Backdoor.trdserv.I!inf

I have windows XP. I recently downloaded the upgrade from norton 2009 to 2010, and the automatic scan found that there is backdoor.trdserv.I! on my computer in the system file termdd.sys. I followed the instructions on the norton website to download the norton update 20100504-004-v5i32, but norton says that manual removal is required and I do not know how to remove it, and how to be sure that it has really been removed.


DDS (Ver_10-03-17.01) - NTFSx86
Run by user 1 at 19:35:37.59 on Thu 05/06/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3062.2377 [GMT 2:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user 1\Desktop\scan.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.nytimes.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.6.0.32\IPSBHO.DLL
BHO: {A9BA40A1-74F1-52BD-F431-00B15A2C8953} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRunOnce: [<NO NAME>]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {A9BA40A1-74F1-52BD-F431-00B15A2C8953} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user1~1\applic~1\mozilla\firefox\profiles\s7v0wzkd.default\
FF - prefs.js: browser.startup.homepage - http:www.nytimes.com
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.6.0.32\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\user 1\application data\mozilla\firefox\profiles\s7v0wzkd.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\user 1\application data\mozilla\firefox\profiles\s7v0wzkd.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\program files\mozilla firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1106000.020\SymDS.sys [2010-5-2 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1106000.020\SymEFA.sys [2010-5-2 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.6.0.32\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-4-29 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1106000.020\cchpx86.sys [2010-5-2 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1106000.020\Ironx86.sys [2010-5-2 116784]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.6.0.32\ccSvcHst.exe [2010-5-2 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-2 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.6.0.32\definitions\ipsdefs\20100429.001\IDSXpx86.sys [2010-5-3 329592]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.6.0.32\definitions\virusdefs\20100504.004\naveng.sys [2010-5-4 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.6.0.32\definitions\virusdefs\20100504.004\navex15.sys [2010-5-4 1324720]

=============== Created Last 30 ================

2010-05-06 17:18:53 20 ----a-w- c:\documents and settings\user 1\defogger_reenable
2010-05-04 20:24:39 47408 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-05-02 20:01:56 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-02 20:01:56 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-02 20:01:56 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-05-02 20:01:56 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-02 20:01:55 0 d-----w- c:\program files\Symantec
2010-05-02 20:00:50 0 d-----w- c:\windows\system32\drivers\NAV
2010-05-02 20:00:37 0 d-----w- c:\program files\Norton AntiVirus
2010-05-02 19:50:02 0 d-----w- c:\docume~1\alluse~1\applic~1\PCSettings
2010-05-02 19:49:38 0 d-----w- c:\program files\NortonInstaller
2010-05-02 19:49:38 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-04-22 11:07:56 0 d-----w- c:\program files\CCleaner
2010-04-06 20:25:27 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-06 20:25:27 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-06 20:25:26 8192 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-04-06 20:25:26 8192 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-04-06 20:25:25 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-04-06 20:25:25 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-04-06 20:24:49 0 d-----w- c:\docume~1\user1~1\applic~1\23B79DABFF3F4921C2FD0AAB69AE3B34

==================== Find3M ====================

2010-05-04 20:24:38 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
2010-03-23 10:37:43 20368 ------w- c:\windows\system32\drivers\PxHelp20.sys
2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:05:09 668672 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:05:05 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-16 17:35:40 2143744 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 16:57:54 2021888 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 10:03:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 19:36:40.50 ===============

Hello, joki.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.

• Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
• Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
• Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
• Please reply within 3 days to be fair to other people asking for help.
• When in doubt, please stop and ask first. There's no harm in asking questions!

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.











Step 1

Next, please download ComboFix from one of these locations:

• Bleepingcomputer
  
• ForoSpyware

* IMPORTANT !!! Save ComboFix.exe to your Desktop as jokiCF.exe

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  
• Double click on jokiCF.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares

still with us?

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.