Backdoor.Tidserv!inf Problems.


Solved Backdoor.Tidserv!inf Problems.

Post by Anjohl on Tue Nov 25, 2008 1:10 pm

This thing has been bugging me for a while now. Malwarebytes removes it, or seems to, and then it comes back, even though I had System Restore off when I did my biggest cleaning. I am not sure what you guys need to help me, but anything you can do would be greatly appreciated. In Norton, the log shows that the infected files were two temp files, 165 and 169; I deleted both just today and am doing another scan.


Last edited by Anjohl on Tue Nov 25, 2008 2:48 pm; edited 1 time in total


Solved Re: Backdoor.Tidserv!inf Problems.

Post by Doctor Inferno on Tue Nov 25, 2008 2:26 pm

Hello, welcome to GeekPolice.

Please read [You must be registered and logged in to see this link.] and follow the instructions there. Then post a HijackThis log.

A member of the Tech Staff will be assisting you later on.


Last edited by Doctor Inferno on Wed Nov 26, 2008 2:51 am; edited 1 time in total


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.


Solved Re: Backdoor.Tidserv!inf Problems.

Post by Anjohl on Tue Nov 25, 2008 2:50 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:21 AM, on 11/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Rogers\SelfHealing\RogersSelfHelpService.exe
C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
C:\WINDOWS\System32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Rogers\SelfHealing\shs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\WINDOWS\system32\ZuneWlanCfgSvc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Zune\Zune.exe
C:\Program Files\Common Files\Symantec Shared\SecurityHistory\mcui32.exe
C:\PROGRA~1\Symantec\Norton AntiVirus\navw32.exe
C:\Documents and Settings\Jason\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Rogers SHS] C:\Program Files\Rogers\SelfHealing\shs.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdfct.exe] C:\WINDOWS\system32\kdfct.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-329068152-789336058-682003330-1004\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'John')
O4 - HKUS\S-1-5-21-329068152-789336058-682003330-1004\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 (User 'John')
O4 - HKUS\S-1-5-21-329068152-789336058-682003330-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'John')
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - [You must be registered and logged in to see this link.]
O16 - DPF: {203C12EA-EF5A-4989-BD68-5844A877A9AF} (prjOCFTools.OCFTools) - [You must be registered and logged in to see this link.]
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - [You must be registered and logged in to see this link.]
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {339234B4-4E14-4280-B8B4-8BAE5AF99063} (Chess Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - [You must be registered and logged in to see this link.]
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - [You must be registered and logged in to see this link.]
O16 - DPF: {916C95B3-55DA-43F7-A88F-32D37770306A} (prjOCFTools.OCFTools) - [You must be registered and logged in to see this link.]
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games Hearts) - [You must be registered and logged in to see this link.]
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games Texas Holdem Poker) - [You must be registered and logged in to see this link.]
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - [You must be registered and logged in to see this link.]
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - [You must be registered and logged in to see this link.]
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {E68C89AA-554F-43F3-8D5E-9B36D873081B} (prjOCFTools.OCFTools) - [You must be registered and logged in to see this link.]
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - [You must be registered and logged in to see this link.]
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Rogers SHS Service (RogersSelfHelpService) - Rogers Cable Communications - C:\Program Files\Rogers\SelfHealing\RogersSelfHelpService.exe
O23 - Service: Rogers Update Manager (RogersUpdateManager) - Rogers Cable Communications - C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 13544 bytes


Solved Re: Backdoor.Tidserv!inf Problems.

Post by Belahzur on Tue Nov 25, 2008 5:49 pm

Hello. Execute this.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdfct.exe] C:\WINDOWS\system32\kdfct.exe
    O24 - Desktop Component 0: Privacy Protection - (no file)


  • Press "Fix Checked"
  • Close Hijack This.


Delete this file (in bold):
C:\WINDOWS\system32\kdfct.exe

Since you already have MBAM on your system, we'll start there.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log with a fresh copy of HijackThis log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.
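The two HijackThis lines singled out above have a recognisable shape. As an added example (my own code, not a GeekPolice or HijackThis tool), this Python snippet parses HijackThis-style entry lines, flags those two shapes, and diffs a before/after log to show which flagged entries survived the fix. The sample lines are a constructed subset of the logs posted in this thread, and the flagging heuristics are my own assumptions.

```python
"""Triage helper for HijackThis-style logs (added example, not a GeekPolice
or HijackThis tool): parse the tagged entry lines, flag the two entry shapes
fixed in this thread, and diff a before/after log to confirm which flagged
entries actually went away after "Fix Checked"."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed subset of the two HijackThis logs posted in this thread. The
# ccApp line is a legitimate Symantec entry kept as a control; the other two
# O-lines are the ones Belahzur asked to have fixed.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdfct.exe] C:\WINDOWS\system32\kdfct.exe
O24 - Desktop Component 0: Privacy Protection - (no file)
"""
# The second log in the thread differs from the first only in the kdfct.exe line.
LOG_AFTER = "\n".join(l for l in LOG_BEFORE.splitlines() if "kdfct" not in l)


@dataclass(frozen=True)
class Entry:
    section: str  # HijackThis section tag, e.g. "O4", "O24", "R1"
    body: str     # everything after "O4 - "


SECTION_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Shape of an O4 body: "HKLM\..\Run: [ValueName] command line"
RUN_RE = re.compile(r"^(?P<key>.+?\\Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_log(text: str) -> List[Entry]:
    """Keep only tagged entry lines; process lists, headers and footers are dropped."""
    entries = []
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def suspicious(entry: Entry) -> Optional[str]:
    """Return a reason if the entry matches one of the shapes fixed in this thread.

    These heuristics are my own reading of those two lines, not HijackThis logic.
    """
    if entry.section == "O4":
        m = RUN_RE.match(entry.body)
        # A Run value whose *name* is a full path (here C:\WINDOWS\system32\kdfct.exe)
        # is typical of self-registering droppers; installers use a product name.
        if m and re.match(r"^[A-Za-z]:\\", m.group("name")):
            return "Run value named after its own executable path"
    if entry.section == "O24" and entry.body.endswith("(no file)"):
        # Desktop component whose file is gone but whose registry reference remains.
        return "desktop component pointing at a missing file"
    return None


def flag(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Pair every suspicious entry with the reason it was flagged."""
    flagged = []
    for entry in entries:
        reason = suspicious(entry)
        if reason:
            flagged.append((entry, reason))
    return flagged


def triage(before_text: str, after_text: str) -> dict:
    """Compare the log posted before the fix with the one posted after it.

    Returns {"fixed": [...], "remaining": [...]} of (section, reason) pairs so the
    helper can see at a glance which flagged entries survived the cleanup.
    """
    after = set(parse_log(after_text))
    report = {"fixed": [], "remaining": []}
    for entry, reason in flag(parse_log(before_text)):
        bucket = "remaining" if entry in after else "fixed"
        report[bucket].append((entry.section, reason))
    return report


if __name__ == "__main__":
    for bucket, items in triage(LOG_BEFORE, LOG_AFTER).items():
        for section, reason in items:
            print(f"{bucket:9} {section:4} {reason}")
```

Run against the two logs in this thread the report lists the O4 kdfct.exe entry as fixed and the O24 entry as remaining, which is exactly what the next reply observes.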



Solved Re: Backdoor.Tidserv!inf Problems.

Post by Anjohl on Tue Nov 25, 2008 7:10 pm

Malwarebytes' Anti-Malware 1.30
Database version: 1423
Windows 5.1.2600 Service Pack 3

11/25/2008 3:41:19 PM
mbam-log-2008-11-25 (15-41-19).txt

Scan type: Quick Scan
Objects scanned: 66036
Time elapsed: 5 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


--------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:54 PM, on 11/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Rogers\SelfHealing\RogersSelfHelpService.exe
C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
C:\WINDOWS\System32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Rogers\SelfHealing\shs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\WINDOWS\system32\ZuneWlanCfgSvc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Zune\Zune.exe
C:\Program Files\Steam\Steam.exe
c:\program files\steam\steamapps\anjohl\the ship single player\ship.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jason\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Rogers SHS] C:\Program Files\Rogers\SelfHealing\shs.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-329068152-789336058-682003330-1004\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'John')
O4 - HKUS\S-1-5-21-329068152-789336058-682003330-1004\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 (User 'John')
O4 - HKUS\S-1-5-21-329068152-789336058-682003330-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'John')
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - [You must be registered and logged in to see this link.]
O16 - DPF: {203C12EA-EF5A-4989-BD68-5844A877A9AF} (prjOCFTools.OCFTools) - [You must be registered and logged in to see this link.]
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - [You must be registered and logged in to see this link.]
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {339234B4-4E14-4280-B8B4-8BAE5AF99063} (Chess Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - [You must be registered and logged in to see this link.]
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - [You must be registered and logged in to see this link.]
O16 - DPF: {916C95B3-55DA-43F7-A88F-32D37770306A} (prjOCFTools.OCFTools) - [You must be registered and logged in to see this link.]
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games Hearts) - [You must be registered and logged in to see this link.]
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games Texas Holdem Poker) - [You must be registered and logged in to see this link.]
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - [You must be registered and logged in to see this link.]
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - [You must be registered and logged in to see this link.]
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {E68C89AA-554F-43F3-8D5E-9B36D873081B} (prjOCFTools.OCFTools) - [You must be registered and logged in to see this link.]
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - [You must be registered and logged in to see this link.]
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Rogers SHS Service (RogersSelfHelpService) - Rogers Cable Communications - C:\Program Files\Rogers\SelfHealing\RogersSelfHelpService.exe
O23 - Service: Rogers Update Manager (RogersUpdateManager) - Rogers Cable Communications - C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 13511 bytes


Solved Re: Backdoor.Tidserv!inf Problems.

Post by Belahzur on Tue Nov 25, 2008 7:27 pm

I see the DNS hijacker went away, but the Privacy Protection O24 item didn't.


  • Download ComboFix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts.
    NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt that asks if you want to continue the malware scan; select Yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34916 | Joined: 2008-08-03 | Gender: Male | OS: XP SP3 Media Centre | Points: 245059 | Likes: 1

Solved Re: Backdoor.Tidserv!inf Problems.

Post by Anjohl on Tue Nov 25, 2008 8:36 pm

ComboFix 08-11-26.01 - Jason 2008-11-25 17:03:11.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.534 [GMT -3.5:30]
Running from: c:\documents and settings\Jason\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Jason\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\Jason\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\documents and settings\NetworkService\Application Data\twain_32
c:\documents and settings\NetworkService\Application Data\twain_32\user.ds
c:\windows\Downloaded Program Files\Quarantine
c:\windows\IE4 Error Log.txt

.
((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.

2008-11-25 15:22 . 2008-11-25 15:24 d-------- C:\Hellgate London Demo Setup
2008-11-19 12:43 . 2008-11-19 12:43 d-------- c:\program files\CDisplay
2008-11-19 09:34 . 2008-11-25 15:31 d-------- c:\windows\LastGood
2008-11-18 00:30 . 2008-11-18 00:37 d-------- c:\program files\Soulseek
2008-11-13 01:38 . 2008-11-13 01:38 d-------- c:\documents and settings\All Users\Application Data\CCP
2008-11-12 05:13 . 2008-09-04 13:45 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 05:13 . 2008-10-24 07:51 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 23:29 . 2008-11-11 23:29 d-------- c:\windows\WinRAR
2008-11-11 23:27 . 2008-11-12 02:22 d-------- c:\program files\a-squared Free
2008-11-11 23:11 . 2008-11-11 23:11 0 --a------ c:\windows\ativpsrm.bin
2008-11-11 23:08 . 2008-11-11 23:08 27,904 --a------ c:\windows\system32\drivers\ndisprot.sys
2008-11-11 23:01 . 2008-11-11 23:18 d-------- c:\program files\Uniblue
2008-11-11 22:52 . 2008-11-11 23:18 d-------- c:\documents and settings\All Users\Application Data\DriverScanner
2008-11-11 22:47 . 2008-11-11 22:49 1,631 --a------ c:\windows\ATICIM.INI
2008-11-11 22:39 . 2008-11-11 22:39 d-------- c:\documents and settings\Jason\Application Data\ATI
2008-11-11 22:36 . 2008-11-11 22:36 d-------- C:\ATI
2008-11-10 12:23 . 2008-11-10 12:23 243,840 --a------ c:\windows\system32\ZuneWlanCfgSvc.exe
2008-11-10 12:23 . 2008-11-10 12:23 60,032 --a------ c:\windows\system32\ZuneBusEnum.exe
2008-11-03 19:32 . 2008-11-03 19:32 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-03 19:32 . 2008-11-03 19:32 d-------- c:\documents and settings\Jason\Application Data\Malwarebytes
2008-11-03 19:32 . 2008-11-03 19:32 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-03 19:32 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-03 19:32 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-03 00:19 . 2008-11-03 00:19 d-------- c:\documents and settings\Administrator\Application Data\Lavasoft
2008-11-02 23:20 . 2008-11-02 23:20 d-------- c:\documents and settings\Administrator\Application Data\Yahoo!
2008-11-02 23:16 . 2008-02-17 22:31 d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2008-11-02 23:16 . 2008-11-02 23:16 d-------- c:\documents and settings\Administrator
2008-11-01 01:24 . 2007-10-12 14:14 3,734,536 --a------ c:\windows\system32\d3dx9_36.dll
2008-11-01 01:24 . 2007-10-12 14:14 1,374,232 --a------ c:\windows\system32\D3DCompiler_36.dll
2008-11-01 01:24 . 2007-07-19 17:14 1,358,192 --a------ c:\windows\system32\D3DCompiler_35.dll
2008-11-01 01:24 . 2007-10-02 08:56 444,776 --a------ c:\windows\system32\d3dx10_36.dll
2008-11-01 01:24 . 2007-07-19 17:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
2008-11-01 01:24 . 2007-10-22 02:39 267,272 --a------ c:\windows\system32\xactengine2_10.dll
2008-11-01 01:24 . 2007-07-19 23:57 267,112 --a------ c:\windows\system32\xactengine2_9.dll
2008-10-30 20:42 . 2008-10-30 20:42 d-------- c:\documents and settings\Mary\Application Data\Ahead
2008-10-30 20:41 . 2008-10-30 20:41 664 --a------ c:\windows\system32\d3d9caps.dat
2008-10-27 20:22 . 2008-10-27 20:23 d-------- c:\program files\Juice

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 20:35 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-26 20:35 --------- d-----w c:\documents and settings\Jason\Application Data\uTorrent
2008-11-25 17:53 --------- d-----w c:\program files\Steam
2008-11-19 10:46 --------- d-----w c:\program files\Zune
2008-11-13 05:40 --------- d-----w c:\documents and settings\Jason\Application Data\GetRightToGo
2008-11-12 04:09 --------- d-----w c:\documents and settings\Jason\Application Data\LimeWire
2008-11-12 04:08 --------- d-----w c:\documents and settings\Jason\Application Data\Apple Computer
2008-11-12 02:51 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-12 02:21 --------- d-----w c:\program files\ATI Technologies
2008-11-12 02:15 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-11 19:17 --------- d-----w c:\program files\Common Files\Adobe
2008-11-10 15:39 73,728 ----a-w c:\windows\system32\ZuneUsbTransport.dll
2008-11-10 15:39 70,656 ----a-w c:\windows\system32\ZuneIPTransport.dll
2008-11-10 15:39 57,344 ----a-w c:\windows\system32\ZuneRegUtil.dll
2008-11-10 15:39 310,272 ----a-w c:\windows\system32\ZuneNetProxy.dll
2008-11-10 15:39 18,944 ----a-w c:\windows\system32\ZuneTcp2Udp.dll
2008-11-10 15:39 145,920 ----a-w c:\windows\system32\ZuneMTPZ.dll
2008-11-10 15:39 12,800 ----a-w c:\windows\system32\ZunePTDNS.dll
2008-11-02 04:28 --------- d-----w c:\program files\Rogers
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 21:38 --------- d-----w c:\program files\SystemRequirementsLab
2008-10-20 13:55 --------- d-----w c:\documents and settings\John\Application Data\Uniblue
2008-10-16 17:43 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 17:43 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 17:42 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 17:42 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 17:39 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 17:39 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 17:36 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 17:36 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-10 20:01 --------- d-----w c:\documents and settings\Ryan\Application Data\Yahoo!
2008-10-09 02:12 --------- d-----w c:\program files\uTorrent
2008-10-05 05:06 0 ---ha-w c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2008-10-05 05:06 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2008-10-05 05:05 0 ---ha-w c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2008-10-05 04:35 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-10-05 04:35 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-10-03 18:04 625,032 ----a-w c:\windows\system32\SymNeti.dll
2008-10-03 18:04 242,056 ----a-w c:\windows\system32\SymRedir.dll
2008-10-03 17:44 39,984 ----a-w c:\windows\system32\drivers\symids.sys
2008-10-03 17:44 37,936 ----a-w c:\windows\system32\drivers\symndisv.sys
2008-10-03 17:44 35,120 ----a-w c:\windows\system32\drivers\symndis.sys
2008-10-03 17:44 27,696 ----a-w c:\windows\system32\drivers\symredrv.sys
2008-10-03 17:44 187,952 ----a-w c:\windows\system32\drivers\symtdi.sys
2008-10-03 17:44 146,096 ----a-w c:\windows\system32\drivers\symfw.sys
2008-10-03 17:44 12,848 ----a-w c:\windows\system32\drivers\symdns.sys
2008-10-03 17:44 10,804 ----a-w c:\windows\system32\drivers\SymRedir.cat
2008-10-03 17:44 1,358 ----a-w c:\windows\system32\drivers\SymRedir.inf
2008-09-30 20:13 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-29 00:20 --------- d-----w c:\program files\Messenger Plus! Live
2008-09-29 00:20 --------- d-----w c:\documents and settings\All Users\Application Data\Messenger Plus!
2008-09-27 18:56 --------- d-----w c:\program files\Split Join Convert Video
2008-09-24 02:18 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
2008-09-24 02:17 311,296 ----a-w c:\windows\system32\ati2dvag.dll
2008-09-24 02:09 10,772,480 ----a-w c:\windows\system32\atioglxx.dll
2008-09-24 02:07 188,416 ----a-w c:\windows\system32\atipdlxx.dll
2008-09-24 02:06 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2008-09-24 02:06 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2008-09-24 02:06 143,360 ----a-w c:\windows\system32\Oemdspif.dll
2008-09-24 02:06 143,360 ----a-w c:\windows\system32\ati2evxx.dll
2008-09-24 02:04 581,632 ----a-w c:\windows\system32\ati2evxx.exe
2008-09-24 02:03 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2008-09-24 01:56 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2008-09-24 01:54 4,008,864 ----a-w c:\windows\system32\ati3duag.dll
2008-09-24 01:38 2,399,744 ----a-w c:\windows\system32\ativvaxx.dll
2008-09-24 01:24 48,640 ----a-w c:\windows\system32\amdpcom32.dll
2008-09-24 01:20 380,928 ----a-w c:\windows\system32\atikvmag.dll
2008-09-24 01:19 39,424 ----a-w c:\windows\system32\atiadlxx.dll
2008-09-24 01:18 253,952 ----a-w c:\windows\system32\atiok3x2.dll
2008-09-24 01:18 17,408 ----a-w c:\windows\system32\atitvo32.dll
2008-09-24 01:12 573,440 ----a-w c:\windows\system32\ati2cqag.dll
2008-09-24 00:35 593,920 ------w c:\windows\system32\ati2sgag.exe
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-27 18:49 581,192 ----a-w c:\windows\system32\WinUSBCoInstaller.dll
2008-08-27 18:49 1,302,600 ----a-w c:\windows\system32\WUDFUpdate_01007.dll
2008-08-27 18:48 1,112,288 ----a-w c:\windows\system32\WdfCoInstaller01007.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-05-06 11:59 30,142 -c--a-w c:\documents and settings\John\Application Data\wklnhst.dat
2008-03-04 02:32 424 ----a-w c:\documents and settings\Mary\Application Data\wklnhst.dat
2007-10-16 22:31 59,600 ----a-w c:\documents and settings\Mary\Application Data\GDIPFONTCACHEV1.DAT
2006-12-21 01:12 544 -c--a-w c:\documents and settings\Ryan\Application Data\wklnhst.dat
2006-07-06 03:45 889 -csha-w c:\windows\system32\mmf(2)(2)(2).sys
2006-07-06 00:58 889 -csha-w c:\windows\system32\mmf(2)(2)(3).sys
2006-07-06 00:58 889 -csha-w c:\windows\system32\mmf(2)(2)(4).sys
2006-07-05 03:05 889 -csha-w c:\windows\system32\mmf(2)(2).sys
2006-07-06 03:54 889 -csha-w c:\windows\system32\mmf(2)(3)(2).sys
2006-06-24 21:40 889 -csha-w c:\windows\system32\mmf(2)(3).sys
2006-07-05 03:00 889 -csha-w c:\windows\system32\mmf(2)(4).sys
2006-07-05 03:00 889 -csha-w c:\windows\system32\mmf(2)(5).sys
2006-07-06 03:54 889 -csha-w c:\windows\system32\mmf(2)(6).sys
2007-01-22 20:13 889 -csha-w c:\windows\system32\mmf(2)(7).sys
2006-07-05 03:00 889 -csha-w c:\windows\system32\mmf(3)(2).sys
2006-07-06 01:04 889 -csha-w c:\windows\system32\mmf(3)(3).sys
2006-07-06 10:55 889 -csha-w c:\windows\system32\mmf(3)(4).sys
2006-07-06 01:04 889 -csha-w c:\windows\system32\mmf(4)(2).sys


Solved Re: Backdoor.Tidserv!inf Problems.

Post by Anjohl on Tue Nov 25, 2008 8:36 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-14 1957888]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-03-29 290816]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 335872]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2007-10-26 509224]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"osCheck"="c:\progra~1\Symantec\osCheck.exe" [2007-01-14 771704]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"Rogers SHS"="c:\program files\Rogers\SelfHealing\shs.exe" [2008-05-16 2733416]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2008-10-22 399504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AsioReg"="CTASIO.DLL" [2003-02-20 c:\windows\system32\CTASIO.DLL]
"CTHelper"="CTHELPER.EXE" [2003-02-20 c:\windows\system32\CTHELPER.EXE]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16881:TCP"= 16881:TCP:BitTorrent
"16881:UDP"= 16881:UDP:Torrent
"80:TCP"= 80:TCP:MSN games port
"1863:TCP"= 1863:TCP:MSN Port 2

R2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2005-10-10 2560]
R2 MBAMService;MBAMService;"c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe" [2008-11-03 170640]
R2 RogersSelfHelpService;Rogers SHS Service;c:\program files\Rogers\SelfHealing\RogersSelfHelpService.exe [2008-05-16 140648]
R2 RogersUpdateManager;Rogers Update Manager;c:\program files\Rogers\Update Manager\RogersUpdateManager.exe [2008-04-22 163840]
R2 zumbus;Zune Bus Enumerator Driver;c:\windows\system32\DRIVERS\zumbus.sys [2008-09-12 40832]
R3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys [2008-11-03 15504]
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys [2008-11-11 27904]

*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-25 c:\windows\Tasks\Malwarebytes' Scheduled Update for Jason.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2008-10-22 16:10]

2008-11-25 c:\windows\Tasks\Norton Security Online - Run Full System Scan - Jason.job
- c:\progra~1\Symantec\Norton AntiVirus\Navw32.exe [2007-01-14 05:39]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF}
IE: {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - -

c:\windows\system32\usbaptest.dll - O16 -: {040F4385-8DAD-4306-94BF-B8291D841FAE}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\usbaptest.inf

c:\windows\Downloaded Program Files\sysreqlab3.dll - c:\windows\Downloaded Program Files\sysreqlab_srl.dll
O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\sysreqlab.osd

c:\windows\system32\capicom.dll - c:\windows\system32\msvbvm60.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\olepro32.dll
c:\windows\system32\asycfilt.dll
c:\windows\system32\stdole2.tlb
c:\windows\system32\comcat.dll
c:\windows\Downloaded Program Files\prjOCFTools.ocx
O16 -: {916C95B3-55DA-43F7-A88F-32D37770306A}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\prjOCFTools.INF

c:\windows\system32\capicom.dll - c:\windows\system32\MSINET.OCX
c:\windows\system32\msvbvm60.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\olepro32.dll
c:\windows\system32\asycfilt.dll
c:\windows\system32\stdole2.tlb
c:\windows\system32\comcat.dll
c:\windows\Downloaded Program Files\CONFLICT.2\prjOCFTools.ocx
O16 -: {E68C89AA-554F-43F3-8D5E-9B36D873081B}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\CONFLICT.2\prjOCFTools.INF
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-11-26 17:05:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-11-26 17:06:39
ComboFix-quarantined-files.txt 2008-11-26 20:36:36

Pre-Run: 120,865,566,720 bytes free
Post-Run: 121,224,257,536 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

286 --- E O F --- 2008-11-12 23:24:02


Solved Re: Backdoor.Tidserv!inf Problems.

Post by Belahzur on Tue Nov 25, 2008 8:50 pm

Nearly there, this CFScript should do it.

Now open a new notepad file.
Input this into the notepad file:

Driver::
Ndisprot

File::
c:\windows\system32\drivers\ndisprot.sys
c:\windows\ativpsrm.bin

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001

Save this as CFScript.txt; save it to your desktop also.
Then drag and drop CFScript.txt into ComboFix.

This will open ComboFix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.




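The Registry:: section of that CFScript resets the three values the first ComboFix log showed in a tampered state: Security Center's AntiVirusDisableNotify and UpdatesDisableNotify set to 1, and the XP firewall's EnableFirewall set to 0. The DisableMonitoring=1 values under security center\Monitoring were left alone, and rightly so: a third-party suite (Symantec here) sets those when it takes over Security Center monitoring, so they are not evidence of tampering by themselves. As an added example, not from the thread and not part of ComboFix, here is a small Python triage script that reads the "Reg Loading Points" section of a ComboFix log, flags those values, lists globally open firewall ports for manual review, and renders the same Registry:: block. The sample input is constructed from the lines in Anjohl's first log; the FirewallDisableNotify check is an assumption added for completeness, since that value does not appear in this log.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; it is not part of ComboFix or of the
original posts. It parses the REGEDIT4-style dump ComboFix prints, flags
values that weaken the host's defences, lists globally open firewall ports
for review, and renders the Registry:: block a CFScript needs to reset the
flagged values.
"""
import re

# (key exactly as ComboFix prints it, value name, value seen when tampered,
#  value to restore). 'HKLM\~\services\...' is ComboFix's abbreviation of
# HKLM\SYSTEM\CurrentControlSet\Services\..., and CFScript accepts it as-is.
# FirewallDisableNotify is a sibling of the two notify values in the log; it
# is included on the assumption that a tampering tool would flip it too.
TAMPER_CHECKS = [
    (r"HKEY_LOCAL_MACHINE\software\microsoft\security center", "AntiVirusDisableNotify", 1, 0),
    (r"HKEY_LOCAL_MACHINE\software\microsoft\security center", "UpdatesDisableNotify", 1, 0),
    (r"HKEY_LOCAL_MACHINE\software\microsoft\security center", "FirewallDisableNotify", 1, 0),
    (r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile", "EnableFirewall", 0, 1),
]
# Deliberately NOT checked: security center\Monitoring\...\DisableMonitoring=1.
# A third-party suite (Symantec in this log) sets those when it registers as
# the Security Center provider, so they are not tampering evidence on their own.

OPEN_PORTS_KEY = (r"HKLM\~\services\sharedaccess\parameters\firewallpolicy"
                  r"\standardprofile\GloballyOpenPorts\List")

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+?)\s*$')


def decode_value(raw):
    """Turn 'dword:00000001' or ComboFix's '0 (0x0)' form into an int; keep other data as text."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    return raw


def parse_reg_dump(text):
    """Return {key.lower(): {name.lower(): value}} for every [key] section in the dump.

    Lines that are neither a section header nor a "name"=data pair (blank
    lines, the R2/R3 service lines, '*Note*' text) are ignored.
    """
    sections = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1).lower()] = decode_value(m.group(2))
    return sections


def audit(sections):
    """Return (key, name, observed, restore) for each value found in its tampered state."""
    findings = []
    for key, name, bad, good in TAMPER_CHECKS:
        observed = sections.get(key.lower(), {}).get(name.lower())
        if observed == bad:
            findings.append((key, name, observed, good))
    return findings


def open_ports(sections):
    """Return the globally open port entries (e.g. '80:tcp') for manual review."""
    return sorted(sections.get(OPEN_PORTS_KEY.lower(), {}))


def cfscript_registry_block(findings):
    """Render the Registry:: section of a CFScript that restores each flagged value."""
    if not findings:
        return ""
    lines = ["Registry::"]
    last_key = None
    for key, name, _observed, restore in findings:
        if key != last_key:          # one [key] header per run of values under it
            lines.append(f"[{key}]")
            last_key = key
        lines.append(f'"{name}"=dword:{restore:08x}')
    return "\n".join(lines) + "\n"


# Constructed sample: the relevant lines from the first ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16881:TCP"= 16881:TCP:BitTorrent
"80:TCP"= 80:TCP:MSN games port
"""

if __name__ == "__main__":
    parsed = parse_reg_dump(SAMPLE_LOG)
    for key, name, observed, restore in audit(parsed):
        print(f"TAMPERED  [{key}] {name}={observed} (restore {restore})")
    for entry in open_ports(parsed):
        print(f"REVIEW    globally open port {entry}")
    print(cfscript_registry_block(audit(parsed)), end="")
```

Run against the sample, the Registry:: block it prints is line-for-line the one in the CFScript above. The open-port list is reported rather than auto-fixed on purpose: 16881/TCP is uTorrent's own listener, while a global 80/TCP exception labelled "MSN games port" is the kind of entry worth asking the user about before touching it.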

Solved Re: Backdoor.Tidserv!inf Problems.

Post by Anjohl on Tue Nov 25, 2008 10:24 pm

ComboFix 08-11-26.01 - Jason 2008-11-26 18:46:34.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.535 [GMT -3.5:30]
Running from: c:\documents and settings\Jason\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jason\Desktop\CFscript.txt
* Created a new restore point

FILE ::
c:\windows\ativpsrm.bin
c:\windows\system32\drivers\ndisprot.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\ativpsrm.bin
c:\windows\system32\drivers\ndisprot.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NDISPROT
-------\Service_Ndisprot


((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.

2008-11-25 15:22 . 2008-11-25 15:24 d-------- C:\Hellgate London Demo Setup
2008-11-19 12:43 . 2008-11-19 12:43 d-------- c:\program files\CDisplay
2008-11-18 00:30 . 2008-11-18 00:37 d-------- c:\program files\Soulseek
2008-11-13 01:38 . 2008-11-13 01:38 d-------- c:\documents and settings\All Users\Application Data\CCP
2008-11-12 05:13 . 2008-09-04 13:45 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 05:13 . 2008-10-24 07:51 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 23:29 . 2008-11-11 23:29 d-------- c:\windows\WinRAR
2008-11-11 23:27 . 2008-11-12 02:22 d-------- c:\program files\a-squared Free
2008-11-11 23:01 . 2008-11-11 23:18 d-------- c:\program files\Uniblue
2008-11-11 22:52 . 2008-11-11 23:18 d-------- c:\documents and settings\All Users\Application Data\DriverScanner
2008-11-11 22:47 . 2008-11-11 22:49 1,631 --a------ c:\windows\ATICIM.INI
2008-11-11 22:39 . 2008-11-11 22:39 d-------- c:\documents and settings\Jason\Application Data\ATI
2008-11-11 22:36 . 2008-11-11 22:36 d-------- C:\ATI
2008-11-10 12:23 . 2008-11-10 12:23 243,840 --a------ c:\windows\system32\ZuneWlanCfgSvc.exe
2008-11-10 12:23 . 2008-11-10 12:23 60,032 --a------ c:\windows\system32\ZuneBusEnum.exe
2008-11-03 19:32 . 2008-11-03 19:32 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-03 19:32 . 2008-11-03 19:32 d-------- c:\documents and settings\Jason\Application Data\Malwarebytes
2008-11-03 19:32 . 2008-11-03 19:32 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-03 19:32 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-03 19:32 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-03 00:19 . 2008-11-03 00:19 d-------- c:\documents and settings\Administrator\Application Data\Lavasoft
2008-11-02 23:20 . 2008-11-02 23:20 d-------- c:\documents and settings\Administrator\Application Data\Yahoo!
2008-11-02 23:16 . 2008-02-17 22:31 d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2008-11-02 23:16 . 2008-11-02 23:16 d-------- c:\documents and settings\Administrator
2008-11-01 01:24 . 2007-10-12 14:14 3,734,536 --a------ c:\windows\system32\d3dx9_36.dll
2008-11-01 01:24 . 2007-10-12 14:14 1,374,232 --a------ c:\windows\system32\D3DCompiler_36.dll
2008-11-01 01:24 . 2007-07-19 17:14 1,358,192 --a------ c:\windows\system32\D3DCompiler_35.dll
2008-11-01 01:24 . 2007-10-02 08:56 444,776 --a------ c:\windows\system32\d3dx10_36.dll
2008-11-01 01:24 . 2007-07-19 17:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
2008-11-01 01:24 . 2007-10-22 02:39 267,272 --a------ c:\windows\system32\xactengine2_10.dll
2008-11-01 01:24 . 2007-07-19 23:57 267,112 --a------ c:\windows\system32\xactengine2_9.dll
2008-10-30 20:42 . 2008-10-30 20:42 d-------- c:\documents and settings\Mary\Application Data\Ahead
2008-10-30 20:41 . 2008-10-30 20:41 664 --a------ c:\windows\system32\d3d9caps.dat
2008-10-27 20:22 . 2008-10-27 20:23 d-------- c:\program files\Juice

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 22:19 --------- d-----w c:\documents and settings\Jason\Application Data\uTorrent
2008-11-26 21:19 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-25 17:53 --------- d-----w c:\program files\Steam
2008-11-19 10:46 --------- d-----w c:\program files\Zune
2008-11-13 05:40 --------- d-----w c:\documents and settings\Jason\Application Data\GetRightToGo
2008-11-12 04:09 --------- d-----w c:\documents and settings\Jason\Application Data\LimeWire
2008-11-12 04:08 --------- d-----w c:\documents and settings\Jason\Application Data\Apple Computer
2008-11-12 02:51 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-12 02:21 --------- d-----w c:\program files\ATI Technologies
2008-11-12 02:15 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-11 19:17 --------- d-----w c:\program files\Common Files\Adobe
2008-11-02 04:28 --------- d-----w c:\program files\Rogers
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 21:38 --------- d-----w c:\program files\SystemRequirementsLab
2008-10-20 13:55 --------- d-----w c:\documents and settings\John\Application Data\Uniblue
2008-10-10 20:01 --------- d-----w c:\documents and settings\Ryan\Application Data\Yahoo!
2008-10-09 02:12 --------- d-----w c:\program files\uTorrent
2008-10-05 05:06 0 ---ha-w c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2008-10-05 05:06 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2008-10-05 05:05 0 ---ha-w c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2008-10-05 04:35 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-10-05 04:35 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-10-03 17:44 39,984 ----a-w c:\windows\system32\drivers\symids.sys
2008-10-03 17:44 37,936 ----a-w c:\windows\system32\drivers\symndisv.sys
2008-10-03 17:44 35,120 ----a-w c:\windows\system32\drivers\symndis.sys
2008-10-03 17:44 27,696 ----a-w c:\windows\system32\drivers\symredrv.sys
2008-10-03 17:44 187,952 ----a-w c:\windows\system32\drivers\symtdi.sys
2008-10-03 17:44 146,096 ----a-w c:\windows\system32\drivers\symfw.sys
2008-10-03 17:44 12,848 ----a-w c:\windows\system32\drivers\symdns.sys
2008-10-03 17:44 10,804 ----a-w c:\windows\system32\drivers\SymRedir.cat
2008-10-03 17:44 1,358 ----a-w c:\windows\system32\drivers\SymRedir.inf
2008-09-29 00:20 --------- d-----w c:\program files\Messenger Plus! Live
2008-09-29 00:20 --------- d-----w c:\documents and settings\All Users\Application Data\Messenger Plus!
2008-09-27 18:56 --------- d-----w c:\program files\Split Join Convert Video
2008-05-06 11:59 30,142 -c--a-w c:\documents and settings\John\Application Data\wklnhst.dat
2008-03-04 02:32 424 ----a-w c:\documents and settings\Mary\Application Data\wklnhst.dat
2007-10-16 22:31 59,600 ----a-w c:\documents and settings\Mary\Application Data\GDIPFONTCACHEV1.DAT
2006-12-21 01:12 544 -c--a-w c:\documents and settings\Ryan\Application Data\wklnhst.dat
2006-07-06 03:45 889 -csha-w c:\windows\system32\mmf(2)(2)(2).sys
2006-07-06 00:58 889 -csha-w c:\windows\system32\mmf(2)(2)(3).sys
2006-07-06 00:58 889 -csha-w c:\windows\system32\mmf(2)(2)(4).sys
2006-07-05 03:05 889 -csha-w c:\windows\system32\mmf(2)(2).sys
2006-07-06 03:54 889 -csha-w c:\windows\system32\mmf(2)(3)(2).sys
2006-06-24 21:40 889 -csha-w c:\windows\system32\mmf(2)(3).sys
2006-07-05 03:00 889 -csha-w c:\windows\system32\mmf(2)(4).sys
2006-07-05 03:00 889 -csha-w c:\windows\system32\mmf(2)(5).sys
2006-07-06 03:54 889 -csha-w c:\windows\system32\mmf(2)(6).sys
2007-01-22 20:13 889 -csha-w c:\windows\system32\mmf(2)(7).sys
2006-07-05 03:00 889 -csha-w c:\windows\system32\mmf(3)(2).sys
2006-07-06 01:04 889 -csha-w c:\windows\system32\mmf(3)(3).sys
2006-07-06 10:55 889 -csha-w c:\windows\system32\mmf(3)(4).sys
2006-07-06 01:04 889 -csha-w c:\windows\system32\mmf(4)(2).sys
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 23:32:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-07-19 00:40:20 36,552 -c--a-w c:\windows\system32\dllcache\wups.dll
+ 2008-10-16 17:38:58 34,328 -c--a-w c:\windows\system32\dllcache\wups.dll
- 2008-07-19 00:40:20 36,552 ----a-w c:\windows\system32\wups.dll
+ 2008-10-16 17:38:58 34,328 ----a-w c:\windows\system32\wups.dll
- 2008-07-19 00:40:40 45,768 ----a-w c:\windows\system32\wups2.dll
+ 2008-10-16 17:39:44 43,544 ----a-w c:\windows\system32\wups2.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-14 1957888]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-03-29 290816]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 335872]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2007-10-26 509224]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"osCheck"="c:\progra~1\Symantec\osCheck.exe" [2007-01-14 771704]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"Rogers SHS"="c:\program files\Rogers\SelfHealing\shs.exe" [2008-05-16 2733416]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2008-10-22 399504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AsioReg"="CTASIO.DLL" [2003-02-20 c:\windows\system32\CTASIO.DLL]
"CTHelper"="CTHELPER.EXE" [2003-02-20 c:\windows\system32\CTHELPER.EXE]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16881:TCP"= 16881:TCP:BitTorrent
"16881:UDP"= 16881:UDP:Torrent
"80:TCP"= 80:TCP:MSN games port
"1863:TCP"= 1863:TCP:MSN Port 2

R2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2005-10-10 2560]
R2 MBAMService;MBAMService;"c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe" [2008-11-03 170640]
R2 RogersSelfHelpService;Rogers SHS Service;c:\program files\Rogers\SelfHealing\RogersSelfHelpService.exe [2008-05-16 140648]
R2 RogersUpdateManager;Rogers Update Manager;c:\program files\Rogers\Update Manager\RogersUpdateManager.exe [2008-04-22 163840]
R2 zumbus;Zune Bus Enumerator Driver;c:\windows\system32\DRIVERS\zumbus.sys [2008-09-12 40832]
R3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys [2008-11-03 15504]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-11-25 c:\windows\Tasks\Malwarebytes' Scheduled Update for Jason.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2008-10-22 16:10]

2008-11-25 c:\windows\Tasks\Norton Security Online - Run Full System Scan - Jason.job
- c:\progra~1\Symantec\Norton AntiVirus\Navw32.exe [2007-01-14 05:39]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-11-26 18:52:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Dell Photo AIO Printer 922\dlbtbmon.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\progra~1\Yahoo!\YOP\SSDK02.exe
.
**************************************************************************
.
Completion time: 2008-11-26 18:55:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-26 22:25:46
ComboFix2.txt 2008-11-26 20:36:41

Pre-Run: 121,218,052,096 bytes free
Post-Run: 121,133,318,144 bytes free

215 --- E O F --- 2008-11-12 23:24:02

Solved Re: Backdoor.Tidserv!inf Problems.

Post by Belahzur on Tue Nov 25, 2008 10:30 pm

How is everything now?
Log looks clean.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.

Solved Re: Backdoor.Tidserv!inf Problems.

Post by Anjohl on Tue Nov 25, 2008 11:50 pm

Looks good! First off, regardless if any of this worked, thanks a lot, this site is a real godsend.

I do have a few questions though, what are those two programs, hijackthis and combofix actually doing? It seems strange for two free programs to be able to get rid of something that has been PLAGUING me for almost 2 months now!

Solved Re: Backdoor.Tidserv!inf Problems.

Post by Belahzur on Tue Nov 25, 2008 11:52 pm

Hijack This is basically our eyes to see the infection, then we use combofix to take it out. But combofix is extremely powerful and should only be used with supervision.

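
Belahzur's point is that the log is read by eye: HijackThis and ComboFix list what loads, and the helper decides what does not belong. The script below is an added example (not the forum's, HijackThis's or ComboFix's own code) that does the first pass of that reading over the "Reg Loading Points" section of the ComboFix output quoted earlier in this thread. It parses the REGEDIT4-style listing and collects four things a reviewer would check: Run entries whose image lives in a temp or profile folder or outside Windows and Program Files, the Security Center `DisableMonitoring` values, the firewall's authorized-application list, and the globally open ports. The sample keys and values are copied from the log above, except the `ExampleLoader` line and its `c:\docume~1\user\...` path, which are constructed to show what a temp-folder autostart looks like; the directory heuristics in `SUSPICIOUS_DIRS` and `TRUSTED_ROOTS` are this example's own assumptions, not a rule from either tool.

```python
import re

# Constructed sample: the keys and values below are copied from the ComboFix
# "Reg Loading Points" section quoted in this thread, except "ExampleLoader",
# a constructed entry (not from the thread's log) standing in for an autostart
# that points at a file in a temp folder.
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-14 1957888]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"ExampleLoader"="c:\docume~1\user\locals~1\temp\example.tmp" [2008-11-20 12288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"AsioReg"="CTASIO.DLL" [2003-02-20 c:\windows\system32\CTASIO.DLL]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16881:TCP"= 16881:TCP:BitTorrent
"80:TCP"= 80:TCP:MSN games port
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')

# Assumed heuristics: autostarts in temp or profile folders, or outside
# Windows and Program Files, are the ones to check first.
SUSPICIOUS_DIRS = ('\\temp\\', '\\tmp\\', '\\locals~1\\', '\\local settings\\',
                   '\\application data\\', '\\docume~1\\', '\\documents and settings\\')
TRUSTED_ROOTS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\progra~1\\')


def parse_reg_section(text):
    """Turn a REGEDIT4-style listing into {key: [(value_name, raw_value), ...]}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == 'REGEDIT4':
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, [])
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            keys[current].append((value_match.group(1), value_match.group(2).strip()))
    return keys


def run_entry_path(raw):
    """Lower-cased image path from a ComboFix Run value, '"<image>" [<date> <size>]'.
    For a bare file name ComboFix prints the resolved path as the last bracketed token."""
    match = re.match(r'^"([^"]*)"(?:\s*\[([^\]]*)\])?', raw)
    if not match:
        return raw.lower()
    path = match.group(1)
    if '\\' not in path and match.group(2):
        tokens = match.group(2).split()
        if tokens and '\\' in tokens[-1]:
            path = tokens[-1]
    return path.lower()


def analyse(text):
    """Return review findings (dicts) for the loading points in a ComboFix log."""
    findings = []
    for key, values in parse_reg_section(text).items():
        k = key.lower()
        if k.endswith(('\\currentversion\\run', '\\currentversion\\runonce')):
            for name, raw in values:
                path = run_entry_path(raw)
                if any(d in path for d in SUSPICIOUS_DIRS) or not path.startswith(TRUSTED_ROOTS):
                    findings.append({'category': 'autostart-suspicious-path', 'key': key,
                                     'name': name, 'detail': path})
        elif 'security center\\monitoring' in k:
            for name, raw in values:
                if name.lower() == 'disablemonitoring' and raw.lower() == 'dword:00000001':
                    findings.append({'category': 'security-center-monitoring-disabled',
                                     'key': key, 'name': name, 'detail': raw})
        elif k.endswith('authorizedapplications\\list'):
            for name, _ in values:
                findings.append({'category': 'firewall-authorized-app', 'key': key,
                                 'name': name.replace('\\\\', '\\'), 'detail': ''})
        elif k.endswith('globallyopenports\\list'):
            for name, raw in values:
                findings.append({'category': 'firewall-open-port', 'key': key,
                                 'name': name, 'detail': raw})
    return findings


if __name__ == '__main__':
    for f in analyse(SAMPLE_LOG):
        print(f"{f['category']:38} {f['name']:44} {f['detail']}")
```

Run against the sample, the only autostart it reports is the constructed `ExampleLoader`; the entries copied from the thread all resolve under Windows or Program Files (including `AsioReg`, whose bare `CTASIO.DLL` is resolved from the bracketed path). The three `DisableMonitoring=1` values are listed for verification rather than as proof of anything: security suites commonly set these for their own components so Security Center does not double-report them, so the question for the reviewer is whether the installed product accounts for each one. The firewall exceptions and open ports are listed for the same reason, since peer-to-peer clients are a frequent way for a machine like this one to pick up an infection again after cleaning.
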
Solved Re: Backdoor.Tidserv!inf Problems.

Post by Anjohl on Tue Dec 02, 2008 2:47 am

I have had the tidserv show up in my Norton Scan again...ugh...please help!

Solved Re: Backdoor.Tidserv!inf Problems.

Post by Belahzur on Tue Dec 02, 2008 10:08 am

How did that happen? Let me think.
This thread's a little old now, so please start a new thread and post a Hijack This log in the topic.

Solved Re: Backdoor.Tidserv!inf Problems.

Post by Doctor Inferno on Tue Dec 09, 2008 2:37 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.