Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Backdoor.Tidserv!inf detected by virus scanner

  • This topic is locked This topic is locked
17 replies to this topic

#1 Ozkarian


  • Members
  • 9 posts
  • Local time:08:16 AM

Posted 14 June 2010 - 11:38 AM

Hi, and thanks in advance,
A few days ago I started having problems with extra tabs opening to spam sites in Firefox. At the same time Norton (AV gamer edition) started blocking intrusion attempts.
I was able to find and remove the trojan using Malwarebytes AM, but after the restart Norton reported 'Backdoor.Tidserv!inf detected by virus scanner' and reported 'manual removal required'.
The Symantec help page suggests using my Windows XP CD and Recovery Console to replace the infected file(s); unfortunately I'm a student and don't have my original windows install CDs here with me.
I have way too much music and documents on my hard drive to effectively back it all up and reformat so anything you can do to help me locate and remove the backdoor would be immensely appreciated.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Oscar at 11:28:49.35 on Sun 06/13/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3583.2673 [GMT -7:00]

AV: Norton AntiVirus Gaming Edition *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Norton AntiVirus\Engine\\ccSvcHst.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Norton AntiVirus\Engine\\ccSvcHst.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\mozilla firefox\firefox.exe
C:\Documents and Settings\Oscar\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = http=
uInternet Settings,ProxyOverride = <local>;*.local
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Flash and Media Capture Helper: {e8803722-a7f5-45c5-b39a-a8b244486ec2} - c:\program files\metaproducts flash & media capture\FMCapt.dll
TB: Flash and Media Capture Bar: {650eb965-8a1d-41c9-a941-0578f5cfc569} - c:\program files\metaproducts flash & media capture\FMCapt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [UVS12 Preload] c:\program files\corel\corel videostudio 12\uvPL.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
StartupFolder: c:\docume~1\oscar\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
IE: Save &image with Flash and Media Capture - c:\program files\metaproducts flash & media capture\FMCapt.dll/saveimg.htm
IE: Save &media files with Flash and Media Capture - c:\program files\metaproducts flash & media capture\FMCapt.dll/savemedia.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {F6F76DF4-FD65-4DE7-942F-4BD5DE9B1C6B} - {B3DA38C9-7C7B-4C32-8A65-8745B3B6085E} - c:\program files\metaproducts flash & media capture\FMCapt.dll
Trusted Zone: aol.com\free
Trusted Zone: uoregon.edu\www.cs
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1225386705516
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230018119250
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\oscar\applic~1\mozilla\firefox\profiles\2dkgumc7.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com/
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol308.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-25 64288]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-26 207792]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1008000.029\SymEFA.sys [2010-2-10 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1008000.029\BHDrvx86.sys [2010-2-10 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1008000.029\cchpx86.sys [2010-2-10 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100604.004\IDSXpx86.sys [2010-6-10 331640]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1291544]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\\ccSvcHst.exe [2010-2-10 117640]
R2 tcaicchg;tcaicchg;c:\windows\system32\TCAICCHG.SYS [2000-6-6 21233]
R2 TCAITDI;TCAITDI Protocol;c:\windows\system32\drivers\TCAITDI.SYS [2001-9-3 19534]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-29 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100610.003\NAVENG.SYS [2010-6-10 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100610.003\NAVEX15.SYS [2010-6-10 1347504]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-12-1 119296]
S2 gupdate1ca09b287aaf67c;Google Update Service (gupdate1ca09b287aaf67c);c:\program files\google\update\GoogleUpdate.exe [2009-7-20 133104]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S3 kbeepm;kbeepm;\??\c:\docume~1\oscar\locals~1\temp\kbeepm.sys --> c:\docume~1\oscar\locals~1\temp\kbeepm.sys [?]

=============== Created Last 30 ================

2010-06-13 02:19:04 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-13 02:18:45 0 d--h--w- c:\windows\$hf_mig$
2010-06-12 22:33:47 0 d-sha-r- C:\cmdcons
2010-06-12 22:26:12 98816 ----a-w- c:\windows\sed.exe
2010-06-12 22:26:12 77312 ----a-w- c:\windows\MBR.exe
2010-06-12 22:26:12 256512 ----a-w- c:\windows\PEV.exe
2010-06-12 22:26:12 161792 ----a-w- c:\windows\SWREG.exe
2010-06-12 09:45:29 0 d-----w- c:\docume~1\oscar\applic~1\Malwarebytes
2010-06-12 09:45:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-12 09:45:18 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-12 09:45:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-12 09:45:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-21 05:54:52 0 d--h--w- c:\windows\PIF
2010-05-17 18:08:12 0 d-----w- c:\docume~1\oscar\applic~1\Free Mp3 Wma Ogg Converter

