backdoor.tidserv.inf

View previous topic View next topic Go down

Re: backdoor.tidserv.inf

Post by lidlkid on Tue May 18, 2010 5:27 pm

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 18:25 on 18/05/2010 by stewart (Administrator - Elevation successful)

No Context: filefind

No Context: iastor.sys

No Context: atapi.sys

-=End Of File=-

lidlkid
Novice
Novice

Posts Posts : 19
Joined Joined : 2010-05-04
OS OS : vista
Points Points : 24353
# Likes # Likes : 0

View user profile

Back to top Go down

Re: backdoor.tidserv.inf

Post by Dr Jay on Tue May 18, 2010 7:28 pm

Hi

Make sure to copy the colon sign before the filefind part.

:filefind

Please try again.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13719
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Protection Protection : Bitdefender Total Security
Points Points : 302143
# Likes # Likes : 10

View user profile

Back to top Go down

Re: backdoor.tidserv.inf

Post by lidlkid on Wed May 19, 2010 2:39 pm

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 15:36 on 19/05/2010 by stewart (Administrator - Elevation successful)

========== filefind ==========

Searching for "iastor.sys"
C:\Windows\Drivers\INF\SATA Driver (Intel) (Non-RAID)\iastor.sys --a--- 277784 bytes [18:01 13/03/2008] [00:03 01/03/2007] FD7F9D74C2B35DBDA400804A3F5ED5D8
C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_1cb29a96\iaStor.sys --a--- 277784 bytes [18:01 13/03/2008] [00:03 01/03/2007] FD7F9D74C2B35DBDA400804A3F5ED5D8
C:\Windows\System32\drivers\iaStor.sys --a--- 277784 bytes [18:01 13/03/2008] [00:03 01/03/2007] (Unable to calculate MD5)

Searching for "atapi.sys"
C:\Windows\ERDNT\cache\atapi.sys --a--- 21560 bytes [11:01 11/05/2010] [02:23 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a--- 19944 bytes [06:58 11/09/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a--- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys --a--- 21560 bytes [02:23 21/01/2008] [02:23 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\System32\drivers\atapi.sys --a--- 21560 bytes [02:23 21/01/2008] [02:23 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a--- 21560 bytes [02:23 21/01/2008] [02:23 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9

-=End Of File=-

lidlkid
Novice
Novice

Posts Posts : 19
Joined Joined : 2010-05-04
OS OS : vista
Points Points : 24353
# Likes # Likes : 0

View user profile

Back to top Go down

Re: backdoor.tidserv.inf

Post by Dr Jay on Wed May 19, 2010 10:53 pm

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the box below into it:
    killall::

    TDL::
    C:\Windows\System32\drivers\iaStor.sys

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13719
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Protection Protection : Bitdefender Total Security
Points Points : 302143
# Likes # Likes : 10

View user profile

Back to top Go down

Re: backdoor.tidserv.inf

Post by lidlkid on Thu May 20, 2010 12:06 pm

ComboFix 10-05-19.02 - stewart 20/05/2010 12:33:55.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2046.1100 [GMT 1:00]
Running from: c:\users\stewart\Desktop\ComboFix.exe
Command switches used :: c:\users\stewart\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-04-20 to 2010-05-20 )))))))))))))))))))))))))))))))
.

