Backdoor.Tideserv strikes again! RLR


Post by RLR on 27th April 2009, 10:49 pm

I've been experiencing problems with my computer. I ran Symantec AntiVirus and it detected backdoor.tidserv in my temp files. I tried to delete it or quarantine it but it doesn't seem to work. In addition to that, I can't access my C or D drives because it says RECYCLER\S-0-0-68-100013072--100026458-1368.com. When I do a search on Google or any one of them and when I try to open that link, it redirects me to some advertising I've never heard of. I also followed the instructions you laid out on your web site to do before I get to this point. In Symantec the file names are TDSSe60btmp and TDSS815d.tmp. I hope I have given you all the information you need.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:12:35 PM, on 4/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\twc\medicsp2\bin\sprtcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Rick Richmond\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Rick Richmond\Application Data\mjusbsp\magicJack.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Rick Richmond\Desktop\hijackgpthis 04 27 09.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Road Runner High Speed Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [DigidesignMMERefresh] E:\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [medicsp2] C:\Program Files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [FirePod] C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Uninstall getPlus(R) for Adobe] "C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1noarp
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Rick Richmond\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [AbacastDistributedOnDemand:11] C:\Documents and Settings\Rick Richmond\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe -r:11 -x:1
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C42DBBD-2735-41DC-A0A3-53605FDBB13B}: NameServer = 85.255.112.107,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8A25EC9-CBE1-4BD2-89C4-F22F1698D8D8}: NameServer = 85.255.112.107,85.255.112.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.107,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.107,85.255.112.226
O20 - Winlogon Notify: pptp32 - pptp32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - E:\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SupportSoft Sprocket Service (medicsp2) (sprtsvc_medicsp2) - SupportSoft, Inc. - C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)

--
End of file - 11805 bytes


Post by Belahzur on 27th April 2009, 11:17 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1C42DBBD-2735-41DC-A0A3-53605FDBB13B}: NameServer = 85.255.112.107,85.255.112.226
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C8A25EC9-CBE1-4BD2-89C4-F22F1698D8D8}: NameServer = 85.255.112.107,85.255.112.226
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.107,85.255.112.226
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.107,85.255.112.226
    O20 - Winlogon Notify: pptp32 - pptp32.dll (file missing)


  • Press "Fix Checked"
  • Close Hijack This.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.
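The entries Belahzur picked out of the HijackThis log above follow two patterns a defender can check mechanically: O17 lines whose NameServer has been overridden with a resolver that does not belong to the ISP, and load hooks (O2 BHOs, O20 Winlogon Notify) whose DLL no longer exists on disk. The following Python script is an added example, not code from the thread or from HijackThis; it parses a constructed excerpt of the log quoted in this thread and flags exactly those two patterns. The rogue-resolver set is taken from the O17 lines on this page and stands in for an analyst-maintained indicator list (assumption).

```python
import re

# Constructed excerpt of the HijackThis v2.0.2 log posted earlier in this thread.
# Only a handful of entries are kept: a benign BHO, a benign O4 autorun, the AVG
# orphan, the four O17 NameServer overrides and the orphaned O20 Winlogon Notify hook.
HJT_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C42DBBD-2735-41DC-A0A3-53605FDBB13B}: NameServer = 85.255.112.107,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8A25EC9-CBE1-4BD2-89C4-F22F1698D8D8}: NameServer = 85.255.112.107,85.255.112.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.107,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.107,85.255.112.226
O20 - Winlogon Notify: pptp32 - pptp32.dll (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# The two resolver addresses that appear in this thread's O17 lines. In real use this
# set would be an indicator list maintained by the analyst (assumption for the example).
ROGUE_DNS = {"85.255.112.107", "85.255.112.226"}

# Sections whose "(file missing)" entries are load hooks (BHOs, toolbars, Winlogon
# Notify, ShellServiceObjectDelayLoad). An orphan there is either an uninstall leftover
# or a removed malware component whose registration survived; either way it goes.
ORPHAN_SECTIONS = {"O2", "O3", "O20", "O21"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>[0-9.,]+)\s*$")
MISSING_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.+) \(file missing\)$")


def triage(log_text, rogue_dns=ROGUE_DNS):
    """Return a list of (hjt_line, reason) pairs for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O17_RE.match(line)
        if m:
            servers = set(m.group("servers").split(","))
            hit = sorted(servers & rogue_dns)
            if hit:
                reason = "O17 NameServer points at known-rogue DNS " + ",".join(hit)
            else:
                # Any explicit NameServer override deserves a look even without a hit.
                reason = "O17 NameServer override present; confirm it is the ISP's resolver"
            findings.append((line, reason))
            continue
        m = MISSING_RE.match(line)
        if m and m.group("section") in ORPHAN_SECTIONS:
            findings.append((line, m.group("section") + " entry references a file that no longer exists (orphan)"))
    return findings


def rogue_dns_lines(findings):
    """Just the O17 lines whose resolver matched the indicator set."""
    return [line for line, reason in findings if reason.startswith("O17 NameServer points")]


if __name__ == "__main__":
    for line, reason in triage(HJT_LOG):
        print(f"{reason}\n    {line}")
```

Run against the excerpt, the script reports the same six lines the helper asked the poster to tick in HijackThis: four O17 overrides pointing at 85.255.112.107/85.255.112.226 and two orphaned hooks. O23 services with a missing file are deliberately left out of the orphan check, since those are usually leftovers of uninstalled software and were not part of the fix here.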



Post by RLR on 28th April 2009, 2:23 pm

Here are the results. Just one thing: when I first opened Internet Explorer a Symantec results box opened and I closed it. I don't know what it means, if anything. Let me know if there's anything else for me to do.

Thank you for your help!

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "gxvxcserv.sys" found!
ImagePath: \systemroot\system32\drivers\gxvxccoerxaqukvqlpphhwvplhddpotsmrpnj.sys
Driver disabled successfully.

Rootkit scan completed.


Completed script processing.

*******************

Finished! Terminate.


Post by Belahzur on 28th April 2009, 2:52 pm

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to delete:
gxvxcserv.sys

Files to delete:
C:\WINDOWS\system32\drivers\gxvxccoerxaqukvqlpphhwvplhddpotsmrpnj.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.



Post by RLR on 28th April 2009, 6:21 pm

Hi again,
Here are the results of the action just taken. When I started Internet Explorer this time the Symantec results window did NOT come up.

Once again thank you!

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "gxvxcserv.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\gxvxccoerxaqukvqlpphhwvplhddpotsmrpnj.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Post by Belahzur on 28th April 2009, 6:29 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



Post by RLR on 28th April 2009, 9:04 pm

Hi Belahzur,
Here are the results of this most current application. Please let me know if there are additional steps.

Thank you for your help!

Malwarebytes' Anti-Malware 1.36
Database version: 2055
Windows 5.1.2600 Service Pack 3

4/28/2009 1:47:46 PM
mbam-log-2009-04-28 (13-47-46).txt

Scan type: Quick Scan
Objects scanned: 77937
Time elapsed: 4 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QuickyPlaeyr (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QuickyPlaeyrSoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QuickyPlaeyr (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1c42dbbd-2735-41dc-a0a3-53605fdbb13b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.107,85.255.112.226 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1c42dbbd-2735-41dc-a0a3-53605fdbb13b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.107,85.255.112.226 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{1c42dbbd-2735-41dc-a0a3-53605fdbb13b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.107,85.255.112.226 -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Rick Richmond\Start Menu\Programs\QuickyPlaeyr (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Rick Richmond\Local Settings\Temp\TDSS815d.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rick Richmond\Local Settings\Temp\TDSSe60b.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\END (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ps.a3d (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\klo5.sys (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\klgcptini.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\stt82.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gxvxccounter (Trojan.DNSchanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSStkdu.log (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gxvxcqawuvjgogyiogvltpbgknhcadlysuniq.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gxvxcappqltpjbfvrmvnmpkmkgelkaprrjqtm.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gxvxcbbpkmsqhxdqgkvdylkmjxmqpsiakhqxr.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gxvxclxwprrilrlxuxngfvphqayfqahoparai.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gxvxcppwgopupfqjruswqvmyxqnsnxsgfpxte.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gxvxcuxjdvlhhonkksmkvpxmkjxndjkyphgve.sys (Trojan.Agent) -> Quarantined and deleted successfully.
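The MBAM log above is worth reading as structured data rather than a wall of lines: it tells you which families were involved, whether every item was actually cleaned, and whether the DhcpNameServer values it removed are the same resolvers that showed up in the HijackThis O17 lines at the start of the thread. The Python below is an added example, not code from the thread or from Malwarebytes; it parses a constructed excerpt of this log in the log's own line format and performs those three checks. The set of O17 resolver addresses is copied from this page for the cross-check (assumption: that is the indicator you want to confirm against).

```python
import re
from collections import Counter

# Constructed excerpt of the Malwarebytes' Anti-Malware 1.36 log posted in this thread
# (a subset of the detections, kept in the log's own line format).
MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.36
Database version: 2055

Registry Keys Infected: 2
Registry Data Items Infected: 1
Files Infected: 3

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\QuickyPlaeyr (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1c42dbbd-2735-41dc-a0a3-53605fdbb13b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.107,85.255.112.226 -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Rick Richmond\Local Settings\Temp\TDSS815d.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gxvxccounter (Trojan.DNSchanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gxvxcappqltpjbfvrmvnmpkmkgelkaprrjqtm.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Resolver addresses from the HijackThis O17 lines earlier in this thread.
HJT_O17_DNS = {"85.255.112.107", "85.255.112.226"}

# A detail-section header ends with a bare colon; the summary lines near the top
# ("Registry Keys Infected: 7") carry a count and therefore do not match.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# path (family) [-> Data: value] -> status.
ITEM_RE = re.compile(
    r"^(?P<path>.+?) \((?P<family>[^()]+)\)"
    r"(?: -> Data: (?P<data>\S+))?"
    r" -> (?P<status>.+?)\.?$"
)


def parse_mbam(log_text):
    """Map each detail section name to a list of {path, family, data, status} dicts."""
    sections = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections[current] = []
            continue
        if current is None or line.startswith("("):
            continue  # banner/summary lines, or "(No malicious items detected)"
        m = ITEM_RE.match(line)
        if m:
            sections[current].append(m.groupdict())
    return sections


def family_counts(sections):
    """Detections per family, case-folded because MBAM's names vary in capitalisation
    (the page shows both Trojan.DNSChanger and Trojan.DNSchanger)."""
    return Counter(item["family"].lower() for items in sections.values() for item in items)


def dns_servers_removed(sections):
    """Resolver addresses MBAM wiped from DhcpNameServer data items."""
    servers = set()
    for item in sections.get("Registry Data Items Infected", []):
        if item["path"].endswith("DhcpNameServer") and item["data"]:
            servers.update(item["data"].split(","))
    return servers


def not_cleaned(sections):
    """Items whose status is anything other than a successful quarantine/delete."""
    return [item for items in sections.values() for item in items
            if item["status"] != "Quarantined and deleted successfully"]


def dns_consistent(sections, hjt_dns):
    """True when the resolvers MBAM removed cover every resolver HijackThis showed."""
    return hjt_dns <= dns_servers_removed(sections)


if __name__ == "__main__":
    parsed = parse_mbam(MBAM_LOG)
    print("families:", dict(family_counts(parsed)))
    print("not cleaned:", not_cleaned(parsed))
    print("DNS cross-check with O17 lines:", dns_consistent(parsed, HJT_O17_DNS))
```

The cross-check is the point of the exercise: the O17 entries were fixed in HijackThis first, MBAM then found the same two resolvers still sitting in the DhcpNameServer data of the interface key, and only once both agree (and nothing is left in the not-cleaned list) is the DNS-hijack part of the infection plausibly closed.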


Post by Belahzur on 28th April 2009, 9:23 pm

One more scan to make sure it's gone.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.



Post by RLR on 29th April 2009, 12:23 am

Hi Belahzur,
Here are the results from this test. I believe it is correct, if not let me know.

Thanks, RLR


DDS (Ver_09-03-16.01) - NTFSx86
Run by Rick Richmond at 17:15:25.21 on Tue 04/28/2009
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1578 [GMT -7:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Documents and Settings\Rick Richmond\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rick Richmond\Desktop\dds final step.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uWindow Title = Road Runner High Speed Online
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\ahead\neroph~2\data\xtras\mssysmgr.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_0
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [cdloader] "c:\documents and settings\rick richmond\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [AbacastDistributedOnDemand:11] c:\documents and settings\rick richmond\local settings\application data\abacastdistributedondemand\node\11\AbacastDistributedOnDemand.exe -r:11 -x:1
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [DiskeeperSystray] "c:\program files\executive software\diskeeper\DkIcon.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [DigidesignMMERefresh] e:\digidesign\drivers\MMERefresh.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [medicsp2] c:\program files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [FirePod] c:\program files\presonus\1394audiodriver_firepod\FIREPOD.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\[You must be registered and logged in to see this link.]
Trusted Zone: windowsupdate.com
Trusted Zone: windowsupdate.com\download
DPF: {01113300-3E00-11D2-8470-0060089874ED} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rickri~1\applic~1\mozilla\firefox\profiles\oj9e481i.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\rick richmond\application data\mozilla\plugins\npAbacast.dll
FF - plugin: c:\documents and settings\rick richmond\application data\mozilla\plugins\NPAbacheck.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\microsoft research\hdview for firefox\nphdview.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll

============= SERVICES / DRIVERS ===============

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2004-12-16 77312]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-8-6 301200]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 607576]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-8-6 255096]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-8-6 242808]
R2 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [1998-11-27 6144]
R2 nvTUNEP;nVidia WDM TVTuner;c:\windows\system32\drivers\NVTUNEP.SYS [2006-3-18 21906]
R2 nvtvSND;nVidia WDM TVAudio Crossbar;c:\windows\system32\drivers\NVTVSND.SYS [2006-3-18 25442]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-8-6 37008]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-8-6 1258712]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090427.002\naveng.sys [2009-4-27 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090427.002\navex15.sys [2009-4-27 876144]
R3 Si670m;WayTech Bluetooth USB Filter Driver;c:\windows\system32\drivers\Si670m.sys [2009-3-29 13312]
S0 DigiFilter;DigiFilter;c:\windows\system32\drivers\digifilt.sys --> c:\windows\system32\drivers\DigiFilt.sys [?]
S1 pptp64;MMX virtualization service;\??\c:\windows\system32\pptp64.sys --> c:\windows\system32\pptp64.sys [?]
S2 pptp32;MMX2 virtualization service;\??\c:\windows\system32\pptp64.sys --> c:\windows\system32\pptp64.sys [?]
S2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);c:\program files\twc\medicsp2\bin\sprtsvc.exe [2008-1-26 202280]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-8-6 87160]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2005-3-26 74240]
S3 iLokDrvr;iLok;c:\windows\system32\drivers\iLokDrvr.sys [2005-1-12 27264]
S3 kore2avs;kore2avs;c:\windows\system32\drivers\kore2avs.sys [2008-4-5 25600]
S3 kore2usb;kore2usb;c:\windows\system32\drivers\kore2usb.sys [2008-4-5 185856]
S3 ni_avs;ni_avs;c:\windows\system32\drivers\ni_avs.sys [2006-4-5 22016]
S3 ni_usb;ni_usb;c:\windows\system32\drivers\ni_usb.sys [2006-4-5 71168]
S3 ps_1394;ps_1394;c:\windows\system32\drivers\ps_1394.sys [2005-4-22 71936]
S3 ps_avs;ps_avs;c:\windows\system32\drivers\ps_avs.sys [2005-4-22 24576]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-8-6 169192]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\SynasUSB.sys [2004-12-24 16896]

=============== Created Last 30 ================

2009-04-28 13:39 --d----- c:\docume~1\rickri~1\applic~1\Malwarebytes
2009-04-28 13:39 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-28 13:39 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-28 13:39 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-28 13:39 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-27 08:37 --d----- c:\program files\AVG
2009-04-23 10:01 --d----- c:\documents and settings\rick richmond\.SunDownloadManager
2009-04-17 16:28 310 ---shr-- C:\autorun.inf
2009-04-14 17:05 --d----- c:\program files\iTunes
2009-04-14 17:05 --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-12 15:31 --d----- c:\windows\system32\IOSUBSYS
2009-04-02 18:18 --d----- c:\program files\Ratbag
2009-03-30 15:42 --d----- c:\program files\Bluetooth Mouse
2009-03-30 08:49 30,285 a------- c:\windows\system32\drivers\btwmodem.sys

==================== Find3M ====================

2009-03-27 17:55 499,712 a------- c:\windows\system32\msvcp71.dll
2009-03-27 17:55 348,160 a------- c:\windows\system32\msvcr71.dll
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-09 05:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 05:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 05:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 05:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 04:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 04:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 03:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-03 12:59 56,832 a------- c:\windows\system32\secur32.dll
2006-08-28 18:50 5,120 a--sh--- c:\program files\Thumbs.db
2008-10-01 20:26 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100120081002\index.dat

============= FINISH: 17:16:00.39 ===============

RLR
Novice

Posts : 13
Joined : 2009-04-24
OS : windows xp
Points : 27855
# Likes : 0

Re: Backdoor.Tideserv strikes again! RLR

Post by Belahzur on 29th April 2009, 11:55 am

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :services
    DigiFilter
    pptp64
    pptp32

    :files
    C:\autorun.inf
    C:\Documents and Settings\Rick Richmond\Desktop\dds final step.scr


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245079
# Likes : 1

Re: Backdoor.Tideserv strikes again! RLR

Post by RLR on 29th April 2009, 2:29 pm

Hi again,
Here are the results from this test, please let me know if there's more.

Thank you, RLR

========== SERVICES/DRIVERS ==========

Service\Driver DigiFilter deleted successfully.

Service\Driver pptp64 deleted successfully.

Service\Driver pptp32 deleted successfully.
========== FILES ==========
C:\autorun.inf moved successfully.
C:\Documents and Settings\Rick Richmond\Desktop\dds final step.scr moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04292009_072405


Re: Backdoor.Tideserv strikes again! RLR

Post by Belahzur on 29th April 2009, 2:58 pm

We can remove OTMoveIt now.

  • Please double-click OTMoveIt3.exe to run it again.
  • Press the green CleanUp! button.
  • Press Yes at the cleanup process prompt, and do the same for the reboot prompt.
How is the machine running now?





Re: Backdoor.Tideserv strikes again! RLR

Post by RLR on 29th April 2009, 3:30 pm

Hi Belahzur,
It is really, really fast! I checked all the things that were wrong with it and they all work just fine; it's nice to be able to see my files once again.
You are an amazing person; your directions on everything you asked me to do were spot on. I'm really happy right now. I didn't know what I was going to do, because the virus was taking over my whole computer and, being unemployed, I was in a real pickle. (There will be donations.)
I can't thank you enough! I have learned a heck of a lesson and I will shake my Newbie Surfer handle. You rock! RLR


Re: Backdoor.Tideserv strikes again! RLR

Post by RLR on 29th April 2009, 3:54 pm

Hi Again,
I just checked my D drive and the virus is still there. I ran Malwarebytes and it says there are no viruses, but if you look at the text from the log it says something different. Suggestions? My C drive is just fine. I have the MBAM log if you need it. RLR

This is what it says.
RECYCLER\S-0-0-68-100013072-100031127-100026458-1368.com


Re: Backdoor.Tideserv strikes again! RLR

Post by Belahzur on 29th April 2009, 4:12 pm

Just a leftover autorun.inf file. We can use OTMoveIt for that.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :files
    D:\autorun.inf


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.




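The "RECYCLER\S-0-0-68-...-1368.com" message RLR saw when opening D: is what Windows reports when a root autorun.inf points at a launch target that no longer exists, which is why Belahzur diagnoses a leftover autorun.inf. The triage script below is an added example, not a tool from this thread: it parses an autorun.inf and flags the two tells visible in RLR's report (a launch target under RECYCLER, and an executable named like a SID folder). The sample file contents are constructed for illustration; only the target path is the one RLR posted.

```python
"""Added example: triage an autorun.inf for RECYCLER-style launch targets.
The SAMPLE_AUTORUN_INF text is constructed; only the RECYCLER\\S-0-0-68-... path
comes from the thread, the surrounding keys are an assumption about the family."""
import re
from typing import Dict, List

SAMPLE_AUTORUN_INF = """[autorun]
open=RECYCLER\\S-0-0-68-100013072-100031127-100026458-1368.com
shell\\open\\command=RECYCLER\\S-0-0-68-100013072-100031127-100026458-1368.com
shell\\explore\\command=RECYCLER\\S-0-0-68-100013072-100031127-100026458-1368.com
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

# [autorun] keys that make the shell run something when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command", "shell\\autoplay\\command")
# A genuine RECYCLER subfolder is named after a real SID, which starts S-1-.
REAL_SID = re.compile(r"^S-1-\d+(-\d+)+$", re.IGNORECASE)
# A file named like a SID but carrying an executable extension is a classic tell.
SIDLIKE_EXE = re.compile(r"^S-\d+(-\d+)+\.(exe|com|scr|pif)$", re.IGNORECASE)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key/value pairs of the [autorun] section with lower-cased keys."""
    values: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values


def first_token(command: str) -> str:
    """Program path of a command line: the quoted part, or the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def launch_targets(values: Dict[str, str]) -> List[str]:
    """Paths the shell would execute for this autorun.inf, in key order."""
    return [first_token(values[k]) for k in LAUNCH_KEYS if k in values]


def suspicious_reasons(target: str) -> List[str]:
    """Indicators that a launch target belongs to a RECYCLER-dropper."""
    reasons: List[str] = []
    parts = target.replace("/", "\\").split("\\")
    if parts[0].lower() == "recycler":
        reasons.append("launch target lives under RECYCLER")
        if len(parts) > 1 and not REAL_SID.match(parts[1]):
            reasons.append("RECYCLER entry is not a real SID folder: " + parts[1])
    if SIDLIKE_EXE.match(parts[-1]):
        reasons.append("executable named like a SID: " + parts[-1])
    return reasons


def triage(text: str) -> dict:
    """Verdict: 'no launch target', 'review' (launches something, no tells),
    or 'suspicious' (at least one launch target shows a RECYCLER tell)."""
    targets = launch_targets(parse_autorun(text))
    findings = {t: suspicious_reasons(t) for t in targets if suspicious_reasons(t)}
    if findings:
        verdict = "suspicious"
    elif targets:
        verdict = "review"
    else:
        verdict = "no launch target"
    return {"targets": targets, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for target, reasons in triage(SAMPLE_AUTORUN_INF)["findings"].items():
        print(target, "->", "; ".join(reasons))
```

An install CD's "open=setup.exe" lands in "review" rather than "suspicious", so the script separates the ordinary use of autorun.inf from the RECYCLER pattern seen here.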

Re: Backdoor.Tideserv strikes again! RLR

Post by RLR on 29th April 2009, 4:34 pm

whew!

========== FILES ==========
D:\autorun.inf moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.1


Re: Backdoor.Tideserv strikes again! RLR

Post by Belahzur on 29th April 2009, 4:48 pm

We can remove OTMoveIt now.

  • Please double-click OTMoveIt3.exe to run it again.
  • Press the green CleanUp! button.
  • Press Yes at the cleanup process prompt, and do the same for the reboot prompt.

The error shouldn't happen now.





Re: Backdoor.Tideserv strikes again! RLR

Post by RLR on 29th April 2009, 5:09 pm

sweet!

Thank you, RLR


Re: Backdoor.Tideserv strikes again! RLR

Post by Belahzur on 29th April 2009, 5:12 pm

Please download Flash_Disinfector from [You must be registered and logged in to see this link.]

  • First, download it to your desktop.
  • Now double-click it to run it, and it will tell you what to do when you open it.
  • It will temporarily kill explorer.exe and your desktop will go blank.
  • Let Flash_Disinfector do its job and it will restart explorer.exe for you.
  • It will make a dummy autorun.inf in the root of every drive.
  • You can now delete Flash_Disinfector.exe.


We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.





Re: Backdoor.Tideserv strikes again! RLR

Post by RLR on 29th April 2009, 6:48 pm

After downloading the flash_disinfector, when I try to run it, it gives me a message that says Flash_Disinfector.exe download is complete, but it also brings up a Symantec antivirus notification. When I hit run on the verifying flash disinfector, that's when a message pops up and it says Flash_Disinfector.exe is not a valid Win32 application; when I hit OK, it goes away and nothing happens.

Is this correct?


Re: Backdoor.Tideserv strikes again! RLR

Post by Belahzur on 29th April 2009, 6:55 pm

Hello.
It's a false positive on that file by Symantec. I know Avira doesn't like F_D either. Doesn't matter though.

See [You must be registered and logged in to see this link.] for instructions on how to disable your AV (Symantec).

Once disabled, download it again and run it, there shouldn't be any problems.

Enable Symantec after running it, then delete F_D





Re: Backdoor.Tideserv strikes again! RLR

Post by RLR on 29th April 2009, 7:30 pm

Hey man,
I got the Symantec AV disabled and was able to run the FD; it did just like you said and then said it was done. I was able to turn off System Restore and then turn it back on.
I am now downloading the updates from MSFT and yes, I will take your recommendations seriously, I do NOT want to have to go thru this again! I am familiar with Ad-Aware SE and will use it often.
Thanks again, RLR.

ps. Do you sleep?


Re: Backdoor.Tideserv strikes again! RLR

Post by Belahzur on 29th April 2009, 7:33 pm

Me? Sleeping? Never.

Actually, I do. Usually only get about 7-8hrs of sleep.





Re: Backdoor.Tideserv strikes again! RLR

Post by RLR on 30th April 2009, 9:23 pm

Hey Man,
Thought you'd like to know: when I first turned on my computer this morning a Trojan virus had already tried to get in, but it was stopped dead in its tracks. It really surprised me that they didn't waste any time trying to get back in. So it worked beautifully.

thanks, RLR
