backdoor tidserv!inf

View previous topic View next topic Go down

backdoor tidserv!inf

Post by fluffyfeet on 25th July 2010, 1:39 pm

Hi,

Really losing the will to live with this one! Norton found a backdoor tidserv!inf and says it needs to be manually removed. It is showing as c:\windows\system32\drivers\serial.sys. I have tried all kind of removal tools including Malware/Emisoft A2 but nothing. Norton homepage is not helpful for a none 'Techy' like me. When running other detection programs it is showing I also have Ratsou (Virus) and Gen downloader.1 (Trojan) - Norton doesn't show these? I seem to be going around in circles..Can anyone help?

I have ran the OTl report but everytime I include it I get an IE connection fault and it won't let me post it

fluffyfeet
Novice
Novice

Posts Posts : 5
Joined Joined : 2010-07-25
OS OS : xp
Points Points : 23373
# Likes # Likes : 0

View user profile

Back to top Go down

Re: backdoor tidserv!inf

Post by Dr Jay on 27th July 2010, 8:02 pm

Hello, and welcome to GeekPolice.

Please note the following information about the malware forum:
  • Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer.
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by the staff I noted above.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but for any reason we do not reply in two days, do one of two things:

    Reply to this topic with the word BUMP, or
    see [You must be registered and logged in to see this link.].

  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.





We need to do some diagnostics to get started.

1. Please download and run RKill.

[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.]

  • Save it to your Desktop.
  • Double click the RKill desktop icon.
  • It will quickly run and launch a log. If it does not launch a log, try another download link until it does.
  • Please post its log in your next reply.
  • After it has run successfully, delete RKill.

Note: This tool only kills the active infection, the actual infection will not be gone. Once you reboot the infection will be active again! Please do not reboot until instructed further to do so.

2. Download [You must be registered and logged in to see this link.] to your desktop.
  • Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
  • It will show a black screen with some data on it.
  • A report called MBRcheckxxxx.txt will be on your desktop
  • Open this report and post its content in your next reply.


3. Please download [You must be registered and logged in to see this link.] by me, and save to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.cmd to start.
  • It will finish quickly and launch a log.
  • Post the contents of it in your next reply.


4. In your next reply, please post the following logs for my review:
  • MBRCheck log (2)
  • Cheetah log (3)


Thanks! Smile


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14317
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 303008
# Likes # Likes : 10

View user profile

Back to top Go down

Re: backdoor tidserv!inf

Post by fluffyfeet on 28th July 2010, 5:12 pm

Dragonmaster Jay, logs as requested:

Ran as KIERAN on 28/07/2010 at 18:01:47.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\KIERAN\Desktop\rkill.exe

- Malware removal tools check --
CCleaner
Malwarebytes' Anti-Malware
SpywareBlaster


-- Known infection --

C:\WINDOWS\system32\drivers\kgpcpy.cfg (SecurityTool.RGE)
C:\Program Files\Common Files\ParetoLogic (ParetoLogic.RGE)


Extra message: Detection only.


EOF
Rkill completed on 28/07/2010 at 18:01:57.

MBRCheck, version 1.1.1

(c) 2010, AD



\\.\C: --> \\.\PhysicalDrive0



Size Device Name MBR Status

--------------------------------------------

149 GB \\.\PhysicalDrive0 Windows XP MBR code detected

Thanks for your help

KK


fluffyfeet
Novice
Novice

Posts Posts : 5
Joined Joined : 2010-07-25
OS OS : xp
Points Points : 23373
# Likes # Likes : 0

View user profile

Back to top Go down

Re: backdoor tidserv!inf

Post by Dr Jay on 28th July 2010, 9:15 pm

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].
Alternate link: [You must be registered and logged in to see this link.].
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this, will cause the infection to still be active on the computer.
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Copy and paste the entire report in your next reply.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14317
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 303008
# Likes # Likes : 10

View user profile

Back to top Go down

Re: backdoor tidserv!inf

Post by fluffyfeet on 29th July 2010, 5:47 pm

Dragonmaster Jay, Below as requested

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4367

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

29/07/2010 18:32:45
mbam-log-2010-07-29 (18-32-45).txt

Scan type: Quick scan
Objects scanned: 144326
Time elapsed: 16 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

fluffyfeet
Novice
Novice

Posts Posts : 5
Joined Joined : 2010-07-25
OS OS : xp
Points Points : 23373
# Likes # Likes : 0

View user profile

Back to top Go down

Re: backdoor tidserv!inf

Post by Dr Jay on 29th July 2010, 6:55 pm

Please download [You must be registered and logged in to see this link.] and install it. If you already have it, no need to reinstall.

