Backdoor.Tidserv!inf - please help

Post by wheelio on 5th May 2010, 7:21 pm

Hi there,

I am really not too knowledgeable about computers but my Symantec antivirus tells me that I have Backdoor.tidserv!inf (filename: ahcix86s.sys) on my computer and it can't fix it. I don't know if this is right but I downloaded Malwarebytes and got this log:

Malwarebytes' Anti-Malware 1.45
[You must be registered and logged in to see this link.]

Database version: 4025

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18882

23/04/2010 12:08:30 PM
mbam-log-2010-04-23 (12-08-30).txt

Scan type: Full scan (C:\|)
Objects scanned: 246188
Time elapsed: 1 hour(s), 59 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\User\AppData\Local\Temp\0000324b (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\User\Desktop\SPSS folder\KEYGEN\keygen.exe (Malware.Packer.Krunchy) -> Quarantined and deleted successfully.




I also downloaded combofix and got this log:


ComboFix 10-05-04.06 - User 05/05/2010 11:59:59.1.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.1789.1078 [GMT -4:00]
Running from: c:\users\User\Pictures\Combo-Fix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-948558897-1585649047-789922506-500
c:\windows\system32\lsprst7.dll
c:\windows\system32\nsprs.dll
c:\windows\system32\serauth1.dll
c:\windows\system32\serauth2.dll
c:\windows\system32\ssprs.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-05 to 2010-05-05 )))))))))))))))))))))))))))))))
.

2010-05-05 16:09 . 2010-05-05 16:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-04 16:07 . 2010-03-29 08:00 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100504.004\NAVENG.SYS
2010-05-04 16:07 . 2010-03-29 08:00 1324720 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100504.004\NAVEX15.SYS
2010-05-04 16:07 . 2009-09-17 06:00 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100504.004\NAVENG32.DLL
2010-05-04 16:07 . 2009-09-17 06:00 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100504.004\NAVEX32A.DLL
2010-05-04 16:07 . 2010-03-29 08:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100504.004\CCERASER.DLL
2010-05-04 16:07 . 2010-03-29 08:00 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100504.004\ECMSVR32.DLL
2010-05-04 16:07 . 2009-09-17 06:00 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100504.004\EECTRL.SYS
2010-05-04 16:07 . 2009-09-17 06:00 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100504.004\ERASER.SYS
2010-05-04 16:01 . 2010-05-05 03:36 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-04 15:02 . 2010-02-20 23:39 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-05-04 15:02 . 2010-02-20 21:18 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-05-04 15:02 . 2010-02-20 23:37 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-04-23 13:49 . 2010-04-23 13:49 -------- d-----w- c:\users\User\AppData\Roaming\Malwarebytes
2010-04-23 13:49 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-23 13:48 . 2010-04-23 13:48 -------- d-----w- c:\programdata\Malwarebytes
2010-04-23 13:48 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 13:48 . 2010-04-23 13:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-21 01:24 . 2010-03-29 08:00 1324720 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100420.024\NAVEX15.SYS
2010-04-21 01:24 . 2009-09-17 06:00 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100420.024\NAVEX32A.DLL
2010-04-21 01:24 . 2010-03-29 08:00 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100420.024\NAVENG.SYS
2010-04-21 01:24 . 2009-09-17 06:00 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100420.024\EECTRL.SYS
2010-04-21 01:24 . 2009-09-17 06:00 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100420.024\NAVENG32.DLL
2010-04-21 01:24 . 2009-09-17 06:00 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100420.024\ERASER.SYS
2010-04-21 01:24 . 2010-03-29 08:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100420.024\CCERASER.DLL
2010-04-21 01:24 . 2010-03-29 08:00 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100420.024\ECMSVR32.DLL
2010-04-15 17:34 . 2010-04-15 17:34 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-04-15 15:43 . 2010-04-15 15:43 56766 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-04-15 15:43 . 2010-04-15 15:43 57679 ----a-w- c:\programdata\DivX\Player\Uninstaller.exe
2010-04-15 15:42 . 2010-04-15 15:42 84040 ----a-w- c:\programdata\DivX\TransferWizard\Uninstaller.exe
2010-04-15 15:42 . 2010-04-15 15:42 54166 ----a-w- c:\programdata\DivX\DSAVCDecoder\Uninstaller.exe
2010-04-15 15:42 . 2010-04-15 15:42 57532 ----a-w- c:\programdata\DivX\DSASPDecoder\Uninstaller.exe
2010-04-15 15:42 . 2010-04-15 15:42 54153 ----a-w- c:\programdata\DivX\DFXPlugin\Uninstaller.exe
2010-04-15 15:42 . 2010-04-15 15:42 54128 ----a-w- c:\programdata\DivX\Converter\Uninstaller.exe
2010-04-15 15:42 . 2010-04-15 15:42 57409 ----a-w- c:\programdata\DivX\ControlPanel\Uninstaller.exe
2010-04-14 03:03 . 2010-02-23 11:32 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 03:03 . 2010-02-23 11:32 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 03:03 . 2010-02-23 11:32 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 03:02 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 03:02 . 2010-02-18 14:49 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 03:02 . 2010-02-18 14:11 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 03:02 . 2010-02-18 11:52 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-13 20:23 . 2009-12-23 12:43 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 20:22 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-04 16:00 . 2010-01-25 15:03 104992 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-05-04 15:50 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-04 15:31 . 2009-05-28 04:29 -------- d-----w- c:\programdata\Microsoft Help
2010-04-22 16:54 . 2010-01-27 04:20 -------- d-----w- c:\users\User\AppData\Roaming\BitTorrent
2010-04-22 16:51 . 2010-03-12 04:50 1356 ----a-w- c:\users\User\AppData\Local\d3d9caps.dat
2010-04-15 17:35 . 2010-03-25 04:17 -------- d-----w- c:\programdata\DivX
2010-04-15 15:43 . 2010-03-25 04:18 -------- d-----w- c:\program files\DivX
2010-04-15 15:42 . 2010-03-25 04:20 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-04-15 15:36 . 2010-03-25 04:21 754984 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-04-15 15:35 . 2010-03-25 04:21 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-04-07 22:26 . 2010-01-25 05:31 -------- d-----w- c:\program files\ApexDC++
2010-04-05 02:55 . 2010-04-05 02:48 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-05 02:55 . 2009-05-28 04:50 -------- d-----w- c:\programdata\Symantec
2010-04-05 02:53 . 2010-04-05 02:48 -------- d-----w- c:\program files\Symantec
2010-04-05 02:53 . 2010-04-05 02:52 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-04-05 02:53 . 2010-04-05 02:52 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-04-05 02:53 . 2010-04-05 02:52 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-04-05 02:40 . 2009-05-28 04:50 -------- d-----w- c:\programdata\Norton
2010-03-30 13:05 . 2010-03-30 13:05 0 ----a-w- c:\windows\system32\cd.dat
2010-03-29 08:00 . 2010-03-29 08:00 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\NAVENG.SYS
2010-03-29 08:00 . 2010-03-29 08:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\CCERASER.DLL
2010-03-29 08:00 . 2010-03-29 08:00 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\ECMSVR32.DLL
2010-03-29 08:00 . 2010-03-29 08:00 1324720 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\NAVEX15.SYS
2010-03-29 04:02 . 2010-02-05 04:15 -------- d-----w- c:\program files\SPSS
2010-03-25 04:21 . 2010-03-25 04:21 56978 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-03-25 04:21 . 2010-03-25 04:21 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-03-25 04:21 . 2010-03-25 04:21 -------- d-----w- c:\users\User\AppData\Roaming\DivX
2010-03-25 04:20 . 2010-03-25 04:20 57054 ----a-w- c:\programdata\DivX\DSDesktopComponents\Uninstaller.exe
2010-03-25 04:20 . 2010-03-25 04:20 56458 ----a-w- c:\programdata\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-03-25 04:20 . 2010-03-25 04:20 54174 ----a-w- c:\programdata\DivX\DSAACDecoder\Uninstaller.exe
2010-03-25 04:20 . 2010-03-25 04:20 54629 ----a-w- c:\programdata\DivX\TranscodeEngine\Uninstaller.exe
2010-03-25 04:20 . 2010-03-25 04:20 54101 ----a-w- c:\programdata\DivX\MPEG2Plugin\Uninstaller.exe
2010-03-25 04:20 . 2010-03-25 04:20 52963 ----a-w- c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-03-25 04:20 . 2010-03-25 04:19 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-25 04:20 . 2010-03-25 04:20 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
2010-03-25 04:19 . 2010-03-25 04:19 56969 ----a-w- c:\programdata\DivX\ASPEncoder\Uninstaller.exe
2010-03-24 13:29 . 2009-05-28 04:49 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-15 05:17 . 2010-03-13 21:58 -------- d-----w- c:\program files\Java
2010-03-15 05:14 . 2010-03-15 05:14 -------- d-----w- c:\program files\Common Files\Java
2010-03-13 21:58 . 2010-03-13 21:59 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-11 05:36 . 2010-03-11 05:30 -------- d-----w- c:\program files\Hotspot Shield
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-02-24 14:16 . 2010-01-27 16:26 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-03-30 18:14 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-30 18:14 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-30 18:14 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-30 18:14 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-19 19:27 . 2010-02-19 19:27 720384 ----a-w- c:\windows\system32\DivX.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2010-02-19 19:27 . 2010-02-19 19:27 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27 . 2010-02-19 19:27 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2010-02-19 19:27 . 2010-02-19 19:27 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2010-02-14 00:33 . 2010-02-14 00:33 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-05 04:19 . 2010-02-05 04:19 1024 ----a-w- c:\windows\system32\clauth2.dll
2010-02-05 04:19 . 2010-02-05 04:19 1024 ----a-w- c:\windows\system32\clauth1.dll
2010-02-05 04:14 . 2010-02-05 04:14 1025 ----a-w- c:\windows\system32\sysprs7.dll
2010-02-04 05:00 . 2010-02-04 05:00 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-01-20 1197448]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}]
2010-01-13 16:32 157168 ----a-w- c:\programdata\Partner\partner.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-01-20 15:34 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2010-03-11 05:30 220208 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-01-20 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-01-20 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-01-13 6711840]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-02-04 30192]
"Acer ePower Management"="c:\program files\eMachines\eMachines Power Management\ePowerTray.exe" [2009-04-03 698912]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-04-10 862728]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-08-28 1557800]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-01-30 98304]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-13 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-03-05 1135912]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]

c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R1 mhekxrev;mhekxrev;c:\windows\system32\drivers\mhekxrev.sys [x]
R2 EraserSvc10923;Symantec Eraser Service;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2009-07-09 108392]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-02-04 30192]
R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-09-23 50424]
R3 Partner Service;Partner Service;c:\programdata\Partner\partner.exe [2010-01-13 110576]
S2 ePowerSvc;Acer ePower Service;c:\program files\eMachines\eMachines Power Management\ePowerSvc.exe [2009-04-03 723488]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [2010-01-08 285744]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-09-23 144632]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-09-17 102448]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x86.sys [2009-01-15 49664]

.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\gho04mjk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-Symantec Antvirus



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-05-05 12:10
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-05-05 12:17:20
ComboFix-quarantined-files.txt 2010-05-05 16:17

Pre-Run: 42,558,828,544 bytes free
Post-Run: 44,821,078,016 bytes free

- - End Of File - - 95B4EEBE13D1E2E269840F6C04744AC0

Any help with this would be sooo sooo greatly appreciated. Thanks.


Re: Backdoor.Tidserv!inf - please help

Post by Belahzur on 5th May 2010, 7:55 pm

Hello.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    KILLALL::

    Driver::
    mhekxrev

    DDS::
    uStart Page = hxxp://www.ask.com?o=15450&l=dis

    Firefox::
    FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\gho04mjk.default\
    FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=BT4&o=15447&locale=en_US&q=
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.




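Added example (not from the thread, and not part of ComboFix or the CFScript above): a small Python triage script that applies, to the first ComboFix log in this thread, the checks a helper does by eye before writing a CFScript, and then checks a follow-up log for the removal line ComboFix prints for a "Driver::" entry. The embedded log lines are copied from wheelio's first log and from the "Drivers/Services" section of the second one; everything else is the example's own assumption: the "[x]" reading (ComboFix's marker for a service whose image file it could not find), the random-name heuristic (7 to 12 lowercase letters used as both service and display name), the severity labels, and the policy checks (EnableLUA, DisableMonitoring, AppInit_DLLs).

```python
"""
Triage helper for ComboFix logs (added example; not ComboFix's own code).

triage()           - flags the service and policy lines an analyst looks at first
confirm_removal()  - checks a follow-up log for the "-------\Service_<name>" line
                     ComboFix prints after a CFScript "Driver::" removal
"""
import re
from dataclasses import dataclass

# Sample input: lines copied from the first ComboFix log in this thread.
# Only the lines the triage looks at are reproduced.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R1 mhekxrev;mhekxrev;c:\windows\system32\drivers\mhekxrev.sys [x]
R2 EraserSvc10923;Symantec Eraser Service;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2009-07-09 108392]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x86.sys [2009-01-15 49664]
"""

# Sample follow-up: the "Drivers/Services" section of the second log in this thread.
SAMPLE_FOLLOWUP = r"""
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_mhekxrev
"""


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info" (labels are this example's own)
    subject: str    # service name or registry value the finding is about
    reason: str


# ComboFix service line: "<R|S><start type> <name>;<display name>;<image path> [<date size> | x]"
# R = running, S = stopped; start type 0 boot, 1 system, 2 auto, 3 demand, 4 disabled.
SERVICE_RE = re.compile(r'^([RS])([0-4])\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]\s*$')
# Heuristic (assumption): a run of lowercase letters with no vendor wording, e.g. "mhekxrev".
RANDOM_NAME_RE = re.compile(r'^[a-z]{7,12}$')

# (pattern, severity, subject, explanation) for the registry lines worth a second look.
POLICY_CHECKS = [
    (re.compile(r'^"EnableLUA"\s*=\s*0\b'), 'high', 'EnableLUA',
     'UAC is off: administrators run with a full token and get no consent prompt'),
    (re.compile(r'^"DisableMonitoring"\s*=\s*dword:0*1$'), 'info', 'DisableMonitoring',
     'Security Center is not monitoring this AV product (AV vendors often set this themselves; verify)'),
    (re.compile(r'^"AppInit_DLLs"\s*=\s*(\S.*)$'), 'info', 'AppInit_DLLs',
     'DLL is loaded into every process that links user32.dll; confirm the module is expected'),
]


def triage_services(log: str) -> list[Finding]:
    """Flag service/driver entries whose file is missing or whose name looks generated."""
    findings = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        state, start, name, display, path, stamp = m.groups()
        reasons = []
        if stamp == 'x':
            reasons.append('image file not found on disk (ComboFix "[x]")')
        if name == display and RANDOM_NAME_RE.match(name):
            reasons.append('random-looking name used as its own display name')
        if not reasons:
            continue
        # A boot/system-start driver with no file on disk is the pattern a rootkit
        # dropper leaves behind; everything else gets a closer look but a lower label.
        in_drivers = '\\drivers\\' in path.lower()
        severity = 'high' if (stamp == 'x' and in_drivers and start in '01') else 'medium'
        findings.append(Finding(severity, name, '; '.join(reasons) + f' (start type {start}, {path})'))
    return findings


def triage_policies(log: str) -> list[Finding]:
    """Flag the policy and Security Center values that weaken the machine's defences."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        for pattern, severity, subject, reason in POLICY_CHECKS:
            m = pattern.match(line)
            if m:
                detail = f': {m.group(1)}' if m.groups() else ''
                findings.append(Finding(severity, subject, reason + detail))
    return findings


def triage(log: str) -> list[Finding]:
    return triage_services(log) + triage_policies(log)


def confirm_removal(followup_log: str, name: str) -> bool:
    """True when the follow-up log records the service as removed and no longer lists it."""
    marker = f'-------\\Service_{name}'
    removed = any(line.strip() == marker for line in followup_log.splitlines())
    still_listed = any(f.subject == name for f in triage_services(followup_log))
    return removed and not still_listed


if __name__ == '__main__':
    rank = {'high': 0, 'medium': 1, 'info': 2}
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: rank[f.severity]):
        print(f'[{f.severity:6}] {f.subject}: {f.reason}')
    print('mhekxrev removed in follow-up log:', confirm_removal(SAMPLE_FOLLOWUP, 'mhekxrev'))
```

The script deliberately leaves regi, L1C and the Symantec service alone: they have a file with a date and size on disk and either a vendor display name or a short name, so they fail both heuristics. The CFScript posted above only has to name the one entry the script rates high, which is what Belahzur's "Driver::" section does.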

Re: Backdoor.Tidserv!inf - please help

Post by wheelio on 5th May 2010, 11:42 pm

ok here is the log I got:

ComboFix 10-05-05.04 - User 05/05/2010 18:06:49.2.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.1789.961 [GMT -4:00]
Running from: c:\users\User\Desktop\Combo-Fix.exe
Command switches used :: c:\users\User\Desktop\CFscript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_mhekxrev


((((((((((((((((((((((((( Files Created from 2010-04-05 to 2010-05-05 )))))))))))))))))))))))))))))))
.

2010-05-05 22:15 . 2010-05-05 22:20 -------- d-----w- c:\users\User\AppData\Local\temp
2010-05-05 22:15 . 2010-05-05 22:15 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-05 22:15 . 2010-05-05 22:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-05 17:50 . 2010-05-05 17:51 -------- d-----w- C:\Combo-Fix
2010-05-04 16:01 . 2010-05-05 03:36 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-04 15:02 . 2010-02-20 23:39 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-05-04 15:02 . 2010-02-20 21:18 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-05-04 15:02 . 2010-02-20 23:37 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-04-23 13:49 . 2010-04-23 13:49 -------- d-----w- c:\users\User\AppData\Roaming\Malwarebytes
2010-04-23 13:49 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-23 13:48 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 13:48 . 2010-04-23 13:48 -------- d-----w- c:\programdata\Malwarebytes
2010-04-23 13:48 . 2010-05-05 17:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-14 03:03 . 2010-02-23 11:32 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 03:03 . 2010-02-23 11:32 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 03:03 . 2010-02-23 11:32 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 03:02 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 03:02 . 2010-02-18 14:49 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 03:02 . 2010-02-18 14:11 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 03:02 . 2010-02-18 11:52 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-13 20:23 . 2009-12-23 12:43 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 20:22 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-05 17:26 . 2010-05-05 17:26 6153352 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-05-05 17:16 . 2010-03-13 21:58 -------- d-----w- c:\program files\Java
2010-05-04 16:00 . 2010-01-25 15:03 104992 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-05-04 15:50 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-04 15:31 . 2009-05-28 04:29 -------- d-----w- c:\programdata\Microsoft Help
2010-04-22 16:54 . 2010-01-27 04:20 -------- d-----w- c:\users\User\AppData\Roaming\BitTorrent
2010-04-22 16:51 . 2010-03-12 04:50 1356 ----a-w- c:\users\User\AppData\Local\d3d9caps.dat
2010-04-15 17:35 . 2010-03-25 04:17 -------- d-----w- c:\programdata\DivX
2010-04-15 17:34 . 2010-04-15 17:34 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-04-15 15:43 . 2010-04-15 15:43 56766 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-04-15 15:43 . 2010-04-15 15:43 57679 ----a-w- c:\programdata\DivX\Player\Uninstaller.exe
2010-04-15 15:43 . 2010-03-25 04:18 -------- d-----w- c:\program files\DivX
2010-04-15 15:42 . 2010-04-15 15:42 84040 ----a-w- c:\programdata\DivX\TransferWizard\Uninstaller.exe
2010-04-15 15:42 . 2010-03-25 04:20 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-04-15 15:42 . 2010-04-15 15:42 54166 ----a-w- c:\programdata\DivX\DSAVCDecoder\Uninstaller.exe
2010-04-15 15:42 . 2010-04-15 15:42 57532 ----a-w- c:\programdata\DivX\DSASPDecoder\Uninstaller.exe
2010-04-15 15:42 . 2010-04-15 15:42 54153 ----a-w- c:\programdata\DivX\DFXPlugin\Uninstaller.exe
2010-04-15 15:42 . 2010-04-15 15:42 54128 ----a-w- c:\programdata\DivX\Converter\Uninstaller.exe
2010-04-15 15:42 . 2010-04-15 15:42 57409 ----a-w- c:\programdata\DivX\ControlPanel\Uninstaller.exe
2010-04-15 15:36 . 2010-03-25 04:21 754984 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-04-15 15:35 . 2010-03-25 04:21 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-04-07 22:26 . 2010-01-25 05:31 -------- d-----w- c:\program files\ApexDC++
2010-04-05 02:55 . 2010-04-05 02:48 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-05 02:55 . 2009-05-28 04:50 -------- d-----w- c:\programdata\Symantec
2010-04-05 02:53 . 2010-04-05 02:48 -------- d-----w- c:\program files\Symantec
2010-04-05 02:53 . 2010-04-05 02:52 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-04-05 02:53 . 2010-04-05 02:52 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-04-05 02:53 . 2010-04-05 02:52 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-04-05 02:40 . 2009-05-28 04:50 -------- d-----w- c:\programdata\Norton
2010-03-30 13:05 . 2010-03-30 13:05 0 ----a-w- c:\windows\system32\cd.dat
2010-03-29 04:02 . 2010-02-05 04:15 -------- d-----w- c:\program files\SPSS
2010-03-25 04:21 . 2010-03-25 04:21 56978 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-03-25 04:21 . 2010-03-25 04:21 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-03-25 04:21 . 2010-03-25 04:21 -------- d-----w- c:\users\User\AppData\Roaming\DivX
2010-03-25 04:20 . 2010-03-25 04:20 57054 ----a-w- c:\programdata\DivX\DSDesktopComponents\Uninstaller.exe
2010-03-25 04:20 . 2010-03-25 04:20 56458 ----a-w- c:\programdata\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-03-25 04:20 . 2010-03-25 04:20 54174 ----a-w- c:\programdata\DivX\DSAACDecoder\Uninstaller.exe
2010-03-25 04:20 . 2010-03-25 04:20 54629 ----a-w- c:\programdata\DivX\TranscodeEngine\Uninstaller.exe
2010-03-25 04:20 . 2010-03-25 04:20 54101 ----a-w- c:\programdata\DivX\MPEG2Plugin\Uninstaller.exe
2010-03-25 04:20 . 2010-03-25 04:20 52963 ----a-w- c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-03-25 04:20 . 2010-03-25 04:19 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-25 04:20 . 2010-03-25 04:20 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
2010-03-25 04:19 . 2010-03-25 04:19 56969 ----a-w- c:\programdata\DivX\ASPEncoder\Uninstaller.exe
2010-03-24 13:29 . 2009-05-28 04:49 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-13 21:58 . 2010-03-13 21:59 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-11 05:36 . 2010-03-11 05:30 -------- d-----w- c:\program files\Hotspot Shield
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-02-24 14:16 . 2010-01-27 16:26 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-03-30 18:14 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-30 18:14 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-30 18:14 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-30 18:14 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-19 19:27 . 2010-02-19 19:27 720384 ----a-w- c:\windows\system32\DivX.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2010-02-19 19:27 . 2010-02-19 19:27 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27 . 2010-02-19 19:27 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2010-02-19 19:27 . 2010-02-19 19:27 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2010-02-14 00:33 . 2010-02-14 00:33 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-05 04:19 . 2010-02-05 04:19 1024 ----a-w- c:\windows\system32\clauth2.dll
2010-02-05 04:19 . 2010-02-05 04:19 1024 ----a-w- c:\windows\system32\clauth1.dll
2010-02-05 04:14 . 2010-02-05 04:14 1025 ----a-w- c:\windows\system32\sysprs7.dll
2010-02-04 05:00 . 2010-02-04 05:00 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-01-20 1197448]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}]
2010-01-13 16:32 157168 ----a-w- c:\programdata\Partner\partner.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-01-20 15:34 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2010-03-11 05:30 220208 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-01-20 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-01-20 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-01-13 6711840]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-02-04 30192]
"Acer ePower Management"="c:\program files\eMachines\eMachines Power Management\ePowerTray.exe" [2009-04-03 698912]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-04-10 862728]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-08-28 1557800]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-01-30 98304]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-13 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-03-05 1135912]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]

c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R2 EraserSvc10923;Symantec Eraser Service;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2009-07-09 108392]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-02-04 30192]
R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-09-23 50424]
R3 Partner Service;Partner Service;c:\programdata\Partner\partner.exe [2010-01-13 110576]
S2 ePowerSvc;Acer ePower Service;c:\program files\eMachines\eMachines Power Management\ePowerSvc.exe [2009-04-03 723488]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [2010-01-08 285744]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-09-23 144632]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-09-17 102448]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x86.sys [2009-01-15 49664]

.
.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\gho04mjk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-05-05 18:20
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ahcix86s.sys >>UNKNOWN [0x868518C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8759d322
\Driver\ACPI -> acpi.sys @ 0x80614d4c
\Driver\atapi -> ataport.SYS @ 0x807389a8
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\windows\system32\conime.exe
c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Symantec\Symantec Endpoint Protection\SavUI.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\eMachines\eMachines Recovery Management\NotificationCenter\Notification.exe
.
**************************************************************************
.
Completion time: 2010-05-05 18:30:17 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-05 22:30
ComboFix2.txt 2010-05-05 16:17

Pre-Run: 47,569,063,936 bytes free
Post-Run: 47,134,183,424 bytes free

- - End Of File - - 70216909B0B11BDEF46F7396F27ADCEF

wheelio
Novice

Posts : 10
Joined : 2010-05-05
OS : Windows Vista Home Premium 2007
Points : 24258
# Likes : 0

Re: Backdoor.Tidserv!inf - please help

Post by Belahzur on 6th May 2010, 9:26 pm

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245121
# Likes : 1

Re: Backdoor.Tidserv!inf - please help

Post by wheelio on 7th May 2010, 4:36 pm

Hi,

I tried running GMER and it wouldn't work in normal mode (the screen went blue and the computer would freeze), so I also tried it in safe mode and by renaming the saved file, but none of it seemed to work. It would stop before completing, and sometimes a message would say that an error had occurred in the file and it could not continue. This is all I got from it:

GMER 1.0.15.15281 - [You must be registered and logged in to see this link.]
Rootkit quick scan 2010-05-06 20:03:25
Windows 6.0.6001 Service Pack 1
Running: t.exe; Driver: C:\Users\User\AppData\Local\Temp\pxldapob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Re: Backdoor.Tidserv!inf - please help

Post by Belahzur on 7th May 2010, 5:14 pm

Hello.

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement; press Accept and HijackThis will run.
  • When HijackThis opens, click "Open the Misc Tools section".
  • Then select "Open Uninstall Manager".
  • Click on "Save List..." (this generates uninstall_list.txt).
  • Click Save, then copy and paste the results in your next post.


Re: Backdoor.Tidserv!inf - please help

Post by wheelio on 8th May 2010, 4:06 am

Uninstall list from HijackThis:

Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2
ApexDC++ 1.2.2
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
BitTorrent
Bonjour
Compatibility Pack for the 2007 Office system
DivX Setup
eMachines Games
eMachines Power Management
eMachines Recovery Management
eMachines ScreenSaver
Google Desktop
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotspot Shield 1.37
HP OrderReminder
InterVideo WinDVD 8
iTunes
Java(TM) 6 Update 16
Junk Mail filter update
K-Lite Codec Pack 5.5.1 (Basic)
LaserJet 1018
Launch Manager
LiveUpdate 3.3 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.6.3)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Norton Internet Security
Norton Security Scan
NTI Backup Now 5
NTI Media Maker 8
QuickTime
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
SecondLife (remove only)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB980470)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
SPSS 15.0 for Windows
Symantec Endpoint Protection
Synaptics Pointing Device Driver
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB981715)
Update for 2007 Microsoft Office System (KB981715)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb981433)
VC80CRTRedist - 8.0.50727.4053
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows Media Player Firefox Plugin
WinRAR archiver

Re: Backdoor.Tidserv!inf - please help

Post by Belahzur on 8th May 2010, 11:32 pm

Hello.

  • Click Start >> Control Panel.
  • Under Programs, click Uninstall a Program.
  • Highlight the following:

    Ask Toolbar
    Java(TM) 6 Update 16

  • Click on the Uninstall/Change button at the top.


  • Download [You must be registered and logged in to see this link.] and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file called "TDSSKiller.txt" should be created on your C: drive; please copy and paste the contents of that file here.

Re: Backdoor.Tidserv!inf - please help

Post by wheelio on 10th May 2010, 12:06 am

Hello again, here is the TDSSKiller scan text:

19:08:39:309 4552 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
19:08:39:309 4552 ================================================================================
19:08:39:309 4552 SystemInfo:

19:08:39:309 4552 OS Version: 6.0.6001 ServicePack: 1.0
19:08:39:309 4552 Product type: Workstation
19:08:39:309 4552 ComputerName: USER-PC
19:08:39:309 4552 UserName: User
19:08:39:309 4552 Windows directory: C:\Windows
19:08:39:309 4552 Processor architecture: Intel x86
19:08:39:309 4552 Number of processors: 1
19:08:39:309 4552 Page size: 0x1000
19:08:39:309 4552 Boot type: Normal boot
19:08:39:309 4552 ================================================================================
19:08:39:325 4552 UnloadDriverW: NtUnloadDriver error 2
19:08:39:325 4552 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
19:08:56:313 4552 wfopen_ex: Trying to open file C:\Windows\system32\config\system
19:08:56:360 4552 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:08:56:360 4552 wfopen_ex: Trying to KLMD file open
19:08:56:360 4552 wfopen_ex: File opened ok (Flags 2)
19:08:56:360 4552 wfopen_ex: Trying to open file C:\Windows\system32\config\software
19:08:56:360 4552 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:08:56:360 4552 wfopen_ex: Trying to KLMD file open
19:08:56:360 4552 wfopen_ex: File opened ok (Flags 2)
19:08:56:360 4552 Initialize success
19:08:56:360 4552
19:08:56:360 4552 Scanning Services ...
19:08:58:076 4552 Raw services enum returned 441 services
19:08:58:092 4552
19:08:58:092 4552 Scanning Kernel memory ...
19:08:58:092 4552 Devices to scan: 1
19:08:58:092 4552
19:08:58:092 4552 Driver Name: ahcix86s
19:08:58:092 4552 IRP_MJ_CREATE : 82F8460A
19:08:58:092 4552 IRP_MJ_CREATE_NAMED_PIPE : 81E5F013
19:08:58:092 4552 IRP_MJ_CLOSE : 82F84565
19:08:58:092 4552 IRP_MJ_READ : 81E5F013
19:08:58:092 4552 IRP_MJ_WRITE : 81E5F013
19:08:58:092 4552 IRP_MJ_QUERY_INFORMATION : 81E5F013
19:08:58:092 4552 IRP_MJ_SET_INFORMATION : 81E5F013
19:08:58:092 4552 IRP_MJ_QUERY_EA : 81E5F013
19:08:58:092 4552 IRP_MJ_SET_EA : 81E5F013
19:08:58:092 4552 IRP_MJ_FLUSH_BUFFERS : 81E5F013
19:08:58:092 4552 IRP_MJ_QUERY_VOLUME_INFORMATION : 81E5F013
19:08:58:092 4552 IRP_MJ_SET_VOLUME_INFORMATION : 81E5F013
19:08:58:092 4552 IRP_MJ_DIRECTORY_CONTROL : 81E5F013
19:08:58:092 4552 IRP_MJ_FILE_SYSTEM_CONTROL : 81E5F013
19:08:58:092 4552 IRP_MJ_DEVICE_CONTROL : 82F846CB
19:08:58:092 4552 IRP_MJ_INTERNAL_DEVICE_CONTROL : 82F53EE3
19:08:58:092 4552 IRP_MJ_SHUTDOWN : 81E5F013
19:08:58:092 4552 IRP_MJ_LOCK_CONTROL : 81E5F013
19:08:58:092 4552 IRP_MJ_CLEANUP : 81E5F013
19:08:58:092 4552 IRP_MJ_CREATE_MAILSLOT : 81E5F013
19:08:58:092 4552 IRP_MJ_QUERY_SECURITY : 81E5F013
19:08:58:092 4552 IRP_MJ_SET_SECURITY : 81E5F013
19:08:58:092 4552 IRP_MJ_POWER : 82F5998F
19:08:58:092 4552 IRP_MJ_SYSTEM_CONTROL : 82F848FE
19:08:58:092 4552 IRP_MJ_DEVICE_CHANGE : 81E5F013
19:08:58:092 4552 IRP_MJ_QUERY_QUOTA : 81E5F013
19:08:58:092 4552 IRP_MJ_SET_QUOTA : 81E5F013
19:08:58:138 4552 C:\Windows\system32\DRIVERS\ahcix86s.sys - Verdict: 2
19:08:58:138 4552 File "C:\Windows\system32\DRIVERS\ahcix86s.sys" infected by TDSS rootkit ... 19:08:58:138 4552 Processing driver file: C:\Windows\system32\DRIVERS\ahcix86s.sys
19:08:58:248 4552 vfvi6
19:08:58:419 4552 dsvbh1
19:09:03:552 4552 fdfb1
19:09:03:552 4552 Backup copy found, using it..
19:09:03:739 4552 will be cured on next reboot
19:09:03:739 4552 Reboot required for cure complete..
19:09:03:754 4552 Cure on reboot scheduled successfully
19:09:03:754 4552
19:09:03:754 4552 Completed
19:09:03:754 4552
19:09:03:754 4552 Results:
19:09:03:754 4552 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
19:09:03:754 4552 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:09:03:754 4552 File objects infected / cured / cured on reboot: 1 / 0 / 1
19:09:03:754 4552
19:09:03:754 4552 fclose_ex: Trying to close file C:\Windows\system32\config\system
19:09:03:801 4552 fclose_ex: Trying to close file C:\Windows\system32\config\software
19:09:03:801 4552 UnloadDriverW: NtUnloadDriver error 1
19:09:03:801 4552 KLMD(ARK) unloaded successfully

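The TDSSKiller log above, as an added example that is not part of the thread or of TDSSKiller itself: a Python parser that pulls out the scanned driver, its IRP dispatch table, the verdict and the infected/cured/cured-on-reboot counts, and answers the question the helper has to settle next, whether a reboot and re-scan are still needed. The sample log is constructed from the lines posted above, including the line where two records share one physical line.

```python
"""Parser for the TDSSKiller 2.x text log posted in this thread.

Added example, not part of the thread or of TDSSKiller. SAMPLE_LOG is constructed
from the posted log's layout; driver name, addresses and counts are copied from it."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Every record starts with "HH:MM:SS:mmm <pid> ". The posted log has two records on
# one physical line ("... infected by TDSS rootkit ... 19:08:58:138 4552 Processing
# driver file: ..."), so records are split on the prefix, not on newlines alone.
_PREFIX = re.compile(r"\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s?")
_IRP = re.compile(r"^(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})$")
_VERDICT = re.compile(r"^(?P<path>.+?\.sys) - Verdict: (?P<verdict>\d+)$", re.I)
_INFECTED = re.compile(r'^File "(?P<path>[^"]+)" infected by (?P<family>\S+) rootkit')
_RESULT = re.compile(r"^(?P<kind>Memory|Registry|File) objects infected / cured / "
                     r"cured on reboot: (?P<inf>\d+) / (?P<cured>\d+) / (?P<reboot>\d+)$")

@dataclass
class DriverScan:
    name: str
    dispatch: Dict[str, int] = field(default_factory=dict)  # IRP_MJ_* -> handler address
    path: Optional[str] = None
    verdict: Optional[int] = None      # TDSSKiller's numeric verdict (2 in the thread)
    infected_by: Optional[str] = None  # rootkit family named by the "infected by" line

    def handler_clusters(self) -> Tuple[int, Dict[str, int]]:
        """Return the address most IRP_MJ_* entries share (the driver's common handler
        for requests it does not service) and the entries pointing elsewhere."""
        shared, _ = Counter(self.dispatch.values()).most_common(1)[0]
        return shared, {n: a for n, a in self.dispatch.items() if a != shared}

@dataclass
class Report:
    drivers: List[DriverScan] = field(default_factory=list)
    results: Dict[str, Tuple[int, int, int]] = field(default_factory=dict)
    reboot_cure_scheduled: bool = False

def records(text: str):
    """Yield record bodies with the timestamp/PID prefix removed."""
    for line in text.splitlines():
        for body in _PREFIX.split(line)[1:]:  # element 0 is text before the first prefix
            if body.strip():
                yield body.strip()

def parse_tdsskiller_log(text: str) -> Report:
    report, current = Report(), None
    for body in records(text):
        if body.startswith("Driver Name:"):
            current = DriverScan(name=body.split(":", 1)[1].strip())
            report.drivers.append(current)
        elif (m := _IRP.match(body)) and current is not None:
            current.dispatch[m.group(1)] = int(m.group(2), 16)
        elif (m := _VERDICT.match(body)) and current is not None:
            current.path, current.verdict = m.group("path"), int(m.group("verdict"))
        elif (m := _INFECTED.match(body)) and current is not None:
            current.infected_by = m.group("family")
        elif body.startswith("Cure on reboot scheduled"):
            report.reboot_cure_scheduled = True
        elif m := _RESULT.match(body):
            report.results[m.group("kind")] = tuple(int(m.group(k)) for k in ("inf", "cured", "reboot"))
    return report

def cure_pending(report: Report) -> bool:
    """True when a cure was deferred to the next reboot or an object was found
    infected and not cured: a reboot and a fresh scan are needed either way."""
    return report.reboot_cure_scheduled or any(
        inf > cured for inf, cured, _ in report.results.values())

# Constructed from the log posted above (subset of the IRP table, same values).
SAMPLE_LOG = r"""19:08:58:092 4552
19:08:58:092 4552 Driver Name: ahcix86s
19:08:58:092 4552 IRP_MJ_CREATE : 82F8460A
19:08:58:092 4552 IRP_MJ_CREATE_NAMED_PIPE : 81E5F013
19:08:58:092 4552 IRP_MJ_CLOSE : 82F84565
19:08:58:092 4552 IRP_MJ_READ : 81E5F013
19:08:58:092 4552 IRP_MJ_DEVICE_CONTROL : 82F846CB
19:08:58:092 4552 IRP_MJ_INTERNAL_DEVICE_CONTROL : 82F53EE3
19:08:58:092 4552 IRP_MJ_SHUTDOWN : 81E5F013
19:08:58:092 4552 IRP_MJ_POWER : 82F5998F
19:08:58:138 4552 C:\Windows\system32\DRIVERS\ahcix86s.sys - Verdict: 2
19:08:58:138 4552 File "C:\Windows\system32\DRIVERS\ahcix86s.sys" infected by TDSS rootkit ... 19:08:58:138 4552 Processing driver file: C:\Windows\system32\DRIVERS\ahcix86s.sys
19:09:03:754 4552 Cure on reboot scheduled successfully
19:09:03:754 4552 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
19:09:03:754 4552 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:09:03:754 4552 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    for d in rep.drivers:
        shared, own = d.handler_clusters()
        print(f"{d.name} ({d.path}): verdict={d.verdict} infected_by={d.infected_by}")
        print(f"  shared handler 0x{shared:08X}; driver-specific: "
              + ", ".join(f"{n}=0x{a:08X}" for n, a in sorted(own.items())))
    print("results:", rep.results, "| reboot and re-scan needed:", cure_pending(rep))
```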

Re: Backdoor.Tidserv!inf - please help

Post by Belahzur on 10th May 2010, 9:52 pm

Please run Combofix one more time and post the new log.

Re: Backdoor.Tidserv!inf - please help

Post by wheelio on 11th May 2010, 10:41 pm

Do I use the same script as I did above, this time?

Re: Backdoor.Tidserv!inf - please help

Post by Belahzur on 12th May 2010, 10:30 pm

No, just double click to run it.

Re: Backdoor.Tidserv!inf - please help

Post by wheelio on 14th May 2010, 12:05 am

Here is the combofix log:

ComboFix 10-05-13.02 - User 13/05/2010 18:20:46.3.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.1789.1114 [GMT -4:00]
Running from: c:\users\User\Desktop\Combo-Fix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\User\praat.exe
c:\windows\system32\vb40032.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-13 to 2010-05-13 )))))))))))))))))))))))))))))))
.

2010-05-13 22:29 . 2010-05-13 22:29 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-13 22:29 . 2010-05-13 22:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-08 04:03 . 2010-05-08 04:03 388096 ----a-r- c:\users\User\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-05-08 04:03 . 2010-05-08 04:03 -------- d-----w- c:\program files\TrendMicro
2010-05-06 16:09 . 2010-05-06 16:09 56766 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-05-06 16:09 . 2010-05-06 16:09 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-05-06 16:09 . 2010-05-06 16:09 57679 ----a-w- c:\programdata\DivX\Player\Uninstaller.exe
2010-05-06 16:07 . 2010-05-06 16:07 54153 ----a-w- c:\programdata\DivX\DFXPlugin\Uninstaller.exe
2010-05-06 16:07 . 2010-05-06 16:07 57409 ----a-w- c:\programdata\DivX\ControlPanel\Uninstaller.exe
2010-05-06 16:06 . 2010-05-06 16:06 144696 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-05-05 22:15 . 2010-05-13 22:30 -------- d-----w- c:\users\User\AppData\Local\temp
2010-05-05 22:04 . 2010-05-05 22:30 -------- d-----w- C:\Combo-Fix7755C
2010-05-05 17:50 . 2010-05-05 17:51 -------- d-----w- C:\Combo-Fix
2010-05-04 16:01 . 2010-05-05 03:36 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-04 15:02 . 2010-02-20 23:39 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-05-04 15:02 . 2010-02-20 21:18 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-05-04 15:02 . 2010-02-20 23:37 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-04-23 13:49 . 2010-04-23 13:49 -------- d-----w- c:\users\User\AppData\Roaming\Malwarebytes
2010-04-23 13:49 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-23 13:48 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 13:48 . 2010-04-23 13:48 -------- d-----w- c:\programdata\Malwarebytes
2010-04-23 13:48 . 2010-05-05 17:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-15 17:34 . 2010-05-06 16:10 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-04-15 15:42 . 2010-04-15 15:42 84040 ----a-w- c:\programdata\DivX\TransferWizard\Uninstaller.exe
2010-04-15 15:42 . 2010-04-15 15:42 54166 ----a-w- c:\programdata\DivX\DSAVCDecoder\Uninstaller.exe
2010-04-15 15:42 . 2010-04-15 15:42 57532 ----a-w- c:\programdata\DivX\DSASPDecoder\Uninstaller.exe
2010-04-15 15:42 . 2010-04-15 15:42 54128 ----a-w- c:\programdata\DivX\Converter\Uninstaller.exe
2010-04-14 03:03 . 2010-02-23 11:32 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 03:03 . 2010-02-23 11:32 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 03:03 . 2010-02-23 11:32 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 03:02 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 03:02 . 2010-02-18 14:49 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 03:02 . 2010-02-18 14:11 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 03:02 . 2010-02-18 11:52 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-09 23:10 . 2009-05-28 06:10 183312 ----a-w- c:\windows\system32\drivers\ahcix86s.sys
2010-05-08 04:30 . 2009-05-28 04:50 -------- d-----w- c:\programdata\Norton
2010-05-07 20:24 . 2010-05-07 20:24 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-05-07 04:41 . 2010-03-12 04:50 1356 ----a-w- c:\users\User\AppData\Local\d3d9caps.dat
2010-05-06 19:07 . 2009-05-28 04:50 -------- d-----w- c:\programdata\Symantec
2010-05-06 16:10 . 2010-03-25 04:17 -------- d-----w- c:\programdata\DivX
2010-05-06 16:09 . 2010-03-25 04:18 -------- d-----w- c:\program files\DivX
2010-05-06 16:06 . 2010-03-25 04:21 754984 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-05-06 16:06 . 2010-03-25 04:21 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-05-04 16:00 . 2010-01-25 15:03 104992 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-05-04 15:50 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-04 15:31 . 2009-05-28 04:29 -------- d-----w- c:\programdata\Microsoft Help
2010-04-22 16:54 . 2010-01-27 04:20 -------- d-----w- c:\users\User\AppData\Roaming\BitTorrent
2010-04-15 15:42 . 2010-03-25 04:20 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-04-07 22:26 . 2010-01-25 05:31 -------- d-----w- c:\program files\ApexDC++
2010-04-05 02:55 . 2010-04-05 02:48 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-05 02:53 . 2010-04-05 02:48 -------- d-----w- c:\program files\Symantec
2010-04-05 02:53 . 2010-04-05 02:52 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-04-05 02:53 . 2010-04-05 02:52 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-04-05 02:53 . 2010-04-05 02:52 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-30 13:05 . 2010-03-30 13:05 0 ----a-w- c:\windows\system32\cd.dat
2010-03-29 04:02 . 2010-02-05 04:15 -------- d-----w- c:\program files\SPSS
2010-03-25 04:21 . 2010-03-25 04:21 56978 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-03-25 04:21 . 2010-03-25 04:21 -------- d-----w- c:\users\User\AppData\Roaming\DivX
2010-03-25 04:20 . 2010-03-25 04:20 57054 ----a-w- c:\programdata\DivX\DSDesktopComponents\Uninstaller.exe
2010-03-25 04:20 . 2010-03-25 04:20 56458 ----a-w- c:\programdata\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-03-25 04:20 . 2010-03-25 04:20 54174 ----a-w- c:\programdata\DivX\DSAACDecoder\Uninstaller.exe
2010-03-25 04:20 . 2010-03-25 04:20 54629 ----a-w- c:\programdata\DivX\TranscodeEngine\Uninstaller.exe
2010-03-25 04:20 . 2010-03-25 04:20 54101 ----a-w- c:\programdata\DivX\MPEG2Plugin\Uninstaller.exe
2010-03-25 04:20 . 2010-03-25 04:20 52963 ----a-w- c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-03-25 04:20 . 2010-03-25 04:19 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-25 04:20 . 2010-03-25 04:20 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
2010-03-25 04:19 . 2010-03-25 04:19 56969 ----a-w- c:\programdata\DivX\ASPEncoder\Uninstaller.exe
2010-03-24 13:29 . 2009-05-28 04:49 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-13 21:58 . 2010-03-13 21:59 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-02-24 14:16 . 2010-01-27 16:26 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-03-30 18:14 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-30 18:14 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-30 18:14 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-30 18:14 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-19 19:27 . 2010-02-19 19:27 720384 ----a-w- c:\windows\system32\DivX.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2010-02-19 19:27 . 2010-02-19 19:27 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27 . 2010-02-19 19:27 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2010-02-19 19:27 . 2010-02-19 19:27 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2010-02-14 00:33 . 2010-02-14 00:33 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-04 05:00 . 2010-02-04 05:00 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}]
2010-01-13 16:32 157168 ----a-w- c:\programdata\Partner\partner.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2010-03-11 05:30 220208 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-01-13 6711840]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-02-04 30192]
"Acer ePower Management"="c:\program files\eMachines\eMachines Power Management\ePowerTray.exe" [2009-04-03 698912]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-04-10 862728]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-08-28 1557800]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-01-30 98304]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]

c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-02-04 30192]
R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-09-23 50424]
R3 Partner Service;Partner Service;c:\programdata\Partner\partner.exe [2010-01-13 110576]
S2 ePowerSvc;Acer ePower Service;c:\program files\eMachines\eMachines Power Management\ePowerSvc.exe [2009-04-03 723488]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [2010-01-08 285744]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-09-23 144632]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-09-17 102448]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x86.sys [2009-01-15 49664]

.
.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\gho04mjk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-05-13 18:30
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-05-13 18:35:37
ComboFix-quarantined-files.txt 2010-05-13 22:35
ComboFix2.txt 2010-05-05 22:30
ComboFix3.txt 2010-05-05 16:17

Pre-Run: 45,575,610,368 bytes free
Post-Run: 45,555,335,168 bytes free

- - End Of File - - 6F3C8275A7D9CC89DFC08C497609D829

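A helper reads a ComboFix listing like the one above looking for a legitimate kernel driver that has been rewritten in place, which is how the Tidserv (TDSS) rootkit family persisted. As an added example that is not part of this thread and is not ComboFix's own code, the script below parses the two file-listing sections and flags any *.sys file under drivers\ that was created long ago but written within the last month. It assumes, from the entries in this log rather than from any ComboFix documentation, that each section lists the timestamp it is sorted by first: created . modified under "Files Created" and modified . created under "Find3M Report". The sample lines are copied from the log above; the 180-day and 30-day thresholds and the scan time (taken from the catchme banner) are constructed choices.

```python
import re
from datetime import datetime, timedelta

# Section banner, e.g. "((((( Files Created from 2010-04-13 to 2010-05-13 )))))"
SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")
# One entry: "<timestamp> . <timestamp> <size or dashes> <attributes> <path>"
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-+) (\S+) (.+)$"
)


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def parse_report(text):
    """Return one dict per file/directory entry in a ComboFix log.

    Assumption (inferred from the log in this thread, not from ComboFix
    documentation): each section lists the timestamp it is sorted by first,
    so "Files Created" reads created . modified and "Find3M Report" reads
    modified . created.
    """
    entries = []
    section = None
    created_first = True
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            created_first = "Find3M" not in section
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # blank lines, lone dots, registry text, etc.
        first, second, size, attrs, path = m.groups()
        created, modified = (first, second) if created_first else (second, first)
        entries.append({
            "section": section,
            "path": path,
            "is_dir": attrs.startswith("d"),
            "size": None if size.startswith("-") else int(size),
            "created": _ts(created),
            "modified": _ts(modified),
        })
    return entries


def flag_modified_drivers(entries, scan_time, min_age_days=180, recent_days=30):
    """Kernel drivers created long ago but written recently.

    The Tidserv/TDSS family persisted by patching an existing driver in
    place, so an old *.sys under drivers\\ with a fresh last-write time
    deserves a hash or signature check. This is a triage filter, not a
    verdict: a cleanup tool restoring the file produces the same pattern.
    """
    hits = []
    for e in entries:
        path = e["path"].lower()
        if e["is_dir"] or not path.endswith(".sys") or "\\drivers\\" not in path:
            continue
        old_enough = e["created"] <= scan_time - timedelta(days=min_age_days)
        written_recently = e["modified"] >= scan_time - timedelta(days=recent_days)
        if old_enough and written_recently:
            hits.append(e["path"])
    return hits


# Constructed sample: a handful of lines copied from the log in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-04-13 to 2010-05-13 )))))))))))))))))))))))))))))))
.

2010-05-04 15:02 . 2010-02-20 21:18 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-04-23 13:48 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 13:48 . 2010-04-23 13:48 -------- d-----w- c:\programdata\Malwarebytes

.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-09 23:10 . 2009-05-28 06:10 183312 ----a-w- c:\windows\system32\drivers\ahcix86s.sys
2010-05-08 04:30 . 2009-05-28 04:50 -------- d-----w- c:\programdata\Norton
2010-04-05 02:53 . 2010-04-05 02:52 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-23 06:39 . 2010-03-30 18:14 916480 ----a-w- c:\windows\system32\wininet.dll
"""

# Scan time taken from the catchme banner in the same log (a constructed choice).
SCAN_TIME = datetime(2010, 5, 13, 18, 30)

if __name__ == "__main__":
    for hit in flag_modified_drivers(parse_report(SAMPLE_LOG), SCAN_TIME):
        print("check:", hit)
```

On this log the only hit is c:\windows\system32\drivers\ahcix86s.sys. That is a candidate for a signature or hash comparison against a known-good copy, not a verdict: the Kaspersky anti-rootkit log at the top of this section reports one file object cured on reboot, so the 2010-05-09 write is at least as consistent with the cleanup as with the infection.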

Re: Backdoor.Tidserv!inf - please help

Post by Belahzur on 14th May 2010, 9:29 am

Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.



Re: Backdoor.Tidserv!inf - please help

Post by wheelio on 26th May 2010, 4:32 am

Hi, sorry it took so long to reply, but I'm not sure what happened. The scan completed and deleted a file, but then I think I deleted the scan program before it saved a log... is this possible?
Should I do it again?
This is the file it found:

C:\Program Files\Hotspot Shield\bin\openvpnas.exe a variant of Win32/HotSpotShield application cleaned by deleting - quarantined

Thanks for your help


Re: Backdoor.Tidserv!inf - please help

Post by Belahzur on 26th May 2010, 9:56 pm

Hello.
No, that's fine.

How is the machine running now?



Re: Backdoor.Tidserv!inf - please help

Post by wheelio on 27th May 2010, 3:27 pm

Seems to be running fine. Norton has stopped popping up telling me there is a virus on the computer. Does this mean my computer is virus free?


Re: Backdoor.Tidserv!inf - please help

Post by Belahzur on 27th May 2010, 8:56 pm

Should be.



Re: Backdoor.Tidserv!inf - please help

Post by wheelio on 28th May 2010, 2:50 am

Wow, that is GREAT! Thanks sooo much for your help!!


Re: Backdoor.Tidserv!inf - please help

Post by Belahzur on 28th May 2010, 6:09 pm

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.

