backdoor.tidserv!inf removal


backdoor.tidserv!inf removal

Post by litayoliechi on 20th September 2009, 5:34 am

Hello

I have Symantec Endpoint Corp. edition and it has found this trojan file called Backdoor.Tidserv!inf and it is unable to do anything, clean, delete or quarantine this file. I also have Malwarebytes but it seems to be unable to find this virus. I have even gone to the folder that contains the virus and had Malwarebytes scan that but nothing so far. I have done both of the above in normal and safe mode.

I have read through a few of the other threads about this virus (everyone seems to get it, huh?) but those all seem different.


Hijack Log file

Post by litayoliechi on 20th September 2009, 5:35 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:18 AM, on 9/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\LeeAnna.HIEI\Desktop\winlogon.scr

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - [You must be registered and logged in to see this link.] Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - [You must be registered and logged in to see this link.] Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - [You must be registered and logged in to see this link.] Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - [You must be registered and logged in to see this link.] Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 9378 bytes


Re: backdoor.tidserv!inf removal

Post by Belahzur on 20th September 2009, 9:20 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: backdoor.tidserv!inf removal

Post by litayoliechi on 21st September 2009, 1:48 am

Malwarebytes' Anti-Malware 1.41
Database version: 2834
Windows 5.1.2600 Service Pack 3

9/20/2009 8:35:55 PM
mbam-log-2009-09-20 (20-35-55).txt

Scan type: Quick Scan
Objects scanned: 110338
Time elapsed: 15 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\LeeAnna.HIEI\Desktop\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
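As an added illustration (not part of the thread or of any of the tools used in it), the masquerading pattern MBAM's heuristic caught above, a file named after a core Windows process but sitting on a user's Desktop with a .scr extension, can be checked mechanically against the "Running processes" section of a HijackThis log. The sample log is an excerpt of the one posted earlier in this thread; the lists of system process names and their expected directories are my own assumptions for Windows XP.

```python
from pathlib import PureWindowsPath

# Image names that Windows XP only ever runs from its own system directories.
# Seeing one of these names anywhere else (a Desktop, a temp folder) is a
# classic masquerading indicator. Assumed list, not from any tool on the page.
SYSTEM_PROCESS_NAMES = {
    "smss", "csrss", "winlogon", "services", "lsass", "svchost",
    "spoolsv", "explorer",
}

# Directories where those images legitimately live (assumed for a default
# C:\WINDOWS install; compared case-insensitively).
EXPECTED_DIRS = {
    r"c:\windows",
    r"c:\windows\system32",
}

# Excerpt of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\LeeAnna.HIEI\Desktop\winlogon.scr

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = (omitted)
"""


def parse_running_processes(log_text):
    """Return the image paths listed under the 'Running processes:' header.

    The section ends at the first blank line, which is how HijackThis
    separates it from the R0/R1/O2... entries that follow.
    """
    paths = []
    in_section = False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped.lower().startswith("running processes:"):
            in_section = True
            continue
        if in_section:
            if not stripped:
                break
            paths.append(stripped)
    return paths


def suspicious_entries(paths):
    """Flag running images whose base name mimics a core system process but
    which are either outside the expected system directories or are not a
    plain .exe (a .scr screensaver is a PE executable under another name)."""
    flagged = []
    for p in paths:
        wp = PureWindowsPath(p)
        name = wp.stem.lower()
        parent = str(wp.parent).lower()
        wrong_place = parent not in EXPECTED_DIRS
        wrong_ext = wp.suffix.lower() != ".exe"
        if name in SYSTEM_PROCESS_NAMES and (wrong_place or wrong_ext):
            flagged.append(p)
    return flagged


if __name__ == "__main__":
    for entry in suspicious_entries(parse_running_processes(SAMPLE_LOG)):
        print("masquerading system process name:", entry)
```

The same check applied to the second log in the thread (DDS) would need a different section parser, since DDS lists bare `svchost.exe` entries without a path, which this version would not flag.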


Re: backdoor.tidserv!inf removal

Post by Belahzur on 21st September 2009, 8:26 am

Hello.


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste BOTH LOGS back here.



Re: backdoor.tidserv!inf removal

Post by litayoliechi on 21st September 2009, 1:33 pm

DDS (Ver_09-07-30.01) - NTFSx86
Run by LeeAnna at 8:30:39.43 on Mon 09/21/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.191 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
svchost.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\freecell.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SavUI.exe
C:\Documents and Settings\LeeAnna.HIEI\Temporary Internet Files\Content.IE5\3JKBNQVD\dds[1].scr

============== Pseudo HJT Report ===============

uSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /installquiet /nodetect
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: []
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-5-7 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-5-7 108392]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-5-7 2440120]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-13 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090920.019\NAVENG.SYS [2009-9-20 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090920.019\NAVEX15.SYS [2009-9-20 1323568]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-5-7 23888]

=============== Created Last 30 ================

2009-09-20 12:08 --d----- c:\docume~1\leeann~1.hie\applic~1\HpUpdate
2009-09-20 12:07 --d----- c:\windows\Hewlett-Packard
2009-09-18 23:39 664 a------- c:\windows\system32\d3d9caps.dat
2009-09-18 23:18 --d----- c:\docume~1\leeann~1.hie\applic~1\Malwarebytes
2009-09-18 23:17 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-18 23:17 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-18 23:17 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-18 23:17 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-15 21:37 26,368 a------- c:\windows\system32\dllcache\usbstor.sys
2009-09-14 12:55 268,648 a------- c:\windows\system32\mucltui.dll
2009-09-14 12:55 208,744 a------- c:\windows\system32\muweb.dll
2009-09-14 12:55 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-09-13 18:17 --d----- c:\documents and settings\leeanna.hiei\Tracing
2009-09-13 18:07 --d----- c:\docume~1\leeann~1.hie\applic~1\GrabPro
2009-09-13 18:06 --dsh--- c:\documents and settings\leeanna.hiei\IECompatCache
2009-09-13 18:02 --dsh--- c:\documents and settings\leeanna.hiei\PrivacIE
2009-09-13 18:00 --dsh--- c:\documents and settings\leeanna.hiei\IETldCache
2009-09-13 17:54 100,352 -------- c:\windows\system32\dllcache\iecompat.dll
2009-09-13 17:53 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-09-13 17:53 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-09-13 17:53 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-09-13 17:53 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-13 17:53 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-09-13 17:53 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-09-13 17:40 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-13 17:40 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2009-09-13 17:40 10,563 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-09-13 17:40 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-09-13 17:27 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2009-09-13 17:27 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-09-13 17:27 203,136 -------- c:\windows\system32\dllcache\rmcast.sys
2009-09-13 17:27 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-09-13 17:27 333,952 -------- c:\windows\system32\dllcache\srv.sys
2009-09-13 17:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-09-13 17:27 691,712 -------- c:\windows\system32\dllcache\inetcomm.dll
2009-09-13 17:26 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2009-09-13 17:26 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2009-09-13 17:26 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-09-13 17:26 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-09-13 17:26 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-09-13 17:22 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-13 17:22 54,272 -------- c:\windows\system32\dllcache\wdigest.dll
2009-09-13 17:22 301,568 -------- c:\windows\system32\dllcache\kerberos.dll
2009-09-13 17:22 92,928 -------- c:\windows\system32\dllcache\ksecdd.sys
2009-09-13 17:11 --d----- c:\windows\system32\scripting
2009-09-13 17:11 --d----- c:\windows\system32\en
2009-09-13 17:11 --d----- c:\windows\system32\bits
2009-09-13 17:01 33,792 -------- c:\windows\system32\mmcperf.exe
2009-09-13 16:55 138,496 -------- c:\windows\system32\dllcache\afd.sys
2009-09-13 16:55 331,776 -------- c:\windows\system32\dllcache\msadce.dll
2009-09-13 16:54 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2009-09-13 16:54 153,088 -------- c:\windows\system32\dllcache\triedit.dll
2009-09-13 16:54 --d----- c:\windows\system32\PreInstall
2009-09-13 16:51 --ds---- c:\documents and settings\leeanna.hiei\UserData
2009-09-13 16:51 --d----- c:\windows\system32\SoftwareDistribution
2009-09-13 11:10 --dsh--- c:\documents and settings\leeanna.hiei\Temporary Internet Files
2009-09-13 11:10 --dsh--- c:\documents and settings\leeanna.hiei\History
2009-09-13 11:09 1,728 a--shr-- c:\windows\system32\drivers\103C_HP_NTBK_HP Pavilion dv9000 (EZ456UA#ABA)_YN_0Pavi_QCNF6444FMR_E432250001_46_I30B9_SQuanta_V65.2C_BF.41_T081126_WXP2_L409_M959_J120_7AMD_8Turion 64 X2 Technology TL-50_91.61_#081208_N14E44312_(EZ456UA#ABA).MRK
2009-09-13 11:08 --d----- c:\docume~1\leeann~1.hie\applic~1\Intuit
2009-09-13 11:08 --d----- c:\documents and settings\LeeAnna.HIEI
2009-09-13 11:04 185,344 a------- c:\windows\system32\Thawbrkr.dll
2009-09-13 11:04 10,752 a------- c:\windows\system32\c_iscii.dll
2009-09-13 11:04 5,632 a------- c:\windows\system32\kbdusa.dll
2009-09-13 11:04 66,594 a------- c:\windows\system32\c_864.nls
2009-09-13 11:04 66,594 a------- c:\windows\system32\c_862.nls
2009-09-13 11:04 66,594 a------- c:\windows\system32\c_720.nls
2009-09-13 11:04 66,082 a------- c:\windows\system32\c_708.nls
2009-09-13 11:04 66,082 a------- c:\windows\system32\C_28596.NLS
2009-09-13 11:04 66,082 a------- c:\windows\system32\c_10021.nls
2009-09-13 11:04 66,082 a------- c:\windows\system32\c_10005.nls
2009-09-13 11:04 66,082 a------- c:\windows\system32\c_10004.nls
2009-09-13 11:04 6,144 a------- c:\windows\system32\ftlx041e.dll
2009-09-13 08:37 16,254 a------- c:\windows\system32\PINTLPAE.HLP
2009-09-13 08:27 --d----- c:\windows\system32\appmgmt

==================== Find3M ====================

2009-09-13 17:15 92,819 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-28 23:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-28 23:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-28 23:37 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-07-28 23:37 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-07-26 16:44 48,448 a------- c:\windows\system32\sirenacm.dll
2009-07-19 08:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 11:05 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 14:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-03 12:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 12:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 12:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 12:09 206,848 -------- c:\windows\system32\dllcache\occache.dll
2009-07-03 12:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 12:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 12:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 06:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-25 03:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 03:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 03:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 03:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-25 03:25 730,112 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-25 03:25 147,456 -------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 03:25 56,832 -------- c:\windows\system32\dllcache\secur32.dll

============= FINISH: 8:31:10.48 ===============


Re: backdoor.tidserv!inf removal

Post by litayoliechi on 21st September 2009, 1:36 pm

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/13/2009 11:07:13 AM
System Uptime: 9/21/2009 3:31:32 AM (5 hours ago)

Motherboard: Quanta | | 30B9
Processor: AMD Turion(tm) 64 X2 Mobile Technology TL-50 | Socket S1 | 1607/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 102 GiB total, 50.053 GiB free.
D: is FIXED (FAT32) - 10 GiB total, 0.904 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 9/13/2009 11:07:21 AM - System Checkpoint
RP2: 9/13/2009 11:11:49 AM - Installed Vongo
RP3: 9/13/2009 8:24:28 AM - Configured easy Internet sign-up
RP4: 9/13/2009 8:27:05 AM - Removed Microsoft Office Standard Edition 2003
RP5: 9/13/2009 8:33:17 AM - Removed Office 2003 Trial Assistant
RP6: 9/13/2009 8:33:41 AM - Removed Quicken 2006
RP7: 9/13/2009 8:34:40 AM - Removed TourSetup
RP8: 9/13/2009 8:34:49 AM - Removed Vongo
RP9: 9/13/2009 8:46:25 AM - Installed Symantec Endpoint Protection.
RP10: 9/13/2009 8:56:48 AM - Installed Symantec Endpoint Protection.
RP11: 9/13/2009 4:49:16 PM - Installed Symantec Endpoint Protection.
RP12: 9/13/2009 4:54:19 PM - Software Distribution Service 3.0
RP13: 9/13/2009 5:03:18 PM - Software Distribution Service 3.0
RP14: 9/13/2009 5:18:31 PM - Software Distribution Service 3.0
RP15: 9/13/2009 5:30:52 PM - Software Distribution Service 3.0
RP16: 9/13/2009 6:04:29 PM - Software Distribution Service 3.0
RP17: 9/14/2009 6:06:20 PM - System Checkpoint
RP18: 9/15/2009 8:51:00 AM - Software Distribution Service 3.0
RP19: 9/16/2009 6:41:18 PM - System Checkpoint
RP20: 9/18/2009 5:08:08 PM - System Checkpoint
RP21: 9/20/2009 12:08:10 PM - Removed HPSU306Stub
RP22: 9/20/2009 12:08:16 PM - Removed HP Update
RP23: 9/20/2009 12:08:23 PM - Installed HP Update.

==== Installed Programs ======================


5 Card Slingo from Hewlett-Packard Laptops (remove only)
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.5
AutoUpdate
Bejeweled 2 Deluxe from Hewlett-Packard Laptops (remove only)
Big Kahuna Reef from Hewlett-Packard Laptops (remove only)
Blackhawk Striker 2 from Hewlett-Packard Laptops (remove only)
Blasterball 2 from Hewlett-Packard Laptops (remove only)
Boggle Supreme from Hewlett-Packard Laptops (remove only)
Bookworm Deluxe from Hewlett-Packard Laptops (remove only)
Bounce Symphony from Hewlett-Packard Laptops (remove only)
BufferChm
Chuzzle Deluxe from Hewlett-Packard Laptops (remove only)
Conexant HD Audio
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
Crystal Maze from Hewlett-Packard Laptops (remove only)
CueTour
Customer Experience Enhancement
Destinations
DeviceManagementQFolder
DivX
FATE from Hewlett-Packard Laptops (remove only)
Final Drive Nitro from Hewlett-Packard Laptops (remove only)
Flip Words from Hewlett-Packard Laptops (remove only)
FullDPAppQFolder
GemMaster Mystic
HijackThis 2.0.2
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
HP DVD Play 2.3
HP Game Console and games
HP Help and Support
HP Imaging Device Functions 6.0
HP Photosmart Premier Software 6.0
HP Quick Launch Buttons 6.10 A2
HP Update
HP User Guides 0032
HP Wireless Assistant 2.00 G2
HpSdpAppCoreApp
Insaniquarium Deluxe from Hewlett-Packard Laptops (remove only)
InstantShareDevices
J2SE Runtime Environment 5.0 Update 6
Jewel Quest from Hewlett-Packard Laptops (remove only)
Lemonade Tycoon 2 from Hewlett-Packard Laptops (remove only)
Lexibox Deluxe from Hewlett-Packard Laptops (remove only)
LightScribe 1.4.97.1
LiveUpdate 3.3 (Symantec Corporation)
Macromedia Flash Player 8
Macromedia Shockwave Player
Mah Jong Quest from Hewlett-Packard Laptops (remove only)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Works
MSVCRT
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 5.0
NVIDIA Drivers
Oasis from Hewlett-Packard Laptops (remove only)
Office 2003 Trial Assistant
OptionalContentQFolder
Orbit Downloader
Otto
PhotoGallery
Polar Bowler from Hewlett-Packard Laptops (remove only)
Polar Golfer from Hewlett-Packard Laptops (remove only)
Puzzle Express from Hewlett-Packard Laptops (remove only)
RandMap
SCRABBLE from Hewlett-Packard Laptops (remove only)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Segoe UI
SkinsHP1
Slingo Deluxe from Hewlett-Packard Laptops (remove only)
Slyder from Hewlett-Packard Laptops (remove only)
Snowboard SuperJam
Soft Data Fax Modem with SmartCP
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Sonic_PrimoSDK
SonicAC3Encoder
SonicMPEGEncoder
Super Granny from Hewlett-Packard Laptops (remove only)
Symantec Endpoint Protection
Synaptics Pointing Device Driver
Tradewinds from Hewlett-Packard Laptops (remove only)
Unload
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Media Player 10 (KB910393)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
VLC media player 1.0.1
Vongo
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Connect
Windows Media Format Runtime
Windows XP Media Center Edition 2005 KB912067
Windows XP Media Center Edition 2005 KB915381
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
Wireless Home Network Setup
Zuma Deluxe from Hewlett-Packard Laptops (remove only)

==== Event Viewer Messages From Past Week ========

9/18/2009 11:29:06 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 eeCtrl Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SPBBCDrv SRTSP SRTSPX SYMTDI Tcpip
9/18/2009 11:29:06 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
9/18/2009 11:29:06 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/18/2009 11:29:06 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/18/2009 11:29:06 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
9/18/2009 11:28:21 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
9/18/2009 11:28:17 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

==== End Of File ===========================

Re: backdoor.tidserv!inf removal

Post by Belahzur on 21st September 2009, 2:13 pm

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    J2SE Runtime Environment 5.0 Update 6

How is the machine running now?


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245091
Likes : 1

Re: backdoor.tidserv!inf removal

Post by litayoliechi on 21st September 2009, 3:03 pm

The virus is still there. When I scan with Malwarebytes' Anti-Malware, a pop-up from Symantec comes up telling me that it is still there, but when Malwarebytes is finished, it doesn't find anything.

Re: backdoor.tidserv!inf removal

Post by Belahzur on 21st September 2009, 5:10 pm

Hello.

  • Download combofix from here

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Re: backdoor.tidserv!inf removal

Post by litayoliechi on 21st September 2009, 8:24 pm

ComboFix 09-09-20.04 - LeeAnna 09/21/2009 15:00.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.585 [GMT -5:00]
Running from: c:\documents and settings\LeeAnna.HIEI\Desktop\Combo-Fix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-4201900978-169062202-2389370249-1005
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Installer\12d67c8.msi
c:\windows\Installer\14d0626.msi
c:\windows\Installer\168d84.msi
c:\windows\Installer\1706c9b.msi
c:\windows\Installer\19082a.msi
c:\windows\Installer\19082b.msp
c:\windows\Installer\19082c.msp
c:\windows\Installer\19082d.msp
c:\windows\Installer\19082e.msp
c:\windows\Installer\19082f.msp
c:\windows\Installer\190830.msp
c:\windows\Installer\190831.msp
c:\windows\Installer\190832.msp
c:\windows\Installer\190833.msp
c:\windows\Installer\1e8be2.msi
c:\windows\Installer\1e8be3.msp
c:\windows\Installer\1e8be4.msp
c:\windows\Installer\1e8be5.msp
c:\windows\Installer\1e8be6.msp
c:\windows\Installer\1e8be7.msp
c:\windows\Installer\1e8be8.msp
c:\windows\Installer\1e8be9.msp
c:\windows\Installer\1e8bea.msp
c:\windows\Installer\1e8beb.msp
c:\windows\Installer\1e8bec.msp
c:\windows\Installer\1fae01.msi
c:\windows\Installer\1fae10.msp
c:\windows\Installer\1fae1b.msp
c:\windows\Installer\1fae27.msp
c:\windows\Installer\202fc7.msi
c:\windows\Installer\20b44eb.msi
c:\windows\Installer\20b9ade.msi
c:\windows\Installer\219ee.msi
c:\windows\Installer\219f4.msi
c:\windows\Installer\219fa.msi
c:\windows\Installer\21a01.msi
c:\windows\Installer\21a07.msi
c:\windows\Installer\21a0d.msi
c:\windows\Installer\21a13.msi
c:\windows\Installer\21a19.msi
c:\windows\Installer\21a1f.msi
c:\windows\Installer\21a25.msi
c:\windows\Installer\23ccd.msi
c:\windows\Installer\276c6d84.msi
c:\windows\Installer\2ef8eb4.msi
c:\windows\Installer\2ef8ee0.msp
c:\windows\Installer\2ef8ee6.msi
c:\windows\Installer\37883.msp
c:\windows\Installer\3b201.msp
c:\windows\Installer\3f6e2692.msi
c:\windows\Installer\3f6e269a.msp
c:\windows\Installer\478930.msi
c:\windows\Installer\4865d68.msp
c:\windows\Installer\5fd30.msi
c:\windows\Installer\6b6f7.msp
c:\windows\Installer\6bb37d.msi
c:\windows\Installer\6bb383.msi
c:\windows\Installer\6bb389.msi
c:\windows\Installer\6bb38f.msi
c:\windows\Installer\6bb393.msi
c:\windows\Installer\745c8.msi
c:\windows\Installer\745ce.msi
c:\windows\Installer\745d4.msi
c:\windows\Installer\745da.msi
c:\windows\Installer\745e0.msi
c:\windows\Installer\745e6.msi
c:\windows\Installer\745f3.msi
c:\windows\Installer\745f9.msi
c:\windows\Installer\745ff.msi
c:\windows\Installer\74609.msi
c:\windows\Installer\79d150.msi
c:\windows\Installer\b176d25.msi
c:\windows\Installer\b37d3.msi
c:\windows\Installer\bde9f49.msi
c:\windows\Installer\dfdf160.msi
c:\windows\Installer\dfdf167.msp
c:\windows\kb913800.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-08-21 to 2009-09-21 )))))))))))))))))))))))))))))))
.

2009-09-20 17:08 . 2009-09-20 17:27 -------- d-----w- c:\documents and settings\LeeAnna.HIEI\Application Data\HpUpdate
2009-09-20 17:07 . 2009-09-20 17:07 -------- d-----w- c:\windows\Hewlett-Packard
2009-09-19 04:39 . 2009-09-19 11:29 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-19 04:18 . 2009-09-19 04:18 -------- d-----w- c:\documents and settings\LeeAnna.HIEI\Application Data\Malwarebytes
2009-09-19 04:17 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-19 04:17 . 2009-09-21 01:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-19 04:17 . 2009-09-19 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-19 04:17 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-16 02:37 . 2008-04-13 18:45 26368 ----a-w- c:\windows\system32\dllcache\usbstor.sys
2009-09-15 04:02 . 2009-09-15 04:02 -------- d-----w- c:\documents and settings\LeeAnna.HIEI\Application Data\AdobeUM
2009-09-15 00:53 . 2009-09-21 01:49 -------- d-----w- c:\documents and settings\LeeAnna.HIEI\Application Data\vlc
2009-09-14 17:55 . 2008-10-16 19:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-14 17:55 . 2008-10-16 19:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-09-14 00:44 . 2009-09-14 00:45 -------- d-----w- c:\documents and settings\LeeAnna.HIEI\Local Settings\Application Data\Adobe
2009-09-13 23:17 . 2009-09-21 01:39 -------- d-----w- c:\documents and settings\LeeAnna.HIEI\Tracing
2009-09-13 23:07 . 2009-09-13 23:07 -------- d-----w- c:\documents and settings\LeeAnna.HIEI\Application Data\GrabPro
2009-09-13 23:06 . 2009-09-13 23:06 -------- d-sh--w- c:\documents and settings\LeeAnna.HIEI\IECompatCache
2009-09-13 23:02 . 2009-09-13 23:02 -------- d-sh--w- c:\documents and settings\LeeAnna.HIEI\PrivacIE
2009-09-13 23:00 . 2009-09-13 23:00 -------- d-sh--w- c:\documents and settings\LeeAnna.HIEI\IETldCache
2009-09-13 22:54 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-09-13 22:53 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-09-13 22:53 . 2009-07-03 17:09 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-13 22:53 . 2009-07-03 17:09 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-13 22:53 . 2009-07-03 17:09 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-09-13 22:53 . 2009-07-19 23:48 11067392 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-09-13 22:53 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-13 22:44 . 2009-09-13 22:44 -------- d-----w- c:\documents and settings\LeeAnna.HIEI\Local Settings\Application Data\Symantec
2009-09-13 22:40 . 2009-09-13 22:41 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-09-13 22:40 . 2009-09-13 22:41 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-13 22:27 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2009-09-13 22:27 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2009-09-13 22:27 . 2008-10-24 11:21 455296 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-09-13 22:27 . 2008-12-11 10:57 333952 ------w- c:\windows\system32\dllcache\srv.sys
2009-09-13 22:27 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-09-13 22:27 . 2008-04-11 19:04 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll
2009-09-13 22:26 . 2008-10-03 10:02 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-09-13 22:26 . 2008-09-04 17:15 1106944 ------w- c:\windows\system32\dllcache\msxml3.dll
2009-09-13 22:26 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-09-13 22:26 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-09-13 22:22 . 2009-06-25 08:25 54272 ------w- c:\windows\system32\dllcache\wdigest.dll
2009-09-13 22:22 . 2009-06-25 08:25 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-13 22:22 . 2009-06-25 08:25 301568 ------w- c:\windows\system32\dllcache\kerberos.dll
2009-09-13 22:22 . 2009-06-24 11:18 92928 ------w- c:\windows\system32\dllcache\ksecdd.sys
2009-09-13 22:11 . 2009-09-13 22:11 -------- d-----w- c:\windows\system32\scripting
2009-09-13 22:11 . 2009-09-13 22:11 -------- d-----w- c:\windows\system32\en
2009-09-13 22:11 . 2009-09-13 22:11 -------- d-----w- c:\windows\system32\bits
2009-09-13 22:01 . 2008-04-14 00:12 33792 ------w- c:\windows\system32\mmcperf.exe
2009-09-13 21:55 . 2008-08-14 10:04 138496 ------w- c:\windows\system32\dllcache\afd.sys
2009-09-13 21:55 . 2008-05-01 14:33 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2009-09-13 21:54 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2009-09-13 21:54 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-13 21:51 . 2009-09-13 21:51 -------- d-s---w- c:\documents and settings\LeeAnna.HIEI\UserData
2009-09-13 16:10 . 2009-09-21 01:39 -------- d-----w- c:\documents and settings\LeeAnna.HIEI\Application Data\Orbit
2009-09-13 16:10 . 2009-09-13 23:06 -------- d-sh--w- c:\documents and settings\LeeAnna.HIEI\Temporary Internet Files
2009-09-13 16:10 . 2009-09-13 22:21 -------- d-sh--w- c:\documents and settings\LeeAnna.HIEI\History
2009-09-13 16:04 . 2006-03-16 03:00 5632 ----a-w- c:\windows\system32\kbdusa.dll
2009-09-13 16:04 . 2006-03-16 03:00 185344 ----a-w- c:\windows\system32\Thawbrkr.dll
2009-09-13 16:04 . 2006-03-16 03:00 10752 ----a-w- c:\windows\system32\c_iscii.dll
2009-09-13 16:04 . 2006-03-16 03:00 6144 ----a-w- c:\windows\system32\ftlx041e.dll
2009-09-13 13:52 . 2009-09-13 13:52 -------- d-----w- c:\documents and settings\LeeAnna.HIEI\Local Settings\Application Data\Mozilla
2009-09-13 13:38 . 2006-03-16 03:00 838144 ----a-w- c:\windows\system32\dllcache\chtbrkr.dll
2009-09-13 13:38 . 2006-03-16 03:00 838144 ----a-w- c:\windows\system32\chtbrkr.dll
2009-09-13 13:38 . 2006-03-16 03:00 70656 ----a-w- c:\windows\system32\korwbrkr.dll
2009-09-13 13:38 . 2006-03-16 03:00 70656 ----a-w- c:\windows\system32\dllcache\korwbrkr.dll
2009-09-13 13:38 . 2006-03-16 03:00 1677824 ----a-w- c:\windows\system32\dllcache\chsbrkr.dll
2009-09-13 13:38 . 2006-03-16 03:00 1677824 ----a-w- c:\windows\system32\chsbrkr.dll
2009-09-13 13:38 . 2006-03-16 03:00 98304 ----a-w- c:\windows\system32\msir3jp.dll
2009-09-13 13:38 . 2006-03-16 03:00 98304 ----a-w- c:\windows\system32\dllcache\msir3jp.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-21 14:21 . 2008-12-09 02:55 -------- d-----w- c:\program files\Java
2009-09-16 03:32 . 2008-12-09 03:02 76368 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-13 23:12 . 2008-12-14 12:40 -------- d-----w- c:\program files\Orbitdownloader
2009-09-13 22:44 . 2008-12-09 03:09 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-13 22:41 . 2008-12-09 03:09 -------- d-----w- c:\program files\Symantec
2009-09-13 22:41 . 2009-09-13 22:40 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-09-13 22:41 . 2009-09-13 22:40 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-09-13 22:34 . 2008-12-09 03:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-13 16:11 . 2009-09-13 16:08 135 ----a-w- c:\documents and settings\LeeAnna.HIEI\Local Settings\Application Data\fusioncache.dat
2009-09-13 16:09 . 2009-09-13 16:09 1728 --sha-r- c:\windows\system32\drivers\103C_HP_NTBK_HP Pavilion dv9000 (EZ456UA#ABA)_YN_0Pavi_QCNF6444FMR_E432250001_46_I30B9_SQuanta_V65.2C_BF.41_T081126_WXP2_L409_M959_J120_7AMD_8Turion 64 X2 Technology TL-50_91.61_#081208_N14E44312_(EZ456UA#ABA).MRK
2009-09-13 13:35 . 2008-12-09 03:42 -------- d-----w- c:\program files\Yahoo!
2009-09-13 13:33 . 2008-12-09 03:47 -------- d-----w- c:\program files\Quicken
2009-09-13 08:22 . 2008-12-09 03:46 -------- d-----w- c:\program files\Windows Media Connect 2
2009-09-13 08:15 . 2008-12-09 03:47 -------- d-----w- c:\program files\Quickensetup
2009-09-13 08:15 . 2008-12-09 03:26 -------- d-----w- c:\program files\RGB
2009-09-13 08:13 . 2008-12-09 03:44 -------- d-----w- c:\program files\music_now
2009-09-13 08:13 . 2008-12-09 03:27 -------- d-----w- c:\program files\Microsoft Works
2009-09-13 08:12 . 2008-12-09 03:46 -------- d-----w- c:\program files\Microsoft Office Trial Wizard
2009-09-13 08:09 . 2008-12-09 03:23 -------- d-----w- c:\program files\GemMaster
2009-09-13 08:09 . 2008-12-09 03:23 -------- d-----w- c:\program files\EnglishOtto
2009-09-13 08:09 . 2008-12-09 03:45 -------- d-----w- c:\program files\DivX
2009-09-13 08:09 . 2008-12-09 02:55 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-09-13 08:09 . 2008-12-09 02:55 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-09-13 08:08 . 2008-12-09 03:50 -------- d-----w- c:\program files\Common Files\LightScribe
2009-09-13 08:00 . 2008-12-09 02:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-09-13 08:00 . 2008-12-09 03:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Symantec
2009-09-13 05:56 . 2009-01-06 17:48 -------- d-----w- c:\documents and settings\LeeAnna\Application Data\DNA
2009-09-13 05:36 . 2008-12-14 12:21 -------- d-----w- c:\documents and settings\LeeAnna\Application Data\Skype
2009-09-13 05:05 . 2008-12-14 12:22 -------- d-----w- c:\documents and settings\LeeAnna\Application Data\skypePM
2009-09-12 02:15 . 2008-12-11 02:29 9448 ------w- c:\documents and settings\LeeAnna\Application Data\wklnhst.dat
2009-09-09 13:35 . 2008-12-14 12:40 -------- d-----w- c:\documents and settings\LeeAnna\Application Data\Orbit
2009-09-09 13:34 . 2009-01-06 17:48 -------- d-----w- c:\program files\DNA
2009-09-09 13:31 . 2009-01-09 10:19 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 14:25 . 2009-07-12 15:17 5029888 ---h--w- c:\documents and settings\LeeAnna\ntuser.tmp
2009-08-05 09:01 . 2006-03-16 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2005-10-18 12:14 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2005-10-18 12:14 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-26 21:44 . 2009-07-26 21:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-17 19:01 . 2006-03-16 11:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 15:08 . 2006-03-16 11:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2006-03-16 11:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2006-03-16 11:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2006-03-16 11:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2006-03-16 11:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2006-03-16 11:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2006-03-16 11:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2006-03-16 11:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2006-03-16 11:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-01-27 01:34 . 2009-01-27 01:34 1044480 -c----w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 -c----w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [1857-01-01 7585792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [1857-01-01 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 761946]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-12 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-12 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-12 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-31 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-03-16 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2006-03-16 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-03-16 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-16 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-16 455168]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-05-07 115560]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [1857-01-01 1617920]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2008-12-14 1719568]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/13/2009 5:49 PM 102448]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/7/2009 9:57 AM 23888]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-21 c:\windows\Tasks\User_Feed_Synchronization-{937F740B-1F1F-4021-8E10-42D4D1B2ABC9}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-Symantec Antvirus
AddRemove-HijackThis - c:\documents and settings\LeeAnna.HIEI\Desktop\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-21 15:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2009-09-21 15:21
ComboFix-quarantined-files.txt 2009-09-21 20:21

Pre-Run: 53,745,467,392 bytes free
Post-Run: 57,712,513,024 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

336 --- E O F --- 2009-09-15 13:52


Re: backdoor.tidserv!inf removal

Post by Belahzur on 22nd September 2009, 12:47 am

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?


Please PM me if I fail to respond within 24hrs.



Re: backdoor.tidserv!inf removal

Post by litayoliechi on 22nd September 2009, 5:24 am

Windows can't find Combofix /u. For some reason Combofix is gone off of my computer...it just disappeared.


Re: backdoor.tidserv!inf removal

Post by Belahzur on 22nd September 2009, 7:36 pm

It's okay, just delete this folder.

C:\Qoobox



Re: backdoor.tidserv!inf removal

Post by litayoliechi on 22nd September 2009, 9:51 pm

That file doesn't exist.


Re: backdoor.tidserv!inf removal

Post by Belahzur on 23rd September 2009, 12:48 am

Okay, this should be fine anyhow.



Re: backdoor.tidserv!inf removal

Post by litayoliechi on 23rd September 2009, 3:21 am

Awesome! Thank you so much! Thank You! Hooray!
