Backdoor.Tidserv inf removal!


  • This topic is locked

#16 12rounds (Member, Topic Starter, 32 posts)
Soz, I've been busy the past few days. I just ran the Kaspersky scan; it had 2 threats and 7 infections, son of B! IE closed (or I might've clicked it accidentally) at 93% after 4 hours... I will run it tomorrow and should have the logs by then. Hope you can stay patient.
#17 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Okay, no worries, thanks for keeping me updated. :D

#18 12rounds (Member, Topic Starter, 32 posts)
Finally, a 7-hour scan found a lot, but:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, October 16, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, October 14, 2010 23:19:07
Records in database: 4190562
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 147127
Threats found: 3
Infected objects found: 11
Suspicious objects found: 0
Scan duration: 07:20:17


File name / Threat / Threats count
C:\Documents and Settings\Administrator\Desktop\LFS\LFS_S2Z_KeyFileGen.exe Infected: Trojan.Win32.Refroso.bxqs 1
C:\Documents and Settings\Administrator\Desktop\MSN SCRIPT HACK BY MAATT95\What Target Installs\borat.plsc Infected: Backdoor.JS.Agent.a 1
C:\Documents and Settings\Administrator\Desktop\MSN SCRIPT HACK BY MAATT95\What You Install\Msn Hacker (2).plsc Infected: Backdoor.JS.Agent.a 1
C:\Documents and Settings\Administrator\Desktop\MSN SCRIPT HACK BY MAATT95\What You Install\Msn Hacker.plsc Infected: Backdoor.JS.Agent.a 1
C:\Documents and Settings\Administrator\My Documents\My Received Files\Msn Blacklisted(1).plsc Infected: Backdoor.JS.Agent.a 1
C:\Documents and Settings\Administrator\My Documents\My Received Files\Msn Blacklisted.plsc Infected: Backdoor.JS.Agent.a 1
C:\Documents and Settings\Administrator\My Documents\My Received Files\mypiks.plsc Infected: Backdoor.JS.Agent.a 1
C:\Program Files\Messenger Plus! Live\Scripts\Avast 2.2 Protection Windows Live Messenger ©\huhu_ctrl.js Infected: Backdoor.JS.Agent.a 1
C:\Program Files\Messenger Plus! Live\Scripts\Controler 1.33\Controler 1.33.js Infected: Backdoor.JS.Agent.a 1
C:\Program Files\Messenger Plus! Live\Scripts\Pirates contacts\Pirater les contacts.js Infected: Backdoor.JS.Agent.a 1
C:\Qoobox\Quarantine\C\Program Files\Zwunzi\zwunzi.dll.vir Infected: not-a-virus:AdWare.Win32.Zwangi.hi 1

Selected area has been scanned.

#19 12rounds (Member, Topic Starter, 32 posts)
Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
Norton 360
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 21
Adobe Flash Player 10.1.53.64
Adobe Reader 9.3.4
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````
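The two lines worth noticing in the Security Check log above are "Windows Firewall Disabled!" and "(On Access scanning disabled!)": the machine was being cleaned with no real-time protection and no host firewall. As an added example (not part of the thread or of screen317's tool), here is a small Python triage script that splits a Security Check log into its sections, pulls out every "...!" phrase, and reports the ones that are warnings rather than good news. The sample log is constructed from the post above (with "Java(TM)" in place of the trademark symbol); the warning markers "out of date" and "not running" are assumptions, since the page only shows "Disabled!".

```python
"""Added example: triage a screen317 Security Check log for disabled
protections. Not part of the thread or of the Security Check tool."""
import re

SEP = "`" * 30

# Constructed sample: the Security Check output posted above, line by line.
SAMPLE_LOG = "\n".join([
    "Results of screen317's Security Check version 0.99.5",
    "Windows XP Service Pack 3",
    "Internet Explorer 8",
    SEP,
    "Antivirus/Firewall Check:",
    "",
    "Windows Firewall Disabled!",
    "Norton 360",
    "Antivirus up to date! (On Access scanning disabled!)",
    SEP,
    "Anti-malware/Other Utilities Check:",
    "",
    "Malwarebytes' Anti-Malware",
    "Java(TM) 6 Update 21",
    "Adobe Flash Player 10.1.53.64",
    "Adobe Reader 9.3.4",
    SEP,
    "Process Check:",
    "objlist.exe by Laurent",
    "",
    "Norton ccSvcHst.exe",
    SEP,
    "DNS Vulnerability Check:",
    "",
    "GREAT! (Not vulnerable to DNS cache poisoning)",
    "",
    "`" * 10 + "End of Log" + "`" * 12,
])

# Phrases that mark a finding as a warning. Only "disabled" appears on the
# page; the other two are assumed markers for the same style of output.
WARNING_MARKERS = ("disabled", "out of date", "not running")


def parse_sections(log):
    """Split the log on backtick separator lines into {title: [non-empty lines]}.

    Text before the first separator is stored under 'Header'; the first line
    after a separator is that section's title (trailing ':' removed).
    """
    sections = {}
    title, lines = "Header", []
    for line in log.splitlines():
        if re.fullmatch(r"`+(End of Log)?`*", line.strip()):
            sections[title] = [l for l in lines if l.strip()]
            title, lines = None, []
            continue
        if title is None:
            title = line.strip().rstrip(":")
            continue
        lines.append(line)
    if title is not None:  # log that does not end with a separator
        sections[title] = [l for l in lines if l.strip()]
    return sections


def find_warnings(log):
    """Return [(section, phrase)] for every '...!' phrase that is a warning."""
    found = []
    for section, lines in parse_sections(log).items():
        for line in lines:
            # Each exclamation phrase, including those inside parentheses.
            for phrase in re.findall(r"\(?([^()!]*!)\)?", line):
                phrase = phrase.strip()
                if any(m in phrase.lower() for m in WARNING_MARKERS):
                    found.append((section, phrase))
    return found


def installed_software(log):
    """The entries listed under 'Anti-malware/Other Utilities Check'."""
    return parse_sections(log).get("Anti-malware/Other Utilities Check", [])


if __name__ == "__main__":
    for section, warning in find_warnings(SAMPLE_LOG):
        print(f"[{section}] {warning}")
    print("Software listed:", installed_software(SAMPLE_LOG))
```

Run against the sample, the script reports both disabled protections under the Antivirus/Firewall section and ignores "GREAT!" and "Antivirus up to date!", which are positive findings.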

#20 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Hello,

I don't know what is in this folder here: C:\Documents and Settings\Administrator\Desktop\MSN SCRIPT HACK BY MAATT95 but if you don't need it then I suggest you get rid of it.

OTL Fix

We need to run an OTL Fix.
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"

    :Services
    :OTL
    
    :Reg
    
    :Files
    C:\Documents and Settings\Administrator\Desktop\LFS\LFS_S2Z_KeyFileGen.exe
    C:\Documents and Settings\Administrator\Desktop\MSN SCRIPT HACK BY MAATT95\What Target Installs\borat.plsc
    C:\Documents and Settings\Administrator\Desktop\MSN SCRIPT HACK BY MAATT95\What You Install\Msn Hacker (2).plsc
    C:\Documents and Settings\Administrator\Desktop\MSN SCRIPT HACK BY MAATT95\What You Install\Msn Hacker.plsc
    C:\Documents and Settings\Administrator\My Documents\My Received Files\Msn Blacklisted(1).plsc
    C:\Documents and Settings\Administrator\My Documents\My Received Files\Msn Blacklisted.plsc
    C:\Documents and Settings\Administrator\My Documents\My Received Files\mypiks.plsc
    C:\Program Files\Messenger Plus! Live\Scripts\Avast 2.2 Protection Windows Live Messenger ©\huhu_ctrl.js
    C:\Program Files\Messenger Plus! Live\Scripts\Controler 1.33\Controler 1.33.js
    C:\Program Files\Messenger Plus! Live\Scripts\Pirates contacts\Pirater les contacts.js
    C:\Qoobox\Quarantine\C\Program Files\Zwunzi\zwunzi.dll.vir
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:


How are things running?
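The :Files block in the fix above is, path for path, the list Kaspersky reported; building it by hand is where transcription mistakes creep in. As an added example (not part of the thread, of OTL, or of Kaspersky), here is a Python script that parses the "File name / Threat / Threats count" lines of a Kaspersky Online Scanner 7 report, groups the hits by detection name, marks entries that already sit in a ComboFix quarantine folder (C:\Qoobox\Quarantine), and emits the :Files section. The sample report is constructed from the detection lines posted earlier in this thread; the "Suspicious" verdict keyword is an assumption, since the page only shows "Infected".

```python
"""Added example: turn Kaspersky Online Scanner 7 detection lines into an
OTL ':Files' block, so every reported path is accounted for in the fix.
Not part of the thread, of OTL, or of Kaspersky."""
import re
from collections import defaultdict

# Constructed sample: the detection lines from the scan report posted above,
# followed by the trailer line the scanner prints.
SAMPLE_REPORT = r"""File name / Threat / Threats count
C:\Documents and Settings\Administrator\Desktop\LFS\LFS_S2Z_KeyFileGen.exe Infected: Trojan.Win32.Refroso.bxqs 1
C:\Documents and Settings\Administrator\Desktop\MSN SCRIPT HACK BY MAATT95\What Target Installs\borat.plsc Infected: Backdoor.JS.Agent.a 1
C:\Documents and Settings\Administrator\Desktop\MSN SCRIPT HACK BY MAATT95\What You Install\Msn Hacker (2).plsc Infected: Backdoor.JS.Agent.a 1
C:\Documents and Settings\Administrator\Desktop\MSN SCRIPT HACK BY MAATT95\What You Install\Msn Hacker.plsc Infected: Backdoor.JS.Agent.a 1
C:\Documents and Settings\Administrator\My Documents\My Received Files\Msn Blacklisted(1).plsc Infected: Backdoor.JS.Agent.a 1
C:\Documents and Settings\Administrator\My Documents\My Received Files\Msn Blacklisted.plsc Infected: Backdoor.JS.Agent.a 1
C:\Documents and Settings\Administrator\My Documents\My Received Files\mypiks.plsc Infected: Backdoor.JS.Agent.a 1
C:\Program Files\Messenger Plus! Live\Scripts\Avast 2.2 Protection Windows Live Messenger ©\huhu_ctrl.js Infected: Backdoor.JS.Agent.a 1
C:\Program Files\Messenger Plus! Live\Scripts\Controler 1.33\Controler 1.33.js Infected: Backdoor.JS.Agent.a 1
C:\Program Files\Messenger Plus! Live\Scripts\Pirates contacts\Pirater les contacts.js Infected: Backdoor.JS.Agent.a 1
C:\Qoobox\Quarantine\C\Program Files\Zwunzi\zwunzi.dll.vir Infected: not-a-virus:AdWare.Win32.Zwangi.hi 1

Selected area has been scanned.
"""

# One detection line: "<path> Infected: <threat> <count>". "Suspicious" is an
# assumed second verdict keyword; the report above only shows "Infected".
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) (?P<verdict>Infected|Suspicious): "
    r"(?P<threat>\S+) (?P<count>\d+)\s*$"
)

# ComboFix stores its quarantine under C:\Qoobox\Quarantine; a hit there is a
# copy that has already been neutralised, not an active file.
QUARANTINE_PREFIX = "C:\\Qoobox\\Quarantine\\"


def parse_report(text):
    """Return a list of {'path', 'verdict', 'threat', 'count'} dicts."""
    detections = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line)
        if m:
            d = m.groupdict()
            d["count"] = int(d["count"])
            detections.append(d)
    return detections


def group_by_threat(detections):
    """Map each detection name to the list of paths it was found at."""
    grouped = defaultdict(list)
    for d in detections:
        grouped[d["threat"]].append(d["path"])
    return dict(grouped)


def is_quarantined(path):
    """True for files that live inside the ComboFix quarantine folder."""
    return path.lower().startswith(QUARANTINE_PREFIX.lower())


def build_otl_files_block(detections, include_quarantined=True):
    """Emit the ':Files' section of an OTL fix, one path per line.

    The fix in the thread kept the Qoobox copy in the list; pass
    include_quarantined=False to leave already-quarantined files out.
    """
    paths = [d["path"] for d in detections
             if include_quarantined or not is_quarantined(d["path"])]
    return ":Files\n" + "\n".join(paths)


if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    for threat, paths in group_by_threat(dets).items():
        print(f"{threat}: {len(paths)} file(s)")
    print(build_otl_files_block(dets))
```

The grouping step is the useful part for a helper reading a report: nine of the eleven hits here are one detection (Backdoor.JS.Agent.a) spread across Messenger Plus! script files and received files, which points at one source rather than eleven separate problems.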

#21 12rounds (Member, Topic Starter, 32 posts)
I removed that folder before the OTL fix, btw.

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
========== REGISTRY ==========
========== FILES ==========
C:\Documents and Settings\Administrator\Desktop\LFS\LFS_S2Z_KeyFileGen.exe moved successfully.
File\Folder C:\Documents and Settings\Administrator\Desktop\MSN SCRIPT HACK BY MAATT95\What Target Installs\borat.plsc not found.
File\Folder C:\Documents and Settings\Administrator\Desktop\MSN SCRIPT HACK BY MAATT95\What You Install\Msn Hacker (2).plsc not found.
File\Folder C:\Documents and Settings\Administrator\Desktop\MSN SCRIPT HACK BY MAATT95\What You Install\Msn Hacker.plsc not found.
C:\Documents and Settings\Administrator\My Documents\My Received Files\Msn Blacklisted(1).plsc moved successfully.
C:\Documents and Settings\Administrator\My Documents\My Received Files\Msn Blacklisted.plsc moved successfully.
C:\Documents and Settings\Administrator\My Documents\My Received Files\mypiks.plsc moved successfully.
C:\Program Files\Messenger Plus! Live\Scripts\Avast 2.2 Protection Windows Live Messenger ©\huhu_ctrl.js moved successfully.
C:\Program Files\Messenger Plus! Live\Scripts\Controler 1.33\Controler 1.33.js moved successfully.
C:\Program Files\Messenger Plus! Live\Scripts\Pirates contacts\Pirater les contacts.js moved successfully.
C:\Qoobox\Quarantine\C\Program Files\Zwunzi\zwunzi.dll.vir moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Administrator\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Administrator\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 117503806 bytes
->Temporary Internet Files folder emptied: 235576646 bytes
->Java cache emptied: 194737 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 4718 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 833388 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 338.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.14.1 log created on 10162010_132814

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PRUPRC26\like[1].htm not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PRUPRC26\xd_proxy[1].htm not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\9KQSQ9SJ\page__st__15[1].htm not found!
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_8c.dat not found!
C:\WINDOWS\temp\Perflib_Perfdata_948.dat moved successfully.

Registry entries deleted on Reboot...
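The log above is the result to check the fix against: eight paths were moved, and the three under the MSN SCRIPT HACK folder came back "not found" because the folder had already been deleted by hand. As an added example (not part of the thread or of OTL), here is a Python script that reconciles the :Files list of an OTL fix with the FILES section of the resulting log, so each requested path ends up as moved, not found, or unreported, and anything the log touched that was not in the fix (here OTL's own cmd.bat/cmd.txt helpers) is listed separately. The fix paths and log excerpt are constructed from the posts above.

```python
"""Added example: reconcile an OTL fix's ':Files' list against the FILES
section of the log it produced. Not part of the thread or of OTL."""
import re

# Constructed sample: the :Files paths from the fix posted above.
FIX_PATHS = [
    r"C:\Documents and Settings\Administrator\Desktop\LFS\LFS_S2Z_KeyFileGen.exe",
    r"C:\Documents and Settings\Administrator\Desktop\MSN SCRIPT HACK BY MAATT95\What Target Installs\borat.plsc",
    r"C:\Documents and Settings\Administrator\Desktop\MSN SCRIPT HACK BY MAATT95\What You Install\Msn Hacker (2).plsc",
    r"C:\Documents and Settings\Administrator\Desktop\MSN SCRIPT HACK BY MAATT95\What You Install\Msn Hacker.plsc",
    r"C:\Documents and Settings\Administrator\My Documents\My Received Files\Msn Blacklisted(1).plsc",
    r"C:\Documents and Settings\Administrator\My Documents\My Received Files\Msn Blacklisted.plsc",
    r"C:\Documents and Settings\Administrator\My Documents\My Received Files\mypiks.plsc",
    r"C:\Program Files\Messenger Plus! Live\Scripts\Avast 2.2 Protection Windows Live Messenger ©\huhu_ctrl.js",
    r"C:\Program Files\Messenger Plus! Live\Scripts\Controler 1.33\Controler 1.33.js",
    r"C:\Program Files\Messenger Plus! Live\Scripts\Pirates contacts\Pirater les contacts.js",
    r"C:\Qoobox\Quarantine\C\Program Files\Zwunzi\zwunzi.dll.vir",
]

# Constructed sample: the top of the OTL log posted above, up to the COMMANDS section.
OTL_LOG = r"""All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
========== REGISTRY ==========
========== FILES ==========
C:\Documents and Settings\Administrator\Desktop\LFS\LFS_S2Z_KeyFileGen.exe moved successfully.
File\Folder C:\Documents and Settings\Administrator\Desktop\MSN SCRIPT HACK BY MAATT95\What Target Installs\borat.plsc not found.
File\Folder C:\Documents and Settings\Administrator\Desktop\MSN SCRIPT HACK BY MAATT95\What You Install\Msn Hacker (2).plsc not found.
File\Folder C:\Documents and Settings\Administrator\Desktop\MSN SCRIPT HACK BY MAATT95\What You Install\Msn Hacker.plsc not found.
C:\Documents and Settings\Administrator\My Documents\My Received Files\Msn Blacklisted(1).plsc moved successfully.
C:\Documents and Settings\Administrator\My Documents\My Received Files\Msn Blacklisted.plsc moved successfully.
C:\Documents and Settings\Administrator\My Documents\My Received Files\mypiks.plsc moved successfully.
C:\Program Files\Messenger Plus! Live\Scripts\Avast 2.2 Protection Windows Live Messenger ©\huhu_ctrl.js moved successfully.
C:\Program Files\Messenger Plus! Live\Scripts\Controler 1.33\Controler 1.33.js moved successfully.
C:\Program Files\Messenger Plus! Live\Scripts\Pirates contacts\Pirater les contacts.js moved successfully.
C:\Qoobox\Quarantine\C\Program Files\Zwunzi\zwunzi.dll.vir moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Administrator\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Administrator\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
"""

# Result line shapes seen in the FILES section of the log above.
RESULT_PATTERNS = [
    (re.compile(r"^(.+?) moved successfully\.$"), "moved"),
    (re.compile(r"^(.+?) deleted successfully\.$"), "deleted"),
    (re.compile(r"^File\\Folder (.+?) not found\.$"), "not found"),
]


def parse_file_results(log):
    """Return {path: outcome} for the FILES section only (other sections are skipped)."""
    results = {}
    in_files = False
    for line in log.splitlines():
        if line.startswith("========== "):
            in_files = line.strip() == "========== FILES =========="
            continue
        if not in_files:
            continue
        for pattern, outcome in RESULT_PATTERNS:
            m = pattern.match(line)
            if m:
                results[m.group(1)] = outcome
                break
    return results


def reconcile(fix_paths, log):
    """Bucket every requested path by outcome; 'extra' holds log entries not in the fix."""
    results = parse_file_results(log)
    report = {"moved": [], "not found": [], "unreported": [], "extra": []}
    for path in fix_paths:
        report[results.get(path, "unreported")].append(path)
    report["extra"] = [p for p in results if p not in fix_paths]
    return report


if __name__ == "__main__":
    for outcome, paths in reconcile(FIX_PATHS, OTL_LOG).items():
        print(f"{outcome}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

An "unreported" path (requested, but neither moved nor flagged not found) is the case to chase, since it means the tool never reached that entry; for this log that bucket is empty, and the three "not found" results are explained by the folder having been deleted before the fix ran.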

#22 12rounds (Member, Topic Starter, 32 posts)
Ever since this backdoor thing, my comp's been going pretty slow, like I'd have to wait till the webpage loads for about 10 sec, then be able to click on something on it. And I don't think after that OTL it's been really resolved.

#23 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Hello,

Remove Program
If you don't use these programs then I suggest you remove them:
  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):
      • Google Toolbar for Internet Explorer
      • Ask Toolbar
      • blinkx Remote Toolbar
      • Browser Defender 2.0.6.15
      • Spyware Doctor 7.0

Please download JkDefrag by Jeroen Kessels
  • Unzip the program to a folder.
  • Reboot to release most of the files in use.
  • Double Click JkDefrag.exe to run the program.
Note: Everything is done automatically the moment you run JkDefrag.exe



Any change in how things are running?

#24 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.