TechSpot

Cannot get online after Backdoor.Tidserv!inf removal

By jadler
Jul 16, 2010
  1. I finally got the dreaded Backdoor.Tidserv!inf off a coworker's laptop (running XP Home w/ SP3). Cannot get online with IE. Yesterday I managed to get Firefox loaded and COULD get on with that. In trying to get IE to work something happened and now neither will let me surf in normal mode. I've deleted network devices and allowed Windows to reload those drivers. I CAN surf on either browser while in Safe Mode with networking. Machine has Norton 360 on it. I am not a huge Norton fan. Should I try uninstalling that?
     
  2. Broni

    Broni Malware Annihilator Posts: 47,616   +267

  3. jadler

    jadler TS Rookie Topic Starter

    Results

    I had already run Malwarebytes a few times to clean up junk. I usually keep running that until I get 0 problems. Norton 360 runs on this laptop and still found the Backdoor virus or malware. I ran Hitman or something to clear that. Still cannot get online. And the machine seems to run slowly. Programs take a long time to boot (although it is not my machine, so I don't know how it was before all of this). Here are the Malwarebytes logs; I'll post the other requested logs in another reply:

    Malwarebytes (I'll copy in the 2 that gave some results other than 0):

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4313

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    7/14/2010 12:26:32 PM
    mbam-log-2010-07-14 (12-26-32).txt

    Scan type: Quick scan
    Objects scanned: 140690
    Time elapsed: 1 hour(s), 1 minute(s), 59 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 20
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 2
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{eca3e63b-2d45-2cad-efb1-65fd6c346935} (Adware.LoudMo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\AppDataLow\HavingFunOnline (Adware.BHO.FL) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\MozillaPlugins\@videoegg.com/publisher,version=1.5 (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\KwinzySrch (Adware.Zwangi) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KwinzySrch (Adware.Zwangi) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Documents and Settings\All Users\Application Data\KwinzySrch (Adware.Zwangi) -> Quarantined and deleted successfully.
    C:\Program Files\KwinzySrch (Adware.Zwangi) -> Quarantined and deleted successfully.

    Files Infected:
    (No malicious items detected)

    2nd Malware log:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4313

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    7/14/2010 4:27:06 PM
    mbam-log-2010-07-14 (16-27-06).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 244314
    Time elapsed: 3 hour(s), 50 minute(s), 13 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1616\A0449899.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    ===========
     
  4. jadler

    jadler TS Rookie Topic Starter

    Here is the GMER log

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit quick scan 2010-07-16 13:02:29
    Windows 5.1.2600 Service Pack 3
    Running: 9ffo0cdl.exe; Driver: C:\DOCUME~1\Cindy\LOCALS~1\Temp\axlyypow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    ---- EOF - GMER 1.0.15 ----
     
  5. jadler

    jadler TS Rookie Topic Starter

    Here is the DDS log

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Cindy at 16:16:16.06 on Fri 07/16/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.133 [GMT -4:00]

    AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Cindy\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    uURLSearchHooks: H - No File
    mURLSearchHooks: H - No File
    mWinlogon: Userinit=c:\windows\system32\Userinit.exe
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Viewpoint Toolbar BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - c:\program files\viewpoint\viewpoint toolbar\3.9.0\ViewBarBHO.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - No File
    TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.9.0\IEViewBar.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {0C8413C1-FAD1-446C-8584-BE50576F863E} - No File
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
    TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    IE: {5E638779-1818-4754-A595-EF1C63B87A56} - c:\program files\norton systemworks\norton cleanup\WCQuick.lnk
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
    LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
    Trusted Zone: ltbmedia.com\vpn
    DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab
    DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {D27CDB70-AE6D-11cf-96B8-444553540000} -
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: {9024CA5D-A3C0-4284-8B34-110F66656DD0} = 68.87.64.146
    Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\cindy\applic~1\mozilla\firefox\profiles\f7f2xzef.default\
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 5577
    FF - prefs.js: network.proxy.type - 1
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: XULRunner: {233A5C05-6A75-4FAF-B1B0-AB872EE2C6B1} - c:\documents and settings\cindy\local settings\application data\{233A5C05-6A75-4FAF-B1B0-AB872EE2C6B1}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R0 Achernar;Achernar - SCSI Command Filters;c:\windows\system32\drivers\Achernar.sys [2008-9-28 16855]
    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-7-13 218592]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-22 310320]
    R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-22 259632]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-22 482432]
    R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100715.001\IDSXpx86.sys [2010-7-16 331640]
    R1 SymSMR120;SMR Utility Service 1.2.0;c:\windows\system32\drivers\SymSMR120.SYS [2010-7-13 58928]
    R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-7-13 112592]
    R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-2-22 117640]
    R2 NProtectService;Norton UnErase Protection;c:\progra~1\norton~2\norton~1\NPROTECT.EXE [2008-9-25 95600]
    R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-4-8 1251720]
    R3 Aldebaran;Aldebaran - SCSI Command Filters;c:\windows\system32\drivers\Aldebaran.sys [2008-9-28 21808]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-11 102448]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100715.053\NAVENG.SYS [2010-7-16 85424]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100715.053\NAVEX15.SYS [2010-7-16 1362608]
    S3 Bipmerv;Bipmerv; [x]
    S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]
    S3 DSCVc;Video Capture;c:\windows\system32\drivers\CoachVc.sys [2008-9-28 44256]
    S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys --> c:\windows\system32\drivers\rcvpn.sys [?]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-7-13 366840]
    S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-7-13 1142224]
    S3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2008-2-4 20504]

    =============== Created Last 30 ================

    2010-07-15 17:00:13 368 ----a-w- c:\windows\system32\.crusader
    2010-07-15 16:34:31 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-07-15 16:28:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
    2010-07-15 16:28:15 0 d-----w- c:\program files\Hitman Pro 3.5
    2010-07-14 15:11:50 0 d-----w- c:\docume~1\cindy\applic~1\Malwarebytes
    2010-07-14 14:42:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-14 14:42:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-14 14:42:21 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-14 14:42:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-07-14 02:12:07 46640 ----a-w- c:\windows\system32\msln.exe
    2010-07-13 14:16:46 2882 ----a-w- c:\windows\system32\drivers\SymSMR120.dat
    2010-07-13 14:16:43 58928 ----a-w- c:\windows\system32\drivers\SymSMR120.SYS
    2010-07-13 13:05:34 767952 ----a-w- c:\windows\BDTSupport.dll
    2010-07-13 13:05:31 882 ----a-w- c:\windows\RegSDImport.xml
    2010-07-13 13:05:31 879 ----a-w- c:\windows\RegISSImport.xml
    2010-07-13 13:05:31 149456 ----a-w- c:\windows\SGDetectionTool.dll
    2010-07-13 13:05:31 131 ----a-w- c:\windows\IDB.zip
    2010-07-13 13:05:30 1152444 ----a-w- c:\windows\UDB.zip
    2010-07-13 13:05:29 165840 ----a-w- c:\windows\PCTBDRes.dll
    2010-07-13 13:05:29 1652688 ----a-w- c:\windows\PCTBDCore.dll
    2010-07-13 13:04:32 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
    2010-07-13 13:04:32 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2010-07-13 13:04:12 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
    2010-07-13 13:04:08 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2010-07-13 13:04:08 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
    2010-07-13 13:04:08 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2010-07-13 13:02:53 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
    2010-07-13 13:02:53 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2010-07-13 13:01:24 0 d-----w- c:\program files\common files\PC Tools
    2010-07-13 13:01:23 0 d-----w- c:\program files\Spyware Doctor
    2010-07-13 13:01:23 0 d-----w- c:\docume~1\cindy\applic~1\PC Tools
    2010-07-13 13:01:23 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
    2010-07-07 00:53:47 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS
    2010-07-07 00:48:05 0 d-----w- C:\Netgear
    2010-06-25 00:42:12 0 d-----w- c:\docume~1\cindy\applic~1\Skinux
    2010-06-24 23:53:23 0 d-----w- c:\docume~1\alluse~1\applic~1\ArcSoft
    2010-06-24 23:24:29 62976 ------w- c:\windows\system32\dllcache\cdrom.sys
    2010-06-24 23:24:25 465920 ------w- c:\windows\system32\imapi2fs.dll
    2010-06-24 23:24:25 465920 ------w- c:\windows\system32\dllcache\imapi2fs.dll
    2010-06-24 23:24:23 317952 ------w- c:\windows\system32\imapi2.dll
    2010-06-24 23:24:23 317952 ------w- c:\windows\system32\dllcache\imapi2.dll

    ==================== Find3M ====================

    2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
    2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
    2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
    2008-01-04 03:14:09 56 -csh--r- c:\windows\system32\F22B7D43FD.sys
    2008-01-04 03:14:09 3558 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2008-10-06 23:50:10 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100620081007\index.dat
    2008-11-18 13:56:09 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111820081119\index.dat

    ============= FINISH: 16:17:19.40 ===============
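The DDS log above is the most telling artifact in the thread: both the IE setting `uInternet Settings,ProxyServer = http=127.0.0.1:5577` and the Firefox prefs `network.proxy.http - 127.0.0.1` / `network.proxy.type - 1` route every browser request through a proxy on the local machine, which nothing legitimate is listening on, while ping never touches a proxy and so keeps working. The following is an added example, not code from the thread or from the DDS tool: it parses those DDS lines and flags any browser proxy that points back at loopback. The sample input reuses the proxy lines posted above plus a constructed "clean" log.

```python
"""Flag browser proxy settings that point at the local machine in a DDS log.

Added example (not from the thread or from the DDS tool). It reads the
"Pseudo HJT Report" and "FIREFOX" lines that DDS prints and reports any
proxy that sends IE or Firefox traffic to a loopback address, the
classic "ping works but no browser can surf" symptom.
"""
import re
from ipaddress import ip_address

# Sample input: the proxy-related lines from the DDS log posted in the thread.
SAMPLE_DDS = """\
uSearch Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5577
FF - prefs.js: network.proxy.type - 1
"""

# Constructed clean sample: no IE proxy, Firefox using system settings (type 5).
CLEAN_DDS = """\
uInternet Settings,ProxyOverride = <local>
FF - prefs.js: network.proxy.type - 5
"""

IE_PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+?)\s*$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (network\.proxy\.[\w.]+) - (.+?)\s*$")
FF_SCHEMES = ("http", "ssl", "ftp", "socks")


def is_loopback(host):
    """True for localhost, 127.0.0.0/8 and ::1; anything unparseable is not loopback."""
    host = host.strip("[]").lower()
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def split_host_port(hostport):
    """'127.0.0.1:5577' -> ('127.0.0.1', 5577); a bare host gets port None."""
    host, _, port = hostport.rpartition(":")
    if not host:
        return hostport, None
    return host, int(port) if port.isdigit() else None


def parse_ie_proxy(value):
    """IE ProxyServer value ('http=h:p;https=h:p' or bare 'h:p') -> [(scheme, host, port)]."""
    entries = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        scheme, _, hostport = item.rpartition("=")  # bare 'h:p' yields scheme ''
        host, port = split_host_port(hostport)
        entries.append((scheme or "all", host, port))
    return entries


def find_proxy_hijacks(dds_text):
    """Return (browser, scheme, host, port) for every proxy that targets the local machine."""
    findings = []
    ff_prefs = {}
    for line in dds_text.splitlines():
        line = line.strip()
        m = IE_PROXY_RE.match(line)
        if m:
            for scheme, host, port in parse_ie_proxy(m.group(1)):
                if is_loopback(host):
                    findings.append(("IE", scheme, host, port))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            ff_prefs[m.group(1)] = m.group(2).strip('"')
    # Firefox only honours the per-scheme hosts when network.proxy.type is 1 (manual).
    if ff_prefs.get("network.proxy.type") == "1":
        for scheme in FF_SCHEMES:
            host = ff_prefs.get(f"network.proxy.{scheme}")
            if host and is_loopback(host):
                port = ff_prefs.get(f"network.proxy.{scheme}_port", "")
                findings.append(("Firefox", scheme, host, int(port) if port.isdigit() else None))
    return findings


if __name__ == "__main__":
    for browser, scheme, host, port in find_proxy_hijacks(SAMPLE_DDS):
        print(f"{browser}: {scheme} traffic is sent to loopback proxy {host}:{port}")
    print("clean sample:", find_proxy_hijacks(CLEAN_DDS))
```

A hit here means a cleanup script must also reset the proxy (the `DDS::` line in the CFScript later in this thread does exactly that for IE); removing the malware binary alone leaves the browsers pointed at a dead port.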
     
  6. jadler

    jadler TS Rookie Topic Starter

    Attach log

    Too big to fit--I'm attaching.
     


  7. Broni

    Broni Malware Annihilator Posts: 47,616   +267

    Thank you :)

    1. Click Start>Run (Start>"Start search" in Vista).

    2. Type in (or copy and paste):

    cmd /c ping google.com>%temp%\$.$&notepad %temp%\$.$

    and press Enter.

    3. Notepad will open.

    4. Copy all text in Notepad ([Ctrl-A], then [Ctrl-C]), and then post it (paste = [Ctrl-V]) in your next reply.

    =====================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  8. jadler

    jadler TS Rookie Topic Starter

    Re: Backdoor

    Log too big. Attaching. Right after running CF, I could surf on IE, but not Firefox. I rebooted that machine--now neither will surf.

    Here is the CF quarantine log:

    2010-07-19 20:34:23 . 2010-07-19 20:34:23 912 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-WebCyberCoach_wtrb.reg.dat
    2010-07-19 20:33:10 . 2010-07-19 20:33:10 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{0C8413C1-FAD1-446C-8584-BE50576F863E}.reg.dat
    2010-07-19 20:33:09 . 2010-07-19 20:33:09 197 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-{0C8413C1-FAD1-446C-8584-BE50576F863E}.reg.dat
    2010-07-19 20:18:22 . 2010-07-19 20:18:22 7,291 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
    2010-07-19 19:01:00 . 2010-07-19 20:00:45 153 ----a-w- C:\Qoobox\Quarantine\catchme.log
    2009-04-15 16:09:26 . 2009-04-15 16:09:27 61,224 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Cindy\GoToAssistDownloadHelper.exe.vir
    2006-11-23 14:53:25 . 2006-08-08 02:00:12 61,440 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\packet.dll.vir
    2005-12-19 02:54:27 . 2005-12-19 02:54:44 1,171 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\xpsp1hfm.log.vir
    2005-07-14 20:28:02 . 2005-07-14 20:28:02 365 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf.vir
     

    Attached Files: log.txt (22 KB)
  9. Broni

    Broni Malware Annihilator Posts: 47,616   +267

    Please, always follow ALL instructions.
    You didn't give me the results from "ping".
     
  10. jadler

    jadler TS Rookie Topic Starter

    Ping Results

    Sorry. It was the end of a long day of triple-tasking. I can ping Google. Cannot get there through browsers.

    Pinging google.com [72.14.204.103] with 32 bytes of data:

    Reply from 72.14.204.103: bytes=32 time=23ms TTL=53
    Reply from 72.14.204.103: bytes=32 time=22ms TTL=53
    Reply from 72.14.204.103: bytes=32 time=19ms TTL=53
    Reply from 72.14.204.103: bytes=32 time=20ms TTL=53

    Ping statistics for 72.14.204.103:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 19ms, Maximum = 23ms, Average = 21ms
     
  11. jadler

    jadler TS Rookie Topic Starter

    Fixed it!

    I uninstalled Norton 360. That seemed to be the culprit prohibiting browser surfing. I'm not fond of Norton products in the first place and will recommend other programs to my friends to use. Thanks for your help.
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,616   +267

    I'm glad to see that removing Norton brought your browsers back to normal.
    However, MBAM and Combofix showed that your computer was/is also infected.
    I strongly suggest we continue the cleaning process.
    Let me know.
     
  13. jadler

    jadler TS Rookie Topic Starter

    Follow up

    Thanks for following up. I probably did not include the 2 final MBAM scans that show 0 problems. I did mention that I run that program until I get no malware found results. Once I had uninstalled Norton, the whole system seemed to run better and could surf. I sent it home with the co-worker. Can you tell me what you saw in ComboFix to get rid of? I must confess, I find that log file a little hard to read. I will pass along the info to the end-user or ask them to bring the laptop back to me. Appreciate your help immensely!
     
  14. Broni

    Broni Malware Annihilator Posts: 47,616   +267

    Combofix removed a couple of bad entries and there is more....


    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
    c:\windows\system32\F22B7D43FD.sys
    c:\windows\system32\diskchk.sys
    
    
    Driver::
    Bipmerv
    diskchk
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [IMG: animation not included]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  15. Broni

    Broni Malware Annihilator Posts: 47,616   +267

    Are you still out there?
     