WiredWX Hobby Weather Tools

Solved: backdoor.tidserv!inf virus reported from norton

Hi,

A Norton scan is showing that the system is infected with a backdoor virus, and it is not able to delete the temp file either, saying it is in use.
Here is the info from the HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:15:16 AM, on 12/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\AMIT PIPLANI\Application Data\Mozilla\Profiles\default\fh6843y7.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [Cpqset] "C:\Program Files\HPQ\Default Settings\cpqset.exe"
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360 Premier Edition\osCheck.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.idesitv.com/livetv.ocx
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\HP Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10156 bytes

Re: backdoor.tidserv!inf virus reported from norton

Hello.
Nothing harmful is showing in the log. I see you have turned some items off at startup via msconfig.



  • Download combofix from here, use the top links - combofix.exe
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    [image: Rcauto10]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt, which asks if you want to continue the malware scan; select Yes.

    [image: Whatne10]

  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it is running. That may cause it to stall.

Re: backdoor.tidserv!inf virus reported from norton

ComboFix 08-12-01.03 - Amit Piplani 2008-12-02 18:17:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.376 [GMT -5:00]
Running from: c:\documents and settings\Amit Piplani.PC139818592325\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Amit Piplani\Application Data\.rdr.ini
c:\documents and settings\Sonal Piplani\Application Data\.rdr.ini
c:\windows\IE4 Error Log.txt
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.