Then, download [You must be registered and logged in to see this link.] and save the setup to your Desktop.

  • Right-click on the RootkitUnhooker setup and mouse-over 7-Zip then click Extract to "RKU***"
  • Once that is done, enter the folder, and double-click on the setup file. Navigate through setup and finish.
  • Once that is done, you will see another folder that was created inside the RKU folder. Enter that folder, and double-click on the randomly named file. (It will be alpha-numeric and have an EXE extension on it.)
  • It will initialize itself and load the scanner. It will also install its driver. Please wait for the interface to begin.
  • Once inside the interface, do not fix anything. Click on the Report tab.
  • Next, click on the Scan button and a popup will show. Make sure all are checked, then click on OK. It will begin scanning. When it gets to the Files tab, it will ask you what drives to scan. Just select C:\ and hit OK.
  • It will finish in about 5 minutes or a little longer depending on how badly infected the system is, or if your security software is enabled.
  • When finished, it will show the report in the Report tab. Please copy all of it, and post it in your next reply. Depending on how large the log is, you may have to use two or three posts to get all the information in.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14317
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 303008
# Likes # Likes : 10

View user profile

Back to top Go down

Re: backdoor tidserv!inf

Post by fluffyfeet on 31st July 2010, 1:37 pm

Dragonmaster Jay,

Did everything you said - when the C Dive was selected and I hit ok after a few moments I got an error message 'Error starting Helper service. I was then alerted by Norton ' Sonar detected sercurity risk 6cd43a8d.exe' restart needed for removal.
A report was generated in the background of all this which I is below:
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>SSDT State
==============================================
ntkrnlpa.exe-->NtAlertResumeThread, Type: Address change 0x805CAE66-->86CFC108 [Unknown module filename]
ntkrnlpa.exe-->NtAlertThread, Type: Address change 0x805CAE16-->86CFC1C8 [Unknown module filename]
ntkrnlpa.exe-->NtAllocateVirtualMemory, Type: Address change 0x8059DE30-->865EB368 [Unknown module filename]
ntkrnlpa.exe-->NtAssignProcessToJobObject, Type: Address change 0x805CC944-->86C95E10 [Unknown module filename]
ntkrnlpa.exe-->NtConnectPort, Type: Address change 0x8059995A-->86DEEF48 [Unknown module filename]
ntkrnlpa.exe-->NtCreateFile, Type: Address change 0x8056E2EE-->B24D1446 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
ntkrnlpa.exe-->NtCreateKey, Type: Address change 0x8061A344-->B2620210 [C:\WINDOWS\system32\Drivers\SYMEVENT.SYS]
ntkrnlpa.exe-->NtCreateMutant, Type: Address change 0x8060D868-->86CA2008 [Unknown module filename]
ntkrnlpa.exe-->NtCreateSymbolicLinkObject, Type: Address change 0x805B9614-->86C95C30 [Unknown module filename]
ntkrnlpa.exe-->NtCreateThread, Type: Address change 0x805C7288-->86BC9320 [Unknown module filename]
ntkrnlpa.exe-->NtDebugActiveProcess, Type: Address change 0x80639DBC-->86C95EF0 [Unknown module filename]
ntkrnlpa.exe-->NtDeleteFile, Type: Address change 0x8056BE8E-->B24D1592 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
ntkrnlpa.exe-->NtDeleteKey, Type: Address change 0x8061A7E0-->B2620490 [C:\WINDOWS\system32\Drivers\SYMEVENT.SYS]
ntkrnlpa.exe-->NtDeleteValueKey, Type: Address change 0x8061A9B0-->B26209F0 [C:\WINDOWS\system32\Drivers\SYMEVENT.SYS]
ntkrnlpa.exe-->NtDuplicateObject, Type: Address change 0x805B38CE-->86BC9D78 [Unknown module filename]
ntkrnlpa.exe-->NtFreeVirtualMemory, Type: Address change 0x805A8470-->86CFB178 [Unknown module filename]
ntkrnlpa.exe-->NtImpersonateAnonymousToken, Type: Address change 0x805EEDD6-->86CA1120 [Unknown module filename]
ntkrnlpa.exe-->NtImpersonateThread, Type: Address change 0x805CDADC-->86CA1008 [Unknown module filename]
ntkrnlpa.exe-->NtLoadDriver, Type: Address change 0x805795FA-->86DB6C50 [Unknown module filename]
ntkrnlpa.exe-->NtMapViewOfSection, Type: Address change 0x805A74F0-->86CFB098 [Unknown module filename]
ntkrnlpa.exe-->NtOpenEvent, Type: Address change 0x806052CE-->86CA2140 [Unknown module filename]
ntkrnlpa.exe-->NtOpenFile, Type: Address change 0x8056F40C-->B24D14F6 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
ntkrnlpa.exe-->NtOpenProcess, Type: Address change 0x805C1316-->86CFAD38 [Unknown module filename]
ntkrnlpa.exe-->NtOpenProcessToken, Type: Address change 0x805E3A7C-->86BC9500 [Unknown module filename]
ntkrnlpa.exe-->NtOpenSection, Type: Address change 0x8059F792-->86BC7168 [Unknown module filename]
ntkrnlpa.exe-->NtOpenThread, Type: Address change 0x805C15A2-->86BC95C0 [Unknown module filename]
ntkrnlpa.exe-->NtProtectVirtualMemory, Type: Address change 0x805ADA88-->86C95D20 [Unknown module filename]
ntkrnlpa.exe-->NtQueryValueKey, Type: Address change 0x80618568-->B24D4B48 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
ntkrnlpa.exe-->NtRenameKey, Type: Address change 0x80619D66-->B24D4AB2 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
ntkrnlpa.exe-->NtReplaceKey, Type: Address change 0x8061C418-->B24D4AE4 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
ntkrnlpa.exe-->NtRestoreKey, Type: Address change 0x8061BD24-->B24D4B16 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
