HTTPS Tidserv Request 2


Re: HTTPS Tidserv Request 2

Post by vtflee on 12th August 2010, 1:45 am

ComboFix 10-08-11.04 - Francisco Lee 08/11/2010 21:31:13.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.520 [GMT -4:00]
Running from: c:\documents and settings\Francisco Lee\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Francisco Lee\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\dmio.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-07-12 to 2010-08-12 )))))))))))))))))))))))))))))))
.

2010-08-06 21:35 . 2010-08-06 21:35 -------- d-----w- c:\program files\7-Zip
2010-07-31 01:26 . 2010-07-31 01:26 -------- d-----w- C:\found.004
2010-07-24 15:49 . 2010-07-24 15:49 54632 ----a-w- c:\documents and settings\Francisco Lee\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-24 15:35 . 2010-07-24 15:34 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-24 15:23 . 2010-07-24 15:23 -------- d-----w- C:\found.003
2010-07-23 14:10 . 2010-07-23 14:10 -------- d-----w- C:\found.002
2010-07-23 04:55 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-07-23 04:55 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-07-23 04:55 . 2009-05-11 16:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-07-23 04:55 . 2009-05-11 16:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-07-23 04:55 . 2010-07-23 04:55 -------- d-----w- c:\program files\Avira
2010-07-23 04:55 . 2010-07-23 04:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-07-22 18:09 . 2010-07-22 18:09 -------- d-----w- C:\found.001
2010-07-22 14:59 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-22 14:59 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-22 14:58 . 2010-07-22 14:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-22 00:45 . 2010-07-22 00:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-22 00:29 . 2010-07-22 00:29 -------- d-----w- C:\found.000
2010-07-20 23:16 . 2010-07-20 23:16 -------- d-----w- c:\documents and settings\Francisco Lee\Application Data\80549D4BAC8408491A18543EEB42DDBD
2010-07-16 21:20 . 2010-07-16 21:20 -------- d-----w- c:\documents and settings\Francisco Lee\Local Settings\Application Data\Unity
2010-07-16 07:00 . 2010-07-16 07:00 -------- d-----w- c:\program files\MSXML 4.0
2010-07-15 05:39 . 2010-07-15 05:41 -------- d-----w- c:\documents and settings\Francisco Lee\Application Data\ooVoo Details
2010-07-15 05:29 . 2010-07-15 05:29 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-07-15 05:29 . 2010-08-12 00:06 -------- d-----w- c:\documents and settings\Francisco Lee\Application Data\skypePM
2010-07-15 05:24 . 2010-08-12 01:06 -------- d-----w- c:\documents and settings\Francisco Lee\Application Data\Skype
2010-07-15 05:22 . 2010-07-15 05:22 -------- d-----w- c:\program files\Common Files\Skype
2010-07-15 05:22 . 2010-07-15 05:23 -------- d-----r- c:\program files\Skype
2010-07-15 05:21 . 2010-07-15 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-07-15 05:07 . 2010-07-15 05:08 -------- d-----w- c:\documents and settings\Francisco Lee\Local Settings\Application Data\Temp
2010-07-15 05:07 . 2010-07-15 05:08 -------- d-----w- c:\documents and settings\Francisco Lee\Local Settings\Application Data\Google
2010-07-15 04:50 . 2008-04-13 18:39 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2010-07-15 04:50 . 2008-04-13 18:39 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2010-07-15 04:50 . 2008-04-13 18:46 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
2010-07-15 04:50 . 2008-04-13 18:46 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2010-07-15 04:50 . 2008-04-13 18:46 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
2010-07-15 04:50 . 2008-04-13 18:46 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2010-07-15 04:50 . 2008-04-13 18:46 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
2010-07-15 04:50 . 2008-04-13 18:46 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
2010-07-15 04:50 . 2008-04-13 18:46 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-07-15 04:50 . 2008-04-13 18:46 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
2010-07-15 04:49 . 2008-04-13 18:46 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
2010-07-15 04:49 . 2008-04-13 18:46 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
2010-07-15 04:49 . 2008-04-13 18:46 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
2010-07-15 04:49 . 2008-04-13 18:46 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
2010-07-15 04:48 . 2008-04-14 00:12 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2010-07-15 04:48 . 2008-04-14 00:12 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2010-07-15 04:30 . 2010-07-15 04:30 10134 ----a-r- c:\documents and settings\Francisco Lee\Application Data\Microsoft\Installer\{BEF726DD-4037-4214-8C6A-E625C02D2870}\ARPPRODUCTICON.exe
2010-07-15 04:29 . 2010-07-15 04:29 10134 ----a-r- c:\documents and settings\Francisco Lee\Application Data\Microsoft\Installer\{35725FBC-A136-4A46-9F29-091759D9BB93}\ARPPRODUCTICON.exe
2010-07-15 04:29 . 2010-07-15 04:29 10134 ----a-r- c:\documents and settings\Francisco Lee\Application Data\Microsoft\Installer\{EA516024-D84D-41F1-814F-83175A6188F2}\ARPPRODUCTICON.exe
2010-07-15 04:28 . 2007-02-03 14:32 1939360 ----a-w- c:\windows\system32\drivers\lvuvc.sys
2010-07-15 04:28 . 2007-02-03 14:29 264992 ----a-w- c:\windows\system32\lvcodec2.dll
2010-07-15 04:28 . 2003-02-21 08:42 348160 ----a-w- c:\windows\system\msvcr71.dll
2010-07-15 04:28 . 2007-02-03 14:32 527136 ----a-w- c:\windows\system32\LVUI2RC.dll
2010-07-15 04:28 . 2007-02-03 14:32 215840 ----a-w- c:\windows\system32\LVUI2.dll
2010-07-15 04:28 . 2007-02-03 14:30 1507232 ----a-w- c:\windows\system32\drivers\lvpopflt.sys
2010-07-15 04:28 . 2007-02-03 13:01 13398 ----a-w- c:\windows\system32\Repository.reg
2010-07-15 04:28 . 2007-02-03 14:33 22560 ----a-w- c:\windows\system32\drivers\lvuvcflt.sys
2010-07-15 04:28 . 2007-02-03 14:32 41504 ----a-w- c:\windows\system32\drivers\LVUSBSta.sys
2010-07-15 04:28 . 2007-02-03 14:29 129824 ----a-w- c:\windows\system32\lvci1051.dll
2010-07-15 04:26 . 2010-07-15 04:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2010-07-15 04:26 . 2010-07-15 04:48 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-07-15 04:21 . 2010-07-15 04:26 -------- d-----w- c:\program files\Logitech
2010-07-15 03:46 . 2010-07-15 03:46 -------- d-----w- c:\documents and settings\Francisco Lee\Local Settings\Application Data\LogiShrd
2010-07-15 03:45 . 2010-07-15 03:45 -------- d-----w- c:\documents and settings\Francisco Lee\Application Data\Leadertech
2010-07-15 03:41 . 2010-07-15 03:41 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2010-07-15 03:23 . 2008-04-13 18:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-07-15 03:23 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-07-15 03:23 . 2010-01-21 15:46 441168 ----a-w- c:\documents and settings\Francisco Lee\Application Data\Mozilla\Firefox\Profiles\e59ng5xf.default\extensions\DeviceDetection@logitech.com\plugins\npLogitechDeviceDetection.dll
2010-07-14 11:51 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-12 01:05 . 2009-03-23 16:38 117760 ----a-w- c:\documents and settings\Francisco Lee\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-12 01:00 . 2010-07-15 04:49 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-07-22 15:00 . 2009-03-07 03:22 -------- d-----w- c:\documents and settings\Francisco Lee\Application Data\Malwarebytes
2010-07-22 00:44 . 2007-03-29 06:30 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-21 18:07 . 2010-03-09 04:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-21 18:06 . 2010-03-09 04:10 -------- d-----w- c:\program files\SpywareBlaster
2010-07-15 04:27 . 2006-06-05 19:35 -------- d-----w- c:\program files\Common Files\InstallShield
2010-06-14 14:31 . 2006-06-05 18:46 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-11 20:51 . 2010-06-11 20:51 3055600 ----a-w- c:\documents and settings\Francisco Lee\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 20:36 . 2010-06-11 20:36 275952 ----a-w- c:\documents and settings\Francisco Lee\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-05-24 05:41 . 2010-05-24 05:41 503808 ----a-w- c:\documents and settings\Francisco Lee\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5d605c38-n\msvcp71.dll
2010-05-24 05:41 . 2010-05-24 05:41 499712 ----a-w- c:\documents and settings\Francisco Lee\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5d605c38-n\jmc.dll
2010-05-24 05:41 . 2010-05-24 05:41 348160 ----a-w- c:\documents and settings\Francisco Lee\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5d605c38-n\msvcr71.dll
2010-05-24 05:41 . 2010-05-24 05:41 61440 ----a-w- c:\documents and settings\Francisco Lee\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-39e02bdd-n\decora-sse.dll
2010-05-24 05:41 . 2010-05-24 05:41 12800 ----a-w- c:\documents and settings\Francisco Lee\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-39e02bdd-n\decora-d3d.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-29 1830128]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Google Update"="c:\documents and settings\Francisco Lee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-07-15 136176]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\bcmntray" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-03-12 3067904]
"nwiz"="nwiz.exe" [2004-03-12 753664]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 69632]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-01-13 757760]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-01-09 253952]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-11-29 583048]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-29 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 488984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 774168]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 15:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Francisco Lee\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/2/2010 8:23 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [2/2/2010 8:23 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [2/2/2010 8:23 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100809.001\IDSXpx86.sys [8/11/2010 9:16 PM 331640]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2009 11:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2/2/2010 8:22 PM 117640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/15/2009 11:42 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/30/2010 7:35 PM 102448]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/23/2010 12:55 AM 135336]
S3 EraserUtilDrv10615;EraserUtilDrv10615;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10615.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10615.sys [?]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [1/12/2010 9:01 PM 14424]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/30/2007 4:40 PM 646392]
.
Contents of the 'Scheduled Tasks' folder

2010-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-117609710-1801674531-1003Core.job
- c:\documents and settings\Francisco Lee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-15 05:07]

2010-08-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-117609710-1801674531-1003UA.job
- c:\documents and settings\Francisco Lee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-15 05:07]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: { - c:\documents and settings\All Users\Start Menu\Programs\absoƖute Poker\absoƖute Poker.lnk
FF - ProfilePath - c:\documents and settings\Francisco Lee\Application Data\Mozilla\Firefox\Profiles\e59ng5xf.default\
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\Francisco Lee\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Francisco Lee\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Francisco Lee\Application Data\Mozilla\Firefox\Profiles\e59ng5xf.default\extensions\DeviceDetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\documents and settings\Francisco Lee\Application Data\Mozilla\Firefox\Profiles\e59ng5xf.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\Francisco Lee\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Francisco Lee\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Francisco Lee\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\Francisco Lee\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-08-11 21:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]
"ImagePath"=""c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe" /s "N360" /m "c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,77,f8,99,60,9b,06,87,47,b3,fa,bc,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,77,f8,99,60,9b,06,87,47,b3,fa,bc,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1228)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(884)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-08-11 21:43:22
ComboFix-quarantined-files.txt 2010-08-12 01:43
ComboFix2.txt 2010-08-01 00:04
ComboFix3.txt 2010-07-31 02:13

Pre-Run: 12,402,245,632 bytes free
Post-Run: 12,385,980,416 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - AA3AA7D7C81DCFA5E20344A584F3578D

vtflee
Intermediate

Posts: 61
Joined: 2008-11-27
OS: Windows XP Media Center
Points: 29823
Likes: 0


Re: HTTPS Tidserv Request 2

Post by Belahzur on 12th August 2010, 11:33 pm

Hmm. Okay then, how is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245079
Likes: 1


Re: HTTPS Tidserv Request 2

Post by vtflee on 13th August 2010, 2:11 am

Seems to be running okay. How can I be sure?


Re: HTTPS Tidserv Request 2

Post by Belahzur on 13th August 2010, 9:57 pm

Still getting re-direct symptoms.





Re: HTTPS Tidserv Request 2

Post by vtflee on 14th August 2010, 1:14 am

I don't think I've come across any redirect symptoms yet, but I just ran a full scan with my SUPERAntiSpyware. It found 2 files infected with Trojan.Agent/Gen-CDesc[Gen]. Then it quarantined and removed the files, but after that happened my Norton popped up and said I was still infected with the Backdoor.Tidserv.


Re: HTTPS Tidserv Request 2

Post by Belahzur on 14th August 2010, 3:27 pm

Hello.
Did SAS say where it found those 2 files? Does Norton say where the problem is too?





Re: HTTPS Tidserv Request 2

Post by vtflee on 15th August 2010, 6:48 pm

SAS reported these files:

C:\SYSTEM VOLUME INFORMATION\_RESTORE{13C4ADED-8E9C-46C2-A3e7-DA24A6174591}\RP487\A0086903.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{13C4ADED-8E9C-46C2-A3e7-DA24A6174591}\RP488\A0087199.SYS

As for Norton, I can't find any log information of where the problem is.

Thanks!


Re: HTTPS Tidserv Request 2

Post by Belahzur on 16th August 2010, 12:53 am

Ah okay, nothing serious, just restore points.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (to turn on System Restore), and then click OK.

Any difference now?




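The same System Restore flush that Belahzur walks through in the Control Panel above, done from PowerShell via the WMI SystemRestore class so the purged and re-created restore points can be listed before and after. This is an added example, not code from the thread; it assumes an administrator session, PowerShell 2.0 on XP SP3, and that System Restore monitors C:\ (the drive letter and the restore-point description are assumptions).

```powershell
# Added example (not from the thread): flush System Restore on Windows XP from
# PowerShell using the WMI SystemRestore class (namespace root\default), which
# does what the Control Panel steps do. Assumes an administrator session and
# that System Restore monitors the C:\ drive (assumed system drive).

$drive = 'C:\'   # assumed system drive

# List the restore points that currently exist, so the RP### folders flagged
# by the scanner (RP487, RP488 in the thread) can be matched to their
# sequence numbers before they are discarded.
function Get-RestorePoints {
    Get-WmiObject -Namespace 'root\default' -Class SystemRestore |
        Sort-Object SequenceNumber |
        Select-Object SequenceNumber, Description, CreationTime
}

# Turning System Restore off discards every existing restore point, including
# the snapshots that still hold the infected driver copies; turning it back on
# and creating a fresh point leaves a clean baseline to roll back to.
function Reset-SystemRestore {
    param([string]$Drive = 'C:\')

    $sr = [wmiclass]'root\default:SystemRestore'

    Write-Host 'Restore points before reset:'
    Get-RestorePoints | Format-Table -AutoSize

    # Disable(Drive) returns 0 on success; disabling the system drive
    # disables System Restore on all drives and drops all restore points.
    $rc = $sr.Disable($Drive).ReturnValue
    if ($rc -ne 0) { throw "Disable failed with return code $rc" }

    # Enable(Drive, WaitTillEnabled): block until System Restore is active again.
    $rc = $sr.Enable($Drive, $true).ReturnValue
    if ($rc -ne 0) { throw "Enable failed with return code $rc" }

    # CreateRestorePoint(Description, RestorePointType, EventType):
    # 12 = MODIFY_SETTINGS, 100 = BEGIN_SYSTEM_CHANGE. Description is assumed.
    $rc = $sr.CreateRestorePoint('Clean baseline after malware removal', 12, 100).ReturnValue
    if ($rc -ne 0) { throw "CreateRestorePoint failed with return code $rc" }

    Write-Host 'Restore points after reset:'
    Get-RestorePoints | Format-Table -AutoSize
}

Reset-SystemRestore -Drive $drive
```

After the reset only the newly created point should be listed, which is the check that the flagged A0086903.SYS / A0087199.SYS snapshots are gone rather than merely quarantined.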

Re: HTTPS Tidserv Request 2

Post by vtflee on 17th August 2010, 2:18 am

Ran SAS again, no problems. However, when I try to open my Mozilla browser, it takes forever to open. But when I unplug my ethernet cord, it opens right away. Should I be concerned or is it just my computer?


Re: HTTPS Tidserv Request 2

Post by Belahzur on 18th August 2010, 9:42 pm

I think it may just be your computer, try upgrading your RAM and closing unnecessary programs.





Re: HTTPS Tidserv Request 2

Post by vtflee on 20th August 2010, 12:03 pm

Thank you!

