WiredWX Hobby Weather Tools


Backdoor.Tidserv , Tidserv.32

Re: Backdoor.Tidserv , Tidserv.32
4oD
Acer eDataSecurity Management 1.00.26
Acer eLock Management
Acer Empowering Technology framework
Acer eNet Management
Acer ePerformance Management
Acer ePower Management
Acer ePresentation Management
Acer eSettings Management
Acer GridVista
Acer OrbiCam Driver
Acer OrbiCam Software
Ad-Aware
Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0
Adobe Shockwave Player
AGEIA PhysX v7.05.05
Apple Mobile Device Support
Apple Software Update
ArcSoft TotalMedia 3
BBC iPlayer Download Manager
Bonjour
Camera RAW Plug-In for EPSON Creativity Suite
CC_ccProxyExt
ccCommon
ccPxyCore
Compatibility Pack for the 2007 Office system
Counter-Strike: Source
Critical Update for Windows Media Player 11 (KB959772)
CX4300_5500_DX4400 manual
Daily Star Sci-Fi Saturday
DawnOfWar
Dell Color Printer 725
DirectX Media Runtime 5.1
Drv
DVBT Application
EAX(tm) Unified (SHELL)
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Easy Photo Print
EPSON File Manager
EPSON Printer Software
EPSON Scan
EPSON Scan Assistant
EPSON Web-To-Page
FoxyTunes for Firefox
Futuremark SystemInfo
GOM Player
Google Earth
HDAUDIO Soft Data Fax Modem with SmartCP
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB909667)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB918005)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
HP Photosmart, Officejet and Deskjet 7.0.A
HP Product Assistant
HP Solution Center 7.0
HP Update
Intel(R) PROSet/Wireless Software
Internet Worm Protection
IsoBuster 2.3
iTunes
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 11
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Launch Manager
Learn2 Player (Uninstall Only)
Malwarebytes' Anti-Malware
mCore
Media Center Extender
Media Center Extender
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
mMHouse
MobileMe Control Panel
Mozilla Firefox (3.0.10)
Mozilla Thunderbird (2.0.0.16)
mPfMgr
mProSafe
MSRedist
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML4 Parser
mWlsSafe
mXML
NAVShortcut
Norton AntiSpam
Norton AntiVirus 2006
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Internet Security
Norton Internet Security
Norton Personal Firewall
Norton Personal Firewall
Norton Personal Firewall
Norton Protection Center
Norton WMI Update
Norton WMI Update
NTI Backup NOW! 4.5
NTI CD & DVD-Maker
NVIDIA Drivers
OCR Software by I.R.I.S 7.0
OpenOffice.org Installer 1.0
PowerDVD
PowerProducer
Project64 1.6
Quake III Arena
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Safari
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB963027)
Sky Broadband
Skype™️ 3.8
Sonic Encoders
SPBBC
SpeechRedist
SPORE™️ Creature Creator Trial Edition
Spotify
SPSS 16.0 for Windows
Steam(TM)
Symantec
Symantec KB-DocID:2003093015493306
Synaptics Pointing Device Driver
System Requirements Lab
Team Fortress 2
TRUST MI-3500X WIRELESS MOUSE
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
Ventrilo Client
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VoIP Phone Charger
Warhammer Online - Age of Reckoning
WIDCOMM Bluetooth Software
WinAce Archiver
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Vista Upgrade Advisor
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Media Center Edition 2005 KB905589
Windows XP Media Center Edition 2005 KB925766
WinRAR archiver
WinUAE 1.5.3

Re: Backdoor.Tidserv , Tidserv.32

Also, I used two USB sticks while I had this virus. My bad, hehe.

Re: Backdoor.Tidserv , Tidserv.32
Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • Adobe Reader 7.0
  • J2SE Runtime Environment 5.0 Update 11
  • Java(TM) 6 Update 11
  • Java(TM) 6 Update 5
  • Java(TM) 6 Update 7
  • Java(TM) SE Runtime Environment 6 Update 1
  • Viewpoint Media Player

The USB sticks may be infected and need to be cleaned, otherwise they will re-infect this machine, and infect other machines if we don't clean them.

Please download USBNoRisk to your Desktop and run it by double clicking the program's icon.

  1. Wait a couple of seconds for initial scan to finish.
  2. Connect BOTH of your USB storage devices to the PC, one at a time, and keep each one connected for at least 10 seconds.
  3. After all the devices are scanned, right click in the Monitor tab, and choose "Save log". That will open the log in Notepad. Please copy and paste the log into this thread.
Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC, e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras, memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

Re: Backdoor.Tidserv , Tidserv.32

Thanks a lot for the help so far! I'm gonna have to retreat till tomorrow now, it's 12am here and I need some sleep. Again, thanks!

Re: Backdoor.Tidserv , Tidserv.32

Ah, same timezone as me then.

Cya in the morning, if I manage to get on before the Formula 1 race.

Re: Backdoor.Tidserv , Tidserv.32

Hi again!
That's strange, just caught a bit of it myself, hehe.

Here's the log from USBNoRisk:

USBNoRisk 2.1 by bobby

Started at 09/05/2009 14:18:00

Scanning for connected USB Mass storage...
----------------------------------------
========================================

Scanning for other storage...
----------------------------------------
C: {e8c82450-ced8-11db-9631-806d6172696f}
D: {e8c82451-ced8-11db-9631-806d6172696f}
========================================


Scanning fixed storage for autorun.inf files...
----------------------------------------

No blocked files found on C:
autorun.inf found on C:
----------------------------------------
File C:\autorun.inf renamed successfully

Content of C:\autorun.inf.blocked
----------------------------------------
[autorun]
;jypymkfdrihswrdgrtwqroowlwpbzzwffpopobegvovxbamxkesisfwgkrmymloihgqu
shellexecute="RECYCLER\S-9-0-68-100032238-100025344-100031571-6371.com c:\"
;uehswmqxjwmsrzxytyvpaqjcctoipgcxdjzaotxhmfqygnlcyiyliatwwoqzgnyskewrjails
shell\Open\command="RECYCLER\S-9-0-68-100032238-100025344-100031571-6371.com c:\"
;mzjiuimohgvmgwxniivus
shell=Open
----------------------------------------

No mountpoint found for C:
No mountpoint found for e8c82450-ced8-11db-9631-806d6172696f
----------------------------------------

No blocked files found on D:
autorun.inf found on D:
----------------------------------------
File D:\autorun.inf renamed successfully

Content of D:\autorun.inf.blocked
----------------------------------------
[autorun]
;brgszpciintgodsklghvmurxkotkpbdxbeqalaouskifyelvmykvlpjatftiaolxjulsxukglekszgiknsnsgpdsje
shellexecute="RECYCLER\S-9-0-68-100032238-100025344-100031571-6371.com d:\"
;chawxrdjztjzvbnqzafjpnggejgmrrvaxzhitemmhbrlxuoqtobfztomczlkdzcftshdiuzrwwtstuxvqltjrrt
shell\Open\command="RECYCLER\S-9-0-68-100032238-100025344-100031571-6371.com d:\"
;dsgaojlsfrzsljcuxcagkneycvfyxxktvtguszuwgffvzjuchscrdlmuumpnwefypadkdfcyubcocrt
shell=Open
----------------------------------------

No mountpoint found for D:
No mountpoint found for e8c82451-ced8-11db-9631-806d6172696f
----------------------------------------

========================================
Initial scan finished!
========================================


New device connected at 09/05/2009 14:18:25

Scanning for connected USB mass storage...
----------------------------------------
F: {9a87ac5c-38a8-11de-99b6-0018de262313}
Added F:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on F:
----------------------------------------
No Autorun.inf files found on F:
Sanitized mountpoint for 9a87ac5c-38a8-11de-99b6-0018de262313
----------------------------------------

No Desktop.ini files found on F:
----------------------------------------

No mimics found on drive F:
========================================

========================================
Removed F:
========================================


New device connected at 09/05/2009 14:19:28

Scanning for connected USB mass storage...
----------------------------------------
G: {c3e785ca-d0ba-11db-9641-0018de262313}
Added G:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on G:
----------------------------------------
No Autorun.inf files found on G:
Sanitized mountpoint for c3e785ca-d0ba-11db-9641-0018de262313
----------------------------------------

No Desktop.ini files found on G:
----------------------------------------

No mimics found on drive G:
========================================

========================================
Removed G:
========================================

Re: Backdoor.Tidserv , Tidserv.32
Hello.
USBNoRisk has stopped the autorun files from working, so we can delete them now.

Please open USBNoRisk again, we need to use a custom script to delete the malicious autorun.inf files.

  1. When USBNoRisk opens, go into the Script tab, and insert the script below.


    {e8c82450-ced8-11db-9631-806d6172696f}
    delete: C:\autorun.inf.blocked
    delete: C:\RECYCLER\S-9-0-68-100032238-100025344-100031571-6371.com
    protect:
    {e8c82451-ced8-11db-9631-806d6172696f}
    delete: D:\autorun.inf.blocked
    delete: D:\RECYCLER\S-9-0-68-100032238-100025344-100031571-6371.com
    protect:

  2. Then press the Run Script button.
  3. Copy and paste the report back here.
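As an added example (an editor's addition, not part of this thread and not USBNoRisk's code): a small Python triage routine for an autorun.inf body like the two that USBNoRisk quoted in the log above. It parses the [autorun] section, lists every program the file would launch, and explains why those two files are malicious: both shellexecute and shell\Open\command point at a .com file hidden in RECYCLER under a SID-shaped name, shell=Open makes that the drive's default double-click action, and the comment lines are random-letter padding. The C: sample is copied from the log above; the "vendor CD" sample and all of the heuristics (the hidden-folder list, the SID-like name pattern, the junk-comment test and the fixed-disk rule) are this example's own assumptions.

```python
"""Triage an autorun.inf body of the kind USBNoRisk renamed to autorun.inf.blocked."""
import re

# Keys whose value is a command the Windows shell would run, either through
# AutoRun/AutoPlay or as the drive's double-click verb.
EXEC_KEYS = ("shellexecute", "open", "shell\\open\\command", "shell\\explore\\command")
# Heuristics below are this example's own assumptions, not from the page or USBNoRisk.
SID_LIKE = re.compile(r"s-\d+(-\d+){3,}")          # S-9-0-68-... style names
JUNK_COMMENT = re.compile(r"[a-z]{16,}")           # a comment that is only random letters
HIDDEN_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")


def parse_autorun(text):
    """Return ({key: value}, [comment bodies]) for the [autorun] section.

    Keys are lower-cased and surrounding quotes on values are dropped. ';' lines are
    collected rather than parsed; autorun worms pad them with random letters so that
    byte-pattern signatures for the file do not match.
    """
    entries, comments, in_section = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            comments.append(line[1:])
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries, comments


def judge_autorun(text, fixed_disk=False):
    """Return (suspicious, launched targets, indicators) for one autorun.inf body."""
    entries, comments = parse_autorun(text)
    targets, indicators = [], []
    if fixed_disk and entries:
        # Vendor media uses autorun.inf; the root of C: or D: has no business having one.
        indicators.append("autorun.inf present on the root of a fixed (non-removable) disk")
    for key in EXEC_KEYS:
        value = entries.get(key)
        if not value:
            continue
        target = value.split()[0]              # first token is the program, rest are arguments
        targets.append(target)
        low = target.lower().replace("/", "\\")
        if low.split("\\")[0] in HIDDEN_DIRS:
            indicators.append(f"{key} runs a file inside a hidden system folder: {target}")
        if SID_LIKE.search(low):
            indicators.append(f"{key} target is named like a SID to blend in with Recycle Bin subfolders")
    if entries.get("shell", "").lower() == "open" and "shell\\open\\command" in entries:
        indicators.append("shell=Open makes the custom Open command the default double-click action")
    junk = [c for c in comments if JUNK_COMMENT.fullmatch(c)]
    if junk:
        indicators.append(f"{len(junk)} comment line(s) of random letters (signature padding)")
    return bool(indicators), targets, indicators


# Copied from the USBNoRisk log above (content of C:\autorun.inf.blocked).
INFECTED_C = r"""[autorun]
;jypymkfdrihswrdgrtwqroowlwpbzzwffpopobegvovxbamxkesisfwgkrmymloihgqu
shellexecute="RECYCLER\S-9-0-68-100032238-100025344-100031571-6371.com c:\"
;uehswmqxjwmsrzxytyvpaqjcctoipgcxdjzaotxhmfqygnlcyiyliatwwoqzgnyskewrjails
shell\Open\command="RECYCLER\S-9-0-68-100032238-100025344-100031571-6371.com c:\"
;mzjiuimohgvmgwxniivus
shell=Open
"""

# Constructed benign sample: what a driver CD's autorun.inf normally looks like.
BENIGN_CD = """[autorun]
open=setup.exe
icon=setup.ico
label=Printer driver CD
"""

if __name__ == "__main__":
    for name, body, fixed in (("C:\\autorun.inf", INFECTED_C, True), ("vendor CD", BENIGN_CD, False)):
        bad, launched, why = judge_autorun(body, fixed_disk=fixed)
        print(name, "SUSPICIOUS" if bad else "benign", f"launches: {launched}", *why, sep="\n  ")
```

The script USBNoRisk was given above does the actual cleanup (delete the .blocked file and the RECYCLER payload, then "protect" the root); this routine only explains what the quoted lines would do, so it is a reading aid for the log, not a replacement for the tool. The same file on a USB stick's root is the normal infection vector for this family, which is why the helper asked for every stick to be scanned. KB967715, which appears in the installed-programs list above, is Microsoft's AutoRun update; with it applied the NoDriveTypeAutoRun policy is honoured, so disabling AutoRun for all drive types is the standard hardening step on this machine once it is clean.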

Re: Backdoor.Tidserv , Tidserv.32
USBNoRisk 2.1 by bobby

Started at 09/05/2009 15:04:13

Scanning for connected USB Mass storage...
----------------------------------------
========================================

Scanning for other storage...
----------------------------------------
C: {e8c82450-ced8-11db-9631-806d6172696f}
D: {e8c82451-ced8-11db-9631-806d6172696f}
========================================


Scanning fixed storage for autorun.inf files...
----------------------------------------

Blocked file found: C:\autorun.inf.blocked
----------------------------------------
Content of C:\autorun.inf.blocked
----------------------------------------
[autorun]
;jypymkfdrihswrdgrtwqroowlwpbzzwffpopobegvovxbamxkesisfwgkrmymloihgqu
shellexecute="RECYCLER\S-9-0-68-100032238-100025344-100031571-6371.com c:\"
;uehswmqxjwmsrzxytyvpaqjcctoipgcxdjzaotxhmfqygnlcyiyliatwwoqzgnyskewrjails
shell\Open\command="RECYCLER\S-9-0-68-100032238-100025344-100031571-6371.com c:\"
;mzjiuimohgvmgwxniivus
shell=Open
----------------------------------------

No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for e8c82450-ced8-11db-9631-806d6172696f
----------------------------------------

Blocked file found: D:\autorun.inf.blocked
----------------------------------------
Content of D:\autorun.inf.blocked
----------------------------------------
[autorun]
;brgszpciintgodsklghvmurxkotkpbdxbeqalaouskifyelvmykvlpjatftiaolxjulsxukglekszgiknsnsgpdsje
shellexecute="RECYCLER\S-9-0-68-100032238-100025344-100031571-6371.com d:\"
;chawxrdjztjzvbnqzafjpnggejgmrrvaxzhitemmhbrlxuoqtobfztomczlkdzcftshdiuzrwwtstuxvqltjrrt
shell\Open\command="RECYCLER\S-9-0-68-100032238-100025344-100031571-6371.com d:\"
;dsgaojlsfrzsljcuxcagkneycvfyxxktvtguszuwgffvzjuchscrdlmuumpnwefypadkdfcyubcocrt
shell=Open
----------------------------------------

No Autorun.inf files found on D:
No mountpoint found for D:
No mountpoint found for e8c82451-ced8-11db-9631-806d6172696f
----------------------------------------

========================================
Initial scan finished!
========================================

Processing script
----------------------------------------
e8c82450-ced8-11db-9631-806d6172696f
Drive letter for GUID: C:
SectionStart = 1
SectionEnd = 4
Delete: C:\autorun.inf.blocked > Done!
Delete: C:\RECYCLER\S-9-0-68-100032238-100025344-100031571-6371.com > File does not exist!
----------------------------------------
Protect C:
----------------------------------------
FAT32 root: autorun.inf found. Doing magic...
Magic is done
----------------------------------------

e8c82451-ced8-11db-9631-806d6172696f
Drive letter for GUID: D:
SectionStart = 5
SectionEnd = 8
Delete: D:\autorun.inf.blocked > Done!
Delete: D:\RECYCLER\S-9-0-68-100032238-100025344-100031571-6371.com > File does not exist!
----------------------------------------
Protect D:
----------------------------------------
FAT32 root: autorun.inf found. Doing magic...
Magic is done
----------------------------------------

Re: Backdoor.Tidserv , Tidserv.32
Okay, that's the autorun infection gone. One more scan to do and we'll see what this says.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
  • Double click DDS.scr to run
  • When complete, two logs will open. Save both reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

Re: Backdoor.Tidserv , Tidserv.32
DDS (Ver_09-03-16.01) - FAT32x86
Run by Tom at 15:27:17.70 on 09/05/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1471 [GMT 1:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated)
FW: Norton Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
SVCHOST.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
SVCHOST.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
SVCHOST.EXE
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Yahoo!\NAV\navapsvc.exe
C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\ehome\RMSvc.exe
SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\admtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Acer\VoIP Phone Charger\voip phone charger.exe
C:\Program Files\Trust\MI-3500X WIRELESS MOUSE\Mouse32a.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\TMController.exe
C:\Program Files\DVBT Application\Schedule_d.exe
C:\Program Files\Kontiki\KHost.exe
C:\DOCUME~1\Tom\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ArcSoft\TotalMedia 3\TMMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Documents and Settings\Tom\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sky.com
uSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uWindow Title = Internet Explorer Provided By Sky Broadband
uDefault_Page_URL = hxxp://www.sky.com
mDefault_Page_URL = hxxp://home.bt.yahoo.com
mSearch Page =
mStart Page = hxxp://home.bt.yahoo.com
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\yahoo!\nav\NavShExt.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [LaunchApp] Alaunch
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: []
mRun: [ADMTray.exe] "c:\acer\empowering technology\admtray.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ePower_DMC] c:\acer\empowering technology\epower\ePower_DMC.exe
mRun: [Acer ePower Management] c:\acer\empowering technology\epower\Acer ePower Management.exe boot
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\Monitor.exe
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [LogitechCameraAssistant] c:\program files\acer\orbicam\CameraAssistant.exe
mRun: [LogitechVideo[inspector]] c:\program files\acer\orbicam\InstallHelper.exe /inspect
mRun: [LogitechCameraService(E)] c:\windows\system32\ElkCtrl.exe /automation
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [voip phone charger] "c:\program files\acer\voip phone charger\voip phone charger.exe"
mRun: [FLMOFFICE4DMOUSE] c:\program files\trust\mi-3500x wireless mouse\Mouse32a.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TM Control] c:\windows\system32\TMController.exe
mRun: [HiDTV Control]
mRun: [Schedule_d] "c:\program files\dvbt application\Schedule_d.exe"
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [DLCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCFtime.dll,_RunDLLEntry@16
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRunServices: [DJSNetCN] c:\program files\common files\symantec shared\DJSNETCN.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tmmoni~1.lnk - c:\program files\arcsoft\totalmedia 3\TMMonitor.exe

Re: Backdoor.Tidserv , Tidserv.32
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\extend~1.lnk - c:\windows\ehome\RMSysTry.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\tom\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173812171828
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tom\applic~1\mozilla\firefox\profiles\9lvp5ctl.default\
FF - prefs.js: browser.search.selectedEngine - eBay.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://home.bt.yahoo.com/
FF - component: c:\documents and settings\tom\application data\mozilla\firefox\profiles\9lvp5ctl.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: c:\documents and settings\tom\application data\mozilla\firefox\profiles\9lvp5ctl.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np32dsw.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npff_gdm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npnul32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppl3260.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin6.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nprjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-7 64160]
R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2005-10-15 12106]
R1 SAVRT;SAVRT;c:\program files\yahoo!\nav\savrt.sys [2005-8-26 334984]
R1 SAVRTPEL;SAVRTPEL;c:\program files\yahoo!\nav\Savrtpel.sys [2005-8-26 53896]
R2 AWService;AdminWorks Agent X6;c:\acer\empowering technology\admServ.exe [2005-10-24 1314816]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-9-17 192104]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2005-9-17 202088]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-9-17 169576]
R2 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2007-3-10 4096]
R2 EpmShd;Acer EPM System Hardware Driver;c:\windows\system32\drivers\epm-shd.sys [2007-3-10 78208]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\yahoo!\nav\NAVAPSVC.EXE [2006-4-14 139888]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2005-6-30 7296]
R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2005-1-14 4010]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-8-19 1174152]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-6-8 101936]
R3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [2006-6-19 1097728]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090508.003\NAVENG.Sys [2009-5-8 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090508.003\NavEx15.Sys [2009-5-8 876144]
R3 NdisFilt;OSA NdisFilter Protocol;c:\windows\system32\drivers\NdisFilt.sys [2005-9-13 4392]
S3 DrmCAudio;DrmCAudio;c:\windows\system32\drivers\DrmCAudio.sys [2009-4-27 23096]
S3 DrmCVideo;DrmCVideo;c:\windows\system32\drivers\DrmCVideo.sys [2009-4-27 3768]
S3 DVBT_Loader;DVB-T Adapter firmware loader;c:\windows\system32\drivers\DVBT_Loader.sys [2009-1-23 44800]
S3 GenDTV;DVB-T receiver Driver;c:\windows\system32\drivers\Geniausb.sys [2009-1-23 84992]
S3 krdpdre;krdpdre;c:\docume~1\tom\locals~1\temp\krdpdre.sys [2004-4-12 31744]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-3-10 32512]
S3 SAVScan;Symantec AVScan;c:\program files\yahoo!\nav\SAVScan.exe [2005-8-26 198368]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2009-4-27 16640]

=============== Created Last 30 ================

2009-05-09 15:05 0 -------- C:\autorun.inf
2009-05-09 14:20 --d----- C:\USBNoRisk
2009-05-08 23:30 --d----- c:\docume~1\tom\applic~1\Malwarebytes
2009-05-08 23:30 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-08 23:30 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-08 23:30 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-08 23:30 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-07 14:20 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-07 11:54 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-07 11:53 --d-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-07 11:53 --d----- c:\program files\Lavasoft
2009-05-06 23:51 --d----- c:\windows\pss
2009-05-05 15:51 --d----- c:\docume~1\tom\applic~1\Spotify
2009-05-05 15:51 --d----- c:\program files\Spotify
2009-05-04 21:32 60,928 a------- c:\documents and settings\tom\jbfmod.dll
2009-05-04 21:32 161,280 a------- c:\documents and settings\tom\fmod.dll
2009-05-04 21:17 51,200 a--sh--- c:\windows\system32\wewomesu.exe
2009-04-27 19:13 16,640 a------- c:\windows\system32\drivers\WsAudio_DeviceS(1).sys
2009-04-27 18:48 --d----- C:\Converted
2009-04-27 18:46 23,096 a------- c:\windows\system32\drivers\DrmCAudio.sys
2009-04-27 18:46 3,768 a------- c:\windows\system32\drivers\DrmCVideo.sys

==================== Find3M ====================

2009-03-21 15:18 986,112 a------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 15:00 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 15:00 284,160 a------- c:\windows\system32\dllcache\pdh.dll
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-04 14:14 47,032 a------- c:\docume~1\tom\applic~1\GDIPFONTCACHEV1.DAT
2009-03-03 00:27 1,499,136 a------- c:\windows\system32\dllcache\shdocvw.dll
2009-02-20 22:44 3,067,904 a------- c:\windows\system32\dllcache\mshtml.dll
2009-02-19 10:50 18,432 a------- c:\windows\system32\dllcache\iedw.exe
2009-02-10 18:31 453,120 a------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 11:01 728,576 a------- c:\windows\system32\lsasrv.dll
2009-02-09 11:01 728,576 a------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 11:01 617,984 a------- c:\windows\system32\dllcache\advapi32.dll
2009-02-09 11:01 617,984 a------- c:\windows\system32\advapi32.dll
2009-02-09 11:01 473,088 a------- c:\windows\system32\dllcache\fastprox.dll
2009-02-09 11:01 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 11:01 401,408 a------- c:\windows\system32\dllcache\rpcss.dll
2009-02-09 11:01 715,264 a------- c:\windows\system32\ntdll.dll
2009-02-09 11:01 715,264 a------- c:\windows\system32\dllcache\ntdll.dll
2009-02-09 10:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-09 10:19 1,846,272 a------- c:\windows\system32\dllcache\win32k.sys
2008-06-12 14:18 5,887 a------- c:\program files\install.log
2008-05-30 18:50 140,408 a------- c:\documents and settings\tom\Hold.dat
2007-03-10 01:32 40 a------- c:\documents and settings\tom\language.dat
2009-02-07 10:46 87,040 a--sh--- c:\windows\system32\duyojaye.dll
2009-02-05 10:35 50,176 a--sh--- c:\windows\system32\zobirawa.dll
2009-02-04 21:17 51,200 a--sh--- c:\windows\system32\fuguyelo.exe
2009-02-05 10:35 79,872 a--sh--- c:\windows\system32\momejigo.dll
2009-02-06 13:47 80,384 a--sh--- c:\windows\system32\lugapeda.dll
2009-02-07 10:46 78,848 a--sh--- c:\windows\system32\kikububu.dll

============= FINISH: 15:28:01.17 ===============

Re: Backdoor.Tidserv , Tidserv.32
Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :services
    krdpdre

    :files
    c:\windows\system32\wewomesu.exe
    c:\windows\system32\duyojaye.dll
    c:\windows\system32\zobirawa.dll
    c:\windows\system32\fuguyelo.exe
    c:\windows\system32\momejigo.dll
    c:\windows\system32\lugapeda.dll
    c:\windows\system32\kikububu.dll
    C:\USBNoRisk

    :commands
    [emptytemp]
    [reboot]


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTMoveIt3.
If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

Please post the OTMoveIt log.
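The kind of selection rules behind a script like the one above, as an added Python example (not DDS's or OldTimer's code): two heuristics are run over a constructed subset of the DDS log lines posted earlier in this thread, a loaded driver whose image sits in a temp directory and a hidden+system executable dropped straight into system32, and the hits are rendered in OTMoveIt's section format. The heuristics and the regexes are this example's own assumptions about the log layout.

```python
import re

# Constructed sample: a subset of the lines from the DDS log posted earlier in this thread.
SAMPLE_LOG = r"""
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090508.003\NAVENG.Sys [2009-5-8 89104]
S3 krdpdre;krdpdre;c:\docume~1\tom\locals~1\temp\krdpdre.sys [2004-4-12 31744]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-3-10 32512]
2009-05-09 14:20 --d----- C:\USBNoRisk
2009-05-08 23:30 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-04 21:17 51,200 a--sh--- c:\windows\system32\wewomesu.exe
2009-02-09 11:01 728,576 a------- c:\windows\system32\lsasrv.dll
2009-02-07 10:46 87,040 a--sh--- c:\windows\system32\duyojaye.dll
"""

# Assumed layouts: "R3 name;display;path [date size]" for services/drivers and
# "date time [size] attrs path" for the Created/Find3M file lines.
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)\s+\[[\d-]+\s+\d+\]$")
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?:[\d,]+ )?([adhrs-]{8}) (.+)$")

# Heuristic 1: a registered driver whose image lives under a temp directory.
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# Heuristic 2: an .exe/.dll directly in system32 carrying both hidden and system attributes.
SYSTEM32_RE = re.compile(r"^c:\\windows\\system32\\[^\\]+\.(dll|exe)$", re.IGNORECASE)


def find_suspicious(log_text):
    """Return (service names, file paths) matching the two heuristics, in log order."""
    services, files = [], []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            name, image = m.group(1), m.group(2)
            if TEMP_DIR_RE.search(image):
                services.append(name)
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group(1), m.group(2)
            if "h" in attrs and "s" in attrs and SYSTEM32_RE.match(path):
                files.append(path)
    return services, files


def build_otmoveit_script(services, files):
    """Render the findings in the :services / :files / :commands layout OTMoveIt reads."""
    sections = [":services", *services, "", ":files", *files, "", ":commands", "[emptytemp]", "[reboot]"]
    return "\n".join(sections) + "\n"


if __name__ == "__main__":
    print(build_otmoveit_script(*find_suspicious(SAMPLE_LOG)))
```

A hit from either rule is a lead for a human to review against the full log, not a verdict on its own; legitimate tools occasionally set hidden+system on their own files.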

Re: Backdoor.Tidserv , Tidserv.32
========== SERVICES/DRIVERS ==========

Service\Driver krdpdre deleted successfully.
========== FILES ==========
c:\windows\system32\wewomesu.exe moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\duyojaye.dll
c:\windows\system32\duyojaye.dll NOT unregistered.
c:\windows\system32\duyojaye.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\zobirawa.dll
c:\windows\system32\zobirawa.dll NOT unregistered.
c:\windows\system32\zobirawa.dll moved successfully.
c:\windows\system32\fuguyelo.exe moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\momejigo.dll
c:\windows\system32\momejigo.dll NOT unregistered.
c:\windows\system32\momejigo.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\lugapeda.dll
c:\windows\system32\lugapeda.dll NOT unregistered.
c:\windows\system32\lugapeda.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\kikububu.dll
c:\windows\system32\kikububu.dll NOT unregistered.
c:\windows\system32\kikububu.dll moved successfully.
C:\USBNoRisk moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Tom\LOCALS~1\Temp\RtkBtMnt.exe scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Tom\LOCALS~1\Temp\hpodvd09.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Tom\LOCALS~1\Temp\JET55F6.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Tom\LOCALS~1\Temp\~DF51FB.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Tom\LOCALS~1\Temp\Perflib_Perfdata_bbc.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Tom\LOCALS~1\Temp\etilqs_jxXGz22EOul5ckU8iMke scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_a0c.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_2a8.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_8d0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Tom\Local Settings\Application Data\Mozilla\Firefox\Profiles\9lvp5ctl.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Tom\Local Settings\Application Data\Mozilla\Firefox\Profiles\9lvp5ctl.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Tom\Local Settings\Application Data\Mozilla\Firefox\Profiles\9lvp5ctl.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Tom\Local Settings\Application Data\Mozilla\Firefox\Profiles\9lvp5ctl.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Tom\Local Settings\Application Data\Mozilla\Firefox\Profiles\9lvp5ctl.default\XUL.mfl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Tom\Local Settings\Application Data\Mozilla\Firefox\Profiles\9lvp5ctl.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05092009_154844

Files moved on Reboot...
C:\DOCUME~1\Tom\LOCALS~1\Temp\RtkBtMnt.exe moved successfully.
C:\DOCUME~1\Tom\LOCALS~1\Temp\hpodvd09.log moved successfully.
File C:\DOCUME~1\Tom\LOCALS~1\Temp\JET55F6.tmp not found!
C:\DOCUME~1\Tom\LOCALS~1\Temp\~DF51FB.tmp moved successfully.
File C:\DOCUME~1\Tom\LOCALS~1\Temp\Perflib_Perfdata_bbc.dat not found!
File C:\DOCUME~1\Tom\LOCALS~1\Temp\etilqs_jxXGz22EOul5ckU8iMke not found!
File C:\WINDOWS\temp\Perflib_Perfdata_a0c.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_2a8.dat not found!
C:\WINDOWS\temp\Perflib_Perfdata_8d0.dat moved successfully.
C:\Documents and Settings\Tom\Local Settings\Application Data\Mozilla\Firefox\Profiles\9lvp5ctl.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Tom\Local Settings\Application Data\Mozilla\Firefox\Profiles\9lvp5ctl.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Tom\Local Settings\Application Data\Mozilla\Firefox\Profiles\9lvp5ctl.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Tom\Local Settings\Application Data\Mozilla\Firefox\Profiles\9lvp5ctl.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Tom\Local Settings\Application Data\Mozilla\Firefox\Profiles\9lvp5ctl.default\XUL.mfl moved successfully.
C:\Documents and Settings\Tom\Local Settings\Application Data\Mozilla\Firefox\Profiles\9lvp5ctl.default\urlclassifier3.sqlite moved successfully.

Re: Backdoor.Tidserv , Tidserv.32
We can remove OTMoveIt now.

  • Please double-click OTMoveIt3.exe to run it again.
  • Press the green CleanUp! button.
  • Press Yes at the cleanup process prompt, and do the same for the reboot prompt.
How is the machine running now?

Re: Backdoor.Tidserv , Tidserv.32
Upon startup I get an error message titled RUNDLL: "error loading C:\windows\system32\duyojaye.dll, the specified module cannot be found."

Otherwise it seems OK; the adverts caused by the virus have gone, and my CPU usage is back down to 9-15%.