ntkrnlpa.exe-->NtResumeThread, Type: Address change 0x805CACA2-->86CE10E8 [Unknown module filename]
ntkrnlpa.exe-->NtSetContextThread, Type: Address change 0x805C79AA-->86CF7188 [Unknown module filename]
ntkrnlpa.exe-->NtSetInformationFile, Type: Address change 0x805702F6-->B24D15F2 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
ntkrnlpa.exe-->NtSetInformationProcess, Type: Address change 0x805C3DD4-->86C9C0B8 [Unknown module filename]
ntkrnlpa.exe-->NtSetSystemInformation, Type: Address change 0x80605F20-->86C95FD0 [Unknown module filename]
ntkrnlpa.exe-->NtSetValueKey, Type: Address change 0x806188B6-->B2620C40 [C:\WINDOWS\system32\Drivers\SYMEVENT.SYS]
ntkrnlpa.exe-->NtSuspendProcess, Type: Address change 0x805CAD6A-->86CA2060 [Unknown module filename]
ntkrnlpa.exe-->NtSuspendThread, Type: Address change 0x805CABDC-->86CE11C8 [Unknown module filename]
ntkrnlpa.exe-->NtTerminateProcess, Type: Address change 0x805C8CAA-->86C945F0 [Unknown module filename]
ntkrnlpa.exe-->NtTerminateThread, Type: Address change 0x805C8EA4-->86CF70A8 [Unknown module filename]
ntkrnlpa.exe-->NtUnmapViewOfSection, Type: Address change 0x805A8306-->86C9C188 [Unknown module filename]
ntkrnlpa.exe-->NtWriteVirtualMemory, Type: Address change 0x805A9890-->865EB298 [Unknown module filename]
==============================================
>Shadow
==============================================
win32k.sys-->NtUserAttachThreadInput, Type: Address change 0xBF8F556E-->863F7D20 [Unknown module filename]
win32k.sys-->NtUserGetAsyncKeyState, Type: Address change 0xBF83C845-->86433940 [Unknown module filename]
win32k.sys-->NtUserGetKeyboardState, Type: Address change 0xBF8A0C8F-->86294100 [Unknown module filename]
win32k.sys-->NtUserGetKeyState, Type: Address change 0xBF81C763-->864339C0 [Unknown module filename]
win32k.sys-->NtUserGetRawInputData, Type: Address change 0xBF916210-->863F7C50 [Unknown module filename]
win32k.sys-->NtUserMessageCall, Type: Address change 0xBF80EE8D-->86290AC8 [Unknown module filename]
win32k.sys-->NtUserPostMessage, Type: Address change 0xBF808306-->86296D48 [Unknown module filename]
win32k.sys-->NtUserPostThreadMessage, Type: Address change 0xBF8B9E23-->86296C78 [Unknown module filename]
win32k.sys-->NtUserSetWindowsHookEx, Type: Address change 0xBF8A0D4F-->8626C628 [Unknown module filename]
win32k.sys-->NtUserSetWinEventHook, Type: Address change 0xBF8F98FA-->8626C410 [Unknown module filename]
==============================================
>Processes
==============================================
0x871C5628 [4] System
0x85EBADA0 [256] C:\WINDOWS\system32\wuauclt.exe (Microsoft Corporation, Windows Update)
0x86BC8398 [428] C:\WINDOWS\system32\smss.exe (Microsoft Corporation, Windows NT Session Manager)
0x862BA208 [500] C:\WINDOWS\system32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x8621EBC0 [524] C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation, Windows NT Logon Application)
0x860E09E0 [568] C:\WINDOWS\system32\services.exe (Microsoft Corporation, Services and Controller app)
0x860DADA0 [580] C:\WINDOWS\system32\lsass.exe (Microsoft Corporation, LSA Shell (Export Version))
0x86061BC0 [740] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8604CDA0 [792] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8601C9E0 [860] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x85FF9BC0 [988] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x85FEEDA0 [1080] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x85F61DA0 [1220] C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
0x85E04BC0 [1364] C:\WINDOWS\explorer.exe (Microsoft Corporation, Windows Explorer)
0x85FBDDA0 [1700] C:\WINDOWS\system32\cisvc.exe (Microsoft Corporation, Content Index service)
0x85F549E0 [1804] C:\Program Files\Microsoft LifeCam\MSCamS32.exe (Microsoft Corporation, MsCamSvc.exe)
0x85F359E0 [1852] C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe (Symantec Corporation, Symantec Service Framework)
0x85D9B9E0 [1904] C:\WINDOWS\system32\alg.exe (Microsoft Corporation, Application Layer Gateway Service)
0x85F14DA0 [1960] C:\WINDOWS\system32\slserv.exe ( , User-Level Modem Service)
0x85F2ADA0 [2008] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x85BC2BC0 [2296] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc., GoogleToolbarNotifier)
0x85A92878 [2336] C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation, Windows Live Messenger)
0x859739E0 [2436] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation, CTF Loader)
0x85BA39E0 [2456] C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe (Symantec Corporation, Symantec Service Framework)
0x85AC0BC0 [3156] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8595CDA0 [3360] C:\Documents and Settings\KIERAN\Local Settings\Temp\7zOF.tmp\MustBeRandomlyNamed\2hieWd.exe (UG North, RKULE, SR2 Normandy)
==============================================
>Drivers
==============================================
0xF6E1A000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS 2314240 bytes (Realtek Semiconductor Corp., Realtek AC'97 Audio Driver (WDM))
0xBF084000 C:\WINDOWS\System32\ati3duag.dll 2240512 bytes (ATI Technologies Inc. , ati3duag.dll)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2066816 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2066816 bytes
0x804D7000 RAW 2066816 bytes
0x804D7000 WMIxWDM 2066816 bytes
