Symantec Endpoint Protection
[SID: 23615] HTTPS Tidserv Request 2 detected.
I have run TDSSKiller, which found and killed:
C:\WINDOWS\system32\DRIVERS\termdd.sys. Real md5: 6dbe0f2d71508f43275b8e95e7e0ee39, Fake md5: 88155247177638048422893737429d9e
16:19:45:531 2420 File "C:\WINDOWS\system32\DRIVERS\termdd.sys" infected by TDSS rootkit ... 16:19:46:953 2420 Backup copy found, using it..
16:19:47:031 2420 will be cured on next reboot
16:19:48:171 2420 Reboot required for cure complete..
16:19:48:234 2420 Cure on reboot scheduled successfully
16:19:48:234 2420
16:19:48:234 2420 Completed
16:19:48:234 2420
16:19:48:234 2420 Results:
16:19:48:234 2420 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:19:48:234 2420 File objects infected / cured / cured on reboot: 1 / 0 / 1
16:19:48:234 2420
16:19:48:234 2420 KLMD(ARK) unloaded successfully
I next ran Combo-Fix; here are the results of the log file. I would appreciate it if someone could take a look and let me know if there are additional steps I need to take.
Thanks
Blake
******************
ComboFix 10-06-23.01 - Jay 06/23/2010 16:42:04.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.429 [GMT -4:00]
Running from: c:\documents and settings\Jay\My Documents\Downloads\Combo-Fix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\Jay\LOCALS~1\Temp\1.wmv
c:\documents and settings\Jay\Favorites\Error Cleaner.url
c:\documents and settings\Jay\Favorites\Privacy Protector.url
c:\documents and settings\Jay\Favorites\Spyware&Malware Protection.url
c:\documents and settings\Jay\Local Settings\Application Data\syssvc.exe
c:\documents and settings\Jay\My Documents\REGEDIT.EXE
c:\documents and settings\Jay\System
c:\documents and settings\Jay\System\win_qs8.jqx
C:\install.exe
C:\LOG13D.tmp
c:\windows\hosts
c:\windows\system32\AutoRun.inf
c:\windows\system32\Settings
c:\windows\system32\Settings\Settings.ini
c:\windows\xpsp1hfm.log
.
((((((((((((((((((((((((( Files Created from 2010-05-23 to 2010-06-23 )))))))))))))))))))))))))))))))
.
2010-06-23 20:28 . 2010-06-23 20:28 -------- d-----w- c:\windows\LastGood
2010-06-22 19:29 . 2010-06-22 19:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-06-22 19:24 . 2010-06-22 19:25 -------- d-----w- c:\documents and settings\Jay\Local Settings\Application Data\Temp
2010-06-22 19:24 . 2010-06-22 19:24 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-06-22 19:23 . 2010-06-22 19:23 -------- d-----w- c:\program files\Common Files\Skype
2010-06-16 14:54 . 2010-06-16 14:54 503808 ----a-w- c:\documents and settings\Jay\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1844a3b7-n\msvcp71.dll
2010-06-16 14:54 . 2010-06-16 14:54 499712 ----a-w- c:\documents and settings\Jay\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1844a3b7-n\jmc.dll
2010-06-16 14:54 . 2010-06-16 14:54 348160 ----a-w- c:\documents and settings\Jay\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1844a3b7-n\msvcr71.dll
2010-06-16 14:54 . 2010-06-16 14:54 61440 ----a-w- c:\documents and settings\Jay\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6e5e7452-n\decora-sse.dll
2010-06-16 14:54 . 2010-06-16 14:54 12800 ----a-w- c:\documents and settings\Jay\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6e5e7452-n\decora-d3d.dll
2010-06-16 14:53 . 2010-06-16 14:53 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-14 15:56 . 2010-06-02 23:59 161920 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2010-06-14 15:53 . 2009-09-17 22:38 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2010-06-14 15:52 . 2010-06-14 15:53 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-14 15:52 . 2010-06-14 15:53 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-09 19:17 . 2010-06-09 19:19 2692662 ----a-w- c:\program files\install_UGRIB.exe
2010-06-07 13:49 . 2010-06-07 13:49 -------- d-----w- c:\program files\Trend Micro
2010-06-07 13:47 . 2010-06-07 13:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sierra Wireless
2010-06-07 13:43 . 2010-06-07 13:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2010-06-05 16:18 . 2010-06-05 16:18 4342088 ----a-w- c:\windows\system32\mfc100.dll
2010-06-05 16:18 . 2010-06-05 16:18 770384 ----a-w- c:\windows\system32\msvcr100.dll
2010-06-05 16:18 . 2010-06-05 16:18 421200 ----a-w- c:\windows\system32\msvcp100.dll
2010-06-05 16:18 . 2010-06-05 16:18 80208 ----a-w- c:\windows\system32\mfcm100.dll
2010-06-05 16:18 . 2010-06-05 16:18 4368720 ----a-w- c:\windows\system32\mfc100u.dll
2010-06-05 16:18 . 2010-06-05 16:18 80720 ----a-w- c:\windows\system32\mfcm100u.dll
2010-05-30 16:06 . 2010-06-22 19:29 439816 ----a-w- c:\documents and settings\Jay\Application Data\Real\Update\setup3.10\setup.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-23 20:53 . 2008-01-14 19:32 -------- d-----w- c:\documents and settings\Jay\Application Data\Skype
2010-06-23 20:23 . 2008-01-12 00:07 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
2010-06-23 20:20 . 2008-09-19 02:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-23 16:29 . 2008-09-19 02:15 -------- d-----w- c:\program files\Google
2010-06-23 12:05 . 2008-01-14 19:56 -------- d-----w- c:\documents and settings\Jay\Application Data\skypePM
2010-06-17 12:31 . 2008-05-15 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Expedition
2010-06-16 14:56 . 2008-01-11 23:57 -------- d-----w- c:\program files\Common Files\Java