2008-12-02 08:36 . 2008-12-02 08:49 d-------- c:\windows\LastGood
2008-12-02 03:43 . 2008-12-02 08:55 d-------- c:\windows\system32\CatRoot_bak
2008-12-02 03:43 . 2008-09-15 06:57 1,846,016 --------- c:\windows\system32\dllcache\win32k.sys
2008-12-02 03:43 . 2008-08-28 05:04 333,056 --------- c:\windows\system32\dllcache\srv.sys
2008-12-02 03:43 . 2008-06-13 08:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-12-02 03:43 . 2008-06-13 08:10 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2008-12-02 03:43 . 2008-08-14 04:51 138,368 --------- c:\windows\system32\dllcache\afd.sys
2008-12-02 03:39 . 2006-12-06 23:14 2,330,624 --------- c:\windows\system32\dllcache\wmvcore.dll
2008-12-02 03:39 . 2008-09-04 11:42 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-12-02 03:39 . 2008-04-11 13:50 683,520 --------- c:\windows\system32\dllcache\inetcomm.dll
2008-12-02 03:39 . 2008-10-24 06:10 453,632 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-02 03:39 . 2008-10-15 11:57 332,800 --------- c:\windows\system32\dllcache\netapi32.dll
2008-12-02 03:39 . 2008-05-01 09:30 331,776 --------- c:\windows\system32\dllcache\msadce.dll
2008-12-02 03:38 . 2008-05-08 07:28 202,752 --------- c:\windows\system32\dllcache\rmcast.sys
2008-12-02 01:14 . 2008-12-02 01:14 d-------- c:\program files\Trend Micro
2008-12-02 00:20 . 2008-12-02 00:39 d-------- C:\NSS
2008-12-01 18:42 . 2008-12-02 00:13 d-------- c:\program files\Norton 360 Premier Edition
2008-12-01 18:41 . 2008-12-01 18:57 d-------- c:\program files\Symantec
2008-12-01 18:41 . 2008-12-01 18:58 d-------- c:\documents and settings\All Users\Application Data\Symantec
2008-12-01 18:41 . 2008-12-01 18:57 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-01 18:41 . 2008-12-01 18:57 60,800 --a------ c:\windows\system32\S32EVNT1.DLL
2008-11-28 21:40 . 2008-11-28 21:40 d-------- c:\documents and settings\NetworkService\Application Data\Webroot
2008-11-28 17:38 . 2008-11-28 17:38 d-------- c:\documents and settings\All Users\Symantec Temporary Files
2008-11-28 13:42 . 2008-11-28 13:42 d-------- c:\windows\system32\N360_BACKUP
2008-11-28 13:31 . 2008-11-28 13:31 d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-28 13:20 . 2008-12-01 19:06 d-------- c:\documents and settings\Amit Piplani.PC139818592325\Application Data\Symantec
2008-11-28 13:16 . 2008-11-28 13:16 d-------- c:\program files\Windows Sidebar
2008-11-28 13:13 . 2008-12-01 18:57 10,671 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-28 13:13 . 2008-12-01 18:57 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-11-18 19:51 . 2008-12-01 17:36 d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-11-13 19:15 . 2008-11-13 19:15 d-------- c:\documents and settings\Amit Piplani.PC139818592325\WINDOWS
2008-11-13 19:15 . 1999-11-10 08:16 200,192 --a------ c:\windows\RRM46.pls
2008-11-13 19:15 . 1999-11-10 08:16 188,960 --a------ c:\windows\system32\WINGDE.DLL
2008-11-13 19:15 . 1999-11-10 08:16 92,208 --a------ c:\windows\system32\WING.DLL
2008-11-13 19:15 . 1999-11-10 08:16 12,800 --a------ c:\windows\system32\WING32.DLL
2008-11-13 19:15 . 1999-11-10 08:16 6,736 --a------ c:\windows\system32\WINGDIB.DRV
2008-11-13 19:15 . 1999-11-10 08:16 5,024 --a------ c:\windows\system32\WINGPAL.WND
2008-11-13 19:10 . 2008-11-13 19:10 d-------- c:\windows\BBSTORE
2008-11-12 09:55 . 2002-01-05 05:18 84,992 --a------ c:\windows\system32\atl70.dll
2008-11-04 17:07 . 2008-11-04 17:08 d-------- c:\documents and settings\Amit Piplani.PC139818592325\.SunDownloadManager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 23:21 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-02 17:59 --------- d-----w c:\program files\lx_cats
2008-12-02 17:58 --------- d-----w c:\documents and settings\Amit Piplani.PC139818592325\Application Data\AdobeUM
2008-12-01 21:17 --------- d-----w c:\program files\brighter child
2008-11-19 00:52 --------- d-----w c:\program files\Google
2008-11-14 00:15 --------- d-----w c:\program files\The Learning Company
2008-11-14 00:10 --------- d-----w c:\program files\NZRVR
2008-11-14 00:10 --------- d-----w c:\program files\Connection Wizard
2008-11-12 14:57 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-01 01:55 --------- d-----w c:\program files\NetBeans 6.0.1
2008-11-01 01:55 --------- d-----w c:\program files\glassfish-v2ur1
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 19:04 --------- d-----w c:\program files\Vongo
2008-10-23 19:00 --------- d-----w c:\documents and settings\Gargee Piplani\Application Data\Webroot
2008-10-23 19:00 --------- d-----w c:\documents and settings\Gargee Piplani\Application Data\FaxCtr
2008-10-19 23:42 --------- d-----w c:\program files\Microsoft Money 2006
2008-10-19 23:29 --------- d-----w c:\program files\Java
2008-10-18 15:50 --------- d-----w c:\program files\GemMaster
2008-10-18 15:50 --------- d-----w c:\program files\ESPNMotion
2008-10-18 15:40 --------- d-----w c:\program files\Yahoo!
2008-10-16 22:19 --------- d-----w c:\program files\QuickTime
2008-10-16 22:19 --------- d-----w c:\program files\Common Files\Apple
2008-10-16 22:18 --------- d-----w c:\program files\Apple Software Update
2008-10-16 22:18 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-16 22:18 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-10-14 21:57 --------- d-----w c:\documents and settings\Amit Piplani.PC139818592325\Application Data\FaxCtr
2008-10-09 10:18 --------- d-----w c:\documents and settings\Amit Piplani.PC139818592325\Application Data\TVU Networks
2008-10-09 10:18 --------- d-----w c:\documents and settings\All Users\Application Data\TVU Networks
2008-10-09 10:11 --------- d-----w c:\program files\Common Files\NSV
2008-10-08 00:24 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-04 15:14 --------- d-----w c:\documents and settings\Amit Piplani.PC139818592325\Application Data\Sonic
2008-10-04 15:13 --------- d-----w c:\documents and settings\Amit Piplani.PC139818592325\Application Data\Leadertech
2008-10-03 01:15 --------- d-----w c:\documents and settings\Amit Piplani.PC139818592325\Application Data\Yahoo!
2008-10-02 23:31 --------- d-----w c:\documents and settings\Amit Piplani.PC139818592325\Application Data\WildTangent
2008-10-02 23:31 --------- d-----w c:\documents and settings\All Users\Application Data\WildTangent
2008-10-02 23:29 --------- d-----w c:\program files\WildTangent
2008-10-02 23:23 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2008-10-02 14:00 --------- d-----w c:\documents and settings\Amit Piplani.PC139818592325\Application Data\Netscape
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-30 00:51 90,112 ----a-w c:\windows\DUMP2e43.tmp
2008-09-30 00:49 90,112 ----a-w c:\windows\DUMP375b.tmp
2008-09-28 17:59 164 ----a-w C:\install.dat
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2007-12-25 01:01 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-03-06 23:16 836 ----a-w c:\documents and settings\Amit Piplani\Application Data\ViewerApp.dat
2006-12-27 18:30 17,172,599 ----a-w c:\documents and settings\Sonal Piplani\setup_blazemp.exe
2006-07-09 01:00 22 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-11 102400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-22 185896]
"lxcrmon.exe"="c:\program files\Lexmark 2400 Series\lxcrmon.exe" [2006-01-22 286720]
"EzPrint"="c:\program files\Lexmark 2400 Series\ezprint.exe" [2006-02-07 98304]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 290816]
"LXCRCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2005-12-01 65536]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360 Premier Edition\osCheck.exe" [2008-02-26 988512]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 5367608]
"MsmqIntCert"="mqrt.dll" [2004-08-10 c:\windows\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 c:\windows\system32\CHDAudPropShortcut.exe]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-03-14 73728]

c:\documents and settings\Amit Piplani\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-03-14 73728]

c:\documents and settings\Gargee Piplani\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-03-14 73728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2006-07-25 151552]
Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2006-07-25 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2008-02-18 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-01 99376]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2008-01-12 23888]

*Newly Created Service* - COMHOST
*Newly Created Service* - EHRECVR
*Newly Created Service* - EHSCHED
*Newly Created Service* - MCRDSVC
*Newly Created Service* - PROCEXP90
.
.

Re: backdoor.tidserv!inf virus reported from norton

------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Amit Piplani.PC139818592325\Application Data\Mozilla\Firefox\Profiles\sik3ue7i.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-02 18:20:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\AMITPI~1.PC1\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1308)
c:\windows\system32\WRLogonNTF.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2008-12-02 18:23:31
ComboFix-quarantined-files.txt 2008-12-02 23:23:23

Pre-Run: 22,631,108,608 bytes free
Post-Run: 22,658,134,016 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

218 --- E O F --- 2008-12-02 09:08:02

Re: backdoor.tidserv!inf virus reported from norton

Looks okay, what problems remain?

Re: backdoor.tidserv!inf virus reported from norton

Since this issue appears, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.
