backdoor.Tidserv!inf

jhooga

jhooga

New Member
how on earth do i get rid of this. when i did a scan using symantec 5 of these popped up with no way to repair. So i did a malwarebytes scan and it caught nothing. How do i get rid of it???
 
Please post the logs from the following procedure.

Please download Malwarebytes' Anti-Malware from here or here and save it to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version. Please keep updating until it says you have the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • A log will be saved automatically which you can access by clicking on the Logs tab within Malwarebytes' Anti-Malware

If you continue to experience problems after doing this, please post a HijackThis log by doing the following:

Download the HijackThis installer from here.
Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile

Most of what HijackThis lists will be harmless or even essential, don't fix anything yet.

Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log
 
Here is the hijack this log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:44:38 PM, on 6/21/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\Program Files\MSN\Toolbar\3.0.1125.0\mstbsvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ateamnet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy.angels.angelsbb.com:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NA1Messenger] C:\UPS\WSTD\UPSNA1Msgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKUS\S-1-5-21-606747145-854245398-725345543-1692\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'PLissy')
O4 - HKUS\S-1-5-21-606747145-854245398-725345543-1692\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'PLissy')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\WSTDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ateamnet
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1195586470562
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - https://forms.dm.mlbam.com/forms/jinitiator/jinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = angels.angelsbb.com
O17 - HKLM\Software\..\Telephony: DomainName = angels.angelsbb.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = angels.angelsbb.com
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 4997 bytes
 
Can you please post the malwarebytes log? I need to make sure you are running the latest definitions for it. As I don't see anything bad in your log, please run the following.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.


In your next reply please post:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 
here is the combofix log
ComboFix 10-06-21.01 - PLissy 06/21/2010 13:58:48.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.394 [GMT -7:00]
Running from: c:\documents and settings\plissy\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\plissy\Local Settings\Temporary Internet Files\'10 Sched Mon-Sun_11 21 09 _Carpino.pdf - Adobe Reader
c:\documents and settings\plissy\Local Settings\Temporary Internet Files\2010 Mini Plans
c:\documents and settings\plissy\Local Settings\Temporary Internet Files\2010 Ticket Pricing Final 11-19-09
c:\documents and settings\plissy\Local Settings\Temporary Internet Files\2010MiniColor.pdf - Adobe Reader
c:\documents and settings\plissy\Local Settings\Temporary Internet Files\2010MiniColor.pdf
c:\documents and settings\plissy\Local Settings\Temporary Internet Files\e
c:\windows\system32\smtp.ocx
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://abb-catcher
.
((((((((((((((((((((((((( Files Created from 2010-05-21 to 2010-06-21 )))))))))))))))))))))))))))))))
.

2010-06-21 20:44 . 2010-06-21 20:44 -------- d-----w- c:\program files\Trend Micro
2010-06-21 18:00 . 2010-06-21 18:00 -------- d-----w- c:\documents and settings\plissy\Application Data\Malwarebytes
2010-06-21 17:59 . 2010-06-21 17:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-21 17:59 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-21 17:59 . 2010-06-21 17:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-21 17:59 . 2010-06-21 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-21 17:59 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-21 14:39 . 2007-11-20 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-06 16:42 . 2007-11-20 19:17 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-06 16:41 . 2007-11-20 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-05-06 16:40 . 2007-11-20 19:17 -------- d-----w- c:\program files\Symantec
2010-05-06 16:40 . 2010-05-06 16:40 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-06 16:40 . 2010-05-06 16:40 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-05-06 16:40 . 2010-05-06 16:40 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-06 16:40 . 2010-05-06 16:40 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-20 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-12 16267776]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-07 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-07 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-07 137752]
"NA1Messenger"="c:\ups\WSTD\UPSNA1Msgr.exe" [2008-12-04 24576]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-09-10 115560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2008-12-4 393216]
UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2008-12-2 31744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-854245398-725345543-1609\Scripts\Logon\0\0]
"Script"=\\angels.angelsbb.com\SysVol\angels.angelsbb.com\scripts\IS.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-854245398-725345543-1692\Scripts\Logon\0\0]
"Script"=\\angels.angelsbb.com\SysVol\angels.angelsbb.com\scripts\Angels1.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-854245398-725345543-2295\Scripts\Logon\0\0]
"Script"=\\angels.angelsbb.com\SysVol\angels.angelsbb.com\scripts\IS.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER [?]
R2 mstbsvc;MSN Toolbar Setup;c:\program files\MSN\Toolbar\3.0.1125.0\mstbsvc.exe [2/9/2009 9:33 PM 104784]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 4:11 PM 102448]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [9/10/2009 11:10 AM 23888]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER [?]
.
Contents of the 'Scheduled Tasks' folder

2010-06-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-20 16:58]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://ateamnet/
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = web-proxy.angels.angelsbb.com:8080
uInternet Settings,ProxyOverride = events;ateamnet;workflows;abb-*;ana-*;*.majorleaguebaseball.com;172.31.1.*;10.*;192.168.*;owa.angelsbb.com;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - \\Abb-reliever\MSApps\OFFICE~2\FILES\PFILES\MSOFFICE\OFFICE11\EXCEL.EXE/3000
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} - hxxps://forms.dm.mlbam.com/forms/jinitiator/jinit.exe
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-21 14:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2010-06-21 14:12:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-21 21:12

Pre-Run: 64,777,957,376 bytes free
Post-Run: 65,324,158,976 bytes free

- - End Of File - - 307B98060004680F350F190652BD51FB

and malwarebytes log
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

6/21/2010 1:55:05 PM
mbam-log-2010-06-21 (13-55-05).txt

Scan type: Quick scan
Objects scanned: 152632
Time elapsed: 8 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
You are not running the latest definitions for malwarebytes. Please open Malwarebytes and click on the update tab, click on check for updates and let it update. Then rescan your system and post the log. The latest version is 4222 your running 4052
 
i just tried to update malwarebytes and when i did it told me update failed to contact malwarebytes administrator for support
 
did it give you an error code like 732? Download and run rkill.scr and DO NOT reboot your system. After running rkill try updating malwarebytes again.
 
all right i will try tomorrow morning when that computer becomes available to me again. I will repost first thing
 
so i ended up disabling system restore and running a scan that way using symantec and it worked great. no more trojan. then just re-enabled system restore its perfect
 
You must log in or register to reply here.
Back
Top