2010-05-20 11:44 . 2010-05-20 11:50 -------- d-----w- c:\users\stewart\AppData\Local\temp
2010-05-20 11:44 . 2010-05-20 11:44 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-20 11:44 . 2010-05-20 11:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-18 17:00 . 2010-05-18 17:00 -------- d-----w- c:\program files\iPod
2010-05-18 17:00 . 2010-05-18 17:01 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-18 17:00 . 2010-05-18 17:01 -------- d-----w- c:\program files\iTunes
2010-05-18 16:56 . 2010-05-18 16:57 -------- d-----w- c:\program files\QuickTime
2010-05-18 16:51 . 2010-05-18 16:51 -------- d-----w- c:\program files\Bonjour
2010-05-18 16:37 . 2010-05-18 16:37 -------- d-----w- c:\program files\Safari
2010-05-12 11:21 . 2010-01-29 16:21 738304 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-11 02:04 . 2010-02-12 10:48 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-05-10 21:40 . 2010-02-23 11:32 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-05-10 21:40 . 2010-02-23 11:32 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-05-10 21:40 . 2010-02-23 11:32 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-05-10 21:40 . 2010-03-04 18:54 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-05-10 21:37 . 2010-02-18 14:49 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-05-10 21:37 . 2010-02-18 14:11 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-05-10 21:37 . 2010-02-18 11:52 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-05-10 20:58 . 2009-12-23 12:43 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-05-10 20:58 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll
2010-05-07 13:56 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-07 13:56 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-06 10:06 . 2010-05-06 10:07 -------- d-----w- c:\windows\system32\MustBeRandomlyNamed
2010-05-04 14:34 . 2010-05-04 14:34 -------- d-----w- c:\program files\Trend Micro
2010-04-22 20:56 . 2010-04-22 21:04 -------- d-----w- c:\temp\aol
2010-04-22 20:56 . 2010-04-22 20:56 -------- d-----w- C:\temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-20 11:52 . 2010-04-08 20:20 -------- d-----w- c:\programdata\Kontiki
2010-05-19 22:43 . 2008-08-25 12:49 91653 ----a-w- c:\users\stewart\AppData\Roaming\nvModes.dat
2010-05-18 17:00 . 2008-10-25 08:32 -------- d-----w- c:\program files\Common Files\Apple
2010-05-18 16:43 . 2010-05-18 16:43 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-18 16:33 . 2010-05-18 16:33 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-05-13 02:04 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-13 02:04 . 2008-04-10 20:46 -------- d-----w- c:\programdata\Microsoft Help
2010-05-07 13:56 . 2010-03-28 12:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-04 14:34 . 2010-05-04 14:34 388096 ----a-r- c:\users\stewart\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-03 18:56 . 2009-11-15 09:43 -------- d-----w- c:\users\stewart\AppData\Roaming\Ventrilo
2010-04-28 11:00 . 2008-08-25 14:19 -------- d-----w- c:\program files\PKR
2010-04-16 07:33 . 2010-04-16 07:33 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-16 07:33 . 2010-04-16 07:33 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-11 19:30 . 2008-04-10 20:55 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-04-09 01:55 . 2008-08-25 14:06 -------- d-----w- c:\users\stewart\AppData\Roaming\DivX
2010-04-09 01:14 . 2010-04-09 01:14 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-04-09 01:14 . 2010-04-09 01:09 -------- d-----w- c:\programdata\DivX
2010-04-09 01:14 . 2008-04-10 20:55 -------- d-----w- c:\program files\DivX
2010-04-09 01:14 . 2010-04-09 01:14 56766 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-04-09 01:14 . 2010-04-09 01:14 56978 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-04-09 01:14 . 2010-04-09 01:14 57679 ----a-w- c:\programdata\DivX\Player\Uninstaller.exe
2010-04-09 01:14 . 2010-04-09 01:14 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-04-09 01:09 . 2010-04-09 01:09 144696 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-04-09 01:09 . 2010-04-09 01:14 754984 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-04-09 01:09 . 2010-04-09 01:14 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-04-08 20:19 . 2010-04-08 20:18 -------- d-----w- c:\program files\Kontiki
2010-04-08 20:18 . 2010-04-08 20:18 -------- d-----w- c:\programdata\Sky
2010-04-08 20:18 . 2010-04-08 20:18 -------- d-----w- c:\program files\Sky
2010-04-08 20:06 . 2010-04-08 20:06 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-08 12:20 . 2010-04-08 12:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 12:20 . 2010-04-08 12:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-31 01:58 . 2008-04-10 21:01 133616 ------w- c:\windows\system32\pxafs.dll
2010-03-31 01:58 . 2007-12-20 20:54 125424 ------w- c:\windows\system32\pxinsi64.exe
2010-03-31 01:58 . 2007-12-20 10:00 44944 ------w- c:\windows\system32\drivers\pxhelp20.sys
2010-03-29 16:34 . 2010-03-29 16:34 48323 ----a-w- C:\MGlogs.zip
2010-03-28 19:12 . 2010-03-28 16:55 -------- d-----w- c:\users\stewart\AppData\Roaming\SUPERAntiSpyware.com
2010-03-28 19:12 . 2009-11-15 09:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-28 19:12 . 2010-03-28 16:55 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-28 17:24 . 2010-03-28 12:10 -------- d-----w- c:\program files\Yahoo!
2010-03-28 16:56 . 2010-03-28 16:56 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-03-28 12:49 . 2010-03-28 12:49 -------- d-----w- c:\users\stewart\AppData\Roaming\Malwarebytes
2010-03-28 12:49 . 2010-03-28 12:49 -------- d-----w- c:\programdata\Malwarebytes
2010-03-28 12:10 . 2010-03-28 12:10 -------- d-----w- c:\program files\CCleaner
2010-03-28 12:10 . 2010-03-28 12:10 -------- d-----w- c:\users\stewart\AppData\Roaming\Yahoo!
2010-03-24 21:20 . 2009-07-25 14:33 -------- d-----w- c:\program files\Steam
2010-03-09 16:28 . 2010-05-10 21:38 833024 ----a-w- c:\windows\system32\wininet.dll
2010-03-09 16:25 . 2010-05-10 21:38 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 14:01 . 2010-05-10 21:38 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-03-07 13:35 . 2010-03-07 10:55 77353 ----a-w- c:\windows\hpqins05.dat
2010-03-07 13:31 . 2008-08-25 12:49 123952 ----a-w- c:\users\stewart\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-20 23:39 . 2010-03-11 03:02 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:37 . 2010-03-11 03:02 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 21:18 . 2010-03-11 03:02 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-19 19:27 . 2010-02-19 19:27 720384 ----a-w- c:\windows\system32\DivX.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2010-02-19 19:27 . 2010-02-19 19:27 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27 . 2010-02-19 19:27 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2010-02-19 19:27 . 2010-02-19 19:27 839680 ----a-w- c:\windows\system32\divx_xx11.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe" [2009-03-19 460216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-02-12 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-12 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-12 81920]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-23 4718592]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2008-02-23 122880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-11-21 311296]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-30 30192]
"MarketingTools"="c:\program files\Sony\Marketing Tools\MarketingTools.exe" [2008-04-10 36864]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2008-08-25 26112]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 71008]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-08-26 236016]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 5.0\SetHook.exe" [2007-12-21 53248]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"HostManager"="c:\program files\Common Files\AOL\1243367064\ee\AOLSoftware.exe" [2006-11-14 50736]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-03-05 1135912]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2010-02-17 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

c:\users\stewart\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-2-12 0]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-08-15 03:05 98304 ----a-w- c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R2 gupdate1ca1b5c4204d2d0;Google Update Service (gupdate1ca1b5c4204d2d0);c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 133104]
R3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-10-30 30192]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-04-29 38224]
R3 SOHCImp;VAIO Media plus Content Importer;c:\program files\Sony\VAIO Media plus\SOHCImp.exe [2008-03-05 104288]
R3 SOHDms;VAIO Media plus Digital Media Server;c:\program files\Sony\VAIO Media plus\SOHDms.exe [2008-03-05 350048]
R3 SOHDs;VAIO Media plus Device Searcher;c:\program files\Sony\VAIO Media plus\SOHDs.exe [2008-03-05 63328]
R3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2008-03-03 333088]
R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe [2008-03-03 87328]
R3 WiselinkPro;SAMSUNG WiselinkPro Service;c:\program files\Samsung\SAMSUNG PC Share Manager\WiselinkPro.exe [2009-01-08 4136960]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS [2009-08-22 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\N360\0308000.029\BHDrvx86.sys [2009-08-22 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\N360\0308000.029\ccHPx86.sys [2009-08-22 482432]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100513.002\IDSvix86.sys [2009-10-28 343088]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2009-08-22 117640]
S2 NSUService;NSUService;c:\program files\Sony\Network Utility\NSUService.exe [2008-03-10 229376]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-09-12 102448]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2007-12-17 9344]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [2009-08-22 48688]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-06-06 812544]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2008-10-04 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2010-05-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 14:49]

