WiredWX Hobby Weather ToolsLog in

 


Backdoor.Tidserv!inf

2 posters

descriptionBackdoor.Tidserv!inf EmptyBackdoor.Tidserv!inf

more_horiz
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:04 PM, on 12/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Documents and Settings\Kristina\Desktop\winlogon.scr

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://portal.utoronto.ca/webapps/portal/frameset.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557da53-a1e2-488f-be8d-d42e8c4954b2} - (no file)
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [bejemuvage] Rundll32.exe "C:\WINDOWS\system32\yosohede.dll",s
O4 - HKLM\..\Run: [b40d3049] rundll32.exe "C:\WINDOWS\system32\jurekogi.dll",b
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: McAfee Security Scan.lnk = ?
O4 - Global Startup: Post-it®️ Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - https://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://glamour52queen.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - https://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - https://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/windows/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170087512609
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://glamour52queen.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL c:\windows\system32\niwalezu.dll c:\windows\system32\bepimagi.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 17455 bytes

descriptionBackdoor.Tidserv!inf EmptyRe: Backdoor.Tidserv!inf

more_horiz
Hi! Yesterday when I turned on my computer, symantec came up telling me I had this virus and that it was unable to delete, quarantine, etc and the only action that could be taken was to leave it alone. However, it keeps popping up every 1-2min, and the list keeps building saying the same thing over and over again. It's making my computer run really slowly and I am afraid it might do something to it, even though when I googled it, it said it was a low-risk threat.

I found where the file is located ( C:\WINDOWS\system32\drivers\atapi.sys) but I don't want to delete/touch anything since I really don't know what I am doing. Also, I saw you have solved the same problem before at one point, but I don't know whether to follow that solution or not, so I decided to post.

I would really appreciate it if you could help me! If I should just follow the solution of the other person (http://www.geekpolice.net/virus-spyware-malware-removal-f11/nortons-found-backdoortidservinf-t4200.htm#19678), then just say the word!

Thank you!!

descriptionBackdoor.Tidserv!inf EmptyRe: Backdoor.Tidserv!inf

more_horiz
Also, I just saw that the instructions were specifically for that particular user so I guess I shall wait for your reply Smile...

Once again, thank you very much for any help you might give me!

descriptionBackdoor.Tidserv!inf EmptyRe: Backdoor.Tidserv!inf

more_horiz
Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    Backdoor.Tidserv!inf CF_download_FF

    Backdoor.Tidserv!inf CF_download_rename

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    Backdoor.Tidserv!inf Cf410

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    Backdoor.Tidserv!inf Cf510

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

descriptionBackdoor.Tidserv!inf EmptyRe: Backdoor.Tidserv!inf

more_horiz
Thank you for your response. Sorry it took me so long to run this. Here is the log I got from Combo-fix.

Also, should I do anything else now?
My symantec seems to have de-disabled itself. I also had spybot SD but to be honest, I didn't even know it was there until I followed the instructions to disable stuff. It's not there anymore, so should I re-enable it and if so, where can I find it?

Thanks again for all you help!!

ComboFix 09-12-11.05 - Kristina 12/13/2009 0:59.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.319 [GMT -5:00]
Running from: c:\documents and settings\Kristina\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\abuzamut.ini
c:\windows\system32\ajotoses.ini
c:\windows\system32\asiteres.ini
c:\windows\system32\edahiros.ini
c:\windows\system32\efugokos.ini
c:\windows\system32\emefisis.ini
c:\windows\system32\etiyenow.ini
c:\windows\system32\fabuyoju.dll
c:\windows\system32\fodawago.dll
c:\windows\system32\ifobehel.ini
c:\windows\system32\igokeruj.ini
c:\windows\system32\igukofem.ini
c:\windows\system32\ijutasay.ini
c:\windows\system32\iyayikay.ini
c:\windows\system32\iyezuvag.ini
c:\windows\system32\jimikesu.dll
c:\windows\system32\jofahapi.dll
c:\windows\system32\kejefuru.dll
c:\windows\system32\ligalijo.dll
c:\windows\system32\medilile.dll
c:\windows\system32\mefokugi.dll
c:\windows\system32\memezori.dll
c:\windows\system32\mubodigi.dll
c:\windows\system32\nakonaze.dll
c:\windows\system32\ofosojay.ini
c:\windows\system32\ohujabot.ini
c:\windows\system32\sokodewu.dll
c:\windows\system32\sorihade.dll
c:\windows\system32\ujoyubaf.ini
c:\windows\system32\upufosad.ini
c:\windows\system32\usekimij.ini
c:\windows\system32\woneyite.dll
c:\windows\system32\yasatuji.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-13 to 2009-12-13 )))))))))))))))))))))))))))))))
.

