GeekPolice

Yet another Backdoor.tidserv!inf


Solved Yet another Backdoor.tidserv!inf

Post by carljp on Sat Dec 27, 2008 3:11 am

I got it bad and that ain't good. I ran a full scan with the Norton Recovery CD and it found a bunch of stuff it was able to fix and 4 instances of Backdoor.Tidserv it was not able to remove. I've tried Malwarebytes with no success and also Registry Mechanic. I've been reading some of the other posts regarding this and decided to post this as a separate topic. I'm sending this from a different machine than the one infected.
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:00:02 PM, on 12/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\Documents and Settings\Carl Pantuso\Application Data\U3\0000060328098931\LaunchPad.exe
C:\Documents and Settings\Carl Pantuso\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see [You must be registered and logged in to see this link.]
*/

user_pref("aim.session.firsttime", false);
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\CARL PANTUSO\\APPLICATION DATA\\Mozilla\\Profiles\\default\\0pa0h1bg.slt");
user_pref("browser.download.dir", "C:\\Temp\\New Folder");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage_override.mstone", "rv:1.7.2");
user_pref("dom.disable_open_during_load", true);
user_pref("intl.charsetmenu.browser.cache", "UT
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [\\Reception\EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P38 "\\Reception\EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX4800 Series on Reception] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P44 "Auto EPSON Stylus CX4800 Series on Reception" /O16 "\\RECEPTION\4800" /M "Stylus CX4800"
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {5879B3B0-566E-4ECB-9B77-9A8A5E62AAB8} (DeviceMon Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - [You must be registered and logged in to see this link.]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 8694 bytes


Uninstall List:
Adobe Acrobat 8.1.2 Standard
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe AIR
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge 1.0
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe Common File Installer
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Fonts All
Adobe Help Center 1.0
Adobe Linguistics CS4
Adobe Media Player
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS2
Adobe Photoshop CS4
Adobe Photoshop CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 7.0.5
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Stock Photos 1.0
Adobe Stock Photos 1.0
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Alt-Tab Task Switcher Powertoy for Windows XP
Apple Software Update
Autodesk DWF Viewer 7
BlackBerry Desktop Software 4.3
BlackBerry Desktop Software 4.3
BlackBerry Web Tool for DST 2007 Device Updates
Calculator Powertoy for Windows XP
Camera Control Pro
Canon i70
Capture NX 2
CDDRV_Installer
ClearType Tuning Control Panel Applet
Compatibility Pack for the 2007 Office system
Conexant HD Audio
Connect
Creative Jukebox Driver
Creative Removable Disk Manager
Creative System Information
Creative Zen Micro
DesignCAD 3D Max 16.3
DivX
EPSON Printer Software
EPSON Scan
erLT
Google Earth
Google Updater
GrabIt 1.7.1 Beta (build 960)
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB915865)
HP Help and Support
HP PrecisionScan LTX
HP Quick Launch Buttons 6.10 B9
HP QuickPlay 2.3
HP Share-to-Web
HP Update
HP User Guides 0036
HP Wireless Assistant 2.00 G2
HTML Slideshow Powertoy for Windows XP
Image Resizer Powertoy for Windows XP
Intel(R) PRO Network Connections Drivers
IPIN Viewing System Lite Support Files
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 10
KhalInstallWrapper
kuler
Logitech SetPoint
Macromedia Flash Player 8
Macromedia Shockwave Player
Magnifier Powertoy for Windows XP
Malwarebytes' Anti-Malware
Maxtor Manager
Maxtor Manager
MFC80
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Color Control Panel Applet for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Office Visio Professional 2003
Microsoft Office Word Viewer 2003
Microsoft RAW Image Thumbnailer and Viewer for Windows XP Version 1.0 (Build 50)
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mouse Suite
Mozilla Firefox (3.0.1)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser
muvee autoProducer 5.0
My Photo Calendars and Cards
MyPhotoBooks
Netscape (7.2)
NetWaiting
Nikon Message Center
Norton AntiVirus
NVIDIA Drivers
Office 2003 Trial Assistant
On-Screen Takeoff
PDF Settings CS4
Photoshop Camera Raw
Picasa 3
Picture Control Utility
Pool Studio
Pool Studio
QuickTime
Registry Mechanic 8.0
Rhapsody
Rhapsody Player Engine
Roxio Media Manager
Samsung CLP-300 Series
Security Update for Windows Internet Explorer 7 (KB942615)
Slideshow Generator Powertoy for Windows XP
Soft Data Fax Modem with SmartCP
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Suite Shared Configuration CS4
Switch
Synaptics Pointing Device Driver
SyncToy 2.0 Beta
Topo USA 4.0
TourSetup
Tweak UI
Update for Windows XP (KB904942)
Virtual Desktop Manager Powertoy for Windows XP
Vongo
Water Smart Landscaping in Southern Nevada
WildTangent Web Driver
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Wireless Home Network Setup

Thanks

carljp
Novice
Posts : 26
Joined : 2008-12-27
OS : windows xp pro sp2

Solved Re: Yet another Backdoor.tidserv!inf

Post by Belahzur on Sat Dec 27, 2008 3:14 am

I see MBAM already on your system, so let's use that.


  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Solved Re: Yet another Backdoor.tidserv!inf

Post by carljp on Sat Dec 27, 2008 4:55 am

It didn't find anything but here's the log:
Malwarebytes' Anti-Malware 1.24
Database version: 1024
Windows 5.1.2600 Service Pack 2

8:39:47 PM 12/26/2008
mbam-log-12-26-2008 (20-39-47).txt

Scan type: Quick Scan
Objects scanned: 47835
Time elapsed: 7 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Solved Re: Yet another Backdoor.tidserv!inf

Post by carljp on Sat Dec 27, 2008 5:17 am

Here is the log from when I ran it immediately after I got infected:

Malwarebytes' Anti-Malware 1.24
Database version: 1024
Windows 5.1.2600 Service Pack 2

11:30:19 AM 12/24/2008
mbam-log-12-24-2008 (11-30-19).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 181418
Time elapsed: 1 hour(s), 24 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Solved Re: Yet another Backdoor.tidserv!inf

Post by Belahzur on Sat Dec 27, 2008 1:26 pm


  • Download combofix from here, use the top links - [You must be registered and logged in to see this link.]
  • Please disable your local AV (Anti-virus) by right clicking its icon in the tray, and exit it.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.





Solved Re: Yet another Backdoor.tidserv!inf

Post by carljp on Sat Dec 27, 2008 7:08 pm

Here is the log from combofix:
ComboFix 08-12-26.03 - Carl Pantuso 2008-12-27 10:48:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1602 [GMT -8:00]
Running from: c:\documents and settings\Carl Pantuso\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Carl Pantuso\Application Data\Adobe\crc.dat
c:\documents and settings\Carl Pantuso\Application Data\Adobe\Player.exe.bak
C:\resycled
c:\resycled\boot.com
c:\windows\system32\ahtn.htm
c:\windows\system32\frmwrk32.exe
c:\windows\system32\ntdll64.exe
c:\windows\system32\test.ttt
c:\windows\system32\uniq.tll
c:\windows\system32\warning.gif
c:\windows\system32\win32hlp.cnf
D:\Autorun.inf
D:\resycled
d:\resycled\boot.com

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV


((((((((((((((((((((((((( Files Created from 2008-11-27 to 2008-12-27 )))))))))))))))))))))))))))))))
.

2008-12-26 14:56 . 2008-12-26 14:56 d-------- c:\program files\Norton Support
2008-12-26 14:51 . 2008-12-26 14:51 d-------- c:\windows\system32\drivers\NAV
2008-12-26 14:51 . 2008-12-26 14:51 d-------- c:\program files\Windows Sidebar
2008-12-26 14:51 . 2008-12-26 14:51 d-------- c:\program files\Symantec
2008-12-26 14:51 . 2008-12-26 14:51 d-------- c:\program files\Norton AntiVirus
2008-12-26 14:51 . 2008-12-26 14:51 d-------- c:\documents and settings\All Users\Application Data\Norton
2008-12-26 14:51 . 2008-12-26 14:51 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-26 14:51 . 2008-12-26 14:51 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-26 14:51 . 2008-12-26 14:51 35,888 -ra------ c:\windows\system32\drivers\SymIM.sys
2008-12-26 14:51 . 2008-12-26 14:51 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-26 14:51 . 2008-12-26 14:51 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-12-26 14:49 . 2008-12-26 14:49 d-------- c:\program files\NortonInstaller
2008-12-26 14:49 . 2008-12-26 14:49 d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-24 17:16 . 2008-12-26 14:45 d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-24 13:23 . 2008-12-24 13:23 d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-24 09:49 . 2008-12-24 09:49 111,616 --a------ c:\windows\system32\dllcache\userinit.exe
2008-12-10 11:37 . 2008-12-10 11:37 d-------- c:\windows\system32\drivers\Samsung
2008-12-10 11:37 . 2005-03-02 20:32 151,552 --a------ c:\windows\system32\SUGG1CI.exe
2008-12-10 11:37 . 2004-10-11 04:25 57,344 --a------ c:\windows\system32\SUGG1CI.dll
2008-12-10 11:37 . 2006-08-31 21:05 22,663 --a------ c:\windows\system32\SUGG1LMK.DLL
2008-12-10 11:37 . 2005-07-08 12:54 11,502 --------- c:\windows\Dr. Printer Icon.ico
2008-12-10 11:37 . 2005-09-08 22:04 555 --a------ c:\windows\system32\SUGG1LMK.SMT
2008-12-10 11:36 . 2008-12-10 11:36 d-------- c:\program files\Samsung
2008-12-10 10:05 . 2004-08-10 22:39 41,984 --------- c:\windows\system32\drivers\DGIVECP.SYS
2008-12-01 14:00 . 2008-12-24 17:26 1,324 --a------ c:\windows\system32\d3d9caps.dat
2008-11-29 14:43 . 2008-11-29 14:43 d-------- c:\windows\system32\IOSUBSYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-27 06:57 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\U3
2008-12-26 23:32 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-26 22:45 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\AdobeUM
2008-12-26 21:09 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-25 07:19 --------- d-----w c:\program files\WildTangent
2008-12-25 07:19 --------- d-----w c:\program files\Topo USA 4.0
2008-12-25 07:18 --------- d-----w c:\program files\Roxio
2008-12-25 07:18 --------- d-----w c:\program files\Rhapsody
2008-12-25 07:18 --------- d-----w c:\program files\QuickTime
2008-12-25 07:17 --------- d-----w c:\program files\Microsoft Works
2008-12-25 07:16 --------- d-----w c:\program files\Maxtor
2008-12-25 07:15 --------- d-----w c:\program files\Quickensetup
2008-12-25 07:15 --------- d-----w c:\program files\Quicken
2008-12-25 07:15 --------- d-----w c:\program files\Pro Imaging Powertoys
2008-12-25 07:15 --------- d-----w c:\program files\On-Screen Takeoff 3
2008-12-25 07:15 --------- d-----w c:\program files\Nikon
2008-12-25 07:15 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-25 07:15 --------- d-----w c:\program files\IrfanView
2008-12-25 07:14 --------- d-----w c:\program files\MyPhotoBooks
2008-12-25 07:14 --------- d-----w c:\program files\My Photo Calendars and Cards
2008-12-25 07:14 --------- d-----w c:\program files\My Photo Books
2008-12-25 07:13 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-25 07:13 --------- d-----w c:\program files\HPQ
2008-12-25 07:13 --------- d-----w c:\program files\HP
2008-12-25 07:12 --------- d-----w c:\program files\Hewlett-Packard
2008-12-25 07:12 --------- d-----w c:\program files\Google
2008-12-25 07:12 --------- d-----w c:\program files\DivX
2008-12-25 07:12 --------- d-----w c:\program files\Creative
2008-12-25 07:12 --------- d-----w c:\program files\Common Files\Sonic Shared
2008-12-25 07:12 --------- d-----w c:\program files\Common Files\Roxio Shared
2008-12-25 07:11 --------- d-----w c:\program files\Common Files\Research In Motion
2008-12-25 07:11 --------- d-----w c:\program files\Common Files\Nikon
2008-12-25 07:11 --------- d-----w c:\program files\Common Files\LightScribe
2008-12-25 07:11 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-25 07:11 --------- d-----w c:\program files\Common Files\Adobe
2008-12-25 07:10 --------- d-----w c:\program files\Common Files\muvee Technologies
2008-12-25 07:10 --------- d-----w c:\program files\Apple Software Update
2008-12-24 22:38 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\Nikon
2008-12-24 22:38 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\muvee Technologies
2008-12-24 22:36 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-21 22:06 --------- d-----w c:\program files\Adobe Media Player
2008-11-21 22:04 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-11-18 20:37 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\Download Manager
2008-11-18 00:43 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\Digilabs
2008-10-31 04:22 --------- d-----w c:\program files\Windows Media Connect 2
2008-10-31 04:22 --------- d-----w c:\program files\SyncToy 2.0 Beta
2008-10-31 04:22 --------- d-----w c:\program files\NetWaiting
2008-10-31 04:22 --------- d-----w c:\program files\music_now
2008-10-31 04:22 --------- d-----w c:\program files\Encarta Online
2008-10-31 03:16 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\0000005738
2008-10-12 22:05 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLbx.DAT
2008-09-27 04:25 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLck.DAT
2008-05-14 15:35 18,024 ----a-w c:\documents and settings\Carl Pantuso\Application Data\wklnhst.dat
2008-01-09 05:31 20 ---ha-w c:\documents and settings\All Users\Application Data\PKP_DLeh.DAT
2006-12-27 06:20 20 ---ha-w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2008-08-26 05:15 12,208 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-08-04 08:11 16,384 --sha-w c:\windows\system32\config\systemprofile\History\History.IE5\index.dat
2008-08-04 08:11 32,768 --sha-w c:\windows\system32\config\systemprofile\Temporary Internet Files\Content.IE5\index.dat
.

------- Sigcheck -------

2008-12-24 09:49 111616 e7385484625fb48224948ac3fc131f2d c:\windows\system32\userinit.exe
2008-12-24 09:49 111616 e7385484625fb48224948ac3fc131f2d c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]


Solved Re: Yet another Backdoor.tidserv!inf

Post by carljp on Sat Dec 27, 2008 7:09 pm

part 2:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 458752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-19 7581696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-19 86016]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"\\Reception\EPSON Stylus CX4800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-02 98304]
"Auto EPSON Stylus CX4800 Series on Reception"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-02 98304]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"MsmqIntCert"="mqrt.dll" [2004-08-04 c:\windows\system32\mqrt.dll]
"Mouse Suite 98 Daemon"="ICO.EXE" [2004-07-14 c:\windows\system32\ICO.EXE]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 c:\windows\KHALMNPR.Exe]

c:\documents and settings\Carl Pantuso\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 09:10 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pool Studio Newsletter.lnk]
backup=c:\windows\pss\Pool Studio Newsletter.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Carl Pantuso^Start Menu^Programs^StartUp^Rapid Antivirus.lnk]
backup=c:\windows\pss\Rapid Antivirus.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 18:54 623992 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
--a------ 2008-08-14 07:58 611712 c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4800 Series]
--a------ 2005-02-02 04:00 98304 c:\windows\system32\spool\drivers\w32x86\3\E_FATIADA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R300 Series]
--a--c--- 2003-06-04 03:00 99840 c:\windows\system32\spool\drivers\w32x86\3\E_S4I2F1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-12-24 15:46 133104 c:\documents and settings\Carl Pantuso\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2005-02-16 22:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a--c--- 2006-09-11 04:40 218032 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2006-09-11 04:40 218032 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2006-09-11 04:40 86960 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 16:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
--a------ 2007-09-06 13:53 169264 c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
--a--c--- 2006-11-06 10:58 159744 c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
-----c--- 2007-10-18 18:12 102400 c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
-----c--- 2005-10-11 09:23 1187840 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
--a------ 2008-07-08 17:41 2828184 c:\program files\Registry Mechanic\RegMech.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
-----c--- 2006-02-09 08:52 643072 c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a--c--- 2007-08-16 08:56 236016 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-10-22 19:36 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-06-16 21:22 794713 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2005-08-18 09:49 307200 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a--c--- 2006-06-02 07:02 61952 c:\windows\system32\CHDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2006-07-19 21:58 1519616 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1000000.07D\SYMEFA.SYS [2008-12-26 309296]
R1 BHDrvx86;Symantec Heuristics Driver;\??\c:\windows\system32\drivers\NAV\1000000.07D\BHDrvx86.sys [2008-12-26 254512]
R1 ccHP;Symantec Hash Provider;\??\c:\windows\system32\drivers\NAV\1000000.07D\ccHPx86.sys [2008-12-26 362544]
R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20080826.006\IDSxpx86.sys [2008-12-26 274808]
R2 {22D78859-9CE9-4B77-BF18-AC83E81A9263};{22D78859-9CE9-4B77-BF18-AC83E81A9263};\??\c:\program files\HP\QuickPlay\000.fcl [2008-01-20 16:33:48 39408]
R2 Norton AntiVirus;Norton AntiVirus;"c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton AntiVirus" /m "c:\program files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll" /prefetch:1 []
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-26 99376]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\DRIVERS\pelmouse.sys [2006-11-21 16512]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\DRIVERS\pelusblf.sys [2006-11-21 13184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db99d018-452e-11dc-a7d8-001636b16cad}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-12-27 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Carl Pantuso\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-24 15:46]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Framework Windows - frmwrk32.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O16 -: {5879B3B0-566E-4ECB-9B77-9A8A5E62AAB8} - [You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\DSTUpdateLoaderUSB.inf
FF - ProfilePath - c:\documents and settings\Carl Pantuso\Application Data\Mozilla\Firefox\Profiles\musjq95b.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-27 10:56:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???Hf??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msqpdxserv.sys]
"imagepath"="\systemroot\system32\drivers\msqpdxnoyudvkp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{22D78859-9CE9-4B77-BF18-AC83E81A9263}]
"ImagePath"="\??\c:\program files\HP\QuickPlay\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1392)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\msdtc.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\mqsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
.
**************************************************************************
.
Completion time: 2008-12-27 10:58:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-27 18:58:37

Pre-Run: 26,576,601,088 bytes free
Post-Run: 27,481,407,488 bytes free

311
-----------------------------
Thanks


Solved Re: Yet another Backdoor.tidserv!inf

Post by Belahzur on Sat Dec 27, 2008 7:20 pm

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Vongo
  • WildTangent Web Driver


Now open a new notepad file.
Input this into the notepad file:

Folder::
c:\program files\WildTangent

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Carl Pantuso^Start Menu^Programs^StartUp^Rapid Antivirus.lnk]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msqpdxserv.sys]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.


Please PM me if I fail to respond within 24hrs.


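The CFScript above acts on three classes of entries that show up in the ComboFix log: the Security Center value that silences "no antivirus" warnings (`AntiVirusDisableNotify`), a per-volume AutoRun handler under `mountpoints2`, and a service registered under a driver file name (`msqpdxserv.sys`). The following is an added example, not ComboFix or GeekPolice code, showing how a helper could pull those classes out of a log automatically before deciding what to put in the script. The sample log is constructed for the example and modeled on the entries in this thread; the "service named as a driver file" rule is a heuristic of this example, not a ComboFix rule.

```python
"""Flag persistence indicators in ComboFix-style log text.

Added example for this thread, not part of ComboFix. It reads the
'[HKEY_...]' section headers and the value lines under them, then
reports the three kinds of entries the helper's CFScript removed or reset.
"""
import re

# Constructed sample, modeled on the entries in the thread (not the
# poster's full log). Raw string so the registry backslashes survive.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db99d018-452e-11dc-a7d8-001636b16cad}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msqpdxserv.sys]
"imagepath"="\systemroot\system32\drivers\msqpdxnoyudvkp.sys"
"""


def parse_sections(text):
    """Return [(key_path, [value lines])] in log order.

    A section starts at a line of the form '[KEY]'; every following
    non-blank line up to the next header belongs to that key.
    """
    sections = []
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], [])
            sections.append(current)
        elif current is not None:
            current[1].append(line)
    return sections


def find_indicators(text):
    """Return a list of (kind, key_path, evidence) tuples.

    kinds:
      av_notify_disabled      Security Center told not to warn about AV state
      autorun_handler         an AutoRun command bound to a mounted volume
      service_named_as_driver service key that is itself a .sys file name
                              (heuristic of this example)
    """
    findings = []
    for key, lines in parse_sections(text):
        lkey = key.lower()
        for line in lines:
            # 1. "AntiVirusDisableNotify"=dword:00000001 (any zero padding)
            if lkey.endswith("security center") and re.search(
                r'"antivirusdisablenotify"=dword:0*1$', line, re.I
            ):
                findings.append(("av_notify_disabled", key, line))
            # 2. \Shell\AutoRun\command under explorer\mountpoints2
            if "mountpoints2" in lkey and "\\shell\\autorun\\command" in line.lower():
                findings.append(("autorun_handler", key, line))
        # 3. a service whose registry key name ends in .sys
        if "\\services\\" in lkey and lkey.endswith(".sys"):
            findings.append(("service_named_as_driver", key, " ".join(lines)))
    return findings


def report(text):
    """Render findings as one line each, for pasting into a reply."""
    return [f"{kind}: [{key}] {evidence}" for kind, key, evidence in find_indicators(text)]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```

Both AutoRun handlers are reported, the `D` volume one that the CFScript deletes and the `F:\LaunchU3.exe -a` one that it leaves alone; the script surfaces candidates and the person writing the CFScript still decides which are legitimate (U3 flash drives install that launcher themselves).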

Solved Re: Yet another Backdoor.tidserv!inf

Post by carljp on Sat Dec 27, 2008 7:44 pm

Part 1:
ComboFix 08-12-26.03 - Carl Pantuso 2008-12-27 11:37:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1655 [GMT -8:00]
Running from: c:\documents and settings\Carl Pantuso\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Carl Pantuso\Desktop\CFscript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\WildTangent
c:\program files\WildTangent\LicenseStores\WT\WT.sto

.
((((((((((((((((((((((((( Files Created from 2008-11-27 to 2008-12-27 )))))))))))))))))))))))))))))))
.

2008-12-26 14:56 . 2008-12-26 14:56 d-------- c:\program files\Norton Support
2008-12-26 14:51 . 2008-12-26 14:51 d-------- c:\windows\system32\drivers\NAV
2008-12-26 14:51 . 2008-12-26 14:51 d-------- c:\program files\Windows Sidebar
2008-12-26 14:51 . 2008-12-26 14:51 d-------- c:\program files\Symantec
2008-12-26 14:51 . 2008-12-26 14:51 d-------- c:\program files\Norton AntiVirus
2008-12-26 14:51 . 2008-12-26 14:51 d-------- c:\documents and settings\All Users\Application Data\Norton
2008-12-26 14:51 . 2008-12-26 14:51 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-26 14:51 . 2008-12-26 14:51 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-26 14:51 . 2008-12-26 14:51 35,888 -ra------ c:\windows\system32\drivers\SymIM.sys
2008-12-26 14:51 . 2008-12-26 14:51 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-26 14:51 . 2008-12-26 14:51 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-12-26 14:49 . 2008-12-26 14:49 d-------- c:\program files\NortonInstaller
2008-12-26 14:49 . 2008-12-26 14:49 d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-24 17:16 . 2008-12-26 14:45 d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-24 13:23 . 2008-12-24 13:23 d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-24 09:49 . 2008-12-24 09:49 111,616 --a------ c:\windows\system32\dllcache\userinit.exe
2008-12-10 11:37 . 2008-12-10 11:37 d-------- c:\windows\system32\drivers\Samsung
2008-12-10 11:37 . 2005-03-02 20:32 151,552 --a------ c:\windows\system32\SUGG1CI.exe
2008-12-10 11:37 . 2004-10-11 04:25 57,344 --a------ c:\windows\system32\SUGG1CI.dll
2008-12-10 11:37 . 2006-08-31 21:05 22,663 --a------ c:\windows\system32\SUGG1LMK.DLL
2008-12-10 11:37 . 2005-07-08 12:54 11,502 --------- c:\windows\Dr. Printer Icon.ico
2008-12-10 11:37 . 2005-09-08 22:04 555 --a------ c:\windows\system32\SUGG1LMK.SMT
2008-12-10 11:36 . 2008-12-10 11:36 d-------- c:\program files\Samsung
2008-12-10 10:05 . 2004-08-10 22:39 41,984 --------- c:\windows\system32\drivers\DGIVECP.SYS
2008-12-01 14:00 . 2008-12-24 17:26 1,324 --a------ c:\windows\system32\d3d9caps.dat
2008-11-29 14:43 . 2008-11-29 14:43 d-------- c:\windows\system32\IOSUBSYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-27 06:57 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\U3
2008-12-26 23:32 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-26 22:45 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\AdobeUM
2008-12-26 21:09 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-25 07:19 --------- d-----w c:\program files\Topo USA 4.0
2008-12-25 07:18 --------- d-----w c:\program files\Roxio
2008-12-25 07:18 --------- d-----w c:\program files\Rhapsody
2008-12-25 07:18 --------- d-----w c:\program files\QuickTime
2008-12-25 07:17 --------- d-----w c:\program files\Microsoft Works
2008-12-25 07:16 --------- d-----w c:\program files\Maxtor
2008-12-25 07:15 --------- d-----w c:\program files\Quickensetup
2008-12-25 07:15 --------- d-----w c:\program files\Quicken
2008-12-25 07:15 --------- d-----w c:\program files\Pro Imaging Powertoys
2008-12-25 07:15 --------- d-----w c:\program files\On-Screen Takeoff 3
2008-12-25 07:15 --------- d-----w c:\program files\Nikon
2008-12-25 07:15 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-25 07:15 --------- d-----w c:\program files\IrfanView
2008-12-25 07:14 --------- d-----w c:\program files\MyPhotoBooks
2008-12-25 07:14 --------- d-----w c:\program files\My Photo Calendars and Cards
2008-12-25 07:14 --------- d-----w c:\program files\My Photo Books
2008-12-25 07:13 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-25 07:13 --------- d-----w c:\program files\HPQ
2008-12-25 07:13 --------- d-----w c:\program files\HP
2008-12-25 07:12 --------- d-----w c:\program files\Hewlett-Packard
2008-12-25 07:12 --------- d-----w c:\program files\Google
2008-12-25 07:12 --------- d-----w c:\program files\DivX
2008-12-25 07:12 --------- d-----w c:\program files\Creative
2008-12-25 07:12 --------- d-----w c:\program files\Common Files\Sonic Shared
2008-12-25 07:12 --------- d-----w c:\program files\Common Files\Roxio Shared
2008-12-25 07:11 --------- d-----w c:\program files\Common Files\Research In Motion
2008-12-25 07:11 --------- d-----w c:\program files\Common Files\Nikon
2008-12-25 07:11 --------- d-----w c:\program files\Common Files\LightScribe
2008-12-25 07:11 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-25 07:11 --------- d-----w c:\program files\Common Files\Adobe
2008-12-25 07:10 --------- d-----w c:\program files\Common Files\muvee Technologies
2008-12-25 07:10 --------- d-----w c:\program files\Apple Software Update
2008-12-24 22:38 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\Nikon
2008-12-24 22:38 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\muvee Technologies
2008-12-24 22:36 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-24 17:49 111,616 ----a-w c:\windows\system32\userinit.exe
2008-11-21 22:06 --------- d-----w c:\program files\Adobe Media Player
2008-11-21 22:04 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-11-18 20:37 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\Download Manager
2008-11-18 00:43 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\Digilabs
2008-11-17 20:04 2,306,113 ----a-w c:\windows\system32\GPhotos.scr
2008-10-31 04:22 --------- d-----w c:\program files\Windows Media Connect 2
2008-10-31 04:22 --------- d-----w c:\program files\SyncToy 2.0 Beta
2008-10-31 04:22 --------- d-----w c:\program files\NetWaiting
2008-10-31 04:22 --------- d-----w c:\program files\music_now
2008-10-31 04:22 --------- d-----w c:\program files\Encarta Online
2008-10-31 03:16 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\0000005738
2008-10-23 03:36 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-10-12 22:05 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLbx.DAT
2008-09-27 04:25 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLck.DAT
2008-05-14 15:35 18,024 ----a-w c:\documents and settings\Carl Pantuso\Application Data\wklnhst.dat
2008-01-09 05:31 20 ---ha-w c:\documents and settings\All Users\Application Data\PKP_DLeh.DAT
2006-12-27 06:20 20 ---ha-w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2008-08-26 05:15 12,208 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-08-04 08:11 16,384 --sha-w c:\windows\system32\config\systemprofile\History\History.IE5\index.dat
2008-08-04 08:11 32,768 --sha-w c:\windows\system32\config\systemprofile\Temporary Internet Files\Content.IE5\index.dat
.

------- Sigcheck -------

2008-12-24 09:49 111616 e7385484625fb48224948ac3fc131f2d c:\windows\system32\userinit.exe
2008-12-24 09:49 111616 e7385484625fb48224948ac3fc131f2d c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-27 19:33:39 16,384 ----atw c:\windows\temp\Perflib_Perfdata_344.dat
+ 2008-12-27 19:34:09 16,384 ----atw c:\windows\temp\Perflib_Perfdata_3d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.


Solved Re: Yet another Backdoor.tidserv!inf

Post by carljp on Sat Dec 27, 2008 7:45 pm

Part 2:

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 458752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-19 7581696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-19 86016]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"\\Reception\EPSON Stylus CX4800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-02 98304]
"Auto EPSON Stylus CX4800 Series on Reception"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-02 98304]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"MsmqIntCert"="mqrt.dll" [2004-08-04 c:\windows\system32\mqrt.dll]
"Mouse Suite 98 Daemon"="ICO.EXE" [2004-07-14 c:\windows\system32\ICO.EXE]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 c:\windows\KHALMNPR.Exe]

c:\documents and settings\Carl Pantuso\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 09:10 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pool Studio Newsletter.lnk]
backup=c:\windows\pss\Pool Studio Newsletter.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 18:54 623992 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
--a------ 2008-08-14 07:58 611712 c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4800 Series]
--a------ 2005-02-02 04:00 98304 c:\windows\system32\spool\drivers\w32x86\3\E_FATIADA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R300 Series]
--a--c--- 2003-06-04 03:00 99840 c:\windows\system32\spool\drivers\w32x86\3\E_S4I2F1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-12-24 15:46 133104 c:\documents and settings\Carl Pantuso\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2005-02-16 22:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a--c--- 2006-09-11 04:40 218032 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2006-09-11 04:40 218032 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2006-09-11 04:40 86960 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 16:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
--a------ 2007-09-06 13:53 169264 c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
--a--c--- 2006-11-06 10:58 159744 c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
-----c--- 2007-10-18 18:12 102400 c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
-----c--- 2005-10-11 09:23 1187840 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
--a------ 2008-07-08 17:41 2828184 c:\program files\Registry Mechanic\RegMech.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
-----c--- 2006-02-09 08:52 643072 c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a--c--- 2007-08-16 08:56 236016 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-10-22 19:36 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-06-16 21:22 794713 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2005-08-18 09:49 307200 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a--c--- 2006-06-02 07:02 61952 c:\windows\system32\CHDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2006-07-19 21:58 1519616 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1000000.07D\SYMEFA.SYS [2008-12-26 309296]
R1 BHDrvx86;Symantec Heuristics Driver;\??\c:\windows\system32\drivers\NAV\1000000.07D\BHDrvx86.sys [2008-12-26 254512]
R1 ccHP;Symantec Hash Provider;\??\c:\windows\system32\drivers\NAV\1000000.07D\ccHPx86.sys [2008-12-26 362544]
R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20080826.006\IDSxpx86.sys [2008-12-26 274808]
R2 {22D78859-9CE9-4B77-BF18-AC83E81A9263};{22D78859-9CE9-4B77-BF18-AC83E81A9263};\??\c:\program files\HP\QuickPlay\000.fcl [2008-01-20 16:33:48 39408]
R2 Norton AntiVirus;Norton AntiVirus;"c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton AntiVirus" /m "c:\program files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll" /prefetch:1 []
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-26 99376]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\DRIVERS\pelmouse.sys [2006-11-21 16512]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\DRIVERS\pelusblf.sys [2006-11-21 13184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db99d018-452e-11dc-a7d8-001636b16cad}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-12-27 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Carl Pantuso\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-24 15:46]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O16 -: {5879B3B0-566E-4ECB-9B77-9A8A5E62AAB8} - [You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\DSTUpdateLoaderUSB.inf
FF - ProfilePath - c:\documents and settings\Carl Pantuso\Application Data\Mozilla\Firefox\Profiles\musjq95b.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-27 11:39:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???Hf??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msqpdxserv.sys]
"imagepath"="\systemroot\system32\drivers\msqpdxnoyudvkp.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{22D78859-9CE9-4B77-BF18-AC83E81A9263}]
"ImagePath"="\??\c:\program files\HP\QuickPlay\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1360)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2008-12-27 11:40:30
ComboFix-quarantined-files.txt 2008-12-27 19:40:28
ComboFix2.txt 2008-12-27 18:58:41

Pre-Run: 27,556,839,424 bytes free
Post-Run: 27,541,082,112 bytes free

carljp
Novice
Posts : 26
Joined : 2008-12-27
OS : windows xp pro sp2

Solved Re: Yet another Backdoor.tidserv!inf

Post by Belahzur on Sat Dec 27, 2008 8:15 pm

Hello.
Looks good now, what problems remain?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Solved Re: Yet another Backdoor.tidserv!inf

Post by carljp on Sat Dec 27, 2008 8:48 pm

Startup takes a long time when it gets to "Loading your personal settings".
When I insert jump drives or SD cards the wizards do not start. This function is rather important to me; I use it daily. Is it possible to reactivate this? If not I can work around.
I also am going to return Norton AV, do you recommend another AV?
What are your thoughts on Registry Mechanic?

Thanks a million!
If ever in Las Vegas let me know and I'll buy you a drink!


Solved Re: Yet another Backdoor.tidserv!inf

Post by Belahzur on Sat Dec 27, 2008 8:54 pm

For AV:

1) [You must be registered and logged in to see this link.]
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) [You must be registered and logged in to see this link.]
-Anti-virus program for Windows.
-The home edition is freeware for noncommercial users.
3) [You must be registered and logged in to see this link.]
- Free edition of the AVG anti-virus program for Windows.
- Available for single computer use for home and non-commercial use.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

I personally wouldn't recommend a registry helper.
If the registry mechanic had a false positive in it and deleted a legit key, you're gonna be screwed and will probably end up re-installing Windows as the only solution to fix it.

By jump drive, do you mean USB flash drive?



Solved Re: Yet another Backdoor.tidserv!inf

Post by carljp on Sat Dec 27, 2008 9:00 pm

Yes, I mean a USB flash drive and SD cards from my cameras.


Solved Re: Yet another Backdoor.tidserv!inf

Post by Belahzur on Sat Dec 27, 2008 9:02 pm

Crud.
They are infected too.
Please plug them in and your AV may notify you of an infection, and ask if you want to block it.
Block it for the time being and run ComboFix again; the infection you had infects flash drives.

Post the log once done.

[You must be registered and logged in to see this link.]



Solved Re: Yet another Backdoor.tidserv!inf

Post by carljp on Sun Dec 28, 2008 4:20 am

I plugged it in and scanned it with both Norton and Malwarebytes and neither one found anything. I hope that's good.
Here's the latest log from CF:
ComboFix 08-12-26.03 - Carl Pantuso 2008-12-27 20:12:53.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1630 [GMT -8:00]
Running from: c:\documents and settings\Carl Pantuso\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\msqpdxiycbjgew.sys
c:\windows\system32\drivers\msqpdxnoyudvkp.sys
c:\windows\system32\msqpdxcwwfyavu.dll

c:\windows\system32\userinit.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-28 )))))))))))))))))))))))))))))))
.

2008-12-27 20:08 . 2008-12-27 20:11 d-------- c:\windows\LastGood
2008-12-26 14:56 . 2008-12-26 14:56 d-------- c:\program files\Norton Support
2008-12-26 14:51 . 2008-12-26 14:51 d-------- c:\windows\system32\drivers\NAV
2008-12-26 14:51 . 2008-12-26 14:51 d-------- c:\program files\Windows Sidebar
2008-12-26 14:51 . 2008-12-26 14:51 d-------- c:\program files\Symantec
2008-12-26 14:51 . 2008-12-26 14:51 d-------- c:\program files\Norton AntiVirus
2008-12-26 14:51 . 2008-12-26 14:51 d-------- c:\documents and settings\All Users\Application Data\Norton
2008-12-26 14:51 . 2008-12-26 14:51 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-26 14:51 . 2008-12-26 14:51 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-26 14:51 . 2008-12-26 14:51 35,888 -ra------ c:\windows\system32\drivers\SymIM.sys
2008-12-26 14:51 . 2008-12-26 14:51 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-26 14:51 . 2008-12-26 14:51 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-12-26 14:49 . 2008-12-26 14:49 d-------- c:\program files\NortonInstaller
2008-12-26 14:49 . 2008-12-26 14:49 d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-24 17:16 . 2008-12-26 14:45 d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-24 13:23 . 2008-12-24 13:23 d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-24 09:49 . 2008-12-24 09:49 111,616 --a------ c:\windows\system32\dllcache\userinit.exe
2008-12-10 11:37 . 2008-12-10 11:37 d-------- c:\windows\system32\drivers\Samsung
2008-12-10 11:37 . 2005-03-02 20:32 151,552 --a------ c:\windows\system32\SUGG1CI.exe
2008-12-10 11:37 . 2004-10-11 04:25 57,344 --a------ c:\windows\system32\SUGG1CI.dll
2008-12-10 11:37 . 2006-08-31 21:05 22,663 --a------ c:\windows\system32\SUGG1LMK.DLL
2008-12-10 11:37 . 2005-07-08 12:54 11,502 --------- c:\windows\Dr. Printer Icon.ico
2008-12-10 11:37 . 2005-09-08 22:04 555 --a------ c:\windows\system32\SUGG1LMK.SMT
2008-12-10 11:36 . 2008-12-10 11:36 d-------- c:\program files\Samsung
2008-12-10 10:05 . 2004-08-10 22:39 41,984 --------- c:\windows\system32\drivers\DGIVECP.SYS
2008-12-01 14:00 . 2008-12-24 17:26 1,324 --a------ c:\windows\system32\d3d9caps.dat
2008-11-29 14:43 . 2008-11-29 14:43 d-------- c:\windows\system32\IOSUBSYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 04:11 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-27 20:46 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-27 20:46 --------- d-----w c:\program files\NetWaiting
2008-12-27 20:46 --------- d-----w c:\program files\CONEXANT
2008-12-27 20:42 --------- d-----w c:\program files\Creative
2008-12-27 20:33 --------- d-----w c:\program files\NCH Swift Sound
2008-12-27 20:31 --------- d-----w c:\program files\On-Screen Takeoff 3
2008-12-27 20:30 --------- d-----w c:\program files\Common Files\muvee Technologies
2008-12-27 20:28 --------- d-----w c:\program files\Microsoft Works
2008-12-27 20:26 --------- d-----w c:\program files\Hewlett-Packard
2008-12-27 20:24 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLbx.DAT
2008-12-27 20:24 --------- d-----w c:\program files\Common Files\Nikon
2008-12-27 20:22 --------- d-----w c:\program files\Common Files\Adobe
2008-12-27 06:57 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\U3
2008-12-26 23:32 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-26 22:45 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\AdobeUM
2008-12-25 07:19 --------- d-----w c:\program files\Topo USA 4.0
2008-12-25 07:18 --------- d-----w c:\program files\Roxio
2008-12-25 07:18 --------- d-----w c:\program files\Rhapsody
2008-12-25 07:18 --------- d-----w c:\program files\QuickTime
2008-12-25 07:16 --------- d-----w c:\program files\Maxtor
2008-12-25 07:15 --------- d-----w c:\program files\Quickensetup
2008-12-25 07:15 --------- d-----w c:\program files\Quicken
2008-12-25 07:15 --------- d-----w c:\program files\Pro Imaging Powertoys
2008-12-25 07:15 --------- d-----w c:\program files\Nikon
2008-12-25 07:15 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-25 07:15 --------- d-----w c:\program files\IrfanView
2008-12-25 07:14 --------- d-----w c:\program files\MyPhotoBooks
2008-12-25 07:14 --------- d-----w c:\program files\My Photo Calendars and Cards
2008-12-25 07:14 --------- d-----w c:\program files\My Photo Books
2008-12-25 07:13 --------- d-----w c:\program files\HPQ
2008-12-25 07:13 --------- d-----w c:\program files\HP
2008-12-25 07:12 --------- d-----w c:\program files\Google
2008-12-25 07:12 --------- d-----w c:\program files\DivX
2008-12-25 07:12 --------- d-----w c:\program files\Common Files\Sonic Shared
2008-12-25 07:12 --------- d-----w c:\program files\Common Files\Roxio Shared
2008-12-25 07:11 --------- d-----w c:\program files\Common Files\Research In Motion
2008-12-25 07:11 --------- d-----w c:\program files\Common Files\LightScribe
2008-12-25 07:11 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-24 22:38 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\Nikon
2008-12-24 22:38 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\muvee Technologies
2008-12-24 22:36 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-24 17:49 111,616 ----a-w c:\windows\system32\userinit.exe
2008-11-21 22:04 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-11-18 20:37 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\Download Manager
2008-11-18 00:43 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\Digilabs
2008-11-17 20:04 2,306,113 ----a-w c:\windows\system32\GPhotos.scr
2008-10-31 04:22 --------- d-----w c:\program files\Windows Media Connect 2
2008-10-31 04:22 --------- d-----w c:\program files\SyncToy 2.0 Beta
2008-10-31 04:22 --------- d-----w c:\program files\music_now
2008-10-31 04:22 --------- d-----w c:\program files\Encarta Online
2008-10-31 03:16 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\0000005738
2008-10-23 03:36 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-09-27 04:25 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLck.DAT
2008-05-14 15:35 18,024 ----a-w c:\documents and settings\Carl Pantuso\Application Data\wklnhst.dat
2008-01-09 05:31 20 ---ha-w c:\documents and settings\All Users\Application Data\PKP_DLeh.DAT
2006-12-27 06:20 20 ---ha-w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2008-08-26 05:15 12,208 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-08-04 08:11 16,384 --sha-w c:\windows\system32\config\systemprofile\History\History.IE5\index.dat
2008-08-04 08:11 32,768 --sha-w c:\windows\system32\config\systemprofile\Temporary Internet Files\Content.IE5\index.dat
.

------- Sigcheck -------

2008-12-24 09:49 111616 e7385484625fb48224948ac3fc131f2d c:\windows\system32\userinit.exe
2008-12-24 09:49 111616 e7385484625fb48224948ac3fc131f2d c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-31 03:19:20 92,504 ----a-w c:\windows\LastGood\system32\cdm.dll
+ 2007-07-31 03:19:36 549,720 ----a-w c:\windows\LastGood\system32\wuapi.dll
+ 2007-07-31 03:19:16 53,080 ----a-w c:\windows\LastGood\system32\wuauclt.exe
+ 2007-07-31 03:19:42 1,712,984 ----a-w c:\windows\LastGood\system32\wuaueng.dll
+ 2007-07-31 03:19:32 325,976 ----a-w c:\windows\LastGood\system32\wucltui.dll
+ 2007-07-31 03:18:40 33,624 ----a-w c:\windows\LastGood\system32\wups.dll
+ 2007-07-31 03:19:12 43,352 ----a-w c:\windows\LastGood\system32\wups2.dll
+ 2007-07-31 03:19:28 203,096 ----a-w c:\windows\LastGood\system32\wuweb.dll
- 2008-09-29 06:17:37 16,384 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-27 20:46:03 16,384 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-09-29 06:17:37 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-27 20:46:03 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-09-29 06:17:37 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-27 20:46:03 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-24 16:06:43 2,223,600 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-12-27 20:43:08 2,222,888 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-10-16 22:08:58 34,328 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2008-10-16 22:09:44 43,544 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
- 2006-03-16 17:06:02 118,784 -c--a-w c:\windows\system32\UCI32105.dll
+ 2006-03-16 17:06:04 118,784 ----a-w c:\windows\system32\Uci32105.dll
+ 2008-12-28 04:02:46 16,384 ----atw c:\windows\temp\Perflib_Perfdata_3b0.dat
+ 2008-12-28 04:02:13 16,384 ----atw c:\windows\temp\Perflib_Perfdata_ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.


Solved Re: Yet another Backdoor.tidserv!inf

Post by carljp on Sun Dec 28, 2008 4:20 am

Part 2:
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 458752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-19 7581696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-19 86016]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"\\Reception\EPSON Stylus CX4800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-02 98304]
"Auto EPSON Stylus CX4800 Series on Reception"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-02 98304]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"MsmqIntCert"="mqrt.dll" [2004-08-04 c:\windows\system32\mqrt.dll]
"Mouse Suite 98 Daemon"="ICO.EXE" [2004-07-14 c:\windows\system32\ICO.EXE]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 c:\windows\KHALMNPR.Exe]

c:\documents and settings\Carl Pantuso\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 09:10 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pool Studio Newsletter.lnk]
backup=c:\windows\pss\Pool Studio Newsletter.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 18:54 623992 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4800 Series]
--a------ 2005-02-02 04:00 98304 c:\windows\system32\spool\drivers\w32x86\3\E_FATIADA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R300 Series]
--a--c--- 2003-06-04 03:00 99840 c:\windows\system32\spool\drivers\w32x86\3\E_S4I2F1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-12-24 15:46 133104 c:\documents and settings\Carl Pantuso\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2005-02-16 22:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a--c--- 2006-09-11 04:40 218032 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2006-09-11 04:40 218032 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2006-09-11 04:40 86960 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 16:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
--a------ 2007-09-06 13:53 169264 c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
--a--c--- 2006-11-06 10:58 159744 c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
-----c--- 2007-10-18 18:12 102400 c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
-----c--- 2005-10-11 09:23 1187840 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
--a------ 2008-07-08 17:41 2828184 c:\program files\Registry Mechanic\RegMech.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
-----c--- 2006-02-09 08:52 643072 c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a--c--- 2007-08-16 08:56 236016 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-10-22 19:36 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-06-16 21:22 794713 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2005-08-18 09:49 307200 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a--c--- 2006-06-02 07:02 61952 c:\windows\system32\CHDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2006-07-19 21:58 1519616 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1000000.07D\SYMEFA.SYS [2008-12-26 309296]
R1 BHDrvx86;Symantec Heuristics Driver;\??\c:\windows\system32\drivers\NAV\1000000.07D\BHDrvx86.sys [2008-12-26 254512]
R1 ccHP;Symantec Hash Provider;\??\c:\windows\system32\drivers\NAV\1000000.07D\ccHPx86.sys [2008-12-26 362544]
R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20080826.006\IDSxpx86.sys [2008-12-26 274808]
R2 {22D78859-9CE9-4B77-BF18-AC83E81A9263};{22D78859-9CE9-4B77-BF18-AC83E81A9263};\??\c:\program files\HP\QuickPlay\000.fcl [2008-01-20 16:33:48 39408]
R2 Norton AntiVirus;Norton AntiVirus;"c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton AntiVirus" /m "c:\program files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll" /prefetch:1 []
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-26 99376]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\DRIVERS\pelmouse.sys [2006-11-21 16512]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\DRIVERS\pelusblf.sys [2006-11-21 13184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db99d018-452e-11dc-a7d8-001636b16cad}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Carl Pantuso\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-24 15:46]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AdobeCS4ServiceManager - c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O16 -: {5879B3B0-566E-4ECB-9B77-9A8A5E62AAB8} - [You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\DSTUpdateLoaderUSB.inf
FF - ProfilePath - c:\documents and settings\Carl Pantuso\Application Data\Mozilla\Firefox\Profiles\musjq95b.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-27 20:14:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???Hf??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{22D78859-9CE9-4B77-BF18-AC83E81A9263}]
"ImagePath"="\??\c:\program files\HP\QuickPlay\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1364)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2008-12-27 20:15:28
ComboFix-quarantined-files.txt 2008-12-28 04:14:57
ComboFix2.txt 2008-12-27 19:40:31
ComboFix3.txt 2008-12-27 18:58:41

Pre-Run: 29,555,789,824 bytes free
Post-Run: 29,542,150,144 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


Solved Re: Yet another Backdoor.tidserv!inf

Post by Belahzur on Sun Dec 28, 2008 1:19 pm

Hello.
CF log says userinit is infected and we need to check.

Please upload this file below:
c:\windows\system32\userinit.exe
To this site for a scan:
[You must be registered and logged in to see this link.]
Copy and paste the results back here.



Solved Re: Yet another Backdoor.tidserv!inf

Post by carljp on Sun Dec 28, 2008 9:52 pm

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1
File to upload & scan: Virus

Service
Service load:
0% 100%
File: userinit.exe
Status:
INFECTED/MALWARE
MD5: e7385484625fb48224948ac3fc131f2d
Packers detected:
-
Scanner results
Scan taken on 28 Dec 2008 21:47:45 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Crypt.XPACK.Gen
ArcaVir
Found nothing
Avast
Found Win32:Trojan-gen {Other}
AVG Antivirus
Found nothing
BitDefender
Found Trojan.FakeAlert.TK
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found Win32:Trojan-gen
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found Win32/FakeInit.A
Norman Virus Control
Found W32/Smalltroj.JVYH
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

Powered by

carljp
Novice

Posts : 26
Joined : 2008-12-27
OS : windows xp pro sp2
Points : 28980
# Likes : 0

Solved Re: Yet another Backdoor.tidserv!inf

Post by Belahzur on Sun Dec 28, 2008 9:55 pm

Hello.
Yes, userinit is infected and we need to find a clean copy.


  • Now open a new notepad file.
  • Input this into the notepad file:

    rem look.bat - list every userinit.exe under system32 with its full path, size and timestamp
    For /F "TOKENS=*" %%g IN ('dir /s/a-d/b %windir%\system32\userinit.exe') Do @echo "%%~g" %%~zg %%~tg >>report.txt 2>nul
    rem open the report in Notepad, then close this command window
    start notepad report.txt & exit

  • Save this as look.bat, save it to your desktop.
  • Double click look.bat to run it.
  • Copy and paste the report back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245039
# Likes : 1

Solved Re: Yet another Backdoor.tidserv!inf

Post by carljp on Sun Dec 28, 2008 11:19 pm

"C:\WINDOWS\system32\userinit.exe" 111616 12/24/2008 09:49 AM
"C:\WINDOWS\system32\dllcache\userinit.exe" 111616 12/24/2008 09:49 AM


Solved Re: Yet another Backdoor.tidserv!inf

Post by Belahzur on Sun Dec 28, 2008 11:33 pm

Darn it, both of them are infected.
These instructions might seem a little long to you, so ask if you don't understand some of it.

Please download this file to your desktop, it's a clean copy of userinit.exe
[You must be registered and logged in to see this link.]

I suggest you copy these instructions into a notepad file, because we need to use safe mode and you won't have internet access to read from here.

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

Now we need to unhide hidden files and folders, read here how to:

    To Unhide Files and folders:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.

  • Under the Hidden files and folders heading deselect "Show hidden files and folders".
  • Check the "Show hidden files and folders" option.
  • Hit the "Apply To All Folders" option.
  • Click Yes to confirm. Click OK.


Locate these two files now:
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\dllcache\userinit.exe

You will have to do this one by one, but right click each one > Rename, and add a .bad extension onto the file name, so it will now be called userinit.exe.bad.
Now locate the userinit.exe on your desktop that you got from the link, and right click it > Copy. Now, using Windows Explorer (Not Internet Explorer!!), right click > Paste a copy of the clean userinit into the system32 folder and the dllcache folder.
Boot back to normal mode.



Solved Re: Yet another Backdoor.tidserv!inf

Post by carljp on Mon Dec 29, 2008 12:00 am

Bad news, the computer is hanging when booting into safe mode, specifically after a bunch of: multi(0)disk(0)rdisk(0)partition(1)\windows\system32\drivers\*.sys. The last one is Mup.sys.
It will boot normally but hangs as above when trying safe mode.
Can you replace those files using a batch file? I'm on a different machine now, so I can read instructions from here and execute them on the infected machine.


Solved Re: Yet another Backdoor.tidserv!inf

Post by Belahzur on Mon Dec 29, 2008 12:02 am

Yes.
Just a question, because this way is easier.
Do you have your XP disc?



Solved Re: Yet another Backdoor.tidserv!inf

Post by carljp on Mon Dec 29, 2008 12:04 am

It's an HP, so all I have are the System Recovery DVDs. Will these work?


Solved Re: Yet another Backdoor.tidserv!inf

Post by carljp on Mon Dec 29, 2008 12:13 am

I have an XP cd from a different machine. Will that work?


Solved Re: Yet another Backdoor.tidserv!inf

Post by Belahzur on Mon Dec 29, 2008 12:18 am

Maybe, but let's try it this way first.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

FMOVE::
c:\windows\system32\userinit.exe | c:\userinit.exe
c:\documents and settings\Carl Pantuso\Desktop\userinit.exe | c:\windows\system32\userinit.exe

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.



Solved Re: Yet another Backdoor.tidserv!inf

Post by carljp on Mon Dec 29, 2008 12:43 am

ComboFix 08-12-26.03 - Carl Pantuso 2008-12-28 16:29:56.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1596 [GMT -8:00]
Running from: c:\documents and settings\Carl Pantuso\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Carl Pantuso\Desktop\cfscript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\userinit.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.

2008-12-28 16:36 . 2008-12-28 16:36 496 --a------ c:\windows\system32\win32hlp.cnf
2008-12-27 20:45 . 2008-12-27 20:50 d-------- c:\windows\system32\NtmsData
2008-12-27 20:34 . 2008-12-28 14:03 d-------- c:\windows\system32\CatRoot_bak
2008-12-27 20:34 . 2008-08-14 01:51 138,368 --------- c:\windows\system32\dllcache\afd.sys
2008-12-27 20:33 . 2008-08-14 01:57 2,185,984 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-27 20:33 . 2008-08-14 01:55 2,142,720 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-27 20:33 . 2008-08-14 01:18 2,062,976 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-27 20:33 . 2008-08-14 01:18 2,020,864 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-27 20:33 . 2008-09-15 03:57 1,846,016 --------- c:\windows\system32\dllcache\win32k.sys
2008-12-27 20:12 . 2008-06-13 05:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-12-27 20:12 . 2008-06-13 05:10 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2008-12-26 14:56 . 2008-12-26 14:56 d-------- c:\program files\Norton Support
2008-12-26 14:51 . 2008-12-28 15:47 d-------- c:\windows\system32\drivers\NAV
2008-12-26 14:51 . 2008-12-26 14:51 d-------- c:\program files\Windows Sidebar
2008-12-26 14:51 . 2008-12-26 14:51 d-------- c:\program files\Symantec
2008-12-26 14:51 . 2008-12-26 14:51 d-------- c:\program files\Norton AntiVirus
2008-12-26 14:51 . 2008-12-26 14:51 d-------- c:\documents and settings\All Users\Application Data\Norton
2008-12-26 14:51 . 2008-12-26 14:51 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-26 14:51 . 2008-12-26 14:51 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-26 14:51 . 2008-12-11 19:08 36,272 -ra------ c:\windows\system32\drivers\SymIM.sys
2008-12-26 14:51 . 2008-12-26 14:51 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-26 14:51 . 2008-12-26 14:51 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-12-26 14:49 . 2008-12-26 14:49 d-------- c:\program files\NortonInstaller
2008-12-26 14:49 . 2008-12-26 14:49 d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-24 17:16 . 2008-12-27 20:52 d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-24 13:23 . 2008-12-24 13:23 d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-24 09:49 . 2008-12-24 09:49 111,616 --a------ c:\windows\system32\dllcache\userinit.exe
2008-12-10 11:37 . 2008-12-10 11:37 d-------- c:\windows\system32\drivers\Samsung
2008-12-10 11:37 . 2005-03-02 20:32 151,552 --a------ c:\windows\system32\SUGG1CI.exe
2008-12-10 11:37 . 2004-10-11 04:25 57,344 --a------ c:\windows\system32\SUGG1CI.dll
2008-12-10 11:37 . 2006-08-31 21:05 22,663 --a------ c:\windows\system32\SUGG1LMK.DLL
2008-12-10 11:37 . 2005-07-08 12:54 11,502 --------- c:\windows\Dr. Printer Icon.ico
2008-12-10 11:37 . 2005-09-08 22:04 555 --a------ c:\windows\system32\SUGG1LMK.SMT
2008-12-10 11:36 . 2008-12-10 11:36 d-------- c:\program files\Samsung
2008-12-10 10:05 . 2004-08-10 22:39 41,984 --------- c:\windows\system32\drivers\DGIVECP.SYS
2008-12-01 14:00 . 2008-12-24 17:26 1,324 --a------ c:\windows\system32\d3d9caps.dat
2008-11-29 14:43 . 2008-11-29 14:43 d-------- c:\windows\system32\IOSUBSYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 04:25 --------- d-----w c:\program files\Common Files\Nikon
2008-12-28 04:11 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-27 20:46 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-27 20:46 --------- d-----w c:\program files\NetWaiting
2008-12-27 20:46 --------- d-----w c:\program files\CONEXANT
2008-12-27 20:42 --------- d-----w c:\program files\Creative
2008-12-27 20:33 --------- d-----w c:\program files\NCH Swift Sound
2008-12-27 20:31 --------- d-----w c:\program files\On-Screen Takeoff 3
2008-12-27 20:30 --------- d-----w c:\program files\Common Files\muvee Technologies
2008-12-27 20:28 --------- d-----w c:\program files\Microsoft Works
2008-12-27 20:26 --------- d-----w c:\program files\Hewlett-Packard
2008-12-27 20:24 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLbx.DAT
2008-12-27 20:22 --------- d-----w c:\program files\Common Files\Adobe
2008-12-27 06:57 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\U3
2008-12-26 23:32 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-26 22:45 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\AdobeUM
2008-12-25 07:19 --------- d-----w c:\program files\Topo USA 4.0
2008-12-25 07:18 --------- d-----w c:\program files\Roxio
2008-12-25 07:18 --------- d-----w c:\program files\Rhapsody
2008-12-25 07:18 --------- d-----w c:\program files\QuickTime
2008-12-25 07:16 --------- d-----w c:\program files\Maxtor
2008-12-25 07:15 --------- d-----w c:\program files\Quickensetup
2008-12-25 07:15 --------- d-----w c:\program files\Quicken
2008-12-25 07:15 --------- d-----w c:\program files\Pro Imaging Powertoys
2008-12-25 07:15 --------- d-----w c:\program files\Nikon
2008-12-25 07:15 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-25 07:15 --------- d-----w c:\program files\IrfanView
2008-12-25 07:14 --------- d-----w c:\program files\MyPhotoBooks
2008-12-25 07:14 --------- d-----w c:\program files\My Photo Calendars and Cards
2008-12-25 07:14 --------- d-----w c:\program files\My Photo Books
2008-12-25 07:13 --------- d-----w c:\program files\HPQ
2008-12-25 07:13 --------- d-----w c:\program files\HP
2008-12-25 07:12 --------- d-----w c:\program files\Google
2008-12-25 07:12 --------- d-----w c:\program files\DivX
2008-12-25 07:12 --------- d-----w c:\program files\Common Files\Sonic Shared
2008-12-25 07:12 --------- d-----w c:\program files\Common Files\Roxio Shared
2008-12-25 07:11 --------- d-----w c:\program files\Common Files\Research In Motion
2008-12-25 07:11 --------- d-----w c:\program files\Common Files\LightScribe
2008-12-25 07:11 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-24 22:38 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\Nikon
2008-12-24 22:38 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\muvee Technologies
2008-12-24 22:36 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-21 22:04 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-11-18 20:37 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\Download Manager
2008-11-18 00:43 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\Digilabs
2008-10-31 04:22 --------- d-----w c:\program files\Windows Media Connect 2
2008-10-31 04:22 --------- d-----w c:\program files\SyncToy 2.0 Beta
2008-10-31 04:22 --------- d-----w c:\program files\music_now
2008-10-31 04:22 --------- d-----w c:\program files\Encarta Online
2008-10-31 03:16 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\0000005738
2008-09-27 04:25 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLck.DAT
2008-05-14 15:35 18,024 ----a-w c:\documents and settings\Carl Pantuso\Application Data\wklnhst.dat
2008-01-09 05:31 20 ---ha-w c:\documents and settings\All Users\Application Data\PKP_DLeh.DAT
2006-12-27 06:20 20 ---ha-w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2008-08-26 05:15 12,208 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-08-04 08:11 16,384 --sha-w c:\windows\system32\config\systemprofile\History\History.IE5\index.dat
2008-08-04 08:11 32,768 --sha-w c:\windows\system32\config\systemprofile\Temporary Internet Files\Content.IE5\index.dat
.

------- Sigcheck -------

2008-04-13 16:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\userinit.exe
2008-12-24 09:49 111616 e7385484625fb48224948ac3fc131f2d c:\windows\system32\userinit.exe
2008-12-24 09:49 111616 e7385484625fb48224948ac3fc131f2d c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.

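The Sigcheck section of the log above exposes the infection by hand: the untouched userinit.exe in the update cache is 26112 bytes, while the copies in system32 and dllcache are 111616 bytes with a different (and identical) hash. The script below, an added example that is not code from the thread, ComboFix or any tool named here, automates that comparison for the files look.bat listed: it hashes each on-disk copy of a protected binary against a known-good reference and flags the ones that differ. The directory layout, file contents and labels are constructed stand-ins, the digest used is SHA-256 rather than the MD5 ComboFix prints, and only the two file sizes come from the log.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Sizes taken from the Sigcheck section of the ComboFix log above; the
# file contents below are constructed stand-ins, not real binaries.
ORIGINAL_SIZE = 26112
REPLACED_SIZE = 111616


@dataclass
class CopyReport:
    """Result of comparing one on-disk copy with the known-good reference."""
    label: str
    path: str
    size: int          # -1 when the file is missing
    sha256: str
    matches_reference: bool


def file_digest(path: str) -> tuple[int, str]:
    """Return (size in bytes, SHA-256 hex digest), streaming in 64 KiB chunks."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def check_copies(reference: str, candidates: dict[str, str]) -> list[CopyReport]:
    """Compare every candidate copy against the reference.

    A copy is flagged when its size or digest differs from the reference,
    which is the discrepancy Sigcheck made visible by hand (26112 bytes in
    the update cache versus 111616 bytes in system32 and dllcache).
    A missing candidate is also flagged, since dllcache should hold a copy.
    """
    ref_size, ref_hash = file_digest(reference)
    reports = []
    for label, path in candidates.items():
        if not os.path.isfile(path):
            reports.append(CopyReport(label, path, -1, "", False))
            continue
        size, digest = file_digest(path)
        ok = size == ref_size and digest == ref_hash
        reports.append(CopyReport(label, path, size, digest, ok))
    return reports


def suspicious_labels(reports: list[CopyReport]) -> list[str]:
    """Labels of copies that do not match the reference, sorted for stable output."""
    return sorted(r.label for r in reports if not r.matches_reference)


def build_sample_tree(root: str, infected: bool) -> tuple[str, dict[str, str]]:
    """Lay out a constructed directory tree mirroring the machine in the thread.

    The update cache keeps an untouched copy; system32 and dllcache hold either
    the same bytes (clean) or a larger, different file (the replaced state).
    """
    original = b"MZ" + b"\x00" * (ORIGINAL_SIZE - 2)
    replaced = b"MZ" + b"\x90" * (REPLACED_SIZE - 2)
    layout = {
        "reference": os.path.join(root, "SoftwareDistribution", "Download", "userinit.exe"),
        "system32": os.path.join(root, "system32", "userinit.exe"),
        "dllcache": os.path.join(root, "system32", "dllcache", "userinit.exe"),
    }
    for label, path in layout.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(original if (label == "reference" or not infected) else replaced)
    reference = layout.pop("reference")
    return reference, layout


def run_demo(infected: bool = True) -> list[str]:
    """Build the sample tree in a temp dir and return the labels that were flagged."""
    with tempfile.TemporaryDirectory() as root:
        reference, candidates = build_sample_tree(root, infected)
        reports = check_copies(reference, candidates)
        for r in reports:
            state = "OK" if r.matches_reference else "MISMATCH"
            print(f"{state:8} {r.label:9} size={r.size:>7} sha256={r.sha256[:16]}...")
        return suspicious_labels(reports)


if __name__ == "__main__":
    run_demo()
```

On a real machine the reference should come from trusted media (an installation CD or a vendor download), never from the machine under examination, and a copy whose size already differs need not be hashed to be treated as suspect.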

Solved Re: Yet another Backdoor.tidserv!inf

Post by carljp on Mon Dec 29, 2008 12:47 am

Part 2:


Solved Re: Yet another Backdoor.tidserv!inf

Post by carljp on Mon Dec 29, 2008 12:48 am

Part 3:
+ 2008-10-16 20:38:35 133,120 ----a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-10-23 13:01:36 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
- 2007-10-10 23:55:51 63,488 -c----w c:\windows\system32\dllcache\icardie.dll
+ 2008-10-16 20:38:35 63,488 ------w c:\windows\system32\dllcache\icardie.dll
- 2007-10-10 10:59:40 70,656 -c----w c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-10-16 13:11:09 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
- 2007-10-10 23:55:51 153,088 ----a-w c:\windows\system32\dllcache\ieakeng.dll
+ 2008-10-16 20:38:35 153,088 ----a-w c:\windows\system32\dllcache\ieakeng.dll
- 2007-10-10 23:55:51 230,400 ----a-w c:\windows\system32\dllcache\ieaksie.dll
+ 2008-10-16 20:38:35 230,400 ----a-w c:\windows\system32\dllcache\ieaksie.dll
- 2007-10-10 05:46:55 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
+ 2008-10-15 07:04:53 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
- 2007-10-10 23:55:52 383,488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
+ 2008-10-16 20:38:35 383,488 ------w c:\windows\system32\dllcache\ieapfltr.dll
- 2007-10-10 23:55:52 384,512 ----a-w c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-10-16 20:38:35 384,512 ----a-w c:\windows\system32\dllcache\iedkcs32.dll
- 2007-10-10 23:55:54 6,065,664 -c----w c:\windows\system32\dllcache\ieframe.dll
+ 2008-10-16 20:38:37 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
- 2007-10-10 23:55:55 44,544 ----a-w c:\windows\system32\dllcache\iernonce.dll
+ 2008-10-16 20:38:37 44,544 ----a-w c:\windows\system32\dllcache\iernonce.dll
- 2007-10-10 23:55:55 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll
+ 2008-10-16 20:38:37 267,776 ------w c:\windows\system32\dllcache\iertutil.dll
- 2007-10-10 10:59:40 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe
+ 2008-10-16 13:11:09 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
- 2007-10-10 10:59:52 625,152 -c----w c:\windows\system32\dllcache\iexplore.exe
+ 2008-10-15 07:06:26 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
- 2006-11-08 05:06:13 679,424 -c----w c:\windows\system32\dllcache\inetcomm.dll
+ 2008-04-11 18:50:43 683,520 ------w c:\windows\system32\dllcache\inetcomm.dll
- 2007-10-10 23:55:56 27,648 ----a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-10-16 20:38:37 27,648 ----a-w c:\windows\system32\dllcache\jsproxy.dll
- 2006-10-19 04:03:58 100,864 ----a-w c:\windows\system32\dllcache\logagent.exe
+ 2008-06-18 09:09:22 100,864 ----a-w c:\windows\system32\dllcache\logagent.exe
- 2006-05-05 09:41:45 453,120 -c----w c:\windows\system32\dllcache\mrxsmb.sys
+ 2008-10-24 11:10:42 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
- 2004-08-04 21:00:00 331,776 ----a-w c:\windows\system32\dllcache\msadce.dll
+ 2008-05-01 14:30:33 331,776 ----a-w c:\windows\system32\dllcache\msadce.dll
+ 2008-06-24 16:23:05 74,240 ------w c:\windows\system32\dllcache\mscms.dll
- 2007-10-10 23:55:56 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll
+ 2008-10-16 20:38:37 459,264 ------w c:\windows\system32\dllcache\msfeeds.dll
- 2007-10-10 23:55:56 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-10-16 20:38:37 52,224 ------w c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-10-31 13:12:30 3,590,656 -c----w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
- 2007-10-10 23:55:58 478,208 -c----w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-10-16 20:38:38 477,696 ------w c:\windows\system32\dllcache\mshtmled.dll
- 2007-10-10 23:55:58 193,024 -c----w c:\windows\system32\dllcache\msrating.dll
+ 2008-10-16 20:38:38 193,024 ------w c:\windows\system32\dllcache\msrating.dll
- 2007-10-10 23:55:59 671,232 ----a-w c:\windows\system32\dllcache\mstime.dll
+ 2008-10-16 20:38:39 671,232 ----a-w c:\windows\system32\dllcache\mstime.dll
- 2006-09-13 05:01:56 1,084,416 -c----w c:\windows\system32\dllcache\msxml3.dll
+ 2008-09-04 16:42:02 1,106,944 ------w c:\windows\system32\dllcache\msxml3.dll
- 2006-08-17 12:28:27 332,288 -c----w c:\windows\system32\dllcache\netapi32.dll
+ 2008-10-15 16:57:55 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
- 2007-10-10 23:55:59 102,400 -c----w c:\windows\system32\dllcache\occache.dll
+ 2008-10-16 20:38:39 102,912 ------w c:\windows\system32\dllcache\occache.dll
- 2007-08-14 02:36:12 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-05-07 05:18:48 1,287,680 ------w c:\windows\system32\dllcache\quartz.dll
- 2006-07-13 08:48:58 202,240 -c----w c:\windows\system32\dllcache\rmcast.sys
+ 2008-05-08 12:28:49 202,752 ------w c:\windows\system32\dllcache\rmcast.sys
- 2006-08-14 10:34:41 332,928 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-08-28 10:04:17 333,056 ------w c:\windows\system32\dllcache\srv.sys
- 2006-08-21 17:52:08 246,814 ----a-w c:\windows\system32\dllcache\strmdll.dll
+ 2008-10-03 10:15:47 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
- 2006-11-02 02:31:34 315,904 -c--a-w c:\windows\system32\dllcache\unregmp2.exe
+ 2007-06-27 06:10:26 317,440 ----a-w c:\windows\system32\dllcache\unregmp2.exe
- 2007-10-10 23:55:59 105,984 -c----w c:\windows\system32\dllcache\url.dll
+ 2008-10-16 20:38:39 105,984 ------w c:\windows\system32\dllcache\url.dll
- 2007-10-10 23:56:00 1,159,680 -c----w c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-16 20:38:39 1,160,192 ------w c:\windows\system32\dllcache\urlmon.dll

carljp
Novice

Posts : 26
Joined : 2008-12-27
OS : windows xp pro sp2

Solved Re: Yet another Backdoor.tidserv!inf

Post by carljp on Mon Dec 29, 2008 12:48 am

- 2007-08-14 02:54:10 765,952 ----a-w c:\windows\system32\dllcache\vgx.dll
+ 2008-05-27 17:23:58 765,952 ----a-w c:\windows\system32\dllcache\vgx.dll
- 2007-10-10 23:56:00 232,960 -c----w c:\windows\system32\dllcache\webcheck.dll
+ 2008-10-16 20:38:39 233,472 ------w c:\windows\system32\dllcache\webcheck.dll
- 2007-10-10 23:56:00 824,832 -c----w c:\windows\system32\dllcache\wininet.dll
+ 2008-10-16 20:38:40 826,368 ------w c:\windows\system32\dllcache\wininet.dll
- 2006-10-19 05:47:18 222,208 -c--a-w c:\windows\system32\dllcache\WMASF.dll
+ 2007-10-28 01:40:30 222,720 ----a-w c:\windows\system32\dllcache\wmasf.dll
- 2006-10-19 05:47:20 937,984 -c--a-w c:\windows\system32\dllcache\WMNetMgr.dll
+ 2008-06-18 13:03:08 938,496 ----a-w c:\windows\system32\dllcache\WMNetmgr.dll
- 2006-10-19 05:47:20 10,834,432 -c--a-w c:\windows\system32\dllcache\wmp.dll
+ 2007-06-12 07:51:12 10,834,944 ----a-w c:\windows\system32\dllcache\wmp.dll
- 2006-10-19 05:47:22 2,450,944 -c--a-w c:\windows\system32\dllcache\wmvcore.dll
+ 2008-06-18 13:03:14 2,458,112 ----a-w c:\windows\system32\dllcache\WMVCore.dll
- 2007-07-31 03:19:36 549,720 -c--a-w c:\windows\system32\dllcache\wuapi.dll
+ 2008-10-16 22:12:20 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
- 2007-07-31 03:19:16 53,080 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
+ 2008-10-16 22:09:44 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
- 2007-07-31 03:19:42 1,712,984 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
+ 2008-10-16 22:13:40 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
- 2007-07-31 03:19:32 325,976 -c--a-w c:\windows\system32\dllcache\wucltui.dll
+ 2008-10-16 22:12:22 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
- 2007-07-31 03:18:40 33,624 -c--a-w c:\windows\system32\dllcache\wups.dll
+ 2008-10-16 22:08:58 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
- 2007-07-31 03:19:28 203,096 ----a-w c:\windows\system32\dllcache\wuweb.dll
+ 2008-10-16 22:13:40 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
- 2004-08-04 21:00:00 138,496 ----a-w c:\windows\system32\drivers\afd.sys
+ 2008-08-14 09:51:43 138,368 ----a-w c:\windows\system32\drivers\afd.sys
- 2006-05-05 09:41:45 453,120 ----a-w c:\windows\system32\drivers\mrxsmb.sys
+ 2008-10-24 11:10:42 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
+ 2008-12-12 03:08:45 255,536 ----a-w c:\windows\system32\drivers\NAV\1002000.007\BHDrvx86.sys
+ 2008-12-26 22:51:35 362,544 ----a-w c:\windows\system32\drivers\NAV\1002000.007\cchpx86.sys
+ 2008-12-12 03:08:48 306,736 ----a-w c:\windows\system32\drivers\NAV\1002000.007\srtsp.sys
+ 2008-12-12 03:08:48 43,696 ----a-w c:\windows\system32\drivers\NAV\1002000.007\srtspx.sys
+ 2008-12-12 03:08:48 12,976 ----a-w c:\windows\system32\drivers\NAV\1002000.007\symdns.sys
+ 2008-12-12 03:08:48 309,296 ----a-w c:\windows\system32\drivers\NAV\1002000.007\SymEFA.sys
+ 2008-12-12 03:08:48 89,904 ----a-w c:\windows\system32\drivers\NAV\1002000.007\symfw.sys
+ 2008-12-12 03:08:48 34,608 ----a-w c:\windows\system32\drivers\NAV\1002000.007\symids.sys
+ 2008-12-12 03:08:48 37,424 ----a-w c:\windows\system32\drivers\NAV\1002000.007\symndis.sys
+ 2008-12-12 03:08:48 40,496 ----a-w c:\windows\system32\drivers\NAV\1002000.007\symndisv.sys
+ 2008-12-12 03:08:48 24,624 ----a-w c:\windows\system32\drivers\NAV\1002000.007\symredrv.sys
+ 2008-12-12 03:08:49 198,192 ----a-w c:\windows\system32\drivers\NAV\1002000.007\symtdi.sys
- 2006-07-13 08:48:58 202,240 ----a-w c:\windows\system32\drivers\rmcast.sys
+ 2008-05-08 12:28:49 202,752 ----a-w c:\windows\system32\drivers\rmcast.sys
- 2006-08-14 10:34:41 332,928 ----a-w c:\windows\system32\drivers\srv.sys
+ 2008-08-28 10:04:17 333,056 ----a-w c:\windows\system32\drivers\srv.sys
- 2007-08-14 02:35:46 346,624 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dxtmsft.dll
- 2007-10-10 23:55:51 214,528 ------w c:\windows\system32\dxtrans.dll
+ 2008-10-16 20:38:34 214,528 ------w c:\windows\system32\dxtrans.dll
- 2005-07-26 04:39:45 243,200 ----a-w c:\windows\system32\es.dll
+ 2008-07-07 20:32:22 253,952 ----a-w c:\windows\system32\es.dll
- 2007-10-10 23:55:51 132,608 -c----w c:\windows\system32\extmgr.dll
+ 2008-10-16 20:38:35 133,120 ------w c:\windows\system32\extmgr.dll
- 2008-11-24 16:06:43 2,223,600 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-12-28 22:31:06 2,219,704 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2005-12-29 10:54:36 280,064 ----a-w c:\windows\system32\gdi32.dll
+ 2008-10-23 13:01:36 283,648 ----a-w c:\windows\system32\gdi32.dll
- 2007-10-10 23:55:51 63,488 -c--a-w c:\windows\system32\icardie.dll
+ 2008-10-16 20:38:35 63,488 ----a-w c:\windows\system32\icardie.dll
- 2007-10-10 10:59:40 70,656 ------w c:\windows\system32\ie4uinit.exe
+ 2008-10-16 13:11:09 70,656 ------w c:\windows\system32\ie4uinit.exe
- 2007-10-10 23:55:51 153,088 -c----w c:\windows\system32\ieakeng.dll
+ 2008-10-16 20:38:35 153,088 ------w c:\windows\system32\ieakeng.dll
- 2007-10-10 23:55:51 230,400 -c----w c:\windows\system32\ieaksie.dll
+ 2008-10-16 20:38:35 230,400 ------w c:\windows\system32\ieaksie.dll
- 2007-10-10 05:46:55 161,792 -c----w c:\windows\system32\ieakui.dll
+ 2008-10-15 07:04:53 161,792 ------w c:\windows\system32\ieakui.dll
- 2007-10-10 23:55:52 383,488 ----a-w c:\windows\system32\ieapfltr.dll
+ 2008-10-16 20:38:35 383,488 ----a-w c:\windows\system32\ieapfltr.dll
- 2007-10-10 23:55:52 384,512 -c----w c:\windows\system32\iedkcs32.dll
+ 2008-10-16 20:38:35 384,512 ------w c:\windows\system32\iedkcs32.dll
- 2007-10-10 23:55:54 6,065,664 ----a-w c:\windows\system32\ieframe.dll
+ 2008-10-16 20:38:37 6,066,176 ----a-w c:\windows\system32\ieframe.dll
- 2007-10-10 23:55:55 44,544 -c----w c:\windows\system32\iernonce.dll
+ 2008-10-16 20:38:37 44,544 ------w c:\windows\system32\iernonce.dll
- 2007-10-10 23:55:55 267,776 ----a-w c:\windows\system32\iertutil.dll
+ 2008-10-16 20:38:37 267,776 ----a-w c:\windows\system32\iertutil.dll
- 2007-10-10 10:59:40 13,824 -c--a-w c:\windows\system32\ieudinit.exe
+ 2008-10-16 13:11:09 13,824 ----a-w c:\windows\system32\ieudinit.exe
- 2006-11-08 05:06:13 679,424 ----a-w c:\windows\system32\inetcomm.dll
+ 2008-04-11 18:50:43 683,520 ----a-w c:\windows\system32\inetcomm.dll
- 2007-10-10 23:55:56 27,648 -c----w c:\windows\system32\jsproxy.dll
+ 2008-10-16 20:38:37 27,648 ------w c:\windows\system32\jsproxy.dll
- 2006-10-19 04:03:58 100,864 -c--a-w c:\windows\system32\logagent.exe
+ 2008-06-18 09:09:22 100,864 ----a-w c:\windows\system32\logagent.exe
- 2005-06-29 09:46:00 74,240 ----a-w c:\windows\system32\mscms.dll
+ 2008-06-24 16:23:05 74,240 ----a-w c:\windows\system32\mscms.dll
- 2005-09-23 15:28:52 270,848 ----a-w c:\windows\system32\mscoree.dll
+ 2006-12-22 20:28:14 271,360 ----a-w c:\windows\system32\mscoree.dll
- 2007-10-10 23:55:56 459,264 -c--a-w c:\windows\system32\msfeeds.dll
+ 2008-10-16 20:38:37 459,264 ----a-w c:\windows\system32\msfeeds.dll
- 2007-10-10 23:55:56 52,224 -c--a-w c:\windows\system32\msfeedsbs.dll
+ 2008-10-16 20:38:37 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
- 2007-10-31 13:12:30 3,590,656 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
- 2007-10-10 23:55:58 478,208 ------w c:\windows\system32\mshtmled.dll
+ 2008-10-16 20:38:38 477,696 ------w c:\windows\system32\mshtmled.dll
- 2007-10-10 23:55:58 193,024 ------w c:\windows\system32\msrating.dll
+ 2008-10-16 20:38:38 193,024 ------w c:\windows\system32\msrating.dll
- 2007-10-10 23:55:59 671,232 -c----w c:\windows\system32\mstime.dll
+ 2008-10-16 20:38:39 671,232 ------w c:\windows\system32\mstime.dll
- 2006-09-13 05:01:56 1,084,416 ----a-w c:\windows\system32\msxml3.dll
+ 2008-09-04 16:42:02 1,106,944 ----a-w c:\windows\system32\msxml3.dll
- 2006-11-04 22:14:00 1,245,696 ----a-w c:\windows\system32\msxml4.dll
+ 2008-10-01 00:43:34 1,286,152 ----a-w c:\windows\system32\msxml4.dll
- 2006-12-04 21:37:58 1,317,648 ----a-w c:\windows\system32\msxml6.dll
+ 2008-08-30 04:06:44 1,350,664 ----a-w c:\windows\system32\msxml6.dll
- 2005-09-23 15:29:00 6,144 -c--a-w c:\windows\system32\mui\0409\mscorees.dll
+ 2006-12-22 21:02:36 6,144 ----a-w c:\windows\system32\mui\0409\mscorees.dll
- 2006-08-17 12:28:27 332,288 ----a-w c:\windows\system32\netapi32.dll
+ 2008-10-15 16:57:55 332,800 ----a-w c:\windows\system32\netapi32.dll
- 2005-10-11 23:54:50 2,015,232 ----a-w c:\windows\system32\ntkrnlpa.exe
+ 2008-08-14 09:18:46 2,020,864 ----a-w c:\windows\system32\ntkrnlpa.exe
- 2005-10-12 00:18:18 2,136,064 ----a-w c:\windows\system32\ntoskrnl.exe
+ 2008-08-14 09:55:01 2,142,720 ----a-w c:\windows\system32\ntoskrnl.exe
- 2007-10-10 23:55:59 102,400 ------w c:\windows\system32\occache.dll
+ 2008-10-16 20:38:39 102,912 ------w c:\windows\system32\occache.dll
- 2007-08-14 02:36:12 44,544 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\pngfilt.dll
- 2005-08-30 11:54:26 1,287,168 ----a-w c:\windows\system32\quartz.dll
+ 2008-05-07 05:18:48 1,287,680 ----a-w c:\windows\system32\quartz.dll
+ 2008-10-16 22:08:58 34,328 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2008-10-16 22:09:44 43,544 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
- 2006-10-09 04:51:14 14,640 -c----w c:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
- 2006-08-21 17:52:08 246,814 -c--a-w c:\windows\system32\strmdll.dll
+ 2008-10-03 10:15:47 247,326 ----a-w c:\windows\system32\strmdll.dll
+ 2008-10-22 09:47:07 62,976 ------w c:\windows\system32\tzchange.exe
- 2006-03-16 17:06:02 118,784 -c--a-w c:\windows\system32\UCI32105.dll
+ 2006-03-16 17:06:04 118,784 ----a-w c:\windows\system32\Uci32105.dll
- 2007-10-10 23:55:59 105,984 ----a-w c:\windows\system32\url.dll
+ 2008-10-16 20:38:39 105,984 ----a-w c:\windows\system32\url.dll
- 2007-10-10 23:56:00 1,159,680 ----a-w c:\windows\system32\urlmon.dll
+ 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\urlmon.dll
- 2007-10-10 23:56:00 232,960 ----a-w c:\windows\system32\webcheck.dll
+ 2008-10-16 20:38:39 233,472 ----a-w c:\windows\system32\webcheck.dll
- 2005-10-06 00:05:59 1,839,488 ----a-w c:\windows\system32\win32k.sys
+ 2008-09-15 11:57:41 1,846,016 ----a-w c:\windows\system32\win32k.sys
- 2007-10-10 23:56:00 824,832 ----a-w c:\windows\system32\wininet.dll
+ 2008-10-16 20:38:40 826,368 ----a-w c:\windows\system32\wininet.dll
- 2006-10-19 05:47:18 222,208 ----a-w c:\windows\system32\WMASF.dll
+ 2007-10-28 01:40:30 222,720 ----a-w c:\windows\system32\wmasf.dll
- 2006-10-19 05:47:20 937,984 ----a-w c:\windows\system32\WMNetMgr.dll
+ 2008-06-18 13:03:08 938,496 ----a-w c:\windows\system32\WMNetmgr.dll
- 2006-10-19 05:47:20 10,834,432 ----a-w c:\windows\system32\wmp.dll
+ 2007-06-12 07:51:12 10,834,944 ----a-w c:\windows\system32\wmp.dll
- 2006-10-19 05:47:20 295,936 ------w c:\windows\system32\wmpeffects.dll
+ 2008-06-25 02:12:58 295,936 ------w c:\windows\system32\wmpeffects.dll
- 2006-10-19 05:47:22 2,450,944 ----a-w c:\windows\system32\wmvcore.dll
+ 2008-06-18 13:03:14 2,458,112 ----a-w c:\windows\system32\WMVCore.dll
- 2007-07-31 03:19:36 549,720 ----a-w c:\windows\system32\wuapi.dll
+ 2008-10-16 22:12:20 561,688 ----a-w c:\windows\system32\wuapi.dll
- 2007-07-31 03:19:16 53,080 ----a-w c:\windows\system32\wuauclt.exe
+ 2008-10-16 22:09:44 51,224 ----a-w c:\windows\system32\wuauclt.exe
- 2007-07-31 03:19:42 1,712,984 ----a-w c:\windows\system32\wuaueng.dll
+ 2008-10-16 22:13:40 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
- 2007-07-31 03:19:32 325,976 ----a-w c:\windows\system32\wucltui.dll
+ 2008-10-16 22:12:22 323,608 ----a-w c:\windows\system32\wucltui.dll
- 2007-07-31 03:18:40 33,624 ----a-w c:\windows\system32\wups.dll
+ 2008-10-16 22:08:58 34,328 ----a-w c:\windows\system32\wups.dll
- 2007-07-31 03:19:12 43,352 ----a-w c:\windows\system32\wups2.dll
+ 2008-10-16 22:09:44 43,544 ----a-w c:\windows\system32\wups2.dll
- 2007-07-31 03:19:28 203,096 -c--a-w c:\windows\system32\wuweb.dll
+ 2008-10-16 22:13:40 202,776 ----a-w c:\windows\system32\wuweb.dll
+ 2008-12-29 00:37:10 16,384 ----atw c:\windows\temp\Perflib_Perfdata_1e4.dat
+ 2008-12-29 00:36:25 16,384 ----atw c:\windows\temp\Perflib_Perfdata_7f0.dat
+ 2008-10-01 00:42:08 1,286,152 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2008-10-01 00:45:12 91,656 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
+ 2008-04-15 17:54:19 1,724,416 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.3352_x-ww_81af8e88\GdiPlus.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.


Solved Re: Yet another Backdoor.tidserv!inf

Post by carljp on Mon Dec 29, 2008 12:50 am

Part 4:
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 458752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-19 7581696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-19 86016]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"\\Reception\EPSON Stylus CX4800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-02 98304]
"Auto EPSON Stylus CX4800 Series on Reception"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-02 98304]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"MsmqIntCert"="mqrt.dll" [2004-08-04 c:\windows\system32\mqrt.dll]
"Mouse Suite 98 Daemon"="ICO.EXE" [2004-07-14 c:\windows\system32\ICO.EXE]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 c:\windows\KHALMNPR.Exe]

c:\documents and settings\Carl Pantuso\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 09:10 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pool Studio Newsletter.lnk]
backup=c:\windows\pss\Pool Studio Newsletter.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 18:54 623992 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4800 Series]
--a------ 2005-02-02 04:00 98304 c:\windows\system32\spool\drivers\w32x86\3\E_FATIADA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R300 Series]
--a--c--- 2003-06-04 03:00 99840 c:\windows\system32\spool\drivers\w32x86\3\E_S4I2F1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-12-24 15:46 133104 c:\documents and settings\Carl Pantuso\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2005-02-16 22:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a--c--- 2006-09-11 04:40 218032 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2006-09-11 04:40 218032 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2006-09-11 04:40 86960 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 16:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
--a------ 2007-09-06 13:53 169264 c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
--a--c--- 2006-11-06 10:58 159744 c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
-----c--- 2007-10-18 18:12 102400 c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
-----c--- 2005-10-11 09:23 1187840 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
-----c--- 2006-02-09 08:52 643072 c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a--c--- 2007-08-16 08:56 236016 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-10-22 19:36 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-06-16 21:22 794713 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2005-08-18 09:49 307200 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a--c--- 2006-06-02 07:02 61952 c:\windows\system32\CHDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2006-07-19 21:58 1519616 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NAV\1002000.007\SYMEFA.SYS []
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\Drivers\NAV\1002000.007\BHDrvx86.sys [2008-12-27 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\Drivers\NAV\1002000.007\ccHPx86.sys [2008-12-27 362544]
R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20080826.006\IDSxpx86.sys [2008-12-26 274808]
R2 {22D78859-9CE9-4B77-BF18-AC83E81A9263};{22D78859-9CE9-4B77-BF18-AC83E81A9263};\??\c:\program files\HP\QuickPlay\000.fcl [2008-01-20 16:33:48 39408]
R2 Norton AntiVirus;Norton AntiVirus;"c:\program files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe" /s "Norton AntiVirus" /m "c:\program files\Norton AntiVirus\Engine\16.2.0.7\diMaster.dll" /prefetch:1 []
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-26 99376]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\DRIVERS\pelmouse.sys [2006-11-21 16512]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\DRIVERS\pelusblf.sys [2006-11-21 13184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db99d018-452e-11dc-a7d8-001636b16cad}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-28 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Carl Pantuso\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-24 15:46]

2008-12-28 c:\windows\Tasks\system32.job
- c:\windows\system32 [2008-12-28 16:36]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-RegistryMechanic - c:\program files\Registry Mechanic\RegMech.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O16 -: {5879B3B0-566E-4ECB-9B77-9A8A5E62AAB8} - [You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\DSTUpdateLoaderUSB.inf
FF - ProfilePath - c:\documents and settings\Carl Pantuso\Application Data\Mozilla\Firefox\Profiles\musjq95b.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-28 16:36:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???Hf??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{22D78859-9CE9-4B77-BF18-AC83E81A9263}]
"ImagePath"="\??\c:\program files\HP\QuickPlay\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1396)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\msdtc.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\mqsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
.
**************************************************************************
.
Completion time: 2008-12-28 16:40:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-29 00:40:25
ComboFix2.txt 2008-12-28 04:15:29
ComboFix3.txt 2008-12-27 19:40:31
ComboFix4.txt 2008-12-27 18:58:41

Pre-Run: 28,211,994,624 bytes free
Post-Run: 28,141,174,784 bytes free

712 --- E O F --- 2008-12-28 21:50:18


Post by Belahzur on Mon Dec 29, 2008 12:51 am

Hello.
From my earlier instructions, do you still have operating system files shown?



Post by carljp on Mon Dec 29, 2008 12:56 am

I'm sorry, I don't know what you mean.


Post by Belahzur on Mon Dec 29, 2008 1:00 am

Okay, never mind.
Let's do it the XP disc way.
Insert the disc and let me know what drive letter it uses.

Press Start > open "My Computer"
What drive letter is the CD Drive?



Post by carljp on Mon Dec 29, 2008 1:02 am

Drive letter is e:\


Post by Belahzur on Mon Dec 29, 2008 1:07 am

Please make sure the XP disc is in the machine.


  • Now open a new notepad file.
  • Input this into the notepad file:

    expand E:\i386\userinit.ex_ C:\WINDOWS\system32\userinit.exe
    expand E:\i386\userinit.ex_ C:\WINDOWS\system32\dllcache\userinit.exe

  • Save this as look.bat, save it to your desktop.
  • Double click look.bat to run it.
  • A black cmd window will open and close; this is normal.


Once you have done that, please re-run this script to search for the userinit file again.
[You must be registered and logged in to see this link.]



Post by carljp on Mon Dec 29, 2008 1:13 am

Here's what the second script found:
"C:\WINDOWS\system32\userinit.exe" 111616 12/24/2008 09:49 AM
"C:\WINDOWS\system32\dllcache\userinit.exe" 111616 12/24/2008 09:49 AM
"C:\WINDOWS\system32\userinit.exe" 24576 08/04/2004 05:00 AM
"C:\WINDOWS\system32\dllcache\userinit.exe" 24576 08/04/2004 05:00 AM


Post by Belahzur on Mon Dec 29, 2008 1:18 am

Hello.
There are good and bad userinit files now.

Follow this path and navigate to the system32 folder again.
C:\Windows\system32\

Scroll across and find userinit.exe
There may be two of them.
Right click each one and open the Properties of each file.
Look at the file size of each.
One is: 111616 bytes
And the other: 24576 bytes

Delete the one that is 111616 bytes.


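The size comparison Belahzur walks through by hand, written as a small parser for the listing format carljp's search script printed; this is an added example, not code from the thread or from any tool it mentions. It assumes the known-good size of 24576 bytes and the E: disc letter stated in the thread, and only builds `expand` lines (as look.bat does) for a path where no good copy is left.

```python
import re

GOOD_SIZE = 24576  # size of the genuine XP SP2 userinit.exe, as stated in the thread

LINE_RE = re.compile(
    r'^"(?P<path>[^"]+)"\s+(?P<size>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+\s+[AP]M)$')

# The four lines carljp's search script reported, copied from the thread.
SAMPLE = "\n".join([
    r'"C:\WINDOWS\system32\userinit.exe" 111616 12/24/2008 09:49 AM',
    r'"C:\WINDOWS\system32\dllcache\userinit.exe" 111616 12/24/2008 09:49 AM',
    r'"C:\WINDOWS\system32\userinit.exe" 24576 08/04/2004 05:00 AM',
    r'"C:\WINDOWS\system32\dllcache\userinit.exe" 24576 08/04/2004 05:00 AM',
])

def parse_listing(text):
    """Return (path, size, date, time) tuples; reject lines that do not fit the format."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised listing line: {line!r}")
        entries.append((m["path"], int(m["size"]), m["date"], m["time"]))
    return entries

def triage(entries, good_size=GOOD_SIZE):
    """Group copies by path (case-folded, as NTFS is case-insensitive) and classify:
    'clean' = all copies good size, 'extra_copy' = good copy beside an off-size one
    (the thread's case), 'no_good_copy' = only off-size copies, restore from media."""
    by_path = {}
    for path, size, _date, _time in entries:
        by_path.setdefault(path.lower(), []).append(size)
    report = {}
    for path, sizes in by_path.items():
        bad = [s for s in sizes if s != good_size]
        if not bad:
            status = "clean"
        elif any(s == good_size for s in sizes):
            status = "extra_copy"
        else:
            status = "no_good_copy"
        report[path] = (status, bad)
    return report

def restore_commands(report, cd_drive="E:"):
    """The 'expand' lines look.bat uses, only for paths with no good copy left."""
    return [f"expand {cd_drive}\\i386\\userinit.ex_ {path}"
            for path, (status, _bad) in report.items() if status == "no_good_copy"]
```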

Post by carljp on Mon Dec 29, 2008 1:19 am

I only found the good one.


Post by Belahzur on Mon Dec 29, 2008 1:20 am

Is it 24576 bytes?

If so, good.
What problems remain?



Post by carljp on Mon Dec 29, 2008 1:27 am

It is and I'll let you know!
Again, if ever in Las Vegas let me know and I'll get you drunk!


Post by Doctor Inferno on Sat Feb 14, 2009 3:57 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

