backdoor.tidserv!inf virus reported from norton [Solved]

Post by apiplani on 2nd December 2008, 6:20 am

Hi,

A Norton scan is showing the system is infected with a backdoor virus, and it is not able to delete the temp file either, saying it's in use.
Here is the info from the HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:15:16 AM, on 12/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\AMIT PIPLANI\Application Data\Mozilla\Profiles\default\fh6843y7.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [Cpqset] "C:\Program Files\HPQ\Default Settings\cpqset.exe"
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360 Premier Edition\osCheck.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - [You must be registered and logged in to see this link.]
O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - [You must be registered and logged in to see this link.]
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\HP Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10156 bytes

Post by Belahzur on 2nd December 2008, 10:01 am

Hello.
Nothing harmful is showing in the log; I see you have turned some items off at startup via msconfig.

  • Download combofix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts.
    NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
    The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Post by apiplani on 2nd December 2008, 11:30 pm

ComboFix 08-12-01.03 - Amit Piplani 2008-12-02 18:17:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.376 [GMT -5:00]
Running from: c:\documents and settings\Amit Piplani.PC139818592325\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Amit Piplani\Application Data\.rdr.ini
c:\documents and settings\Sonal Piplani\Application Data\.rdr.ini
c:\windows\IE4 Error Log.txt
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.

2008-12-02 08:36 . 2008-12-02 08:49 d-------- c:\windows\LastGood
2008-12-02 03:43 . 2008-12-02 08:55 d-------- c:\windows\system32\CatRoot_bak
2008-12-02 03:43 . 2008-09-15 06:57 1,846,016 --------- c:\windows\system32\dllcache\win32k.sys
2008-12-02 03:43 . 2008-08-28 05:04 333,056 --------- c:\windows\system32\dllcache\srv.sys
2008-12-02 03:43 . 2008-06-13 08:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-12-02 03:43 . 2008-06-13 08:10 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2008-12-02 03:43 . 2008-08-14 04:51 138,368 --------- c:\windows\system32\dllcache\afd.sys
2008-12-02 03:39 . 2006-12-06 23:14 2,330,624 --------- c:\windows\system32\dllcache\wmvcore.dll
2008-12-02 03:39 . 2008-09-04 11:42 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-12-02 03:39 . 2008-04-11 13:50 683,520 --------- c:\windows\system32\dllcache\inetcomm.dll
2008-12-02 03:39 . 2008-10-24 06:10 453,632 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-02 03:39 . 2008-10-15 11:57 332,800 --------- c:\windows\system32\dllcache\netapi32.dll
2008-12-02 03:39 . 2008-05-01 09:30 331,776 --------- c:\windows\system32\dllcache\msadce.dll
2008-12-02 03:38 . 2008-05-08 07:28 202,752 --------- c:\windows\system32\dllcache\rmcast.sys
2008-12-02 01:14 . 2008-12-02 01:14 d-------- c:\program files\Trend Micro
2008-12-02 00:20 . 2008-12-02 00:39 d-------- C:\NSS
2008-12-01 18:42 . 2008-12-02 00:13 d-------- c:\program files\Norton 360 Premier Edition
2008-12-01 18:41 . 2008-12-01 18:57 d-------- c:\program files\Symantec
2008-12-01 18:41 . 2008-12-01 18:58 d-------- c:\documents and settings\All Users\Application Data\Symantec
2008-12-01 18:41 . 2008-12-01 18:57 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-01 18:41 . 2008-12-01 18:57 60,800 --a------ c:\windows\system32\S32EVNT1.DLL
2008-11-28 21:40 . 2008-11-28 21:40 d-------- c:\documents and settings\NetworkService\Application Data\Webroot
2008-11-28 17:38 . 2008-11-28 17:38 d-------- c:\documents and settings\All Users\Symantec Temporary Files
2008-11-28 13:42 . 2008-11-28 13:42 d-------- c:\windows\system32\N360_BACKUP
2008-11-28 13:31 . 2008-11-28 13:31 d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-28 13:20 . 2008-12-01 19:06 d-------- c:\documents and settings\Amit Piplani.PC139818592325\Application Data\Symantec
2008-11-28 13:16 . 2008-11-28 13:16 d-------- c:\program files\Windows Sidebar
2008-11-28 13:13 . 2008-12-01 18:57 10,671 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-28 13:13 . 2008-12-01 18:57 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-11-18 19:51 . 2008-12-01 17:36 d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-11-13 19:15 . 2008-11-13 19:15 d-------- c:\documents and settings\Amit Piplani.PC139818592325\WINDOWS
2008-11-13 19:15 . 1999-11-10 08:16 200,192 --a------ c:\windows\RRM46.pls
2008-11-13 19:15 . 1999-11-10 08:16 188,960 --a------ c:\windows\system32\WINGDE.DLL
2008-11-13 19:15 . 1999-11-10 08:16 92,208 --a------ c:\windows\system32\WING.DLL
2008-11-13 19:15 . 1999-11-10 08:16 12,800 --a------ c:\windows\system32\WING32.DLL
2008-11-13 19:15 . 1999-11-10 08:16 6,736 --a------ c:\windows\system32\WINGDIB.DRV
2008-11-13 19:15 . 1999-11-10 08:16 5,024 --a------ c:\windows\system32\WINGPAL.WND
2008-11-13 19:10 . 2008-11-13 19:10 d-------- c:\windows\BBSTORE
2008-11-12 09:55 . 2002-01-05 05:18 84,992 --a------ c:\windows\system32\atl70.dll
2008-11-04 17:07 . 2008-11-04 17:08 d-------- c:\documents and settings\Amit Piplani.PC139818592325\.SunDownloadManager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 23:21 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-02 17:59 --------- d-----w c:\program files\lx_cats
2008-12-02 17:58 --------- d-----w c:\documents and settings\Amit Piplani.PC139818592325\Application Data\AdobeUM
2008-12-01 21:17 --------- d-----w c:\program files\brighter child
2008-11-19 00:52 --------- d-----w c:\program files\Google
2008-11-14 00:15 --------- d-----w c:\program files\The Learning Company
2008-11-14 00:10 --------- d-----w c:\program files\NZRVR
2008-11-14 00:10 --------- d-----w c:\program files\Connection Wizard
2008-11-12 14:57 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-01 01:55 --------- d-----w c:\program files\NetBeans 6.0.1
2008-11-01 01:55 --------- d-----w c:\program files\glassfish-v2ur1
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 19:04 --------- d-----w c:\program files\Vongo
2008-10-23 19:00 --------- d-----w c:\documents and settings\Gargee Piplani\Application Data\Webroot
2008-10-23 19:00 --------- d-----w c:\documents and settings\Gargee Piplani\Application Data\FaxCtr
2008-10-19 23:42 --------- d-----w c:\program files\Microsoft Money 2006
2008-10-19 23:29 --------- d-----w c:\program files\Java
2008-10-18 15:50 --------- d-----w c:\program files\GemMaster
2008-10-18 15:50 --------- d-----w c:\program files\ESPNMotion
2008-10-18 15:40 --------- d-----w c:\program files\Yahoo!
2008-10-16 22:19 --------- d-----w c:\program files\QuickTime
2008-10-16 22:19 --------- d-----w c:\program files\Common Files\Apple
2008-10-16 22:18 --------- d-----w c:\program files\Apple Software Update
2008-10-16 22:18 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-16 22:18 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-10-14 21:57 --------- d-----w c:\documents and settings\Amit Piplani.PC139818592325\Application Data\FaxCtr
2008-10-09 10:18 --------- d-----w c:\documents and settings\Amit Piplani.PC139818592325\Application Data\TVU Networks
2008-10-09 10:18 --------- d-----w c:\documents and settings\All Users\Application Data\TVU Networks
2008-10-09 10:11 --------- d-----w c:\program files\Common Files\NSV
2008-10-08 00:24 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-04 15:14 --------- d-----w c:\documents and settings\Amit Piplani.PC139818592325\Application Data\Sonic
2008-10-04 15:13 --------- d-----w c:\documents and settings\Amit Piplani.PC139818592325\Application Data\Leadertech
2008-10-03 01:15 --------- d-----w c:\documents and settings\Amit Piplani.PC139818592325\Application Data\Yahoo!
2008-10-02 23:31 --------- d-----w c:\documents and settings\Amit Piplani.PC139818592325\Application Data\WildTangent
2008-10-02 23:31 --------- d-----w c:\documents and settings\All Users\Application Data\WildTangent
2008-10-02 23:29 --------- d-----w c:\program files\WildTangent
2008-10-02 23:23 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2008-10-02 14:00 --------- d-----w c:\documents and settings\Amit Piplani.PC139818592325\Application Data\Netscape
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-30 00:51 90,112 ----a-w c:\windows\DUMP2e43.tmp
2008-09-30 00:49 90,112 ----a-w c:\windows\DUMP375b.tmp
2008-09-28 17:59 164 ----a-w C:\install.dat
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2007-12-25 01:01 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-03-06 23:16 836 ----a-w c:\documents and settings\Amit Piplani\Application Data\ViewerApp.dat
2006-12-27 18:30 17,172,599 ----a-w c:\documents and settings\Sonal Piplani\setup_blazemp.exe
2006-07-09 01:00 22 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-11 102400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-22 185896]
"lxcrmon.exe"="c:\program files\Lexmark 2400 Series\lxcrmon.exe" [2006-01-22 286720]
"EzPrint"="c:\program files\Lexmark 2400 Series\ezprint.exe" [2006-02-07 98304]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 290816]
"LXCRCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2005-12-01 65536]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360 Premier Edition\osCheck.exe" [2008-02-26 988512]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 5367608]
"MsmqIntCert"="mqrt.dll" [2004-08-10 c:\windows\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 c:\windows\system32\CHDAudPropShortcut.exe]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-03-14 73728]

c:\documents and settings\Amit Piplani\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-03-14 73728]

c:\documents and settings\Gargee Piplani\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-03-14 73728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2006-07-25 151552]
Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2006-07-25 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2008-02-18 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-01 99376]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2008-01-12 23888]

*Newly Created Service* - COMHOST
*Newly Created Service* - EHRECVR
*Newly Created Service* - EHSCHED
*Newly Created Service* - MCRDSVC
*Newly Created Service* - PROCEXP90
.
.

------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Amit Piplani.PC139818592325\Application Data\Mozilla\Firefox\Profiles\sik3ue7i.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - [You must be registered and logged in to see this link.]
FireFox -: prefs.js - STARTUP.HOMEPAGE - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-02 18:20:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\AMITPI~1.PC1\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1308)
c:\windows\system32\WRLogonNTF.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2008-12-02 18:23:31
ComboFix-quarantined-files.txt 2008-12-02 23:23:23

Pre-Run: 22,631,108,608 bytes free
Post-Run: 22,658,134,016 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

218 --- E O F --- 2008-12-02 09:08:02

Post by Belahzur on 2nd December 2008, 11:33 pm

Looks okay, what problems remain?

Post by Doctor Inferno on 17th December 2008, 1:52 pm

Since this issue appears resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.