2010-05-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Kontiki\KService.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Sony\VAIO Event Service\VESMgrSub.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\program files\Sony\VAIO Power Management\SPMgr.exe
c:\program files\Sony\VAIO Update 3\VAIOUpdt.exe
c:\windows\system32\DllHost.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Apoint\Apntex.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-05-20 12:58:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-20 11:58
ComboFix2.txt 2010-05-11 20:01
ComboFix3.txt 2010-05-11 11:50
ComboFix4.txt 2010-05-11 11:03

Pre-Run: 90,027,859,968 bytes free
Post-Run: 90,335,838,208 bytes free

- - End Of File - - 756A5B34B5DD28EA44CAE9C292D33A77

lidlkid
Novice
Novice

Posts Posts : 19
Joined Joined : 2010-05-04
OS OS : vista
Points Points : 24353
# Likes # Likes : 0

View user profile

Back to top Go down

Re: backdoor.tidserv.inf

Post by Dr Jay on Thu May 20, 2010 3:20 pm

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the box below into it:
    killall::

    FCopy::
    C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_1cb29a96\iaStor.sys | C:\Windows\System32\drivers\iaStor.sys

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13719
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Protection Protection : Bitdefender Total Security
Points Points : 302143
# Likes # Likes : 10

View user profile

Back to top Go down

Re: backdoor.tidserv.inf

Post by lidlkid on Sat May 22, 2010 5:20 pm

ComboFix 10-05-21.06 - stewart 22/05/2010 17:50:50.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2046.977 [GMT 1:00]
Running from: c:\users\stewart\Desktop\ComboFix.exe
Command switches used :: c:\users\stewart\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\System32\DriverStore\FileRepository\iaahci.inf_1cb29a96\iaStor.sys --> c:\windows\System32\drivers\iaStor.sys
.
((((((((((((((((((((((((( Files Created from 2010-04-22 to 2010-05-22 )))))))))))))))))))))))))))))))
.