2009-12-12 03:12 . 2009-12-12 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-12-12 03:11 . 2009-12-12 03:11 -------- d-----w- c:\program files\McAfee Security Scan
2009-12-12 02:51 . 2009-12-12 02:55 -------- d-----w- c:\documents and settings\Kristina\.SunDownloadManager
2009-11-21 05:38 . 2009-11-21 05:38 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-21 05:37 . 2009-11-21 05:37 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2009-11-21 05:36 . 2009-11-21 05:36 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-11-21 05:35 . 2006-11-29 18:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-11-21 05:34 . 2009-11-21 05:34 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-11-21 05:28 . 2009-11-21 05:37 -------- d-----w- c:\program files\Microsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-13 05:51 . 2008-01-07 01:31 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-12 03:25 . 2009-06-14 03:41 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-12 03:18 . 2006-09-05 21:33 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-12 03:13 . 2009-06-14 03:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-12 03:09 . 2009-06-14 03:41 -------- d-----w- c:\program files\NOS
2009-12-12 02:57 . 2006-08-24 09:31 -------- d-----w- c:\program files\Java
2009-12-02 00:43 . 2009-12-12 03:09 34496 ----a-w- c:\documents and settings\Kristina\Application Data\Mozilla\Firefox\Profiles\3s6t1t3y.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-12-02 00:43 . 2009-12-12 03:09 25936 ----a-w- c:\documents and settings\Kristina\Application Data\Mozilla\Firefox\Profiles\3s6t1t3y.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-12-01 03:25 . 2007-09-15 20:34 130958 ----a-w- c:\windows\hpoins12.dat
2009-11-26 03:40 . 2008-05-04 22:55 -------- d-----w- c:\documents and settings\Kristina\Application Data\uTorrent
2009-11-21 05:37 . 2008-03-10 03:29 -------- d-----w- c:\program files\Windows Live
2009-11-20 11:08 . 2009-06-14 03:43 38784 ----a-w- c:\documents and settings\Kristina\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-16 03:25 . 2007-09-15 21:04 -------- d-----w- c:\documents and settings\Kristina\Application Data\Image Zone Express
2007-10-12 18:22 . 2007-10-12 18:22 5258907 ----a-w- c:\program files\ApexDC++_1.0.0_Beta4_setup.exe
2009-05-27 04:24 . 2006-09-02 00:42 56 -csh--r- c:\windows\system32\C25B9998A4.sys
2008-09-04 05:21 . 2008-09-04 05:21 64053 --sha-w- c:\windows\system32\fatalofi.dll.tmp
2008-09-04 05:21 . 2008-09-04 05:21 64053 --sha-w- c:\windows\system32\fetolabo.dll.tmp
2008-09-02 17:23 . 2008-09-02 17:23 64052 --sha-w- c:\windows\system32\fivajubu.dll.tmp
2008-08-25 18:34 . 2008-08-25 18:34 61952 --sha-w- c:\windows\system32\gikosiha.dll.tmp
2008-08-25 18:34 . 2008-08-25 18:34 61952 --sha-w- c:\windows\system32\gopafusa.dll.tmp
2009-05-27 04:24 . 2006-09-02 00:42 1786 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-09-04 16:41 . 2008-09-04 16:41 64565 --sha-w- c:\windows\system32\lawariko.dll.tmp
2008-09-06 00:39 . 2008-09-06 00:39 64586 --sha-w- c:\windows\system32\mehuyilu.dll.tmp
2008-08-25 18:34 . 2008-08-25 18:34 61952 --sha-w- c:\windows\system32\muyinepa.dll.tmp
2008-09-02 17:23 . 2008-09-02 17:23 64052 --sha-w- c:\windows\system32\nuvameje.dll.tmp
2008-09-06 00:39 . 2008-09-06 00:39 64586 --sha-w- c:\windows\system32\pabozoje.dll.tmp
2008-09-06 00:39 . 2008-09-06 00:39 64586 --sha-w- c:\windows\system32\serorezu.dll.tmp
2008-09-04 16:41 . 2008-09-04 16:41 64565 --sha-w- c:\windows\system32\suzezufu.dll.tmp
2008-09-04 05:21 . 2008-09-04 05:21 64053 --sha-w- c:\windows\system32\zumupobi.dll.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-03-07 3558136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2006-11-07 1121280]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"VirusScan Online"="c:\program files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 163840]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 1005096]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-24 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]
Post-itr Software Notes Lite.lnk - c:\program files\3M\PSNLite\PsnLite.exe [2004-10-15 2080768]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2004-12-14 06:12 483328 -c--a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-08-22 14:52 94208 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2006-04-06 19:58 1032192 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 08:12 94208 -c--a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2006-08-24 09:49 169984 -c--a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 21:40 155648 -c--a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2004-04-12 01:15 290816 -c----w- c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 20:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-08-24 09:40 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-03-24 21:30 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-11-09 20:07 49263 -c--a-w- c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-03-08 16:48 761947 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ApexDC++\\ApexDC.exe"=
"c:\\Program Files\\McAfee.com\\Shared\\mghtml.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Symantec AntiVirus\\VPTray.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\ZCfgSvc.exe"=
"c:\\Program Files\\McAfee.com\\Personal Firewall\\MpfAgent.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\iFrmewrk.exe"=
"c:\\Program Files\\Dell\\QuickSet\\quickset.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\SPBBC\\SPBBCSvc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/1/2009 7:43 AM 102448]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
------- Supplementary Scan -------
.
uStart Page = https://portal.utoronto.ca/webapps/portal/frameset.jsp
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kristina\Application Data\Mozilla\Firefox\Profiles\3s6t1t3y.default\
FF - prefs.js: browser.startup.homepage - hxxps://portal.utoronto.ca/webapps/portal/frameset.jsp
FF - plugin: c:\documents and settings\Kristina\Application Data\Mozilla\Firefox\Profiles\3s6t1t3y.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{1557da53-a1e2-488f-be8d-d42e8c4954b2} - (no file)
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
HKLM-Run-bejemuvage - c:\windows\system32\yosohede.dll
HKLM-Run-b40d3049 - c:\windows\system32\jurekogi.dll
AddRemove-HijackThis - c:\documents and settings\Kristina\Desktop\HijackThis.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-13 01:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-12-13 01:20:20
ComboFix-quarantined-files.txt 2009-12-13 06:20

Pre-Run: 7,491,411,968 bytes free
Post-Run: 8,106,889,216 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 259C8E671584817829838298F17F3BA9

descriptionBackdoor.Tidserv!inf EmptyRe: Backdoor.Tidserv!inf

more_horiz
Also, if it was successful, what should I do with hijackthis and Combo-Fix? Should I delete them?

descriptionBackdoor.Tidserv!inf EmptyRe: Backdoor.Tidserv!inf

more_horiz
Hello.
Not just yet.

Please download the OTMoveIt by OldTimer.

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    c:\windows\system32\fatalofi.dll.tmp
    c:\windows\system32\fetolabo.dll.tmp
    c:\windows\system32\fivajubu.dll.tmp
    c:\windows\system32\gikosiha.dll.tmp
    c:\windows\system32\gopafusa.dll.tmp
    c:\windows\system32\KGyGaAvL.sys
    c:\windows\system32\lawariko.dll.tmp
    c:\windows\system32\mehuyilu.dll.tmp
    c:\windows\system32\muyinepa.dll.tmp
    c:\windows\system32\nuvameje.dll.tmp
    c:\windows\system32\pabozoje.dll.tmp
    c:\windows\system32\serorezu.dll.tmp
    c:\windows\system32\suzezufu.dll.tmp
    c:\windows\system32\zumupobi.dll.tmp


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

descriptionBackdoor.Tidserv!inf EmptyRe: Backdoor.Tidserv!inf

more_horiz
Here it is:
Also, before and after reboot, auto protect came up several times to tell me: Trojan.Vundo was found.
It says it's been cleaned and access allowed, and several times, over and over again.


