Backdoor.Tidserv


Solved Backdoor.Tidserv

Post by joethedon on Fri Dec 19, 2008 9:00 pm

Hello,

While I was using my computer a few minutes ago I got an alert from Norton which said that my computer had been infected with 'Backdoor.Tidserv' and that in order to remove it I must restart the computer. I did this and then researched the symptoms of the problem, and it sounds very harmful, so I just wanted to check that it had been properly removed, and if it has not been properly removed, how should I go about removing it?

Here is a HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:24, on 19/12/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\P4G\BatteryLife.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\P4P\P4P.exe
C:\Windows\ASScrPro.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\System32\ACEngSvr.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Windows\system32\svchost.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ATK Hotkey\KBFiltr.exe
C:\Program Files\ATK Hotkey\WDC.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\Owner\Documents\Downloads\virus fix\Hijack(GP)This.exe
C:\Windows\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PowerForPhone] "C:\Program Files\P4P\P4P.exe"
O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe
O4 - HKLM\..\Run: [ASUS Camera ScreenSaver] C:\Windows\ASScrProlog.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ADSM Service (ADSMService) - Unknown owner - C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 11168 bytes

joethedon
Novice

Posts: 38
Joined: 2008-12-14
Gender: Male
OS: Windows Vista Home Premium
Points: 29301
Likes: 0

Solved Re: Backdoor.Tidserv

Post by Belahzur on Fri Dec 19, 2008 9:07 pm

How did that happen?


  • Download ComboFix from here, using the top links - [You must be registered and logged in to see this link.]
  • Double-click on ComboFix.exe.
  • Follow the prompts.
  • NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see the next prompt, which asks if you want to continue the malware scan; select Yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245069
Likes: 1

Solved Re: Backdoor.Tidserv

Post by joethedon on Fri Dec 19, 2008 9:54 pm

Not sure, to be honest.

Here's the ComboFix log:

ComboFix 08-12-14.02 - Owner 2008-12-19 13:25:03.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.2060 [GMT -8:00]
Running from: c:\users\Owner\Documents\Downloads\virus fix\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\WycMonnn.ini
c:\windows\system32\WycMonnn.ini2

.
((((((((((((((((((((((((( Files Created from 2008-11-19 to 2008-12-19 )))))))))))))))))))))))))))))))
.

2008-12-19 13:17 . 2003-07-29 18:18 3,839 --a------ c:\windows\System32\drivers\GETPADD.sys
2008-12-18 08:52 . 2008-12-18 08:52 0 --a------ c:\windows\nsreg.dat
2008-12-17 16:04 . 2008-12-17 16:05 d-------- c:\users\Owner\AppData\Roaming\Media Player Classic
2008-12-17 16:04 . 2008-12-17 16:04 d-------- c:\program files\Essentials Codec Pack
2008-12-14 18:00 . 2008-12-14 18:00 d-------- C:\VundoFix Backups
2008-12-14 17:51 . 2008-12-14 17:51 d-------- c:\users\Owner\AppData\Roaming\Malwarebytes
2008-12-14 17:51 . 2008-12-14 17:51 d-------- c:\users\All Users\Malwarebytes
2008-12-14 17:51 . 2008-12-14 17:51 d-------- c:\programdata\Malwarebytes
2008-12-14 17:51 . 2008-12-14 17:51 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-14 17:51 . 2008-12-03 19:54 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-12-14 17:51 . 2008-12-03 19:54 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-12-14 17:37 . 2008-12-14 17:37 d-------- c:\users\Owner\AppData\Roaming\PC Tools
2008-12-14 17:37 . 2008-12-14 23:53 d-------- c:\program files\Spyware Doctor
2008-12-14 17:37 . 2008-08-25 12:36 81,288 --a------ c:\windows\System32\drivers\iksyssec.sys
2008-12-14 17:37 . 2008-08-25 12:36 66,952 --a------ c:\windows\System32\drivers\iksysflt.sys
2008-12-14 17:37 . 2008-08-25 12:36 40,840 --a------ c:\windows\System32\drivers\ikfilesec.sys
2008-12-14 17:37 . 2008-06-02 16:19 29,576 --a------ c:\windows\System32\drivers\kcom.sys
2008-12-14 14:30 . 2008-12-14 14:30 410,984 --a------ c:\windows\System32\deploytk.dll
2008-12-14 13:00 . 2008-12-19 13:18 318,976 --a------ c:\windows\System32\cmd.execf
2008-12-14 07:53 . 2008-12-14 07:53 d-------- c:\program files\Lavasoft
2008-12-14 07:52 . 2008-12-14 07:52 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-14 07:08 . 2008-12-14 07:16 d-------- c:\users\All Users\Lavasoft
2008-12-14 07:08 . 2008-12-14 07:16 d-------- c:\programdata\Lavasoft
2008-12-14 06:31 . 2008-12-19 13:34 d-a------ c:\users\All Users\TEMP
2008-12-14 06:31 . 2008-12-19 13:34 d-a------ c:\programdata\TEMP
2008-12-11 09:32 . 2008-12-11 09:32 691 --a------ c:\users\Owner\AppData\Roaming\GetValue.vbs
2008-12-11 09:32 . 2008-12-11 09:32 35 --a------ c:\users\Owner\AppData\Roaming\SetValue.bat
2008-12-11 09:10 . 2008-12-11 09:51 256 --a------ c:\windows\wininit.ini
2008-12-11 08:48 . 2008-12-11 09:10 d-------- c:\users\All Users\Registry Helper
2008-12-11 08:48 . 2008-12-11 09:10 d-------- c:\programdata\Registry Helper
2008-12-08 11:24 . 2008-12-08 11:53 d-------- c:\users\All Users\Spybot - Search & Destroy
2008-12-08 11:24 . 2008-12-08 11:53 d-------- c:\programdata\Spybot - Search & Destroy
2008-12-08 11:24 . 2008-12-08 11:52 d-------- c:\program files\Spybot - Search & Destroy
2008-12-07 13:31 . 2008-12-07 13:31 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-12-06 17:53 . 2008-06-19 17:14 781,344 --a------ c:\windows\System32\PresentationNative_v0300.dll
2008-12-06 17:53 . 2008-06-19 17:14 622,080 --a------ c:\windows\System32\icardagt.exe
2008-12-06 17:53 . 2008-06-19 17:14 105,016 --a------ c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll
2008-12-06 17:53 . 2008-06-19 17:14 97,800 --a------ c:\windows\System32\infocardapi.dll
2008-12-06 17:53 . 2008-06-19 17:14 43,544 --a------ c:\windows\System32\PresentationHostProxy.dll
2008-12-06 17:53 . 2008-06-19 17:14 37,384 --a------ c:\windows\System32\infocardcpl.cpl
2008-12-06 17:53 . 2008-06-19 17:14 11,264 --a------ c:\windows\System32\icardres.dll
2008-12-06 17:52 . 2008-06-19 17:14 326,160 --a------ c:\windows\System32\PresentationHost.exe
2008-12-06 17:09 . 2008-12-06 17:09 d-------- C:\PerfLogs
2008-12-06 14:57 . 2008-07-27 10:00 282,112 --a------ c:\windows\System32\mscoree.dll
2008-12-06 14:57 . 2008-07-27 10:00 158,720 --a------ c:\windows\System32\mscorier.dll
2008-12-06 14:57 . 2008-07-27 10:00 96,760 --a------ c:\windows\System32\dfshim.dll
2008-12-06 14:57 . 2008-07-27 10:00 41,984 --a------ c:\windows\System32\netfxperf.dll
2008-12-06 14:56 . 2008-07-27 10:00 83,968 --a------ c:\windows\System32\mscories.dll
2008-11-30 11:23 . 2008-11-30 11:27 d-------- c:\program files\Driving Test Success ROAD SIGNS
2008-11-28 23:44 . 2008-11-28 23:44 dr------- c:\users\Owner\Pictures
2008-11-27 17:38 . 2008-10-16 13:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-27 17:38 . 2008-10-16 12:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-27 17:38 . 2008-10-16 13:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-27 17:38 . 2008-10-16 13:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-27 17:37 . 2008-10-16 13:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-27 17:37 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-27 17:37 . 2008-10-16 12:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-27 17:37 . 2008-10-16 13:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-27 17:37 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-11-26 15:39 . 2008-11-26 15:40 d-------- c:\program files\Hamachi
2008-11-26 15:39 . 2008-11-26 15:39 25,280 --a------ c:\windows\System32\drivers\hamachi.sys
2008-11-26 13:50 . 2008-10-20 21:25 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-26 13:50 . 2008-08-27 19:40 712,704 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-26 13:50 . 2008-08-27 19:40 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-26 13:50 . 2008-08-27 19:40 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-26 13:50 . 2008-10-21 19:57 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-26 13:50 . 2008-01-18 23:36 160,768 --a------ c:\windows\System32\PortableDeviceTypes.dll
2008-11-26 13:50 . 2008-01-18 23:36 94,720 --a------ c:\windows\System32\PortableDeviceClassExtension.dll


Solved Re: Backdoor.Tidserv

Post by joethedon on Fri Dec 19, 2008 9:55 pm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-18 23:09 --------- d-----w c:\users\Owner\AppData\Roaming\Azureus
2008-12-14 22:33 --------- d-----w c:\program files\Java
2008-12-12 01:06 2,828 --sha-w c:\users\All Users\KGyGaAvL.sys
2008-12-12 01:06 2,828 --sha-w c:\programdata\KGyGaAvL.sys
2008-12-11 18:07 --------- d-----w c:\programdata\Microsoft Help
2008-12-11 16:49 --------- d-----w c:\program files\Bonjour
2008-12-09 17:11 --------- d-----w c:\program files\Windows Mail
2008-12-07 01:20 174 --sha-w c:\program files\desktop.ini
2008-12-07 01:11 --------- d-----w c:\program files\Windows Sidebar
2008-12-07 01:11 --------- d-----w c:\program files\Windows Photo Gallery
2008-12-07 01:11 --------- d-----w c:\program files\Windows Journal
2008-12-07 01:11 --------- d-----w c:\program files\Windows Defender
2008-12-07 01:11 --------- d-----w c:\program files\Windows Collaboration
2008-12-07 01:11 --------- d-----w c:\program files\Windows Calendar
2008-12-07 00:24 82,432 ----a-w c:\windows\System32\axaltocm.dll
2008-12-07 00:24 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2008-11-30 19:23 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-29 18:22 --------- d-----w c:\programdata\Symantec
2008-11-28 01:24 --------- d-----w c:\users\Owner\AppData\Roaming\Hamachi
2008-11-27 06:27 --------- d-----w c:\programdata\InterVideo
2008-11-18 18:43 --------- d-----w c:\users\Owner\AppData\Roaming\Sports Interactive
2008-11-18 18:40 --------- d-----w c:\programdata\Sports Interactive
2008-11-18 18:29 --------- d-----w c:\program files\Sports Interactive
2008-11-18 18:26 --------- d-----w c:\program files\Common Files\Steam
2008-11-05 01:43 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-05 00:48 --------- d-----w c:\program files\Norton 360
2008-10-27 05:20 --------- d-----w c:\program files\Azureus
2008-10-19 16:30 --------- d-----w c:\program files\Apple Software Update
2008-10-19 16:29 --------- d-----w c:\program files\iTunes
2008-10-19 16:29 --------- d-----w c:\program files\iPod
2008-10-19 16:27 --------- d-----w c:\programdata\Apple Computer
2008-10-19 16:27 --------- d-----w c:\program files\QuickTime
2008-10-19 16:27 --------- d-----w c:\program files\Common Files\Apple
2008-10-16 22:11 98,304 ----a-w c:\windows\System32\CmdLineExt.dll
2008-10-02 03:49 827,392 ----a-w c:\windows\System32\wininet.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-08-28 19:29 88 --sh--r c:\users\All Users\5CD5D7E829.sys
2008-08-28 19:29 88 --sh--r c:\programdata\5CD5D7E829.sys
2008-06-30 20:44 324,976 ----a-w c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-01 16:08 143360 --a------ c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-18 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-08-28 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 630784]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-19 36864]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-01 857648]
"PowerForPhone"="c:\program files\P4P\P4P.exe" [2007-08-02 778240]
"ASUS Screen Saver Protector"="c:\windows\ASScrPro.exe" [2008-08-23 33136]
"ASUS Camera ScreenSaver"="c:\windows\ASScrProlog.exe" [2008-08-23 37232]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-14 136600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-23 185896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Media Codec Update Service"="c:\program files\Essentials Codec Pack\update.exe" [2007-04-08 303104]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-05 c:\windows\RtHDVCpl.exe]
"Skytel"="Skytel.exe" [2007-06-15 c:\windows\SkyTel.exe]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{AB8CA5B7-FB63-43E8-8D3D-D485E3052C89}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E80FD683-87E1-41BB-9066-79C51CDFC503}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{BDB41943-B758-4A27-9BDE-611A707B0E31}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{FF8225D1-2415-45F9-92E4-EC1B15BD67F2}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{25E03E1A-9E26-4722-A124-18A17B9BACCD}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{7C4CBE1E-4052-44B4-B8BC-5E07E452A461}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{740B17DC-4314-4027-8785-C590C2E1C873}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{9F1F69EA-BAC3-4152-BDE9-7609D0E29ED7}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{E3FA159F-DBE8-4467-AC7B-09FCD5803641}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{ED9AD069-AE55-41E2-A615-87B61D3FB0FB}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{40E8C8C1-7D7F-46AA-936B-B985DD9C48D3}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{B823A83D-8198-4898-B2AF-56A87F4D7185}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{9B679B2A-27A0-432B-880B-216B2B27C037}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{284C1B52-2FDE-49B1-B5BB-8B5753C1C5B1}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{FFD51E20-94D7-415B-9876-B2984FE496AB}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{77795313-9922-4A25-BDDE-B10C7957BE8D}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{9CFF412C-5E5D-47DA-BED0-DA7B92898D19}"= Disabled:UDP:c:\program files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{5582C687-D53A-4D5E-857C-F368B0F14568}"= Disabled:TCP:c:\program files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{B42CFFE5-588C-42A4-BE00-92AA524D3133}"= UDP:c:\program files\Sports Interactive\Football Manager 2009\fm.exe:Football Manager 2009
"{0F9B01EA-CCC8-43C3-94AA-29B710F45B5A}"= TCP:c:\program files\Sports Interactive\Football Manager 2009\fm.exe:Football Manager 2009
"{E659201C-00F6-48F3-96A1-AAAEB8FD08C2}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{154136A4-5C42-49D2-A86B-96A49FB30A83}c:\\program files\\sports interactive\\football manager 2009\\fm.exe"= UDP:c:\program files\sports interactive\football manager 2009\fm.exe:Football Manager 2009
"UDP Query User{5515CF92-F588-48BE-AB61-4CF14E597F88}c:\\program files\\sports interactive\\football manager 2009\\fm.exe"= TCP:c:\program files\sports interactive\football manager 2009\fm.exe:Football Manager 2009
"TCP Query User{3F977C0F-3BE3-4065-A3BE-5824E896DA4B}c:\\program files\\azureus\\azureus.exe"= UDP:c:\program files\azureus\azureus.exe:Azureus
"UDP Query User{93553662-3E79-4346-B01A-BDFB0233C83D}c:\\program files\\azureus\\azureus.exe"= TCP:c:\program files\azureus\azureus.exe:Azureus

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R1 IDSvix86;Symantec Intrusion Prevention Driver;\??\c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20081212.001\IDSvix86.sys [2008-12-14 270384]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2008-11-04 149352]
R2 regi;regi;\??\c:\windows\system32\drivers\regi.sys [2007-04-17 11032]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2008-12-08 809296]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-14 356920]
R3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2008-01-12 23888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-02 99376]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\Drivers\SYMNDISV.SYS [2008-06-13 41008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL f:\resycled\boot.com f:
\shell\Open\command - f:\resycled\boot.com f:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b149df41-716e-11dd-a4fc-001fc6796c36}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL f:\resycled\boot.com f:
\shell\Open\command - f:\resycled\boot.com f:

*Newly Created Service* - COMHOST
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-19 13:42:38
Windows 6.0.6001 Service Pack 1 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\ADSM_PData_0150

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-12-19 13:51:01
ComboFix-quarantined-files.txt 2008-12-19 21:50:56
ComboFix2.txt 2008-12-14 21:39:52
ComboFix3.txt 2008-12-14 20:46:08

Pre-Run: 91,471,122,432 bytes free
Post-Run: 91,180,003,328 bytes free

244 --- E O F --- 2008-12-11 18:07:34

joethedon
Novice

Posts : 38
Joined : 2008-12-14
Gender : Male
OS : Windows Vista home premium
Points : 29301
# Likes : 0

Solved Re: Backdoor.Tidserv

Post by Belahzur on Fri Dec 19, 2008 10:00 pm

Hello.
CF log shows a flash drive infection; the infection is sat on something plugged in using the letter F:\

Do you know what was/is plugged into F:\?
Do you have any external drives? They need to be cleaned.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
# Likes : 1

Solved Re: Backdoor.Tidserv

Post by joethedon on Fri Dec 19, 2008 10:08 pm

yep, I do have an external hard drive which gets plugged in to f:\
how can i go about cleaning it?


Solved Re: Backdoor.Tidserv

Post by Belahzur on Fri Dec 19, 2008 10:10 pm

Was it plugged in when CF was run?
If not, plug it in now (you'll get instantly infected, but we have to do that to clean it)
Once it's plugged in, run CF again and DO NOT unplug it, even if CF wants to reboot.
Leave it plugged in even after you have the report, because we can then stop it from returning.



Solved Re: Backdoor.Tidserv

Post by joethedon on Fri Dec 19, 2008 10:19 pm

nah, it wasn't
ok then, I'll run it again with the drive plugged in, and leave the log here shortly....


Solved Re: Backdoor.Tidserv

Post by joethedon on Fri Dec 19, 2008 11:04 pm

here is the log with the external hard drive plugged in:

ComboFix 08-12-14.02 - Owner 2008-12-19 14:36:24.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.1917 [GMT -8:00]
Running from: c:\users\Owner\Documents\Downloads\virus fix\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\Autorun.inf
F:\resycled

.
((((((((((((((((((((((((( Files Created from 2008-11-19 to 2008-12-19 )))))))))))))))))))))))))))))))
.

2008-12-19 13:17 . 2003-07-29 18:18 3,839 --a------ c:\windows\System32\drivers\GETPADD.sys
2008-12-18 08:52 . 2008-12-18 08:52 0 --a------ c:\windows\nsreg.dat
2008-12-17 16:04 . 2008-12-17 16:05 d-------- c:\users\Owner\AppData\Roaming\Media Player Classic
2008-12-17 16:04 . 2008-12-17 16:04 d-------- c:\program files\Essentials Codec Pack
2008-12-14 18:00 . 2008-12-14 18:00 d-------- C:\VundoFix Backups
2008-12-14 17:51 . 2008-12-14 17:51 d-------- c:\users\Owner\AppData\Roaming\Malwarebytes
2008-12-14 17:51 . 2008-12-14 17:51 d-------- c:\users\All Users\Malwarebytes
2008-12-14 17:51 . 2008-12-14 17:51 d-------- c:\programdata\Malwarebytes
2008-12-14 17:51 . 2008-12-14 17:51 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-14 17:51 . 2008-12-03 19:54 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-12-14 17:51 . 2008-12-03 19:54 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-12-14 17:37 . 2008-12-14 17:37 d-------- c:\users\Owner\AppData\Roaming\PC Tools
2008-12-14 17:37 . 2008-12-14 23:53 d-------- c:\program files\Spyware Doctor
2008-12-14 17:37 . 2008-08-25 12:36 81,288 --a------ c:\windows\System32\drivers\iksyssec.sys
2008-12-14 17:37 . 2008-08-25 12:36 66,952 --a------ c:\windows\System32\drivers\iksysflt.sys
2008-12-14 17:37 . 2008-08-25 12:36 40,840 --a------ c:\windows\System32\drivers\ikfilesec.sys
2008-12-14 17:37 . 2008-06-02 16:19 29,576 --a------ c:\windows\System32\drivers\kcom.sys
2008-12-14 14:30 . 2008-12-14 14:30 410,984 --a------ c:\windows\System32\deploytk.dll
2008-12-14 13:00 . 2008-12-19 14:30 318,976 --a------ c:\windows\System32\cmd.execf
2008-12-14 07:53 . 2008-12-14 07:53 d-------- c:\program files\Lavasoft
2008-12-14 07:52 . 2008-12-14 07:52 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-14 07:08 . 2008-12-14 07:16 d-------- c:\users\All Users\Lavasoft
2008-12-14 07:08 . 2008-12-14 07:16 d-------- c:\programdata\Lavasoft
2008-12-14 06:31 . 2008-12-19 14:47 d-a------ c:\users\All Users\TEMP
2008-12-14 06:31 . 2008-12-19 14:47 d-a------ c:\programdata\TEMP
2008-12-11 09:32 . 2008-12-11 09:32 691 --a------ c:\users\Owner\AppData\Roaming\GetValue.vbs
2008-12-11 09:32 . 2008-12-11 09:32 35 --a------ c:\users\Owner\AppData\Roaming\SetValue.bat
2008-12-11 09:10 . 2008-12-11 09:51 256 --a------ c:\windows\wininit.ini
2008-12-11 08:48 . 2008-12-11 09:10 d-------- c:\users\All Users\Registry Helper
2008-12-11 08:48 . 2008-12-11 09:10 d-------- c:\programdata\Registry Helper
2008-12-08 11:24 . 2008-12-08 11:53 d-------- c:\users\All Users\Spybot - Search & Destroy
2008-12-08 11:24 . 2008-12-08 11:53 d-------- c:\programdata\Spybot - Search & Destroy
2008-12-08 11:24 . 2008-12-08 11:52 d-------- c:\program files\Spybot - Search & Destroy
2008-12-07 13:31 . 2008-12-07 13:31 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-12-06 17:53 . 2008-06-19 17:14 781,344 --a------ c:\windows\System32\PresentationNative_v0300.dll
2008-12-06 17:53 . 2008-06-19 17:14 622,080 --a------ c:\windows\System32\icardagt.exe
2008-12-06 17:53 . 2008-06-19 17:14 105,016 --a------ c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll
2008-12-06 17:53 . 2008-06-19 17:14 97,800 --a------ c:\windows\System32\infocardapi.dll
2008-12-06 17:53 . 2008-06-19 17:14 43,544 --a------ c:\windows\System32\PresentationHostProxy.dll
2008-12-06 17:53 . 2008-06-19 17:14 37,384 --a------ c:\windows\System32\infocardcpl.cpl
2008-12-06 17:53 . 2008-06-19 17:14 11,264 --a------ c:\windows\System32\icardres.dll
2008-12-06 17:52 . 2008-06-19 17:14 326,160 --a------ c:\windows\System32\PresentationHost.exe
2008-12-06 17:09 . 2008-12-06 17:09 d-------- C:\PerfLogs
2008-12-06 14:57 . 2008-07-27 10:00 282,112 --a------ c:\windows\System32\mscoree.dll
2008-12-06 14:57 . 2008-07-27 10:00 158,720 --a------ c:\windows\System32\mscorier.dll
2008-12-06 14:57 . 2008-07-27 10:00 96,760 --a------ c:\windows\System32\dfshim.dll
2008-12-06 14:57 . 2008-07-27 10:00 41,984 --a------ c:\windows\System32\netfxperf.dll
2008-12-06 14:56 . 2008-07-27 10:00 83,968 --a------ c:\windows\System32\mscories.dll
2008-11-30 11:23 . 2008-11-30 11:27 d-------- c:\program files\Driving Test Success ROAD SIGNS
2008-11-28 23:44 . 2008-11-28 23:44 dr------- c:\users\Owner\Pictures
2008-11-27 17:38 . 2008-10-16 13:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-27 17:38 . 2008-10-16 12:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-27 17:38 . 2008-10-16 13:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-27 17:38 . 2008-10-16 13:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-27 17:37 . 2008-10-16 13:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-27 17:37 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-27 17:37 . 2008-10-16 12:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-27 17:37 . 2008-10-16 13:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-27 17:37 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-11-26 15:39 . 2008-11-26 15:40 d-------- c:\program files\Hamachi
2008-11-26 15:39 . 2008-11-26 15:39 25,280 --a------ c:\windows\System32\drivers\hamachi.sys
2008-11-26 13:50 . 2008-10-20 21:25 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-26 13:50 . 2008-08-27 19:40 712,704 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-26 13:50 . 2008-08-27 19:40 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-26 13:50 . 2008-08-27 19:40 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-26 13:50 . 2008-10-21 19:57 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-26 13:50 . 2008-01-18 23:36 160,768 --a------ c:\windows\System32\PortableDeviceTypes.dll
2008-11-26 13:50 . 2008-01-18 23:36 94,720 --a------ c:\windows\System32\PortableDeviceClassExtension.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-18 23:09 --------- d-----w c:\users\Owner\AppData\Roaming\Azureus
2008-12-14 22:33 --------- d-----w c:\program files\Java
2008-12-12 01:06 2,828 --sha-w c:\users\All Users\KGyGaAvL.sys
2008-12-12 01:06 2,828 --sha-w c:\programdata\KGyGaAvL.sys
2008-12-11 18:07 --------- d-----w c:\programdata\Microsoft Help
2008-12-11 16:49 --------- d-----w c:\program files\Bonjour
2008-12-09 17:11 --------- d-----w c:\program files\Windows Mail
2008-12-07 01:20 174 --sha-w c:\program files\desktop.ini
2008-12-07 01:11 --------- d-----w c:\program files\Windows Sidebar
2008-12-07 01:11 --------- d-----w c:\program files\Windows Photo Gallery
2008-12-07 01:11 --------- d-----w c:\program files\Windows Journal
2008-12-07 01:11 --------- d-----w c:\program files\Windows Defender
2008-12-07 01:11 --------- d-----w c:\program files\Windows Collaboration
2008-12-07 01:11 --------- d-----w c:\program files\Windows Calendar
2008-12-07 00:24 82,432 ----a-w c:\windows\System32\axaltocm.dll
2008-12-07 00:24 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2008-11-30 19:23 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-29 18:22 --------- d-----w c:\programdata\Symantec
2008-11-28 01:24 --------- d-----w c:\users\Owner\AppData\Roaming\Hamachi
2008-11-27 06:27 --------- d-----w c:\programdata\InterVideo
2008-11-18 18:43 --------- d-----w c:\users\Owner\AppData\Roaming\Sports Interactive
2008-11-18 18:40 --------- d-----w c:\programdata\Sports Interactive
2008-11-18 18:29 --------- d-----w c:\program files\Sports Interactive
2008-11-18 18:26 --------- d-----w c:\program files\Common Files\Steam
2008-11-05 01:43 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-05 00:48 --------- d-----w c:\program files\Norton 360
2008-10-27 05:20 --------- d-----w c:\program files\Azureus
2008-10-19 16:30 --------- d-----w c:\program files\Apple Software Update
2008-10-19 16:29 --------- d-----w c:\program files\iTunes
2008-10-19 16:29 --------- d-----w c:\program files\iPod
2008-10-19 16:27 --------- d-----w c:\programdata\Apple Computer
2008-10-19 16:27 --------- d-----w c:\program files\QuickTime
2008-10-19 16:27 --------- d-----w c:\program files\Common Files\Apple
2008-10-16 22:11 98,304 ----a-w c:\windows\System32\CmdLineExt.dll
2008-10-02 03:49 827,392 ----a-w c:\windows\System32\wininet.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-08-28 19:29 88 --sh--r c:\users\All Users\5CD5D7E829.sys
2008-08-28 19:29 88 --sh--r c:\programdata\5CD5D7E829.sys
2008-06-30 20:44 324,976 ----a-w c:\program files\mozilla firefox\components\coFFPlgn.dll
.


Solved Re: Backdoor.Tidserv

Post by joethedon on Fri Dec 19, 2008 11:05 pm

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-19 22:36:01 6,332,416 ----a-w c:\windows\ERDNT\Hiv-backup\SCHEMA.DAT
- 2008-12-19 21:17:01 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-12-19 22:27:11 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-12-19 21:17:01 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-12-19 22:27:11 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-12-19 21:19:11 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-12-19 22:29:24 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-12-19 22:29:24 262,144 ---ha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-12-19 21:19:06 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-19 22:29:19 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-19 22:29:19 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-12-19 21:43:00 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-12-19 22:47:26 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-12-19 21:43:00 49,152 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-19 22:47:26 49,152 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-19 21:43:00 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-12-19 22:47:26 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-12-19 21:21:59 105,852 ----a-w c:\windows\System32\perfc009.dat
+ 2008-12-19 22:32:28 105,852 ----a-w c:\windows\System32\perfc009.dat
- 2008-12-19 21:21:59 600,378 ----a-w c:\windows\System32\perfh009.dat
+ 2008-12-19 22:32:28 600,378 ----a-w c:\windows\System32\perfh009.dat
- 2008-12-10 00:08:41 6,553,600 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2008-12-19 22:34:07 6,553,600 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2008-12-19 21:19:32 10,342 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2542765397-551537198-1868045467-1000_UserData.bin
+ 2008-12-19 22:29:42 10,350 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2542765397-551537198-1868045467-1000_UserData.bin
- 2008-12-19 21:19:31 72,438 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-12-19 22:29:41 72,478 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-12-19 21:19:28 44,310 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-12-19 22:29:38 44,554 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-12-08 16:33:51 155,569,891 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2008-12-19 22:42:56 166,038,299 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2008-02-22 05:01:41 64,512 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.18157_none_01b9e7cda1f54c23\WininetPlugin.dll
+ 2008-08-24 01:23:10 2,455,488 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_6.0.6000.16764_none_f96efb376ec50571\ieapfltr.dat
+ 2008-08-24 01:23:10 2,455,488 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_6.0.6000.20937_none_fa1c0a8a87c79a94\ieapfltr.dat
+ 2008-01-19 07:36:35 129,536 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6001.18157_none_47749ea98ca66a80\sqmapi.dll
+ 2008-08-24 01:22:56 180,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6001.18157_none_647360efae414386\ieui.dll
+ 2006-11-02 12:35:51 2,048 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediafoundation_31bf3856ad364e35_6.0.6001.18096_none_9c03e1ac0d053e06\mferror.dll
+ 2008-01-19 07:33:15 24,576 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediafoundation_31bf3856ad364e35_6.0.6001.18096_none_9c03e1ac0d053e06\mfpmp.exe
+ 2008-01-19 07:34:45 98,816 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediafoundation_31bf3856ad364e35_6.0.6001.18096_none_9c03e1ac0d053e06\mfps.dll
+ 2008-01-19 07:33:25 53,248 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediafoundation_31bf3856ad364e35_6.0.6001.18096_none_9c03e1ac0d053e06\rrinstaller.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-01 16:08 143360 --a------ c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-18 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-08-28 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 630784]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-19 36864]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-01 857648]
"PowerForPhone"="c:\program files\P4P\P4P.exe" [2007-08-02 778240]
"ASUS Screen Saver Protector"="c:\windows\ASScrPro.exe" [2008-08-23 33136]
"ASUS Camera ScreenSaver"="c:\windows\ASScrProlog.exe" [2008-08-23 37232]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-14 136600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-23 185896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Media Codec Update Service"="c:\program files\Essentials Codec Pack\update.exe" [2007-04-08 303104]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-05 c:\windows\RtHDVCpl.exe]
"Skytel"="Skytel.exe" [2007-06-15 c:\windows\SkyTel.exe]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{AB8CA5B7-FB63-43E8-8D3D-D485E3052C89}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E80FD683-87E1-41BB-9066-79C51CDFC503}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{BDB41943-B758-4A27-9BDE-611A707B0E31}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{FF8225D1-2415-45F9-92E4-EC1B15BD67F2}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{25E03E1A-9E26-4722-A124-18A17B9BACCD}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{7C4CBE1E-4052-44B4-B8BC-5E07E452A461}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{740B17DC-4314-4027-8785-C590C2E1C873}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{9F1F69EA-BAC3-4152-BDE9-7609D0E29ED7}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{E3FA159F-DBE8-4467-AC7B-09FCD5803641}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{ED9AD069-AE55-41E2-A615-87B61D3FB0FB}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{40E8C8C1-7D7F-46AA-936B-B985DD9C48D3}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{B823A83D-8198-4898-B2AF-56A87F4D7185}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{9B679B2A-27A0-432B-880B-216B2B27C037}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{284C1B52-2FDE-49B1-B5BB-8B5753C1C5B1}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{FFD51E20-94D7-415B-9876-B2984FE496AB}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{77795313-9922-4A25-BDDE-B10C7957BE8D}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{9CFF412C-5E5D-47DA-BED0-DA7B92898D19}"= Disabled:UDP:c:\program files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{5582C687-D53A-4D5E-857C-F368B0F14568}"= Disabled:TCP:c:\program files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{B42CFFE5-588C-42A4-BE00-92AA524D3133}"= UDP:c:\program files\Sports Interactive\Football Manager 2009\fm.exe:Football Manager 2009
"{0F9B01EA-CCC8-43C3-94AA-29B710F45B5A}"= TCP:c:\program files\Sports Interactive\Football Manager 2009\fm.exe:Football Manager 2009
"{E659201C-00F6-48F3-96A1-AAAEB8FD08C2}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{154136A4-5C42-49D2-A86B-96A49FB30A83}c:\\program files\\sports interactive\\football manager 2009\\fm.exe"= UDP:c:\program files\sports interactive\football manager 2009\fm.exe:Football Manager 2009
"UDP Query User{5515CF92-F588-48BE-AB61-4CF14E597F88}c:\\program files\\sports interactive\\football manager 2009\\fm.exe"= TCP:c:\program files\sports interactive\football manager 2009\fm.exe:Football Manager 2009
"TCP Query User{3F977C0F-3BE3-4065-A3BE-5824E896DA4B}c:\\program files\\azureus\\azureus.exe"= UDP:c:\program files\azureus\azureus.exe:Azureus
"UDP Query User{93553662-3E79-4346-B01A-BDFB0233C83D}c:\\program files\\azureus\\azureus.exe"= TCP:c:\program files\azureus\azureus.exe:Azureus

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R1 IDSvix86;Symantec Intrusion Prevention Driver;\??\c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20081212.001\IDSvix86.sys [2008-12-14 270384]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2008-11-04 149352]
R2 regi;regi;\??\c:\windows\system32\drivers\regi.sys [2007-04-17 11032]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2008-12-08 809296]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-14 356920]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-02 99376]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\Drivers\SYMNDISV.SYS [2008-06-13 41008]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2008-01-12 23888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com f:
\shell\Open\command - resycled\boot.com f:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b149df41-716e-11dd-a4fc-001fc6796c36}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com f:
\shell\Open\command - resycled\boot.com f:

*Newly Created Service* - COMHOST
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer
Rootkit scan 2008-12-19 14:54:02
Windows 6.0.6001 Service Pack 1 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\ADSM_PData_0150

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-12-19 15:02:19
ComboFix-quarantined-files.txt 2008-12-19 23:02:06
ComboFix2.txt 2008-12-19 21:51:04
ComboFix3.txt 2008-12-14 21:39:52
ComboFix4.txt 2008-12-14 20:46:08

Pre-Run: 91,158,786,048 bytes free
Post-Run: 91,112,738,816 bytes free

289 --- E O F --- 2008-12-11 18:07:34


Solved Re: Backdoor.Tidserv

Post by Belahzur on Fri Dec 19, 2008 11:09 pm

Hello.
That got it.
Keep the external drive plugged in.


  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b149df41-716e-11dd-a4fc-001fc6796c36}]

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.


Now we have to protect this drive from future attacks.

Please download Flash_Disinfector from [You must be registered and logged in to see this link.]

  • First, download it to your desktop.
  • Now double click it to run it, and it will tell you what to do when you open it.
  • It will temporarily kill explorer.exe and your desktop will go blank.
  • Let Flash_Disinfector do its job and it will restart explorer.exe for you.
  • It will make a dummy autorun.inf in the root of every drive.
  • You can now delete Flash_Disinfector.exe.


You can unplug it now if you want.

What problems remain?


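As an added example (not code from the thread, from ComboFix or from Belahzur), a Python triage script that reads a ComboFix "Reg Loading Points" excerpt of the kind quoted above, reports every MountPoints2 shell override (the F:\ autorun hijack spotted in the log), flags the defence-weakening values also visible in that log (EnableLUA, EnableFirewall, DisableMonitoring), and writes out a key-deleting fix.reg of the same shape as the one posted above. The sample log is constructed from the page; the rule that any MountPoints2 shell command is suspect, and the list of weakened settings, are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the ComboFix "Reg Loading Points" output
# quoted in the thread; keys and values are the ones visible on the page.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL f:\resycled\boot.com f:
\shell\Open\command - f:\resycled\boot.com f:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b149df41-716e-11dd-a4fc-001fc6796c36}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL f:\resycled\boot.com f:
\shell\Open\command - f:\resycled\boot.com f:
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
CMD_RE = re.compile(r"^\\shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+)$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.+)$')

# Defence-weakening settings seen in the thread's log: (key suffix, value name,
# value meaning "protection off"). This list is an assumption, not ComboFix's.
WEAKENED_SETTINGS = [
    (r"policies\system", "EnableLUA", 0),
    (r"firewallpolicy\PublicProfile", "EnableFirewall", 0),
    (r"security center\Monitoring", "DisableMonitoring", 1),
]


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Group the log into {registry key: [non-empty lines listed under it]}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, [])
        elif current is not None and line:
            sections[current].append(line)
    return sections


def find_mountpoint_hijacks(sections: Dict[str, List[str]]) -> List[dict]:
    """Report every shell verb command under MountPoints2. ComboFix omits
    legitimate defaults, so any such entry is a per-volume AutoRun/Open override."""
    findings = []
    for key, lines in sections.items():
        if "\\mountpoints2\\" not in key.lower():
            continue
        for line in lines:
            m = CMD_RE.match(line)
            if m:
                findings.append({"key": key, "verb": m.group("verb"),
                                 "command": m.group("cmd")})
    return findings


def _as_int(val: str):
    """Turn '0 (0x0)' or 'dword:00000001' into an integer."""
    val = val.strip()
    if val.lower().startswith("dword:"):
        return int(val[6:], 16)
    m = re.match(r"\d+", val)
    return int(m.group(0)) if m else None


def find_weakened_defences(sections: Dict[str, List[str]]) -> List[tuple]:
    """Return (key, value name, value) for each setting that disables a defence."""
    hits = []
    for key, lines in sections.items():
        for suffix, name, bad in WEAKENED_SETTINGS:
            if not key.lower().endswith(suffix.lower()):
                continue
            for line in lines:
                m = VALUE_RE.match(line)
                if m and m.group("name") == name and _as_int(m.group("val")) == bad:
                    hits.append((key, name, bad))
    return hits


def build_fix_reg(findings: List[dict]) -> str:
    """Emit a .reg that deletes each hijacked MountPoints2 key, the same shape as the
    fix.reg in the thread (a leading '-' on a key line means delete that key)."""
    keys: List[str] = []
    for f in findings:
        if f["key"] not in keys:
            keys.append(f["key"])
    body = "\n".join(f"[-{k}]" for k in keys)
    return "Windows Registry Editor Version 5.00\n\n" + body + "\n"


if __name__ == "__main__":
    secs = parse_sections(SAMPLE_LOG)
    hijacks = find_mountpoint_hijacks(secs)
    for h in hijacks:
        print(f"{h['verb']:8} {h['command']}  <- {h['key']}")
    for key, name, bad in find_weakened_defences(secs):
        print(f"weakened: {name}={bad} in {key}")
    print(build_fix_reg(hijacks))
```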

Solved Re: Backdoor.Tidserv

Post by joethedon on Fri Dec 19, 2008 11:21 pm

nope, that's the lot for now
thanks a lot!


Solved Re: Backdoor.Tidserv

Post by Belahzur on Fri Dec 19, 2008 11:35 pm

Glad I could help.
Delete this folder:
C:\Qoobox



Solved Re: Backdoor.Tidserv

Post by Doctor Inferno on Sat Jan 24, 2009 10:14 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.



Doctor Inferno
Administrator

Posts : 12015
Joined : 2007-12-26
Gender : Male
OS : Windows 7 Home Premium and Ultimate X64
Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points : 104600
# Likes : 0