0xB20B4000 C:\WINDOWS\system32\DRIVERS\VX1000.sys 1957888 bytes (Microsoft Corporation, Microsoft LifeCam VX1000 Device Driver)
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB0FE7000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100730.048\NAVEX15.SYS 1359872 bytes (Symantec Corporation, AV Engine)
0xF709A000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 897024 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xB2292000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20100709.001\BHDrvx86.sys 704512 bytes (Symantec Corporation, BASH Driver)
0xF72CC000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB233E000 C:\WINDOWS\system32\drivers\NIS\1107000.00C\ccHPx86.sys 520192 bytes (Symantec Corporation, Common Client Hash Provider Driver)
0xBF2A7000 C:\WINDOWS\System32\ativvaxx.dll 479232 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xB2438000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB23DA000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0xF6CC8000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB26AC000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB1223000 C:\WINDOWS\System32\Drivers\NIS\1107000.00C\SRTSP.SYS 356352 bytes (Symantec Corporation, Symantec AutoProtect)
0xB1AC8000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xB2655000 C:\WINDOWS\System32\Drivers\NIS\1107000.00C\SYMTDI.SYS 356352 bytes (Symantec Corporation, Network Dispatch Driver)
0xF739D000 SYMDS.SYS 352256 bytes
0xB25B5000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100730.001\IDSxpx86.sys 348160 bytes (Symantec Corporation, IDS Core Driver)
0xF6D7E000 C:\WINDOWS\system32\DRIVERS\slntamr.sys 344064 bytes ( , slntamr driver)
0xB24D0000 C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys 331776 bytes (Trusteer Ltd., RapportPG)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB12F2000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xBF04A000 C:\WINDOWS\System32\ati2cqag.dll 237568 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 229376 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xF74B8000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB1C0F000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF729F000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xF7370000 SYMEFA.SYS 184320 bytes
0xB2521000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF74E6000 szkgfs.sys 167936 bytes (iS3, Inc., STOPzilla Kernel Guard File System, x86-32 )
0xB258D000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB262F000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB260A000 C:\WINDOWS\system32\Drivers\SYMEVENT.SYS 151552 bytes (Symantec Corporation, Symantec Event Library)
0xF6DF6000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF6DD2000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF704F000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB256B000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806D0000 ACPI_HAL 131840 bytes
0x806D0000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF73F3000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF7488000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB254C000 C:\WINDOWS\system32\drivers\NIS\1107000.00C\Ironx86.SYS 126976 bytes (Symantec Corporation, Iron Driver)
0xF6D60000 C:\WINDOWS\system32\DRIVERS\Mtlmnt5.sys 122880 bytes ( , mtlmnt5 driver)
0xB23BD000 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys 118784 bytes (Symantec Corporation, Symantec Eraser Utility Driver)
0xF7285000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF7458000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB209C000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7470000 C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xF7359000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF6D37000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB17BB000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB0FD3000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100730.048\NAVENG.SYS 81920 bytes (Symantec Corporation, AV Engine)
0xF7072000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF7086000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB2705000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF6D4E000 C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys 73728 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver )
0xF74A7000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF6D26000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF71E5000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF76B0000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF76D0000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF76C0000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB1900000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF7620000 C:\WINDOWS\system32\drivers\usbaudio.sys 61440 bytes (Microsoft Corporation, USB Audio Class Driver)
0xF7830000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7235000 C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys 57344 bytes (Trusteer Ltd., RapportKE)
0xF7610000 szkg.sys 57344 bytes (iS3 Inc., szkg Device Driver)
0xF76F0000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF7680000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF7740000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF71F5000 C:\WINDOWS\system32\DRIVERS\STREAM.SYS 53248 bytes (Microsoft Corporation, WDM CODEC Class Device Driver 2.0)