2010-05-22 17:00 . 2010-05-22 17:03 -------- d-----w- c:\users\stewart\AppData\Local\temp
2010-05-22 17:00 . 2010-05-22 17:00 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-22 17:00 . 2010-05-22 17:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-18 17:00 . 2010-05-18 17:00 -------- d-----w- c:\program files\iPod
2010-05-18 17:00 . 2010-05-18 17:01 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-18 17:00 . 2010-05-18 17:01 -------- d-----w- c:\program files\iTunes
2010-05-18 16:56 . 2010-05-18 16:57 -------- d-----w- c:\program files\QuickTime
2010-05-18 16:51 . 2010-05-18 16:51 -------- d-----w- c:\program files\Bonjour
2010-05-18 16:37 . 2010-05-18 16:37 -------- d-----w- c:\program files\Safari
2010-05-12 11:21 . 2010-01-29 16:21 738304 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-11 02:04 . 2010-02-12 10:48 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-05-10 21:40 . 2010-02-23 11:32 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-05-10 21:40 . 2010-02-23 11:32 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-05-10 21:40 . 2010-02-23 11:32 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-05-10 21:40 . 2010-03-04 18:54 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-05-10 21:37 . 2010-02-18 14:49 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-05-10 21:37 . 2010-02-18 14:11 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-05-10 21:37 . 2010-02-18 11:52 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-05-10 20:58 . 2009-12-23 12:43 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-05-10 20:58 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll
2010-05-07 13:56 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-07 13:56 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-06 10:06 . 2010-05-06 10:07 -------- d-----w- c:\windows\system32\MustBeRandomlyNamed
2010-05-04 14:34 . 2010-05-04 14:34 -------- d-----w- c:\program files\Trend Micro
2010-04-22 20:56 . 2010-04-22 21:04 -------- d-----w- c:\temp\aol
2010-04-22 20:56 . 2010-04-22 20:56 -------- d-----w- C:\temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-22 17:06 . 2010-04-08 20:20 -------- d-----w- c:\programdata\Kontiki
2010-05-22 16:40 . 2008-08-25 12:49 91653 ----a-w- c:\users\stewart\AppData\Roaming\nvModes.dat
2010-05-18 17:00 . 2008-10-25 08:32 -------- d-----w- c:\program files\Common Files\Apple
2010-05-18 16:43 . 2010-05-18 16:43 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-18 16:33 . 2010-05-18 16:33 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-05-13 02:04 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-13 02:04 . 2008-04-10 20:46 -------- d-----w- c:\programdata\Microsoft Help
2010-05-07 13:56 . 2010-03-28 12:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-04 14:34 . 2010-05-04 14:34 388096 ----a-r- c:\users\stewart\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-03 18:56 . 2009-11-15 09:43 -------- d-----w- c:\users\stewart\AppData\Roaming\Ventrilo
2010-04-28 11:00 . 2008-08-25 14:19 -------- d-----w- c:\program files\PKR
2010-04-16 07:33 . 2010-04-16 07:33 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-16 07:33 . 2010-04-16 07:33 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-11 19:30 . 2008-04-10 20:55 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-04-09 01:55 . 2008-08-25 14:06 -------- d-----w- c:\users\stewart\AppData\Roaming\DivX
2010-04-09 01:14 . 2010-04-09 01:14 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-04-09 01:14 . 2010-04-09 01:09 -------- d-----w- c:\programdata\DivX
2010-04-09 01:14 . 2008-04-10 20:55 -------- d-----w- c:\program files\DivX
2010-04-09 01:14 . 2010-04-09 01:14 56766 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-04-09 01:14 . 2010-04-09 01:14 56978 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-04-09 01:14 . 2010-04-09 01:14 57679 ----a-w- c:\programdata\DivX\Player\Uninstaller.exe
2010-04-09 01:14 . 2010-04-09 01:14 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-04-09 01:09 . 2010-04-09 01:09 144696 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-04-09 01:09 . 2010-04-09 01:14 754984 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-04-09 01:09 . 2010-04-09 01:14 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-04-08 20:19 . 2010-04-08 20:18 -------- d-----w- c:\program files\Kontiki
2010-04-08 20:18 . 2010-04-08 20:18 -------- d-----w- c:\programdata\Sky
2010-04-08 20:18 . 2010-04-08 20:18 -------- d-----w- c:\program files\Sky
2010-04-08 20:06 . 2010-04-08 20:06 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-08 12:20 . 2010-04-08 12:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 12:20 . 2010-04-08 12:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-31 01:58 . 2008-04-10 21:01 133616 ------w- c:\windows\system32\pxafs.dll
2010-03-31 01:58 . 2007-12-20 20:54 125424 ------w- c:\windows\system32\pxinsi64.exe
2010-03-31 01:58 . 2007-12-20 10:00 44944 ------w- c:\windows\system32\drivers\pxhelp20.sys
2010-03-29 16:34 . 2010-03-29 16:34 48323 ----a-w- C:\MGlogs.zip
2010-03-28 19:12 . 2010-03-28 16:55 -------- d-----w- c:\users\stewart\AppData\Roaming\SUPERAntiSpyware.com
2010-03-28 19:12 . 2009-11-15 09:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-28 19:12 . 2010-03-28 16:55 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-28 17:24 . 2010-03-28 12:10 -------- d-----w- c:\program files\Yahoo!
2010-03-28 16:56 . 2010-03-28 16:56 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-03-28 12:49 . 2010-03-28 12:49 -------- d-----w- c:\users\stewart\AppData\Roaming\Malwarebytes
2010-03-28 12:49 . 2010-03-28 12:49 -------- d-----w- c:\programdata\Malwarebytes
2010-03-28 12:10 . 2010-03-28 12:10 -------- d-----w- c:\program files\CCleaner
2010-03-28 12:10 . 2010-03-28 12:10 -------- d-----w- c:\users\stewart\AppData\Roaming\Yahoo!
2010-03-24 21:20 . 2009-07-25 14:33 -------- d-----w- c:\program files\Steam
2010-03-09 16:28 . 2010-05-10 21:38 833024 ----a-w- c:\windows\system32\wininet.dll
2010-03-09 16:25 . 2010-05-10 21:38 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 14:01 . 2010-05-10 21:38 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-03-07 13:35 . 2010-03-07 10:55 77353 ----a-w- c:\windows\hpqins05.dat
2010-03-07 13:31 . 2008-08-25 12:49 123952 ----a-w- c:\users\stewart\AppData\Local\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe" [2009-03-19 460216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-02-12 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-12 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-12 81920]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-23 4718592]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2008-02-23 122880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-11-21 311296]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-30 30192]
"MarketingTools"="c:\program files\Sony\Marketing Tools\MarketingTools.exe" [2008-04-10 36864]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2008-08-25 26112]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 71008]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-08-26 236016]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 5.0\SetHook.exe" [2007-12-21 53248]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"HostManager"="c:\program files\Common Files\AOL\1243367064\ee\AOLSoftware.exe" [2006-11-14 50736]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-03-05 1135912]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2010-02-17 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

