
Possible sdra64.exe, Backdoor.Tidserv infection



#1 Chazb0


Posted 03 June 2010 - 05:03 PM

Hello,
This started to look like an AV 2008 virus. There was an icon in the Sys tray. MBAM would not run in regular mode, so I rebooted in Safe Mode and ran it. I ran it a few times and cleared out numerous things.

Windows Update page will not display. Also, when I click on links from Google or elsewhere, they get hijacked and send me to other pages.

I suspect the two viruses listed above are part of the problem because I found entries in the event log regarding them:

Event Type: Error
Event Source: Symantec AntiVirus
Event Category: None
Event ID: 5
Date: 6/3/2010
Time: 12:08:11 PM
User: N/A
Computer: USEL3744
Description:


Risk Found!Risk: Backdoor.Tidserv in File: D:\Documents and Settings\user\Local Settings\Temp\12C.tmp by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description:


Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 6/3/2010
Time: 9:12:44 AM
User: N/A
Computer: USEL3744
Description:
Faulting application sdra64.exe, version 2.4.4587.1000, faulting module sdra64.exe, version 2.4.4587.1000, fault address 0x000274b2.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Here is the requested information:




DDS (Ver_10-03-17.01) - NTFSx86
Run by User at 15:38:38.06 on Thu 06/03/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.339 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\APPS\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\CA\Unicenter\SD\BIN\SDSERV.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\CA\Unicenter Asset Management\Agents\SWMSvc.exe
C:\PROGRAM FILES\CA\UNICENTER ASSET MANAGEMENT\AGENTS\SWMW32.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\CA\Unicenter\SD\BIN\TRIGGAG.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\UMCSTUB.EXE
C:\APPS\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\WINDOWS\Explorer.EXE
C:\CA\Unicenter\SD\BIN\triggusr.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\CA\UNICENTER\SxpInst\sxplog32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\AT&T\Communication Manager\ATTCM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
C:\Program Files\AT&T\Communication Manager\bmctl.exe
C:\Program Files\AT&T\Communication Manager\SwiApiMux.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\AT&T\Communication Manager\bmop.exe
E:\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://essnet/
uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://essnet/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
TB: ZoneAlarm Spy Blocker Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IncrediMail] c:\program files\incredimail\bin\IncMail.exe /c
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "d:\documents and settings\User\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SDJobCheck] "c:\ca\unicenter\sd\sd\..\bin\triggusr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_10\bin\jusched.exe"
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Sxplog] c:\ca\unicenter\sxpinst\sxpstub.exe
mRun: [CA-AMAgent] "c:\ca\unicenter\am\agents\amagent.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [<NO NAME>]
mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-system: SetVisualStyle =
dPolicies-explorer: NoFolderOptions = 1 (0x1)
IE: E&xport to Microsoft Excel - /3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: bmnet.dll
Trusted Zone: att.com\webmeeting
Trusted Zone: att.com\www.teleconference
Trusted Zone: microsoft.com
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: transitions.com
Trusted Zone: windowsupdate.com
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169902258193
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233854689941
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {8ffbe65d-2c9c-4669-84bd-5829dc0b603c} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18}
DPF: {CAFECAFE-0013-0001-0029-ABCDEFABCDEF}
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://ssl.website.net/dana-cached/setup/JuniperSetupSP1.cab
DPF: {ED324F9E-715D-4BE2-B6DF-44FCB674AADF} - hxxp://edn/essnet_sps/Portal/resources/msddsc.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\pkmcdo.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-3-30 148496]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-2-5 353672]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-3-30 464264]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R2 LogWatch;Event Log Watch;c:\windows\LogWatNT.exe [2002-9-29 49152]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]
R2 SDService;Unicenter Software Delivery;c:\ca\unicenter\sd\bin\SDServ.exe [2003-6-23 32768]
R2 SWMSVC;Asset Management SW Meter Agent;c:\program files\ca\unicenter asset management\agents\SWMSvc.exe [2004-1-14 24576]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2009-7-15 121416]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-3 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-12-21 80384]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100603.005\naveng.sys [2010-6-3 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100603.005\navex15.sys [2010-6-3 1347504]
R3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [2009-3-31 190080]
R3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [2009-5-4 148096]
S1 a52043ac;a52043ac;c:\windows\system32\drivers\a52043ac.sys --> c:\windows\system32\drivers\a52043ac.sys [?]
S1 fqmxeqzb;fqmxeqzb;\??\c:\windows\system32\drivers\fqmxeqzb.sys --> c:\windows\system32\drivers\fqmxeqzb.sys [?]
S2 ripeelihv;ripeelihv;c:\windows\system32\svchost.exe -k netsvcs [1979-12-31 14336]
S3 CA_LIC_CLNT;CA-License Client;c:\windows\LIC98RMT.exe [2002-9-29 73728]
S3 CA_LIC_SRVR;CA-License Server;c:\windows\LIC98RMTD.exe [2002-9-29 73728]
S3 EraserUtilDrvI9;EraserUtilDrvI9;\??\c:\program files\common files\symantec shared\eengine\eraserutildrvi9.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrvI9.sys [?]
S3 RCSpyDDML;RCSpyDDML;c:\windows\system32\drivers\RCSpyMP.sys [2004-12-6 14336]
S4 RasCheck;RAS Checking Service;c:\windows\system32\rascheck.exe [2006-12-21 57344]

============== File Associations ===============

VBSFile=c:\windows\notepad.exe "%1" %*

=============== Created Last 30 ================

2010-06-03 19:11:26 0 d-----w- c:\program files\Trend Micro
2010-06-03 16:05:05 0 d-----w- d:\docume~1\User~1\applic~1\AT&T
2010-06-03 16:03:51 28288 ----a-w- c:\windows\system32\drivers\swmsflt.sys
2010-06-03 16:00:03 0 d-----w- c:\program files\common files\Motorola Shared
2010-06-03 15:59:14 0 d-----w- c:\program files\common files\Research In Motion
2010-06-03 15:58:26 0 d-----w- d:\docume~1\alluse~1\applic~1\AT&T
2010-06-03 15:58:26 0 d-----w- c:\program files\AT&T
2010-06-03 15:54:28 0 d-----w- d:\docume~1\User~1\applic~1\Sierra Wireless
2010-06-03 15:54:28 0 d-----w- c:\program files\Sierra Wireless Inc
2010-06-03 15:21:17 0 d-----w- c:\windows\SoftwareDistribution.old

==================== Find3M ====================

2010-06-03 20:06:05 512240 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-06-03 20:06:05 38148128 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-01-27 21:22:05 35636 --sha-w- c:\windows\system32\kkQYxGgh.ini2

============= FINISH: 15:39:20.09 ===============


Thank you for helping!
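As an added triage example (not part of the original post and not DDS's own code), the script below parses four lines copied from the log above and flags the entries a responder would look at first: a browser proxy pointed back at the local machine, which is the kind of setting that can redirect browser traffic and break Windows Update; service or driver entries that DDS ends with "[?]" because it had no file information; and a service binary carrying an implausible file date. The regular expressions, the reading of "[?]", and the 1995 date cutoff are my assumptions about the DDS line format, not anything the tool documents.

```python
import re

# Constructed sample: four lines copied from the DDS report above.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
S1 a52043ac;a52043ac;c:\windows\system32\drivers\a52043ac.sys --> c:\windows\system32\drivers\a52043ac.sys [?]
S2 ripeelihv;ripeelihv;c:\windows\system32\svchost.exe -k netsvcs [1979-12-31 14336]
""".strip().splitlines()
# Assumed DDS layout: "<R|S><n> <name>;<display name>;<path> [<yyyy-m-d> <size>]" or "... [?]"
SERVICE_RE = re.compile(r"^(?P<type>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)")
DATE_RE = re.compile(r"\[(\d{4})-\d{1,2}-\d{1,2} \d+\]$")
OLDEST_PLAUSIBLE_YEAR = 1995  # assumed sanity cutoff for a file date on an XP box

def parse_service(line):
    """Split one SERVICES / DRIVERS line into fields; None for any other line."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    date_m = DATE_RE.search(rest)
    return {
        "name": m.group("name"),
        "path": rest,
        "file_missing": rest.endswith("[?]"),  # assumed: DDS writes [?] when it has no file info
        "year": int(date_m.group(1)) if date_m else None,
    }

def triage(lines):
    """Return (line, reason) pairs for entries worth a closer look."""
    findings = []
    for line in lines:
        pm = PROXY_RE.search(line)
        if pm and ("127.0.0.1" in pm.group("value") or "localhost" in pm.group("value")):
            findings.append((line, "browser proxy points at the local machine"))
            continue
        svc = parse_service(line)
        if svc is None:
            continue
        if svc["file_missing"]:
            findings.append((line, "service/driver binary not found on disk"))
        elif svc["year"] is not None and svc["year"] < OLDEST_PLAUSIBLE_YEAR:
            findings.append((line, "implausible file date on service binary"))
    return findings

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```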

#2 extremeboy


Posted 05 June 2010 - 09:42 PM

Hi and welcome.

My name is Extremeboy (or EB for short), and I will be helping you with your log. I apologize for the delay.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a GMER log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or GMER log, please refer to this page, steps #6, #7 and #8, for further instructions on downloading and running DDS & GMER. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-GMER log
-Description of any remaining problems you may still have.


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 extremeboy


Posted 17 June 2010 - 08:27 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy



