Netbt.sys Help - Logs Attached

[JSG]

Symantec has popped up and told me I have a problem with my Netbt.sys, (Backdoor.Tidserv!inf). I was hit by Antivirus soft sometime last night and thought I had gotten rid of it. Symantec keeps telling me it is going to fix the issue and that I need to restart, but everytime I restart I get the same message. My internet was working OK this morning, but after a restart I can connect to my network, but my IP address is all 0's. I'm assuming this is due to the netbt.sys problem. I am running windows XP with bootcamp fwiw.

Thanks!



mbam-log-2010-06-16 (18-19-32).txt

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4060

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/16/2010 6:19:32 PM
mbam-log-2010-06-16 (18-19-32).txt

Scan type: Quick scan
Objects scanned: 126352
Time elapsed: 8 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

gmer.log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-16 20:05:18
Windows 5.1.2600 Service Pack 3
Running: ybb98vg9.exe; Driver: C:\DOCUME~1\Michael\LOCALS~1\Temp\awtdypog.sys


---- System - GMER 1.0.15 ----

SSDT 89D46310 ZwAlertResumeThread
SSDT 8A5DBCA8 ZwAlertThread
SSDT 8A649C50 ZwAllocateVirtualMemory
SSDT 8A600750 ZwConnectPort
SSDT 89D74280 ZwCreateMutant
SSDT 8A66EE60 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA85FC910]
SSDT 8A7BA460 ZwFreeVirtualMemory
SSDT 89D46218 ZwImpersonateAnonymousToken
SSDT 89D46250 ZwImpersonateThread
SSDT 8A6B6828 ZwMapViewOfSection
SSDT 8A680340 ZwOpenEvent
SSDT 8A286360 ZwOpenProcessToken
SSDT 8A66EA30 ZwOpenThreadToken
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xB8E42880]
SSDT 8A7F9778 ZwResumeThread
SSDT 8A5F7CF8 ZwSetContextThread
SSDT 8A5DB850 ZwSetInformationProcess
SSDT 8A6926E8 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA85FCB60]
SSDT 8A680280 ZwSuspendProcess
SSDT 8A6025E8 ZwSuspendThread
SSDT 8A5F15F8 ZwTerminateProcess
SSDT 8A692270 ZwTerminateThread
SSDT 89F21690 ZwUnmapViewOfSection
SSDT 8A50B918 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C00 8050449C 6 Bytes [10, 63, D4, 89, A8, BC]
.text ntkrnlpa.exe!ZwCallbackReturn + 2DD4 80504670 4 Bytes JMP D4DA8A66

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\BTHUSB \Device\000000a4 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\000000a6 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001f5bde64ff
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001f5bde64ff (not active ControlSet)

---- EOF - GMER 1.0.15 ----

DDS.txt

DDS (Ver_10-03-17.01) - NTFSx86
Run by Michael at 20:05:47.95 on Wed 06/16/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2013.1330 [GMT -7:00]

AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\IRW.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
svchost.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Michael\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:3582
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Aim6]
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Octoshape Streaming Services] "c:\documents and settings\michael\application data\octoshape\octoshape streaming services\OctoshapeClient.exe" -inv:bootrun
uRun: [lhscesuif] c:\documents and settings\michael\local settings\application data\dokdfxdcg\pwuytkl.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [IRW] c:\windows\system32\IRW.exe
mRun: [Apple_KbdMgr] c:\program files\boot camp\KbdMgr.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NACAgentUI] c:\program files\cisco\cisco nac agent\NACAgentUI.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [lhscesuif] c:\documents and settings\michael\local settings\application data\dokdfxdcg\pwuytkl.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michael\applic~1\mozilla\firefox\profiles\y0k9aozg.default\
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\michael\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-06-17 01:17:03 162816 ----a-w- c:\windows\system32\drivers\OLD5.tmp
2010-06-05 01:03:51 0 d-----w- c:\docume~1\michael\applic~1\Octoshape
2010-06-01 08:31:07 0 d-----w- c:\program files\Veoh Networks
2010-05-29 20:07:39 162048 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2010-05-29 20:06:03 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2010-05-29 20:05:34 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-05-29 20:05:33 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-29 20:05:33 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-29 20:05:33 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-29 20:05:07 503808 ----a-w- c:\windows\system32\MSVCP71.DLL
2010-05-29 20:05:07 348160 ----a-w- c:\windows\system32\MSVCR71.DLL
2010-05-28 20:43:28 0 d-----w- c:\program files\PSQLINSTALL

==================== Find3M ====================

2010-05-12 18:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-07 08:09:46 12 ----a-w- c:\docume~1\michael\applic~1\jmkneq.dat
2010-04-29 22:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-01 21:25:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010020120100202\index.dat

============= FINISH: 20:08:08.53 ===============

 

[Broni]

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
   NOTE1. If Combofix asks you to install Recovery Console, please allow it.
   NOTE 2. If Combofix asks you to update the program, always do so.
   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt"

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!