weeb Posted May 3, 2010 ID:243978 Share Posted May 3, 2010 Norton identified the following Trojan horse Backdoor.Tidserv.I!inf which I do not know how to remove. I am having trouble with some occasional pop-ups and something is consuming my Ram memory cache causing the computer to crash when surfing the web. Here is my most recent mbam logMalwarebytes' Anti-Malware 1.46www.malwarebytes.orgDatabase version: 4062Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.187025/3/2010 12:33:31 PMmbam-log-2010-05-03 (12-33-31).txtScan type: Quick scanObjects scanned: 134300Time elapsed: 27 minute(s), 20 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)any help you can provide will be greatly appreciated Link to post Share on other sites More sharing options...
kahdah Posted May 3, 2010 ID:243983 Share Posted May 3, 2010 Hello weebWelcome to Malwarebytes.=====================Please download OTH.scr to your desktop.Download OTL to your desktop.Double click the OTH file and select Kill All Processes, your desktop will go blankThen select Start OTL OTL will now run When the window appears, underneath Output at the top change it to Minimal Output.Under the Standard Registry box change it to All.Under Custom scan's and fixes section paste in the below in boldnetsvcs%SYSTEMDRIVE%\*.exe/md5starteventlog.dllscecli.dllnetlogon.dllcngaudit.dllsceclt.dllntelogon.dlllogevent.dlliaStor.sysnvstor.sysatapi.sysIdeChnDr.sysviasraid.sysAGP440.sysvaxscsi.sysnvatabus.sysviamraid.sysnvata.sysnvgts.sysiastorv.sysViPrt.syseNetHook.dllahcix86.sysKR10N.sysnvstor32.sysahcix86s.sysnvrd32.sys symmpi.sysadp3132.sysmv61xx.sysnvraid.sys /md5stop%systemroot%\*. /mp /sCREATERESTOREPOINT%systemroot%\system32\*.dll /lockedfiles%systemroot%\Tasks\*.job /lockedfiles%systemroot%\system32\drivers\*.sys /lockedfiles%systemroot%\System32\config\*.sav %systemroot%\system32\drivers\*.sys /90Check the boxes beside LOP Check and Purity Check.Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.====================Download the following GMER Rootkit Scanner from HereDownload the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on RunIt may take a minute to load and become available.If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKEDIAT/EATDrives/Partition other than Systemdrive (typically only C:\ should be checked)Show All (don't miss this one)Then click the Scan button & wait for it to finish.Once done click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.Save it where you can easily find it, such as your desktop**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entriesClick OK and quit the GMER program.Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.Post that log in your next reply. Link to post Share on other sites More sharing options...
weeb Posted May 6, 2010 Author ID:245628 Share Posted May 6, 2010 Sorry it has taken me so long to reply. I could not run OTL if I killed all processes first so I ran OTL without killing all processes first. I did not save the first GMR file so I had to run it again. I have attached the files. I am sorry if I have made things more difficult.Extras.TxtOTL.Txtark.txt Link to post Share on other sites More sharing options...
kahdah Posted May 6, 2010 ID:245779 Share Posted May 6, 2010 Looking at your system now, one or more of the identified infections is a backdoor Trojan\Rootkit.If this computer is ever used for on-line banking, I suggest you do the following immediately:1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.====================Download ComboFix from one of these locations:Link 1Link 2* IMPORTANT !!! Save ComboFix.exe to your DesktopDisable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our toolsDouble click on ComboFix.exe & follow the prompts.As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:Click on Yes, to continue scanning for malware.When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Link to post Share on other sites More sharing options...
weeb Posted May 6, 2010 Author ID:245972 Share Posted May 6, 2010 Here is the combo-fix logCombo_fix_log.txt_562010.txt Link to post Share on other sites More sharing options...
kahdah Posted May 7, 2010 ID:246243 Share Posted May 7, 2010 Update Run MalwarebytesPlease update\run Malwarebytes' Anti-Malware.Double Click the Malwarebytes Anti-Malware icon to run the application.Click on the update tab then click on Check for updates.If an update is found, it will download and install the latest version.Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply.Extra Note:If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.=====* Go here to run an online scannner from ESET.Note: You will need to use Internet explorer for this scanTick the box next to YES, I accept the Terms of Use.Click StartWhen asked, allow the activex control to installClick StartCheck next options: Remove found threats and Scan unwanted applications.Click ScanWait for the scan to finishUse notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txtCopy and paste that log as a reply to this topic Link to post Share on other sites More sharing options...
weeb Posted May 7, 2010 Author ID:246376 Share Posted May 7, 2010 Here is my latest mbam and eset logs Malwarebytes' Anti-Malware 1.46www.malwarebytes.orgDatabase version: 4074Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.187025/7/2010 8:29:07 AMmbam-log-2010-05-07 (08-29-07).txtScan type: Quick scanObjects scanned: 132143Time elapsed: 20 minute(s), 43 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\44\5473416c-34c3017e a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantinedC:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\52\e649f74-76bdf991 a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantinedC:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\i8042prt.sys.vir Win32/Patched.EQ trojan deleted - quarantined Link to post Share on other sites More sharing options...
kahdah Posted May 7, 2010 ID:246488 Share Posted May 7, 2010 Looks good let me know of any remaining issues.Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.When the window appears, underneath Output at the top change it to Minimal Output.Under the Standard Registry box change it to All.Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.When the scan completes, it will open one notepad window. OTL.Txt a This is saved in the same location as OTL.Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply. Link to post Share on other sites More sharing options...
weeb Posted May 8, 2010 Author ID:246703 Share Posted May 8, 2010 Every thing seems to be runnning well. I have attached the log you requested. I really appreciate your help. thank you so much.OTL.Txt_05072010.txt Link to post Share on other sites More sharing options...
kahdah Posted May 8, 2010 ID:246709 Share Posted May 8, 2010 You are welcome =======Cleanup======= Click START then RUN Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the Uninstall, it needs to be there.======Next======Double click on OTL to run it.Click on the Cleanup button at the top.You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.This will remove itself and other tools we may have used.======================Clear out infected System Restore points======================Then we need to reset your System Restore points.The link below shows how to do this.How to Turn On and Turn Off System Restore in Windows XPhttp://support.microsoft.com/kb/310405/en-usIf you are using Vista then see this link: http://www.bleepingcomputer.com/tutorials/...143.html#manual Delete\uninstall anything else that we have used that is leftover.=====================================After that your all set. The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.Prevention article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention artice by Miekiemoes. If your computer is slow Is a tutorial on what you can do if your computer is slow.File sharing program dangers Reasons to stay away from File sharing programs for ex: BitTorrent,Limewire,Kazaa,emule,Utorrent,Limewire etc... Link to post Share on other sites More sharing options...
weeb Posted May 8, 2010 Author ID:246807 Share Posted May 8, 2010 I have followed all your instructions. Everything seems to be working well. Once again, I want to thank you for all your help Link to post Share on other sites More sharing options...
kahdah Posted May 8, 2010 ID:246808 Share Posted May 8, 2010 You are welcome Link to post Share on other sites More sharing options...
Maurice Naggar Posted May 8, 2010 ID:246816 Share Posted May 8, 2010 Glad we could help. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts