Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Backdoor.tidserv virus

  • This topic is locked This topic is locked
2 replies to this topic

#1 Oncoming


  • Members
  • 1 posts
  • Local time:03:13 PM

Posted 27 October 2010 - 04:36 AM

Hello. Recently I was browsing the internet, when google chrome popped up a security alert and a download confirmation window. Moments later, a blank windows media player screen appeared. I quickly told chrome to discard the download, and shut off the browser. After this nothing adverse happened, and I assumed that the download had been prevented. But when I turned my computer back on the next day, several warning messages appeared. The first was from my symantec antivirus, telling me it could no longer scan my email because my network was configured incorrectly. This appeared twice. Then, more worryingly, another appeared from windows claiming that a vital system file had been replaced by an unknown version and that I should reinsert my windows XP disc. I dont have this disk, and my computer has no CD drive anyway, so I got rid of the window. Then Symantec appeared again, informing me of an infection called "Backdoor.tidserv" residing in C:WINDOWS\System32\drivers\ipsec.sys\, and that attempted cleans and quarantines had both failed. I tried open Google Chrome to look for malware solutions, but it raised "google chrome has encountered a problem and needs to close" message, and then symantec started listing an unidentified web browser as an infection, and confirmed a successful delete of it. I scanned my computer with DDS, and it gave me this readout.

DDS (Ver_10-10-21.02) - NTFSx86 NETWORK
Run by fit0002 at 20:17:13.56 on Wed 27/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1014.610 [GMT 11:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Windows SteadyState\SCTSvc.exe
C:\Program Files\Symantec AntiVirus\VPC32.exe
D:\Documents and Settings\Studenttest\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\Studenttest\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\Studenttest\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\Studenttest\Desktop\dds (1).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au
uInternet Connection Wizard,ShellNext = https://portal.unihigh.vic.edu.au/
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SMTTB2009 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\hypercam toolbar\tbcore3.dll
TB: HyperCam Toolbar: {338b4dfe-2e2c-4338-9e41-e176d497299e} - c:\program files\hypercam toolbar\tbcore3.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "d:\documents and settings\studenttest\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000
uRun: [Registry Helper] "c:\program files\registry helper\RegistryHelper.Exe" /boot
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [EnergyUtility] c:\program files\lenovo\energy management\utility.exe
mRun: [Energy Management] c:\program files\lenovo\energy management\Energy Management.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [PaperCut MF Client] "c:\program files\papercut mf client\pc-client.exe" /silent
mRun: [Bubble] c:\program files\windows steadystate\Bubble.exe
mRun: [Logoff] c:\program files\windows steadystate\SCTUINotify.exe
mRun: [PWRISOVM.EXE] d:\documents and settings\studenttest\desktop\do not press!\rome total war\poweriso\PWRISOVM.EXE
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRunOnce: [WIAWizardMenu] RUNDLL32.EXE c:\windows\system32\sti_ci.dll,WiaCreateWizardMenu
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: d:\docume~1\studen~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\lenovo\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tuhsla~1.lnk - c:\program files\tuhsstartup\TUHSlaptop.vbs
uPolicies-explorer: ForceStartMenuLogoff = 2 (0x2)
uPolicies-explorer: NoExpandedNewMenu = 0 (0x0)
uPolicies-explorer: Btn_Search = 2 (0x2)
uPolicies-explorer: Btn_Folders = 2 (0x2)
uPolicies-explorer: Btn_Edit = 2 (0x2)
uPolicies-explorer: Btn_Discussions = 2 (0x2)
uPolicies-explorer: Btn_Print = 2 (0x2)
uPolicies-explorer: NoFavoritesMenu = 1 (0x1)
uPolicies-explorer: NoCommonGroups = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: SpecifyDefaultButtons = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: HideFastUserSwitching = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\lenovo\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\lenovo\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\lenovo\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: adobe.com
Trusted Zone: apple.com
Trusted Zone: google.com
Trusted Zone: google.com.au
Trusted Zone: java.com
Trusted Zone: microsoft.com
Trusted Zone: msn.com
Trusted Zone: vic.edu.au\*.unihigh
Trusted Zone: vic.gov.au\*.education
Trusted Zone: vic.gov.au\*.edumail
Trusted Zone: vic.gov.au\*.eduweb
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\studen~1\applic~1\mozilla\firefox\profiles\5zpjkicd.default\
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
FF - plugin: d:\documents and settings\studenttest\local settings\application data\google\update\\npGoogleOneClick8.dll
FF - plugin: d:\documents and settings\studenttest\local settings\application data\robloxversions\version-b5dc796702a14251\nproblox.dll
FF - plugin: d:\documents and settings\studenttest\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 FixTDSS;TDSS Fixtool driver;c:\windows\system32\drivers\FixTDSS.sys [2010-10-26 18680]
R2 Windows SteadyState;Windows SteadyState Service;c:\program files\windows steadystate\SCTSvc.exe [2008-5-30 115728]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [2010-2-2 9472]
S1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2008-5-28 337280]
S1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2008-5-28 54656]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2008-6-24 191848]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2008-6-24 169320]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 DvmMDES;DeviceVM Meta Data Export Service;c:\qstart.sys\config\DVMExportService.exe [2009-3-26 315392]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-23 136176]
S2 Registry Helper Service;Registry Helper Service;c:\program files\registry helper\RegistryHelperService.exe [2010-7-20 83328]
S2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2008-9-30 116664]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2008-9-30 1956792]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-2-2 1691480]
S3 bpenum;Intel® WiMAX Link Enumerator;c:\windows\system32\drivers\bpenum.sys [2009-2-1 163840]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-8-13 102448]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100812.002\naveng.sys [2010-8-13 85424]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100812.002\navex15.sys [2010-8-13 1362608]
S3 usbsmi;Lenovo EasyCamera;c:\windows\system32\drivers\SMIksdrv.sys [2010-2-2 169216]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-10-26 11:13:27 -------- d-----w- d:\docume~1\studen~1\applic~1\FixTDSS
2010-10-26 11:13:25 18680 ----a-w- c:\windows\system32\drivers\FixTDSS.sys
2010-10-26 07:41:22 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-10-26 07:41:22 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-26 07:36:04 -------- d-----w- c:\program files\Bonjour
2010-10-25 05:19:52 0 ----a-w- d:\documents and settings\studenttest\.uc-d1bff469f0df033891be38972544e56e.fit0002.nb-s102-0111.tmp
2010-10-18 08:05:17 -------- d-----w- c:\program files\McAfee Security Scan
2010-10-13 11:02:05 -------- d-----w- c:\program files\Bonjour(2)

==================== Find3M ====================

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-09 19:15:58 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-08-09 19:15:58 69632 ----a-w- c:\windows\system32\QuickTime.qts
2003-05-02 14:02:14 763904 ----a-w- c:\program files\Stop Motion Animator.exe

============= FINISH: 20:18:04.29 ===============

I don't know what it means, but I hope someone else can help me. Thanks.

BC AdBot (Login to Remove)


#2 myrti



  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:10:13 PM

Posted 05 November 2010 - 08:12 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


Follow BleepingComputer on: Facebook | Twitter | Google+

#3 myrti



  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:10:13 PM

Posted 15 November 2010 - 06:27 AM

Since it has gone stale, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


Follow BleepingComputer on: Facebook | Twitter | Google+

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users