========== FILES ==========
File move failed. c:\windows\system32\fatalofi.dll.tmp scheduled to be moved on reboot.
File move failed. c:\windows\system32\fetolabo.dll.tmp scheduled to be moved on reboot.
File move failed. c:\windows\system32\fivajubu.dll.tmp scheduled to be moved on reboot.
File move failed. c:\windows\system32\gikosiha.dll.tmp scheduled to be moved on reboot.
File move failed. c:\windows\system32\gopafusa.dll.tmp scheduled to be moved on reboot.
c:\windows\system32\KGyGaAvL.sys moved successfully.
File move failed. c:\windows\system32\lawariko.dll.tmp scheduled to be moved on reboot.
File move failed. c:\windows\system32\mehuyilu.dll.tmp scheduled to be moved on reboot.
File move failed. c:\windows\system32\muyinepa.dll.tmp scheduled to be moved on reboot.
File move failed. c:\windows\system32\nuvameje.dll.tmp scheduled to be moved on reboot.
File move failed. c:\windows\system32\pabozoje.dll.tmp scheduled to be moved on reboot.
File move failed. c:\windows\system32\serorezu.dll.tmp scheduled to be moved on reboot.
File move failed. c:\windows\system32\suzezufu.dll.tmp scheduled to be moved on reboot.
File move failed. c:\windows\system32\zumupobi.dll.tmp scheduled to be moved on reboot.

OTM by OldTimer - Version 3.1.2.2 log created on 12132009_214951

Files moved on Reboot...
File c:\windows\system32\fatalofi.dll.tmp not found!
File c:\windows\system32\fetolabo.dll.tmp not found!
File c:\windows\system32\fivajubu.dll.tmp not found!
File c:\windows\system32\gikosiha.dll.tmp not found!
File c:\windows\system32\gopafusa.dll.tmp not found!
File c:\windows\system32\lawariko.dll.tmp not found!
File c:\windows\system32\mehuyilu.dll.tmp not found!
File c:\windows\system32\muyinepa.dll.tmp not found!
File c:\windows\system32\nuvameje.dll.tmp not found!
File c:\windows\system32\pabozoje.dll.tmp not found!
File c:\windows\system32\serorezu.dll.tmp not found!
File c:\windows\system32\suzezufu.dll.tmp not found!
File c:\windows\system32\zumupobi.dll.tmp not found!

Registry entries deleted on Reboot...

descriptionBackdoor.Tidserv!inf EmptyRe: Backdoor.Tidserv!inf

more_horiz
Hi, it's back!

Symantec showed the same msg as before:

Scan type: Auto-Protect Scan
Event: Risk Found!
Risk: Backdoor.Tidserv!inf
File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP764\A0130353.sys
Location: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP764
Computer: KRYSTAL
User: KRYSTAL\SYSTEM
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Monday, December 14, 2009 12:20:49 AM

descriptionBackdoor.Tidserv!inf EmptyRe: Backdoor.Tidserv!inf

more_horiz
Don't worry about that, they will be removed at the end.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?

descriptionBackdoor.Tidserv!inf EmptyRe: Backdoor.Tidserv!inf

more_horiz
Hi! I uninstalled combo-fix! Everything seems to be fine, it's not slow and nothing has popped up at all. I would say it's like nothing ever happened!

Does this mean it's all fixed?

I checked back into C:\WINDOWS\system32\drivers\atapi.sys which it originally said the problem was, and the atapi.sys file is still there, but I don't know whether it should or shouldn't be, or what it is so I'm assuming since nothing is popping up, it's fine now?

Thanks Big Grin:D

descriptionBackdoor.Tidserv!inf EmptyRe: Backdoor.Tidserv!inf

more_horiz
Hello.

DO NOT delete atapi.sys, it's an essential Windows component file. [Not that you could delete easily, it's protected by Windows]

This should be fine now.

descriptionBackdoor.Tidserv!inf EmptyRe: Backdoor.Tidserv!inf

more_horiz
Ok, thanks Smile...

So should I delete hijackthis and otm?

descriptionBackdoor.Tidserv!inf EmptyRe: Backdoor.Tidserv!inf

more_horiz
Yes, delete those.

descriptionBackdoor.Tidserv!inf EmptyRe: Backdoor.Tidserv!inf

more_horiz
thanks again!!!

descriptionBackdoor.Tidserv!inf EmptyRe: Backdoor.Tidserv!inf

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum