Yet another Backdoor.tidserv!inf


Solved Re: Yet another Backdoor.tidserv!inf

Post by carljp on Mon Dec 29, 2008 12:13 am

I have an XP cd from a different machine. Will that work?

carljp
Novice
Posts : 26
Joined : 2008-12-27
OS : windows xp pro sp2
Points : 29010
Likes : 0


Solved Re: Yet another Backdoor.tidserv!inf

Post by Belahzur on Mon Dec 29, 2008 12:18 am

Maybe, but let's try it this way first.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

FMOVE::
c:\windows\system32\userinit.exe | c:\userinit.exe
c:\documents and settings\Carl Pantuso\Desktop\userinit.exe | c:\windows\system32\userinit.exe

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to its terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.




Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
Likes : 1


Solved Re: Yet another Backdoor.tidserv!inf

Post by carljp on Mon Dec 29, 2008 12:43 am

ComboFix 08-12-26.03 - Carl Pantuso 2008-12-28 16:29:56.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1596 [GMT -8:00]
Running from: c:\documents and settings\Carl Pantuso\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Carl Pantuso\Desktop\cfscript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\userinit.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.

2008-12-28 16:36 . 2008-12-28 16:36 496 --a------ c:\windows\system32\win32hlp.cnf
2008-12-27 20:45 . 2008-12-27 20:50 d-------- c:\windows\system32\NtmsData
2008-12-27 20:34 . 2008-12-28 14:03 d-------- c:\windows\system32\CatRoot_bak
2008-12-27 20:34 . 2008-08-14 01:51 138,368 --------- c:\windows\system32\dllcache\afd.sys
2008-12-27 20:33 . 2008-08-14 01:57 2,185,984 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-27 20:33 . 2008-08-14 01:55 2,142,720 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-27 20:33 . 2008-08-14 01:18 2,062,976 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-27 20:33 . 2008-08-14 01:18 2,020,864 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-27 20:33 . 2008-09-15 03:57 1,846,016 --------- c:\windows\system32\dllcache\win32k.sys
2008-12-27 20:12 . 2008-06-13 05:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-12-27 20:12 . 2008-06-13 05:10 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2008-12-26 14:56 . 2008-12-26 14:56 d-------- c:\program files\Norton Support
2008-12-26 14:51 . 2008-12-28 15:47 d-------- c:\windows\system32\drivers\NAV
2008-12-26 14:51 . 2008-12-26 14:51 d-------- c:\program files\Windows Sidebar
2008-12-26 14:51 . 2008-12-26 14:51 d-------- c:\program files\Symantec
2008-12-26 14:51 . 2008-12-26 14:51 d-------- c:\program files\Norton AntiVirus
2008-12-26 14:51 . 2008-12-26 14:51 d-------- c:\documents and settings\All Users\Application Data\Norton
2008-12-26 14:51 . 2008-12-26 14:51 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-26 14:51 . 2008-12-26 14:51 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-26 14:51 . 2008-12-11 19:08 36,272 -ra------ c:\windows\system32\drivers\SymIM.sys
2008-12-26 14:51 . 2008-12-26 14:51 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-26 14:51 . 2008-12-26 14:51 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-12-26 14:49 . 2008-12-26 14:49 d-------- c:\program files\NortonInstaller
2008-12-26 14:49 . 2008-12-26 14:49 d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-24 17:16 . 2008-12-27 20:52 d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-24 13:23 . 2008-12-24 13:23 d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-24 09:49 . 2008-12-24 09:49 111,616 --a------ c:\windows\system32\dllcache\userinit.exe
2008-12-10 11:37 . 2008-12-10 11:37 d-------- c:\windows\system32\drivers\Samsung
2008-12-10 11:37 . 2005-03-02 20:32 151,552 --a------ c:\windows\system32\SUGG1CI.exe
2008-12-10 11:37 . 2004-10-11 04:25 57,344 --a------ c:\windows\system32\SUGG1CI.dll
2008-12-10 11:37 . 2006-08-31 21:05 22,663 --a------ c:\windows\system32\SUGG1LMK.DLL
2008-12-10 11:37 . 2005-07-08 12:54 11,502 --------- c:\windows\Dr. Printer Icon.ico
2008-12-10 11:37 . 2005-09-08 22:04 555 --a------ c:\windows\system32\SUGG1LMK.SMT
2008-12-10 11:36 . 2008-12-10 11:36 d-------- c:\program files\Samsung
2008-12-10 10:05 . 2004-08-10 22:39 41,984 --------- c:\windows\system32\drivers\DGIVECP.SYS
2008-12-01 14:00 . 2008-12-24 17:26 1,324 --a------ c:\windows\system32\d3d9caps.dat
2008-11-29 14:43 . 2008-11-29 14:43 d-------- c:\windows\system32\IOSUBSYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 04:25 --------- d-----w c:\program files\Common Files\Nikon
2008-12-28 04:11 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-27 20:46 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-27 20:46 --------- d-----w c:\program files\NetWaiting
2008-12-27 20:46 --------- d-----w c:\program files\CONEXANT
2008-12-27 20:42 --------- d-----w c:\program files\Creative
2008-12-27 20:33 --------- d-----w c:\program files\NCH Swift Sound
2008-12-27 20:31 --------- d-----w c:\program files\On-Screen Takeoff 3
2008-12-27 20:30 --------- d-----w c:\program files\Common Files\muvee Technologies
2008-12-27 20:28 --------- d-----w c:\program files\Microsoft Works
2008-12-27 20:26 --------- d-----w c:\program files\Hewlett-Packard
2008-12-27 20:24 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLbx.DAT
2008-12-27 20:22 --------- d-----w c:\program files\Common Files\Adobe
2008-12-27 06:57 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\U3
2008-12-26 23:32 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-26 22:45 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\AdobeUM
2008-12-25 07:19 --------- d-----w c:\program files\Topo USA 4.0
2008-12-25 07:18 --------- d-----w c:\program files\Roxio
2008-12-25 07:18 --------- d-----w c:\program files\Rhapsody
2008-12-25 07:18 --------- d-----w c:\program files\QuickTime
2008-12-25 07:16 --------- d-----w c:\program files\Maxtor
2008-12-25 07:15 --------- d-----w c:\program files\Quickensetup
2008-12-25 07:15 --------- d-----w c:\program files\Quicken
2008-12-25 07:15 --------- d-----w c:\program files\Pro Imaging Powertoys
2008-12-25 07:15 --------- d-----w c:\program files\Nikon
2008-12-25 07:15 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-25 07:15 --------- d-----w c:\program files\IrfanView
2008-12-25 07:14 --------- d-----w c:\program files\MyPhotoBooks
2008-12-25 07:14 --------- d-----w c:\program files\My Photo Calendars and Cards
2008-12-25 07:14 --------- d-----w c:\program files\My Photo Books
2008-12-25 07:13 --------- d-----w c:\program files\HPQ
2008-12-25 07:13 --------- d-----w c:\program files\HP
2008-12-25 07:12 --------- d-----w c:\program files\Google
2008-12-25 07:12 --------- d-----w c:\program files\DivX
2008-12-25 07:12 --------- d-----w c:\program files\Common Files\Sonic Shared
2008-12-25 07:12 --------- d-----w c:\program files\Common Files\Roxio Shared
2008-12-25 07:11 --------- d-----w c:\program files\Common Files\Research In Motion
2008-12-25 07:11 --------- d-----w c:\program files\Common Files\LightScribe
2008-12-25 07:11 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-24 22:38 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\Nikon
2008-12-24 22:38 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\muvee Technologies
2008-12-24 22:36 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-21 22:04 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-11-18 20:37 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\Download Manager
2008-11-18 00:43 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\Digilabs
2008-10-31 04:22 --------- d-----w c:\program files\Windows Media Connect 2
2008-10-31 04:22 --------- d-----w c:\program files\SyncToy 2.0 Beta
2008-10-31 04:22 --------- d-----w c:\program files\music_now
2008-10-31 04:22 --------- d-----w c:\program files\Encarta Online
2008-10-31 03:16 --------- d-----w c:\documents and settings\Carl Pantuso\Application Data\0000005738
2008-09-27 04:25 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLck.DAT
2008-05-14 15:35 18,024 ----a-w c:\documents and settings\Carl Pantuso\Application Data\wklnhst.dat
2008-01-09 05:31 20 ---ha-w c:\documents and settings\All Users\Application Data\PKP_DLeh.DAT
2006-12-27 06:20 20 ---ha-w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2008-08-26 05:15 12,208 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-08-04 08:11 16,384 --sha-w c:\windows\system32\config\systemprofile\History\History.IE5\index.dat
2008-08-04 08:11 32,768 --sha-w c:\windows\system32\config\systemprofile\Temporary Internet Files\Content.IE5\index.dat
.

------- Sigcheck -------

2008-04-13 16:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\userinit.exe
2008-12-24 09:49 111616 e7385484625fb48224948ac3fc131f2d c:\windows\system32\userinit.exe
2008-12-24 09:49 111616 e7385484625fb48224948ac3fc131f2d c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.

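An added example, not part of the thread and not ComboFix's own code: a Python script that parses the Sigcheck block of the log above and reports what a responder reads from it, namely that the system32 userinit.exe and its dllcache copy share one hash and size while the SoftwareDistribution copy differs. That pattern means Windows File Protection cannot restore the file on its own, because its own cache copy has been replaced too, which is why the FMOVE step in the post above supplies a separate copy. It assumes the Sigcheck line layout shown in the log (date, time, size, MD5, path); the location labels are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the three Sigcheck lines from the ComboFix log posted in this thread.
# Raw string so the Windows backslashes survive as written.
SIGCHECK_SAMPLE = r"""
2008-04-13 16:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\userinit.exe
2008-12-24 09:49 111616 e7385484625fb48224948ac3fc131f2d c:\windows\system32\userinit.exe
2008-12-24 09:49 111616 e7385484625fb48224948ac3fc131f2d c:\windows\system32\dllcache\userinit.exe
"""

# One Sigcheck line: date, time, size in bytes, MD5, full path (the layout seen in the log above).
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<md5>[0-9a-fA-F]{32}) (?P<path>.+)$"
)


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; lines that do not match the layout are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["size"] = int(entry["size"])
        entry["md5"] = entry["md5"].lower()
        entry["path"] = entry["path"].lower()
        entries.append(entry)
    return entries


def classify_location(path):
    """Where a copy lives: the live system32 file, the WFP dllcache copy, or an install/update source."""
    if "\\dllcache\\" in path:
        return "dllcache"
    if "\\system32\\" in path:
        return "live"
    return "source"  # SoftwareDistribution, ServicePackFiles, i386 and similar (my own label)


def find_suspect_files(entries):
    """Group copies by file name and flag names whose copies do not all share one hash.

    The pattern worth flagging is a live file and its dllcache copy agreeing with each
    other while disagreeing with the update/install source: Windows File Protection
    restores from dllcache, so it cannot repair a file whose cache copy was replaced too.
    """
    by_name = defaultdict(list)
    for entry in entries:
        by_name[entry["path"].rsplit("\\", 1)[-1]].append(entry)

    findings = []
    for name, copies in sorted(by_name.items()):
        hashes = {c["md5"] for c in copies}
        if len(hashes) < 2:
            continue  # all copies identical: nothing to report
        live = [c for c in copies if classify_location(c["path"]) == "live"]
        cache = [c for c in copies if classify_location(c["path"]) == "dllcache"]
        source = [c for c in copies if classify_location(c["path"]) == "source"]
        source_hashes = {s["md5"] for s in source}
        findings.append({
            "name": name,
            "distinct_hashes": len(hashes),
            "cache_matches_live": bool(live and cache and live[0]["md5"] == cache[0]["md5"]),
            "live_differs_from_source": bool(live and source and live[0]["md5"] not in source_hashes),
            "live_size": live[0]["size"] if live else None,
            "source_sizes": sorted(s["size"] for s in source),
        })
    return findings


if __name__ == "__main__":
    for f in find_suspect_files(parse_sigcheck(SIGCHECK_SAMPLE)):
        print(f"{f['name']}: {f['distinct_hashes']} distinct hashes; "
              f"dllcache matches live copy: {f['cache_matches_live']}; "
              f"live copy differs from update source: {f['live_differs_from_source']}; "
              f"sizes live={f['live_size']} source={f['source_sizes']}")
```

The same parser works on any ComboFix Sigcheck block; a file whose copies all match produces no finding.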

Solved Re: Yet another Backdoor.tidserv!inf

Post by carljp on Mon Dec 29, 2008 12:47 am

Part 2:
+ 2007-07-12 23:28:55 765,952 ----a-w c:\windows\$hf_mig$\KB938127-IE7\SP2QFE\vgx.dll
+ 2007-03-06 01:22:36 14,048 ----a-w c:\windows\$hf_mig$\KB938127-IE7\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w c:\windows\$hf_mig$\KB938127-IE7\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w c:\windows\$hf_mig$\KB938127-IE7\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w c:\windows\$hf_mig$\KB938127-IE7\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w c:\windows\$hf_mig$\KB938127-IE7\update\updspapi.dll
+ 2008-07-07 20:06:43 253,952 ----a-w c:\windows\$hf_mig$\KB950974\SP2QFE\es.dll
+ 2008-07-07 20:26:58 253,952 ----a-w c:\windows\$hf_mig$\KB950974\SP3GDR\es.dll
+ 2008-07-07 20:23:18 253,952 ----a-w c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB950974\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB950974\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB950974\update\spcustom.dll
+ 2007-11-30 12:39:18 755,576 ----a-w c:\windows\$hf_mig$\KB950974\update\update.exe
+ 2007-11-30 12:39:19 382,840 ----a-w c:\windows\$hf_mig$\KB950974\update\updspapi.dll
+ 2008-05-07 04:55:40 1,288,192 ----a-w c:\windows\$hf_mig$\KB951698\SP2QFE\quartz.dll
+ 2008-05-07 05:12:40 1,288,192 ----a-w c:\windows\$hf_mig$\KB951698\SP3GDR\quartz.dll
+ 2008-05-07 05:04:15 1,288,192 ----a-w c:\windows\$hf_mig$\KB951698\SP3QFE\quartz.dll
+ 2007-11-30 11:18:51 17,272 ----a-w c:\windows\$hf_mig$\KB951698\spmsg.dll
+ 2007-11-30 11:18:51 231,288 ----a-w c:\windows\$hf_mig$\KB951698\spuninst.exe
+ 2007-11-30 11:18:51 26,488 ----a-w c:\windows\$hf_mig$\KB951698\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB951698\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB951698\update\updspapi.dll
+ 2008-06-24 16:28:00 74,240 ----a-w c:\windows\$hf_mig$\KB952954\SP2QFE\mscms.dll
+ 2008-06-24 16:43:16 74,240 ----a-w c:\windows\$hf_mig$\KB952954\SP3GDR\mscms.dll
+ 2008-06-24 16:53:10 74,240 ----a-w c:\windows\$hf_mig$\KB952954\SP3QFE\mscms.dll
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB952954\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB952954\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB952954\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB952954\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB952954\update\updspapi.dll
+ 2008-10-22 09:47:25 62,976 ----a-w c:\windows\$hf_mig$\KB955839\SP2QFE\tzchange.exe
+ 2008-10-23 10:06:59 62,976 ----a-w c:\windows\$hf_mig$\KB955839\SP3GDR\tzchange.exe
+ 2008-10-23 10:17:49 62,976 ----a-w c:\windows\$hf_mig$\KB955839\SP3QFE\tzchange.exe
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB955839\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB955839\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB955839\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB955839\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB955839\update\updspapi.dll
+ 2008-10-23 12:51:04 284,160 ----a-w c:\windows\$hf_mig$\KB956802\SP2QFE\gdi32.dll
+ 2008-10-23 12:36:14 286,720 ----a-w c:\windows\$hf_mig$\KB956802\SP3GDR\gdi32.dll
+ 2008-10-23 12:43:42 286,720 ----a-w c:\windows\$hf_mig$\KB956802\SP3QFE\gdi32.dll
+ 2008-07-08 13:02:01 17,272 ----a-w c:\windows\$hf_mig$\KB956802\spmsg.dll
+ 2008-07-08 13:02:02 231,288 ----a-w c:\windows\$hf_mig$\KB956802\spuninst.exe
+ 2008-07-08 13:02:01 26,488 ----a-w c:\windows\$hf_mig$\KB956802\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB956802\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB956802\update\updspapi.dll
- 2006-05-10 20:54:04 1,257,472 -c--a-w c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2008-12-28 21:47:16 1,265,664 ----a-w c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
- 2006-05-10 20:46:56 1,224,704 -c--a-w c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2008-12-28 21:47:17 1,232,896 ----a-w c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2008-12-28 21:47:37 61,440 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_27d71bbb\CustomMarshalers.dll
+ 2008-12-28 21:48:27 118,784 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_7548a1ae\CustomMarshalers.dll
+ 2008-12-28 21:48:41 8,908,800 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_5c3ced9a\mscorlib.dll
+ 2008-12-28 21:48:22 3,391,488 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_c10a1af7\mscorlib.dll
+ 2008-12-28 21:48:36 3,395,584 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_a2a48ac7\System.Design.dll
+ 2008-12-28 21:48:18 1,470,464 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_ec9316cc\System.Design.dll
+ 2008-12-28 21:48:27 192,512 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_b8ecb48b\System.Drawing.Design.dll
+ 2008-12-28 21:47:45 90,112 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_fa353716\System.Drawing.Design.dll
+ 2008-12-28 21:48:19 835,584 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_44416046\System.Drawing.dll
+ 2008-12-28 21:48:37 2,244,608 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_46003de9\System.Drawing.dll
+ 2008-12-28 21:48:32 7,884,800 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_3a8990da\System.Windows.Forms.dll
+ 2008-12-28 21:47:58 3,018,752 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_954ad60b\System.Windows.Forms.dll
+ 2008-12-28 21:48:35 5,513,216 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_44531b21\System.Xml.dll
+ 2008-12-28 21:48:10 2,088,960 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_ab0b8d8c\System.Xml.dll
+ 2008-12-28 21:47:30 1,966,080 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_29d53b3b\System.dll
+ 2008-12-28 21:48:27 4,788,224 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_aa45376e\System.dll
+ 2008-06-13 13:10:50 272,128 ------w c:\windows\Driver Cache\i386\bthport.sys
- 2006-05-05 09:41:45 453,120 -c--a-w c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2008-10-24 11:10:42 453,632 ----a-w c:\windows\Driver Cache\i386\mrxsmb.sys
- 2005-10-12 00:18:18 2,136,064 -c--a-w c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-08-14 09:55:01 2,142,720 ----a-w c:\windows\Driver Cache\i386\ntkrnlmp.exe
- 2005-10-11 23:54:50 2,057,344 -c--a-w c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-08-14 09:18:44 2,062,976 ----a-w c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2005-10-11 23:54:50 2,015,232 -c--a-w c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-08-14 09:18:46 2,020,864 ----a-w c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2005-10-12 00:20:27 2,180,096 -c--a-w c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-08-14 09:57:20 2,185,984 ----a-w c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2005-05-04 23:33:52 1,077,312 -c--a-w c:\windows\Help\SBSI\Training\orun32.exe
+ 2006-08-21 23:57:14 1,077,321 ----a-w c:\windows\Help\SBSI\Training\orun32.exe
+ 2007-03-06 01:22:41 213,216 -c----w c:\windows\ie7updates\KB938127-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB938127-IE7\spuninst\updspapi.dll
+ 2007-08-14 02:54:10 765,952 -c----w c:\windows\ie7updates\KB938127-IE7\vgx.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47 371,424 -c----w c:\windows\ie7updates\KB938127-v2-IE7\spuninst\updspapi.dll
+ 2007-07-12 23:31:54 765,952 -c----w c:\windows\ie7updates\KB938127-v2-IE7\vgx.dll
+ 2007-10-10 23:55:51 124,928 -c----w c:\windows\ie7updates\KB958215-IE7\advpack.dll
+ 2007-08-14 02:35:46 346,624 -c----w c:\windows\ie7updates\KB958215-IE7\dxtmsft.dll
+ 2007-10-10 23:55:51 214,528 -c----w c:\windows\ie7updates\KB958215-IE7\dxtrans.dll
+ 2007-10-10 23:55:51 132,608 -c----w c:\windows\ie7updates\KB958215-IE7\extmgr.dll
+ 2007-10-10 23:55:51 63,488 -c----w c:\windows\ie7updates\KB958215-IE7\icardie.dll
+ 2007-10-10 10:59:40 70,656 -c----w c:\windows\ie7updates\KB958215-IE7\ie4uinit.exe
+ 2007-10-10 23:55:51 153,088 -c----w c:\windows\ie7updates\KB958215-IE7\ieakeng.dll
+ 2007-10-10 23:55:51 230,400 -c----w c:\windows\ie7updates\KB958215-IE7\ieaksie.dll
+ 2007-10-10 05:46:55 161,792 -c----w c:\windows\ie7updates\KB958215-IE7\ieakui.dll
+ 2007-10-10 23:55:52 383,488 -c----w c:\windows\ie7updates\KB958215-IE7\ieapfltr.dll
+ 2007-10-10 23:55:52 384,512 -c----w c:\windows\ie7updates\KB958215-IE7\iedkcs32.dll
+ 2007-10-10 23:55:54 6,065,664 -c----w c:\windows\ie7updates\KB958215-IE7\ieframe.dll
+ 2007-10-10 23:55:55 44,544 -c----w c:\windows\ie7updates\KB958215-IE7\iernonce.dll
+ 2007-10-10 23:55:55 267,776 -c----w c:\windows\ie7updates\KB958215-IE7\iertutil.dll
+ 2007-10-10 10:59:40 13,824 -c----w c:\windows\ie7updates\KB958215-IE7\ieudinit.exe
+ 2007-10-10 10:59:52 625,152 -c----w c:\windows\ie7updates\KB958215-IE7\iexplore.exe
+ 2007-10-10 23:55:56 27,648 -c----w c:\windows\ie7updates\KB958215-IE7\jsproxy.dll
+ 2007-10-10 23:55:56 459,264 -c----w c:\windows\ie7updates\KB958215-IE7\msfeeds.dll
+ 2007-10-10 23:55:56 52,224 -c----w c:\windows\ie7updates\KB958215-IE7\msfeedsbs.dll
+ 2007-10-10 23:55:58 478,208 -c----w c:\windows\ie7updates\KB958215-IE7\mshtmled.dll
+ 2007-10-10 23:55:58 193,024 -c----w c:\windows\ie7updates\KB958215-IE7\msrating.dll
+ 2007-10-10 23:55:59 671,232 -c----w c:\windows\ie7updates\KB958215-IE7\mstime.dll
+ 2007-10-10 23:55:59 102,400 -c----w c:\windows\ie7updates\KB958215-IE7\occache.dll
+ 2007-08-14 02:36:12 44,544 -c----w c:\windows\ie7updates\KB958215-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB958215-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB958215-IE7\spuninst\updspapi.dll
+ 2007-10-10 23:55:59 105,984 -c----w c:\windows\ie7updates\KB958215-IE7\url.dll
+ 2007-10-10 23:56:00 1,159,680 -c----w c:\windows\ie7updates\KB958215-IE7\urlmon.dll
+ 2007-10-10 23:56:00 232,960 -c----w c:\windows\ie7updates\KB958215-IE7\webcheck.dll
+ 2007-10-10 23:56:00 824,832 -c----w c:\windows\ie7updates\KB958215-IE7\wininet.dll
+ 2007-10-31 13:12:30 3,590,656 -c----w c:\windows\ie7updates\KB960714-IE7\mshtml.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47 371,424 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\updspapi.dll


Solved Re: Yet another Backdoor.tidserv!inf

Post by carljp on Mon Dec 29, 2008 12:48 am

Part 3:
- 2006-11-02 02:31:34 315,904 ----a-w c:\windows\inf\unregmp2.exe
+ 2007-06-27 06:10:26 317,440 ----a-w c:\windows\inf\unregmp2.exe
+ 2008-12-28 21:44:05 32,768 ----a-r c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
- 2004-07-15 16:49:16 258,048 -c--a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2007-04-14 05:30:52 258,048 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
- 2004-07-15 16:49:22 32,768 -c--a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2007-04-14 05:30:52 32,768 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
- 2004-07-15 15:32:22 81,920 -c--a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2007-04-14 04:57:52 81,920 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2003-02-21 10:09:14 86,016 -c--a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2007-04-14 04:57:58 86,016 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2004-07-15 15:25:06 315,392 -c--a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2007-04-14 04:56:30 315,392 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2004-07-15 15:33:04 102,400 -c--a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
+ 2007-04-14 04:58:00 102,400 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2004-07-16 05:29:02 2,138,112 -c--a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2007-04-14 04:50:46 2,142,208 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
- 2003-02-21 10:09:18 77,824 -c--a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2007-04-14 04:58:02 77,824 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2004-07-15 15:26:52 2,510,848 -c--a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2007-04-14 04:57:00 2,523,136 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
- 2004-07-15 15:28:34 2,502,656 -c--a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2007-04-14 04:57:28 2,514,944 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- 2004-06-23 04:52:22 106,496 -c--a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
+ 2007-01-16 00:11:26 73,728 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
+ 2004-07-15 16:49:16 258,048 -c--a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2976\_aspnet_isapi.dll
+ 2004-07-15 15:32:22 81,920 -c--a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2976\_CORPerfMonExt.dll
+ 2004-07-15 15:24:30 282,624 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2976\_fusion.dll
+ 2004-07-15 15:25:06 315,392 -c--a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2976\_mscorjit.dll
+ 2004-07-16 05:29:02 2,138,112 -c--a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2976\_mscorlib.dll
+ 2003-02-21 10:09:18 77,824 -c--a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2976\_mscorsn.dll
+ 2004-07-15 15:26:52 2,510,848 -c--a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2976\_mscorsvr.dll
+ 2004-07-15 15:28:34 2,502,656 -c--a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2976\_mscorwks.dll
+ 2003-02-21 19:42:22 348,160 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2976\_msvcr71.dll
+ 2004-07-15 15:34:50 94,208 -c--a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2976\_PerfCounter.dll
- 2004-07-16 05:31:16 1,224,704 -c--a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2007-04-14 05:35:38 1,232,896 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2004-10-08 21:20:12 1,257,472 -c--a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2007-04-14 05:35:46 1,265,664 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2007-10-10 23:55:51 124,928 ----a-w c:\windows\system32\advpack.dll
+ 2008-10-16 20:38:34 124,928 ----a-w c:\windows\system32\advpack.dll
- 2007-07-31 03:19:20 92,504 -c--a-w c:\windows\system32\cdm.dll
+ 2008-10-16 22:09:44 92,696 ----a-w c:\windows\system32\cdm.dll
- 2008-09-29 06:17:37 16,384 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-27 20:46:03 16,384 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-09-29 06:17:37 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-27 20:46:03 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-09-29 06:17:37 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-27 20:46:03 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-10-10 23:55:51 124,928 -c----w c:\windows\system32\dllcache\advpack.dll
+ 2008-10-16 20:38:34 124,928 ------w c:\windows\system32\dllcache\advpack.dll
- 2007-07-31 03:19:20 92,504 ----a-w c:\windows\system32\dllcache\cdm.dll
+ 2008-10-16 22:09:44 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
- 2007-08-14 02:35:46 346,624 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dllcache\dxtmsft.dll
- 2007-10-10 23:55:51 214,528 -c----w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-10-16 20:38:34 214,528 ------w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-07-07 20:32:22 253,952 ------w c:\windows\system32\dllcache\es.dll
- 2007-10-10 23:55:51 132,608 ----a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-10-16 20:38:35 133,120 ----a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-10-23 13:01:36 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
- 2007-10-10 23:55:51 63,488 -c----w c:\windows\system32\dllcache\icardie.dll
+ 2008-10-16 20:38:35 63,488 ------w c:\windows\system32\dllcache\icardie.dll
- 2007-10-10 10:59:40 70,656 -c----w c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-10-16 13:11:09 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
- 2007-10-10 23:55:51 153,088 ----a-w c:\windows\system32\dllcache\ieakeng.dll
+ 2008-10-16 20:38:35 153,088 ----a-w c:\windows\system32\dllcache\ieakeng.dll
- 2007-10-10 23:55:51 230,400 ----a-w c:\windows\system32\dllcache\ieaksie.dll
+ 2008-10-16 20:38:35 230,400 ----a-w c:\windows\system32\dllcache\ieaksie.dll
- 2007-10-10 05:46:55 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
+ 2008-10-15 07:04:53 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
- 2007-10-10 23:55:52 383,488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
+ 2008-10-16 20:38:35 383,488 ------w c:\windows\system32\dllcache\ieapfltr.dll
- 2007-10-10 23:55:52 384,512 ----a-w c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-10-16 20:38:35 384,512 ----a-w c:\windows\system32\dllcache\iedkcs32.dll
- 2007-10-10 23:55:54 6,065,664 -c----w c:\windows\system32\dllcache\ieframe.dll
+ 2008-10-16 20:38:37 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
- 2007-10-10 23:55:55 44,544 ----a-w c:\windows\system32\dllcache\iernonce.dll
+ 2008-10-16 20:38:37 44,544 ----a-w c:\windows\system32\dllcache\iernonce.dll
- 2007-10-10 23:55:55 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll
+ 2008-10-16 20:38:37 267,776 ------w c:\windows\system32\dllcache\iertutil.dll
- 2007-10-10 10:59:40 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe
+ 2008-10-16 13:11:09 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
- 2007-10-10 10:59:52 625,152 -c----w c:\windows\system32\dllcache\iexplore.exe
+ 2008-10-15 07:06:26 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
- 2006-11-08 05:06:13 679,424 -c----w c:\windows\system32\dllcache\inetcomm.dll
+ 2008-04-11 18:50:43 683,520 ------w c:\windows\system32\dllcache\inetcomm.dll
- 2007-10-10 23:55:56 27,648 ----a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-10-16 20:38:37 27,648 ----a-w c:\windows\system32\dllcache\jsproxy.dll
- 2006-10-19 04:03:58 100,864 ----a-w c:\windows\system32\dllcache\logagent.exe
+ 2008-06-18 09:09:22 100,864 ----a-w c:\windows\system32\dllcache\logagent.exe
- 2006-05-05 09:41:45 453,120 -c----w c:\windows\system32\dllcache\mrxsmb.sys
+ 2008-10-24 11:10:42 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
- 2004-08-04 21:00:00 331,776 ----a-w c:\windows\system32\dllcache\msadce.dll
+ 2008-05-01 14:30:33 331,776 ----a-w c:\windows\system32\dllcache\msadce.dll
+ 2008-06-24 16:23:05 74,240 ------w c:\windows\system32\dllcache\mscms.dll
- 2007-10-10 23:55:56 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll
+ 2008-10-16 20:38:37 459,264 ------w c:\windows\system32\dllcache\msfeeds.dll
- 2007-10-10 23:55:56 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-10-16 20:38:37 52,224 ------w c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-10-31 13:12:30 3,590,656 -c----w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
- 2007-10-10 23:55:58 478,208 -c----w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-10-16 20:38:38 477,696 ------w c:\windows\system32\dllcache\mshtmled.dll
- 2007-10-10 23:55:58 193,024 -c----w c:\windows\system32\dllcache\msrating.dll
+ 2008-10-16 20:38:38 193,024 ------w c:\windows\system32\dllcache\msrating.dll
- 2007-10-10 23:55:59 671,232 ----a-w c:\windows\system32\dllcache\mstime.dll
+ 2008-10-16 20:38:39 671,232 ----a-w c:\windows\system32\dllcache\mstime.dll
- 2006-09-13 05:01:56 1,084,416 -c----w c:\windows\system32\dllcache\msxml3.dll
+ 2008-09-04 16:42:02 1,106,944 ------w c:\windows\system32\dllcache\msxml3.dll
- 2006-08-17 12:28:27 332,288 -c----w c:\windows\system32\dllcache\netapi32.dll
+ 2008-10-15 16:57:55 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
- 2007-10-10 23:55:59 102,400 -c----w c:\windows\system32\dllcache\occache.dll
+ 2008-10-16 20:38:39 102,912 ------w c:\windows\system32\dllcache\occache.dll
- 2007-08-14 02:36:12 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-05-07 05:18:48 1,287,680 ------w c:\windows\system32\dllcache\quartz.dll
- 2006-07-13 08:48:58 202,240 -c----w c:\windows\system32\dllcache\rmcast.sys
+ 2008-05-08 12:28:49 202,752 ------w c:\windows\system32\dllcache\rmcast.sys
- 2006-08-14 10:34:41 332,928 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-08-28 10:04:17 333,056 ------w c:\windows\system32\dllcache\srv.sys
- 2006-08-21 17:52:08 246,814 ----a-w c:\windows\system32\dllcache\strmdll.dll
+ 2008-10-03 10:15:47 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
- 2006-11-02 02:31:34 315,904 -c--a-w c:\windows\system32\dllcache\unregmp2.exe
+ 2007-06-27 06:10:26 317,440 ----a-w c:\windows\system32\dllcache\unregmp2.exe
- 2007-10-10 23:55:59 105,984 -c----w c:\windows\system32\dllcache\url.dll
+ 2008-10-16 20:38:39 105,984 ------w c:\windows\system32\dllcache\url.dll
- 2007-10-10 23:56:00 1,159,680 -c----w c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-16 20:38:39 1,160,192 ------w c:\windows\system32\dllcache\urlmon.dll


Post by carljp on Mon Dec 29, 2008 12:48 am

- 2007-08-14 02:54:10 765,952 ----a-w c:\windows\system32\dllcache\vgx.dll
+ 2008-05-27 17:23:58 765,952 ----a-w c:\windows\system32\dllcache\vgx.dll
- 2007-10-10 23:56:00 232,960 -c----w c:\windows\system32\dllcache\webcheck.dll
+ 2008-10-16 20:38:39 233,472 ------w c:\windows\system32\dllcache\webcheck.dll
- 2007-10-10 23:56:00 824,832 -c----w c:\windows\system32\dllcache\wininet.dll
+ 2008-10-16 20:38:40 826,368 ------w c:\windows\system32\dllcache\wininet.dll
- 2006-10-19 05:47:18 222,208 -c--a-w c:\windows\system32\dllcache\WMASF.dll
+ 2007-10-28 01:40:30 222,720 ----a-w c:\windows\system32\dllcache\wmasf.dll
- 2006-10-19 05:47:20 937,984 -c--a-w c:\windows\system32\dllcache\WMNetMgr.dll
+ 2008-06-18 13:03:08 938,496 ----a-w c:\windows\system32\dllcache\WMNetmgr.dll
- 2006-10-19 05:47:20 10,834,432 -c--a-w c:\windows\system32\dllcache\wmp.dll
+ 2007-06-12 07:51:12 10,834,944 ----a-w c:\windows\system32\dllcache\wmp.dll
- 2006-10-19 05:47:22 2,450,944 -c--a-w c:\windows\system32\dllcache\wmvcore.dll
+ 2008-06-18 13:03:14 2,458,112 ----a-w c:\windows\system32\dllcache\WMVCore.dll
- 2007-07-31 03:19:36 549,720 -c--a-w c:\windows\system32\dllcache\wuapi.dll
+ 2008-10-16 22:12:20 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
- 2007-07-31 03:19:16 53,080 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
+ 2008-10-16 22:09:44 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
- 2007-07-31 03:19:42 1,712,984 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
+ 2008-10-16 22:13:40 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
- 2007-07-31 03:19:32 325,976 -c--a-w c:\windows\system32\dllcache\wucltui.dll
+ 2008-10-16 22:12:22 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
- 2007-07-31 03:18:40 33,624 -c--a-w c:\windows\system32\dllcache\wups.dll
+ 2008-10-16 22:08:58 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
- 2007-07-31 03:19:28 203,096 ----a-w c:\windows\system32\dllcache\wuweb.dll
+ 2008-10-16 22:13:40 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
- 2004-08-04 21:00:00 138,496 ----a-w c:\windows\system32\drivers\afd.sys
+ 2008-08-14 09:51:43 138,368 ----a-w c:\windows\system32\drivers\afd.sys
- 2006-05-05 09:41:45 453,120 ----a-w c:\windows\system32\drivers\mrxsmb.sys
+ 2008-10-24 11:10:42 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
+ 2008-12-12 03:08:45 255,536 ----a-w c:\windows\system32\drivers\NAV\1002000.007\BHDrvx86.sys
+ 2008-12-26 22:51:35 362,544 ----a-w c:\windows\system32\drivers\NAV\1002000.007\cchpx86.sys
+ 2008-12-12 03:08:48 306,736 ----a-w c:\windows\system32\drivers\NAV\1002000.007\srtsp.sys
+ 2008-12-12 03:08:48 43,696 ----a-w c:\windows\system32\drivers\NAV\1002000.007\srtspx.sys
+ 2008-12-12 03:08:48 12,976 ----a-w c:\windows\system32\drivers\NAV\1002000.007\symdns.sys
+ 2008-12-12 03:08:48 309,296 ----a-w c:\windows\system32\drivers\NAV\1002000.007\SymEFA.sys
+ 2008-12-12 03:08:48 89,904 ----a-w c:\windows\system32\drivers\NAV\1002000.007\symfw.sys
+ 2008-12-12 03:08:48 34,608 ----a-w c:\windows\system32\drivers\NAV\1002000.007\symids.sys
+ 2008-12-12 03:08:48 37,424 ----a-w c:\windows\system32\drivers\NAV\1002000.007\symndis.sys
+ 2008-12-12 03:08:48 40,496 ----a-w c:\windows\system32\drivers\NAV\1002000.007\symndisv.sys
+ 2008-12-12 03:08:48 24,624 ----a-w c:\windows\system32\drivers\NAV\1002000.007\symredrv.sys
+ 2008-12-12 03:08:49 198,192 ----a-w c:\windows\system32\drivers\NAV\1002000.007\symtdi.sys
- 2006-07-13 08:48:58 202,240 ----a-w c:\windows\system32\drivers\rmcast.sys
+ 2008-05-08 12:28:49 202,752 ----a-w c:\windows\system32\drivers\rmcast.sys
- 2006-08-14 10:34:41 332,928 ----a-w c:\windows\system32\drivers\srv.sys
+ 2008-08-28 10:04:17 333,056 ----a-w c:\windows\system32\drivers\srv.sys
- 2007-08-14 02:35:46 346,624 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dxtmsft.dll
- 2007-10-10 23:55:51 214,528 ------w c:\windows\system32\dxtrans.dll
+ 2008-10-16 20:38:34 214,528 ------w c:\windows\system32\dxtrans.dll
- 2005-07-26 04:39:45 243,200 ----a-w c:\windows\system32\es.dll
+ 2008-07-07 20:32:22 253,952 ----a-w c:\windows\system32\es.dll
- 2007-10-10 23:55:51 132,608 -c----w c:\windows\system32\extmgr.dll
+ 2008-10-16 20:38:35 133,120 ------w c:\windows\system32\extmgr.dll
- 2008-11-24 16:06:43 2,223,600 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-12-28 22:31:06 2,219,704 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2005-12-29 10:54:36 280,064 ----a-w c:\windows\system32\gdi32.dll
+ 2008-10-23 13:01:36 283,648 ----a-w c:\windows\system32\gdi32.dll
- 2007-10-10 23:55:51 63,488 -c--a-w c:\windows\system32\icardie.dll
+ 2008-10-16 20:38:35 63,488 ----a-w c:\windows\system32\icardie.dll
- 2007-10-10 10:59:40 70,656 ------w c:\windows\system32\ie4uinit.exe
+ 2008-10-16 13:11:09 70,656 ------w c:\windows\system32\ie4uinit.exe
- 2007-10-10 23:55:51 153,088 -c----w c:\windows\system32\ieakeng.dll
+ 2008-10-16 20:38:35 153,088 ------w c:\windows\system32\ieakeng.dll
- 2007-10-10 23:55:51 230,400 -c----w c:\windows\system32\ieaksie.dll
+ 2008-10-16 20:38:35 230,400 ------w c:\windows\system32\ieaksie.dll
- 2007-10-10 05:46:55 161,792 -c----w c:\windows\system32\ieakui.dll
+ 2008-10-15 07:04:53 161,792 ------w c:\windows\system32\ieakui.dll
- 2007-10-10 23:55:52 383,488 ----a-w c:\windows\system32\ieapfltr.dll
+ 2008-10-16 20:38:35 383,488 ----a-w c:\windows\system32\ieapfltr.dll
- 2007-10-10 23:55:52 384,512 -c----w c:\windows\system32\iedkcs32.dll
+ 2008-10-16 20:38:35 384,512 ------w c:\windows\system32\iedkcs32.dll
- 2007-10-10 23:55:54 6,065,664 ----a-w c:\windows\system32\ieframe.dll
+ 2008-10-16 20:38:37 6,066,176 ----a-w c:\windows\system32\ieframe.dll
- 2007-10-10 23:55:55 44,544 -c----w c:\windows\system32\iernonce.dll
+ 2008-10-16 20:38:37 44,544 ------w c:\windows\system32\iernonce.dll
- 2007-10-10 23:55:55 267,776 ----a-w c:\windows\system32\iertutil.dll
+ 2008-10-16 20:38:37 267,776 ----a-w c:\windows\system32\iertutil.dll
- 2007-10-10 10:59:40 13,824 -c--a-w c:\windows\system32\ieudinit.exe
+ 2008-10-16 13:11:09 13,824 ----a-w c:\windows\system32\ieudinit.exe
- 2006-11-08 05:06:13 679,424 ----a-w c:\windows\system32\inetcomm.dll
+ 2008-04-11 18:50:43 683,520 ----a-w c:\windows\system32\inetcomm.dll
- 2007-10-10 23:55:56 27,648 -c----w c:\windows\system32\jsproxy.dll
+ 2008-10-16 20:38:37 27,648 ------w c:\windows\system32\jsproxy.dll
- 2006-10-19 04:03:58 100,864 -c--a-w c:\windows\system32\logagent.exe
+ 2008-06-18 09:09:22 100,864 ----a-w c:\windows\system32\logagent.exe
- 2005-06-29 09:46:00 74,240 ----a-w c:\windows\system32\mscms.dll
+ 2008-06-24 16:23:05 74,240 ----a-w c:\windows\system32\mscms.dll
- 2005-09-23 15:28:52 270,848 ----a-w c:\windows\system32\mscoree.dll
+ 2006-12-22 20:28:14 271,360 ----a-w c:\windows\system32\mscoree.dll
- 2007-10-10 23:55:56 459,264 -c--a-w c:\windows\system32\msfeeds.dll
+ 2008-10-16 20:38:37 459,264 ----a-w c:\windows\system32\msfeeds.dll
- 2007-10-10 23:55:56 52,224 -c--a-w c:\windows\system32\msfeedsbs.dll
+ 2008-10-16 20:38:37 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
- 2007-10-31 13:12:30 3,590,656 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
- 2007-10-10 23:55:58 478,208 ------w c:\windows\system32\mshtmled.dll
+ 2008-10-16 20:38:38 477,696 ------w c:\windows\system32\mshtmled.dll
- 2007-10-10 23:55:58 193,024 ------w c:\windows\system32\msrating.dll
+ 2008-10-16 20:38:38 193,024 ------w c:\windows\system32\msrating.dll
- 2007-10-10 23:55:59 671,232 -c----w c:\windows\system32\mstime.dll
+ 2008-10-16 20:38:39 671,232 ------w c:\windows\system32\mstime.dll
- 2006-09-13 05:01:56 1,084,416 ----a-w c:\windows\system32\msxml3.dll
+ 2008-09-04 16:42:02 1,106,944 ----a-w c:\windows\system32\msxml3.dll
- 2006-11-04 22:14:00 1,245,696 ----a-w c:\windows\system32\msxml4.dll
+ 2008-10-01 00:43:34 1,286,152 ----a-w c:\windows\system32\msxml4.dll
- 2006-12-04 21:37:58 1,317,648 ----a-w c:\windows\system32\msxml6.dll
+ 2008-08-30 04:06:44 1,350,664 ----a-w c:\windows\system32\msxml6.dll
- 2005-09-23 15:29:00 6,144 -c--a-w c:\windows\system32\mui\0409\mscorees.dll
+ 2006-12-22 21:02:36 6,144 ----a-w c:\windows\system32\mui\0409\mscorees.dll
- 2006-08-17 12:28:27 332,288 ----a-w c:\windows\system32\netapi32.dll
+ 2008-10-15 16:57:55 332,800 ----a-w c:\windows\system32\netapi32.dll
- 2005-10-11 23:54:50 2,015,232 ----a-w c:\windows\system32\ntkrnlpa.exe
+ 2008-08-14 09:18:46 2,020,864 ----a-w c:\windows\system32\ntkrnlpa.exe
- 2005-10-12 00:18:18 2,136,064 ----a-w c:\windows\system32\ntoskrnl.exe
+ 2008-08-14 09:55:01 2,142,720 ----a-w c:\windows\system32\ntoskrnl.exe
- 2007-10-10 23:55:59 102,400 ------w c:\windows\system32\occache.dll
+ 2008-10-16 20:38:39 102,912 ------w c:\windows\system32\occache.dll
- 2007-08-14 02:36:12 44,544 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\pngfilt.dll
- 2005-08-30 11:54:26 1,287,168 ----a-w c:\windows\system32\quartz.dll
+ 2008-05-07 05:18:48 1,287,680 ----a-w c:\windows\system32\quartz.dll
+ 2008-10-16 22:08:58 34,328 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2008-10-16 22:09:44 43,544 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
- 2006-10-09 04:51:14 14,640 -c----w c:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
- 2006-08-21 17:52:08 246,814 -c--a-w c:\windows\system32\strmdll.dll
+ 2008-10-03 10:15:47 247,326 ----a-w c:\windows\system32\strmdll.dll
+ 2008-10-22 09:47:07 62,976 ------w c:\windows\system32\tzchange.exe
- 2006-03-16 17:06:02 118,784 -c--a-w c:\windows\system32\UCI32105.dll
+ 2006-03-16 17:06:04 118,784 ----a-w c:\windows\system32\Uci32105.dll
- 2007-10-10 23:55:59 105,984 ----a-w c:\windows\system32\url.dll
+ 2008-10-16 20:38:39 105,984 ----a-w c:\windows\system32\url.dll
- 2007-10-10 23:56:00 1,159,680 ----a-w c:\windows\system32\urlmon.dll
+ 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\urlmon.dll
- 2007-10-10 23:56:00 232,960 ----a-w c:\windows\system32\webcheck.dll
+ 2008-10-16 20:38:39 233,472 ----a-w c:\windows\system32\webcheck.dll
- 2005-10-06 00:05:59 1,839,488 ----a-w c:\windows\system32\win32k.sys
+ 2008-09-15 11:57:41 1,846,016 ----a-w c:\windows\system32\win32k.sys
- 2007-10-10 23:56:00 824,832 ----a-w c:\windows\system32\wininet.dll
+ 2008-10-16 20:38:40 826,368 ----a-w c:\windows\system32\wininet.dll
- 2006-10-19 05:47:18 222,208 ----a-w c:\windows\system32\WMASF.dll
+ 2007-10-28 01:40:30 222,720 ----a-w c:\windows\system32\wmasf.dll
- 2006-10-19 05:47:20 937,984 ----a-w c:\windows\system32\WMNetMgr.dll
+ 2008-06-18 13:03:08 938,496 ----a-w c:\windows\system32\WMNetmgr.dll
- 2006-10-19 05:47:20 10,834,432 ----a-w c:\windows\system32\wmp.dll
+ 2007-06-12 07:51:12 10,834,944 ----a-w c:\windows\system32\wmp.dll
- 2006-10-19 05:47:20 295,936 ------w c:\windows\system32\wmpeffects.dll
+ 2008-06-25 02:12:58 295,936 ------w c:\windows\system32\wmpeffects.dll
- 2006-10-19 05:47:22 2,450,944 ----a-w c:\windows\system32\wmvcore.dll
+ 2008-06-18 13:03:14 2,458,112 ----a-w c:\windows\system32\WMVCore.dll
- 2007-07-31 03:19:36 549,720 ----a-w c:\windows\system32\wuapi.dll
+ 2008-10-16 22:12:20 561,688 ----a-w c:\windows\system32\wuapi.dll
- 2007-07-31 03:19:16 53,080 ----a-w c:\windows\system32\wuauclt.exe
+ 2008-10-16 22:09:44 51,224 ----a-w c:\windows\system32\wuauclt.exe
- 2007-07-31 03:19:42 1,712,984 ----a-w c:\windows\system32\wuaueng.dll
+ 2008-10-16 22:13:40 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
- 2007-07-31 03:19:32 325,976 ----a-w c:\windows\system32\wucltui.dll
+ 2008-10-16 22:12:22 323,608 ----a-w c:\windows\system32\wucltui.dll
- 2007-07-31 03:18:40 33,624 ----a-w c:\windows\system32\wups.dll
+ 2008-10-16 22:08:58 34,328 ----a-w c:\windows\system32\wups.dll
- 2007-07-31 03:19:12 43,352 ----a-w c:\windows\system32\wups2.dll
+ 2008-10-16 22:09:44 43,544 ----a-w c:\windows\system32\wups2.dll
- 2007-07-31 03:19:28 203,096 -c--a-w c:\windows\system32\wuweb.dll
+ 2008-10-16 22:13:40 202,776 ----a-w c:\windows\system32\wuweb.dll
+ 2008-12-29 00:37:10 16,384 ----atw c:\windows\temp\Perflib_Perfdata_1e4.dat
+ 2008-12-29 00:36:25 16,384 ----atw c:\windows\temp\Perflib_Perfdata_7f0.dat
+ 2008-10-01 00:42:08 1,286,152 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2008-10-01 00:45:12 91,656 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
+ 2008-04-15 17:54:19 1,724,416 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.3352_x-ww_81af8e88\GdiPlus.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.


Post by carljp on Mon Dec 29, 2008 12:50 am

Part 4:
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 458752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-19 7581696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-19 86016]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"\\Reception\EPSON Stylus CX4800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-02 98304]
"Auto EPSON Stylus CX4800 Series on Reception"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-02 98304]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"MsmqIntCert"="mqrt.dll" [2004-08-04 c:\windows\system32\mqrt.dll]
"Mouse Suite 98 Daemon"="ICO.EXE" [2004-07-14 c:\windows\system32\ICO.EXE]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 c:\windows\KHALMNPR.Exe]

c:\documents and settings\Carl Pantuso\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 09:10 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pool Studio Newsletter.lnk]
backup=c:\windows\pss\Pool Studio Newsletter.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 18:54 623992 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4800 Series]
--a------ 2005-02-02 04:00 98304 c:\windows\system32\spool\drivers\w32x86\3\E_FATIADA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R300 Series]
--a--c--- 2003-06-04 03:00 99840 c:\windows\system32\spool\drivers\w32x86\3\E_S4I2F1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-12-24 15:46 133104 c:\documents and settings\Carl Pantuso\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2005-02-16 22:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a--c--- 2006-09-11 04:40 218032 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2006-09-11 04:40 218032 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2006-09-11 04:40 86960 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 16:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
--a------ 2007-09-06 13:53 169264 c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
--a--c--- 2006-11-06 10:58 159744 c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
-----c--- 2007-10-18 18:12 102400 c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
-----c--- 2005-10-11 09:23 1187840 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
-----c--- 2006-02-09 08:52 643072 c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a--c--- 2007-08-16 08:56 236016 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-10-22 19:36 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-06-16 21:22 794713 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2005-08-18 09:49 307200 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a--c--- 2006-06-02 07:02 61952 c:\windows\system32\CHDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2006-07-19 21:58 1519616 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NAV\1002000.007\SYMEFA.SYS []
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\Drivers\NAV\1002000.007\BHDrvx86.sys [2008-12-27 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\Drivers\NAV\1002000.007\ccHPx86.sys [2008-12-27 362544]
R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20080826.006\IDSxpx86.sys [2008-12-26 274808]
R2 {22D78859-9CE9-4B77-BF18-AC83E81A9263};{22D78859-9CE9-4B77-BF18-AC83E81A9263};\??\c:\program files\HP\QuickPlay\000.fcl [2008-01-20 16:33:48 39408]
R2 Norton AntiVirus;Norton AntiVirus;"c:\program files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe" /s "Norton AntiVirus" /m "c:\program files\Norton AntiVirus\Engine\16.2.0.7\diMaster.dll" /prefetch:1 []
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-26 99376]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\DRIVERS\pelmouse.sys [2006-11-21 16512]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\DRIVERS\pelusblf.sys [2006-11-21 13184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db99d018-452e-11dc-a7d8-001636b16cad}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-28 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Carl Pantuso\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-24 15:46]

2008-12-28 c:\windows\Tasks\system32.job
- c:\windows\system32 [2008-12-28 16:36]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-RegistryMechanic - c:\program files\Registry Mechanic\RegMech.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O16 -: {5879B3B0-566E-4ECB-9B77-9A8A5E62AAB8} - [You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\DSTUpdateLoaderUSB.inf
FF - ProfilePath - c:\documents and settings\Carl Pantuso\Application Data\Mozilla\Firefox\Profiles\musjq95b.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-28 16:36:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???Hf??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{22D78859-9CE9-4B77-BF18-AC83E81A9263}]
"ImagePath"="\??\c:\program files\HP\QuickPlay\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1396)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\msdtc.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\mqsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
.
**************************************************************************
.
Completion time: 2008-12-28 16:40:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-29 00:40:25
ComboFix2.txt 2008-12-28 04:15:29
ComboFix3.txt 2008-12-27 19:40:31
ComboFix4.txt 2008-12-27 18:58:41

Pre-Run: 28,211,994,624 bytes free
Post-Run: 28,141,174,784 bytes free

712 --- E O F --- 2008-12-28 21:50:18


Post by Belahzur on Mon Dec 29, 2008 12:51 am

Hello.
From my earlier instructions, do you still have operating system files shown?



Post by carljp on Mon Dec 29, 2008 12:56 am

I'm sorry, I don't know what you mean.


Post by Belahzur on Mon Dec 29, 2008 1:00 am

Okay, never mind.
Let's do it the XP disc way.
Insert the disc and let me know what drive letter it uses.

Press Start > open "My Computer"
What drive letter is the CD Drive?



Post by carljp on Mon Dec 29, 2008 1:02 am

Drive letter is e:\


Post by Belahzur on Mon Dec 29, 2008 1:07 am

Please make sure the XP disc is in the machine.


  • Now open a new notepad file.
  • Input this into the notepad file:

    expand E:\i386\userinit.ex_ C:\WINDOWS\system32\userinit.exe
    expand E:\i386\userinit.ex_ C:\WINDOWS\system32\dllcache\userinit.exe

  • Save this as look.bat, save it to your desktop.
  • Double click look.bat to run it.
  • A black cmd window will open and close; this is normal.


Once you have done that, please re-run this script to search for the userinit file again.
[You must be registered and logged in to see this link.]



Post by carljp on Mon Dec 29, 2008 1:13 am

Here's what the second script found:
"C:\WINDOWS\system32\userinit.exe" 111616 12/24/2008 09:49 AM
"C:\WINDOWS\system32\dllcache\userinit.exe" 111616 12/24/2008 09:49 AM
"C:\WINDOWS\system32\userinit.exe" 24576 08/04/2004 05:00 AM
"C:\WINDOWS\system32\dllcache\userinit.exe" 24576 08/04/2004 05:00 AM


Post by Belahzur on Mon Dec 29, 2008 1:18 am

Hello.
There are good and bad userinit files now.

Follow this path and navigate to the system32 folder again.
C:\Windows\system32\

Scroll across and find userinit.exe.
There may be two of them.
Right click each one and open the Properties of each file.
Look at the file size of each.
One is: 111616 bytes
And the other: 24576 bytes

Delete the one that is 111616 bytes.

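The two helper posts above first restore userinit.exe from the install CD with `expand` (into both system32 and its dllcache copy) and then tell the clean copy from the planted one by size: 24576 bytes versus 111616 bytes. The script below is an added example and is not part of the thread or of any tool mentioned in it. It parses output in the format of the helper's search script (the sample lines are constructed to mirror that format, not copied from the user's post), flags every copy whose size differs from the known-good size, reports paths that appear more than once (the "there may be two of them" case), and checks that the system32 and dllcache copies of each file agree in size, which is what a successful expand should leave behind. The function names, the listing regex and the sample lines are this example's own assumptions.

```python
import re
from collections import defaultdict
from ntpath import basename, normcase

# Constructed sample listing (not taken from the thread verbatim, but in the same
# '"<path>" <size> <date> <time>' format that the helper's search script printed).
SAMPLE_LISTING = r'''
"C:\WINDOWS\system32\userinit.exe" 111616 12/24/2008 09:49 AM
"C:\WINDOWS\system32\dllcache\userinit.exe" 111616 12/24/2008 09:49 AM
"C:\WINDOWS\system32\userinit.exe" 24576 08/04/2004 05:00 AM
"C:\WINDOWS\system32\dllcache\userinit.exe" 24576 08/04/2004 05:00 AM
'''

# Size of the clean XP SP2 userinit.exe as stated in the thread (24,576 bytes).
KNOWN_GOOD_SIZE = 24576

# One listing line: a quoted path, a byte count, a US-style date and a 12-hour time.
LINE_RE = re.compile(
    r'^"(?P<path>[^"]+)"\s+(?P<size>\d+)\s+'
    r'(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{1,2}:\d{2} [AP]M)$'
)


def parse_listing(text):
    """Turn the search-script output into dicts; an unknown line raises instead of being skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised listing line: {line!r}")
        entries.append({
            "path": normcase(m["path"]),  # Windows paths are case-insensitive
            "size": int(m["size"]),
            "stamp": f"{m['date']} {m['time']}",
        })
    return entries


def find_suspects(entries, expected_size=KNOWN_GOOD_SIZE):
    """Every copy whose size differs from the known-good size is a candidate for removal."""
    return [e for e in entries if e["size"] != expected_size]


def duplicate_paths(entries):
    """Paths reported more than once: the 'there may be two of them' situation."""
    seen = defaultdict(list)
    for e in entries:
        seen[e["path"]].append(e["size"])
    return {p: sorted(s) for p, s in seen.items() if len(s) > 1}


def inconsistent_names(entries):
    """File names whose copies (system32 vs dllcache) do not all share one size.
    After expanding from the install CD both copies should be byte-identical."""
    by_name = defaultdict(set)
    for e in entries:
        by_name[basename(e["path"])].add(e["size"])
    return {n: sorted(s) for n, s in by_name.items() if len(s) > 1}


def report(text, expected_size=KNOWN_GOOD_SIZE):
    """Human-readable findings; an empty finding list collapses to a single OK line."""
    entries = parse_listing(text)
    lines = []
    for e in find_suspects(entries, expected_size):
        lines.append(f"SUSPECT   {e['path']}  {e['size']} bytes  ({e['stamp']})")
    for p, sizes in duplicate_paths(entries).items():
        lines.append(f"DUPLICATE {p} listed with sizes {sizes}")
    for n, sizes in inconsistent_names(entries).items():
        lines.append(f"MISMATCH  {n} copies differ in size: {sizes}")
    if not lines:
        lines.append("OK: every copy matches the known-good size")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LISTING)))
```

Run against the constructed sample it reports the two 111616-byte copies as suspects, both paths as duplicates, and userinit.exe as having copies of two different sizes; a listing with only 24576-byte copies produces the single OK line, which is the state the helper was checking for in the follow-up post.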


Post by carljp on Mon Dec 29, 2008 1:19 am

I only found the good one


Post by Belahzur on Mon Dec 29, 2008 1:20 am

Is it 24576 bytes?

If so, good.
What problems remain?



Post by carljp on Mon Dec 29, 2008 1:27 am

It is and I'll let you know!
Again, if ever in Las Vegas let me know and I'll get you drunk!


Post by Doctor Inferno on Sat Feb 14, 2009 3:57 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