==================== Find3M ====================

2010-05-13 05:27:03 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-08 20:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 20:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-31 01:58:04 133616 ------w- c:\windows\system32\pxafs.dll
2010-03-31 01:58:04 125424 ------w- c:\windows\system32\pxinsi64.exe
2010-03-31 01:58:04 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-03-29 05:19:26 36915 ----a-w- c:\windows\DIIUnin.dat
2010-03-16 23:34:09 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2008-03-03 04:45:06 594432 ----a-w- c:\program files\install.msi
2003-07-17 02:26:58 448640 ----a-w- c:\windows\inf\EL2K_N64.sys
2003-07-17 02:22:10 147328 ----a-w- c:\windows\inf\EL2K_XP.sys
2003-06-03 07:47:54 147328 ----a-w- c:\windows\inf\EL2K_2K.sys

============= FINISH: 11:29:42.23 ===============

Attached Files

BC AdBot (Login to Remove)


#2 Farbar


    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:16 PM

Posted 19 June 2010 - 04:25 AM

Hi Ozkarian,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum and apologies for the delay. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

If the issue is not resolved please update me on the current condition of your computer.

#3 Ozkarian

  • Topic Starter

  • Members
  • 9 posts
  • Local time:08:16 AM

Posted 19 June 2010 - 05:27 PM

Sure, that's no problem.
I'll have to do some word processing but other than that I won't need to add any new programs.

I haven't seen any more spam tabs in Firefox, but the backdoor is still listed as an unresolved security threat in Norton.

Thanks again

#4 Farbar


    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:16 PM

Posted 20 June 2010 - 09:17 AM

It seems Combofix is run. I need to see the ComboFix.txt from the first run. Please copy/paste the log of the first run located at C:\Qoobox\combofixX.txt where X is a number. Please post the log with the highest number.

#5 Ozkarian

  • Topic Starter

  • Members
  • 9 posts
  • Local time:08:16 AM

Posted 20 June 2010 - 03:03 PM

I've attached the highest digit ComboFix txt file.
I also noticed there was a txt file called Quarantined Files and thought that might be important info too so I attached that log as well.
Hope this helps.

Attached Files

#6 Farbar


    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:16 PM

Posted 20 June 2010 - 03:12 PM

Open your Malwarebytes' Anti-Malware.
  • First update it, to do that under the Update tab press "Check for Updates".
  • Under Scanner tab select "Perform Quick Scan", then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the MBAM log.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

#7 Ozkarian

  • Topic Starter

  • Members
  • 9 posts
  • Local time:08:16 AM

Posted 20 June 2010 - 04:31 PM

Malwarebytes reported that it didn't find any malicious objects.
Here's the log file:

Malwarebytes' Anti-Malware 1.46

Database version: 4219

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/20/2010 2:21:24 PM
mbam-log-2010-06-20 (14-21-24).txt

Scan type: Quick scan
Objects scanned: 137069
Time elapsed: 9 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 Farbar


    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:16 PM

Posted 20 June 2010 - 04:38 PM

  1. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:

    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /f
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
    proxycfg -d

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: fix.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate fix.bat on the desktop. It should look like this:
    • In Windows XP: Double-click to run it. In Windows Vista: Right-click to run it as administrator.
    • A window flashes, this is normal.

  2. It is important to uninstall ComboFix.

    Go to Start => Run => copy and paste next command in the field then hit enter:

    ComboFix /Uninstall

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  3. Please run DDS and attach both the logs to your reply.

#9 Ozkarian

  • Topic Starter

  • Members
  • 9 posts
  • Local time:08:16 AM

Posted 20 June 2010 - 05:28 PM

I followed your instructions and the two logs were generated just fine by I now have no internet connectivty.
The wireless signal from the modemis still active because I can access these forums using my phone's wireless.
My computer is not wireless however and connects directly to the modem. Under my network connection details my IP address and subnet mask info is all zeros. I tried repairing the connection and restarting my computer but the address is still listed as invalid.

#10 Farbar


    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:16 PM

Posted 20 June 2010 - 05:39 PM

Do you have a flash drive to transfer the logs?
Also tell me if you have a router and if you have a boadband/cable connection and not a Dial up connection.