c:\users\stewart\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-2-12 0]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-08-15 03:05 98304 ----a-w- c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R2 gupdate1ca1b5c4204d2d0;Google Update Service (gupdate1ca1b5c4204d2d0);c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 133104]
R3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-10-30 30192]
R3 SOHCImp;VAIO Media plus Content Importer;c:\program files\Sony\VAIO Media plus\SOHCImp.exe [2008-03-05 104288]
R3 SOHDms;VAIO Media plus Digital Media Server;c:\program files\Sony\VAIO Media plus\SOHDms.exe [2008-03-05 350048]
R3 SOHDs;VAIO Media plus Device Searcher;c:\program files\Sony\VAIO Media plus\SOHDs.exe [2008-03-05 63328]
R3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2008-03-03 333088]
R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe [2008-03-03 87328]
R3 WiselinkPro;SAMSUNG WiselinkPro Service;c:\program files\Samsung\SAMSUNG PC Share Manager\WiselinkPro.exe [2009-01-08 4136960]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS [2009-08-22 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\N360\0308000.029\BHDrvx86.sys [2009-08-22 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\N360\0308000.029\ccHPx86.sys [2009-08-22 482432]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100513.002\IDSvix86.sys [2009-10-28 343088]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2009-08-22 117640]
S2 NSUService;NSUService;c:\program files\Sony\Network Utility\NSUService.exe [2008-03-10 229376]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-09-12 102448]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2007-12-17 9344]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [2009-08-22 48688]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-06-06 812544]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2008-10-04 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2010-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 14:49]

2010-05-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-12 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-05-22 18:06
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3960)
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Kontiki\KService.exe
c:\program files\Sony\VAIO Update 3\VAIOUpdt.exe
c:\windows\system32\DllHost.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Apoint\Apntex.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Sony\VAIO Event Service\VESMgrSub.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\program files\Sony\VAIO Power Management\SPMgr.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\WerCon.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Java\jre6\bin\jucheck.exe
c:\windows\system32\WerFault.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\wermgr.exe
c:\program files\NORTON 360\ENGINE\3.8.0.41\cltLMH.exe
c:\windows\system32\WerFault.exe
.
**************************************************************************
.
Completion time: 2010-05-22 18:12:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-22 17:12
ComboFix2.txt 2010-05-20 11:58
ComboFix3.txt 2010-05-11 20:01
ComboFix4.txt 2010-05-11 11:50
ComboFix5.txt 2010-05-22 16:46

