Backdoor.Tidserv Inf.....I'm convinced by now it can't be removed!

View previous topic View next topic Go down

Backdoor.Tidserv Inf.....I'm convinced by now it can't be removed!

Post by banderson on Sat 05 Mar 2011, 1:35 pm

For the life of me, I cannot seem to remove this virus. Norton can't remove it, nor all the other "recommended" downloads, they've proven totally unhelpful.
I have windows Vista (a mistake I will not repeat), and Norton says the source file rdpcdd.sys, a driver in System32.

Can anyone actually prove that this virus can be removed? I've read the forums, everyone's got an idea but none are working for me and of course not all systems require the same methods. I hear bullets work. Throw me a line if you have a working solution. Thanks

banderson

Newbie Surfer
Newbie Surfer

Posts : 5
Joined : 2011-03-05
Operating System : Vista

View user profile

Back to top Go down

Re: Backdoor.Tidserv Inf.....I'm convinced by now it can't be removed!

Post by Pancake on Sun 06 Mar 2011, 9:15 am

Hi.Welcome to the forum


Please run all these programs..


Download the TDSSKiller.exe and extract to your Desktop.


Execute TDSSKiller.exe by doubleclicking on it. You may be prompted to restart your machine. Type Y at the prompt.

Once complete, a log will be produced at root. It will be named

UtilityName.Version_Date_Time_log.txt.

for example, C:\TDSSKiller.2.2.0_27.1.2010_15.31.43_log.txt.


Attach that log here please.



====================================================


Please download Malwarebytes' Anti-Malware from one of these places:

Majorgeeks or Besttechie


Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.

* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.Do so.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply.



===============================================



Download Combofix from Bleepingcomputer or Geekstogo and place it on your Desktop

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.Combofix may be slow to start and appear to be doing nothing before it starts scanning.Just leave it,it will start.

You can get help on disabling your protection programs here : [You must be registered and logged in to see this link.]

Please include the C:\ComboFix.txt in your next reply for further review.


Caution.....
Never use this program to remove files.Only use it with help from an experienced user.Wrongful use can damage your computer.This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a qualified helper













Home Town Web Page

Pancake

Tech Staff
Tech Staff

Posts : 222
Joined : 2010-03-06
Operating System : Windows 7

View user profile

Back to top Go down

Re: Backdoor.Tidserv Inf.....I'm convinced by now it can't be removed!

Post by banderson on Mon 07 Mar 2011, 5:24 am

I've done both of your recommendations before (as they seem to be the most common suggestions found on the internet), both to no avail.

However, for good measure I did download Malwarebyte's Anti-malware and ran not only a quick scan, but a full scan as well....both results are pasted here:

Malwarebytes' Anti-Malware 1.50.1.1100
[You must be registered and logged in to see this link.]

Database version: 5974

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019

3/6/2011 10:05:37 AM
mbam-log-2011-03-06 (10-05-37).txt

Scan type: Quick scan
Objects scanned: 150282
Time elapsed: 5 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

and the full scan results are here:

Malwarebytes' Anti-Malware 1.50.1.1100
[You must be registered and logged in to see this link.]

Database version: 5974

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019

3/6/2011 1:10:37 PM
mbam-log-2011-03-06 (13-10-37).txt

Scan type: Full scan (C:\|D:\|H:\|)
Objects scanned: 550613
Time elapsed: 2 hour(s), 59 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

TDSSKiller is no help either. This virus seems to evade all scans I've tried with various protection programs. So either this thing is buried deep, or it's affecting the anti-virus' programs' ability to remove it. Norton at least detects it. But the two downloads you recommended can't even seem to detect it.

So unless you know of some other foolproof scan to get rid of this particular bug, I need some alternative suggestions here.

Thanks for your help, much appreciated.












banderson

Newbie Surfer
Newbie Surfer

Posts : 5
Joined : 2011-03-05
Operating System : Vista

View user profile

Back to top Go down

Re: Backdoor.Tidserv Inf.....I'm convinced by now it can't be removed!

Post by Pancake on Mon 07 Mar 2011, 8:08 am

And the log from Combofix ?.Also do a check and remove anything related to boot.com

WARNING these fixes are designed for this user only and may cause damage if run on any other machine.

Please download the OTM.exe by OldTimer.
Save it to your Desktop.
Please double-click OTM.exe to run it.
Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:

:Processes
explorer.exe
:otl
:files
C:/Windows/System32/rujamika
C:/Windows/System32/tutatezu
ipconfig /flushdns /c
:reg
:services
:Commands
[clearallrestorepoints]
[createrestorepoint]
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]
Return to OTM.exe, right click in the "Paste Instructions for Items to be Moved" window (under the light yellow bar) and choose Paste.
Click the red Moveit! button.
A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.






