backdoor.tidserv.inf


backdoor.tidserv.inf

Post by lidlkid on 4th May 2010, 3:13 pm

Picked up this spyware. Norton can't remove it. Tried all sorts of anti-malware software and nothing is helping. Ran HijackThis and this is the log.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 16:12:08, on 04/05/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Sony\Marketing Tools\MarketingTools.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\AOL\1243367064\ee\aolsoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kontiki\KHost.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\stewart\AppData\Local\Apps\2.0\02WOZHM7.Q07\XMWWT72P.8R1\curs..tion_eee711038731a406_0004.0000_152ef8e82e8f5a48\CurseClient.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\system32\WerCon.exe
C:\Windows\system32\wermgr.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\AOL 9.0 VR\waol.exe
C:\Program Files\AOL 9.0 VR\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.8.0.41\IPSBHO.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\PROGRA~1\GOOGLE~1\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISBMgr.exe] "C:\Program Files\Sony\ISB Utility\ISBMgr.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MarketingTools] C:\Program Files\Sony\Marketing Tools\MarketingTools.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 5.0\SetHook.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1243367064\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\Windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe -Update -1150595 -"Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618)" -"http://www.freeonlinegames.com/sports-games/street-sesh.html"
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: CurseClientStartup.ccip
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\Windows\system32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{771E7D05-F861-40E3-B1F3-1817A728F593}: NameServer = 93.188.162.39,93.188.161.154
O17 - HKLM\System\CCS\Services\Tcpip\..\{B185A6DE-2A52-4BC6-982C-FCAD65CAFBCB}: NameServer = 93.188.162.39,93.188.161.154
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.39,93.188.161.154
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.39,93.188.161.154
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.9.909.30391 (GoogleDesktopManager-093009-130223) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1ca1b5c4204d2d0) (gupdate1ca1b5c4204d2d0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
O23 - Service: NSUService - Sony Corporation - C:\Program Files\Sony\Network Utility\NSUService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: VAIO Media plus Content Importer (SOHCImp) - Sony Corporation - C:\Program Files\Sony\VAIO Media plus\SOHCImp.exe
O23 - Service: VAIO Media plus Digital Media Server (SOHDms) - Sony Corporation - C:\Program Files\Sony\VAIO Media plus\SOHDms.exe
O23 - Service: VAIO Media plus Device Searcher (SOHDs) - Sony Corporation - C:\Program Files\Sony\VAIO Media plus\SOHDs.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Steam Client Service - Unknown owner - C:\Program Files\Common Files\Steam\SteamService.exe (file missing)
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Content Metadata Intelligent Analyzing Manager (VcmIAlzMgr) - Sony Corporation - C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
O23 - Service: VAIO Content Metadata XML Interface (VcmXmlIfHelper) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
O23 - Service: SAMSUNG WiselinkPro Service (WiselinkPro) - Unknown owner - C:\Program Files\Samsung\SAMSUNG PC Share Manager\WiselinkPro.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 13353 bytes

lidlkid
Novice

Posts : 19
Joined : 2010-05-04
OS : vista
Points : 24403
Likes : 0

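To show how the entries in a log like the one above can be triaged mechanically, here is an added Python example; it is not part of the original post and not HijackThis's own code. It parses HijackThis v2 lines, reports O17 NameServer entries that point at public resolvers outside an allowlist, and lists O2/O3/O23 entries whose file HijackThis could not find. The sample lines are constructed in the shape of the log above; the DNS addresses are the ones that log shows, and the allowlist of trusted resolvers is an assumption the reader fills in with the addresses their ISP or router actually hands out.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 format (same shape as the posted log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
O17 - HKLM\System\CCS\Services\Tcpip\..\{771E7D05-F861-40E3-B1F3-1817A728F593}: NameServer = 93.188.162.39,93.188.161.154
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.39,93.188.161.154
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Steam Client Service - Unknown owner - C:\Program Files\Common Files\Steam\SteamService.exe (file missing)
"""


@dataclass
class HjtEntry:
    section: str  # e.g. "O17"
    body: str     # everything after "O17 - "


ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O17 body: "<registry key>: NameServer = <ip>[,<ip>...]"
O17_RE = re.compile(r"^(?P<key>\S+): NameServer = (?P<servers>.+)$")


def parse_hjt(text: str) -> list[HjtEntry]:
    """Keep only lines that look like HijackThis R/O entries; skip headers and process lists."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(HjtEntry(m["section"], m["body"]))
    return entries


def dns_overrides(entries: list[HjtEntry], trusted: set[str]) -> dict[str, list[str]]:
    """Map each O17 key to the NameServer addresses it sets that are neither
    private (a home router) nor in the trusted allowlist."""
    findings: dict[str, list[str]] = {}
    for e in entries:
        if e.section != "O17":
            continue
        m = O17_RE.match(e.body)
        if not m:
            continue
        suspicious = []
        for raw in m["servers"].split(","):
            raw = raw.strip()
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                continue  # not an address; HijackThis sometimes prints junk here
            if ip.is_private or raw in trusted:
                continue
            suspicious.append(raw)
        if suspicious:
            findings[m["key"]] = suspicious
    return findings


def orphaned_entries(entries: list[HjtEntry]) -> list[HjtEntry]:
    """O2/O3/O23 items whose target file HijackThis could not find on disk."""
    return [
        e for e in entries
        if e.section in {"O2", "O3", "O23"}
        and (e.body.endswith("(no file)") or e.body.endswith("(file missing)"))
    ]


def triage(text: str, trusted=frozenset()) -> dict:
    """One-shot summary of the three entry classes an analyst looks at first."""
    entries = parse_hjt(text)
    return {
        "dns_overrides": dns_overrides(entries, set(trusted)),
        "orphans": [e.body for e in orphaned_entries(entries)],
        "appinit_dlls": [e.body for e in entries if e.section == "O20"],
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(name, value)
```

With an empty allowlist, both O17 keys in the sample are reported with the same two public addresses. A hit here does not by itself prove the resolver is malicious; it says the address is pinned explicitly in the registry (in the log above, on every adapter and in both control sets), which is something the analyst verifies against the ISP's real resolvers rather than assumes. AppInit_DLLs entries are listed because anything there is loaded into every process that links user32.dll, so they deserve a look even when the path belongs to a known vendor.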

Re: backdoor.tidserv.inf

Post by Dr Jay on 4th May 2010, 6:34 pm

Hello, and welcome to GeekPolice.

Please note the following information about the malware forum:
  • Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer.
  • From this point on, please do not make any more changes to your computer, such as installing/uninstalling programs, using special fix tools, deleting files, editing the registry, etc., unless advised by the staff I noted above.
  • Please do not ask for help elsewhere (on this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic where you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply in two days, do one of two things:

    Reply to this topic with the word BUMP, or
    see [You must be registered and logged in to see this link.].

  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.
Scanning with GMER

Note about this tool:
  • This program may freeze. Do not reboot the computer, unless it has been frozen for over 30 minutes.
  • This program may cause a blue screen of death. If it does, do not scan, and then reply to let me know.
  • No matter what is in the log, please post all the information/contents of the log.


Please download the [You must be registered and logged in to see this link.]. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts : 14317
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 303008
Likes : 10


Re: backdoor.tidserv.inf

Post by lidlkid on 5th May 2010, 9:31 am

Downloaded and ran the programme. First attempt: blue screen and crashed. Second attempt: frozen for over an hour. Any other programmes you can suggest?


Re: backdoor.tidserv.inf

Post by Dr Jay on 5th May 2010, 4:42 pm

Please download [You must be registered and logged in to see this link.] and install it. If you already have it, no need to reinstall.

Then, download [You must be registered and logged in to see this link.] and save the setup to your Desktop.

  • Right-click on the RootkitUnhooker setup and mouse-over 7-Zip then click Extract to "RKU***"
  • Once that is done, enter the folder, and double-click on the setup file. Navigate through setup and finish.
  • Once that is done, you will see another folder that was created inside the RKU folder. Enter that folder, and double-click on the randomly named file. (It will be alpha-numeric and have an EXE extension on it.)
  • It will initialize itself and load the scanner. It will also install its driver. Please wait for the interface to begin.
  • Once inside the interface, do not fix anything. Click on the Report tab.
  • Next, click on the Scan button and a popup will show. Make sure all are checked, then click on OK. It will begin scanning. When it gets to the Files tab, it will ask you what drives to scan. Just select C:\ and hit OK.
  • It will finish in about 5 minutes or a little longer depending on how badly infected the system is, or if your security software is enabled.
  • When finished, it will show the report in the Report tab. Please copy all of it, and post it in your next reply. Depending on how large the log is, you may have to use two or three posts to get all the information in.


Dr. Jay (DJ)




Re: backdoor.tidserv.inf

Post by lidlkid on 6th May 2010, 2:28 pm

OK, did that, but the files scan never worked, so I don't know if this report is any use... left it for hours and nothing happened, so I cancelled and moved on to the next scan. Is this any use?

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows Vista
Version 6.0.6001 (Service Pack 1)
Number of processors #2
==============================================
>SSDT State
==============================================
ntkrnlpa.exe-->NtAlertResumeThread, Type: Address change 0x8229796F-->969CB048 [Unknown module filename]
ntkrnlpa.exe-->NtAlertThread, Type: Address change 0x821FCF63-->968FD048 [Unknown module filename]
ntkrnlpa.exe-->NtAllocateVirtualMemory, Type: Address change 0x82234AB8-->969AC6A8 [Unknown module filename]
ntkrnlpa.exe-->NtAlpcConnectPort, Type: Address change 0x821EE18A-->95215050 [Unknown module filename]
ntkrnlpa.exe-->NtAssignProcessToJobObject, Type: Address change 0x821C21C0-->96A021B0 [Unknown module filename]
ntkrnlpa.exe-->NtCreateMutant, Type: Address change 0x82238BC7-->969E13B8 [Unknown module filename]
ntkrnlpa.exe-->NtCreateSymbolicLinkObject, Type: Address change 0x821DB095-->96A083F8 [Unknown module filename]
ntkrnlpa.exe-->NtCreateThread, Type: Address change 0x82295FE4-->96955C28 [Unknown module filename]
ntkrnlpa.exe-->NtDebugActiveProcess, Type: Address change 0x82269564-->96A02E30 [Unknown module filename]
ntkrnlpa.exe-->NtDuplicateObject, Type: Address change 0x821FBE8F-->969AC900 [Unknown module filename]
ntkrnlpa.exe-->NtFreeVirtualMemory, Type: Address change 0x82093D57-->969AC3A8 [Unknown module filename]
ntkrnlpa.exe-->NtImpersonateAnonymousToken, Type: Address change 0x821BD237-->968F3048 [Unknown module filename]
ntkrnlpa.exe-->NtImpersonateThread, Type: Address change 0x821CF92F-->969D2CE8 [Unknown module filename]
ntkrnlpa.exe-->NtLoadDriver, Type: Address change 0x82171AD2-->8F2E42B8 [Unknown module filename]
ntkrnlpa.exe-->NtMapViewOfSection, Type: Address change 0x8222674E-->969AC2C8 [Unknown module filename]
ntkrnlpa.exe-->NtOpenEvent, Type: Address change 0x821E80EB-->969FA4E0 [Unknown module filename]
ntkrnlpa.exe-->NtOpenProcess, Type: Address change 0x82213B14-->96958068 [Unknown module filename]
ntkrnlpa.exe-->NtOpenProcessToken, Type: Address change 0x8220F29D-->9529E110 [Unknown module filename]
ntkrnlpa.exe-->NtOpenSection, Type: Address change 0x8222A7F2-->969E6048 [Unknown module filename]
ntkrnlpa.exe-->NtOpenThread, Type: Address change 0x822041D8-->969ACA10 [Unknown module filename]
ntkrnlpa.exe-->NtProtectVirtualMemory, Type: Address change 0x822388CE-->969915F8 [Unknown module filename]
ntkrnlpa.exe-->NtResumeThread, Type: Address change 0x82203582-->95FBBA70 [Unknown module filename]
ntkrnlpa.exe-->NtSetContextThread, Type: Address change 0x82296CB7-->961826B8 [Unknown module filename]
ntkrnlpa.exe-->NtSetInformationProcess, Type: Address change 0x82236674-->969AEF40 [Unknown module filename]
ntkrnlpa.exe-->NtSetSystemInformation, Type: Address change 0x821F9381-->96A00B78 [Unknown module filename]
ntkrnlpa.exe-->NtSuspendProcess, Type: Address change 0x822978AB-->9695B048 [Unknown module filename]
ntkrnlpa.exe-->NtSuspendThread, Type: Address change 0x822547B8-->969E9D28 [Unknown module filename]
ntkrnlpa.exe-->NtTerminateProcess, Type: Address change 0x821E4F8A-->87B16108 [Unknown module filename]
ntkrnlpa.exe-->NtTerminateThread, Type: Address change 0x82211715-->9694A048 [Unknown module filename]
ntkrnlpa.exe-->NtUnmapViewOfSection, Type: Address change 0x82226DA5-->96787D98 [Unknown module filename]
ntkrnlpa.exe-->NtWriteVirtualMemory, Type: Address change 0x8220FC55-->969AC478 [Unknown module filename]
ntkrnlpa.exe-->NtCreateThreadEx, Type: Address change 0x82203BE0-->96A08908 [Unknown module filename]
==============================================
>Shadow
==============================================
win32k.sys-->NtUserAttachThreadInput, Type: Address change 0x9F5421AA-->86E2F338 [Unknown module filename]
win32k.sys-->NtUserGetAsyncKeyState, Type: Address change 0x9F472CB7-->86E16E98 [Unknown module filename]
win32k.sys-->NtUserGetKeyboardState, Type: Address change 0x9F47CB6D-->86E27FD0 [Unknown module filename]
win32k.sys-->NtUserGetKeyState, Type: Address change 0x9F4DB854-->8F28FAF0 [Unknown module filename]
win32k.sys-->NtUserGetRawInputData, Type: Address change 0x9F55E2B2-->86E29578 [Unknown module filename]
win32k.sys-->NtUserMessageCall, Type: Address change 0x9F4DD80E-->86E26A60 [Unknown module filename]
win32k.sys-->NtUserPostMessage, Type: Address change 0x9F4FCCBC-->86E29160 [Unknown module filename]
win32k.sys-->NtUserPostThreadMessage, Type: Address change 0x9F4D5500-->86E2FF38 [Unknown module filename]
win32k.sys-->NtUserSetWindowsHookEx, Type: Address change 0x9F467348-->86E2F3F8 [Unknown module filename]
win32k.sys-->NtUserSetWinEventHook, Type: Address change 0x9F47AC31-->86E25AC8 [Unknown module filename]
==============================================
>Processes
==============================================
0xA82D2138 [300] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0xA51E2938 [388] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0xB0CBB468 [392] C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe (Sony Corporation, VAIO Entertainment UPnP Client Adapter)
0x96AC8020 [456] C:\Windows\System32\smss.exe (Microsoft Corporation, Windows Session Manager)
0xA51E63E0 [468] C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo, RegMgr Module)
0x8D3D88E8 [592] C:\Windows\System32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0xA82DED90 [600] C:\Program Files\Sony\Network Utility\NSUService.exe (Sony Corporation, VAIO Smart Network)
0x967F87C8 [644] C:\Windows\System32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0xA51FDD90 [648] C:\Program Files\Kontiki\KService.exe (Kontiki Inc., Delivery Manager Service)
0x997E22A8 [652] C:\Windows\System32\wininit.exe (Microsoft Corporation, Windows Start-Up Application)
0xA3201988 [696] C:\Windows\System32\winlogon.exe (Microsoft Corporation, Windows Logon Application)
0xA3203D90 [740] C:\Windows\System32\services.exe (Microsoft Corporation, Services and Controller app)
0xA327ED90 [756] C:\Windows\System32\lsass.exe (Microsoft Corporation, Local Security Authority Process)
0xA32549D0 [772] C:\Windows\System32\lsm.exe (Microsoft Corporation, Local Session Manager Service)
0xAB3C8568 [820] C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co., HP Digital Imaging Monitor)
0xA32F9020 [904] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x84F29998 [940] C:\Windows\System32\wbem\unsecapp.exe (Microsoft Corporation, Sink to receive asynchronous callbacks for WMI client application)
0xADCF0618 [964] C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation, Windows Media Player Network Sharing Service Configuration Application)
0xA32FE5A8 [968] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0xADCC3D90 [1044] C:\Program Files\DivX\DivX Update\DivXUpdate.exe (-, DivX Update)
0xA33AE020 [1072] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0xA500E570 [1156] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0xA33F8618 [1176] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0xA5027940 [1324] C:\Windows\System32\SLsvc.exe (Microsoft Corporation, Microsoft Software Licensing Service)
0xA5040C78 [1376] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0xADD0D020 [1464] C:\Windows\System32\taskeng.exe (Microsoft Corporation, Task Scheduler Engine)
0xA50D1D90 [1496] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0xADCE7360 [1504] C:\Program Files\Kontiki\KHost.exe (Kontiki Inc., Delivery Manager)
0x86BD46B0 [1572] C:\Users\stewart\AppData\Local\Apps\2.0\02WOZHM7.Q07\XMWWT72P.8R1\curs..tion_eee711038731a406_0004.0000_152ef8e82e8f5a48\CurseClient.exe (Curse, Curse Client)
0xADD12020 [1600] C:\Windows\ehome\ehmsas.exe (Microsoft Corporation, Media Center Media Status Aggregator Service)
0xA50F9210 [1744] C:\Windows\System32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
0xA5103B40 [1772] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0xA82AED90 [1948] C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe (Symantec Corporation, Symantec Service Framework)
0xA51A6D90 [1956] C:\Program Files\Common Files\AOL\acs\AOLacsd.exe (AOL LLC, AOL Connectivity Service)
0xB0CD1458 [1980] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0xA51BB020 [2004] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc., Apple Mobile Device Service)
0xA51BEA10 [2028] C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe (Microsoft Corporation, BCM SQL Startup Service)
0x997FC788 [2044] C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc., Bonjour Service)
0xA82EE570 [2072] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0xA82E2708 [2088] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x84C73568 [2272] C:\Windows\System32\dllhost.exe (Microsoft Corporation, COM Surrogate)
0xAB345550 [2380] C:\Windows\ehome\ehtray.exe (Microsoft Corporation, Media Center Tray Applet)
0xB0CF2B88 [2444] C:\Program Files\Sony\VAIO Event Service\VESMgr.exe (Sony Corporation, VAIO Event Service (Service Module))
0xB0CCFAD8 [2580] C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation, SQL Server VSS Writer)
0xADCD9AD8 [2804] C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe (Sony Corporation, VAIO Update)
0xA83F4D90 [2812] C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe (Symantec Corporation, Symantec Service Framework)
0xB0CD79C8 [2844] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0xAB283368 [2892] C:\Windows\System32\dwm.exe (Microsoft Corporation, Desktop Window Manager)
0xAB247020 [2952] C:\Windows\System32\taskeng.exe (Microsoft Corporation, Task Scheduler Engine)
0xAB26A020 [3040] C:\Windows\explorer.exe (Microsoft Corporation, Windows Explorer)
0xAB2CCD90 [3264] C:\Windows\System32\taskeng.exe (Microsoft Corporation, Task Scheduler Engine)
0xADCA5338 [3328] C:\Windows\System32\MustBeRandomlyNamed\nNnrp88i0euc4W.exe (UG North, RKULE, SR2 Normandy)
0x84C5E4A0 [3356] C:\Program Files\Apoint\ApntEx.exe (Alps Electric Co., Ltd., Alps Pointing-device Driver for Windows NT/2000/XP/Vista)
0x850A4B88 [3456] C:\Windows\System32\mobsync.exe (Microsoft Corporation, Microsoft Sync Center)
0xA509ED90 [3492] C:\Windows\System32\rundll32.exe (Microsoft Corporation, Windows host process (Rundll32))
0xAB340658 [3528] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd., Alps Pointing-device Driver)
0x84C9F020 [3640] C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe (AOL LLC, AOL TopSpeed)
0xA5013020 [3648] C:\Program Files\Sony\ISB Utility\ISBMgr.exe (Sony Corporation, -)
0xA83A5D90 [3656] C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation, SQL Browser Service EXE)
0xAB3B5020 [3740] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google, Google Desktop)
0xADC8D020 [3748] C:\Program Files\Sony\Marketing Tools\MarketingTools.exe (Sony NSCE, Marketing Tools)
0xADC12020 [3756] C:\Program Files\Real\RealPlayer\realplay.exe (RealNetworks, Inc., RealPlayer)
0xA50406E0 [3792] C:\Program Files\HP\HP Software Update\hpwuSchd2.exe (Hewlett-Packard, hpwuSchd Application)
0xADDC4D90 [3856] C:\Windows\System32\rundll32.exe (Microsoft Corporation, Windows host process (Rundll32))
0xADCD35D0 [4060] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc., Java(TM) Platform SE binary)
0xADCBF5F8 [4068] C:\Program Files\Common Files\AOL\1243367064\ee\aolsoftware.exe (America Online, Inc., AOL)
0xADCE7D90 [4088] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc., iTunesHelper)
0xB0CF3448 [4148] C:\Windows\System32\SearchIndexer.exe (Microsoft Corporation, Microsoft Windows Search Indexer)
0xAB2CE6C8 [4272] C:\Windows\System32\WUDFHost.exe (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Host Process)
0xB0D196A0 [4280] C:\Windows\System32\drivers\XAudio.exe (Conexant Systems, Inc., Modem Audio Service)
0xB0D2B778 [4384] C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe (Sony Corporation, VAIO Entertainment Database Service)
0xAB2CED90 [4476] C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe (Hewlett-Packard Co., HP CUE Status Root)
0x86EB7D90 [4576] C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe (Sony Corporation, VAIO Entertainment File Import Service)
0xA3237A10 [4688] C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe (Sony Corporation, VAIO Event Service(Service Sub Module))
0x84DEDB00 [4728] C:\Windows\System32\wuauclt.exe (Microsoft Corporation, Windows Update)
0x85C0BA00 [5004] C:\Program Files\AOL 9.0 VR\waol.exe (AOL, LLC., AOL Software)
0x84D6F980 [5024] C:\Windows\System32\wbem\WmiPrvSE.exe (Microsoft Corporation, WMI Provider Host)
0x849CC400 [5072] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe (Sony Corporation, SPM Module)
0xA833BC10 [5188] C:\Program Files\iPod\bin\iPodService.exe (Apple Inc., iPodService Module (32-bit))
0x85D0BD90 [5224] C:\Windows\System32\wercon.exe (Microsoft Corporation, Problem Reports and Solutions)
0x84D37780 [5268] C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation, Windows Media Player Network Sharing Service)
0x86EA8D90 [5296] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0xADC92D90 [5720] C:\Program Files\Apoint\ApMsgFwd.exe (Alps Electric Co., Ltd., ApMsgFwd)
0x84EEA020 [6044] C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe (Hewlett-Packard Co., HP CUE Alert Popup Window Objects)
0x84F1B020 [6100] C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe (Hewlett-Packard, GPCore COM object)
0x84455910 [4] System
0xA5028D90 [1288] C:\Windows\System32\audiodg.exe (Microsoft Corporation, Windows Audio Device Graph Isolation )
==============================================
>Drivers
==============================================
0x8CA04000 C:\Windows\system32\DRIVERS\nvlddmkm.sys 7626752 bytes (NVIDIA Corporation, NVIDIA Compatible Windows Vista Kernel Mode Driver, Version 156.65 )
0x82002000 C:\Windows\system32\ntkrnlpa.exe 3903488 bytes (Microsoft Corporation, NT Kernel & System)
0x82002000 PnpManager 3903488 bytes
0x82002000 RAW 3903488 bytes
0x82002000 WMIxWDM 3903488 bytes
0x8C20B000 C:\Windows\system32\DRIVERS\NETw4v32.sys 2260992 bytes (Intel Corporation, Intel® Wireless WiFi Link Driver)
0x9F430000 Win32k 2105344 bytes
0x9F430000 C:\Windows\System32\win32k.sys 2105344 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x8EE02000 C:\Windows\system32\drivers\RTKVHDA.sys 2027520 bytes (Realtek Semiconductor Corp., Realtek(r) High Definition Audio Function Driver)
0x8FE00000 C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100505.048\NAVEX15.SYS 1318912 bytes (Symantec Corporation, AV Engine)
0x82E06000 C:\Windows\System32\Drivers\Ntfs.sys 1110016 bytes (Microsoft Corporation, NT File System Driver)
0x82C08000 C:\Windows\system32\drivers\ndis.sys 1093632 bytes (Microsoft Corporation, NDIS 6.0 wrapper driver)
0x8F063000 C:\Windows\system32\DRIVERS\HSX_DPV.sys 1060864 bytes (Conexant Systems, Inc., HSF_DP driver)
0x9500F000 C:\Windows\System32\drivers\tcpip.sys 954368 bytes (Microsoft Corporation, TCP/IP Driver)
0x804D1000 C:\Windows\system32\CI.dll 917504 bytes (Microsoft Corporation, Code Integrity Module)
0xA8E05000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x8C451000 C:\Windows\system32\drivers\ti21sony.sys 835584 bytes (Texas Instruments, ti21sony.sys)
0x8260F000 C:\Windows\system32\DRIVERS\iaStor.sys 778240 bytes
0x8F404000 C:\Windows\system32\DRIVERS\HSX_CNXT.sys 737280 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0x8C000000 C:\Windows\system32\drivers\spsys.sys 716800 bytes (Microsoft Corporation, security processor)
0x8D14A000 C:\Windows\System32\drivers\dxgkrnl.sys 651264 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x80604000 C:\Windows\system32\drivers\Wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)
0x95896000 C:\Windows\System32\Drivers\N360\0308000.029\ccHPx86.sys 503808 bytes (Symantec Corporation, Common Client Hash Provider Driver)
0x8278E000 C:\Windows\System32\Drivers\ksecdd.sys 462848 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xA6C0A000 C:\Windows\system32\drivers\HTTP.sys 446464 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x80417000 C:\Windows\system32\mcupdate_GenuineIntel.dll 393216 bytes (Microsoft Corporation, Intel Microcode Update Library)
0x95803000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0x8F166000 C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100429.001\IDSvix86.sys 360448 bytes (Symantec Corporation, IDS Core Driver)
0x8F4C5000 C:\Windows\System32\Drivers\N360\0308000.029\SRTSP.SYS 339968 bytes (Symantec Corporation, Symantec AutoProtect)
0x82735000 C:\Windows\system32\drivers\N360\0308000.029\SYMEFA.SYS 323584 bytes (Symantec Corporation, Symantec Extended File Attributes)
0xA6D79000 C:\Windows\System32\DRIVERS\srv.sys 319488 bytes (Microsoft Corporation, Server driver)
0x80736000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x95194000 C:\Windows\system32\drivers\afd.sys 294912 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x8068D000 C:\Windows\system32\drivers\acpi.sys 286720 bytes (Microsoft Corporation, ACPI Driver for NT)
0x95911000 C:\Windows\System32\Drivers\N360\0308000.029\BHDrvx86.sys 270336 bytes (Symantec Corporation, BASH Driver)
0x80490000 C:\Windows\system32\CLFS.SYS 266240 bytes (Microsoft Corporation, Common Log File System Driver)
0x8C18F000 C:\Windows\system32\DRIVERS\storport.sys 266240 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
0x8C150000 C:\Windows\system32\DRIVERS\yk60x86.sys 258048 bytes (Marvell, NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller)
0x8C0F1000 C:\Windows\system32\DRIVERS\USBPORT.SYS 253952 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x8F026000 C:\Windows\system32\DRIVERS\HSXHWAZL.sys 249856 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0x8F566000 C:\Windows\system32\DRIVERS\rdbss.sys 245760 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x82D3E000 C:\Windows\system32\drivers\NETIO.SYS 237568 bytes (Microsoft Corporation, Network I/O Subsystem)
0xA6D01000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 233472 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x82F15000 C:\Windows\system32\drivers\volsnap.sys 233472 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x95129000 C:\Windows\System32\Drivers\N360\0308000.029\SYMTDI.SYS 212992 bytes (Symantec Corporation, Network Dispatch Driver)
0x82DC7000 C:\Windows\system32\DRIVERS\usbhub.sys 212992 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x823BB000 ACPI_HAL 208896 bytes
0x823BB000 C:\Windows\system32\hal.dll 208896 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x826F3000 C:\Windows\system32\drivers\fltmgr.sys 204800 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x8F521000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x8C59B000 C:\Windows\system32\DRIVERS\msiscsi.sys 188416 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)
0x80795000 C:\Windows\system32\DRIVERS\pcmcia.sys 184320 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0x805B1000 C:\Windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x8C53E000 C:\Windows\system32\DRIVERS\Apfiltr.sys 180224 bytes (Alps Electric Co., Ltd., Alps Touch Pad Driver)
0x82D13000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x82D9D000 C:\Windows\system32\DRIVERS\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)
0x959BA000 C:\Windows\system32\DRIVERS\nwifi.sys 172032 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
0x82F65000 C:\Windows\System32\drivers\ecache.sys 159744 bytes (Microsoft Corporation, Special Memory Device Cache)
0x806E4000 C:\Windows\system32\drivers\pci.sys 159744 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xA6D52000 C:\Windows\System32\DRIVERS\srv2.sys 159744 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x8F001000 C:\Windows\system32\drivers\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0x8FF49000 C:\Windows\system32\Drivers\SYMEVENT.SYS 151552 bytes (Symantec Corporation, Symantec Event Library)
0x8C1D0000 C:\Windows\system32\DRIVERS\ndiswan.sys 143360 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x82F9D000 C:\Windows\system32\drivers\CLASSPNP.SYS 135168 bytes (Microsoft Corporation, SCSI Class System Dll)
0x8FFAF000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0xA6CC2000 C:\Windows\system32\drivers\mrxdav.sys 131072 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xA6CE2000 C:\Windows\system32\DRIVERS\mrxsmb.sys 126976 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x826D5000 C:\Windows\system32\drivers\ataport.SYS 122880 bytes (Microsoft Corporation, ATAPI Driver Extension)
0x95861000 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys 118784 bytes (Symantec Corporation, Symantec Eraser Utility Driver)
0xA6C77000 C:\Windows\System32\DRIVERS\srvnet.sys 118784 bytes (Microsoft Corporation, Server Network driver)
0x950F8000 C:\Windows\System32\drivers\fwpkclnt.sys 110592 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x9598F000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0xA6C94000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x8C575000 C:\Windows\system32\DRIVERS\cdrom.sys 98304 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xA6D3A000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 98304 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x9587F000 C:\Windows\System32\Drivers\dfsc.sys 94208 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x8C5D4000 C:\Windows\system32\DRIVERS\rasl2tp.sys 94208 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x95953000 C:\Windows\system32\DRIVERS\cdfs.sys 90112 bytes (Microsoft Corporation, CD-ROM File System Driver)
0x951DC000 C:\Windows\system32\DRIVERS\pacer.sys 90112 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x95113000 C:\Windows\system32\DRIVERS\tdx.sys 90112 bytes (Microsoft Corporation, TDI Translation Driver)
0xA6CAD000 C:\Windows\System32\drivers\mpsdrv.sys 86016 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x82D78000 C:\Windows\system32\DRIVERS\rassstp.sys 86016 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0x9516B000 C:\Windows\System32\Drivers\N360\0308000.029\SYMFW.SYS 86016 bytes (Symantec Corporation, Firewall Filter Driver)
0xA8EFB000 C:\Windows\system32\DRIVERS\WUDFRd.sys 86016 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Reflector)
0xA8F48000 C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100505.048\NAVENG.SYS 81920 bytes (Symantec Corporation, AV Engine)
0x82FE3000 C:\Windows\system32\DRIVERS\raspptp.sys 81920 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x95180000 C:\Windows\system32\DRIVERS\smb.sys 81920 bytes (Microsoft Corporation, SMB Transport driver)
0x8C520000 C:\Windows\system32\DRIVERS\i8042prt.sys 77824 bytes (Microsoft Corporation, i8042 Port Driver)
0x8F5AC000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x8F553000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x8C13E000 C:\Windows\system32\DRIVERS\HDAudBus.sys 73728 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0xA8F10000 C:\Windows\system32\DRIVERS\WUDFPf.sys 73728 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0x82F8C000 C:\Windows\system32\drivers\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x807D2000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x80477000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x82725000 C:\Windows\system32\drivers\fileinfo.sys 65536 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x959AA000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x807C2000 C:\Windows\System32\drivers\mountmgr.sys 65536 bytes (Microsoft Corporation, Mount Point Manager)
0x8C433000 C:\Windows\system32\DRIVERS\ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0x82D8D000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Terminal Server Driver)
0x8C0D3000 C:\Windows\system32\DRIVERS\intelppm.sys 61440 bytes (Microsoft Corporation, Processor Device Driver)
0x95980000 C:\Windows\system32\DRIVERS\monitor.sys 61440 bytes (Microsoft Corporation, Monitor Driver)
0x82F56000 C:\Windows\System32\Drivers\mup.sys 61440 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0x8070B000 C:\Windows\System32\drivers\partmgr.sys 61440 bytes (Microsoft Corporation, Partition Management Driver)
0x82FD4000 C:\Windows\system32\DRIVERS\raspppoe.sys 61440 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x8C12F000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x80727000 C:\Windows\system32\drivers\volmgr.sys 61440 bytes (Microsoft Corporation, Volume Manager Driver)
0x8C443000 C:\Windows\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0x9F670000 C:\Windows\System32\cdd.dll 57344 bytes (Microsoft Corporation, Canonical Display Driver)
0x95000000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x8FFEB000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x80787000 C:\Windows\system32\drivers\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x9515D000 C:\Windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS 57344 bytes (Symantec Corporation, NDIS Filter Driver)
0x8F4B8000 C:\Windows\system32\drivers\modem.sys 53248 bytes (Microsoft Corporation, Modem Device Driver)
0x8C1F3000 C:\Windows\system32\DRIVERS\umbus.sys 53248 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x8D1E9000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
0x80680000 C:\Windows\system32\drivers\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xA8EEF000 C:\Windows\System32\drivers\tcpipreg.sys 49152 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x8FFA3000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x8C533000 C:\Windows\system32\DRIVERS\kbdclass.sys 45056 bytes (Microsoft Corporation, Keyboard Class Driver)
0x8C56A000 C:\Windows\system32\DRIVERS\mouclass.sys 45056 bytes (Microsoft Corporation, Mouse Class Driver)
0x8FFE0000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x8C5EB000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x8C5C9000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x8C0BF000 C:\Windows\system32\DRIVERS\tunnel.sys 45056 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x8C0E6000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0x8071D000 C:\Windows\system32\DRIVERS\BATTC.SYS 40960 bytes (Microsoft Corporation, Battery Class Driver)
0x95976000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x8C200000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x959E4000 C:\Windows\system32\DRIVERS\ndisuio.sys 40960 bytes (Microsoft Corporation, NDIS User mode I/O driver)
0x8F5A2000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0x82784000 C:\Windows\System32\Drivers\PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xA8EE5000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x8FF82000 C:\Windows\system32\drivers\N360\0308000.029\SRTSPX.SYS 40960 bytes (Symantec Corporation, Symantec AutoProtect)
0xA8F34000 C:\Windows\system32\DRIVERS\WSDPrint.sys 40960 bytes (Microsoft Corporation, Web Services Print Device Driver)
0x82FBE000 C:\Windows\system32\drivers\crcdisk.sys 36864 bytes (Microsoft Corporation, Disk Block Verification Filter Driver)
0x8FF8C000 C:\Windows\System32\Drivers\Fs_Rec.SYS 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0xA8F65000 C:\Windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0x8F518000 C:\Windows\System32\DRIVERS\rasacd.sys 36864 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0x951F2000 C:\Windows\system32\DRIVERS\SymIMv.sys 36864 bytes (Symantec Corporation, NDIS 6.0 Filter Driver for Windows Vista)
0x9F650000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x8C0CA000 C:\Windows\system32\DRIVERS\tunmp.sys 36864 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x806D3000 C:\Windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x826CD000 C:\Windows\system32\drivers\atapi.sys 32768 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0x80488000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x8040F000 C:\Windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0x806DC000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x8FFD0000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x8FFD8000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x8C593000 C:\Windows\system32\DRIVERS\serscan.sys 32768 bytes (Microsoft Corporation, Serial Imaging Device Driver)
0x82F4E000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0xA8F22000 C:\Windows\system32\DRIVERS\xaudio.sys 32768 bytes (Conexant Systems, Inc., Modem Audio Device Driver)
0x8FF9C000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x80780000 C:\Windows\system32\drivers\intelide.sys 28672 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0x8FF95000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x8C58D000 C:\Windows\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0x8FFF9000 C:\Windows\System32\Drivers\StarOpen.SYS 24576 bytes
0x8C5F6000 C:\Windows\system32\DRIVERS\wanatw4.sys 24576 bytes (America Online, Inc., Wan Miniport (ATW))
0x8C0E2000 C:\Windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xA6DDF000 C:\Windows\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface x86 Driver)
0x8071A000 C:\Windows\system32\DRIVERS\compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0x8C51D000 C:\Windows\system32\DRIVERS\SFEP.sys 12288 bytes (Sony Corporation, Sony Firmware Extension Parser driver)
0xA8EE3000 C:\Windows\system32\drivers\regi.sys 8192 bytes (InterVideo, regi driver)
0x8C5FC000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x9587E000 C:\Windows\system32\DRIVERS\DMICall.sys 4096 bytes (Sony Corporation, Windows 2000 DMI Call Kernel Driver)
==============================================
>Stealth
==============================================
0x04C80000 Hidden Image-->WPF.Themes.dll [ EPROCESS 0x86BD46B0 ] PID: 1572, 102400 bytes
0x05470000 Hidden Image-->Curse.CurseClient.Controls.dll [ EPROCESS 0x86BD46B0 ] PID: 1572, 192512 bytes
0x041D0000 Hidden Image-->Curse.CurseClient.Enumerations.dll [ EPROCESS 0x86BD46B0 ] PID: 1572, 28672 bytes
0x05FA0000 Hidden Image-->Curse.MurmurHash.dll [ EPROCESS 0x86BD46B0 ] PID: 1572, 28672 bytes
0x03FC0000 Hidden Image-->Curse.CurseClient.Common.dll [ EPROCESS 0x86BD46B0 ] PID: 1572, 290816 bytes
WARNING: File locked for read access [C:\Windows\system32\drivers\iaStor.sys]
0x007E0000 Hidden Image-->HammerProgram.dll [ EPROCESS 0xADC8D020 ] PID: 3748, 36864 bytes
0x05730000 Hidden Image-->Interop.NetFwTypeLib.dll [ EPROCESS 0x86BD46B0 ] PID: 1572, 36864 bytes
0x04CE0000 Hidden Image-->Curse.AddOns.dll [ EPROCESS 0x86BD46B0 ] PID: 1572, 53248 bytes
0x04E40000 Hidden Image-->Curse.ClientService.Models.dll [ EPROCESS 0x86BD46B0 ] PID: 1572, 53248 bytes
0x01920000 Hidden Image-->Curse.CurseClient.Localization.dll [ EPROCESS 0x86BD46B0 ] PID: 1572, 61440 bytes
0x04AA0000 Hidden Image-->System.Core.dll [ EPROCESS 0x86BD46B0 ] PID: 1572, 675840 bytes
0x03EE0000 Hidden Image-->Curse.dll [ EPROCESS 0x86BD46B0 ] PID: 1572, 77824 bytes
0x05DC0000 Hidden Image-->zlib.net.dll [ EPROCESS 0x86BD46B0 ] PID: 1572, 77824 bytes
0x8260F000 WARNING: Virus alike driver modification [iaStor.sys], 778240 bytes
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x000B4EEA, Type: Inline - RelativeJump 0x820B6EEA-->820B6EF1 [ntkrnlpa.exe]
ntkrnlpa.exe+0x000B8C58, Type: Inline - RelativeCall 0x820BAC58-->B8A24989 [unknown_code_page]
ntkrnlpa.exe+0x000B8E48, Type: Inline - RelativeJump 0x820BAE48-->820BAE08 [ntkrnlpa.exe]
ntkrnlpa.exe+0x000B8ED4, Type: Inline - RelativeJump 0x820BAED4-->820BAEE5 [ntkrnlpa.exe]
ntkrnlpa.exe+0x000B8F50, Type: Inline - RelativeJump 0x820BAF50-->820BAFCF [ntkrnlpa.exe]
ntkrnlpa.exe+0x000B8F78, Type: Inline - RelativeJump 0x820BAF78-->820BAF42 [ntkrnlpa.exe]
[1956]AOLacsd.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77C814C0-->00000000 [tbdiag.dll]
[1956]AOLacsd.exe-->advapi32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x77C816A8-->00000000 [tbdiag.dll]
[1956]AOLacsd.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77B7111C-->00000000 [tbdiag.dll]
[1956]AOLacsd.exe-->gdi32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x77B710B4-->00000000 [tbdiag.dll]
[1956]AOLacsd.exe-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x080E14DC-->00000000 [tbdiag.dll]
[1956]AOLacsd.exe-->shell32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x080E1210-->00000000 [tbdiag.dll]
[1956]AOLacsd.exe-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77D51250-->00000000 [tbdiag.dll]
[1956]AOLacsd.exe-->user32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x77D51260-->00000000 [tbdiag.dll]
[1956]AOLacsd.exe-->wininet.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71721484-->00000000 [tbdiag.dll]
[1956]AOLacsd.exe-->wininet.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x71721478-->00000000 [tbdiag.dll]
[1956]AOLacsd.exe-->ws2_32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x4B0D11EC-->00000000 [tbdiag.dll]
[1956]AOLacsd.exe-->ws2_32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x4B0D1190-->00000000 [tbdiag.dll]
[3492]rundll32.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77C814BC-->00000000 [shimeng.dll]
[3492]rundll32.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77B71170-->00000000 [shimeng.dll]
[3492]rundll32.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x080E1414-->00000000 [shimeng.dll]
[3492]rundll32.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77D51300-->00000000 [shimeng.dll]
[3492]rundll32.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x4B0D11E8-->00000000 [shimeng.dll]
[3640]aoltpsd3.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77C814BC-->00000000 [shimeng.dll]
[3640]aoltpsd3.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77B71170-->00000000 [shimeng.dll]
[3640]aoltpsd3.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x00405004-->00000000 [shimeng.dll]
[3640]aoltpsd3.exe-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x6C94123C-->00000000 [shimeng.dll]
[3640]aoltpsd3.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x080E1414-->00000000 [shimeng.dll]
[3640]aoltpsd3.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77D51300-->00000000 [shimeng.dll]
[3640]aoltpsd3.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x4B0D11E8-->00000000 [shimeng.dll]
[3756]realplay.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77C814BC-->00000000 [shimeng.dll]
[3756]realplay.exe-->advapi32.dll-->RegCloseKey, Type: IAT modification 0x00404000-->00000000 [AcLayers.dll]
[3756]realplay.exe-->advapi32.dll-->RegCreateKeyA, Type: IAT modification 0x00404010-->00000000 [AcGenral.dll]
[3756]realplay.exe-->advapi32.dll-->RegDeleteKeyA, Type: IAT modification 0x00404014-->00000000 [AcLayers.dll]
[3756]realplay.exe-->advapi32.dll-->RegEnumKeyA, Type: IAT modification 0x00404018-->00000000 [AcLayers.dll]
[3756]realplay.exe-->advapi32.dll-->RegEnumKeyExA, Type: IAT modification 0x00404020-->00000000 [AcLayers.dll]
[3756]realplay.exe-->advapi32.dll-->RegOpenKeyA, Type: IAT modification 0x00404008-->00000000 [AcLayers.dll]
[3756]realplay.exe-->advapi32.dll-->RegOpenKeyExA, Type: IAT modification 0x0040401C-->00000000 [AcLayers.dll]
[3756]realplay.exe-->advapi32.dll-->RegQueryValueA, Type: IAT modification 0x00404004-->00000000 [AcLayers.dll]
[3756]realplay.exe-->advapi32.dll-->RegSetValueA, Type: IAT modification 0x0040400C-->00000000 [AcLayers.dll]
[3756]realplay.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77B71170-->00000000 [shimeng.dll]
[3756]realplay.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0040403C-->00000000 [shimeng.dll]
[3756]realplay.exe-->kernel32.dll-->GetVersion, Type: IAT modification 0x0040402C-->00000000 [AcLayers.dll]
[3756]realplay.exe-->kernel32.dll-->GetVersionExA, Type: IAT modification 0x00404028-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->advapi32.dll-->RegSetValueExW, Type: IAT modification 0x080E1B2C-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->advapi32.dll-->RegSetValueW, Type: IAT modification 0x080E1B70-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->kernel32.dll-->CopyFileW, Type: IAT modification 0x080E125C-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->kernel32.dll-->CreateDirectoryW, Type: IAT modification 0x080E13B0-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->kernel32.dll-->CreateFileW, Type: IAT modification 0x080E1460-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x080E12E8-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->kernel32.dll-->DeleteFileW, Type: IAT modification 0x080E13B4-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->kernel32.dll-->FindFirstFileW, Type: IAT modification 0x080E1328-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->kernel32.dll-->GetBinaryTypeW, Type: IAT modification 0x080E1280-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->kernel32.dll-->GetFileAttributesA, Type: IAT modification 0x080E1370-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->kernel32.dll-->GetFileAttributesExW, Type: IAT modification 0x080E14A0-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->kernel32.dll-->GetFileAttributesW, Type: IAT modification 0x080E13BC-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->kernel32.dll-->GetLongPathNameW, Type: IAT modification 0x080E14E8-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->kernel32.dll-->GetPrivateProfileIntW, Type: IAT modification 0x080E1390-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->kernel32.dll-->GetPrivateProfileSectionNamesW, Type: IAT modification 0x080E1168-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->kernel32.dll-->GetPrivateProfileSectionW, Type: IAT modification 0x080E1104-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->kernel32.dll-->GetPrivateProfileStringW, Type: IAT modification 0x080E13A0-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x080E1414-->00000000 [shimeng.dll]
[3756]realplay.exe-->shell32.dll-->kernel32.dll-->GetTempFileNameW, Type: IAT modification 0x080E1148-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->kernel32.dll-->GetVersion, Type: IAT modification 0x080E1484-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->kernel32.dll-->GetVersionExA, Type: IAT modification 0x080E1204-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->kernel32.dll-->GetVersionExW, Type: IAT modification 0x080E1458-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->kernel32.dll-->MoveFileExW, Type: IAT modification 0x080E13C0-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->kernel32.dll-->MoveFileW, Type: IAT modification 0x080E130C-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->kernel32.dll-->RemoveDirectoryW, Type: IAT modification 0x080E13AC-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->kernel32.dll-->SetCurrentDirectoryW, Type: IAT modification 0x080E14F8-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->kernel32.dll-->SetFileAttributesW, Type: IAT modification 0x080E13B8-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->kernel32.dll-->WritePrivateProfileSectionW, Type: IAT modification 0x080E116C-->00000000 [AcLayers.dll]
[3756]realplay.exe-->shell32.dll-->kernel32.dll-->WritePrivateProfileStringW, Type: IAT modification 0x080E1170-->00000000 [AcLayers.dll]
[3756]realplay.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77D51300-->00000000 [shimeng.dll]
[3856]rundll32.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77C814BC-->00000000 [shimeng.dll]
[3856]rundll32.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77B71170-->00000000 [shimeng.dll]
[3856]rundll32.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x080E1414-->00000000 [shimeng.dll]
[3856]rundll32.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77D51300-->00000000 [shimeng.dll]
[3856]rundll32.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x4B0D11E8-->00000000 [shimeng.dll]
[4068]aolsoftware.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77C814C0-->00000000 [tbdiag.dll]
[4068]aolsoftware.exe-->advapi32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x77C816A8-->00000000 [tbdiag.dll]
[4068]aolsoftware.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77B7111C-->00000000 [tbdiag.dll]
[4068]aolsoftware.exe-->gdi32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x77B710B4-->00000000 [tbdiag.dll]
[4068]aolsoftware.exe-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77D51250-->00000000 [tbdiag.dll]
[4068]aolsoftware.exe-->user32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x77D51260-->00000000 [tbdiag.dll]
[5004]waol.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77C814BC-->00000000 [shimeng.dll]
[5004]waol.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77B71170-->00000000 [shimeng.dll]
[5004]waol.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x00402014-->00000000 [shimeng.dll]
[5004]waol.exe-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x6C94123C-->00000000 [shimeng.dll]
[5004]waol.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x080E1414-->00000000 [shimeng.dll]
[5004]waol.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77D51300-->00000000 [shimeng.dll]
[5004]waol.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71721480-->00000000 [shimeng.dll]
[5004]waol.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x4B0D11E8-->00000000 [shimeng.dll]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

lidlkid
Novice
Novice

Posts Posts : 19
Joined Joined : 2010-05-04
OS OS : vista
Points Points : 24403
# Likes # Likes : 0


Re: backdoor.tidserv.inf

Post by Dr Jay on 6th May 2010, 9:49 pm

We need to do some diagnostics.

1. Please download [You must be registered and logged in to see this link.] by noahdfear.
  • Save it to your desktop.
  • Double-click profiles.exe and post its log when you reply.


2. Download [You must be registered and logged in to see this link.] by ad13 and save it to your Desktop.
  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.


3. In your next reply, please post the following logs for my review:
  • Profiles log (1)
  • Win32kDiag log (2)


Thanks! :)


Dr. Jay (DJ)



Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14317
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 303008
# Likes # Likes : 10


Re: backdoor.tidserv.inf

Post by lidlkid on 6th May 2010, 11:02 pm

Ok, here are the logs.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemRoot%\ServiceProfiles\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemRoot%\ServiceProfiles\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1057758560-4026335627-1336335913-1003
ProfileImagePath REG_EXPAND_SZ C:\Users\stewart

ProfileImagePath REG_EXPAND_SZ %SystemRoot%\ServiceProfiles\LocalService
ProfileImagePath REG_EXPAND_SZ %SystemRoot%\ServiceProfiles\NetworkService
SystemRoot REG_SZ C:\Windows

2. Seems to be an issue with the second one...

Running from: C:\Users\stewart\Desktop\Win32kDiag.exe

Log file at : C:\Users\stewart\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl


Re: backdoor.tidserv.inf

Post by Dr Jay on 6th May 2010, 11:47 pm

Ok. No biggie.

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].
Alternate link: [You must be registered and logged in to see this link.].
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double-click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Copy and paste the entire report in your next reply.


Dr. Jay (DJ)




Re: backdoor.tidserv.inf

Post by lidlkid on 10th May 2010, 6:46 pm

Ok here we go...

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4074

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

10/05/2010 19:35:02
mbam-log-2010-05-10 (19-35-02).txt

Scan type: Full scan (C:\|)
Objects scanned: 412127
Time elapsed: 2 hour(s), 14 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\stewart\AppData\Local\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.39,93.188.161.154 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{771e7d05-f861-40e3-b1f3-1817a728f593}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.39,93.188.161.154 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b185a6de-2a52-4bc6-982c-fcad65cafbcb}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.39,93.188.161.154 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: backdoor.tidserv.inf

Post by lidlkid on 10th May 2010, 6:50 pm

Ran Norton after this just to check and it's telling me that tidserv.inf is still there... hope you can still help, thanks for your patience.


Re: backdoor.tidserv.inf

Post by Dr Jay on 11th May 2010, 1:26 am

Please visit this webpage for a tutorial on downloading and running ComboFix:

[You must be registered and logged in to see this link.]

See the area: Using ComboFix, and when done, post the log back here.


Dr. Jay (DJ)




Re: backdoor.tidserv.inf

Post by lidlkid on 11th May 2010, 12:01 pm

Ok, here it is.

ComboFix 10-05-10.03 - stewart 11/05/2010 12:37:58.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2046.1044 [GMT 1:00]
Running from: c:\users\stewart\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-04-11 to 2010-05-11 )))))))))))))))))))))))))))))))
.

2010-05-11 11:46 . 2010-05-11 11:46 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-11 11:46 . 2010-05-11 11:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-11 10:26 . 2010-05-11 11:09 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-11 02:04 . 2010-02-12 10:48 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-05-10 21:40 . 2010-02-23 11:32 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-05-10 21:40 . 2010-02-23 11:32 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-05-10 21:40 . 2010-02-23 11:32 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-05-10 21:40 . 2010-03-04 18:54 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-05-10 21:37 . 2010-02-18 14:49 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-05-10 21:37 . 2010-02-18 14:11 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-05-10 21:37 . 2010-02-18 11:52 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-05-10 20:58 . 2009-12-23 12:43 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-05-10 20:58 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll
2010-05-07 13:56 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-07 13:56 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-06 10:06 . 2010-05-06 10:07 -------- d-----w- c:\windows\system32\MustBeRandomlyNamed
2010-05-04 14:34 . 2010-05-04 14:34 388096 ----a-r- c:\users\stewart\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-04 14:34 . 2010-05-04 14:34 -------- d-----w- c:\program files\Trend Micro
2010-04-22 20:56 . 2010-04-22 21:04 -------- d-----w- c:\temp\aol
2010-04-22 20:56 . 2010-04-22 20:56 -------- d-----w- C:\temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-11 11:47 . 2010-04-08 20:20 -------- d-----w- c:\programdata\Kontiki
2010-05-11 02:27 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-11 02:11 . 2008-04-10 20:46 -------- d-----w- c:\programdata\Microsoft Help
2010-05-10 22:15 . 2008-08-25 12:49 91653 ----a-w- c:\users\stewart\AppData\Roaming\nvModes.dat
2010-05-07 13:56 . 2010-03-28 12:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-03 18:56 . 2009-11-15 09:43 -------- d-----w- c:\users\stewart\AppData\Roaming\Ventrilo
2010-04-28 11:00 . 2008-08-25 14:19 -------- d-----w- c:\program files\PKR
2010-04-11 19:30 . 2008-04-10 20:55 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-04-09 01:55 . 2008-08-25 14:06 -------- d-----w- c:\users\stewart\AppData\Roaming\DivX
2010-04-09 01:14 . 2010-04-09 01:14 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-04-09 01:14 . 2010-04-09 01:09 -------- d-----w- c:\programdata\DivX
2010-04-09 01:14 . 2008-04-10 20:55 -------- d-----w- c:\program files\DivX
2010-04-09 01:14 . 2010-04-09 01:14 56766 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-04-09 01:14 . 2010-04-09 01:14 56978 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-04-09 01:14 . 2010-04-09 01:14 57679 ----a-w- c:\programdata\DivX\Player\Uninstaller.exe
2010-04-09 01:14 . 2010-04-09 01:14 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-04-09 01:09 . 2010-04-09 01:09 144696 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-04-09 01:09 . 2010-04-09 01:14 754984 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-04-09 01:09 . 2010-04-09 01:14 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-04-08 20:19 . 2010-04-08 20:18 -------- d-----w- c:\program files\Kontiki
2010-04-08 20:18 . 2010-04-08 20:18 -------- d-----w- c:\programdata\Sky
2010-04-08 20:18 . 2010-04-08 20:18 -------- d-----w- c:\program files\Sky
2010-04-08 20:06 . 2010-04-08 20:06 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-31 01:58 . 2008-04-10 21:01 133616 ------w- c:\windows\system32\pxafs.dll
2010-03-31 01:58 . 2007-12-20 20:54 125424 ------w- c:\windows\system32\pxinsi64.exe
2010-03-31 01:58 . 2007-12-20 10:00 44944 ------w- c:\windows\system32\drivers\pxhelp20.sys
2010-03-29 16:34 . 2010-03-29 16:34 48323 ----a-w- C:\MGlogs.zip
2010-03-28 19:12 . 2010-03-28 16:55 -------- d-----w- c:\users\stewart\AppData\Roaming\SUPERAntiSpyware.com
2010-03-28 19:12 . 2009-11-15 09:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-28 19:12 . 2010-03-28 16:55 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-28 17:24 . 2010-03-28 12:10 -------- d-----w- c:\program files\Yahoo!
2010-03-28 16:56 . 2010-03-28 16:56 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-03-28 12:49 . 2010-03-28 12:49 -------- d-----w- c:\users\stewart\AppData\Roaming\Malwarebytes
2010-03-28 12:49 . 2010-03-28 12:49 -------- d-----w- c:\programdata\Malwarebytes
2010-03-28 12:10 . 2010-03-28 12:10 -------- d-----w- c:\program files\CCleaner
2010-03-28 12:10 . 2010-03-28 12:10 -------- d-----w- c:\users\stewart\AppData\Roaming\Yahoo!
2010-03-24 21:20 . 2009-07-25 14:33 -------- d-----w- c:\program files\Steam
2010-03-09 16:28 . 2010-05-10 21:38 833024 ----a-w- c:\windows\system32\wininet.dll
2010-03-09 16:25 . 2010-05-10 21:38 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 14:01 . 2010-05-10 21:38 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-03-07 13:35 . 2010-03-07 10:55 77353 ----a-w- c:\windows\hpqins05.dat
2010-03-07 13:31 . 2008-08-25 12:49 123952 ----a-w- c:\users\stewart\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-20 23:39 . 2010-03-11 03:02 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:37 . 2010-03-11 03:02 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 21:18 . 2010-03-11 03:02 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-19 19:27 . 2010-02-19 19:27 720384 ----a-w- c:\windows\system32\DivX.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2010-02-19 19:27 . 2010-02-19 19:27 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27 . 2010-02-19 19:27 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2010-02-19 19:27 . 2010-02-19 19:27 839680 ----a-w- c:\windows\system32\divx_xx11.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe" [2009-03-19 460216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-02-12 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-12 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-12 81920]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-23 4718592]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2008-02-23 122880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-11-21 311296]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-30 30192]
"MarketingTools"="c:\program files\Sony\Marketing Tools\MarketingTools.exe" [2008-04-10 36864]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2008-08-25 26112]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 71008]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-08-26 236016]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 5.0\SetHook.exe" [2007-12-21 53248]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"HostManager"="c:\program files\Common Files\AOL\1243367064\ee\AOLSoftware.exe" [2006-11-14 50736]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-03-05 1135912]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

c:\users\stewart\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-2-12 0]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-08-15 03:05 98304 ----a-w- c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R2 gupdate1ca1b5c4204d2d0;Google Update Service (gupdate1ca1b5c4204d2d0);c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 133104]
R3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-10-30 30192]
R3 SOHCImp;VAIO Media plus Content Importer;c:\program files\Sony\VAIO Media plus\SOHCImp.exe [2008-03-05 104288]
R3 SOHDms;VAIO Media plus Digital Media Server;c:\program files\Sony\VAIO Media plus\SOHDms.exe [2008-03-05 350048]
R3 SOHDs;VAIO Media plus Device Searcher;c:\program files\Sony\VAIO Media plus\SOHDs.exe [2008-03-05 63328]
R3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2008-03-03 333088]
R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe [2008-03-03 87328]
R3 WiselinkPro;SAMSUNG WiselinkPro Service;c:\program files\Samsung\SAMSUNG PC Share Manager\WiselinkPro.exe [2009-01-08 4136960]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS [2009-08-22 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\N360\0308000.029\BHDrvx86.sys [2009-08-22 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\N360\0308000.029\ccHPx86.sys [2009-08-22 482432]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100505.001\IDSvix86.sys [2009-10-28 343088]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2009-08-22 117640]
S2 NSUService;NSUService;c:\program files\Sony\Network Utility\NSUService.exe [2008-03-10 229376]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-09-12 102448]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2007-12-17 9344]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [2009-08-22 48688]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-06-06 812544]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2008-10-04 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 14:49]

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-05-11 12:46
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5864)
c:\windows\System32\NLSLexicons0009.dll
.
Completion time: 2010-05-11 12:50:49
ComboFix-quarantined-files.txt 2010-05-11 11:50
ComboFix2.txt 2010-05-11 11:03

Pre-Run: 90,559,131,648 bytes free
Post-Run: 90,544,050,176 bytes free

- - End Of File - - FECAAD7E06A939E38B383C26B64B9AEC


Re: backdoor.tidserv.inf

Post by Dr Jay on 11th May 2010, 6:00 pm

Let's see if we can arouse interest in ComboFix.

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the box below into it:
    killall::

    rootkit::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)




Re: backdoor.tidserv.inf

Post by lidlkid on 11th May 2010, 8:08 pm

ComboFix 10-05-10.03 - stewart 11/05/2010 20:39:57.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2046.1242 [GMT 1:00]
Running from: c:\users\stewart\Desktop\ComboFix.exe
Command switches used :: c:\users\stewart\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-04-11 to 2010-05-11 )))))))))))))))))))))))))))))))
.

2010-05-11 19:49 . 2010-05-11 19:53 -------- d-----w- c:\users\stewart\AppData\Local\temp
2010-05-11 19:49 . 2010-05-11 19:49 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-11 19:49 . 2010-05-11 19:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-11 10:26 . 2010-05-11 11:09 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-11 02:04 . 2010-02-12 10:48 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-05-10 21:40 . 2010-02-23 11:32 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-05-10 21:40 . 2010-02-23 11:32 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-05-10 21:40 . 2010-02-23 11:32 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-05-10 21:40 . 2010-03-04 18:54 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-05-10 21:37 . 2010-02-18 14:49 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-05-10 21:37 . 2010-02-18 14:11 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-05-10 21:37 . 2010-02-18 11:52 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-05-10 20:58 . 2009-12-23 12:43 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-05-10 20:58 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll
2010-05-07 13:56 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-07 13:56 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-06 10:06 . 2010-05-06 10:07 -------- d-----w- c:\windows\system32\MustBeRandomlyNamed
2010-05-04 14:34 . 2010-05-04 14:34 -------- d-----w- c:\program files\Trend Micro
2010-04-22 20:56 . 2010-04-22 21:04 -------- d-----w- c:\temp\aol
2010-04-22 20:56 . 2010-04-22 20:56 -------- d-----w- C:\temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-11 19:56 . 2010-04-08 20:20 -------- d-----w- c:\programdata\Kontiki
2010-05-11 02:27 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-11 02:11 . 2008-04-10 20:46 -------- d-----w- c:\programdata\Microsoft Help
2010-05-10 22:15 . 2008-08-25 12:49 91653 ----a-w- c:\users\stewart\AppData\Roaming\nvModes.dat
2010-05-07 13:56 . 2010-03-28 12:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-04 14:34 . 2010-05-04 14:34 388096 ----a-r- c:\users\stewart\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-03 18:56 . 2009-11-15 09:43 -------- d-----w- c:\users\stewart\AppData\Roaming\Ventrilo
2010-04-28 11:00 . 2008-08-25 14:19 -------- d-----w- c:\program files\PKR
2010-04-11 19:30 . 2008-04-10 20:55 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-04-09 01:55 . 2008-08-25 14:06 -------- d-----w- c:\users\stewart\AppData\Roaming\DivX
2010-04-09 01:14 . 2010-04-09 01:14 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-04-09 01:14 . 2010-04-09 01:09 -------- d-----w- c:\programdata\DivX
2010-04-09 01:14 . 2008-04-10 20:55 -------- d-----w- c:\program files\DivX
2010-04-09 01:14 . 2010-04-09 01:14 56766 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-04-09 01:14 . 2010-04-09 01:14 56978 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-04-09 01:14 . 2010-04-09 01:14 57679 ----a-w- c:\programdata\DivX\Player\Uninstaller.exe
2010-04-09 01:14 . 2010-04-09 01:14 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-04-09 01:09 . 2010-04-09 01:09 144696 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-04-09 01:09 . 2010-04-09 01:14 754984 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-04-09 01:09 . 2010-04-09 01:14 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-04-08 20:19 . 2010-04-08 20:18 -------- d-----w- c:\program files\Kontiki
2010-04-08 20:18 . 2010-04-08 20:18 -------- d-----w- c:\programdata\Sky
2010-04-08 20:18 . 2010-04-08 20:18 -------- d-----w- c:\program files\Sky
2010-04-08 20:06 . 2010-04-08 20:06 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-31 01:58 . 2008-04-10 21:01 133616 ------w- c:\windows\system32\pxafs.dll
2010-03-31 01:58 . 2007-12-20 20:54 125424 ------w- c:\windows\system32\pxinsi64.exe
2010-03-31 01:58 . 2007-12-20 10:00 44944 ------w- c:\windows\system32\drivers\pxhelp20.sys
2010-03-29 16:34 . 2010-03-29 16:34 48323 ----a-w- C:\MGlogs.zip
2010-03-28 19:12 . 2010-03-28 16:55 -------- d-----w- c:\users\stewart\AppData\Roaming\SUPERAntiSpyware.com
2010-03-28 19:12 . 2009-11-15 09:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-28 19:12 . 2010-03-28 16:55 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-28 17:24 . 2010-03-28 12:10 -------- d-----w- c:\program files\Yahoo!
2010-03-28 16:56 . 2010-03-28 16:56 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-03-28 12:49 . 2010-03-28 12:49 -------- d-----w- c:\users\stewart\AppData\Roaming\Malwarebytes
2010-03-28 12:49 . 2010-03-28 12:49 -------- d-----w- c:\programdata\Malwarebytes
2010-03-28 12:10 . 2010-03-28 12:10 -------- d-----w- c:\program files\CCleaner
2010-03-28 12:10 . 2010-03-28 12:10 -------- d-----w- c:\users\stewart\AppData\Roaming\Yahoo!
2010-03-24 21:20 . 2009-07-25 14:33 -------- d-----w- c:\program files\Steam
2010-03-09 16:28 . 2010-05-10 21:38 833024 ----a-w- c:\windows\system32\wininet.dll
2010-03-09 16:25 . 2010-05-10 21:38 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 14:01 . 2010-05-10 21:38 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-03-07 13:35 . 2010-03-07 10:55 77353 ----a-w- c:\windows\hpqins05.dat
2010-03-07 13:31 . 2008-08-25 12:49 123952 ----a-w- c:\users\stewart\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-20 23:39 . 2010-03-11 03:02 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:37 . 2010-03-11 03:02 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 21:18 . 2010-03-11 03:02 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-19 19:27 . 2010-02-19 19:27 720384 ----a-w- c:\windows\system32\DivX.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2010-02-19 19:27 . 2010-02-19 19:27 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27 . 2010-02-19 19:27 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2010-02-19 19:27 . 2010-02-19 19:27 839680 ----a-w- c:\windows\system32\divx_xx11.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe" [2009-03-19 460216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-02-12 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-12 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-12 81920]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-23 4718592]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2008-02-23 122880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-11-21 311296]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-30 30192]
"MarketingTools"="c:\program files\Sony\Marketing Tools\MarketingTools.exe" [2008-04-10 36864]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2008-08-25 26112]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 71008]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-08-26 236016]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 5.0\SetHook.exe" [2007-12-21 53248]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"HostManager"="c:\program files\Common Files\AOL\1243367064\ee\AOLSoftware.exe" [2006-11-14 50736]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-03-05 1135912]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

c:\users\stewart\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-2-12 0]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-08-15 03:05 98304 ----a-w- c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R2 gupdate1ca1b5c4204d2d0;Google Update Service (gupdate1ca1b5c4204d2d0);c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 133104]
R3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-10-30 30192]
R3 SOHCImp;VAIO Media plus Content Importer;c:\program files\Sony\VAIO Media plus\SOHCImp.exe [2008-03-05 104288]
R3 SOHDms;VAIO Media plus Digital Media Server;c:\program files\Sony\VAIO Media plus\SOHDms.exe [2008-03-05 350048]
R3 SOHDs;VAIO Media plus Device Searcher;c:\program files\Sony\VAIO Media plus\SOHDs.exe [2008-03-05 63328]
R3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2008-03-03 333088]
R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe [2008-03-03 87328]
R3 WiselinkPro;SAMSUNG WiselinkPro Service;c:\program files\Samsung\SAMSUNG PC Share Manager\WiselinkPro.exe [2009-01-08 4136960]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS [2009-08-22 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\N360\0308000.029\BHDrvx86.sys [2009-08-22 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\N360\0308000.029\ccHPx86.sys [2009-08-22 482432]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100505.001\IDSvix86.sys [2009-10-28 343088]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2009-08-22 117640]
S2 NSUService;NSUService;c:\program files\Sony\Network Utility\NSUService.exe [2008-03-10 229376]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-09-12 102448]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2007-12-17 9344]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [2009-08-22 48688]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-06-06 812544]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2008-10-04 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 14:49]

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(468)
c:\program files\Common Files\AOL\ACS\WLHook.dll
c:\windows\System32\AltTab.dll
c:\windows\system32\imapi2.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Kontiki\KService.exe
c:\program files\Sony\VAIO Update 3\VAIOUpdt.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Sony\VAIO Event Service\VESMgrSub.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\program files\Sony\VAIO Power Management\SPMgr.exe
c:\windows\system32\DllHost.exe
c:\windows\System32\rundll32.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\windows\System32\rundll32.exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-05-11 21:01:20 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-11 20:00
ComboFix2.txt 2010-05-11 11:50
ComboFix3.txt 2010-05-11 11:03

Pre-Run: 90,682,388,480 bytes free
Post-Run: 90,836,463,616 bytes free

- - End Of File - - B45D963309616FC902F9E9F5B2B9A80B

lidlkid
Novice
Posts : 19
Joined : 2010-05-04
OS : vista
Points : 24403
# Likes : 0

Re: backdoor.tidserv.inf

Post by Dr Jay on 12th May 2010, 2:22 am

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:
Code:
@echo off
PEV -tf %systemdrive%\tdlwsp.dll >Logit.txt
PEV -tf %systemdrive%\tdlcmd.dll >>Logit.txt
Start Logit.txt
del %0

Save this as seek.bat. Choose to "Save as Type: All Files".

Double click on seek.bat & allow it to run

Post back to tell me what it says.


Dr. Jay (DJ)



Dr Jay
Head Administrator
Posts : 14317
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 303008
# Likes : 10

Re: backdoor.tidserv.inf

Post by lidlkid on 12th May 2010, 9:20 am

Ok, tried that, but every time I double click on it something flashes up for a fraction of a second, then it brings up a blank notebook, and the icon changed from seek.bat to a notebook icon with logit.txt underneath.


Re: backdoor.tidserv.inf

Post by Dr Jay on 12th May 2010, 3:33 pm

Go to My Documents folder, click Tools > Folder Options.

Click the View tab.

Find "Hide extensions for known file types" and uncheck that.

Click Apply, then OK.

========

Then, try to rename that file again. See if it works now.


Dr. Jay (DJ)




Re: backdoor.tidserv.inf

Post by lidlkid on 12th May 2010, 3:47 pm

Tried that, when I went in that box was unchecked anyway. Still nothing happening with that I'm afraid, just doing the same as before.


Re: backdoor.tidserv.inf

Post by Dr Jay on 13th May 2010, 12:29 am

Go to Start > Run
type in cmd and hit OK.

Enter in the following exactly:

PEV -tf %systemdrive%\tdlwsp.dll >Logit.txt && PEV -tf %systemdrive%\tdlcmd.dll >>Logit.txt && logit.txt


It shall launch a log. Post the information in your next reply.


Dr. Jay (DJ)




Re: backdoor.tidserv.inf

Post by lidlkid on 13th May 2010, 10:20 am

It's telling me that PEV is not recognised as an internal or external command, operable programme or batch file. I hate Vista, so annoying!!


Re: backdoor.tidserv.inf

Post by Dr Jay on 13th May 2010, 5:15 pm

Will you run a scan of your antivirus and take a screenshot of the results?

How to do screenshots: [You must be registered and logged in to see this link.]


Dr. Jay (DJ)




Re: backdoor.tidserv.inf

Post by lidlkid on 14th May 2010, 10:36 am

Ok, here are the details, plus a link it provides on removal. I've not attempted the manual removal as I'm not at all sure what I'm doing.

[You must be registered and logged in to see this link.]


Taken a screen shot but I can't post it in here. Not giving me the paste option when I copy it. It says that Affected Areas are 1 file and 1 Browser Cache and then below gives these details.....

c:\windows\system32\drivers\iastor.sys


Hope this helps... and again ty for your help and patience!!


Re: backdoor.tidserv.inf

Post by Dr Jay on 15th May 2010, 4:06 am

  • Please go to VirSCAN.org FREE on-line scan service

  • Browse for the following file path into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\drivers\iastor.sys

  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


Dr. Jay (DJ)




Re: backdoor.tidserv.inf

Post by lidlkid on 18th May 2010, 3:42 pm

Sorry about all this, must wish you never replied.. it won't let me open iastor.sys. It comes up that I don't have permission to open this file, contact owner of file or administrator.. ???


Re: backdoor.tidserv.inf

Post by Dr Jay on 18th May 2010, 4:58 pm

Well that's odd. If the file was not infected, then it would let you scan it.

Let's try a different method:

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    iastor.sys
    atapi.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Dr. Jay (DJ)




Re: backdoor.tidserv.inf

Post by lidlkid on 18th May 2010, 5:27 pm

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 18:25 on 18/05/2010 by stewart (Administrator - Elevation successful)

No Context: filefind

No Context: iastor.sys

No Context: atapi.sys

-=End Of File=-


Re: backdoor.tidserv.inf

Post by Dr Jay on 18th May 2010, 7:28 pm

Hi

Make sure to copy the colon sign before the filefind part.

:filefind

Please try again.


Dr. Jay (DJ)




Re: backdoor.tidserv.inf

Post by lidlkid on 19th May 2010, 2:39 pm

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 15:36 on 19/05/2010 by stewart (Administrator - Elevation successful)

========== filefind ==========

Searching for "iastor.sys"
C:\Windows\Drivers\INF\SATA Driver (Intel) (Non-RAID)\iastor.sys --a--- 277784 bytes [18:01 13/03/2008] [00:03 01/03/2007] FD7F9D74C2B35DBDA400804A3F5ED5D8
C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_1cb29a96\iaStor.sys --a--- 277784 bytes [18:01 13/03/2008] [00:03 01/03/2007] FD7F9D74C2B35DBDA400804A3F5ED5D8
C:\Windows\System32\drivers\iaStor.sys --a--- 277784 bytes [18:01 13/03/2008] [00:03 01/03/2007] (Unable to calculate MD5)

Searching for "atapi.sys"
C:\Windows\ERDNT\cache\atapi.sys --a--- 21560 bytes [11:01 11/05/2010] [02:23 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a--- 19944 bytes [06:58 11/09/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a--- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys --a--- 21560 bytes [02:23 21/01/2008] [02:23 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\System32\drivers\atapi.sys --a--- 21560 bytes [02:23 21/01/2008] [02:23 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a--- 21560 bytes [02:23 21/01/2008] [02:23 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9

-=End Of File=-

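The SystemLook log above contains the tell-tale indicator a helper looks for: the DriverStore and INF copies of iastor.sys hash cleanly to the same MD5, while the live copy under System32\drivers reports "(Unable to calculate MD5)". As an added example (not part of the thread, and not SystemLook's or ComboFix's own code), the Python script below parses a SystemLook ":filefind" log and flags a live driver whose hash is unreadable or disagrees with its DriverStore/winsxs siblings; the embedded sample log is copied from the post above.

```python
import re
from collections import defaultdict

# Sample input: the ":filefind" section of the SystemLook log posted above,
# embedded here so the script runs offline.
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 15:36 on 19/05/2010 by stewart (Administrator - Elevation successful)

========== filefind ==========

Searching for "iastor.sys"
C:\Windows\Drivers\INF\SATA Driver (Intel) (Non-RAID)\iastor.sys --a--- 277784 bytes [18:01 13/03/2008] [00:03 01/03/2007] FD7F9D74C2B35DBDA400804A3F5ED5D8
C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_1cb29a96\iaStor.sys --a--- 277784 bytes [18:01 13/03/2008] [00:03 01/03/2007] FD7F9D74C2B35DBDA400804A3F5ED5D8
C:\Windows\System32\drivers\iaStor.sys --a--- 277784 bytes [18:01 13/03/2008] [00:03 01/03/2007] (Unable to calculate MD5)

Searching for "atapi.sys"
C:\Windows\ERDNT\cache\atapi.sys --a--- 21560 bytes [11:01 11/05/2010] [02:23 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a--- 19944 bytes [06:58 11/09/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a--- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys --a--- 21560 bytes [02:23 21/01/2008] [02:23 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\System32\drivers\atapi.sys --a--- 21560 bytes [02:23 21/01/2008] [02:23 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a--- 21560 bytes [02:23 21/01/2008] [02:23 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9

-=End Of File=-
"""

UNREADABLE = "(Unable to calculate MD5)"

# One filefind result line:
#   <path> <attrs> <size> bytes [<modified>] [<created>] <MD5 or unreadable marker>
# The path may contain spaces, so it is matched non-greedily up to the
# six-character attribute field (e.g. "--a---").
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>.+)$"
)


def parse_filefind(log_text):
    """Return {lowercase file name: [entry dicts]} from SystemLook filefind output.

    Header lines, 'Searching for' lines and blanks do not match and are skipped.
    """
    results = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["size"] = int(entry["size"])
        entry["md5"] = entry["md5"].strip()
        name = entry["path"].rsplit("\\", 1)[-1].lower()
        results[name].append(entry)
    return dict(results)


def find_anomalies(results):
    """Flag the live driver (System32\\drivers) when its MD5 is unreadable or does
    not match any clean reference copy kept in DriverStore or winsxs.

    Returns a list of (file name, path, reason) tuples.
    """
    findings = []
    for name, entries in results.items():
        ref_hashes = {
            e["md5"] for e in entries
            if ("\\driverstore\\" in e["path"].lower() or "\\winsxs\\" in e["path"].lower())
            and e["md5"] != UNREADABLE
        }
        for e in entries:
            if "\\system32\\drivers\\" not in e["path"].lower():
                continue  # only the copy the kernel actually loads is judged
            if e["md5"] == UNREADABLE:
                findings.append((name, e["path"],
                                 "live driver unreadable while sibling copies hash cleanly"))
            elif ref_hashes and e["md5"] not in ref_hashes:
                findings.append((name, e["path"],
                                 "live driver hash differs from DriverStore/winsxs copies"))
    return findings


if __name__ == "__main__":
    for name, path, reason in find_anomalies(parse_filefind(SAMPLE_LOG)):
        print(f"{name}: {path}\n    {reason}")
```

On the sample log only iaStor.sys is reported; atapi.sys passes because its live copy matches both the DriverStore and winsxs copies.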

Re: backdoor.tidserv.inf

Post by Dr Jay on 19th May 2010, 10:53 pm

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the box below into it:
    killall::

    TDL::
    C:\Windows\System32\drivers\iaStor.sys

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)




Re: backdoor.tidserv.inf

Post by lidlkid on 20th May 2010, 12:06 pm

ComboFix 10-05-19.02 - stewart 20/05/2010 12:33:55.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2046.1100 [GMT 1:00]
Running from: c:\users\stewart\Desktop\ComboFix.exe
Command switches used :: c:\users\stewart\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-04-20 to 2010-05-20 )))))))))))))))))))))))))))))))
.

2010-05-20 11:44 . 2010-05-20 11:50 -------- d-----w- c:\users\stewart\AppData\Local\temp
2010-05-20 11:44 . 2010-05-20 11:44 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-20 11:44 . 2010-05-20 11:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-18 17:00 . 2010-05-18 17:00 -------- d-----w- c:\program files\iPod
2010-05-18 17:00 . 2010-05-18 17:01 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-18 17:00 . 2010-05-18 17:01 -------- d-----w- c:\program files\iTunes
2010-05-18 16:56 . 2010-05-18 16:57 -------- d-----w- c:\program files\QuickTime
2010-05-18 16:51 . 2010-05-18 16:51 -------- d-----w- c:\program files\Bonjour
2010-05-18 16:37 . 2010-05-18 16:37 -------- d-----w- c:\program files\Safari
2010-05-12 11:21 . 2010-01-29 16:21 738304 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-11 02:04 . 2010-02-12 10:48 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-05-10 21:40 . 2010-02-23 11:32 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-05-10 21:40 . 2010-02-23 11:32 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-05-10 21:40 . 2010-02-23 11:32 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-05-10 21:40 . 2010-03-04 18:54 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-05-10 21:37 . 2010-02-18 14:49 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-05-10 21:37 . 2010-02-18 14:11 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-05-10 21:37 . 2010-02-18 11:52 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-05-10 20:58 . 2009-12-23 12:43 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-05-10 20:58 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll
2010-05-07 13:56 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-07 13:56 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-06 10:06 . 2010-05-06 10:07 -------- d-----w- c:\windows\system32\MustBeRandomlyNamed
2010-05-04 14:34 . 2010-05-04 14:34 -------- d-----w- c:\program files\Trend Micro
2010-04-22 20:56 . 2010-04-22 21:04 -------- d-----w- c:\temp\aol
2010-04-22 20:56 . 2010-04-22 20:56 -------- d-----w- C:\temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-20 11:52 . 2010-04-08 20:20 -------- d-----w- c:\programdata\Kontiki
2010-05-19 22:43 . 2008-08-25 12:49 91653 ----a-w- c:\users\stewart\AppData\Roaming\nvModes.dat
2010-05-18 17:00 . 2008-10-25 08:32 -------- d-----w- c:\program files\Common Files\Apple
2010-05-18 16:43 . 2010-05-18 16:43 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-18 16:33 . 2010-05-18 16:33 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-05-13 02:04 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-13 02:04 . 2008-04-10 20:46 -------- d-----w- c:\programdata\Microsoft Help
2010-05-07 13:56 . 2010-03-28 12:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-04 14:34 . 2010-05-04 14:34 388096 ----a-r- c:\users\stewart\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-03 18:56 . 2009-11-15 09:43 -------- d-----w- c:\users\stewart\AppData\Roaming\Ventrilo
2010-04-28 11:00 . 2008-08-25 14:19 -------- d-----w- c:\program files\PKR
2010-04-16 07:33 . 2010-04-16 07:33 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-16 07:33 . 2010-04-16 07:33 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-11 19:30 . 2008-04-10 20:55 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-04-09 01:55 . 2008-08-25 14:06 -------- d-----w- c:\users\stewart\AppData\Roaming\DivX
2010-04-09 01:14 . 2010-04-09 01:14 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-04-09 01:14 . 2010-04-09 01:09 -------- d-----w- c:\programdata\DivX
2010-04-09 01:14 . 2008-04-10 20:55 -------- d-----w- c:\program files\DivX
2010-04-09 01:14 . 2010-04-09 01:14 56766 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-04-09 01:14 . 2010-04-09 01:14 56978 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-04-09 01:14 . 2010-04-09 01:14 57679 ----a-w- c:\programdata\DivX\Player\Uninstaller.exe
2010-04-09 01:14 . 2010-04-09 01:14 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-04-09 01:09 . 2010-04-09 01:09 144696 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-04-09 01:09 . 2010-04-09 01:14 754984 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-04-09 01:09 . 2010-04-09 01:14 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-04-08 20:19 . 2010-04-08 20:18 -------- d-----w- c:\program files\Kontiki
2010-04-08 20:18 . 2010-04-08 20:18 -------- d-----w- c:\programdata\Sky
2010-04-08 20:18 . 2010-04-08 20:18 -------- d-----w- c:\program files\Sky
2010-04-08 20:06 . 2010-04-08 20:06 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-08 12:20 . 2010-04-08 12:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 12:20 . 2010-04-08 12:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-31 01:58 . 2008-04-10 21:01 133616 ------w- c:\windows\system32\pxafs.dll
2010-03-31 01:58 . 2007-12-20 20:54 125424 ------w- c:\windows\system32\pxinsi64.exe
2010-03-31 01:58 . 2007-12-20 10:00 44944 ------w- c:\windows\system32\drivers\pxhelp20.sys
2010-03-29 16:34 . 2010-03-29 16:34 48323 ----a-w- C:\MGlogs.zip
2010-03-28 19:12 . 2010-03-28 16:55 -------- d-----w- c:\users\stewart\AppData\Roaming\SUPERAntiSpyware.com
2010-03-28 19:12 . 2009-11-15 09:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-28 19:12 . 2010-03-28 16:55 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-28 17:24 . 2010-03-28 12:10 -------- d-----w- c:\program files\Yahoo!
2010-03-28 16:56 . 2010-03-28 16:56 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-03-28 12:49 . 2010-03-28 12:49 -------- d-----w- c:\users\stewart\AppData\Roaming\Malwarebytes
2010-03-28 12:49 . 2010-03-28 12:49 -------- d-----w- c:\programdata\Malwarebytes
2010-03-28 12:10 . 2010-03-28 12:10 -------- d-----w- c:\program files\CCleaner
2010-03-28 12:10 . 2010-03-28 12:10 -------- d-----w- c:\users\stewart\AppData\Roaming\Yahoo!
2010-03-24 21:20 . 2009-07-25 14:33 -------- d-----w- c:\program files\Steam
2010-03-09 16:28 . 2010-05-10 21:38 833024 ----a-w- c:\windows\system32\wininet.dll
2010-03-09 16:25 . 2010-05-10 21:38 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 14:01 . 2010-05-10 21:38 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-03-07 13:35 . 2010-03-07 10:55 77353 ----a-w- c:\windows\hpqins05.dat
2010-03-07 13:31 . 2008-08-25 12:49 123952 ----a-w- c:\users\stewart\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-20 23:39 . 2010-03-11 03:02 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:37 . 2010-03-11 03:02 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 21:18 . 2010-03-11 03:02 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-19 19:27 . 2010-02-19 19:27 720384 ----a-w- c:\windows\system32\DivX.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2010-02-19 19:27 . 2010-02-19 19:27 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27 . 2010-02-19 19:27 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2010-02-19 19:27 . 2010-02-19 19:27 839680 ----a-w- c:\windows\system32\divx_xx11.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe" [2009-03-19 460216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-02-12 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-12 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-12 81920]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-23 4718592]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2008-02-23 122880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-11-21 311296]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-30 30192]
"MarketingTools"="c:\program files\Sony\Marketing Tools\MarketingTools.exe" [2008-04-10 36864]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2008-08-25 26112]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 71008]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-08-26 236016]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 5.0\SetHook.exe" [2007-12-21 53248]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"HostManager"="c:\program files\Common Files\AOL\1243367064\ee\AOLSoftware.exe" [2006-11-14 50736]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-03-05 1135912]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2010-02-17 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

c:\users\stewart\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-2-12 0]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-08-15 03:05 98304 ----a-w- c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R2 gupdate1ca1b5c4204d2d0;Google Update Service (gupdate1ca1b5c4204d2d0);c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 133104]
R3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-10-30 30192]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-04-29 38224]
R3 SOHCImp;VAIO Media plus Content Importer;c:\program files\Sony\VAIO Media plus\SOHCImp.exe [2008-03-05 104288]
R3 SOHDms;VAIO Media plus Digital Media Server;c:\program files\Sony\VAIO Media plus\SOHDms.exe [2008-03-05 350048]
R3 SOHDs;VAIO Media plus Device Searcher;c:\program files\Sony\VAIO Media plus\SOHDs.exe [2008-03-05 63328]
R3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2008-03-03 333088]
R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe [2008-03-03 87328]
R3 WiselinkPro;SAMSUNG WiselinkPro Service;c:\program files\Samsung\SAMSUNG PC Share Manager\WiselinkPro.exe [2009-01-08 4136960]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS [2009-08-22 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\N360\0308000.029\BHDrvx86.sys [2009-08-22 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\N360\0308000.029\ccHPx86.sys [2009-08-22 482432]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100513.002\IDSvix86.sys [2009-10-28 343088]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2009-08-22 117640]
S2 NSUService;NSUService;c:\program files\Sony\Network Utility\NSUService.exe [2008-03-10 229376]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-09-12 102448]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2007-12-17 9344]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [2009-08-22 48688]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-06-06 812544]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2008-10-04 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2010-05-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 14:49]

2010-05-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Kontiki\KService.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Sony\VAIO Event Service\VESMgrSub.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\program files\Sony\VAIO Power Management\SPMgr.exe
c:\program files\Sony\VAIO Update 3\VAIOUpdt.exe
c:\windows\system32\DllHost.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Apoint\Apntex.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-05-20 12:58:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-20 11:58
ComboFix2.txt 2010-05-11 20:01
ComboFix3.txt 2010-05-11 11:50
ComboFix4.txt 2010-05-11 11:03

Pre-Run: 90,027,859,968 bytes free
Post-Run: 90,335,838,208 bytes free

- - End Of File - - 756A5B34B5DD28EA44CAE9C292D33A77

lidlkid
Novice

Posts : 19
Joined : 2010-05-04
OS : vista
Points : 24403
# Likes : 0


Re: backdoor.tidserv.inf

Post by Dr Jay on 20th May 2010, 3:20 pm

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the box below into it:
    killall::

    FCopy::
    C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_1cb29a96\iaStor.sys | C:\Windows\System32\drivers\iaStor.sys

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts : 14317
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 303008
# Likes : 10

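
The FCopy step in the CFScript above overwrites c:\windows\System32\drivers\iaStor.sys with the copy ComboFix finds in the DriverStore. The following PowerShell check is an added example, not part of Dr Jay's instructions and not ComboFix's own code: it hashes the in-use iaStor.sys, hashes every iaStor.sys held in the DriverStore, and reads the Authenticode signature of the in-use copy, so that a post-reboot log can be backed by a concrete comparison. It assumes PowerShell 4.0 or later (for Get-FileHash) and uses the paths from the CFScript; the DriverStore subfolder is found by search rather than hard-coded, because the iaahci.inf_1cb29a96 name is specific to this machine.

```powershell
# Added example (not from the thread or from ComboFix): compare the live
# Intel storage driver with the DriverStore copies and check its signature.
# Assumes PowerShell 4.0+ (Get-FileHash). Paths follow the CFScript above.

param(
    [string]$LiveDriver = 'C:\Windows\System32\drivers\iaStor.sys'
)

function Get-DriverStoreCopies {
    # Every iaStor.sys staged under the DriverStore; a machine may hold several.
    Get-ChildItem -Path 'C:\Windows\System32\DriverStore\FileRepository' `
                  -Recurse -Filter 'iaStor.sys' -ErrorAction SilentlyContinue
}

function Test-DriverIntegrity {
    param([string]$Path)
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        Size      = (Get-Item -Path $Path).Length
        SHA256    = $hash
        SigStatus = $sig.Status          # 'Valid' for an untouched vendor-signed driver
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    }
}

$live   = Test-DriverIntegrity -Path $LiveDriver
$stored = Get-DriverStoreCopies | ForEach-Object { Test-DriverIntegrity -Path $_.FullName }

# Side-by-side view: the live file first, then each DriverStore copy.
@($live) + @($stored) | Format-Table Path, Size, SigStatus, SHA256 -AutoSize

# A live driver that matches no DriverStore copy, or whose signature is not
# 'Valid', is the condition the FCopy step is meant to correct.
if ($stored.SHA256 -notcontains $live.SHA256 -or $live.SigStatus -ne 'Valid') {
    Write-Warning "$LiveDriver differs from every DriverStore copy or is not validly signed."
} else {
    Write-Host "$LiveDriver matches a DriverStore copy and is validly signed."
}
```

Run it from an elevated PowerShell prompt after the reboot the script requests. A mismatch or a non-Valid signature status is meaningful on its own; an apparent match is only as trustworthy as the system it is taken on, since a rootkit that filters disk reads can present a clean file to user-mode tools, which is why ComboFix's catchme rootkit scan (the "scanning hidden files" section of the logs above) remains the complementary check.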

Re: backdoor.tidserv.inf

Post by lidlkid on 22nd May 2010, 5:20 pm

ComboFix 10-05-21.06 - stewart 22/05/2010 17:50:50.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2046.977 [GMT 1:00]
Running from: c:\users\stewart\Desktop\ComboFix.exe
Command switches used :: c:\users\stewart\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\System32\DriverStore\FileRepository\iaahci.inf_1cb29a96\iaStor.sys --> c:\windows\System32\drivers\iaStor.sys
.
((((((((((((((((((((((((( Files Created from 2010-04-22 to 2010-05-22 )))))))))))))))))))))))))))))))
.

2010-05-22 17:00 . 2010-05-22 17:03 -------- d-----w- c:\users\stewart\AppData\Local\temp
2010-05-22 17:00 . 2010-05-22 17:00 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-22 17:00 . 2010-05-22 17:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-18 17:00 . 2010-05-18 17:00 -------- d-----w- c:\program files\iPod
2010-05-18 17:00 . 2010-05-18 17:01 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-18 17:00 . 2010-05-18 17:01 -------- d-----w- c:\program files\iTunes
2010-05-18 16:56 . 2010-05-18 16:57 -------- d-----w- c:\program files\QuickTime
2010-05-18 16:51 . 2010-05-18 16:51 -------- d-----w- c:\program files\Bonjour
2010-05-18 16:37 . 2010-05-18 16:37 -------- d-----w- c:\program files\Safari
2010-05-12 11:21 . 2010-01-29 16:21 738304 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-11 02:04 . 2010-02-12 10:48 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-05-10 21:40 . 2010-02-23 11:32 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-05-10 21:40 . 2010-02-23 11:32 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-05-10 21:40 . 2010-02-23 11:32 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-05-10 21:40 . 2010-03-04 18:54 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-05-10 21:37 . 2010-02-18 14:49 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-05-10 21:37 . 2010-02-18 14:11 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-05-10 21:37 . 2010-02-18 11:52 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-05-10 20:58 . 2009-12-23 12:43 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-05-10 20:58 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll
2010-05-07 13:56 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-07 13:56 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-06 10:06 . 2010-05-06 10:07 -------- d-----w- c:\windows\system32\MustBeRandomlyNamed
2010-05-04 14:34 . 2010-05-04 14:34 -------- d-----w- c:\program files\Trend Micro
2010-04-22 20:56 . 2010-04-22 21:04 -------- d-----w- c:\temp\aol
2010-04-22 20:56 . 2010-04-22 20:56 -------- d-----w- C:\temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-22 17:06 . 2010-04-08 20:20 -------- d-----w- c:\programdata\Kontiki
2010-05-22 16:40 . 2008-08-25 12:49 91653 ----a-w- c:\users\stewart\AppData\Roaming\nvModes.dat
2010-05-18 17:00 . 2008-10-25 08:32 -------- d-----w- c:\program files\Common Files\Apple
2010-05-18 16:43 . 2010-05-18 16:43 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-18 16:33 . 2010-05-18 16:33 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-05-13 02:04 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-13 02:04 . 2008-04-10 20:46 -------- d-----w- c:\programdata\Microsoft Help
2010-05-07 13:56 . 2010-03-28 12:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-04 14:34 . 2010-05-04 14:34 388096 ----a-r- c:\users\stewart\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-03 18:56 . 2009-11-15 09:43 -------- d-----w- c:\users\stewart\AppData\Roaming\Ventrilo
2010-04-28 11:00 . 2008-08-25 14:19 -------- d-----w- c:\program files\PKR
2010-04-16 07:33 . 2010-04-16 07:33 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-16 07:33 . 2010-04-16 07:33 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-11 19:30 . 2008-04-10 20:55 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-04-09 01:55 . 2008-08-25 14:06 -------- d-----w- c:\users\stewart\AppData\Roaming\DivX
2010-04-09 01:14 . 2010-04-09 01:14 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-04-09 01:14 . 2010-04-09 01:09 -------- d-----w- c:\programdata\DivX
2010-04-09 01:14 . 2008-04-10 20:55 -------- d-----w- c:\program files\DivX
2010-04-09 01:14 . 2010-04-09 01:14 56766 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-04-09 01:14 . 2010-04-09 01:14 56978 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-04-09 01:14 . 2010-04-09 01:14 57679 ----a-w- c:\programdata\DivX\Player\Uninstaller.exe
2010-04-09 01:14 . 2010-04-09 01:14 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-04-09 01:09 . 2010-04-09 01:09 144696 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-04-09 01:09 . 2010-04-09 01:14 754984 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-04-09 01:09 . 2010-04-09 01:14 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-04-08 20:19 . 2010-04-08 20:18 -------- d-----w- c:\program files\Kontiki
2010-04-08 20:18 . 2010-04-08 20:18 -------- d-----w- c:\programdata\Sky
2010-04-08 20:18 . 2010-04-08 20:18 -------- d-----w- c:\program files\Sky
2010-04-08 20:06 . 2010-04-08 20:06 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-08 12:20 . 2010-04-08 12:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 12:20 . 2010-04-08 12:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-31 01:58 . 2008-04-10 21:01 133616 ------w- c:\windows\system32\pxafs.dll
2010-03-31 01:58 . 2007-12-20 20:54 125424 ------w- c:\windows\system32\pxinsi64.exe
2010-03-31 01:58 . 2007-12-20 10:00 44944 ------w- c:\windows\system32\drivers\pxhelp20.sys
2010-03-29 16:34 . 2010-03-29 16:34 48323 ----a-w- C:\MGlogs.zip
2010-03-28 19:12 . 2010-03-28 16:55 -------- d-----w- c:\users\stewart\AppData\Roaming\SUPERAntiSpyware.com
2010-03-28 19:12 . 2009-11-15 09:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-28 19:12 . 2010-03-28 16:55 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-28 17:24 . 2010-03-28 12:10 -------- d-----w- c:\program files\Yahoo!
2010-03-28 16:56 . 2010-03-28 16:56 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-03-28 12:49 . 2010-03-28 12:49 -------- d-----w- c:\users\stewart\AppData\Roaming\Malwarebytes
2010-03-28 12:49 . 2010-03-28 12:49 -------- d-----w- c:\programdata\Malwarebytes
2010-03-28 12:10 . 2010-03-28 12:10 -------- d-----w- c:\program files\CCleaner
2010-03-28 12:10 . 2010-03-28 12:10 -------- d-----w- c:\users\stewart\AppData\Roaming\Yahoo!
2010-03-24 21:20 . 2009-07-25 14:33 -------- d-----w- c:\program files\Steam
2010-03-09 16:28 . 2010-05-10 21:38 833024 ----a-w- c:\windows\system32\wininet.dll
2010-03-09 16:25 . 2010-05-10 21:38 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 14:01 . 2010-05-10 21:38 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-03-07 13:35 . 2010-03-07 10:55 77353 ----a-w- c:\windows\hpqins05.dat
2010-03-07 13:31 . 2008-08-25 12:49 123952 ----a-w- c:\users\stewart\AppData\Local\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe" [2009-03-19 460216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-02-12 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-12 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-12 81920]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-23 4718592]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2008-02-23 122880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-11-21 311296]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-30 30192]
"MarketingTools"="c:\program files\Sony\Marketing Tools\MarketingTools.exe" [2008-04-10 36864]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2008-08-25 26112]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 71008]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-08-26 236016]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 5.0\SetHook.exe" [2007-12-21 53248]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"HostManager"="c:\program files\Common Files\AOL\1243367064\ee\AOLSoftware.exe" [2006-11-14 50736]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-03-05 1135912]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2010-02-17 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

c:\users\stewart\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-2-12 0]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-08-15 03:05 98304 ----a-w- c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R2 gupdate1ca1b5c4204d2d0;Google Update Service (gupdate1ca1b5c4204d2d0);c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 133104]
R3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-10-30 30192]
R3 SOHCImp;VAIO Media plus Content Importer;c:\program files\Sony\VAIO Media plus\SOHCImp.exe [2008-03-05 104288]
R3 SOHDms;VAIO Media plus Digital Media Server;c:\program files\Sony\VAIO Media plus\SOHDms.exe [2008-03-05 350048]
R3 SOHDs;VAIO Media plus Device Searcher;c:\program files\Sony\VAIO Media plus\SOHDs.exe [2008-03-05 63328]
R3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2008-03-03 333088]
R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe [2008-03-03 87328]
R3 WiselinkPro;SAMSUNG WiselinkPro Service;c:\program files\Samsung\SAMSUNG PC Share Manager\WiselinkPro.exe [2009-01-08 4136960]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS [2009-08-22 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\N360\0308000.029\BHDrvx86.sys [2009-08-22 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\N360\0308000.029\ccHPx86.sys [2009-08-22 482432]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100513.002\IDSvix86.sys [2009-10-28 343088]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2009-08-22 117640]
S2 NSUService;NSUService;c:\program files\Sony\Network Utility\NSUService.exe [2008-03-10 229376]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-09-12 102448]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2007-12-17 9344]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [2009-08-22 48688]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-06-06 812544]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2008-10-04 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2010-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 14:49]

2010-05-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-05-22 18:06
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3960)
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Kontiki\KService.exe
c:\program files\Sony\VAIO Update 3\VAIOUpdt.exe
c:\windows\system32\DllHost.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Apoint\Apntex.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Sony\VAIO Event Service\VESMgrSub.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\program files\Sony\VAIO Power Management\SPMgr.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\WerCon.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Java\jre6\bin\jucheck.exe
c:\windows\system32\WerFault.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\wermgr.exe
c:\program files\NORTON 360\ENGINE\3.8.0.41\cltLMH.exe
c:\windows\system32\WerFault.exe
.
**************************************************************************
.
Completion time: 2010-05-22 18:12:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-22 17:12
ComboFix2.txt 2010-05-20 11:58
ComboFix3.txt 2010-05-11 20:01
ComboFix4.txt 2010-05-11 11:50
ComboFix5.txt 2010-05-22 16:46

Pre-Run: 89,820,651,520 bytes free
Post-Run: 89,597,952,000 bytes free

- - End Of File - - B2C7938CED9B70322ECC53DB4F7941D1

lidlkid
Novice

Posts : 19
Joined : 2010-05-04
OS : vista
Points : 24403
# Likes : 0


Re: backdoor.tidserv.inf

Post by Dr Jay on 22nd May 2010, 9:38 pm

Now, see if that threat is still being picked up. (backdoor.tidserv.inf)


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts : 14317
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 303008
# Likes : 10


Re: backdoor.tidserv.inf

Post by lidlkid on 23rd May 2010, 8:00 pm

Just ran a quick scan and all gone!!! Thank you so much for your help and patience. Really appreciate all the time and effort you have put in here...thanks again


Re: backdoor.tidserv.inf

Post by Dr Jay on 23rd May 2010, 8:17 pm

We must clean up our tools now.

To manually create a new Restore Point

  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive i.e. C
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete
You are now done

To remove all of the tools we used and the files and folders they created, please do the following:
Please download [You must be registered and logged in to see this link.] by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

==

Please download [You must be registered and logged in to see this link.] to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


==

Download Security Check by screen317 from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Dr. Jay (DJ)



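The restore-point steps in the post above can also be done from an elevated PowerShell prompt. The script below is an added example written for this page, not a tool from the thread or from GeekPolice: it creates a restore point named Clean (the name the post suggests) and then deletes every older shadow copy, which is what Disk Cleanup's "System Restore and Shadow Copies" button does. It assumes System Protection is enabled on the system drive and that the prompt is running as Administrator.

```powershell
# Added example, not from the thread: scripted version of the manual
# "create a restore point named Clean, then purge the older ones" steps.
# Assumes an elevated PowerShell prompt on a machine where System
# Protection is enabled for the system drive.

function New-CleanRestorePoint {
    param([string]$Description = 'Clean')
    # Checkpoint-Computer creates a System Restore point. Windows 8 and later
    # allow only one point per 24 hours by default, so a repeat call inside that
    # window silently creates nothing; the returned object shows what exists.
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
    Get-ComputerRestorePoint |
        Sort-Object SequenceNumber -Descending |
        Select-Object -First 1
}

function Remove-OlderShadowCopies {
    # Restore points are stored inside Volume Shadow Copies. Keep only the
    # most recent copy (the Clean point just created) and delete the rest.
    $copies = @(Get-WmiObject -Class Win32_ShadowCopy |
        Sort-Object { [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate) } -Descending)
    if ($copies.Count -le 1) {
        Write-Host 'Nothing to purge: at most one shadow copy present.'
        return
    }
    $copies | Select-Object -Skip 1 | ForEach-Object {
        Write-Host ('Deleting shadow copy {0} created {1}' -f $_.ID, $_.InstallDate)
        $_.Delete()   # removes the shadow copy and the restore point it holds
    }
}

$clean = New-CleanRestorePoint
Write-Host ('Newest restore point #{0}: {1}' -f $clean.SequenceNumber, $clean.Description)
Remove-OlderShadowCopies
```

Check the printed restore point before running the purge: if Checkpoint-Computer was throttled and the newest point is not the one you just named, the purge would keep an older point instead.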

Re: backdoor.tidserv.inf

Post by lidlkid on 23rd May 2010, 9:02 pm

Results of screen317's Security Check version 0.99.4
Windows Vista Service Pack 1 (UAC is disabled!)
[You must be registered and logged in to see this link.]
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
Norton 360
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java(TM) 6 Update 13
Out of date Java installed!
Adobe Flash Player
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````


Re: backdoor.tidserv.inf

Post by Dr Jay on 24th May 2010, 2:45 am

Please consider updating to Windows Vista Service Pack 2 (SP2).
Windows Vista Service Pack 2 (SP2) contains all the updates released since SP1 plus support for new types of hardware and emerging hardware standards.
It is now available via [You must be registered and logged in to see this link.] or as a standalone installation [You must be registered and logged in to see this link.].

================

Please download the newest version of Adobe Acrobat Reader from [You must be registered and logged in to see this link.]

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previously installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

==

Please download the newest version of Java from [You must be registered and logged in to see this link.].

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

=========================

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

AntiSpyware

  • [You must be registered and logged in to see this link.]
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found [You must be registered and logged in to see this link.].
  • [You must be registered and logged in to see this link.].
    Spybot - Search & Destroy is a spyware and adware removal program. It also has real-time protection, TeaTimer, to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).


NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
[You must be registered and logged in to see this link.]

Securing your computer

  • [You must be registered and logged in to see this link.] - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • [You must be registered and logged in to see this link.] replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:


Thank you for choosing GeekPolice. Please see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site. Do you have any more questions?


Dr. Jay (DJ)



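Both the Security Check log earlier in the thread (two Adobe Reader entries, an out-of-date Java) and the uninstall-before-upgrade advice above come down to the same check: which Java and Adobe Reader versions are actually registered on the machine. The script below is an added example for this page, not part of Security Check or anything posted in the thread. It reads the Uninstall registry keys that Programs and Features is built on and marks every entry except the newest of each family as stale. The DisplayName patterns are assumptions based on how these installers usually name themselves.

```powershell
# Added example, not from the thread: list every Java and Adobe Reader entry
# in the Uninstall registry keys and mark everything but the newest version as
# stale, so the "remove older versions before installing the new one" step can
# be verified. The DisplayName patterns are assumptions about vendor naming.

function Get-InstalledPrograms {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'  # 64-bit hosts only
    )
    # One object per uninstall subkey; a missing path (32-bit Windows) is skipped.
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

function ConvertTo-SortableVersion {
    param([string]$Text)
    # Uninstall entries do not always carry a clean x.y.z string; fall back to 0.0
    try { return [version]$Text } catch { return [version]'0.0' }
}

function Find-StaleRuntimes {
    param([object[]]$Programs)
    $families = @{
        'Java'         = '^(Java|J2SE Runtime Environment)'
        'Adobe Reader' = '^Adobe (Acrobat )?Reader'
    }
    foreach ($family in $families.Keys) {
        $hits = @($Programs | Where-Object { $_.DisplayName -match $families[$family] })
        if ($hits.Count -eq 0) { continue }
        # Newest first; every later entry is an old version still registered
        $sorted = @($hits | Sort-Object { ConvertTo-SortableVersion $_.DisplayVersion } -Descending)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $status = if ($i -eq 0) { 'keep (newest)' } else { 'stale: uninstall before upgrading' }
            New-Object PSObject -Property @{
                Family  = $family
                Name    = $sorted[$i].DisplayName
                Version = $sorted[$i].DisplayVersion
                Status  = $status
            }
        }
    }
}

Find-StaleRuntimes -Programs (Get-InstalledPrograms) |
    Select-Object Family, Name, Version, Status |
    Format-Table -AutoSize
```

Run it again after the uninstalls and the new installs: each family should then show exactly one row, marked keep. Separate security-update entries (like the "Adobe Reader 8.1.2 Security Update 1" line in the log) show up as their own rows and disappear with the version they patched.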
