
backdoor.tidserv, How do I remove it?


This topic is locked
14 replies to this topic

#1 njd.7983 (Members, 40 posts)

Posted 20 January 2009 - 06:58 PM

Hi,

My Symantec Antivirus detected backdoor.tidserv on my computer and doesn't take any action on it. I tried deleting it manually, but that doesn't help either; it won't get deleted. My problem is, every time I search for something on Google I get search results on the Google page and within seconds I have results for the same search popping up in another window, some random search engine. Also the Symantec Auto-Protect disables itself and refuses to turn itself on. Why?

I need help deleting the virus.

Thanks.

N


#2 njd.7983 (Topic Starter, Members, 40 posts)

Posted 20 January 2009 - 08:12 PM

Hello,

I am now facing another problem. My computer keeps shutting down. It displays the following message before it shuts down: "Windows must now restart because the DCOM Server process launcher service terminated unexpectedly". Why is that happening? Is it related to the virus infection?

N

#3 garmanma, Computer Masochist (Staff Emeritus, 27,809 posts, Cleveland, Ohio)

Posted 20 January 2009 - 08:22 PM

If you are using a router, disconnect from the internet. Reset the router and give it a strong password.
Download MBAM using Safe Mode with networking, if you must. You can also download it on another computer and use a thumb drive, or burn it to a CD.
If you use Spybot S&D, turn off the TeaTimer function.
--------------------------------------------------------------------

The process of cleaning your computer may require temporarily disabling some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

---------------------------------

If mbam won't install

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#4 njd.7983 (Topic Starter, Members, 40 posts)

Posted 21 January 2009 - 02:07 PM

Hello,

Thanks for the response. I downloaded MBAM and performed the scan as directed. Below is the log generated. Hope to hear from you soon on what to do next. I did not see any of the backdoor.tidserv virus being detected by MBAM, so I am just wondering if it is still on the computer and how to deal with it. It shows up every time Symantec runs a scan.

Thanks.

N

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 2

1/21/2009 12:47:53 PM
mbam-log-2009-01-21 (12-47-53).txt

Scan type: Quick Scan
Objects scanned: 65233
Time elapsed: 8 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 21
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\jzgnkr.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ssqNHxwv.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a0f3a4e9-94d4-4672-b29d-928da2fa8f39} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a0f3a4e9-94d4-4672-b29d-928da2fa8f39} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4c66f2a-a36c-445d-bd43-30e88608eec6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c4c66f2a-a36c-445d-bd43-30e88608eec6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c4c66f2a-a36c-445d-bd43-30e88608eec6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqnhxwv (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a0f3a4e9-94d4-4672-b29d-928da2fa8f39} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gxdnhaoq (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gxdnhaoq (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\omztkrdv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\omztkrdv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hliyo (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hzadaxeqeta (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\opnNGxXP.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\PXxGNnpo.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\PXxGNnpo.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jzgnkr.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cewqldbj.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jbdlqwec.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqNHxwv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\aqomci.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\edebtfuq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lasjyiob.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\ggmhbkwi.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\vjuulruq.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\jignesh doshi\Local Settings\Temporary Internet Files\Content.IE5\3W4OLPZ2\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\jignesh doshi\Local Settings\Temporary Internet Files\Content.IE5\ZVP1DP1U\index[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\Llukidonokec.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\ugajesuxitoke.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msiconf.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awttsQgH.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\jignesh doshi\Desktop\Internet Security Suite.url (Rogue.Link) -> Quarantined and deleted successfully.
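Editor's note on reading a log like the one above. Each MBAM 1.x detection line has the shape `<item> (<detection name>) -> <action>` under a section header such as `Registry Keys Infected:`. What a responder wants out of it is not the vendor label (Symantec's "Backdoor.Tidserv" and Malwarebytes' "Rootkit.Agent" are different vendors' names, and the log alone does not settle whether they refer to the same thing) but the autostart locations: the randomly named services and kernel drivers under `system32\drivers`, the BHO and ShellExecuteHooks CLSIDs, the Winlogon Notify package and the Run entries. Those names can be carried over as indicators when checking the follow-up scans, and anything marked "Delete on reboot" is still on disk until the machine reboots normally. The Python below is an added example written for this page, not a Malwarebytes tool and not code from anyone in the thread. `SAMPLE_LOG` is a constructed subset of the log lines posted above, and the persistence-location patterns are this example's own choice of what to extract.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log and pull out autostart indicators.

Added example, not a Malwarebytes tool. SAMPLE_LOG is a constructed subset of the
log lines posted in this thread; section names and line layout follow that log.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 65233

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\jzgnkr.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a0f3a4e9-94d4-4672-b29d-928da2fa8f39} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqnhxwv (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gxdnhaoq (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gxdnhaoq (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hliyo (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ssqNHxwv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\drivers\ggmhbkwi.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

# One detection line: "<item> (<detection name>) -> <action>"
LINE_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")
# Section headers such as "Registry Keys Infected:"; the summary counts end in ": N" and do not match.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")

# Autostart locations this example extracts (our own selection, keyed by a short tag).
PERSISTENCE = [
    ("service", re.compile(r"\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)$", re.I)),
    ("driver", re.compile(r"\\system32\\drivers\\([^\\]+\.sys)$", re.I)),
    ("bho", re.compile(r"\\Browser Helper Objects\\(\{[0-9a-f-]{36}\})$", re.I)),
    ("shell_execute_hook", re.compile(r"\\ShellExecuteHooks\\(\{[0-9a-f-]{36}\})$", re.I)),
    ("winlogon_notify", re.compile(r"\\Winlogon\\Notify\\([^\\]+)$", re.I)),
    ("run", re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.I)),
]


def parse_mbam_log(text):
    """Return one dict per detection line: section, item, detection, action."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = LINE_RE.match(line)
        if m and section is not None:
            findings.append({"section": section, **m.groupdict()})
    return findings


def autostart_indicators(findings):
    """Group the randomly named autostart entries by location; values are sorted and de-duplicated."""
    hits = defaultdict(set)
    for f in findings:
        for tag, rx in PERSISTENCE:
            m = rx.search(f["item"])
            if m:
                hits[tag].add(m.group(1))
    return {tag: sorted(names) for tag, names in hits.items()}


def pending_reboot(findings):
    """Items MBAM could only schedule for deletion; they stay until the machine reboots normally."""
    return sorted(f["item"] for f in findings if f["action"].startswith("Delete on reboot"))


def detections_by_family(findings):
    """Count items per detection name, e.g. to see how much was Vundo versus the rootkit driver/service."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["detection"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(f"{len(found)} detections")
    for tag, names in autostart_indicators(found).items():
        print(f"  {tag}: {', '.join(names)}")
    print("still pending reboot:", *pending_reboot(found), sep="\n  ")
```

Running it prints the service name `gxdnhaoq`, the driver `ggmhbkwi.sys`, the two CLSIDs, the Winlogon Notify package and the Run value, then the three items still waiting on a reboot. Feeding a later log through the same functions shows whether new random names keep appearing in the same locations, which is the practical sign that the component reinstalling them has not yet been removed.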

#5 njd.7983 (Topic Starter, Members, 40 posts)

Posted 21 January 2009 - 03:28 PM

Hello again,

I thought I should mention this. I just noticed my computer still keeps shutting down on its own. It first displays this message:
"Generic host process for Win 32 services encountered a problem and needs to close". It asks me if I want to send a report and when I say "don't send" the message window closes and almost immediately displays this message: "Windows must now restart because the DCOM Server process launcher service terminated unexpectedly". Then the computer shuts down in 60 seconds. What is causing this?

Thanks

N

#6 garmanma, Computer Masochist (Staff Emeritus, 27,809 posts, Cleveland, Ohio)

Posted 21 January 2009 - 04:02 PM

You still have some nasties. It can take several different scans to clean up everything.
For right now:

Please reboot the computer.
Open MBAM and click the Update tab, select Check for Updates; when done,
click the Scanner tab and select Full scan.
After the scan click Remove Selected, and post the new scan log for review.
Mark

#7 njd.7983 (Topic Starter, Members, 40 posts)

Posted 21 January 2009 - 04:14 PM

Hi,

OK, so I will do as said. I thought so too; the random sites still keep popping up. Will get back soon.

Thanks

N

#8 njd.7983 (Topic Starter, Members, 40 posts)

Posted 21 January 2009 - 05:16 PM

Hi Mark,

So I tried running a full scan, but about 20 minutes through the scan the computer shut down. I had enough time to abort the scan, remove the infected objects detected and save the log. How do I run a full scan without encountering the shutdown problem? The computer was in normal mode and connected to the internet when I ran the scan.

N

Malwarebytes' Anti-Malware 1.33
Database version: 1673
Windows 5.1.2600 Service Pack 2

1/21/2009 3:59:36 PM
mbam-log-2009-01-21 (15-59-36).txt

Scan type: Full Scan (C:\|)
Objects scanned: 37352
Time elapsed: 22 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\wvUKdBqN.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e9ff51b1-5116-4bda-9c5c-53a8fcab526e} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{e9ff51b1-5116-4bda-9c5c-53a8fcab526e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\wvUKdBqN.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wvUKdBqN.dllbox (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\c:\windows\system32\wvukdbqn.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\NqBdKUvw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NqBdKUvw.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

#9 garmanma, Computer Masochist (Staff Emeritus, 27,809 posts, Cleveland, Ohio)

Posted 21 January 2009 - 08:02 PM

Reboot and try the full scan in Safe Mode.
We're making some progress.
Mark

#10 njd.7983 (Topic Starter, Members, 40 posts)

Posted 21 January 2009 - 08:21 PM

Hi Mark,

I managed to run a full scan and avoided the shut down by a method that I came across in another thread.

- Click on Start>Run and type cmd
- Press enter
- At the command prompt type : shutdown -a
- Press enter

So I used the above and have the new log report. The DCOM error message persists. Thanks for all the help so far.

N

Here is the log.

Malwarebytes' Anti-Malware 1.33
Database version: 1673
Windows 5.1.2600 Service Pack 2

1/21/2009 6:36:38 PM
mbam-log-2009-01-21 (18-36-38).txt

Scan type: Full Scan (C:\|)
Objects scanned: 176324
Time elapsed: 1 hour(s), 20 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\klunqqfd (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\klunqqfd (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klunqqfd (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\qnxsxebi.sys (Rootkit.Agent) -> Delete on reboot.

#11 garmanma, Computer Masochist (Staff Emeritus, 27,809 posts, Cleveland, Ohio)

Posted 22 January 2009 - 04:52 PM

Try to run SAS


ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Now SAS, which may need an hour.
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Mark

#12 njd.7983 (Topic Starter, Members, 40 posts)

Posted 22 January 2009 - 05:25 PM

Hi Mark,

Here is the SAS scan log. It did not detect backdoor.tidserv; I am sure Symantec did. How do I know if it's still there or gone? I understand my computer may be compromised with such a trojan infection.

N

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/22/2009 at 02:27 PM

Application Version : 4.25.1012

Core Rules Database Version : 3716
Trace Rules Database Version: 1690

Scan type : Complete Scan
Total Scan Time : 01:32:54

Memory items scanned : 255
Memory threats detected : 0
Registry items scanned : 9228
Registry threats detected : 20
File items scanned : 113371
File threats detected : 16

Spyware.WebSearch (WinTools/HuntBar)
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks#{87766247-311C-43B4-8499-3D5FEC94A183}
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks#{87766247-311C-43B4-8499-3D5FEC94A183}
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#DeviceDesc

Adware.Ezula
C:\Program Files\Ezula\Images
C:\Program Files\Ezula

Rogue.Component/Trace
HKLM\Software\Microsoft\BCFB3132
HKLM\Software\Microsoft\BCFB3132#bcfb3132
HKLM\Software\Microsoft\BCFB3132#Version
HKLM\Software\Microsoft\BCFB3132#bcfb9cb2
HKLM\Software\Microsoft\BCFB3132#bcfbf557
HKU\S-1-5-21-2261774221-2518843664-236324173-1006\Software\Microsoft\CS41275
HKU\S-1-5-21-2261774221-2518843664-236324173-1006\Software\Microsoft\FIAS4018

Rogue.RapidAntivirus
HKU\.DEFAULT\Software\Rapid Antivirus
HKU\S-1-5-18\Software\Rapid Antivirus

Adware.Tracking Cookie
C:\Documents and Settings\Guest\Cookies\guest@a.websponsors[2].txt
C:\Documents and Settings\Guest\Cookies\guest@adknowledge[1].txt

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WTSSVIT.EXE.VIR
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\2029C8E92BA04DD1
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\24EA62767F314ADF
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\63B1B2DDE817DB68
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\7B9A38CBDA725511
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\85A357AA2F0C96CB
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\895BF67E32789B81
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\93C27FBBAC8BBD48
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\94AFF9CAB6D0B9BF
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\EBBA651DAF08BC9

Trojan.Vundo-Variant/Packed-GEN
C:\WINDOWS\SYSTEM32\GEBTQKLM.DLL
C:\WINDOWS\SYSTEM32\IIFCYSRJ.DLL

#13 garmanma, Computer Masochist (Staff Emeritus, 27,809 posts, Cleveland, Ohio)

Posted 22 January 2009 - 08:58 PM

I'm going to suggest that you follow the instructions and prepare a HJT log, here:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
Then post the log in the proper form here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
Our team members are rather busy, so it may take a while to get to you.
Be patient and good luck.
Mark

#14 njd.7983 (Topic Starter, Members, 40 posts)

Posted 22 January 2009 - 09:22 PM

Hello!

OK, sounds good. I guessed they are busy; it took you relatively more time to reply. Thanks for all the help. Really appreciate it.

N

#15 Orange Blossom, OBleepin Investigator (Moderator, 36,947 posts, Bloomington, IN)

Posted 23 January 2009 - 09:34 PM

Hello njd.7983,

Now that you have a log posted here: http://www.bleepingcomputer.com/forums/t/197497/backdoortidservinf-virus/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