0xF7650000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF7710000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7225000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF7690000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7640000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF7750000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF7720000 uagp35.sys 45056 bytes (Microsoft Corporation, MS AGPv3.5 Filter)
0xB1FE4000 C:\WINDOWS\system32\DRIVERS\EAPPkt.sys 40960 bytes (Realtek, Realtek EAPPkt Protocol Driver)
0xF7630000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF77E0000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xB1C7C000 C:\WINDOWS\system32\DRIVERS\secdrv.sys 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0xF7255000 C:\WINDOWS\system32\drivers\NIS\1107000.00C\SRTSPX.SYS 40960 bytes (Symantec Corporation, Symantec AutoProtect)
0xF77B0000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF76A0000 C:\WINDOWS\System32\Drivers\AFS2K.SYS 36864 bytes (Oak Technology Inc., Audio File System)
0xF76E0000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7245000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF7730000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF77A0000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF7870000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB0F53000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF7700000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF7840000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF78C8000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF79F0000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF79D8000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF78A0000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF7928000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF7938000 C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys 28672 bytes (GEAR Software Inc., CD/DVD Class Filter Driver)
0xF79C8000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF7890000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF78C0000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF7A18000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF7970000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF79D0000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF7940000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 20480 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver)
0xF79A8000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF79E0000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF7898000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF78F8000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7968000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xF78B0000 C:\WINDOWS\system32\DRIVERS\SlWdmSup.sys 20480 bytes (Vireo Software, Description string for SlWdmSup driver)
0xF78E8000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF7958000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xF79B0000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB2754000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF7179000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB1F60000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7A20000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB24B0000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF71AD000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF7AE0000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xF71A1000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF718D000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF7AF0000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7B76000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7B96000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7B72000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7B10000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7B7A000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7B7E000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7B22000 speedfan.sys 8192 bytes
0xF7B64000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7B6E000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7B12000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7CD4000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7CF3000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7BD9000 giveio.sys 4096 bytes
0xF7D1D000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7BD8000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0002ABD4, Type: Inline - PushRet 0x80501BD4-->CFC1C886 [unknown_code_page]
ntkrnlpa.exe+0x0002ACB4, Type: Inline - RelativeJump 0x80501CB4-->80501C57 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002ACF0, Type: Inline - RelativeJump 0x80501CF0-->80501CA7 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002AEDC, Type: Inline - RelativeCall 0x80501EDC-->A0D6ECF1 [unknown_code_page]
ntkrnlpa.exe+0x0006AA8A, Type: Inline - RelativeJump 0x80541A8A-->80541A91 [ntkrnlpa.exe]
[1364]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[1364]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[1364]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[1364]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[1364]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[1364]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->00000000 [shimeng.dll]
[1364]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]

