backdoor.tidserv!inf infection


spek
The system is infected with backdoor.tidserv!inf. Symantec caught it and stated that it removed it, but I am still getting issues such as crazy pop-ups and the system freezes. Below is the dds.txt, and I have also attached the other two logs and the latest MBAM result as you suggested:

DDS (Ver_09-12-01.01) - NTFSx86

Run by 2877admin at 9:48:52.32 on Tue 01/26/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1128 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: McAfee Host Intrusion Prevention Firewall *disabled* {2F1275E3-2F4F-43E9-944B-3F63F9BDA5F5}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\ActivIdentity\ActivClient\accoca.exe

C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\Audit Manager\AuditManagerService.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\WINDOWS\system32\mfevtps.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\Program Files\Dantz\Client\Remotsvc.exe

C:\Program Files\Dantz\Client\retroclient.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\Intel\WiFi\bin\WLKeeper.exe

C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe

C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe

C:\Program Files\ActivIdentity\ActivClient\acevents.exe

C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe

C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\McAfee\Common Framework\udaterui.exe

C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe

C:\Program Files\McAfee\Policy Auditor Agent\PASysTray.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe

C:\Program Files\ActivIdentity\ActivClient\acsagent.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\SymCorpUI.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"

mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"

mRun: [iTSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START

mRun: [intelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey

mRun: [McAfee Host Intrusion Prevention Tray] "c:\program files\mcafee\host intrusion prevention\FireTray.exe"

mRun: [McAfee Policy Auditor Tray Icon] "c:\program files\mcafee\policy auditor agent\PASysTray.exe"

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\activc~1.lnk - c:\program files\actividentity\activclient\acsagent.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{a7091e1d-36a4-47f1-a739-173cc341414f}\Icon3E5562ED7.ico

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238707288109

DPF: {66D845A0-C3BB-45AD-807C-9BFEAF20EF2C} - hxxps://ocs.spawar.navy.mil/content/static/ecm/activex/Enable_Edit_In_Place.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1238762297339&h=70fd89b0bfddd98990fbb5f36ca17ed0/&filename=jinstall-6u13-windows-i586-jc.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab

Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\progra~1\common~1\sapsha~1\system\SAPHTMLP.DLL

Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\progra~1\common~1\sapsha~1\system\SAPHTMLP.DLL

Notify: ackpbsc - c:\windows\system32\ackpbsc.dll

Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-12-22 342672]

R2 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2008-5-13 198184]

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2007-6-20 79168]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-11-23 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-11-23 108392]

R2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\mcafee\host intrusion prevention\FireSvc.exe [2009-6-25 1489984]

R2 McAfeeAuditManager;McAfee Audit Manager Service;c:\program files\mcafee\audit manager\AuditManagerService.exe [2009-4-15 151552]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-3-10 103744]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-12-22 70728]

R2 Retrospect Client;Retrospect Client;c:\program files\dantz\client\RemotSvc.exe [2009-4-3 53248]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-11-23 2477304]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-12-22 102448]

R3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [2009-12-22 44680]

R3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [2009-12-22 110384]

R3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [2009-12-22 38200]

R3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [2009-12-22 35584]

R3 hips;McAfee HIPSCore Service;c:\program files\mcafee\host intrusion prevention\hipscore\HIPSvc.exe [2009-12-22 35696]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100125.051\NAVENG.SYS [2010-1-26 84912]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100125.051\NAVEX15.SYS [2010-1-26 1323568]

S3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\drivers\firehk.sys [2009-12-22 44680]

S3 FVWNBDVAN;FVWNBDVAN;c:\docume~1\admini~1\locals~1\temp\FVWNBDVAN.exe [2010-1-25 383872]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]

=============== Created Last 30 ================

2010-01-26 14:47:38 0 ----a-w- c:\documents and settings\administrator\defogger_reenable

2010-01-26 14:39:22 39766 ----a-w- c:\windows\system32\api_hook_list.dat

2010-01-26 14:31:38 39816 ----a-w- c:\windows\system32\HIPIS0e011aa.dll

2010-01-26 13:53:34 0 d-----w- c:\program files\Trend Micro

2010-01-26 12:29:01 0 d-----w- c:\docume~1\admini~1\applic~1\IObit

2010-01-26 12:15:17 0 d-----w- c:\program files\IObit

2010-01-25 21:18:16 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes

2010-01-25 21:18:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-25 21:18:10 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-25 21:18:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-01-25 21:18:09 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-25 18:11:13 0 d-----w- c:\windows\pss

2010-01-25 11:53:28 617472 ----a-w- c:\windows\system32\advapi32.dll

2010-01-18 19:25:35 541184 ----a-w- C:\Slide for Bruce.ppt

2010-01-01 22:11:20 5358080 ----a-w- C:\7%.pps

2009-12-31 19:28:23 0 d-----w- C:\MDT

==================== Find3M ====================

2010-01-25 16:55:17 114371 ----a-w- c:\windows\system32\nvModes.dat

2010-01-14 16:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe

2009-12-22 17:58:17 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2009-12-22 17:58:17 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2009-12-22 17:58:17 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2009-12-22 17:58:17 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2009-11-23 18:30:12 89600 ----a-w- c:\windows\system32\atl71.dll

2009-11-23 18:30:12 87368 ----a-w- c:\windows\system32\FwsVpn.dll

2009-11-23 18:30:12 625032 ----a-w- c:\windows\system32\SymNeti.dll

2009-11-23 18:30:12 242056 ----a-w- c:\windows\system32\SymRedir.dll

2009-11-23 18:30:12 107848 ----a-w- c:\windows\system32\SymVPN.dll

2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll

2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll

============= FINISH: 9:50:41.57 ===============

Thank you for any assistance with this!

ark.zip

mbam_log_2010_01_26__09_26_07_.txt