Pre-Run: 89,820,651,520 bytes free
Post-Run: 89,597,952,000 bytes free

- - End Of File - - B2C7938CED9B70322ECC53DB4F7941D1

lidlkid
Novice
Novice

Posts Posts : 19
Joined Joined : 2010-05-04
OS OS : vista
Points Points : 24353
# Likes # Likes : 0

View user profile

Back to top Go down

Re: backdoor.tidserv.inf

Post by Dr Jay on Sat May 22, 2010 9:38 pm

Now, see if that threat is still being picked up. (backdoor.tidserv.inf)


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13719
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Protection Protection : Bitdefender Total Security
Points Points : 302143
# Likes # Likes : 10

View user profile

Back to top Go down

Re: backdoor.tidserv.inf

Post by lidlkid on Sun May 23, 2010 8:00 pm

Just ran a quick scan and all gone!!! Thank you so much for your help and patience. Really appreciate all the time and effort you have put in here...thanks again

lidlkid
Novice
Novice

Posts Posts : 19
Joined Joined : 2010-05-04
OS OS : vista
Points Points : 24353
# Likes # Likes : 0

View user profile

Back to top Go down

Re: backdoor.tidserv.inf

Post by Dr Jay on Sun May 23, 2010 8:17 pm

We must clean up our tools now. Smile

To manually create a new Restore Point

  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advance System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive i.e. C
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete
You are now done

To remove all of the tools we used and the files and folders they created, please do the following:
Please download [You must be registered and logged in to see this link.] by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

==

Please download [You must be registered and logged in to see this link.] to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start
    button to begin the process. Depending on how often you clean temp
    files, execution time should be anywhere from a few seconds to a minute
    or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


==

Download Security Check by screen317 from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13719
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Protection Protection : Bitdefender Total Security
Points Points : 302143
# Likes # Likes : 10

View user profile

Back to top Go down

Re: backdoor.tidserv.inf

Post by lidlkid on Sun May 23, 2010 9:02 pm

Results of screen317's Security Check version 0.99.4
Windows Vista Service Pack 1 (UAC is disabled!)
[You must be registered and logged in to see this link.]
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
Norton 360
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java(TM) 6 Update 13
Out of date Java installed!
Adobe Flash Player
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

lidlkid
Novice
Novice

Posts Posts : 19
Joined Joined : 2010-05-04
OS OS : vista
Points Points : 24353
# Likes # Likes : 0

View user profile

Back to top Go down

Re: backdoor.tidserv.inf

Post by Dr Jay on Mon May 24, 2010 2:45 am

Please consider updating to Windows Vista Service Pack 2 (SP2).
Windows Vista Service Pack 2 (SP2) contains all the updates released since SP1 plus support for new types of hardware and emerging hardware standards.
It is now available via [You must be registered and logged in to see this link.] or as a standalone installation [You must be registered and logged in to see this link.].

================

Please download the newest version of Adobe Acrobat Reader from [You must be registered and logged in to see this link.]

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

==

Please download the newest version of Java from [You must be registered and logged in to see this link.].

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

=========================

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

AntiSpyware

  • [You must be registered and logged in to see this link.]
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found [You must be registered and logged in to see this link.].
  • [You must be registered and logged in to see this link.].
    Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).


NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
[You must be registered and logged in to see this link.]

Securing your computer

  • [You must be registered and logged in to see this link.] - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • [You must be registered and logged in to see this link.] replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:


Thank you for choosing GeekPolice. Please see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site. Do you have any more questions?


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13719
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Protection Protection : Bitdefender Total Security
Points Points : 302143
# Likes # Likes : 10

View user profile

Back to top Go down

View previous topic View next topic Back to top


 
Permissions in this forum:
You cannot reply to topics in this forum