HELP!!! W32.Tidserv aka Backdoor.Tidserv!inf HELP!!


Post by ginobwoy on Sun Dec 21, 2008 7:01 pm

Hi, I have a problem with this virus. I'm sure you guys have heard of it, W32.Tidserv, and it's really messing up my computer!! Please! If you know how to remove it, PLEASE help me!!!
My HijackThis log is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:51 PM, on 12/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Rogers\SelfHealing\RogersSelfHelpService.exe
C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\ImageStudio\LowLight.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\navw32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F3 - REG:win.ini: run=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [CamWizard] C:\Program Files\Common Files\Logitech\QCDRV\BIN\CamWizrd.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - S-1-5-18 Startup: FrostWire On Startup.lnk = C:\Program Files\FrostWire\FrostWire.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: FrostWire On Startup.lnk = C:\Program Files\FrostWire\FrostWire.exe (User 'Default user')
O4 - .DEFAULT Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe (User 'Default user')
O4 - Startup: FrostWire On Startup.lnk = C:\Program Files\FrostWire\FrostWire.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{32BDFCA1-DBEA-4C2E-B85E-048CB3BE1CF2}: NameServer = 85.255.114.28;85.255.112.99
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C0D9F1C-5F34-4BAD-B006-2BE6A297FCB3}: NameServer = 85.255.114.28;85.255.112.99
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8863786-5867-4769-A285-54C6BA72F33D}: NameServer = 85.255.114.28;85.255.112.99
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7CB4411-C0ED-4C6E-A9C1-7E1410232559}: NameServer = 85.255.114.28;85.255.112.99
O17 - HKLM\System\CCS\Services\Tcpip\..\{E019FF2D-41D6-4098-8D75-EDED1B1B8342}: NameServer = 85.255.114.28;85.255.112.99
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.28;85.255.112.99
O17 - HKLM\System\CS1\Services\Tcpip\..\{32BDFCA1-DBEA-4C2E-B85E-048CB3BE1CF2}: NameServer = 85.255.114.28;85.255.112.99
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.28;85.255.112.99
O17 - HKLM\System\CS2\Services\Tcpip\..\{32BDFCA1-DBEA-4C2E-B85E-048CB3BE1CF2}: NameServer = 85.255.114.28;85.255.112.99
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.28;85.255.112.99
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Rogers SHS Service (RogersSelfHelpService) - Rogers Cable Communications - C:\Program Files\Rogers\SelfHealing\RogersSelfHelpService.exe
O23 - Service: Rogers Update Manager (RogersUpdateManager) - Rogers Cable Communications - C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 10126 bytes

Post by Belahzur on Sun Dec 21, 2008 8:12 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    F3 - REG:win.ini: run=
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - S-1-5-18 Startup: FrostWire On Startup.lnk = C:\Program Files\FrostWire\FrostWire.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: FrostWire On Startup.lnk = C:\Program Files\FrostWire\FrostWire.exe (User 'Default user')
    O17 - HKLM\System\CCS\Services\Tcpip\..\{32BDFCA1-DBEA-4C2E-B85E-048CB3BE1CF2}: NameServer = 85.255.114.28;85.255.112.99
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5C0D9F1C-5F34-4BAD-B006-2BE6A297FCB3}: NameServer = 85.255.114.28;85.255.112.99
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A8863786-5867-4769-A285-54C6BA72F33D}: NameServer = 85.255.114.28;85.255.112.99
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C7CB4411-C0ED-4C6E-A9C1-7E1410232559}: NameServer = 85.255.114.28;85.255.112.99
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E019FF2D-41D6-4098-8D75-EDED1B1B8342}: NameServer = 85.255.114.28;85.255.112.99
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.28;85.255.112.99
    O17 - HKLM\System\CS1\Services\Tcpip\..\{32BDFCA1-DBEA-4C2E-B85E-048CB3BE1CF2}: NameServer = 85.255.114.28;85.255.112.99
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.28;85.255.112.99
    O17 - HKLM\System\CS2\Services\Tcpip\..\{32BDFCA1-DBEA-4C2E-B85E-048CB3BE1CF2}: NameServer = 85.255.114.28;85.255.112.99
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.28;85.255.112.99

  • Press "Fix Checked"
  • Close HijackThis.

  • Download ComboFix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts.
  • NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.**
  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


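As a defender's check on the pattern the reply above singles out, here is an added example (not from the thread, HijackThis or ComboFix) that parses the O17 NameServer and O2 BHO lines of a HijackThis log, flags resolvers that are neither local nor on an allow-list, and lists every registry control set that carries the rogue setting. The allow-list addresses and the sample log lines are constructed; the 85.255.x.x values are the ones in the posted log.

```python
"""Triage helper for HijackThis logs of the kind posted in this thread.

Parses the O17 (TCP/IP NameServer) and O2 (BHO) lines, flags resolvers that
are neither on the local network nor on an allow-list, and reports which
registry control sets carry the setting. HijackThis abbreviates
CurrentControlSet as CCS and ControlSet001/002 as CS1/CS2; a fix that only
touches CCS leaves the other control sets able to restore the rogue DNS.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed allow-list of resolvers the ISP or administrator really hands out.
# Constructed placeholder addresses from TEST-NET-3, not real resolvers.
TRUSTED_RESOLVERS: Set[str] = {"203.0.113.53", "203.0.113.54"}

O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cset>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?P<key>[^:]+): NameServer = (?P<servers>.+)$"
)
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"
)

# Constructed sample in the shape of the log posted above (the 85.255.x.x
# values are the ones from the thread; the 192.168.0.1 line is a home router).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{32BDFCA1-DBEA-4C2E-B85E-048CB3BE1CF2}: NameServer = 85.255.114.28;85.255.112.99
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.28;85.255.112.99
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.0.1
"""


@dataclass
class Triage:
    suspect_dns: Dict[str, Set[str]] = field(default_factory=dict)  # control set -> resolvers
    benign_dns: Dict[str, Set[str]] = field(default_factory=dict)
    orphan_bhos: List[str] = field(default_factory=list)  # CLSIDs registered with no DLL on disk
    unparsed: List[str] = field(default_factory=list)

    def control_sets_to_fix(self) -> List[str]:
        """Every control set holding a suspect resolver must be cleaned, not just CCS."""
        return sorted(self.suspect_dns)


def classify_resolver(addr: str) -> str:
    """'trusted' if allow-listed, 'local' for RFC 1918/loopback/link-local, else 'suspect'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "suspect"  # a NameServer value that is not an address is itself a red flag
    if addr in TRUSTED_RESOLVERS:
        return "trusted"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "local"
    return "suspect"


def triage_hijackthis(log_text: str) -> Triage:
    result = Triage()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O17_RE.match(line)
        if m:
            cset = m.group("cset")
            # HijackThis lists several resolvers separated by ';' or ','
            for addr in re.split(r"[;,]\s*", m.group("servers").strip()):
                bucket = result.suspect_dns if classify_resolver(addr) == "suspect" else result.benign_dns
                bucket.setdefault(cset, set()).add(addr)
            continue
        m = O2_RE.match(line)
        if m:
            if m.group("path") == "(no file)":
                result.orphan_bhos.append(m.group("clsid"))
            continue
        if line.startswith(("O17 ", "O2 ")):
            result.unparsed.append(line)  # surface lines the patterns did not understand
    return result


if __name__ == "__main__":
    t = triage_hijackthis(SAMPLE_LOG)
    for cset, addrs in sorted(t.suspect_dns.items()):
        print(f"{cset}: suspect NameServer {', '.join(sorted(addrs))}")
    print("control sets to fix:", t.control_sets_to_fix())
    print("orphan BHO entries:", t.orphan_bhos)
```

Run against the posted log, the same code reports CCS, CS1 and CS2 as carrying the rogue resolvers, which is why the reply lists the Parameters keys of all three control sets and not only the adapter GUIDs.
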
Post by ginobwoy on Sun Dec 21, 2008 9:25 pm

OK, so I have done your instructions, but when the message comes up asking if I want to install the Recovery Console, I press yes, but it says I have no internet connection (while I'm still on this site), so I click "OK" to continue and it says "failed to download, do you wish to continue with scan". After I press no, everything stops working until I restart it. Is there another way to download the Recovery Console?

Post by Belahzur on Sun Dec 21, 2008 9:33 pm

Okay.
Run it again, but scan with no console. It's probably the TDSS rootkit stopping it, but we'll do it after a first scan.


Post by ginobwoy on Sun Dec 21, 2008 9:53 pm

OK, so I have got the ComboFix txt, but it is too large to put on here!
Should I send one half, then the other half??

Post by Belahzur on Sun Dec 21, 2008 9:56 pm

Split it up into more than one post.
Do it section by section.

Header + files created within a month
Find3M report
Reg loading points
All of the rest


Post by ginobwoy on Sun Dec 21, 2008 9:58 pm

ComboFix 08-12-21.01 - David 2008-12-21 16:41:17.2 - NTFSx86
Running from: c:\documents and settings\David\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\documents and settings\David\Application Data\inst.exe
C:\resycled
c:\windows\system32\drivers\msqpdxserv.sys
c:\windows\system32\mfc45.dll
c:\windows\system32\Pncrt.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.

2008-12-21 12:01 . 2008-12-21 12:44 d-------- c:\program files\Norton AntiVirus
2008-12-21 12:00 . 2008-12-21 12:24 d-------- c:\program files\Symantec
2008-12-21 12:00 . 2008-12-21 12:24 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-21 12:00 . 2008-12-21 12:24 60,800 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-20 22:51 . 2008-12-20 22:51 d-------- c:\program files\Trend Micro
2008-12-20 22:13 . 2008-12-20 22:13 d-a------ c:\program files\Silkroad
2008-12-20 21:46 . 2008-12-20 21:47 304 --a------ C:\config.ini
2008-12-20 20:43 . 2008-12-20 20:43 33 --a------ c:\windows\LVMMail.INI
2008-12-20 16:02 . 2008-12-20 16:02 d-------- c:\program files\Common Files\DirectX
2008-12-20 15:36 . 2008-12-20 15:40 d-------- C:\nDoors
2008-12-20 14:34 . 2008-12-20 14:34 96 --ah----- c:\windows\system32\HsInfo.dat
2008-12-20 14:32 . 2008-12-20 14:32 d-------- c:\program files\alaplaya
2008-12-20 12:43 . 2008-12-20 12:43 dr------- c:\documents and settings\David\Application Data\Brother
2008-12-18 23:22 . 2008-12-19 09:47 1,556 --a------ c:\windows\_delis32.ini
2008-12-18 23:20 . 2008-12-21 14:08 d-------- c:\program files\Logitech
2008-12-17 20:19 . 2008-12-17 20:19 d-------- c:\program files\PCI Audio Applications
2008-12-17 19:06 . 2003-03-28 14:19 39,279 --a------ c:\windows\cmijack.dat
2008-12-17 19:06 . 2003-04-03 18:37 23,041 --a------ c:\windows\cmaudio.dat
2008-12-17 19:01 . 2008-12-17 19:01 d-------- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2008-12-17 17:56 . 2008-12-17 17:56 d-------- c:\windows\Downloaded Installations
2008-12-17 17:55 . 2008-12-17 17:55 d-------- c:\documents and settings\David\Application Data\ScanSoft
2008-12-17 17:39 . 2008-12-17 17:40 d-------- c:\windows\system32\NtmsData
2008-12-17 15:55 . 2008-12-17 15:58 d-------- c:\program files\Image-Line
2008-12-16 22:48 . 2003-03-18 21:14 499,712 --a------ c:\windows\system32\msvcp71.dll
2008-12-16 22:48 . 2003-03-18 20:05 89,088 --a------ c:\windows\system32\atl71.dll
2008-12-16 22:48 . 2003-03-18 21:44 65,536 --a------ c:\windows\system32\MFC71DEU.DLL
2008-12-16 22:48 . 2003-03-18 21:44 61,440 --a------ c:\windows\system32\MFC71ITA.DLL
2008-12-16 22:48 . 2003-03-18 21:44 61,440 --a------ c:\windows\system32\MFC71ESP.DLL
2008-12-16 22:48 . 2003-03-18 21:44 57,344 --a------ c:\windows\system32\MFC71ENU.DLL
2008-12-16 22:48 . 2003-03-18 21:44 49,152 --a------ c:\windows\system32\MFC71KOR.DLL
2008-12-16 22:48 . 2003-03-18 21:44 49,152 --a------ c:\windows\system32\MFC71JPN.DLL
2008-12-16 22:48 . 2003-03-18 21:44 45,056 --a------ c:\windows\system32\MFC71CHT.DLL
2008-12-16 22:48 . 2003-03-18 21:44 40,960 --a------ c:\windows\system32\MFC71CHS.DLL
2008-12-16 20:27 . 2008-12-16 20:27 d-------- c:\documents and settings\David\Application Data\Juce VST Host
2008-12-16 20:06 . 2008-12-17 15:57 d-------- c:\program files\VstPlugins
2008-12-11 22:30 . 2008-12-11 22:30 d-------- c:\program files\Paint.NET
2008-12-09 15:51 . 2008-12-13 07:58 d-------- c:\program files\PeerGuardian2
2008-12-08 19:48 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll
2008-12-08 16:05 . 2008-12-08 16:05 1,700,352 --a------ c:\windows\system32\gdiplus.dll
2008-12-07 16:29 . 2008-12-07 16:29 d-------- c:\program files\DVDFab Platinum 4
2008-12-05 17:30 . 2002-07-07 17:14 1,294,336 --a------ c:\windows\system32\vorbis.acm
2008-12-05 17:30 . 2006-06-20 03:56 225,280 --a------ c:\windows\system32\rewire.dll
2008-12-05 17:29 . 2008-12-05 17:29 d-------- c:\program files\Outsim
2008-12-03 21:10 . 2008-12-03 21:10 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-12-03 21:10 . 2008-12-03 21:10 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-12-03 21:09 . 2007-08-31 14:01 1,421,736 --a------ c:\windows\system32\wdfcoinstaller01005.dll
2008-12-03 21:09 . 2007-08-21 03:12 21,760 --a------ c:\windows\system32\drivers\point32.sys
2008-12-03 21:09 . 2008-04-14 05:41 21,504 --a------ c:\windows\system32\drivers\hidserv.dll
2008-12-03 21:09 . 2007-08-31 13:58 18,856 --a------ c:\windows\system32\drivers\nuidfltr.sys
2008-12-03 21:06 . 2008-12-03 21:08 d-------- c:\program files\Microsoft IntelliPoint
2008-12-03 21:01 . 2008-04-14 05:41 21,504 --a------ c:\windows\system32\hidserv.dll
2008-12-03 21:01 . 2008-04-14 05:41 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
2008-12-03 17:00 . 2008-12-03 17:00 d--h----- c:\windows\system32\GroupPolicy
2008-11-29 19:53 . 2008-11-29 19:53 d-------- c:\documents and settings\David\Application Data\gtk-2.0
2008-11-29 16:04 . 2008-11-29 16:04 d-------- C:\Drivers
2008-11-29 16:04 . 2001-11-05 09:23 299,923 --a------ c:\windows\system32\drivers\sonyhcs.sys
2008-11-29 16:04 . 2002-10-15 22:41 102,220 --a------ c:\windows\system32\drivers\sonypvs1.sys
2008-11-29 16:04 . 2001-07-03 20:33 53,248 --a------ c:\windows\system32\SONYHCY.DLL
2008-11-29 16:04 . 2001-11-05 09:23 38,739 --a------ c:\windows\system32\drivers\sonyhcc.sys
2008-11-29 16:04 . 2001-11-05 09:23 6,097 --a------ c:\windows\system32\drivers\sonyhcb.sys
2008-11-29 16:04 . 2001-07-03 20:39 3,654 --a------ c:\windows\system32\drivers\Sonyhcp.dll
2008-11-29 11:26 . 2006-11-02 16:57 118,520 --a------ c:\windows\system32\PxInsI64.exe
2008-11-29 11:26 . 2006-10-18 19:43 115,960 --a------ c:\windows\system32\PxCpyI64.exe
2008-11-29 11:26 . 2006-11-02 16:57 36,624 --a------ c:\windows\system32\drivers\pxhelp20.sys
2008-11-29 11:26 . 2006-08-28 21:48 2,560 --a------ c:\windows\system32\drivers\cdralw2k.sys
2008-11-29 11:26 . 2006-08-28 21:48 2,432 --a------ c:\windows\system32\drivers\cdr4_xp.sys
2008-11-26 21:53 . 2008-12-21 11:41 d-------- c:\documents and settings\David\Application Data\FrostWire
2008-11-26 17:33 . 2008-11-29 11:24 d-------- c:\program files\Sony
2008-11-26 17:32 . 2008-11-26 17:32 d-------- c:\program files\Sony Setup
2008-11-26 16:33 . 2008-11-26 16:33 d-------- c:\program files\MSXML 4.0
2008-11-24 20:50 . 2008-11-24 20:50 d-------- c:\documents and settings\David\Application Data\Apple Computer
2008-11-24 20:44 . 2008-11-24 20:44 419 --a------ c:\windows\BRWMARK.INI
2008-11-24 20:44 . 2008-11-24 20:44 27 --a------ c:\windows\BRPP2KA.INI
2008-11-24 20:43 . 2008-04-14 00:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-11-24 20:43 . 2008-04-14 00:17 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-11-24 20:40 . 2008-11-24 20:40 212 --a------ c:\windows\Brpfx04a.ini
2008-11-24 20:40 . 2008-11-24 20:40 93 --a------ c:\windows\brpcfx.ini
2008-11-24 20:40 . 2008-11-24 20:40 50 --a------ c:\windows\system32\bridf07a.dat
2008-11-24 20:39 . 2007-02-01 13:19 1,520,640 --a------ c:\windows\system32\BrWia07a.dll
2008-11-24 20:39 . 2006-12-28 13:39 176,128 --------- c:\windows\system32\BroSNMP.dll
2008-11-24 20:39 . 2006-01-17 01:03 126,976 --------- c:\windows\system32\BrfxD05a.dll
2008-11-24 20:39 . 2007-01-25 17:16 94,208 -r------- c:\windows\system32\BrDctF2.dll
2008-11-24 20:39 . 2007-01-26 16:13 54,784 --a------ c:\windows\system32\brinsstr.dll
2008-11-24 20:39 . 2007-01-26 14:06 45,568 --a------ c:\windows\system32\BrUsi07a.dll
2008-11-24 20:39 . 2004-10-15 12:50 15,295 --a------ c:\windows\system32\drivers\BrScnUsb.sys
2008-11-24 20:39 . 2007-01-15 21:54 12,288 -r------- c:\windows\system32\BrDctF2S.dll
2008-11-24 20:39 . 2007-01-15 16:09 12,288 -r------- c:\windows\system32\BrDctF2L.dll
2008-11-24 20:39 . 2001-11-15 01:00 6,224 --------- c:\windows\CVRPAGE.BMP
2008-11-24 20:39 . 2003-11-28 18:57 0 --a------ c:\windows\brdfxspd.dat
2008-11-24 20:38 . 2008-11-24 20:40 d-------- c:\program files\Brother
2008-11-24 20:38 . 2008-11-24 20:38 d-------- c:\documents and settings\David\Application Data\InstallShield
2008-11-24 20:38 . 2007-01-18 13:51 163,840 --------- c:\windows\system32\NSSearch.dll
2008-11-24 20:38 . 2007-02-15 13:54 131,072 --a------ c:\windows\brunin03.dll
2008-11-24 20:37 . 2008-11-24 20:37 d-------- c:\program files\Nuance
2008-11-24 20:36 . 2008-11-24 20:36 d-------- c:\documents and settings\All Users\Application Data\InstallShield
2008-11-24 20:36 . 2006-10-24 15:34 31,567 --a------ c:\windows\maxlink.ini
2008-11-24 20:35 . 2008-11-24 20:35 d-------- c:\program files\ScanSoft
2008-11-24 20:35 . 2008-11-24 20:35 d-------- c:\program files\Common Files\ScanSoft Shared
2008-11-24 20:35 . 2008-11-24 20:36 d-------- c:\documents and settings\All Users\Application Data\ScanSoft
2008-11-24 20:33 . 2008-11-24 20:33 d-------- c:\documents and settings\All Users\Application Data\Brother
2008-11-24 19:54 . 2008-11-24 20:31 d-------- c:\documents and settings\David\Application Data\devede
2008-11-24 19:34 . 2008-12-20 11:24 d-------- c:\documents and settings\David\Application Data\OpenOffice.org2
2008-11-24 11:46 . 2008-10-16 15:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2008-11-24 11:46 . 2007-04-17 04:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-11-24 11:46 . 2007-03-08 00:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-11-24 11:46 . 2008-10-16 15:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2008-11-24 11:46 . 2008-10-16 15:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-11-24 11:46 . 2008-10-16 15:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2008-11-24 11:46 . 2008-10-16 15:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2008-11-24 11:46 . 2008-10-16 15:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-11-24 11:46 . 2008-10-16 08:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2008-11-23 00:07 . 2008-11-23 00:07 d--hs---- c:\documents and settings\David\UserData
2008-11-22 20:51 . 2008-11-22 20:51 d-------- c:\program files\gui
2008-11-22 20:47 . 2008-11-22 20:47 d-------- C:\gui
2008-11-22 20:44 . 2008-11-22 20:44 d-------- c:\documents and settings\David\Application Data\Atari
2008-11-22 20:36 . 2008-11-22 20:36 d-------- c:\documents and settings\All Users\Application Data\vsosdk
2008-11-22 18:40 . 2008-04-14 04:42 221,184 --a------ c:\windows\system32\wmpns.dll
2008-11-22 18:40 . 2008-12-18 16:01 69 --a------ c:\windows\NeroDigital.ini
2008-11-22 16:37 . 2008-11-22 16:37 d-------- c:\program files\SystemRequirementsLab
2008-11-22 16:37 . 2008-11-22 16:37 d-------- c:\documents and settings\David\Application Data\SystemRequirementsLab
2008-11-22 16:24 . 2008-11-22 16:24 268 --ah----- C:\sqmdata09.sqm
2008-11-22 16:24 . 2008-11-22 16:24 244 --ah----- C:\sqmnoopt09.sqm
2008-11-22 16:19 . 2008-12-08 16:13 d-------- c:\documents and settings\David\Application Data\Vso
2008-11-22 16:19 . 2008-11-29 19:54 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2008-11-22 16:19 . 2008-11-29 19:54 47,360 --a------ c:\documents and settings\David\Application Data\pcouffin.sys

Post by ginobwoy on Sun Dec 21, 2008 9:58 pm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 21:33 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-21 18:07 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-21 17:24 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-12-21 17:24 10,671 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-20 20:40 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-19 14:45 81,920 ------r c:\windows\bwUnin-6.1.4.36-8876480L.exe
2008-12-17 04:03 --------- d-----w c:\program files\Common Files\Logitech
2008-11-29 16:23 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-27 02:57 --------- d-----w c:\program files\FrostWire
2008-11-23 05:06 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-11-22 14:46 --------- d-----w c:\program files\Java
2008-11-20 02:11 --------- d-----w c:\program files\iTunes
2008-11-20 02:11 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-20 02:10 --------- d-----w c:\program files\QuickTime
2008-11-20 02:10 --------- d-----w c:\program files\iPod
2008-11-20 02:10 --------- d-----w c:\program files\Bonjour
2008-11-20 02:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-20 02:09 --------- d-----w c:\program files\Common Files\Apple
2008-11-20 02:08 --------- d-----w c:\program files\Apple Software Update
2008-11-20 02:08 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-11-20 01:55 --------- d-----w c:\program files\Common Files\Java
2008-11-19 21:22 --------- d-----w c:\documents and settings\All Users\Application Data\CA-SupportBridge
2008-11-19 20:16 --------- d-----w c:\program files\Rogers
2008-11-19 02:15 --------- d-----w c:\program files\Windows Media Components
2008-11-19 01:29 --------- d-----w c:\program files\Windows Live
2008-11-19 01:28 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-11-19 00:06 --------- d-----w c:\program files\Common Files\INCA Shared
2008-11-19 00:00 --------- d-----w c:\program files\Gpotato
2008-11-18 23:08 --------- d-----w c:\program files\Windows Sidebar
2008-11-18 22:23 --------- d-----w c:\program files\Common Files\Adobe
2008-11-18 22:15 --------- d-----w c:\program files\OpenOffice.org 2.0
2008-11-18 22:14 --------- d-----w c:\program files\Ahead
2008-11-18 22:13 --------- d-----w c:\program files\Common Files\Ahead
2008-11-18 22:11 --------- d-----w c:\program files\InterVideo
2008-11-18 22:09 4,608 ----a-w c:\windows\system32\w95inf32.dll
2008-11-18 22:09 2,272 ----a-w c:\windows\system32\w95inf16.dll
2008-11-18 22:08 --------- d-----w c:\program files\C-Media
2008-11-18 17:16 --------- d-----w c:\program files\microsoft frontpage
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2001-11-23 04:08 712,704 ----a-w c:\windows\inf\OTHER\AUDIO3D.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-12-19 16384]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SystemGuardAlerter"="c:\program files\iolo\System Mechanic 6\SystemGuardAlerter.exe" [2005-12-16 241152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-05 663552]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"LogitechGalleryRepair"="c:\program files\Logitech\ImageStudio\ISStart.exe" [2002-12-10 155648]
"LogitechImageStudioTray"="c:\program files\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 61440]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2007-08-24 714608]
"C-Media Mixer"="Mixer.exe" [2002-06-12 c:\windows\mixer.exe]

c:\documents and settings\David\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2006-07-14 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-12-19 169472]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\alaplaya\\S4League\\S4Client.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2007-08-24 149352]
R2 RogersSelfHelpService;Rogers SHS Service;c:\program files\Rogers\SelfHealing\RogersSelfHelpService.exe [2008-05-16 140648]
R2 RogersUpdateManager;Rogers Update Manager;c:\program files\Rogers\Update Manager\RogersUpdateManager.exe [2008-04-22 163840]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2007-05-29 23888]
S3 dump_wmimmc;dump_wmimmc;\??\c:\program files\Gpotato\Flyff\GameGuard\dump_wmimmc.sys [2008-12-07 220631]
.
Contents of the 'Scheduled Tasks' folder

2008-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-12-04 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-08-31 14:01]

2008-12-21 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job
- c:\program files\Norton AntiVirus\Navw32.exe [2007-08-26 12:19]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)
HKLM-Run-CamWizard - c:\program files\Common Files\Logitech\QCDRV\BIN\CamWizrd.exe

ginobwoy
Intermediate
Posts : 75
Joined : 2008-12-21
OS : Windows XP

Solved Re: HELP!!! W32.Tidserv aka Backdoor.Tidserv!inf HELP!!

Post by ginobwoy on Sun Dec 21, 2008 9:59 pm

.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = localhost
FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\jwsuuw1a.default\
FF - prefs.js: browser.startup.homepage - msn.com
FF - component: c:\program files\Mozilla Firefox\components\iamfamous.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-21 16:45:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msqpdxserv.sys]
"imagepath"="\systemroot\system32\drivers\msqpdxpxfeoitu.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(608)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-21 16:47:35
ComboFix-quarantined-files.txt 2008-12-21 21:47:31

Pre-Run: 39,000,399,872 bytes free
Post-Run: 39,110,287,360 bytes free

296 --- E O F --- 2008-12-09 22:02:02


Solved Re: HELP!!! W32.Tidserv aka Backdoor.Tidserv!inf HELP!!

Post by Belahzur on Sun Dec 21, 2008 10:08 pm

Hello.
Do you have external drives? (external HD,
Because they are infected too, and we need to clean them also.

If not, do this.

Please download Flash_Disinfector from [You must be registered and logged in to see this link.]

  • First, download it to your desktop.
  • Now double-click it to run it, and it will tell you what to do when you open it.
  • It will temporarily kill explorer.exe and your desktop will go blank.
  • Let Flash_Disinfector do its job and it will restart explorer.exe for you.
  • It will make a dummy autorun.inf in the root of every drive.
  • You can now delete Flash_Disinfector.exe.


You should be able to get the recovery console this time.

Now open a new notepad file.
Input this into the notepad file:

File::
c:\program files\Mozilla Firefox\components\iamfamous.dll

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msqpdxserv.sys]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
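The point of the Flash_Disinfector step is the last bullet: a dummy autorun.inf in the root of every drive, so that a worm which spreads by dropping its own autorun.inf on removable media finds the name already taken. The Python below is an added example (mine, not the tool's code and not from this thread) of the two halves of that idea: first read whatever autorun.inf is on a drive root and decide whether it can execute anything (the open, shellexecute and shell\...\command keys), then occupy the name with a read-only directory. That the placeholder is a directory with the read-only, hidden and system attributes is my assumption about how such tools work, not something the post states. The two autorun.inf samples are constructed, and the demo uses temporary folders as stand-ins for drive roots so it runs anywhere.

```python
import os
from pathlib import Path

# Constructed samples: one autorun.inf that launches a program on insert,
# one that only sets a label and icon (what a legitimate CD would carry).
MALICIOUS_SAMPLE = """[autorun]
open=system\\hidden.exe
shell\\open\\Command=system\\hidden.exe
shellexecute=system\\hidden.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""
BENIGN_SAMPLE = """[autorun]
label=Backup 2008
icon=setup.exe,0
"""

EXEC_KEYS = ('open', 'shellexecute')   # keys that run code on insert / double-click


def parse_autorun(text):
    """{key: value} of the [autorun] section, keys lower-cased; lenient about
    junk lines, since droppers pad the file with nonsense to confuse parsers."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((';', '#')):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            continue
        if section == 'autorun' and '=' in line:
            key, value = line.split('=', 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def execution_targets(entries):
    """(key, command) pairs that would execute something."""
    return [(k, v) for k, v in entries.items()
            if k in EXEC_KEYS or (k.startswith('shell\\') and k.endswith('\\command'))]


def inspect_root(root):
    """Classify <root>/autorun.inf as absent, placeholder (a directory),
    benign file or executable file; returns (state, targets)."""
    p = Path(root) / 'autorun.inf'
    if p.is_dir():
        return 'placeholder', []
    if not p.exists():
        return 'absent', []
    targets = execution_targets(parse_autorun(p.read_text(encoding='latin-1')))
    return ('executable' if targets else 'benign'), targets


def install_placeholder(root, replace=False):
    """Occupy the autorun.inf name with a read-only directory so a worm cannot
    drop a file there. Refuses to touch an existing file unless replace=True
    (you looked at it first). Returns True if the placeholder was created."""
    p = Path(root) / 'autorun.inf'
    if p.is_dir():
        return False
    if p.is_file():
        if not replace:
            return False
        p.unlink()
    p.mkdir()
    if os.name == 'nt':
        import ctypes
        # FILE_ATTRIBUTE_READONLY | HIDDEN | SYSTEM
        ctypes.windll.kernel32.SetFileAttributesW(str(p), 0x1 | 0x2 | 0x4)
    else:
        p.chmod(0o555)
    return True


def demo():
    """Three throw-away 'drive roots' standing in for E:, F:, G:; returns the
    states before and after so the effect can be checked."""
    import shutil
    import tempfile
    base = Path(tempfile.mkdtemp(prefix='autorun-demo-'))
    try:
        infected, benign, clean = (base / n for n in ('E', 'F', 'G'))
        for r in (infected, benign, clean):
            r.mkdir()
        (infected / 'autorun.inf').write_text(MALICIOUS_SAMPLE)
        (benign / 'autorun.inf').write_text(BENIGN_SAMPLE)
        roots = (infected, benign, clean)
        before = {r.name: inspect_root(r)[0] for r in roots}
        targets = inspect_root(infected)[1]
        # replace the file only on the root where we confirmed it is malicious
        installed = {r.name: install_placeholder(r, replace=(r is infected)) for r in roots}
        after = {r.name: inspect_root(r)[0] for r in roots}
        return {'before': before, 'targets': targets, 'installed': installed, 'after': after}
    finally:
        for p in base.rglob('autorun.inf'):
            if p.is_dir():
                p.chmod(0o755)
        shutil.rmtree(base, ignore_errors=True)


if __name__ == '__main__':
    for k, v in demo().items():
        print(k, v)
```

The benign root (F) is left alone on purpose: a legitimate autorun.inf that only sets a label and icon is not worth destroying, and the placeholder only matters where nothing was there or where the file was confirmed to launch something. On a real Windows box you would call inspect_root and install_placeholder with the actual drive letters instead of the temporary folders.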

Solved Re: HELP!!! W32.Tidserv aka Backdoor.Tidserv!inf HELP!!

Post by ginobwoy on Sun Dec 21, 2008 10:29 pm

Ok, so I have done the Flash_Disinfector... but it still won't let me download the recovery console. It says I have no internet connection. Should I continue anyway? By the way, should I have System Restore on or off during all of this? Currently it is on.

ginobwoy
Intermediate
Intermediate

Status :
Online
Offline

Posts : 75
Joined : 2008-12-21
OS : Windows XP

View user profile

Back to top Go down

Solved Re: HELP!!! W32.Tidserv aka Backdoor.Tidserv!inf HELP!!

Post by Belahzur on Sun Dec 21, 2008 10:37 pm

Hello.
No, don't turn off system restore.

Do the CFScript without the console again, and we'll install it after this run.





Solved Re: HELP!!! W32.Tidserv aka Backdoor.Tidserv!inf HELP!!

Post by ginobwoy on Sun Dec 21, 2008 10:47 pm

ComboFix 08-12-21.01 - David 2008-12-21 17:41:41.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.87 [GMT -5:00]
Running from: c:\documents and settings\David\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\David\Desktop\CFscript.txt
* Created a new restore point

FILE ::
c:\program files\Mozilla Firefox\components\iamfamous.dll
.

((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.

2008-12-21 12:01 . 2008-12-21 12:44 d-------- c:\program files\Norton AntiVirus
2008-12-21 12:00 . 2008-12-21 12:24 d-------- c:\program files\Symantec
2008-12-21 12:00 . 2008-12-21 12:24 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-21 12:00 . 2008-12-21 12:24 60,800 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-20 22:51 . 2008-12-20 22:51 d-------- c:\program files\Trend Micro
2008-12-20 22:13 . 2008-12-20 22:13 d-a------ c:\program files\Silkroad
2008-12-20 21:46 . 2008-12-20 21:47 304 --a------ C:\config.ini
2008-12-20 20:43 . 2008-12-20 20:43 33 --a------ c:\windows\LVMMail.INI
2008-12-20 16:02 . 2008-12-20 16:02 d-------- c:\program files\Common Files\DirectX
2008-12-20 15:36 . 2008-12-20 15:40 d-------- C:\nDoors
2008-12-20 14:34 . 2008-12-20 14:34 96 --ah----- c:\windows\system32\HsInfo.dat
2008-12-20 14:32 . 2008-12-20 14:32 d-------- c:\program files\alaplaya
2008-12-20 12:43 . 2008-12-20 12:43 dr------- c:\documents and settings\David\Application Data\Brother
2008-12-18 23:22 . 2008-12-19 09:47 1,556 --a------ c:\windows\_delis32.ini
2008-12-18 23:20 . 2008-12-21 14:08 d-------- c:\program files\Logitech
2008-12-17 20:19 . 2008-12-17 20:19 d-------- c:\program files\PCI Audio Applications
2008-12-17 19:06 . 2003-03-28 14:19 39,279 --a------ c:\windows\cmijack.dat
2008-12-17 19:06 . 2003-04-03 18:37 23,041 --a------ c:\windows\cmaudio.dat
2008-12-17 19:01 . 2008-12-17 19:01 d-------- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2008-12-17 17:56 . 2008-12-17 17:56 d-------- c:\windows\Downloaded Installations
2008-12-17 17:55 . 2008-12-17 17:55 d-------- c:\documents and settings\David\Application Data\ScanSoft
2008-12-17 17:39 . 2008-12-17 17:40 d-------- c:\windows\system32\NtmsData
2008-12-17 15:55 . 2008-12-17 15:58 d-------- c:\program files\Image-Line
2008-12-16 22:48 . 2003-03-18 21:14 499,712 --a------ c:\windows\system32\msvcp71.dll
2008-12-16 22:48 . 2003-03-18 20:05 89,088 --a------ c:\windows\system32\atl71.dll
2008-12-16 22:48 . 2003-03-18 21:44 65,536 --a------ c:\windows\system32\MFC71DEU.DLL
2008-12-16 22:48 . 2003-03-18 21:44 61,440 --a------ c:\windows\system32\MFC71ITA.DLL
2008-12-16 22:48 . 2003-03-18 21:44 61,440 --a------ c:\windows\system32\MFC71ESP.DLL
2008-12-16 22:48 . 2003-03-18 21:44 57,344 --a------ c:\windows\system32\MFC71ENU.DLL
2008-12-16 22:48 . 2003-03-18 21:44 49,152 --a------ c:\windows\system32\MFC71KOR.DLL
2008-12-16 22:48 . 2003-03-18 21:44 49,152 --a------ c:\windows\system32\MFC71JPN.DLL
2008-12-16 22:48 . 2003-03-18 21:44 45,056 --a------ c:\windows\system32\MFC71CHT.DLL
2008-12-16 22:48 . 2003-03-18 21:44 40,960 --a------ c:\windows\system32\MFC71CHS.DLL
2008-12-16 20:27 . 2008-12-16 20:27 d-------- c:\documents and settings\David\Application Data\Juce VST Host
2008-12-16 20:06 . 2008-12-17 15:57 d-------- c:\program files\VstPlugins
2008-12-11 22:30 . 2008-12-11 22:30 d-------- c:\program files\Paint.NET
2008-12-09 15:51 . 2008-12-13 07:58 d-------- c:\program files\PeerGuardian2
2008-12-08 19:48 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll
2008-12-08 16:05 . 2008-12-08 16:05 1,700,352 --a------ c:\windows\system32\gdiplus.dll
2008-12-07 16:29 . 2008-12-07 16:29 d-------- c:\program files\DVDFab Platinum 4
2008-12-05 17:30 . 2002-07-07 17:14 1,294,336 --a------ c:\windows\system32\vorbis.acm
2008-12-05 17:30 . 2006-06-20 03:56 225,280 --a------ c:\windows\system32\rewire.dll
2008-12-05 17:29 . 2008-12-05 17:29 d-------- c:\program files\Outsim
2008-12-03 21:10 . 2008-12-03 21:10 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-12-03 21:10 . 2008-12-03 21:10 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-12-03 21:09 . 2007-08-31 14:01 1,421,736 --a------ c:\windows\system32\wdfcoinstaller01005.dll
2008-12-03 21:09 . 2007-08-21 03:12 21,760 --a------ c:\windows\system32\drivers\point32.sys
2008-12-03 21:09 . 2008-04-14 05:41 21,504 --a------ c:\windows\system32\drivers\hidserv.dll
2008-12-03 21:09 . 2007-08-31 13:58 18,856 --a------ c:\windows\system32\drivers\nuidfltr.sys
2008-12-03 21:06 . 2008-12-03 21:08 d-------- c:\program files\Microsoft IntelliPoint
2008-12-03 21:01 . 2008-04-14 05:41 21,504 --a------ c:\windows\system32\hidserv.dll
2008-12-03 21:01 . 2008-04-14 05:41 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
2008-12-03 17:00 . 2008-12-03 17:00 d--h----- c:\windows\system32\GroupPolicy
2008-11-29 19:53 . 2008-11-29 19:53 d-------- c:\documents and settings\David\Application Data\gtk-2.0
2008-11-29 16:04 . 2008-11-29 16:04 d-------- C:\Drivers
2008-11-29 16:04 . 2001-11-05 09:23 299,923 --a------ c:\windows\system32\drivers\sonyhcs.sys
2008-11-29 16:04 . 2002-10-15 22:41 102,220 --a------ c:\windows\system32\drivers\sonypvs1.sys
2008-11-29 16:04 . 2001-07-03 20:33 53,248 --a------ c:\windows\system32\SONYHCY.DLL
2008-11-29 16:04 . 2001-11-05 09:23 38,739 --a------ c:\windows\system32\drivers\sonyhcc.sys
2008-11-29 16:04 . 2001-11-05 09:23 6,097 --a------ c:\windows\system32\drivers\sonyhcb.sys
2008-11-29 16:04 . 2001-07-03 20:39 3,654 --a------ c:\windows\system32\drivers\Sonyhcp.dll
2008-11-29 11:26 . 2006-11-02 16:57 118,520 --a------ c:\windows\system32\PxInsI64.exe
2008-11-29 11:26 . 2006-10-18 19:43 115,960 --a------ c:\windows\system32\PxCpyI64.exe
2008-11-29 11:26 . 2006-11-02 16:57 36,624 --a------ c:\windows\system32\drivers\pxhelp20.sys
2008-11-29 11:26 . 2006-08-28 21:48 2,560 --a------ c:\windows\system32\drivers\cdralw2k.sys
2008-11-29 11:26 . 2006-08-28 21:48 2,432 --a------ c:\windows\system32\drivers\cdr4_xp.sys
2008-11-26 21:53 . 2008-12-21 11:41 d-------- c:\documents and settings\David\Application Data\FrostWire
2008-11-26 17:33 . 2008-11-29 11:24 d-------- c:\program files\Sony
2008-11-26 17:32 . 2008-11-26 17:32 d-------- c:\program files\Sony Setup
2008-11-26 16:33 . 2008-11-26 16:33 d-------- c:\program files\MSXML 4.0
2008-11-24 20:50 . 2008-11-24 20:50 d-------- c:\documents and settings\David\Application Data\Apple Computer
2008-11-24 20:44 . 2008-11-24 20:44 419 --a------ c:\windows\BRWMARK.INI
2008-11-24 20:44 . 2008-11-24 20:44 27 --a------ c:\windows\BRPP2KA.INI
2008-11-24 20:43 . 2008-04-14 00:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-11-24 20:43 . 2008-04-14 00:17 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-11-24 20:40 . 2008-11-24 20:40 212 --a------ c:\windows\Brpfx04a.ini
2008-11-24 20:40 . 2008-11-24 20:40 93 --a------ c:\windows\brpcfx.ini
2008-11-24 20:40 . 2008-11-24 20:40 50 --a------ c:\windows\system32\bridf07a.dat
2008-11-24 20:39 . 2007-02-01 13:19 1,520,640 --a------ c:\windows\system32\BrWia07a.dll
2008-11-24 20:39 . 2006-12-28 13:39 176,128 --------- c:\windows\system32\BroSNMP.dll
2008-11-24 20:39 . 2006-01-17 01:03 126,976 --------- c:\windows\system32\BrfxD05a.dll
2008-11-24 20:39 . 2007-01-25 17:16 94,208 -r------- c:\windows\system32\BrDctF2.dll
2008-11-24 20:39 . 2007-01-26 16:13 54,784 --a------ c:\windows\system32\brinsstr.dll
2008-11-24 20:39 . 2007-01-26 14:06 45,568 --a------ c:\windows\system32\BrUsi07a.dll
2008-11-24 20:39 . 2004-10-15 12:50 15,295 --a------ c:\windows\system32\drivers\BrScnUsb.sys
2008-11-24 20:39 . 2007-01-15 21:54 12,288 -r------- c:\windows\system32\BrDctF2S.dll
2008-11-24 20:39 . 2007-01-15 16:09 12,288 -r------- c:\windows\system32\BrDctF2L.dll
2008-11-24 20:39 . 2001-11-15 01:00 6,224 --------- c:\windows\CVRPAGE.BMP
2008-11-24 20:39 . 2003-11-28 18:57 0 --a------ c:\windows\brdfxspd.dat
2008-11-24 20:38 . 2008-11-24 20:40 d-------- c:\program files\Brother
2008-11-24 20:38 . 2008-11-24 20:38 d-------- c:\documents and settings\David\Application Data\InstallShield
2008-11-24 20:38 . 2007-01-18 13:51 163,840 --------- c:\windows\system32\NSSearch.dll
2008-11-24 20:38 . 2007-02-15 13:54 131,072 --a------ c:\windows\brunin03.dll
2008-11-24 20:37 . 2008-11-24 20:37 d-------- c:\program files\Nuance
2008-11-24 20:36 . 2008-11-24 20:36 d-------- c:\documents and settings\All Users\Application Data\InstallShield
2008-11-24 20:36 . 2006-10-24 15:34 31,567 --a------ c:\windows\maxlink.ini
2008-11-24 20:35 . 2008-11-24 20:35 d-------- c:\program files\ScanSoft
2008-11-24 20:35 . 2008-11-24 20:35 d-------- c:\program files\Common Files\ScanSoft Shared
2008-11-24 20:35 . 2008-11-24 20:36 d-------- c:\documents and settings\All Users\Application Data\ScanSoft
2008-11-24 20:33 . 2008-11-24 20:33 d-------- c:\documents and settings\All Users\Application Data\Brother
2008-11-24 19:54 . 2008-11-24 20:31 d-------- c:\documents and settings\David\Application Data\devede
2008-11-24 19:34 . 2008-12-20 11:24 d-------- c:\documents and settings\David\Application Data\OpenOffice.org2
2008-11-24 11:46 . 2008-10-16 15:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2008-11-24 11:46 . 2007-04-17 04:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-11-24 11:46 . 2007-03-08 00:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-11-24 11:46 . 2008-10-16 15:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2008-11-24 11:46 . 2008-10-16 15:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-11-24 11:46 . 2008-10-16 15:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2008-11-24 11:46 . 2008-10-16 15:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2008-11-24 11:46 . 2008-10-16 15:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-11-24 11:46 . 2008-10-16 08:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2008-11-22 20:51 . 2008-11-22 20:51 d-------- c:\program files\gui
2008-11-22 20:47 . 2008-11-22 20:47 d-------- C:\gui
2008-11-22 20:44 . 2008-11-22 20:44 d-------- c:\documents and settings\David\Application Data\Atari
2008-11-22 20:36 . 2008-11-22 20:36 d-------- c:\documents and settings\All Users\Application Data\vsosdk
2008-11-22 18:40 . 2008-04-14 04:42 221,184 --a------ c:\windows\system32\wmpns.dll
2008-11-22 18:40 . 2008-12-18 16:01 69 --a------ c:\windows\NeroDigital.ini
2008-11-22 16:37 . 2008-11-22 16:37 d-------- c:\program files\SystemRequirementsLab
2008-11-22 16:37 . 2008-11-22 16:37 d-------- c:\documents and settings\David\Application Data\SystemRequirementsLab
2008-11-22 16:24 . 2008-11-22 16:24 268 --ah----- C:\sqmdata09.sqm
2008-11-22 16:24 . 2008-11-22 16:24 244 --ah----- C:\sqmnoopt09.sqm
2008-11-22 16:19 . 2008-12-08 16:13 d-------- c:\documents and settings\David\Application Data\Vso
2008-11-22 16:19 . 2008-11-29 19:54 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2008-11-22 16:19 . 2008-11-29 19:54 47,360 --a------ c:\documents and settings\David\Application Data\pcouffin.sys
2008-11-22 16:18 . 2006-09-29 12:24 217,127 --a------ c:\windows\system32\drv43260.dll


Solved Re: HELP!!! W32.Tidserv aka Backdoor.Tidserv!inf HELP!!

Post by ginobwoy on Sun Dec 21, 2008 10:48 pm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 21:33 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-21 18:07 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-21 17:24 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-12-21 17:24 10,671 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-20 20:40 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-19 14:45 81,920 ------r c:\windows\bwUnin-6.1.4.36-8876480L.exe
2008-12-17 04:03 --------- d-----w c:\program files\Common Files\Logitech
2008-11-29 16:23 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-27 02:57 --------- d-----w c:\program files\FrostWire
2008-11-23 05:06 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-11-22 14:46 --------- d-----w c:\program files\Java
2008-11-20 02:11 --------- d-----w c:\program files\iTunes
2008-11-20 02:11 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-20 02:10 --------- d-----w c:\program files\QuickTime
2008-11-20 02:10 --------- d-----w c:\program files\iPod
2008-11-20 02:10 --------- d-----w c:\program files\Bonjour
2008-11-20 02:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-20 02:09 --------- d-----w c:\program files\Common Files\Apple
2008-11-20 02:08 --------- d-----w c:\program files\Apple Software Update
2008-11-20 02:08 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-11-20 01:55 --------- d-----w c:\program files\Common Files\Java
2008-11-19 21:22 --------- d-----w c:\documents and settings\All Users\Application Data\CA-SupportBridge
2008-11-19 20:16 --------- d-----w c:\program files\Rogers
2008-11-19 02:15 --------- d-----w c:\program files\Windows Media Components
2008-11-19 01:29 --------- d-----w c:\program files\Windows Live
2008-11-19 01:28 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-11-19 00:06 --------- d-----w c:\program files\Common Files\INCA Shared
2008-11-19 00:00 --------- d-----w c:\program files\Gpotato
2008-11-18 23:08 --------- d-----w c:\program files\Windows Sidebar
2008-11-18 22:23 --------- d-----w c:\program files\Common Files\Adobe
2008-11-18 22:15 --------- d-----w c:\program files\OpenOffice.org 2.0
2008-11-18 22:14 --------- d-----w c:\program files\Ahead
2008-11-18 22:13 --------- d-----w c:\program files\Common Files\Ahead
2008-11-18 22:11 --------- d-----w c:\program files\InterVideo
2008-11-18 22:09 4,608 ----a-w c:\windows\system32\w95inf32.dll
2008-11-18 22:09 2,272 ----a-w c:\windows\system32\w95inf16.dll
2008-11-18 22:08 --------- d-----w c:\program files\C-Media
2008-11-18 17:16 --------- d-----w c:\program files\microsoft frontpage
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2001-11-23 04:08 712,704 ----a-w c:\windows\inf\OTHER\AUDIO3D.DLL
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-21 22:22:53 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_8e0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-12-19 16384]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SystemGuardAlerter"="c:\program files\iolo\System Mechanic 6\SystemGuardAlerter.exe" [2005-12-16 241152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-05 663552]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"LogitechGalleryRepair"="c:\program files\Logitech\ImageStudio\ISStart.exe" [2002-12-10 155648]
"LogitechImageStudioTray"="c:\program files\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 61440]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2007-08-24 714608]
"C-Media Mixer"="Mixer.exe" [2002-06-12 c:\windows\mixer.exe]

c:\documents and settings\David\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2006-07-14 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-12-19 169472]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\alaplaya\\S4League\\S4Client.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2007-08-24 149352]
R2 RogersSelfHelpService;Rogers SHS Service;c:\program files\Rogers\SelfHealing\RogersSelfHelpService.exe [2008-05-16 140648]
R2 RogersUpdateManager;Rogers Update Manager;c:\program files\Rogers\Update Manager\RogersUpdateManager.exe [2008-04-22 163840]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2007-05-29 23888]
S3 dump_wmimmc;dump_wmimmc;\??\c:\program files\Gpotato\Flyff\GameGuard\dump_wmimmc.sys [2008-12-07 220631]
.
Contents of the 'Scheduled Tasks' folder

2008-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-12-04 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-08-31 14:01]

2008-12-21 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job
- c:\program files\Norton AntiVirus\Navw32.exe [2007-08-26 12:19]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = localhost
FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\jwsuuw1a.default\
FF - prefs.js: browser.startup.homepage - msn.com
FF - component: c:\program files\Mozilla Firefox\components\iamfamous.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-21 17:45:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msqpdxserv.sys]
"imagepath"="\systemroot\system32\drivers\msqpdxpxfeoitu.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(604)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-21 17:46:52
ComboFix-quarantined-files.txt 2008-12-21 22:46:48
ComboFix2.txt 2008-12-21 21:47:37

Pre-Run: 39,042,056,192 bytes free
Post-Run: 39,030,816,768 bytes free

293 --- E O F --- 2008-12-09 22:02:02


Solved Re: HELP!!! W32.Tidserv aka Backdoor.Tidserv!inf HELP!!

Post by Belahzur on Sun Dec 21, 2008 10:50 pm

That didn't work for some reason. No way!

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :processes
    explorer.exe

    :files
    c:\program files\Mozilla Firefox\components\iamfamous.dll

    :reg
    [-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msqpdxserv.sys]

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]



  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post a new Hijack This log + OTMoveIt log.


Post by ginobwoy on Sun Dec 21, 2008 11:00 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:59:56 PM, on 12/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Rogers\SelfHealing\RogersSelfHelpService.exe
C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\notepad.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Logitech\ImageStudio\LowLight.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - S-1-5-18 Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Rogers SHS Service (RogersSelfHelpService) - Rogers Cable Communications - C:\Program Files\Rogers\SelfHealing\RogersSelfHelpService.exe
O23 - Service: Rogers Update Manager (RogersUpdateManager) - Rogers Cable Communications - C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 8025 bytes

Post by ginobwoy on Sun Dec 21, 2008 11:00 pm

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder c:\program files\Mozilla Firefox\components\iamfamous.dll not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msqpdxserv.sys\\ not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\David\LOCALS~1\Temp\etilqs_cIOXu16jQ1YIGs9BJ4Ru scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\JETA96F.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_8e0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\jwsuuw1a.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\jwsuuw1a.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\jwsuuw1a.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\jwsuuw1a.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\jwsuuw1a.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\jwsuuw1a.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12212008_175512

Files moved on Reboot...
File C:\DOCUME~1\David\LOCALS~1\Temp\etilqs_cIOXu16jQ1YIGs9BJ4Ru not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\JETA96F.tmp not found!
File C:\WINDOWS\temp\Perflib_Perfdata_8e0.dat not found!
C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\jwsuuw1a.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\jwsuuw1a.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\jwsuuw1a.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\jwsuuw1a.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\jwsuuw1a.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\jwsuuw1a.default\XUL.mfl moved successfully.

ginobwoy
Intermediate
Intermediate

Status :
Online
Offline

Posts : 75
Joined : 2008-12-21
OS : Windows XP

View user profile

Back to top Go down

Solved Re: HELP!!! W32.Tidserv aka Backdoor.Tidserv!inf HELP!!

Post by Belahzur on Sun Dec 21, 2008 11:37 pm

Looks good, what problems remain?


Post by ginobwoy on Sun Dec 21, 2008 11:59 pm

Thanks a lot for your support.. but I still think something is remaining on it, because every time I log on to my account... a message pops up saying: "Either another instance of OpenOffice.org is accessing your personal settings or your personal settings are locked.
Simultaneous access can lead to inconsistencies in your personal settings. before continuing, you should make sure user 'OWNER-E7DE91275/David' closes OpenOffice.org on host 'OWNER-E7DE91275 Do you really want to continue?" Yes/No. >> Is this a virus trying to access personal stuff??

Post by Belahzur on Mon Dec 22, 2008 12:04 am

No, I think it's the OpenOffice user profile startup key.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - S-1-5-18 Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe (User 'Default user')
    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe


  • Press "Fix Checked"
  • Close Hijack This.


Logon to your account again and see if it's still happening.


Post by ginobwoy on Mon Dec 22, 2008 12:13 am

THANK YOU!! You're amazing looll... I really appreciate everything you have done and your patience and time!! Thanks to you my computer is working great now... lol thanks again... Take care.. I'll notify you if anything else goes wrong XDD

Post by Belahzur on Mon Dec 22, 2008 12:14 am

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.


Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

Hopefully this should take care of your problems! Good luck.


Post by ginobwoy on Mon Dec 22, 2008 1:45 am

WOW!! omg!! I think I still have a problem!!! Can you please check my HijackThis again... and see if you find anything!! ty. The reason why I still think there's something is because my computer is freaking out and freezing a lot; also Norton Anti-Virus keeps popping up saying "blocked W32.Tidserv" and Norton keeps turning off the virus protection automatically. I'm really confused XD

here's Hijackthis


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:09 PM, on 12/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Norton AntiVirus\navw32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe /dump:os_startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1.0\wl_hook.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: Rogers SHS Service (RogersSelfHelpService) - Rogers Cable Communications - C:\Program Files\Rogers\SelfHealing\RogersSelfHelpService.exe
O23 - Service: Rogers Update Manager (RogersUpdateManager) - Rogers Cable Communications - C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 7984 bytes

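The two HijackThis logs posted above differ in a handful of lines (the Outpost firewall entries and an O20 AppInit_DLLs line appeared; the OpenOffice startup-folder items went away), and a helper reads a fresh log by looking for exactly that kind of change plus a few high-value sections. The following is an added example, not a HijackThis, OTMoveIt or ComboFix feature and not code from anyone in this thread: it parses the `Onn - ...` lines of a log, flags the entries a reviewer would check first, and diffs two logs so that new autostart entries stand out. The sections it inspects (O4 Run/Startup, O20 AppInit_DLLs, O23 services) and the review heuristics are this example's own choices; the sample logs are abridged excerpts of the two logs above, not full copies.

```python
"""Triage and diff HijackThis logs the way a removal helper reads them.

Added example for this thread; not part of HijackThis, OTMoveIt or ComboFix.
The sections inspected and the flagging heuristics are this example's own.
"""
import re
from dataclasses import dataclass

# "O23 - Service: ..." / "O4 - HKLM\..\Run: ..." -> section code plus body.
LINE_RE = re.compile(r"^(?P<section>[OR]\d{1,2}) - (?P<rest>.+)$")
# Body of an O23 line: "Service: <name> - <owner> - <path>".
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Body of an O4 Run-value line: "HKLM\..\Run: [<name>] <command>".
RUN_RE = re.compile(r"^HK[A-Z]+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<command>.+)$")
# Startup-folder items HijackThis reports for the SYSTEM and Default User profiles.
PROFILE_STARTUP_PREFIXES = ("S-1-5-18 Startup:", ".DEFAULT Startup:")


@dataclass(frozen=True)
class Entry:
    section: str  # "O4", "O20", "O23", ...
    rest: str     # line body after "Onn - "


def parse_log(text: str) -> list[Entry]:
    """Return the Onn/Rn entries of a HijackThis log; header and footer are dropped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["rest"]))
    return entries


def _has_absolute_path(command: str) -> bool:
    """True when the command starts with a drive-letter path (quotes allowed)."""
    return re.match(r'^"?[A-Za-z]:\\', command.strip()) is not None


def triage(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Pair each entry worth a second look with the reason it was flagged."""
    findings = []
    for e in entries:
        if e.section == "O20" and e.rest.startswith("AppInit_DLLs:"):
            findings.append((e, "AppInit_DLLs is loaded into every process that maps user32.dll; confirm the vendor"))
        elif e.section == "O23":
            m = SERVICE_RE.match(e.rest)
            if m and m["owner"] == "Unknown owner":
                findings.append((e, "service binary carries no recognised vendor; verify the file on disk"))
        elif e.section == "O4":
            m = RUN_RE.match(e.rest)
            if m and not _has_absolute_path(m["command"]):
                findings.append((e, "Run value has no absolute path; the binary is resolved by search order at logon"))
            elif e.rest.startswith(PROFILE_STARTUP_PREFIXES):
                findings.append((e, "startup-folder item in the SYSTEM or Default User profile; unusual for a user application"))
    return findings


def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """Entries new in `after` and entries gone since `before`, in log order."""
    old, new = parse_log(before), parse_log(after)
    old_set, new_set = set(old), set(new)
    return [e for e in new if e not in old_set], [e for e in old if e not in new_set]


# Abridged excerpts of the two logs posted in this thread (constructed samples).
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - S-1-5-18 Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe (User 'Default user')
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
--
End of file - 8025 bytes
"""

LOG_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1.0\wl_hook.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
--
End of file - 7984 bytes
"""

if __name__ == "__main__":
    for entry, why in triage(parse_log(LOG_AFTER)):
        print(f"[{entry.section}] {entry.rest}\n    -> {why}")
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"\n{len(added)} new entries, {len(removed)} removed since the earlier log")
```

On the thread's logs this flags the O20 AppInit_DLLs line and the "Unknown owner" service for a manual check, and the diff shows that everything new since the earlier log belongs to the firewall the user installed in between, which is the same conclusion the helper reached by eye. A flag means "verify this one", not "malicious": the ATI entry and the Outpost hook DLL are legitimate here, and the point of the script is to shrink a 100-line log to the few lines that need a vendor or on-disk check.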
Post by Belahzur on Mon Dec 22, 2008 1:50 am

Hello.
Does it say where? like a filename or location?


Post by ginobwoy on Mon Dec 22, 2008 1:54 am

I'm doing a full system scan on Norton and it found Backdoor.Tidserv!inf.. it said it's not safe to remove; should I anyway?
btw it's not showing a location

Post by Belahzur on Mon Dec 22, 2008 1:56 am

Okay.
It might be finding combofix deleted stuff.

Delete these two folders:
C:\Qoobox
C:\_OTMoveIt


Post by ginobwoy on Mon Dec 22, 2008 2:02 am

ok I did what you said.. but I've got more problems... I'm still running Norton and it found even more... it found another W32.Tidserv and Backdoor.Tidserv!inf; now it has x2 of both... I'm sooo confused right now lol

Post by Belahzur on Mon Dec 22, 2008 2:04 am

Darn.
Let the Norton scan finish, then re-run combofix.


Post by ginobwoy on Mon Dec 22, 2008 2:13 am

ok.. I'll notify you when it's done..

Post by Belahzur on Mon Dec 22, 2008 2:21 am

Hello.
Don't run CF, leave that, we'll use something else.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log with a fresh copy of HijackThis log.

Take your time with this and get it right, I have to go offline, getting late here.
So no rush, and I'll look over the log in the morning.




Solved Re: HELP!!! W32.Tidserv aka Backdoor.Tidserv!inf HELP!!

Post by ginobwoy on Mon Dec 22, 2008 2:36 am

Malwarebytes' Anti-Malware 1.31
Database version: 1528
Windows 5.1.2600 Service Pack 3

12/21/2008 9:35:40 PM
mbam-log-2008-12-21 (21-35-39).txt

Scan type: Quick Scan
Objects scanned: 50481
Time elapsed: 8 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Solved Re: HELP!!! W32.Tidserv aka Backdoor.Tidserv!inf HELP!!

Post by ginobwoy on Mon Dec 22, 2008 2:36 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:47 PM, on 12/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Norton AntiVirus\navw32.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe /dump:os_startup
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1.0\wl_hook.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: Rogers SHS Service (RogersSelfHelpService) - Rogers Cable Communications - C:\Program Files\Rogers\SelfHealing\RogersSelfHelpService.exe
O23 - Service: Rogers Update Manager (RogersUpdateManager) - Rogers Cable Communications - C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 8196 bytes


Solved Re: HELP!!! W32.Tidserv aka Backdoor.Tidserv!inf HELP!!

Post by Belahzur on Mon Dec 22, 2008 4:22 pm

Hello.
Does Norton still give you tdss stuff in the scan? MBAM only found one reg key.



Solved Re: HELP!!! W32.Tidserv aka Backdoor.Tidserv!inf HELP!!

Post by ginobwoy on Mon Dec 22, 2008 4:30 pm

Yes, Norton does still find them.... it found two (x2) of both W32.Tidserv and
Backdoor.Tidserv!inf... Now the problem is, Norton said to manually remove the Backdoor.Tidserv!inf; when I do... it says "could not remove"

*I removed both of the W32.Tidserv... but it's weird cause every 10 mins... Norton's Auto-block says "blocked W32.Tidserv"*


Solved Re: HELP!!! W32.Tidserv aka Backdoor.Tidserv!inf HELP!!

Post by Belahzur on Mon Dec 22, 2008 4:37 pm

Logs are clean, so I'm gonna guess it's finding leftovers in the system restore.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.


Please use the Internet Explorer browser, and do an online scan with [You must be registered and logged in to see this link.]

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

    **Note**

    To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



Solved Re: HELP!!! W32.Tidserv aka Backdoor.Tidserv!inf HELP!!

Post by ginobwoy on Mon Dec 22, 2008 4:50 pm

When I go to Kaspersky Online, am I supposed to click on "Kaspersky Online Scanner"? Cause when I do there's nothing on the page.


Solved Re: HELP!!! W32.Tidserv aka Backdoor.Tidserv!inf HELP!!

Post by Belahzur on Mon Dec 22, 2008 4:56 pm

Hello.
There's no "Continue with free scan" button?
Are you using Internet Explorer?

If it won't work in IE, try in Firefox.



Solved Re: HELP!!! W32.Tidserv aka Backdoor.Tidserv!inf HELP!!

Post by ginobwoy on Mon Dec 22, 2008 4:58 pm

lol Nope, I don't see that button.
I tried it on both already,
and tried refresh.


Solved Re: HELP!!! W32.Tidserv aka Backdoor.Tidserv!inf HELP!!

Post by Belahzur on Mon Dec 22, 2008 5:04 pm

Okay, we'll use Dr.web

* Download Dr.Web CureIt to the desktop:
[You must be registered and logged in to see this link.]

  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.



Solved Re: HELP!!! W32.Tidserv aka Backdoor.Tidserv!inf HELP!!

Post by ginobwoy on Mon Dec 22, 2008 10:55 pm

data002\32788R22FWJFW\mtee.cfexe;C:\Documents and Settings\David\Desktop\ComboFix.exe\data002;Probably Trojan.Packed.258;;
data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\David\Desktop\ComboFix.exe\data002;Program.PsExec.171;;
data002;C:\Documents and Settings\David\Desktop\ComboFix.exe;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\David\Desktop;Archive contains infected objects;Moved.;


Solved Re: HELP!!! W32.Tidserv aka Backdoor.Tidserv!inf HELP!!

Post by Belahzur on Mon Dec 22, 2008 10:59 pm

Still nothing bad found.
I don't know where the Norton is finding the problem, but it's not showing in the logs.

Download [You must be registered and logged in to see this link.]

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:

  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

If no problems remain, I would say you are clean, but Norton is just being picky.



Solved Re: HELP!!! W32.Tidserv aka Backdoor.Tidserv!inf HELP!!

Post by ginobwoy on Mon Dec 22, 2008 11:08 pm

OK, thank you.. I can see you're really busy.. lol
Thanks for the software... I'm going to try to do another full system scan on Norton and see if it still finds it. If it does, what are some good suggestions?
Also, did you want me to send the HijackThis log once more just to see if everything is fine??? lol take your time on the reply, no rush.. I know you have a lot of other ppl to answer.

* I won't message you back until the Norton scan is done, it might take about 1 or 2 hours* (Once again no rush lol :))


Solved Re: HELP!!! W32.Tidserv aka Backdoor.Tidserv!inf HELP!!

Post by ginobwoy on Tue Dec 23, 2008 1:33 am

OK.. so I did do a Norton scan and it found nothing.
I'm pretty sure the virus is gone now.. lol
But my computer has been running significantly slower after the removal.
Anything I could do to increase performance?


Solved Re: HELP!!! W32.Tidserv aka Backdoor.Tidserv!inf HELP!!

Post by Belahzur on Tue Dec 23, 2008 1:38 am

Could be the amount of startup/service items.
Post a NEW Hijack This log and we'll see what we can do.



Solved Re: HELP!!! W32.Tidserv aka Backdoor.Tidserv!inf HELP!!

Post by ginobwoy on Tue Dec 23, 2008 1:40 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:06 PM, on 12/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe /dump:os_startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1.0\wl_hook.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: Rogers SHS Service (RogersSelfHelpService) - Rogers Cable Communications - C:\Program Files\Rogers\SelfHealing\RogersSelfHelpService.exe
O23 - Service: Rogers Update Manager (RogersUpdateManager) - Rogers Cable Communications - C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 7869 bytes


Solved Re: HELP!!! W32.Tidserv aka Backdoor.Tidserv!inf HELP!!

Post by Belahzur on Tue Dec 23, 2008 1:45 am


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe


  • Press "Fix Checked"
  • Close HijackThis.


Reboot and see if it's any faster.


Please PM me if I fail to respond within 24hrs.


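The procedure above boils down to matching a list of log lines against the HijackThis output and ticking exactly those. As an added example (not HijackThis's own code and not posted by anyone in this thread), here is a small Python parser for the entry types that appear in the log above (O4 startup entries, O9 browser buttons, O20 AppInit_DLLs, O23 services) together with a check that verifies a proposed fix list against the log before anything is ticked. The sample log and fix list are constructed from the format quoted in the thread; the fix line for Java Quick Starter is deliberately left out of the sample log to show how an unmatched line is reported, and the summary flags services HijackThis could not attribute to a vendor ("Unknown owner") as the ones a reviewer usually verifies by hand first, which does not by itself mean they are malicious.

```python
"""Parse HijackThis-style log lines into structured records and check a
proposed "Fix Checked" list against the log.

Added example, not HijackThis itself and not code from this thread. The
sample lines below are constructed from the format quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in HijackThis log format (a subset of the entry types
# seen in the thread). Raw strings keep the Windows backslashes literal.
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe',
    r'O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup',
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r'O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe',
    r'O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1.0\wl_hook.dll',
    r'O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe',
    r'O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe',
    r'--',
    r'End of file - 7869 bytes',
]

# Constructed fix list, as a helper might post it. The MSMSGS line carries an
# extra space (copy/paste noise) and the Java line is absent from SAMPLE_LOG.
SAMPLE_FIX_LIST = [
    r'O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe',
    r'O4 - HKCU\..\Run: [MSMSGS]  "C:\Program Files\Messenger\msmsgs.exe" /background',
    r'O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe',
    r'O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe',
]


@dataclass
class Entry:
    section: str                 # "O4", "O9", "O20", "O23", ...
    name: str                    # run-key value name, service name, button title
    path: str                    # executable/DLL path as written in the log
    hive: Optional[str] = None   # HKLM/HKCU for O4 entries
    owner: Optional[str] = None  # vendor string for O23 services
    raw: str = ""


_O4 = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$')
_O23 = re.compile(r'^O23 - Service: (.+?) - (.+?) - (.+)$')
_O9 = re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
_O20 = re.compile(r'^O20 - AppInit_DLLs: (.*)$')
_GENERIC = re.compile(r'^([RO]\d+) - (.*)$')


def _first_path(command: str) -> str:
    """Executable from a Run-key command: the quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def parse_line(line: str) -> Optional[Entry]:
    """Turn one log line into an Entry; None for headers, '--' and the footer."""
    line = line.strip()
    m = _O4.match(line)
    if m:
        hive, _key, name, command = m.groups()
        return Entry("O4", name, _first_path(command), hive=hive, raw=line)
    m = _O23.match(line)
    if m:
        name, owner, path = m.groups()
        return Entry("O23", name, path.strip(), owner=owner, raw=line)
    m = _O9.match(line)
    if m:
        name, _clsid, path = m.groups()
        return Entry("O9", name, path.strip(), raw=line)
    m = _O20.match(line)
    if m:
        return Entry("O20", "AppInit_DLLs", m.group(1).strip(), raw=line)
    m = _GENERIC.match(line)
    if m:
        return Entry(m.group(1), m.group(2), "", raw=line)
    return None


def parse_log(lines: List[str]) -> List[Entry]:
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def _norm(line: str) -> str:
    """Collapse whitespace so copy/paste spacing differences do not break matching."""
    return " ".join(line.split())


def check_fix_list(log_lines: List[str], fix_lines: List[str]) -> Tuple[List[Entry], List[str]]:
    """Match each proposed fix line against the log.
    Returns (entries that would be fixed, fix lines not present in the log)."""
    by_norm = {_norm(e.raw): e for e in parse_log(log_lines)}
    matched: List[Entry] = []
    missing: List[str] = []
    for fl in fix_lines:
        e = by_norm.get(_norm(fl))
        if e is not None:
            matched.append(e)
        else:
            missing.append(fl.strip())
    return matched, missing


def summarize(entries: List[Entry]) -> Dict[str, object]:
    """Counts per section plus services with no attributable vendor."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    unknown = [e.name for e in entries if e.section == "O23" and e.owner == "Unknown owner"]
    return {"counts": counts, "unknown_owner_services": unknown}


if __name__ == "__main__":
    matched, missing = check_fix_list(SAMPLE_LOG, SAMPLE_FIX_LIST)
    for e in matched:
        print(f"would fix {e.section} [{e.name}] -> {e.path}")
    for fl in missing:
        print(f"NOT IN LOG (verify before ticking): {fl}")
    print(summarize(parse_log(SAMPLE_LOG)))
```

Running the check before pressing "Fix Checked" catches the two mistakes that actually happen in these threads: a line pasted from a different log (reported as "NOT IN LOG"), and a line that only looks different because of spacing (still matched after normalisation).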

Solved Re: HELP!!! W32.Tidserv aka Backdoor.Tidserv!inf HELP!!

Post by ginobwoy on Tue Dec 23, 2008 1:59 am

Meh.. I notice some improvement... but anyway, will it be safe to remove all those things I downloaded (e.g. Dr.Web, MalwareBytes, ATI cleaner, OTMoveIT)? Because I know some of the things might be quarantined.


Solved Re: HELP!!! W32.Tidserv aka Backdoor.Tidserv!inf HELP!!

Post by Belahzur on Tue Dec 23, 2008 2:03 am

Yes, remove:
Dr.Web
MBAM
OTMoveIt

Keep ATF-Cleaner; that doesn't quarantine anything, it's just an easy-to-use temp file cleaner and will save you some HD space.