2010-06-16 14:53 . 2008-01-11 23:57 -------- d-----w- c:\program files\Java
2010-06-14 15:56 . 2008-01-13 23:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-14 15:54 . 2008-01-13 23:16 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-14 15:53 . 2008-01-13 23:16 -------- d-----w- c:\program files\Symantec
2010-06-14 15:53 . 2010-06-14 15:52 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-14 15:53 . 2010-06-14 15:52 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-09 19:31 . 2008-01-23 01:43 -------- d-----w- c:\program files\GRIB.US
2010-06-07 13:47 . 2010-05-21 20:53 -------- d-----w- c:\documents and settings\All Users\Application Data\AT&T
2010-06-07 13:45 . 2008-08-22 16:01 72168 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-23 00:23 . 2010-05-23 00:23 -------- d-----w- c:\documents and settings\Jay\Application Data\Bytemobile
2010-05-23 00:20 . 2010-05-23 00:20 -------- d-----w- c:\program files\AT&T
2010-05-21 21:04 . 2008-01-12 01:34 72168 ----a-w- c:\documents and settings\Jay\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-21 20:59 . 2009-12-06 20:40 1009000 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-05-21 20:57 . 2010-05-21 20:57 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_cdc_ecm_01007.Wdf
2010-05-21 20:56 . 2010-05-21 20:56 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_dc_enum_01007.Wdf
2010-05-21 20:56 . 2010-05-21 20:56 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-05-21 20:21 . 2009-01-21 18:29 256 ----a-w- c:\windows\system32\pool.bin
2010-05-17 12:36 . 2008-01-25 13:07 121514 ----a-w- c:\windows\HPHins15.dat
2010-04-08 15:56 . 2010-04-08 15:56 666112 ----a-w- c:\documents and settings\Jay\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv306hw-1003220-0-main.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SJelite3Launch"="c:\documents and settings\Jay\Application Data\Transcend\SJelite3\SJelite3Launch.exe" [2008-06-23 176128]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-05-13 26192168]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1040384]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2007-02-02 1116920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-02 163840]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2007-05-23 192512]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-06 872448]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-11-01 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-11-01 1101824]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-06 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-06-08 236016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BlackBerry Desktop Redirector.lnk - c:\program files\Research In Motion\BlackBerry\Redirector.exe [2008-6-20 1319024]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hp\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Jay\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/14/2010 4:00 AM 102448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/11/2008 7:42 PM 41216]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [1/12/2008 12:08 AM 47616]
S3 cdc_ecm;LGE WirelessSA USB NDIS REVD Device Driver;c:\windows\system32\DRIVERS\cdc_ecm.sys --> c:\windows\system32\DRIVERS\cdc_ecm.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/14/2009 12:51 PM 23888]
S3 lgcpo;LGE Configuration Policy Owner Service Install;c:\windows\system32\DRIVERS\lgcpo.sys --> c:\windows\system32\DRIVERS\lgcpo.sys [?]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [5/16/2008 1:41 PM 190080]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [5/16/2008 1:41 PM 148096]
S3 UsbSADDiag;LGE WirelessSA USB Serial01 REVD Device;c:\windows\system32\DRIVERS\lgusbddiag.sys --> c:\windows\system32\DRIVERS\lgusbddiag.sys [?]
S3 USBSADModem;LGE WirelessSA USB REVD Modem;c:\windows\system32\DRIVERS\lgusbdmodem.sys --> c:\windows\system32\DRIVERS\lgusbdmodem.sys [?]
S3 UsbSADObex;LGE WirelessSA USB Serial02 REVD Device;c:\windows\system32\DRIVERS\lgusbdobex.sys --> c:\windows\system32\DRIVERS\lgusbdobex.sys [?]
S3 USBSANDIS;LGE WirelessSA USB NDIS Device Enumerator REVD Service;c:\windows\system32\DRIVERS\dc_enum.sys --> c:\windows\system32\DRIVERS\dc_enum.sys [?]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - KLMDB
*Deregistered* - klmdb
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2010-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2010-06-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-19 14:55]
2010-06-23 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2009-10-13 16:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bloomberg.com/index.html?Intro=intro3
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - c:\documents and settings\Jay\Application Data\Mozilla\Firefox\Profiles\sjjoioua.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.search.selectedengine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.bloomberg.com/index.html?Intro=intro3
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -
Notify-NavLogon - (no file)
SafeBoot-klmdb.sys
SafeBoot-Symantec Antvirus
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1344)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-06-23 16:55:01
ComboFix-quarantined-files.txt 2010-06-23 20:54
Pre-Run: 2,317,946,880 bytes free
Post-Run: 11,080,810,496 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 4096D8602000B81AC30D8FB26834D143