If not please do those parts that will be done and leave the others for now. Like the TeaTimer part you can so the first part and lease the ResetTeaTimer.exe part for now.
  1. You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    1. First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instruction is also here: How to disable TeaTimer during HijackThis Cleanup
      Note:If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
    2. Then download ResetTeaTimer.exe to your desktop.
      • Doubleclick ResetTeaTimer.exe and let it run.
    Note: The Teatimer should be kept disabled until I give you the clean sign.

  2. Make sure of the LAN settings:

    In Internet Explorer:

    Go to Tools => Internet Options => click on the Connections tab, then click on LAN Settings. The following items should be unchecked:
    • Automatically detect settings
    • Use a proxy server for your LAN

    In Firefox:

    Open Firefox. Go Tools -> Options -> Advanced -> click on the Network Tab, then click Settings.
    Select the radio button that says No Proxy. Click Ok.

  3. Make sure the following setting is set as it is supposed to be set:
    • Go to Start -> Control Panel -> Double click on Network Connections.
    • Right click on your default connection (usually Local Area Connection) and select Properties.
    • Select the General tab.
    • Double click on Internet Protocol (TCP/IP).
      Under General tab:
      • Select "Obtain an IP address automatically".
      • Select "Obtain DNS server address automatically".
    • Click OK twice to save the settings.
    • Reboot and tell me about your connection.

#11 Ozkarian

  • Topic Starter

  • Members
  • 9 posts
  • Local time:08:16 AM

Posted 20 June 2010 - 06:52 PM

I disabled the tea timer in Spybot tools.
My firefox and newtork settings were just as you described.
I do have a flashdrive but when I tried to use my roomates computer to post the logs and get the resetteattimer.exe,
I discovered the wireless isn't functioning for them either. I tried resetting the router but still have the no connectivity icon in my system tray. I double checked and my phone is running off the cellular signal, not my wireless afterall.

I called my Internet provider but they're closed for the day.

Edited by Ozkarian, 20 June 2010 - 07:01 PM.

#12 Farbar


    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:16 PM

Posted 20 June 2010 - 07:08 PM

Either the router was hijacked or one of the computers were sending span due to infection and in those case the ISP truns off the connection. In the latter case the connection will be restore later on.
  1. Please read this: Malware Silently Alters Wireless Router Settings

  2. Consult this link to find out what is the default username and password of your router and note down them: Route Passwords

  3. Then reset your router to it's factory default settings:

    "If your machine has been infected by one of these Zlob/DNSchanger Trojans, and your router settings have been altered, I would strongly recommend that you reset the router to its default configuration. Usually, this can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds)"

  4. This is the difficult part.
    First get to the routers server. To do that open Internet Explorer and type http:\\ (or the number assigned to your router server) in the address bar and click Enter. You get the log in window.
    Fill in the password you have already found and you will get the configuration page.
    Configure the router to allow you to connect to your ISP server. In some routers it is done by a setup wizard. But you have to fill in the log in password your ISP has initially given to you.
    You can also call your ISP if you don't have your initial password.
    Don't forget to change the routers default password and set a strong password. Note down the password and keep it somewhere for future reference.

#13 Ozkarian

  • Topic Starter

  • Members
  • 9 posts
  • Local time:08:16 AM

Posted 20 June 2010 - 07:22 PM

OK, got my internet connection back and ran the ResetTeaTimer.exe.
Just a small window popped u p and had me press any key, then reported it had finished.
Here are the logs from earlier.

Thanks again

Attached Files

#14 Farbar


    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:16 PM

Posted 20 June 2010 - 07:36 PM

How did you get your connection back?
  1. First Set a New Restore Point then Remove the Old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.

  2. Now run a full scan with Norton and tell me if it found any threads. If yes pleas give the path to the file.

#15 Ozkarian

  • Topic Starter

  • Members
  • 9 posts
  • Local time:08:16 AM

Posted 21 June 2010 - 12:25 AM

Norton did not find any threats this time.
It found a few tracking cookies which it resolved automatically.

I restored the internet connection by powering off my system and resetting the modem(including disconnecting the battery) and then resetting the airport device my roommate uses for the laptop.
At that point the laptop reestablished the connection using its network key. Then I powered my PC up and it detected the network as usual. We changed the password afterward.

I read the article you posted and interestingly enough just before I started having the original problems I had updated my divx player and codecs. I was a little suspicious of the timing then and uninstalled all my divx before I made this post.

Edited by Ozkarian, 21 June 2010 - 12:35 AM.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users