backdoor.tidserv!inf and Trojan Horse - need help



Post by chacha123 on 4th December 2008, 2:44 am

Symentac full scan is showing backdoor.tidserv!inf (file name TDSS135e.tmp ) and Trojan Horse (file name snapsnet.tmp ). Please find the hijackthis and fixwareout reports.

----------hijackthis log -------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:15:11 PM, on 12/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Intel\AMT\atchk.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\PAYCLOCK\PCSCMGR.EXE
C:\PAYCLOCK\TouchStation\TSMGR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\KONICA MINOLTA\FTP Utility\KMFtp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - C:\WINDOWS\system32\cbXNGyYo.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: (no name) - {F71A5BB8-9560-4941-8D92-4745475B7570} - C:\WINDOWS\system32\ddcBQjHy.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [PayClockServer] C:\PAYCLOCK\PCSCMGR.EXE
O4 - HKLM\..\Run: [PayClockTerminalService] C:\PAYCLOCK\PC50\PCTSCMGR.EX_
O4 - HKLM\..\Run: [TouchStation] C:\PAYCLOCK\TouchStation\TSMGR.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FTP Utility.lnk = C:\Program Files\KONICA MINOLTA\FTP Utility\KMFtp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Similar Pages - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A01A7790-4640-4A52-AAF9-A5B269D9CEE1}: NameServer = 10.51.54.1
O20 - AppInit_DLLs: vjjaqt.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O23 - Service: Intel(R) AMT System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: User Authentication Manager (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7666 bytes

----------------Fixwareout report -----------

Username "Administrator" - 12/03/2008 19:47:36 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"RTHDCPL"="RTHDCPL.EXE"
"PTHOSTTR"="C:\\Program Files\\Hewlett-Packard\\HP ProtectTools Security Manager\\PTHOSTTR.EXE /Start"
"atchk"="\"C:\\Program Files\\Intel\\AMT\\atchk.exe\""
"SetRefresh"="C:\\Program Files\\Compaq\\SetRefresh\\SetRefresh.exe"
"CognizanceTS"="rundll32.exe C:\\PROGRA~1\\HPQ\\IAM\\Bin\\AsTsVcc.dll,RegisterModule"
"Recguard"="C:\\WINDOWS\\Sminst\\Recguard.exe"
"Reminder"="C:\\WINDOWS\\Creator\\Remind_XP.exe"
"Scheduler"="C:\\WINDOWS\\SMINST\\Scheduler.exe"
"PayClockServer"="C:\\PAYCLOCK\\PCSCMGR.EXE"
"PayClockTerminalService"="C:\\PAYCLOCK\\PC50\\PCTSCMGR.EX_"
"TouchStation"="C:\\PAYCLOCK\\TouchStation\\TSMGR.EXE"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


Re: backdoor.tidserv!inf and Trojan Horse - need help

Post by Belahzur on 4th December 2008, 1:46 pm

Hello.
Fixwareout won't do anything; that fixes DNS hijackers, and you don't have a DNS hijacker.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - C:\WINDOWS\system32\cbXNGyYo.dll (file missing)
    O2 - BHO: (no name) - {F71A5BB8-9560-4941-8D92-4745475B7570} - C:\WINDOWS\system32\ddcBQjHy.dll (file missing)
    O20 - AppInit_DLLs: C:\WINDOWS\system32\vjjaqt.dll


  • Press "Fix Checked"
  • Close Hijack This.


Delete this file in bold:
C:\WINDOWS\system32\vjjaqt.dll



  • Download combofix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt that asks if you want to continue the malware scan; select yes.



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.




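The entries Belahzur's reply singles out from the HijackThis log above are the two O2 BHOs that have no name and whose DLLs are already gone, the O20 AppInit_DLLs entry, and, by implication, the O17 NameServer line: 10.51.54.1 is a private address, which is why he says there is no DNS hijacker for Fixwareout to fix. The script below is an added example written for this thread; it is not code from the thread, from Trend Micro's HijackThis, or from any other tool named here. It encodes those three checks as a triage pass over HijackThis-style lines. The sample log is a constructed subset of the lines posted above, and the `Oxx - ...` entry shape it matches is assumed from those lines.

```python
from ipaddress import ip_address
import re

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - C:\WINDOWS\system32\cbXNGyYo.dll (file missing)
O2 - BHO: (no name) - {F71A5BB8-9560-4941-8D92-4745475B7570} - C:\WINDOWS\system32\ddcBQjHy.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{A01A7790-4640-4A52-AAF9-A5B269D9CEE1}: NameServer = 10.51.54.1
O20 - AppInit_DLLs: vjjaqt.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
""".strip()

# "Oxx - rest of entry" is the line shape seen in the posted log; assumed to
# hold for the R/F/N/O entry families as well.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (.+)$")


def is_private_dns(value):
    """True only when every listed resolver is a private/loopback/link-local address."""
    addrs = [a for a in re.split(r"[,\s]+", value.strip()) if a]
    if not addrs:
        return False
    try:
        return all(ip_address(a).is_private for a in addrs)
    except ValueError:  # hostnames or garbage: cannot vouch for it
        return False


def triage(log_text):
    """Return (code, reason, entry) tuples for lines that deserve a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.groups()
        if code == "O2":
            reasons = []
            if "(no name)" in body:
                reasons.append("BHO registered without a display name")
            if "(file missing)" in body:
                reasons.append("BHO DLL not on disk (stale or half-removed entry)")
            if reasons:
                findings.append((code, "; ".join(reasons), body))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:
                reason = "AppInit_DLLs injects this DLL into every process that loads user32.dll"
                if "\\" not in value:
                    reason += "; bare filename is resolved through the DLL search path"
                findings.append((code, reason, body))
        elif code == "O17":
            ns = NAMESERVER_RE.search(body)
            if ns and not is_private_dns(ns.group(1)):
                findings.append((code, "resolver outside private address space; confirm it is expected", body))
    return findings


if __name__ == "__main__":
    for code, reason, entry in triage(SAMPLE_HJT_LOG):
        print(f"[{code}] {reason}\n    {entry}")
```

On the posted log this flags exactly the three lines Belahzur told the poster to fix and stays quiet on the O17 line, because the resolver is RFC 1918 space; a public resolver would be reported for confirmation rather than declared malicious, since the log alone cannot tell a corporate DNS server from a hijacked one.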

backdoor.tidserv!inf and Trojan Horse - need help

Post by chacha123 on 5th December 2008, 4:40 am

ComboFix 08-12-04.04 - Administrator 2008-12-04 21:59:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.501 [GMT -6:00]
Running from: c:\hijack\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\IUpd721
c:\documents and settings\Administrator\Application Data\IUpd721\Logs\scns.log
c:\documents and settings\cyfair2\Application Data\gadcom
c:\documents and settings\cyfair2\Application Data\IUpd721
c:\documents and settings\cyfair2\Application Data\IUpd721\Logs\scns.log
c:\documents and settings\cyfair2\Application Data\NI.GSCNS
c:\documents and settings\cyfair2\Application Data\NI.GSCNS\dl.ini
c:\documents and settings\cyfair2\Application Data\NI.GSCNS\settings.ini
c:\documents and settings\cyfair2\Application Data\SpeedRunner
c:\documents and settings\cyfair2\Application Data\SpeedRunner\config.cfg
c:\documents and settings\cyfair2\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\cyfair2\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\cyfair2\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\cyfair2\Start Menu\Programs\Startup\DW_Start.lnk
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\CPV.stt
c:\windows\system32\beyjmpmr.ini
c:\windows\system32\dlpxunyg.dll
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\gpitwgfl.ini
c:\windows\system32\kkneag.dll
c:\windows\system32\x64
c:\windows\system32\xfxlbkvs.ini
c:\windows\system32\yHjQBcdd.ini
c:\windows\system32\yHjQBcdd.ini2
c:\windows\wiaserviv.log
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-03 20:14 . 2008-12-03 20:14 d-------- c:\program files\Trend Micro
2008-12-03 19:47 . 2008-12-03 20:15 d-------- C:\fixwareout
2008-12-03 13:00 . 2008-12-03 13:00 0 --a------ c:\windows\vpc32.INI
2008-12-03 12:55 . 2008-12-03 12:55 d-------- c:\program files\Symantec
2008-12-03 12:55 . 2006-09-18 17:55 109,744 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-03 12:55 . 2006-09-18 17:55 48,816 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-03 12:54 . 2008-12-04 22:09 d-------- c:\program files\Symantec AntiVirus
2008-12-03 12:54 . 2008-12-03 12:55 d-------- c:\program files\Common Files\Symantec Shared
2008-12-03 12:54 . 2008-12-03 12:55 d-------- c:\documents and settings\All Users\Application Data\Symantec
2008-12-03 12:43 . 2008-12-03 12:43 d-------- c:\windows\ERUNT
2008-12-03 12:42 . 2008-12-03 12:52 d-------- C:\SDFix
2008-12-03 09:19 . 2008-12-03 18:46 d-------- c:\program files\UnHackMe
2008-12-03 09:19 . 2008-12-03 09:19 (2) -rahs-ot- c:\windows\winstart.bat
2008-12-03 03:02 . 2008-12-04 21:04 d-------- C:\hijack
2008-12-02 12:29 . 2008-12-02 12:26 70,892,224 --a------ C:\counterspy.exe
2008-12-01 20:48 . 2008-12-01 20:48 d--h----- c:\windows\system32\GroupPolicy
2008-12-01 18:49 . 2008-12-01 18:49 9,662 --a------ c:\windows\system32\pinkip.ico
2008-12-01 10:12 . 2008-12-01 21:05 118,784 --a------ c:\windows\system32\chg.exe
2008-12-01 08:36 . 2008-12-01 21:30 2,259 --a------ c:\windows\system32\TDSSxbqe.dll
2008-12-01 08:31 . 2008-12-03 13:29 d-------- c:\windows\system32\VC
2008-12-01 08:31 . 2008-12-03 13:39 d-------- c:\windows\system32\uv9
2008-12-01 08:31 . 2008-12-03 13:27 d-------- c:\windows\system32\ki3
2008-12-01 08:31 . 2008-12-03 13:27 d-------- c:\windows\system32\hov
2008-12-01 08:31 . 2008-12-01 08:31 d-------- c:\windows\system32\bin
2008-12-01 08:31 . 2008-12-01 08:31 d-------- c:\temp\DIV55
2008-12-01 08:31 . 2008-12-03 12:51 d-------- C:\Temp
2008-12-01 08:31 . 2008-12-01 08:31 192,604 --a------ c:\windows\system32\g80.exe
2008-11-30 09:26 . 2008-12-03 13:08 d-------- c:\documents and settings\cyfair2\Application Data\Twain
2008-11-29 09:15 . 2008-11-29 09:15 318,464 --a------ c:\windows\system32\DDCBQJHY.DLL.del

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-09-01 16:37 18,456 ----a-w c:\documents and settings\cyfair2\Application Data\GDIPFONTCACHEV1.DAT
2008-06-11 22:26 61,224 ----a-w c:\documents and settings\Administrator\GoToAssistDownloadHelper.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-06-08 131072]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-01-09 404288]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"CognizanceTS"="c:\progra~1\HPQ\IAM\Bin\AsTsVcc.dll" [2003-12-22 17920]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-31 761856]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-04-24 888832]
"PayClockServer"="c:\payclock\PCSCMGR.EXE" [2007-12-12 372736]
"TouchStation"="c:\payclock\TouchStation\TSMGR.EXE" [2008-01-24 303104]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-04 c:\windows\RTHDCPL.exe]

c:\documents and settings\cyfair2\Start Menu\Programs\Startup\
netuse.bat [2007-09-23 113]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
FTP Utility.lnk - c:\program files\KONICA MINOLTA\FTP Utility\KMFtp.exe [2004-10-27 102400]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2006-06-07 13:26 40448 c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2006-04-06 22:00 434176 c:\windows\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli AsWlnPkg

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\WINDOWS\\system32\\mstsc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Medisoft\\Bin\\MAPA.EXE"=
"c:\\Program Files\\Medisoft\\Bin\\Ohp.exe"=
"c:\\PAYCLOCK\\MAPDB.exe"=
"c:\\PAYCLOCK\\MapDBWizard.exe"=
"c:\\PAYCLOCK\\Bteng32m.exe"=
"c:\\PAYCLOCK\\Bt32smgr.exe"=
"c:\\PAYCLOCK\\RBEdit.exe"=
"c:\\PAYCLOCK\\InstChecker.exe"=
"c:\\PAYCLOCK\\Pcihsv.exe"=
"c:\\PAYCLOCK\\Pcscmgr.exe"=
"c:\\PAYCLOCK\\dbmgr.exe"=
"c:\\PAYCLOCK\\RENYRUN.exe"=
"c:\\PAYCLOCK\\TERMMGR.exe"=
"c:\\PAYCLOCK\\Export32.exe"=
"c:\\PAYCLOCK\\LicMgr32.exe"=
"c:\\PAYCLOCK\\Reny.exe"=
"c:\\PAYCLOCK\\RepWrite.exe"=
"c:\\PAYCLOCK\\Register32.exe"=
"c:\\PAYCLOCK\\EZConfig.exe"=
"c:\\PAYCLOCK\\ExpressConfig.exe"=
"c:\\PAYCLOCK\\QB02Sync.exe"=
"c:\\PAYCLOCK\\QBExport.exe"=
"c:\\PAYCLOCK\\QB03Sync.exe"=
"c:\\PAYCLOCK\\QBSetup.exe"=
"c:\\PAYCLOCK\\QB03Wiz.exe"=
"c:\\PAYCLOCK\\QB03Exp.exe"=
"c:\\PAYCLOCK\\EmpReports.exe"=
"c:\\PAYCLOCK\\PC50\\MAPDB.exe"=
"c:\\PAYCLOCK\\PC50\\MapDBWizard.exe"=
"c:\\PAYCLOCK\\PC50\\Bteng32m.exe"=
"c:\\PAYCLOCK\\PC50\\Bt32smgr.exe"=
"c:\\PAYCLOCK\\PC50\\RBEdit.exe"=
"c:\\PAYCLOCK\\PC50\\Pcihsv.exe"=
"c:\\PAYCLOCK\\PC50\\PCTSCMGR.EXE"=
"c:\\PAYCLOCK\\PC50\\FingerConvert.exe"=
"c:\\PAYCLOCK\\TOUCHS~1\\MAPDB.exe"=
"c:\\PAYCLOCK\\TOUCHS~1\\MapDBWizard.exe"=
"c:\\PAYCLOCK\\TOUCHS~1\\Bteng32m.exe"=
"c:\\PAYCLOCK\\TOUCHS~1\\Bt32smgr.exe"=
"c:\\PAYCLOCK\\TOUCHS~1\\RBEdit.exe"=
"c:\\PAYCLOCK\\TOUCHS~1\\Pcihsv.exe"=
"c:\\PAYCLOCK\\TOUCHS~1\\EnrollWiz.exe"=
"c:\\PAYCLOCK\\TOUCHS~1\\TSMgr.exe"=
"c:\\PAYCLOCK\\TOUCHS~1\\FingerConvert.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2006-04-06 31104]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-03 99376]
R3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2007-07-06 36608]
S2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k netsvcs [2006-02-27 14336]
S3 dpK00701;U.are.U® Fingerprint Reader Upper Driver;c:\windows\system32\DRIVERS\dpK00701.sys [2008-06-06 46592]
S3 EraserUtilDrv10621;EraserUtilDrv10621;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys []
S3 EraserUtilDrvI7;EraserUtilDrvI7;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys []
S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2006-09-27 116464]
S3 TOUCHDSP;TouchStation LCD/LED USB driver;c:\windows\system32\Drivers\TOUCHDSP.sys [2008-06-06 49152]
S3 TOUCHSTA;TOUCHSTA;c:\windows\system32\drivers\TouchSta.sys [2008-06-06 20736]
S3 usbdpfp;U.are.U® Fingerprint Reader Class Driver;c:\windows\system32\DRIVERS\usbdpfp.sys [2008-06-06 47104]
S3 VirtDisk;XSS Virtual Disk Driver;\??\c:\windows\sminst\VirtDisk.sys [2007-07-06 57344]
S4 PayClockServer;PayClock Database Service;c:\payclock\BTENG32M.EXE /SCN:PayClockServer [2008-06-06 208955]
S4 PayClockTerminalServer;PayClock Terminal Service;c:\payclock\TOUCHS~1\BTENG32M.EXE /SCN:PayClockTerminalServer [2008-06-06 208955]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
Contents of the 'Scheduled Tasks' folder

2008-06-10 c:\windows\Tasks\shut.job
- c:\tools\shut.bat [2008-04-22 18:17]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PayClockTerminalService - c:\payclock\PC50\PCTSCMGR.EX_
MSConfigStartUp-51478563 - c:\windows\system32\rmpmjyeb.dll
MSConfigStartUp-SpeedRunner - c:\documents and settings\cyfair2\Application Data\SpeedRunner\SpeedRunner.exe
MSConfigStartUp-uodhbiiqudvkbp - c:\windows\system32\oewknkyiyev.dll
MSConfigStartUp-webHancer Agent - c:\program files\webHancer\Programs\whagent.exe



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-04 22:10:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PayClockServer]
"ImagePath"="c:\payclock\BTENG32M.EXE /SCN:PayClockServer"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PayClockTerminalServer]
"ImagePath"="c:\payclock\TOUCHS~1\BTENG32M.EXE /SCN:PayClockTerminalServer"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1140)
c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
c:\windows\system32\IfxWlxEN.dll

- - - - - - - > 'lsass.exe'(1196)
c:\program files\HPQ\IAM\bin\AsWlnPkg.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\DigitalPersona\Bin\DpHost.exe
c:\windows\system32\IFXSPMGT.exe
c:\windows\system32\IFXTCS.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\HPQ\IAM\Bin\asghost.exe
c:\program files\ProtectTools\Embedded Security Software\PSDrt.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-04 22:12:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-05 04:12:52

Pre-Run: 58,960,220,160 bytes free
Post-Run: 59,480,363,008 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

248 --- E O F --- 2008-11-13 09:01:53


Re: backdoor.tidserv!inf and Trojan Horse - need help

Post by Belahzur on 5th December 2008, 2:44 pm

Hello.
Just a few leftovers to get.

Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\system32\chg.exe
c:\windows\system32\TDSSxbqe.dll
c:\windows\winstart.bat
c:\windows\system32\g80.exe
c:\documents and settings\cyfair2\Start Menu\Programs\Startup\netuse.bat

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.




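Besides the files it deleted, the ComboFix log above records several posture and persistence signals that a reader can miss among the PayClock firewall exceptions: two Legacy_* service keys (one of them TDSSSERV.SYS) under Drivers/Services, the standard-profile firewall set to EnableFirewall = 0, TCP 3389 globally open, Security Center monitoring disabled for Symantec AntiVirus, and a cached AutoRun command under mountpoints2\D, which is the key Belahzur's CFScript then removes. The script below is an added example written for this thread, not code from the thread or from ComboFix; it walks a ComboFix-style log and reports those signals. The sample log is a constructed excerpt of the posted one (section banners shortened, values unchanged), and the banner, key and value line shapes it parses are assumed from that log.

```python
import re

# Constructed sample: the parts of the posted ComboFix log that carry the
# signals checked below (section banners shortened, values unchanged).
SAMPLE_COMBOFIX_LOG = r"""
((((((((((((((( Drivers/Services )))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_TDSSSERV.SYS

((((((((((((((( Reg Loading Points )))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
""".strip()

HEADER_RE = re.compile(r"^\({3,}\s*(.*?)\s*\){3,}$")  # ((( Section name )))
KEY_RE = re.compile(r"^\[(.+)\]$")                      # [registry key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')        # "name"=value


def triage_combofix(log_text):
    """Return (category, message) pairs for posture-weakening or persistence signals."""
    findings = []
    section = key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        h = HEADER_RE.match(line)
        if h:
            section, key = h.group(1), None
            continue
        if section == "Drivers/Services" and line.startswith("-------\\Legacy_"):
            findings.append(("service", "Legacy_* service key listed under Drivers/Services: "
                             + line.rsplit("\\", 1)[-1]))
            continue
        k = KEY_RE.match(line)
        if k:
            key = k.group(1)
            continue
        if key is None:
            continue
        lkey = key.lower()
        v = VALUE_RE.match(line)
        if v:
            name, value = v.groups()
            if lkey.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and value.startswith("0"):
                findings.append(("firewall", "Windows Firewall disabled for the standard profile"))
            elif lkey.endswith("globallyopenports\\list"):
                findings.append(("firewall", "port opened to all networks: " + name))
            elif "security center\\monitoring" in lkey and name == "DisableMonitoring" and value.endswith("1"):
                product = key.rsplit("\\", 1)[-1]
                findings.append(("security-center",
                                 f"Security Center AV monitoring disabled for {product} "
                                 "(managed AV products often set this; confirm it is yours)"))
        elif "mountpoints2" in lkey and "\\shell\\autorun\\command" in line.lower():
            # Explorer caches a drive's Autorun.inf handler here; it survives
            # deleting the Autorun.inf itself, hence the Registry:: line in the CFScript.
            drive = key.rsplit("\\", 1)[-1].upper()
            cmd = line.split(" - ", 1)[1] if " - " in line else line
            findings.append(("autorun", f"AutoRun command cached for drive {drive}: {cmd}"))
    return findings


if __name__ == "__main__":
    for category, message in triage_combofix(SAMPLE_COMBOFIX_LOG):
        print(f"[{category}] {message}")
```

The security-center finding is deliberately worded as something to confirm rather than a verdict: Symantec AntiVirus itself registers under Security Center monitoring on XP SP2, so that value is expected on this machine, whereas the disabled firewall and the globally open 3389 are configuration decisions the poster should be able to account for.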

Re: backdoor.tidserv!inf and Trojan Horse - need help

Post by Doctor Inferno on 20th December 2008, 2:55 am

Due to lack of feedback, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.