fluffyfeet
Novice
Novice

Posts Posts : 5
Joined Joined : 2010-07-25
OS OS : xp
Points Points : 23373
# Likes # Likes : 0

View user profile

Back to top Go down

Re: backdoor tidserv!inf

Post by Dr Jay on 31st July 2010, 8:13 pm

GMER

Note about this tool:
  • This program may freeze. Do not reboot the computer, unless it has been frozen for over 30 minutes.
  • This program may cause a blue screen of death. If it does, do not scan, and then reply to let me know.
  • No matter what is in the log, please post all the information/contents of the log.


Please download the [You must be registered and logged in to see this link.]. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14317
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 303008
# Likes # Likes : 10

View user profile

Back to top Go down

Re: backdoor tidserv!inf

Post by fluffyfeet on 1st August 2010, 2:38 pm

Dragon master Jay,

Log as instructed


GMER 1.0.15.15281 - [You must be registered and logged in to see this link.]
Rootkit scan 2010-08-01 15:36:09
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\KIERAN\LOCALS~1\Temp\fwtyrpog.sys


---- System - GMER 1.0.15 ----

SSDT 86AB0300 ZwAlertResumeThread
SSDT 869FE230 ZwAlertThread
SSDT 862BA6C0 ZwAllocateVirtualMemory
SSDT 86AFF050 ZwAssignProcessToJobObject
SSDT 870E2B90 ZwConnectPort
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xB2114446]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB2567210]
SSDT 862BDC70 ZwCreateMutant
SSDT 86AC8168 ZwCreateSymbolicLinkObject
SSDT 86B36338 ZwCreateThread
SSDT 869F2050 ZwDebugActiveProcess
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteFile [0xB2114592]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB2567490]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB25679F0]
SSDT 862C1930 ZwDuplicateObject
SSDT 862B7BB8 ZwFreeVirtualMemory
SSDT 86B43890 ZwImpersonateAnonymousToken
SSDT 86B0A890 ZwImpersonateThread
SSDT 86FC1D68 ZwLoadDriver
SSDT 862B5D70 ZwMapViewOfSection
SSDT 86B01050 ZwOpenEvent
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xB21144F6]
SSDT 862AB5C0 ZwOpenProcess
SSDT 869F7050 ZwOpenProcessToken
SSDT 86B00050 ZwOpenSection
SSDT 862C1A00 ZwOpenThread
SSDT 86AC9058 ZwProtectVirtualMemory
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xB2117B48]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xB2117AB2]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwReplaceKey [0xB2117AE4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRestoreKey [0xB2117B16]
SSDT 86B08C90 ZwResumeThread
SSDT 86B4C050 ZwSetContextThread
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetInformationFile [0xB21145F2]
SSDT 862B33B8 ZwSetInformationProcess
SSDT 869F4050 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB2567C40]
SSDT 86419050 ZwSuspendProcess
SSDT 86ACB050 ZwSuspendThread
SSDT 86B03050 ZwTerminateProcess
SSDT 86B3E050 ZwTerminateThread
SSDT 86AED050 ZwUnmapViewOfSection
SSDT 862BA5F0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \FileSystem\Fastfat \Fat B0841D20

AttachedDevice \FileSystem\Fastfat \Fat szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

fluffyfeet
Novice
Novice

Posts Posts : 5
Joined Joined : 2010-07-25
OS OS : xp
Points Points : 23373
# Likes # Likes : 0

View user profile

Back to top Go down

Re: backdoor tidserv!inf

Post by Dr Jay on 1st August 2010, 8:05 pm

Sorry, but please disable the STOPzilla guard, if it is on, and any Symantec/Norton products running, then run GMER again and post a log.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14317
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 303008
# Likes # Likes : 10

View user profile

Back to top Go down

View previous topic View next topic Back to top


 
Permissions in this forum:
You cannot reply to topics in this forum