I think it may just be your computer, try upgrading your RAM and closing unnecessary programs.





Re: HTTPS Tidserv Request 2

Post by vtflee on Fri 20 Aug 2010, 11:03 pm

thank you!

