Backdoor.Tidserv - Infected Computer


11 replies to this topic

#1 Giga


  • Members
  • 12 posts

Posted 06 August 2009 - 05:13 AM

Hi all.

I've recently been infected with the Backdoor.Tidserv virus. I've run Norton Antivirus 9, and it fails to remove it. Norton's instructions to remove this virus don't help me at all: http://www.symantec.com/security_response/...-99&tabid=3 because none of those exist in the registry.

Norton finds the following "globalroot\system32\geyekrelnyicbm.dll". I've tried Malwarebytes, AVG, Norton, none of them seem to kill it, so I came to the pros.

Please tell me what I need to do, and I'll do it. If you need more detailed information please point me to the program to create the logs you need, and I'll get them up ASAP.

I'm using Windows XP SP3.

Thanks again

Edited by Giga, 06 August 2009 - 05:14 AM.



#2 quietman7


    Bleepin' Janitor


  • Global Moderator
  • 51,754 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 06 August 2009 - 07:07 AM

Please post the results of your MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- In XP: C:\Documents and Settings\\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\Logs


Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Please download and scan with Dr.Web CureIt - alternate download link.
Follow these instructions for performing a scan in "safe mode".
If you cannot boot into safe mode or complete a scan, then try doing it in normal mode. Be aware, this scan could take a long time to complete.
-- Post the log in your next reply. If you can't find the log, try to write down what was detected/removed before exiting Dr.WebCureIt so you can provide that information.

Please download Rooter.exe and save to your desktop.
alternate download link
  • Double-click on Rooter.exe to start the tool. If using Vista, right-click and Run as Administrator...
  • Click the Scan button to begin.
  • Once the scan is complete, Notepad will open with a report named Rooter_#.txt (where # is the number assigned to the report).
  • A folder will be created at the %systemdrive% (usually, C:\Rooter$) where the log will be saved.
  • Rooter will automatically close. If it doesn't, just press the Close button.
  • Copy and paste the contents of Rooter_#.txt in your next reply.
Important: Before performing a scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Giga

  • Topic Starter

  • Members
  • 12 posts

Posted 07 August 2009 - 04:33 AM

MBAM:
Malwarebytes' Anti-Malware 1.40
Database version: 2555
Windows 5.1.2600 Service Pack 3

8/7/2009 2:21:05 AM
mbam-log-2009-08-07 (02-21-04).txt

Scan type: Full Scan (C:\|)
Objects scanned: 243753
Time elapsed: 1 hour(s), 20 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Rooter:
Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 3
[32_bits] - x86 Family 6 Model 15 Stepping 6, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Disabled !
.
Internet Explorer 8.0.6001.18702
.
C:\  [Fixed-NTFS] .. ( Total:232 Go - Free:195 Go )
D:\  [CD_Rom]
E:\  [CD_Rom]
F:\  [Fixed-NTFS] .. ( Total:74 Go - Free:64 Go )
.
Scan : 00:59.13
Path : C:\Documents and Settings\V\Desktop\Rooter.exe
User : V ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (868)
______ \??\C:\WINDOWS\system32\csrss.exe (920)
______ \??\C:\WINDOWS\system32\winlogon.exe (948)
______ C:\WINDOWS\system32\services.exe (992)
______ C:\WINDOWS\system32\lsass.exe (1004)
______ C:\WINDOWS\system32\svchost.exe (1200)
______ C:\WINDOWS\system32\svchost.exe (1272)
______ C:\WINDOWS\System32\svchost.exe (1452)
______ C:\WINDOWS\system32\svchost.exe (1648)
______ C:\WINDOWS\system32\svchost.exe (1772)
______ C:\WINDOWS\system32\spoolsv.exe (1876)
______ C:\WINDOWS\Explorer.EXE (548)
______ C:\WINDOWS\system32\svchost.exe (1152)
______ C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe (180)
______ C:\WINDOWS\system32\svchost.exe (460)
______ C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe (3304)
______ C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe (2248)
______ C:\Documents and Settings\V\Local Settings\Application Data\Google\Chrome\Application\chrome.exe (680)
______ C:\Documents and Settings\V\Local Settings\Application Data\Google\Chrome\Application\chrome.exe (3340)
______ C:\Documents and Settings\V\Local Settings\Application Data\Google\Chrome\Application\chrome.exe (3660)
______ C:\Documents and Settings\V\Desktop\Rooter.exe (232)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:250056705024)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-920026266-725345543-1003Core.job
C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-920026266-725345543-1003UA.job
C:\WINDOWS\Tasks\SA.DAT
C:\WINDOWS\Tasks\User_Feed_Synchronization-{A7158E4B-5058-41E8-AD48-FA94A68AF189}.job
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 00:59.39
.
C:\Rooter$\Rooter_2.txt - (07/08/2009 | 00:59.39)


Dr. Web:
C:\Qoobox\Quarantine\C\WINDOWS\system32\geyekrelnyicbm.dll.vir infected with BackDoor.Tdss.333 - deleted
C:\System Volume Information\_restore{3550B728-C339-4F8E-BBC4-A51A6F76DF22}\RP0\A0000002.dll infected with BackDoor.Tdss.333 - deleted
-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Scanned: 415982
Infected: 2
Modifications: 0
Suspicious: 1
Adware: 0
Dialers: 0
Jokes: 0
Riskware: 0
Hacktools: 1
Cured: 0
Deleted: 2
Renamed: 0
Moved: 0
Ignored: 0
Scan speed: 229 Kb/s
Scan time: 03:28:33
-----------------------------------------------------------------------------
C:\Linksys Driver\WMP300N_20071019\AutoRun\Setup.exe - deleted
C:\SDFix\apps\Process.exe - deleted
=============================================================================
Total session statistics
=============================================================================
Scanned: 417136
Infected: 2
Modifications: 0
Suspicious: 1
Adware: 0
Dialers: 0
Jokes: 0
Riskware: 0
Hacktools: 1
Cured: 0
Deleted: 4
Renamed: 0
Moved: 0
Ignored: 0
Scan speed: 241 Kb/s
Scan time: 03:30:07
=============================================================================



Norton is still calling out that it's infected, what should I do next?? Thank you for the help.

My computer is starting to really slow down, especially my internet connection.

Edited by Giga, 07 August 2009 - 06:58 AM.


#4 Giga

  • Topic Starter

  • Members
  • 12 posts

Posted 08 August 2009 - 04:39 AM

I'm pretty sure something keeps turning my firewall off as well. I redid all of the scans you had me do today and found nothing, but I'd like to be very very sure. I'm having a hard time getting Norton to load up now as well.

Edited by Giga, 08 August 2009 - 04:39 AM.


#5 quietman7


    Bleepin' Janitor


  • Global Moderator
  • 51,754 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 08 August 2009 - 06:36 AM

Please download RootRepeal.zip and save it to your Desktop.
alternate download link 1
alternate download link 2
  • Unzip the file on your Desktop or create a new folder on the hard drive called RootRepeal (C:\RootRepeal) and extract it there.
    (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Disconnect from the Internet as your system will be unprotected while using this tool.
  • Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
    This will ensure more accurate results and avoid common issues that may cause false detections.
  • Click this link to see a list of such programs and how to disable them.
  • Open the RootRepeal folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
  • When the program opens, click the Report tab at the bottom, then click the Scan button.
  • In the Select Scan dialog, which asks "What do you want to include in the scan?", check all the boxes.
  • Click OK.
  • In the Select Drives dialog ("Please select drives to scan:"), select your primary system drive (usually C:), then click OK.
  • The scan can take some time to finish. Do not use the computer while the scan is running.
  • When the scan has completed, a list of files will be generated in the RootRepeal window.
  • Click on the Save Report button and save it as rootrepeal.txt to your desktop.
  • A copy of the report with the date (i.e. RootRepeal report 07-30-09 (17-35-54).txt) is also saved to the root of your system drive (usually C:\).
  • Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
  • Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "safe mode".

#6 Giga

  • Topic Starter

  • Members
  • 12 posts

Posted 08 August 2009 - 09:25 AM

RootRepeal:
ROOTREPEAL  AD, 2007-2009
==================================================
Scan Start Time:		2009/08/08 07:13
Program Version:		Version 1.3.3.0
Windows Version:		Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAB6FC000	Size: 98304	File Visible: No	Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5F2000	Size: 8192	File Visible: No	Signed: -
Status: -

Name: PCI_PNP7876
Image Path: \Driver\PCI_PNP7876
Address: 0x00000000	Size: 0	File Visible: No	Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7CB1000	Size: 49152	File Visible: No	Signed: -
Status: -

Name: spbj.sys
Image Path: spbj.sys
Address: 0xB9EA7000	Size: 1048576	File Visible: No	Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000	Size: 0	File Visible: No	Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xB9D84000	Size: 323584	File Visible: No	Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\v\local settings\temp\etilqs_sdai3vei4yp5qtp1stdu
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\documents and settings\v\local settings\temp\etilqs_wenfp5siicy3xa4airjz
Status: Allocation size mismatch (API: 8192, Raw: 0)

Path: C:\Documents and Settings\V\Local Settings\Application Data\Google\Chrome\User Data\Local State
Status: Could not get file information (Error 0xc0000008)

SSDT
-------------------
#: 012	Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8a36d210

#: 013	Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x8a369050

#: 017	Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x893e3a50

#: 019	Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x893ecca8

#: 031	Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8acc8178

#: 041	Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaba6c040

#: 043	Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x89454940

#: 052	Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x893dacc0

#: 053	Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8a369eb0

#: 057	Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x8a36c910

#: 063	Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaba6c2c0

#: 065	Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaba6c820

#: 068	Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x893e3d28

#: 071	Function Name: NtEnumerateKey
Status: Hooked by "spbj.sys" at address 0xb9ec6ca2

#: 073	Function Name: NtEnumerateValueKey
Status: Hooked by "spbj.sys" at address 0xb9ec7030

#: 083	Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x893e31b0

#: 089	Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x89465590

#: 091	Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x89465e50

#: 097	Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x8a3931f0

#: 108	Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x893e3050

#: 114	Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x89467cd0

#: 119	Function Name: NtOpenKey
Status: Hooked by "spbj.sys" at address 0xb9ea80c0

#: 122	Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x8945a128

#: 123	Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x8a44b590

#: 125	Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x8a36cdd0

#: 128	Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x893e3eb8

#: 137	Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x894518f8

#: 160	Function Name: NtQueryKey
Status: Hooked by "spbj.sys" at address 0xb9ec7108

#: 177	Function Name: NtQueryValueKey
Status: Hooked by "spbj.sys" at address 0xb9ec6f88

#: 206	Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8a4d6148

#: 213	Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8a370210

#: 228	Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x89459d30

#: 240	Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x8a36cb90

#: 247	Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaba6ca70

#: 253	Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x89467a50

#: 254	Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8a36b050

#: 257	Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x89466358

#: 258	Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x89e4c050

#: 267	Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8a3753d0

#: 277	Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x893e3640

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System	Address: 0x8adfb1f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System	Address: 0x8adfb1f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System	Address: 0x8adfb1f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System	Address: 0x8adfb1f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x8adfb1f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x8adfb1f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System	Address: 0x8adfb1f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System	Address: 0x8adfb1f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x8adfb1f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x8adfb1f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x8adfb1f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x8adfb1f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x8adfb1f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8adfb1f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8adfb1f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x8adfb1f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System	Address: 0x8adfb1f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System	Address: 0x8adfb1f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System	Address: 0x8adfb1f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System	Address: 0x8adfb1f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System	Address: 0x8adfb1f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System	Address: 0x8adfb1f8	Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System	Address: 0x8adfc1f8	Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System	Address: 0x8adfc1f8	Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8adfc1f8	Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8adfc1f8	Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System	Address: 0x8adfc1f8	Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8adfc1f8	Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System	Address: 0x8adfc1f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System	Address: 0x8aad21f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System	Address: 0x8aad21f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System	Address: 0x8aad21f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System	Address: 0x8aad21f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x8aad21f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8aad21f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8aad21f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8aad21f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System	Address: 0x8aad21f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8aad21f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System	Address: 0x8aad21f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System	Address: 0x8ad8d1f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System	Address: 0x8ad8d1f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System	Address: 0x8ad8d1f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System	Address: 0x8ad8d1f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x8ad8d1f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8ad8d1f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8ad8d1f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8ad8d1f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System	Address: 0x8ad8d1f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8ad8d1f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System	Address: 0x8ad8d1f8	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System	Address: 0x8ab931f8	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System	Address: 0x8ab931f8	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8ab931f8	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8ab931f8	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System	Address: 0x8ab931f8	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8ab931f8	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System	Address: 0x8ab931f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System	Address: 0x8adfd1f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System	Address: 0x8adfd1f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System	Address: 0x8adfd1f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x8adfd1f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8adfd1f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8adfd1f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8adfd1f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System	Address: 0x8adfd1f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System	Address: 0x8adfd1f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8adfd1f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System	Address: 0x8adfd1f8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System	Address: 0x8a373500	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System	Address: 0x8a373500	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a373500	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a373500	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System	Address: 0x8a373500	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System	Address: 0x8a373500	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System	Address: 0x8aad61f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System	Address: 0x8aad61f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8aad61f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8aad61f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System	Address: 0x8aad61f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8aad61f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System	Address: 0x8aad61f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System	Address: 0x89eda500	Size: 121

Object: Hidden Code [Driver: Cdfs, IRP_MJ_CREATE]
Process: System	Address: 0x8ab2f1f8	Size: 121

Object: Hidden Code [Driver: Cdfs, IRP_MJ_CLOSE]
Process: System	Address: 0x8ab2f1f8	Size: 121

Object: Hidden Code [Driver: Cdfs, IRP_MJ_READ]
Process: System	Address: 0x8ab2f1f8	Size: 121

Object: Hidden Code [Driver: Cdfs, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x8ab2f1f8	Size: 121

Object: Hidden Code [Driver: Cdfs, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x8ab2f1f8	Size: 121

Object: Hidden Code [Driver: Cdfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x8ab2f1f8	Size: 121

Object: Hidden Code [Driver: Cdfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x8ab2f1f8	Size: 121

Object: Hidden Code [Driver: Cdfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x8ab2f1f8	Size: 121

Object: Hidden Code [Driver: Cdfs, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8ab2f1f8	Size: 121

Object: Hidden Code [Driver: Cdfs, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8ab2f1f8	Size: 121

Object: Hidden Code [Driver: Cdfs, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x8ab2f1f8	Size: 121

Object: Hidden Code [Driver: Cdfs, IRP_MJ_CLEANUP]
Process: System	Address: 0x8ab2f1f8	Size: 121

Object: Hidden Code [Driver: Cdfs, IRP_MJ_PNP]
Process: System	Address: 0x8ab2f1f8	Size: 121

Shadow SSDT
-------------------
#: 307	Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x8a5082d0

#: 383	Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x8a514100

#: 414	Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x8a391440

#: 416	Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x8a5127b0

#: 428	Function Name: NtUserGetRawInputData
Status: Hooked by "<unknown>" at address 0x8abf2408

#: 460	Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x8a4f9b70

#: 475	Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x8abe79d8

#: 476	Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x8ac08bc0

#: 549	Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x8ab2af58

#: 552	Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x8ac3dfb0

==EOF==

Edited by Giga, 08 August 2009 - 09:27 AM.
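As an added triage aid that is not part of this thread or of GMER itself: a small parser for GMER-style output like the log above. It counts, per driver, how many IRP_MJ_* dispatch entries point into hidden code and lists the Shadow SSDT entries hooked by a module GMER could not identify, which is where an analyst would start. The sample log is constructed from entries in the post above; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample in GMER's layout, using entries taken from the log above.
SAMPLE_LOG = """\
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System\tAddress: 0x89eda500\tSize: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System\tAddress: 0x89eda500\tSize: 121
Object: Hidden Code [Driver: Cdfs, IRP_MJ_CREATE]
Process: System\tAddress: 0x8ab2f1f8\tSize: 121

Shadow SSDT
-------------------
#: 383\tFunction Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x8a514100
#: 414\tFunction Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x8a391440
#: 549\tFunction Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x8ab2af58
==EOF==
"""

HIDDEN_CODE = re.compile(r"Hidden Code \[Driver: ([^,\]]+), (IRP_MJ_\w+)\]")
SSDT_ENTRY = re.compile(r"#:\s*(\d+)\s+Function Name:\s*(\w+)")
SSDT_STATUS = re.compile(r'Status: Hooked by "([^"]*)" at address (0x[0-9a-fA-F]+)')


def parse_gmer(text):
    """Return (irp_hooks, ssdt_hooks): a Counter of driver -> number of IRP_MJ_*
    dispatch entries pointing into hidden code, and a list of
    (index, function, hooking module, hook address) for hooked Shadow SSDT entries."""
    irp_hooks = Counter()
    ssdt_hooks = []
    pending = None  # "#: N  Function Name: X" line waiting for its Status line
    for line in text.splitlines():
        if m := HIDDEN_CODE.search(line):
            irp_hooks[m.group(1).strip()] += 1
        elif m := SSDT_ENTRY.search(line):
            pending = (int(m.group(1)), m.group(2))
        elif (m := SSDT_STATUS.search(line)) and pending:
            ssdt_hooks.append((*pending, m.group(1), m.group(2)))
            pending = None
    return irp_hooks, ssdt_hooks


def unknown_hooks(ssdt_hooks):
    """Entries whose hook lives in no identifiable module: the ones to triage first."""
    return [h for h in ssdt_hooks if h[2] == "<unknown>"]
```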


#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,754 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:21 AM

Posted 08 August 2009 - 02:51 PM

Please download OTM by OldTimer and save to your Desktop.
  • Double-click on OTM.exe to launch the program. (If using Windows Vista, be sure to Run As Administrator)
  • Copy the file(s)/folder(s) paths listed below - highlight everything in the code box and press CTRL+C or right-click and choose Copy.
:Processes
explorer.exe

:Services

:Reg

:Files
c:\documents and settings\v\local settings\temp\etilqs_sdai3vei4yp5qtp1stdu
c:\documents and settings\v\local settings\temp\etilqs_wenfp5siicy3xa4airjz

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Return to OTM, right-click in the open text box labeled "Paste Instructions for Items to be Moved" (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTM\MovedFiles\mmddyyyy_hhmmss.log <- the date/time the tool was run.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. After the reboot, open Notepad, click File > Open, in the File Name box type *.log and press the Enter key. Navigate to the C:\_OTM\MovedFiles folder, open the newest .log file and copy/paste the contents in your next reply. If not asked, reboot anyway.

Caution: Be careful of what you copy and paste with this tool. OTM is a powerful program, designed to move highly persistent files and folders and is intended by the developer to be used under the guidance and supervision of a trained malware removal expert.


.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#8 Giga

Giga
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:21 AM

Posted 08 August 2009 - 05:41 PM

OTM
All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder c:\documents and settings\v\local settings\temp\etilqs_sdai3vei4yp5qtp1stdu not found.
File/Folder c:\documents and settings\v\local settings\temp\etilqs_wenfp5siicy3xa4airjz not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: V
->Temp folder emptied: 44221 bytes
->Temporary Internet Files folder emptied: 12533977 bytes
->Java cache emptied: 6325 bytes
->Google Chrome cache emptied: 65502907 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 74.57 mb

OTM by OldTimer - Version 3.0.0.6 log created on 08082009_153707
Files moved on Reboot...
Registry entries deleted on Reboot...


#9 Giga

Giga
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:21 AM

Posted 09 August 2009 - 08:07 AM

I should be available all day. Let me know what's next on the list when you get a chance. Thank you very much for your help!

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,754 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:21 AM

Posted 09 August 2009 - 03:04 PM

What is Norton indicating now? Please be specific and include any file names with location (full path).


IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the rootkit was identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Edited by quietman7, 09 August 2009 - 03:06 PM.


#11 Giga

Giga
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:21 AM

Posted 09 August 2009 - 06:17 PM

I ran all of the scans again today, none of them found anything. I sure hope it's gone, that was so annoying.

Thank you SO much for your help.

Edited by Giga, 09 August 2009 - 06:17 PM.


#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,754 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:21 AM

Posted 10 August 2009 - 07:02 AM

You're welcome.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista users can refer to these links: Create a New Restore Point in Vista and Disk Cleanup in Vista.



