
Norton wont remove Backdoor.Tidserv!inf


  • This topic is locked
5 replies to this topic

#1 mandownmandown

mandownmandown

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:04 PM

Posted 28 December 2008 - 06:26 PM

it's one of those - I'm usually careful about what I download but not this time - type deals. So anyway, norton found a few things and removed all except backdoor.Tidserv!inf. Norton gives instructions on how to manually remove it but doesn't work. So I installed malwarebytes, updated and ran it, and got a few more things but didn't get rid of the one I mentioned. Last night I rebooted in safe mode and ran full scans with both norton and malwarebytes and they didn't find anything. Rebooted in normal mode and norton still lists backdoor.Tidserv!inf under "unresolved security risks". And if I double click a drive in "my computer" it says,

"Windows cannot find 'resycled\boot.com'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

any help is greatly appreciated.


I've attached the attach.txt log and here is my DDS.txt log:



DDS (Version 1.1.0) - NTFSx86
Run by Desmond at 17:47:05.70 on Sun 12/28/2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2331 [GMT -5:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Languages\Java\jre1.6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\TeamViewer\Version4\TeamViewer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Utils\Unlocker\UnlockerAssistant.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\Browsers\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Desmond\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.2.0.7\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\languages\java\jre1.6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\languages\java\jre1.6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\languages\java\jre1.6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [SunJavaUpdateSched] "c:\languages\java\jre1.6\bin\jusched.exe"
mRun: [UnlockerAssistant] "c:\utils\unlocker\UnlockerAssistant.exe"
mRun: [Adobe Reader Speed Launcher] "c:\media\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\media\quicktime\QTTask.exe" -atboottime
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
TCP: {CC918AEA-3C5E-48E3-B7EA-09D1DC914F22} = 24.151.8.211,24.151.8.210
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\desmond\applic~1\mozilla\firefox\profiles\l32szkr8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\desmond\application data\mozilla\firefox\profiles\l32szkr8.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - plugin: c:\languages\java\jre1.6\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\languages\java\jre1.6\bin\new_plugin\npjp2.dll
FF - plugin: c:\media\adobe\reader 9.0\reader\browser\nppdf32.dll
FF - plugin: c:\media\divx\divx web player\npdivx32.dll
FF - plugin: c:\media\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\media\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\media\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\media\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\program files\yahoo!\shared\npYState.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NAV\1002000.007\SYMEFA.SYS []
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1002000.007\BHDrvx86.sys [2008-12-27 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1002000.007\ccHPx86.sys [2008-12-27 362544]
R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20081220.001\IDSxpx86.sys [2008-12-27 274808]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008-12-17 10384]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-12-5 935208]
R2 Norton AntiVirus;Norton AntiVirus;"c:\program files\norton antivirus\engine\16.2.0.7\ccsvchst.exe" /s "norton antivirus" /m "c:\program files\norton antivirus\engine\16.2.0.7\diMaster.dll" /prefetch:1 []
R2 TeamViewer4;TeamViewer 4;"c:\program files\teamviewer\version4\TeamViewer_Service.exe" -service [2008-12-10 185640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-12-27 99376]
R3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\lccfltr.sys [2008-12-17 14095]
R3 NAVENG;NAVENG;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20081228.003\NAVENG.SYS [2008-12-28 89104]
R3 NAVEX15;NAVEX15;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20081228.003\NAVEX15.SYS [2008-12-28 876112]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2008-12-10 272128]

=============== Created Last 30 ================

2008-12-27 21:19 <DIR> --d--r-- c:\program files\Norton Support
2008-12-27 19:03 <DIR> --d----- c:\docume~1\desmond\applic~1\Malwarebytes
2008-12-27 19:03 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-27 19:03 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-27 19:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-27 19:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-27 18:18 255 ---shr-- C:\autorun.inf
2008-12-27 17:30 <DIR> --d----- c:\program files\common files\Macrovision Shared
2008-12-27 16:22 169 a------- c:\windows\RtlRack.ini
2008-12-27 16:00 32,592 a------- c:\windows\system32\msonpmon.dll
2008-12-27 15:55 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2008-12-27 15:54 <DIR> --d----- c:\windows\SHELLNEW
2008-12-27 10:53 <DIR> --d----- c:\docume~1\desmond\applic~1\NeroDCTemplates
2008-12-26 14:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
2008-12-26 14:23 <DIR> --d----- c:\windows\system32\appmgmt
2008-12-26 14:12 69,232 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2008-12-26 14:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2008-12-26 14:11 36,272 a----r-- c:\windows\system32\drivers\SymIM.sys
2008-12-26 14:11 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-26 14:11 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2008-12-26 14:11 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-26 14:11 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-26 14:11 <DIR> --d----- c:\program files\Symantec
2008-12-26 14:11 <DIR> --d----- c:\program files\common files\Symantec Shared
2008-12-26 14:10 <DIR> --d----- c:\windows\system32\drivers\NAV
2008-12-26 14:10 <DIR> --d----- c:\program files\Norton AntiVirus
2008-12-26 14:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2008-12-26 14:10 <DIR> --d----- c:\program files\NortonInstaller
2008-12-26 14:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2008-12-26 14:09 <DIR> --d----- c:\documents and settings\all users\Symantec Temporary Files
2008-12-26 13:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avg8
2008-12-26 13:44 <DIR> --d----- c:\windows\system32\XPSViewer
2008-12-26 13:44 14,048 -------- c:\windows\system32\spmsg2.dll
2008-12-26 13:39 <DIR> --d----- c:\program files\UltraCompare
2008-12-26 13:33 <DIR> --d----- c:\program files\UltraEdit
2008-12-26 13:33 <DIR> --d----- c:\program files\IDM Computer Solutions
2008-12-26 13:28 <DIR> --d----- c:\program files\MSXML 4.0
2008-12-26 13:25 <DIR> --d----- c:\program files\Windows Media Connect 2
2008-12-20 15:45 90,112 a------- c:\windows\unvise32.exe
2008-12-20 15:44 <DIR> --d----- c:\program files\The Rosetta Stone
2008-12-20 03:00 <DIR> --d----- c:\windows\system32\LogFiles
2008-12-19 18:33 69 a------- c:\windows\NeroDigital.ini
2008-12-19 17:39 359 a------- c:\windows\COVERE~1.INI
2008-12-18 10:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\LightScribe
2008-12-17 20:26 <DIR> --d----- c:\windows\RegisteredPackages
2008-12-17 15:12 12,953 -------- c:\windows\system32\drivers\itchfltr.sys
2008-12-17 15:12 14,095 a------- c:\windows\system32\drivers\LCcfltr.sys
2008-12-17 15:12 37,887 -------- c:\windows\system32\drivers\Lhidusb.sys
2008-12-17 15:12 1,060,864 a------- c:\windows\system32\MFC71.dll
2008-12-17 15:12 54,784 a------- c:\windows\system32\MSVCI70.DLL
2008-12-17 15:12 <DIR> --d----- c:\program files\common files\Logitech
2008-12-17 15:05 10,384 a------- c:\windows\system32\drivers\LBeepKE.sys
2008-12-17 15:05 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-12-17 15:05 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-12-17 15:05 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-12-17 15:04 301,656 a------- c:\windows\system32\BtCoreIf.dll
2008-12-17 15:04 170,512 a------- c:\windows\system32\kemutb.dll
2008-12-17 15:04 145,936 a------- c:\windows\system32\KemUtil.dll
2008-12-17 15:04 117,264 a------- c:\windows\system32\KemWnd.dll
2008-12-17 15:04 84,496 a------- c:\windows\system32\KemXML.dll
2008-12-17 11:12 <DIR> --d----- c:\program files\Essentials Codec Pack
2008-12-17 08:47 <DIR> --d----- c:\program files\Yahoo!
2008-12-11 15:39 <DIR> --d----- c:\docume~1\desmond\applic~1\FireShot
2008-12-10 20:17 <DIR> --d----- c:\docume~1\desmond\applic~1\uTorrent
2008-12-10 20:11 <DIR> --d----- C:\P2P
2008-12-10 19:53 <DIR> --d----- c:\program files\TeamViewer
2008-12-10 19:30 <DIR> --d----- C:\Security
2008-12-10 19:18 <DIR> --d----- c:\windows\system32\URTTemp
2008-12-10 19:17 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-12-10 19:16 333,824 -c------ c:\windows\system32\dllcache\srv.sys
2008-12-10 19:16 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-10 19:16 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-10 19:16 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-10 19:16 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-10 19:16 138,496 -c------ c:\windows\system32\dllcache\afd.sys
2008-12-10 19:16 1,846,400 -c------ c:\windows\system32\dllcache\win32k.sys
2008-12-10 19:07 <DIR> --d----- C:\media
2008-12-10 19:03 221,184 a------- c:\windows\system32\wmpns.dll
2008-12-10 18:59 <DIR> --d----- c:\windows\system32\scripting
2008-12-10 18:59 <DIR> --d----- c:\windows\system32\en
2008-12-10 18:59 <DIR> --d----- c:\windows\system32\bits
2008-12-10 18:59 <DIR> --d----- c:\windows\l2schemas
2008-12-10 18:58 <DIR> --d----- c:\windows\ServicePackFiles
2008-12-10 18:57 <DIR> --d----- c:\windows\network diagnostic
2008-12-10 18:54 <DIR> --d----- c:\program files\Sun
2008-12-10 18:54 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-10 18:54 73,728 a------- c:\windows\system32\javacpl.cpl
2008-12-10 18:52 499,712 a------- c:\windows\system32\msvcp71.dll
2008-12-10 18:52 348,160 a------- c:\windows\system32\msvcr71.dll
2008-12-10 18:52 <DIR> --d----- c:\windows\system32\Adobe
2008-12-10 18:52 <DIR> --d----- C:\Languages
2008-12-10 18:49 701,440 -------- c:\windows\system32\drivers\ati2mtag.sys
2008-12-10 18:45 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2008-12-10 18:39 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2008-12-10 18:39 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2008-12-10 18:39 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2008-12-10 18:38 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2008-12-10 18:38 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-12-10 18:30 266,360 a------- c:\windows\system32\TweakUI.exe
2008-12-10 18:30 160,217 a------- c:\windows\system32\PowerToysLicense.rtf
2008-12-10 18:10 <DIR> --d----- C:\Browsers
2008-12-10 18:07 200,819 a------- c:\windows\system32\nvapps.xml
2008-12-10 18:07 453,152 a------- c:\windows\system32\nvudisp.exe
2008-12-10 18:07 18,477 a------- c:\windows\system32\nvdisp.nvu
2008-12-10 18:07 <DIR> --d----- c:\windows\nview
2008-12-10 18:06 <DIR> --d----- C:\DriversNVIDIA
2008-12-10 18:02 <DIR> --d----- C:\SourceCD
2008-12-10 17:56 26,488 a------- c:\windows\system32\spupdsvc.exe
2008-12-10 17:56 <DIR> --d----- c:\windows\system32\PreInstall
2008-12-10 17:56 <DIR> --d-h--- c:\windows\$hf_mig$
2008-12-10 17:55 <DIR> --dsh--- c:\documents and settings\desmond\UserData
2008-12-10 17:53 664 a------- c:\windows\system32\d3d9caps.dat
2008-12-10 17:53 552 a------- c:\windows\system32\d3d8caps.dat
2008-12-10 17:53 <DIR> --d----- c:\program files\SystemRequirementsLab
2008-12-10 17:26 164 a------- c:\windows\avrack.ini
2008-12-10 17:26 <DIR> --d----- c:\program files\Realtek Sound Manager
2008-12-10 17:26 <DIR> --d----- c:\program files\AvRack
2008-12-10 17:26 <DIR> --d----- c:\program files\Realtek AC97
2008-12-10 17:25 9,410,048 a------- c:\windows\system32\RTLCPL.EXE
2008-12-10 17:25 2,324,480 a------- c:\windows\system32\drivers\ALCXWDM.SYS
2008-12-10 17:25 156,672 a------- c:\windows\system32\RTLCPAPI.dll
2008-12-10 17:25 141,016 a------- c:\windows\system32\ALSNDMGR.WAV
2008-12-10 17:25 77,824 a------- c:\windows\SOUNDMAN.EXE
2008-12-10 17:25 40,960 a------- c:\windows\system32\ChCfg.exe
2008-12-10 17:25 18,751,488 a------- c:\windows\system32\ALSNDMGR.CPL
2008-12-10 17:25 294,912 a------- c:\windows\alcupd.exe
2008-12-10 17:25 200,704 a------- c:\windows\alcrmv.exe
2008-12-10 17:22 <DIR> --d----- c:\windows\Downloaded Installations
2008-12-10 17:21 454,656 a------- c:\windows\system32\CapabilityTable.exe
2008-12-10 17:19 176,128 a------- c:\windows\system32\nvunrm.exe
2008-12-10 17:19 3,596 a------- c:\windows\system32\nvnrm.nvu
2008-12-10 17:19 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-12-10 17:19 176,128 a------- c:\windows\system32\nvusmb.exe
2008-12-10 17:19 1,231 a------- c:\windows\system32\nvsmb.nvu
2008-12-10 17:19 <DIR> --d----- c:\windows\system32\ReinstallBackups
2008-12-10 17:15 <DIR> --d----- c:\documents and settings\desmond\temp
2008-12-10 17:15 <DIR> --d----- c:\docume~1\desmond\applic~1\TeamViewer
2008-12-10 17:13 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2008-12-10 17:09 1,069,056 a------- c:\windows\system32\libeay32.dll
2008-12-10 17:09 966,765 a------- c:\windows\system32\acAuth.dll
2008-12-10 17:09 344,064 a------- c:\windows\system32\SCMLib.dll
2008-12-10 17:09 272,128 a------- c:\windows\system32\drivers\wg111v2.sys
2008-12-10 17:09 266,240 a------- c:\windows\system32\WG1v2lib.dll
2008-12-10 17:09 143,360 a------- c:\windows\system32\IpLib.dll
2008-12-10 17:05 300,032 a------- c:\windows\system32\idecoi.dll
2008-12-10 17:05 92,800 a------- c:\windows\system32\drivers\nvata.sys
2008-12-10 17:05 261,888 a------- c:\windows\system32\drivers\nvnrm.sys
2008-12-10 17:05 208,256 a------- c:\windows\system32\drivers\nvsnpu.sys
2008-12-10 17:05 33,536 a------- c:\windows\system32\drivers\NVENETFD.sys
2008-12-10 17:05 32,256 a------- c:\windows\system32\nvconrm.dll
2008-12-10 17:05 12,928 a------- c:\windows\system32\drivers\nvnetbus.sys
2008-12-10 17:05 201,728 a------- c:\windows\system32\fdco1ins.dll
2008-12-10 17:05 201,728 a------- c:\windows\system32\fdco1.dll
2008-12-10 17:05 9,728 a------- c:\windows\system32\bdco1ins.dll
2008-12-10 17:05 9,728 a------- c:\windows\system32\bdco1.dll
2008-12-10 16:58 <DIR> --d----- C:\Drivers
2008-12-05 12:31 21,035 a------- c:\windows\system32\drivers\AegisP.sys
2008-12-05 12:30 <DIR> --d----- c:\program files\NETGEAR
2008-12-05 12:24 2,422 a------- c:\windows\system32\wpa.bak
2008-12-05 12:11 <DIR> --d----- c:\documents and settings\Desmond
2008-12-05 12:08 <DIR> --ds---- c:\windows\system32\Microsoft
2008-12-05 12:08 8,192 a------- c:\windows\REGLOCS.OLD
2008-12-05 12:06 185,344 ac------ c:\windows\system32\dllcache\thawbrkr.dll
2008-12-05 12:05 187,938 ac------ c:\windows\system32\dllcache\c_20005.nls
2008-12-05 12:04 <DIR> --dsh--- c:\documents and settings\all users\DRM
2008-12-05 12:04 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2008-12-05 12:04 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2008-12-05 12:04 <DIR> --ds---- c:\windows\Downloaded Program Files
2008-12-05 12:04 <DIR> --d--r-- c:\windows\Offline Web Pages
2008-12-05 12:04 749 a---hr-- c:\windows\WindowsShell.Manifest
2008-12-05 12:04 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2008-12-05 12:04 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2008-12-05 12:04 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2008-12-05 12:04 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2008-12-05 12:04 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest
2008-12-05 12:04 <DIR> --d-h--- c:\program files\WindowsUpdate
2008-12-05 12:03 <DIR> --d----- c:\program files\common files\MSSoap
2008-12-05 12:02 <DIR> --d----- c:\program files\Online Services
2008-12-05 12:02 <DIR> --d----- c:\program files\Messenger
2008-12-05 12:02 <DIR> --d----- c:\program files\MSN Gaming Zone
2008-12-05 12:01 <DIR> --d----- c:\program files\Windows NT
2008-12-05 06:42 <DIR> --d----- c:\program files\common files\ODBC
2008-12-05 06:42 <DIR> --d----- c:\program files\common files\SpeechEngines
2008-12-05 06:42 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2008-12-10 19:00 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-05 12:02 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-11-21 16:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 16:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 16:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 16:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 16:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 16:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-10 14:46 69,632 a------- c:\windows\KHALMNPR.Exe
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll

============= FINISH: 17:47:31.40 ===============

#2 mandownmandown

mandownmandown
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:04 PM

Posted 28 December 2008 - 06:29 PM

here are a few logs from the malwarebytes scans:

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

12/27/2008 7:35:04 PM
mbam-log-2008-12-27 (19-35-04).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|I:\|)
Objects scanned: 102032
Time elapsed: 26 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\RtlGina2.dll (Trojan.FakeGina) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\RtlGina2.dll (Trojan.FakeGina) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

12/27/2008 7:59:46 PM
mbam-log-2008-12-27 (19-59-46).txt

Scan type: Full Scan (C:\|)
Objects scanned: 123162
Time elapsed: 21 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-BD1.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.31
Database version: 1550
Windows 5.1.2600 Service Pack 3

12/27/2008 9:15:31 PM
mbam-log-2008-12-27 (21-15-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 124153
Time elapsed: 23 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Browsers\Mozilla Firefox\components\iamfamous.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\Desmond\Local Settings\Temp\tmp3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Desmond\Local Settings\Temp\tmp5.tmp (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Desmond\Local Settings\Temp\tmp591.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msqpdxlrdefkab.dll (Trojan.TDSS) -> Delete on reboot.
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\msqpdxmwxsamwi.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\msqpdxserv.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\msqpdxuruwbabu.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-6D.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-19D.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.31
Database version: 1550
Windows 5.1.2600 Service Pack 3

12/27/2008 10:57:11 PM
mbam-log-2008-12-27 (22-57-11).txt

Scan type: Full Scan (C:\|)
Objects scanned: 124386
Time elapsed: 29 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Desmond\Local Settings\Temp\tmpC.tmp (Trojan.Agent) -> Delete on reboot.
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\msqpdxserv.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-21F.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.



#3 mandownmandown

mandownmandown
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:04 PM

Posted 28 December 2008 - 06:40 PM

here is a log from Norton of resolved security threats:

Category: Resolved Security Risks
Date & Time,Risk Level,Activity,Status,Recommended Action,Component,Definitions Version,Risk Name,Risk Category,Risk Type,Risk State,ERASER Version,File Name
12/27/2008 10:09 PM,High,Trojan.ByteVerify detected by Virus scanner,Removed,Resolved - No Action,Virus scanner,2008.12.27.019,Trojan.ByteVerify,Virus,Compressed File,Fully removed,,
12/27/2008 9:29 PM,High,W32.Tidserv detected by Virus scanner,Removed,Resolved - No Action,Virus scanner,2008.12.27.019,W32.Tidserv,Virus,File Based,Fully removed,108.2.4.3,
12/27/2008 9:21 PM,High,Auto-Protect has detected W32.Tidserv,"Blocked, Blocked",Resolved - No Action,Auto-Protect,2008.12.27.019,,Virus,,,,c:\browsers\mozilla firefox\components\iamfamous.dll
12/27/2008 9:21 PM,High,W32.Tidserv detected by Auto-Protect,Removed,Resolved - No Action,Auto-Protect,2008.12.27.019,W32.Tidserv,Virus,File Based,Fully removed,108.2.4.3,
12/27/2008 9:21 PM,High,Auto-Protect has detected Backdoor.Tidserv!inf,"Blocked, Blocked",Resolved - No Action,Auto-Protect,2008.12.27.019,,Virus,,,,c:\documents and settings\desmond\local settings\temp\tmpc.tmp
12/27/2008 6:40 PM,Low,Tracking Cookie detected by Virus scanner,Removed,Resolved - No Action,Virus scanner,2008.12.27.002,Tracking Cookie,Cookie,File Based,Fully removed,108.2.4.3,
12/27/2008 6:18 PM,High,W32.Tidserv detected by Auto-Protect,Removed,Resolved - No Action,Auto-Protect,2008.12.27.002,W32.Tidserv,Virus,File Based,Fully removed,108.2.4.3,
12/27/2008 6:18 PM,High,Auto-Protect has detected Backdoor.Tidserv!inf,"Blocked, Blocked",Resolved - No Action,Auto-Protect,2008.12.27.002,,Virus,,,,c:\documents and settings\desmond\local settings\temp\tmp591.tmp
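An added example for reading the two log formats posted in #2 and #3 side by side (this is my code, not the thread's and not Malwarebytes' or Symantec's): it parses MBAM's `path (detection) -> action` lines and Norton's CSV export, groups both products' verdicts by file path, and lists the files MBAM could only mark "Delete on reboot". The embedded excerpts are copied from the logs above; the only assumption is the Python standard library.

```python
"""Line up Malwarebytes and Norton detections of the same files (added example)."""
import csv
import io
import re

# Excerpt of the Malwarebytes log lines posted above (paths are the thread's own).
MBAM_LOG = r"""
Files Infected:
C:\Browsers\Mozilla Firefox\components\iamfamous.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\Desmond\Local Settings\Temp\tmp591.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Desmond\Local Settings\Temp\tmpC.tmp (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\msqpdxlrdefkab.dll (Trojan.TDSS) -> Delete on reboot.
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
"""

# Excerpt of the Norton "Resolved Security Risks" CSV posted above.
NORTON_LOG = r"""Date & Time,Risk Level,Activity,Status,Recommended Action,Component,Definitions Version,Risk Name,Risk Category,Risk Type,Risk State,ERASER Version,File Name
12/27/2008 9:29 PM,High,W32.Tidserv detected by Virus scanner,Removed,Resolved - No Action,Virus scanner,2008.12.27.019,W32.Tidserv,Virus,File Based,Fully removed,108.2.4.3,
12/27/2008 9:21 PM,High,Auto-Protect has detected W32.Tidserv,"Blocked, Blocked",Resolved - No Action,Auto-Protect,2008.12.27.019,,Virus,,,,c:\browsers\mozilla firefox\components\iamfamous.dll
12/27/2008 9:21 PM,High,Auto-Protect has detected Backdoor.Tidserv!inf,"Blocked, Blocked",Resolved - No Action,Auto-Protect,2008.12.27.019,,Virus,,,,c:\documents and settings\desmond\local settings\temp\tmpc.tmp
12/27/2008 6:18 PM,High,Auto-Protect has detected Backdoor.Tidserv!inf,"Blocked, Blocked",Resolved - No Action,Auto-Protect,2008.12.27.002,,Virus,,,,c:\documents and settings\desmond\local settings\temp\tmp591.tmp
"""

# One MBAM detection line: drive path, detection name in parentheses, action after "->".
MBAM_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# Norton leaves "Risk Name" empty on Auto-Protect rows; the name is in the Activity text.
NORTON_ACTIVITY = re.compile(r"has detected (?P<name>\S+)")


def parse_mbam(text):
    """Return (path, detection name, action) for every detection line in an MBAM log."""
    hits = []
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            hits.append((m["path"], m["name"], m["action"]))
    return hits


def parse_norton(text):
    """Return (path, risk name) for Norton rows that name a file.

    The csv module copes with the quoted "Blocked, Blocked" status field, which a
    naive split(',') would break."""
    hits = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        path = row["File Name"].strip()
        if not path:
            continue  # summary rows carry no path, so there is nothing to correlate on
        m = NORTON_ACTIVITY.search(row["Activity"])
        name = row["Risk Name"] or (m["name"] if m else "unknown")
        hits.append((path, name))
    return hits


def correlate(mbam_text, norton_text):
    """Group both products' verdicts by case-folded path (Windows paths are case-insensitive)."""
    by_path = {}
    for path, name, action in parse_mbam(mbam_text):
        by_path.setdefault(path.lower(), {})["mbam"] = (name, action)
    for path, name in parse_norton(norton_text):
        by_path.setdefault(path.lower(), {})["norton"] = name
    return by_path


def pending_reboot(mbam_text):
    """Paths MBAM could not remove immediately; verify these are gone after a reboot."""
    return [p for p, _, action in parse_mbam(mbam_text) if action == "Delete on reboot"]


if __name__ == "__main__":
    for path, verdicts in correlate(MBAM_LOG, NORTON_LOG).items():
        print(path, verdicts)
    print("still pending reboot:", pending_reboot(MBAM_LOG))
```

Running it shows why the OP saw different names from the two scanners: the same three files (iamfamous.dll, tmp591.tmp, tmpC.tmp) are Spyware.Passwords / Trojan.Agent to MBAM and W32.Tidserv / Backdoor.Tidserv!inf to Norton, and the two "Delete on reboot" entries are the ones worth re-checking once the machine has restarted.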



#4 mandownmandown

mandownmandown
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:04 PM

Posted 29 December 2008 - 08:30 AM

to clarify, the message I get when I double click the C:\ drive is

"Windows cannot find 'resycled\boot.com'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

the message I get when I double click all my other drives is

"resycled\boot.com is not a valid Win32 application"

also, I noticed there is a hidden folder called "resycled" in the top level of all my drives except the C drive. And it contains a file called "boot.com".

Norton and malwarebytes aren't finding anything more with full scans. Norton still lists Backdoor.Tidserv!inf under Unresolved Security Risks.

thanks again for any help you guys are able to give.

#5 mandownmandown

mandownmandown
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:04 PM

Posted 29 December 2008 - 08:30 PM

I think I got rid of the virus. Here's what I did:

First I followed these steps to get rid of the resycled\boot.com problem when double clicking a drive in My Computer

Taken from: http://forums.techarena.in/windows-xp-support/1064141-2.htm

You should do these steps after a fresh reboot or in safe mode.

1) Navigate to the problem drive(s) via the Explore option.

2) Click on TOOLS -> FOLDER OPTIONS

3) Click the button which says ‘Show hidden files and folders’.

4) UNCHECK the following boxes:

Hide extensions for known file types
Hide protected operating system files

5) Find and delete the autorun.ini file and the resycled folder on the root directory of all affected drives.

6) Check “c:\windows\system32\dllcache” for boot.com file and delete it if present.

7) Check “c:\windows\prefetch” for boot.com file and delete if present.

8) Delete all files from c:\windows\temp

(Some files may not delete, that’s ok, they’re in use by the system and not virus files.)

9) Delete all files from c:\Documents and Settings\[USER PROFILE]\Local Settings\Temp

(Again, a couple files may not delete, don’t worry.)

10) Run Regedit

11) Make sure you are at the very first entry of the registry hive. (My Computer should be highlighted) then click EDIT -> FIND

12) Search for “boot.com”. If it finds an entry, delete it. Keep hitting F3 until you’ve deleted all instances of boot.com in the entire registry.

13) Scroll the left column back up to the top and highlight the My Computer again at the top of the registry hive.

14) Click Edit -> Find again and search for ‘resycled’ and repeat as in step 13, deleting the entries as it finds them. (I found 2 of each)

15) Close registry editor and try opening the infected drives. They should work now.


Then I went back into Norton to where it lists the unresolved security threats. The Backdoor.Tidserv!inf was listed twice. So I asked Norton to remove them (and crossed my fingers) and they were successfully removed.

no sign of any problems and I'm running another full scan with norton just to be sure.

I guess you can close this topic. If something pops up again I'll start a fresh thread and refer to this one. Thanks for helping out with this stuff. It's nice to know I can go somewhere and get some professional help when my computer gets inoculated :thumbsup:
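Steps 1 to 7 of the procedure quoted above amount to a manual check of each drive root for an autorun.inf that points at resycled\boot.com. Here is that check as a script (an added example of mine, not from the thread or the techarena post it quotes), so the same inspection can be repeated after cleanup or across many drives without relying on Explorer's hidden-file settings. It parses autorun.inf with the standard library, reports every directive that would launch a program, whether the target actually exists under that root, and whether a "resycled" folder is present. The file name `autorun_check.py` and the constructed sample root it builds when run with no arguments are my assumptions; the autorun.inf body in the sample is invented for the demo and is not the OP's file.

```python
"""Check drive roots for the autorun.inf / resycled\\boot.com pairing (added example).

Usage: python autorun_check.py D:\\ E:\\   (any roots you want inspected)
With no arguments it builds a constructed sample root in a temp directory and scans that.
"""
import configparser
import stat
import sys
import tempfile
from pathlib import Path

# autorun.inf directives that make Windows run a program on open/double-click
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Map each launch directive in an autorun.inf body to its target.

    Returns None when the text is not parseable as INI (no section header, binary
    junk, ...) so the caller can flag the file rather than silently ignore it."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",), allow_no_value=True)
    cp.optionxform = str  # keep option names as written
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    targets = {}
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            k = key.lower()
            # open= / shellexecute= and any shell\<verb>\command= entry launch something
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
                targets[key] = (value or "").strip()
    return targets


def scan_root(root):
    """Report autorun.inf launch targets (and whether they exist) plus any
    'resycled' folder at one drive root."""
    root = Path(root)
    report = {"root": str(root), "autorun": None, "resycled": None}
    inf = root / "autorun.inf"
    if inf.is_file():
        attrs = getattr(inf.stat(), "st_file_attributes", 0)  # Windows only; 0 elsewhere
        entry = {
            "hidden_or_system": bool(attrs & (stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM)),
            "launches": [],
            "error": None,
        }
        targets = parse_autorun(inf.read_text(errors="replace"))
        if targets is None:
            entry["error"] = "autorun.inf is not valid INI"
        else:
            for key, target in targets.items():
                exe = target.split()[0].strip('"') if target else ""  # drop any arguments
                rel = exe.replace("\\", "/")  # so the existence check also works off Windows
                entry["launches"].append({"key": key, "target": exe,
                                          "target_exists": bool(exe) and (root / rel).exists()})
        report["autorun"] = entry
    folder = root / "resycled"
    if folder.is_dir():
        report["resycled"] = sorted(p.name for p in folder.iterdir())
    return report


def make_sample_root(infected=True):
    """Build a constructed drive root in a temp dir (sample data, not from the thread)."""
    root = Path(tempfile.mkdtemp(prefix="autorun-demo-"))
    if infected:
        (root / "resycled").mkdir()
        (root / "resycled" / "boot.com").write_bytes(b"placeholder bytes, not a real program")
        (root / "autorun.inf").write_text(
            "[AutoRun]\nopen=resycled\\boot.com\nshell\\open\\command=resycled\\boot.com\n"
            "shell\\open\\default=1\nicon=%SystemRoot%\\system32\\shell32.dll,4\n")
    return root


if __name__ == "__main__":
    roots = sys.argv[1:] or [make_sample_root()]
    for r in roots:
        print(scan_root(r))
```

A root is clean when the report shows `autorun` and `resycled` both `None`; an autorun.inf whose launch target exists under the same root (rather than, say, a CD's setup program) is the pattern this thread describes, and `hidden_or_system` being true on Windows matches the `---shr--` attributes the DDS log shows on C:\autorun.inf.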

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:08:04 AM

Posted 05 January 2009 - 09:39 AM

Thank you for notifying us.. I will now close this topic.. Please pm any Moderator or HijackThis Team should you need to re-open this topic..


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
