Backdoor.Tidserv!inf Please help remove


Backdoor.Tidserv!inf Please help remove

Post by The Spock of Rock on 25th November 2008, 3:00 am

Hi, this is The Spock of Rock

Description of problem
Upon boot up, it shows the desktop background only in normal mode. After hitting Ctrl+Alt+Del and then waiting for about 2 minutes I get Task Manager. I have to end task on about 3 or 4 scvhost.exe entries on the list before my desktop appears with icons. I get a "you don't have permission to change settings to control catalyst" dialog. I can do about 4 things normally after that and then I get another dialog box stating my system will shut down in 55 seconds, and then it shuts down. I have Norton and AntiVir installed along with Lavasoft Ad-Aware; the programs do nothing. I tried installing NOD32, but it states there is a problem with Windows Installer, or in safe mode. I already had System Restore disabled a long time ago. Did more of all three scans via safe mode and still no removal. Can't get into normal running mode anymore. Help!

Followed the HijackThis instructions and am now posting the report.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:25 PM, on 11/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\Jon\LOCALS~1\Temp\csrssc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
D:\DOWNLOADS\New Virus Remover temp though\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: C:\WINDOWS\system32\siejf93.dll - {C5AF42A3-94F3-42BD-F434-3604832C897D} - C:\WINDOWS\system32\siejf93.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "D:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [AWMON] "D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Jon\LOCALS~1\Temp\csrssc.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsne87fidgf.dll
O22 - SharedTaskScheduler: lke3iemrl490kgfgdsfd - {C5AF42A3-94F3-42BD-F434-3604832C897D} - C:\WINDOWS\system32\siejf93.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

--
End of file - 4393 bytes


UNINSTALL LOG BELOW

Ad-Aware SE Plus
Add or Remove Adobe Creative Suite 3 Production Premium
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe After Effects CS3 Template Projects & Footage
Adobe After Effects CS3 Third Party Content
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Creative Suite 3 Production Premium
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Encore CS3
Adobe Encore CS3 Codecs
Adobe Encore CS3 Library
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash CS3
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Glyphlet Creation Tool CS3
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Premiere Pro CS3 Third Party Content
Adobe Reader 8
Adobe Setup
Adobe Soundbooth CS3
Adobe Soundbooth CS3 Codecs
Adobe Soundbooth CS3 Scores
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
Antares AutoTune v3.08
Antares Microphone Modeler - ZONE
Antares Tube v1.0
AppCore
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Parental Control & Encoder
ATT-AACE
Avira AntiVir Personal - Free Antivirus
BBE Sonic Maximizer Plugin
BitDownload 1.5.4
Cakewalk Pro Audio 8.0
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities ZoomBrowser EX
ccCommon
CD/DVD Drive Acoustic Silencer
Component Framework
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD Shrink 3.2
High Definition Audio Driver Package - KB835221
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB898108)
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
HP Software Update
Java(TM) 6 Update 10
LimeWire 4.18.8
Linksys EasyLink Advisor 1.5 (1010)
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
Logitech Gaming Software 5.02
LucasArts' Rogue Squadron
LucasArts' TIE Fighter
MAGIX mp3 maker gold
Microsoft .NET Framework 2.0
Microsoft Office 97, Professional Edition
Microsoft Publisher 2002
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 2000
MOTU FireWire/USB Audio Installer
Mozilla Firefox (3.0.4)
Multimedia Transcoding Tool
MySpaceIM
Need For Speed III
Nero Suite
Netflix Movie Viewer
Norton AntiVirus
Norton AntiVirus (Symantec Corporation)
Norton AntiVirus Help
Norton Protection Center
PDF Settings
PhotoNow! 1.0
Pinnacle Hollywood FX for Studio
PowerDirector
PowerDVD
PrimoPDF
PSP Lexicon PSP 42 v1.2
PSP Video 9 2.25
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
REALTEK RTL8187B Wireless LAN Driver
SAW Pro v1.7
SmartSound Quicktracks Plugin
Sonic Foundry Noise Reduction DX v2.0
Sonic Foundry XFX1 v1.0c
Sonic Foundry XFX2 v1.0c
Sonic Foundry XFX3 v1.0c
Sound Forge v4.5c final (295)
SPBBC 32bit
Star Wars Starfighter
Steinberg Cubase SX v1.0.5.61
Studio 9
Symantec Real Time Storage Protection Component
TC Native Reverb v1.0 (DNV)
TimeWorks Phaser 88 v1.004
TOSHIBA Disc Creator
Video Man v.3.0 Trial
VirtuaGirl HD
Waves 4.0
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
WinRAR archiver
Yahoo! Install Manager
Yahoo! Messenger


Last edited by The Spock of Rock on 25th November 2008, 3:11 am; edited 2 times in total (Reason for editing : Added UNINSTALL LOG)

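Added example, not part of the thread or of HijackThis: a small triage script that applies the checks a helper would run over the log above (a Run entry launching from a Temp directory, an executable whose name mimics a Windows system process, a BHO registered without a friendly name, a random-looking SharedTaskScheduler or Run value name, and a policy entry that disables regedit). The sample lines are a re-typed subset of the posted log; the rules and thresholds are heuristics chosen for this example.

```python
import re

# Constructed excerpt (re-typed subset) of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: C:\WINDOWS\system32\siejf93.dll - {C5AF42A3-94F3-42BD-F434-3604832C897D} - C:\WINDOWS\system32\siejf93.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Jon\LOCALS~1\Temp\csrssc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsne87fidgf.dll
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# A drive-letter path up to the first .exe/.dll (paths in HJT logs may contain spaces).
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.I)
# Heuristic: 10+ chars mixing letters and digits with no spaces (e.g. "Jnskdfmf9eldfd").
GIBBERISH_RE = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{10,}$")
SYSTEM_NAMES = ("csrss", "svchost", "lsass", "winlogon", "smss", "services", "explorer")


def mimics_system_process(path: str) -> bool:
    """True if the file name borrows a system-process name but is not that process in C:\\WINDOWS."""
    stem = path.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
    in_windows = path.lower().startswith("c:\\windows\\")
    return any(stem.startswith(n) and (stem != n or not in_windows) for n in SYSTEM_NAMES)


def triage(log_text: str) -> list:
    """Return (section, reason, detail) findings for suspicious HijackThis entries."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        paths = list(dict.fromkeys(PATH_RE.findall(body)))  # de-duplicated, order kept
        if section == "O7":  # policy restrictions such as DisableRegedit=1
            findings.append((section, "policy restriction set", body))
        if section in ("O2", "O22"):
            name = body.split(": ", 1)[1].split(" - ")[0]
            if section == "O2" and paths and name.lower() == paths[0].lower():
                findings.append((section, "BHO registered without a friendly name", paths[0]))
            if GIBBERISH_RE.match(name):
                findings.append((section, "random-looking entry name", name))
        if section == "O4":
            value = re.search(r"\[(.*?)\]", body)
            if value and GIBBERISH_RE.match(value.group(1)):
                findings.append((section, "random-looking entry name", value.group(1)))
        for p in paths:
            if "\\temp\\" in p.lower():
                findings.append((section, "launches from a Temp directory", p))
            if mimics_system_process(p):
                findings.append((section, "mimics a Windows system process name", p))
    return findings
```

Run against the excerpt, the Symantec entries produce no findings, while the csrssc.exe Run entry, the unnamed BHO, the SharedTaskScheduler entry and the O7 policy line are each flagged.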

Re: Backdoor.Tidserv!inf Please help remove

Post by Belahzur on 25th November 2008, 9:21 am

Hello.
Your log was run from safe mode; if you can get a new HijackThis log in normal mode, please do.
In the meantime, do this.


  • Download ComboFix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.





Malwarebytes fixed it!

Post by The Spock of Rock on 25th November 2008, 6:52 pm

Downloaded Malwarebytes Anti Malware [You must be registered and logged in to see this link.] FREE EDITION from within Safe mode with Networking. It took care of ALL of the problems.

Norton and AntiVir did absolutely nothing.
HijackThis and ComboFix did absolutely nothing.
Couldn't install NOD32 whatsoever.

Thanks anyway.

Malwarebytes is the bomb!


Re: Backdoor.Tidserv!inf Please help remove

Post by Belahzur on 25th November 2008, 6:53 pm

Hello.
Can you post the MBAM log?





Re: Backdoor.Tidserv!inf Please help remove

Post by Doctor Inferno on 5th December 2008, 3:27 am

Due to lack of feedback, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.