Home Town Web Page

Pancake

Tech Staff
Tech Staff

Posts : 222
Joined : 2010-03-06
Operating System : Windows 7

View user profile

Back to top Go down

Re: Backdoor.Tidserv Inf.....I'm convinced by now it can't be removed!

Post by banderson on Mon 07 Mar 2011, 10:17 am

As far as Combofix....the red lettered disclaimer made me a little uncomfortable. "Wrongful use can damage my computer". Plus I'll admit I'm skeptical that the virus will evade another scan from merely another detector.

But if you can put me (not a total rookie, but still unsure of downloading stuff without explanation as to what it does) at ease about Combofix and explain why it might prove to be successful in light of the other failed attempts at extra scans, then please do explain.


Norton is telling me specifically where this corruption resides:
C:\Windows.old.000\Windows\System32\drivers\RDPCCD.sys

two accounts of it actually, the other is located here:

C:\Windows.old.000\Windows\winsxs\x86_microsoft-windows-t..niportdisplaydriver_31bf3856ad364e35_6.0.6001.18000_none_d4db241b3e3ef7e4

Both are RDPCDD.sys and are infected files. Windows will not allow me to remove these files, says I need "permission to perform this action"

The other files you recommended removing were not found. Plus as a general rule I don't like removing files when i don't know what they are. Norton identified where the virus is residing, but these two accounts cannot be removed apparently. Would safe mode make a difference?

I know it's tough to not be physically present so I'm trying to give you as much pertinent info as possible.



banderson

Newbie Surfer
Newbie Surfer

Posts : 5
Joined : 2011-03-05
Operating System : Vista

View user profile

Back to top Go down

Re: Backdoor.Tidserv Inf.....I'm convinced by now it can't be removed!

Post by Pancake on Mon 07 Mar 2011, 10:42 am

I have run Combofix hundreds of times and have not lost a patient yet.That warninig is only to stop people running it who dont know what they are doing.






Home Town Web Page

Pancake

Tech Staff
Tech Staff

Posts : 222
Joined : 2010-03-06
Operating System : Windows 7

View user profile

Back to top Go down

Re: Backdoor.Tidserv Inf.....I'm convinced by now it can't be removed!

Post by banderson on Tue 17 May 2011, 8:21 am

Hey Pancake,
It occurred to me that I never got back to you on this, I guess I got frustrated and shelved it for a while. But I just renewed my Norton 360 Antivirus subscription and the Backdoor.Tidserv is still on my PC (windows Vista) and the software still can't remove it (gotta love paying $83 for a subscription that can't remove a virus).

Anyway, I did run Combofix and these are the results. Let me know if I did this right or if there's other instructions I need or more information I need to provide. Would love to get rid of this thing once and for all without having to wipe out the hard drive or restore it to "x" point in time.




ComboFix 11-03-06.01 - BA 03/06/2011 18:53:55.1.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.1877 [GMT -5:00]
Running from: c:\users\BA\Downloads\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\AutoRun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-02-07 to 2011-03-07 )))))))))))))))))))))))))))))))
.
.
2011-03-07 00:03 . 2011-03-07 00:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-06 23:20 . 2011-03-06 23:20 -------- d-----w- C:\_OTM
2011-03-06 14:59 . 2011-03-06 14:59 -------- d-----w- c:\users\BA\AppData\Roaming\Malwarebytes
2011-03-06 14:59 . 2011-03-06 14:59 -------- d-----w- c:\programdata\Malwarebytes
2011-03-06 14:59 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-06 14:59 . 2011-03-06 14:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-06 14:59 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-05 01:15 . 2011-03-05 01:15 -------- d-----w- c:\windows\system32\log
2011-02-20 16:37 . 2011-02-21 23:05 -------- d-----w- c:\users\BA\AppData\Roaming\PhotoScape
2011-02-20 16:36 . 2011-02-20 16:36 -------- d-----w- c:\program files\PhotoScape
2011-02-14 16:04 . 2011-02-14 16:04 -------- d-----w- c:\program files\Common Files\Skype
2011-02-12 08:19 . 2011-02-12 08:19 -------- d-----w- c:\program files\Windows Portable Devices
2011-02-12 08:03 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2011-02-12 08:03 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2011-02-12 08:03 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2011-02-12 08:03 . 2009-09-25 01:33 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2011-02-12 08:03 . 2009-09-25 02:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2011-02-12 08:03 . 2009-09-25 02:07 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2011-02-12 08:03 . 2009-09-25 02:04 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2011-02-12 08:03 . 2009-09-25 01:33 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2011-02-12 08:03 . 2009-09-25 01:32 252928 ----a-w- c:\windows\system32\dxdiag.exe
2011-02-12 08:03 . 2009-09-25 01:31 519680 ----a-w- c:\windows\system32\d3d11.dll
2011-02-12 08:02 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2011-02-12 08:02 . 2009-10-01 01:02 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2011-02-12 08:02 . 2009-10-01 01:01 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2011-02-12 08:02 . 2009-10-01 01:01 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2011-02-12 08:02 . 2009-10-01 01:02 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2011-02-12 08:02 . 2009-10-01 01:02 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2011-02-12 08:02 . 2009-10-01 01:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2011-02-12 08:02 . 2009-10-01 01:01 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2011-02-12 08:02 . 2009-10-01 01:01 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2011-02-12 08:02 . 2009-10-01 01:01 350208 ----a-w- c:\windows\system32\WPDSp.dll
2011-02-12 08:02 . 2009-10-01 01:01 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2011-02-12 08:02 . 2009-10-01 01:01 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2011-02-12 08:00 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-02-12 08:00 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2011-02-12 08:00 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-02-09 21:18 . 2010-05-04 19:13 231424 ----a-w- c:\windows\system32\msshsq.dll
2011-02-08 18:53 . 2011-02-08 18:53 -------- d-----w- c:\windows\system32\ca-ES
2011-02-08 18:53 . 2011-02-08 18:53 -------- d-----w- c:\windows\system32\eu-ES
2011-02-08 18:53 . 2011-02-08 18:53 -------- d-----w- c:\windows\system32\vi-VN
2011-02-08 18:27 . 2011-02-08 18:27 -------- d-----w- c:\windows\system32\EventProviders
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-28 15:55 . 2011-01-12 13:01 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-14 14:49 . 2011-01-12 13:01 1169408 ----a-w- c:\windows\system32\sdclt.exe
2010-10-12 22:41 . 2010-05-14 03:47 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\BA\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\BA\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\BA\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\BA\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\BA\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-05-14 136176]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-14 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-26 15026056]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-10-12 30192]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432]
"AoboBlocker"="c:\program files\AoboBlocker\AoboBlocker.exe" [2010-01-21 907264]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
.
c:\users\BA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\BA\AppData\Roaming\Dropbox\bin\Dropbox.exe [2010-12-16 23343848]
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-7-8 503808]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2010-5-13 385024]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-10-14 2049344]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-10-14 9085760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 136176]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-10-12 30192]
R3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\DRIVERS\RTL8192su.sys [2010-01-06 528896]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1205000.07D\SYMDS.SYS [2010-10-21 340016]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1205000.07D\SYMEFA.SYS [2010-11-18 652336]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110225.002\BHDrvx86.sys [2011-02-25 800376]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110303.001\IDSvix86.sys [2010-11-09 353912]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1205000.07D\Ironx86.SYS [2010-11-16 136312]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NIS\1205000.07D\SYMTDIV.SYS [2010-12-01 330360]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 21504]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe [2010-11-24 130000]
S2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2009-10-14 98304]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 102448]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
Akamai REG_MULTI_SZ Akamai
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 16:28]
.
2011-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 16:28]
.
2010-10-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-431953967-2656716875-3770434716-1000Core1cb6d7313651790.job
- c:\users\BA\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-14 16:24]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
FF - ProfilePath - c:\users\BA\AppData\Roaming\Mozilla\Firefox\Profiles\hsj4qi38.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AdobeBridge - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-03-06 19:04
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.5.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-03-06 19:06:45
ComboFix-quarantined-files.txt 2011-03-07 00:06
.
Pre-Run: 99,047,014,400 bytes free
Post-Run: 98,189,012,992 bytes free
.
- - End Of File - - 294AD478578BC109859C965B48DDE840

banderson

Newbie Surfer
Newbie Surfer

Posts : 5
Joined : 2011-03-05
Operating System : Vista

View user profile

Back to top Go down

Re: Backdoor.Tidserv Inf.....I'm convinced by now it can't be removed!

Post by Belahzur on Wed 18 May 2011, 2:23 am

Hello.
Pancake is away so I will take over from here.

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX. click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer
Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Backdoor.Tidserv Inf.....I'm convinced by now it can't be removed!

Post by banderson on Thu 19 May 2011, 9:07 am

Before I do this....have you heard of this virus and dealt with it before? I've downloaded probably 4 or 5 virus scan tools (including the removal tool from Symantec that is supposedly for this particular virus), and this thing either goes undetected or is simply not removed.

I'm sure you can understand, it's a bit frustrating to be doing different versions of the same thing all to no avail. But if you're supremely confident that ESET Online Scan will not only find it, but remove it....then I'll give it a go.

banderson

Newbie Surfer
Newbie Surfer

Posts : 5
Joined : 2011-03-05
Operating System : Vista

View user profile

Back to top Go down

Re: Backdoor.Tidserv Inf.....I'm convinced by now it can't be removed!

Post by Sponsored content Today at 7:38 am


Sponsored content


Back to top Go down

View previous topic View next topic Back to top


 
Permissions in this forum:
You cannot reply to topics in this forum