Backdoor.tidserv!inf -- Big Trouble


Re: Backdoor.tidserv!inf -- Big Trouble

Ok, I think I found it (different path---documents and settings\kevin klein\local settings\temp)

All I see are files that begin with DF...

Re: Backdoor.tidserv!inf -- Big Trouble

Yup, I see them--I think this one is gone--like I said, I see files in there--but all begin with DF. Nothing in there looking like tdssde33.tmp

Re: Backdoor.tidserv!inf -- Big Trouble

Would it be wise for me to now enable system restore (I disabled it before running the Norton System scan)?

Re: Backdoor.tidserv!inf -- Big Trouble

Ah, good. The tdss file is gone. Smile...
Yes, you can enable it, this will also create a new restore point for you.

Rehide your hidden files by doing this.

Reconfigure Windows XP to hide hidden files:

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.

    Under the Hidden files and folders heading select "Do not show hidden files and folders".
  • Press the "Apply to all folders" button.
  • Click Yes to confirm. Click OK.


What problems remain?

Re: Backdoor.tidserv!inf -- Big Trouble

Good question. I'll run another full system scan and see if anything pops up. But you have been an INCREDIBLE HELP--and I Thank You!

So in the end--what sort of garbage did I pick up on my PC?

Re: Backdoor.tidserv!inf -- Big Trouble

Luckily, the full tdssserv rootkit didn't get onto your machine, just a temp file of it.
I have to get offline now. If Norton picks up the bloodhound exploit, don't worry, it's not a major issue.

I'll probably be offline by the time Norton is done, so just post here and I'll see it tomorrow night. Smile...

Re: Backdoor.tidserv!inf -- Big Trouble

Thanks again--any reason for an additional Hijack This log? Or am I more or less in the clear?

Much gratitude!

Re: Backdoor.tidserv!inf -- Big Trouble

Nope, your last log was clean. Smile...

Re: Backdoor.tidserv!inf -- Big Trouble

Norton scan was clean--however I noticed these problems are now in quarantine--any need to delete them? They each indicate files and registry locations of affected areas. Are these files and registry entries still potentially problematic? Would it be helpful for you to see them?

I'll now reboot and turn system restore back on.

Re: Backdoor.tidserv!inf -- Big Trouble

One more thing (sorry)--
In following the paths of the above file and registry locations (of my quarantined items) I did happen to come across a few more tdss files (in Windows\System32\ ). Are these TDSS files a threat? I have 3 of them in this folder. Anywhere else I ought to check?

Thanks--

Re: Backdoor.tidserv!inf -- Big Trouble

As follows:

At C:\WINDOWS\SYSTEM32 --

TDSSdxcp.dll
TDSSkkai
TDSSmtve

at Documents and Settings\Kevin Klein
TDSSkkai

Re: Backdoor.tidserv!inf -- Big Trouble

Hello.
Just leftovers of the rootkit; the main driver for them isn't present, otherwise you'd have more problems. Smile...


  • Download combofix from here, use the top links - combofix.exe
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    (screenshot: RcAuto1)

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt that asks if you want to continue the malware scan; select yes

    (screenshot: Whatnext)

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: Backdoor.tidserv!inf -- Big Trouble

I seem to be having trouble with ComboFix--but trying here...
So I DID have the rootkit after all? Perhaps Norton got rid of it before it showed up in the HijackThis log??

Re: Backdoor.tidserv!inf -- Big Trouble

ComboFix is nearly done (preparing a log), but it just occurred to me that I had already turned system restore back on and enabled TeaTimer--

Will this interfere with ComboFix??

Re: Backdoor.tidserv!inf -- Big Trouble

Combofix log as follows:

ComboFix 08-11-24.03 - Kevin Klein 2008-11-25 9:02:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.191 [GMT -6:00]
Running from: c:\documents and settings\Kevin Klein\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-10-25 to 2008-11-25 )))))))))))))))))))))))))))))))
.

2008-11-24 23:02 . 2008-11-24 23:02 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-24 23:02 . 2008-11-24 23:02 d-------- c:\documents and settings\Kevin Klein\Application Data\Malwarebytes
2008-11-24 23:02 . 2008-11-24 23:02 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-24 23:02 . 2008-10-22 16:10 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-11-24 23:02 . 2008-10-22 16:10 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-11-24 21:22 . 2008-11-24 21:25 d-------- c:\windows\LastGood.Tmp
2008-11-24 18:59 . 2008-11-24 18:58 410,976 --a------ c:\windows\SYSTEM32\deploytk.dll
2008-11-24 18:59 . 2008-11-24 18:58 73,728 --a------ c:\windows\SYSTEM32\javacpl.cpl
2008-11-12 21:29 . 2008-10-24 05:21 455,296 --------- c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-11-12 21:27 . 2008-09-04 11:15 1,106,944 --------- c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
2008-11-10 15:41 . 2008-11-10 15:55 d-------- c:\program files\DivX
2008-10-29 20:13 . 2008-10-29 20:13 d-------- c:\program files\Windows Media Connect 2
2008-10-29 20:10 . 2008-10-29 20:10 d-------- c:\windows\SYSTEM32\LogFiles
2008-10-29 20:10 . 2008-10-29 20:11 d-------- c:\windows\SYSTEM32\DRIVERS\UMDF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-25 15:08 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-25 14:58 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-25 03:08 --------- d-----w c:\program files\Norton SystemWorks
2008-11-25 01:02 --------- d-----w c:\program files\Java
2008-11-24 22:10 --------- d-----w c:\program files\Privacy Guardian
2008-11-17 13:08 --------- d-----w c:\program files\Norton Personal Firewall
2008-11-13 05:43 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-20 02:44 --------- d-----w c:\program files\FinePixViewer
2008-10-16 20:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\SYSTEM32\DLLCACHE\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\SYSTEM32\DLLCACHE\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
2008-10-15 16:34 337,408 ------w c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-13 18:06 --------- d-----w c:\program files\WinAce
2008-10-03 17:41 6,066,176 ------w c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
2008-09-25 08:03 161,096 ----a-w c:\windows\SYSTEM32\DivXCodecVersionChecker.exe
2008-09-23 23:46 245,408 ----a-w c:\windows\SYSTEM32\unicows.dll
2008-09-19 21:57 120,056 ------w c:\windows\SYSTEM32\pxcpyi64.exe
2008-09-19 21:57 118,520 ------w c:\windows\SYSTEM32\pxinsi64.exe
2008-09-15 12:12 1,846,400 ----a-w c:\windows\SYSTEM32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\SYSTEM32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\SYSTEM32\DLLCACHE\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-09-04 17:15 1,106,944 ----a-w c:\windows\SYSTEM32\msxml3.dll
2008-08-27 08:24 3,593,216 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-08-25 08:38 13,824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2008-08-25 08:37 70,656 ------w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-08-22 18:28 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008082220080823\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-11 53096]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-24 136600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
2Wire Wireless Client.lnk - c:\program files\2Wire 802.11g Wireless\PRISMCFG.exe [2005-10-11 335979]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" /startup
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"PRISMSVR.EXE"="c:\windows\system32\PRISMSVR.EXE" /APPLY
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"igfxpers"=c:\windows\system32\igfxpers.exe
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"
"REGSHAVE"=c:\program files\REGSHAVE\REGSHAVE.EXE /AUTORUN
"RegistryMechanic"=
"MsgCenterExe"="c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R2 BCMNTIO;BCMNTIO;\??\c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2005-01-03 3744]
R2 MAPMEM;MAPMEM;\??\c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2005-01-03 3904]
R3 WlanUIG;2Wire 802.11g USB Driver;c:\windows\system32\DRIVERS\WlanUIG.sys [2005-10-11 347648]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce75fd4c-3dec-11dc-82f7-98c4808f77e0}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL http://www.mystearnsandfoster.com/
.
Contents of the 'Scheduled Tasks' folder

2008-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-22 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (HENRIETTA-Hilary Klein).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

2008-11-22 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Kevin Klein.job
- c:\progra~1\NORTON~1\NORTON~3\Navw32.exe [2007-05-23 11:13]

2008-11-24 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2005-10-05 22:02]

2008-11-25 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2005-10-03 20:20]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Kevin Klein\Application Data\Mozilla\Firefox\Profiles\8go5dk1d.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-25 09:07:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Symantec Shared\CCPROXY.EXE
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\SYSTEM32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Norton SystemWorks\Norton GoBack\GBPoll.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Norton SystemWorks\Norton AntiVirus\NAVAPSVC.EXE
c:\program files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMNTOR.EXE
c:\progra~1\NORTON~1\NORTON~2\NPROTECT.EXE
c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
c:\progra~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2008-11-25 9:14:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-25 15:14:26

Pre-Run: 16,523,575,296 bytes free
Post-Run: 16,381,468,672 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

206 --- E O F --- 2008-11-13 04:05:54
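The two things a helper reads out of this thread are (a) the TDSS* leftovers the poster listed in SYSTEM32 and the user profile, and (b) the ComboFix log above: the removed Service_TDSSserv.sys driver, the Security Center "DisableMonitoring" entries, the disabled firewall in the standard profile, and the AutoRun command recorded under MountPoints2. The script below is an added example written for this page; it is not ComboFix's code, not anything the forum helper posted, and not an official ComboFix log format. It splits a ComboFix-style log into its "(((( Section ))))" blocks, flags those items with severity labels of my own choosing, and checks a list of paths for TDSS-prefixed file names. The log excerpt and path list are constructed from the lines posted in this thread; the keyword matching on registry keys is a heuristic, not a complete rule set.

```python
"""Triage helper for a ComboFix-style log (added example, not ComboFix's own code)."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the log posted in this thread (a few lines per section).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-11 53096]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce75fd4c-3dec-11dc-82f7-98c4808f77e0}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL http://www.mystearnsandfoster.com/
"""

# Paths from the poster's follow-up, plus one benign file (ctfmon.exe) as a control.
SAMPLE_PATHS = [
    r"C:\WINDOWS\SYSTEM32\TDSSdxcp.dll",
    r"C:\WINDOWS\SYSTEM32\TDSSkkai",
    r"C:\WINDOWS\SYSTEM32\TDSSmtve",
    r"C:\WINDOWS\SYSTEM32\ctfmon.exe",
    r"C:\Documents and Settings\Kevin Klein\TDSSkkai",
]

SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")           # "(((( name ))))"
TDSS_NAME_RE = re.compile(r"(^|[\\/])tdss[^\\/]*$", re.IGNORECASE)


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty lines under the '(((( name ))))' header that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":  # ComboFix pads sections with lone dots
            sections.setdefault(current, []).append(line)
    return sections


def parse_reg_points(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (registry key, value line) pairs from the Reg Loading Points block."""
    pairs: List[Tuple[str, str]] = []
    key = None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None:
            pairs.append((key, line))
    return pairs


def triage(text: str) -> List[str]:
    """Produce severity-tagged findings (labels are this example's own) from the log."""
    sections = split_sections(text)
    findings: List[str] = []
    for line in sections.get("Drivers/Services", []):
        # ComboFix lists the drivers/services it removed with a "-------\" prefix.
        if line.startswith("-------\\"):
            name = line.split("\\", 1)[1]
            severity = "HIGH" if "tdss" in name.lower() else "INFO"
            findings.append(f"{severity}: service/driver removed: {name}")
    for key, value in parse_reg_points(sections.get("Reg Loading Points", [])):
        k, v = key.lower(), value.lower()
        if "security center" in k and '"disablemonitoring"=dword:00000001' in v:
            findings.append(f"MEDIUM: Security Center monitoring disabled under {key}")
        elif "firewallpolicy" in k and '"enablefirewall"= 0' in v:
            profile = key.split("\\")[-1]
            findings.append(f"MEDIUM: Windows Firewall disabled in {profile}")
        elif "mountpoints2" in k and "autorun" in v:
            findings.append(f"LOW: AutoRun command recorded under MountPoints2: {value}")
    return findings


def flag_tdss_leftovers(paths: List[str]) -> List[str]:
    """Keep only paths whose file name starts with TDSS (case-insensitive)."""
    return [p for p in paths if TDSS_NAME_RE.search(p)]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    for path in flag_tdss_leftovers(SAMPLE_PATHS):
        print("LEFTOVER:", path)
```

Run on the excerpt it reports one HIGH (the removed TDSSserv driver), two MEDIUM (Security Center monitoring off, firewall off in the standard profile), one LOW (the MountPoints2 AutoRun command, which here points at a vendor URL and is informational), and the four TDSS-named paths; the benign ccApp Run entry and ctfmon.exe pass through untouched. The Security Center entries are worth a second look even after cleanup: they can be legitimate when a third-party suite takes over monitoring, but a rootkit that wants to stay quiet also benefits from them.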
