Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

[SID 23621] system infected: tidserv activity detected


  • This topic is locked This topic is locked

#1
Applegreen

Applegreen

    New Member

  • Member
  • Pip
  • 4 posts
Dear Forum,

Last week I got a trojan virus detected when scanning with Symantec. Also there were loads of pop ups from Symantec advising about traffic from different IP's being blocked. Antivirus couldn't fix the problem but now it is like gone. Scanning with Symantec and Malwarebytes and nothing comes up.
BUT I am having the below syntoms since:

- Pop up with message message [SID 23621] system infected: tidserv activity detected few times, mainly when opening Explorer browser
- Windows Update is not working on my computer
- Explorer is running VERY slow and hungs up a lot

I've seen some topics handling this problem, but every solution was different and therefore I opened this new topic.

Thanks in advance for your time and any help with this issue.
Applegreen
  • 0

Advertisements


#2
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
:)


I've seen some topics handling this problem, but every solution was different and therefore I opened this new topic.

Correct call. Each computer is unique and therefore everyone should create a new topic for their issue. You should NEVER ever follow instructions laid out to another computer as that could cause more trouble.

Step 1.
DDS:

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Please attach the second file; Attach.txt. To attach a file, do the following:
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post


Step 2.
GMER:

Download GMER Rootkit Scanner from here or here.

  • Extract the contents of the zipped file to desktop.
  • Disable your onboard Anti Virus and any other Active protection programs you have installed. If you are unsure how to do this, see this link.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..

    Posted Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Please note:

If (and only if) there are problems using gmer as indicated above, run the scan with ONLY the Sections and C drive boxes ticked.

Posted Image
Click the image to enlarge it

  • Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click the gmer.exe file.
  • The program will begin to run, and perform an initial scan. If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No, then select ONLY the Sections and C drive boxes. Click on Scan and wait for it to finish.
  • Click on the Save button, and save the log file somewhere you can easily find it, such as your desktop, and attach it in reply


Step 3.
Things I would like to see in your reply:

  • The content of DDS.txt from step 1 pasted in
  • The file Attach.txt from step 1 attached.
  • The log from gmer in step 2 attached.

  • 0

#3
Applegreen

Applegreen

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Hi heir, first of all thanks a million for your quick reply and help. Here below are the things you were looking for.
Looking forward for your next instructions.
Applegreen

DDS.txt

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by User2 at 15:42:34.53 on 17/05/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2021.1420 [GMT 1:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
\\2k8server\profiles\User2\Desktop\dds.scr
C:\Program Files\UltraVNC\winvnc.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ie/
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://search.babylon.com/?babsrc=SP_ss&q={searchTerms}&mntrId=7e36849a000000000000002264b41c42&tlver=1.4.19.19&affID=17162
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: winmm.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2006-2-28 14336]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-12-23 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-12-23 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-12-23 1831024]
R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2011-2-8 1590216]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-9 105592]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-1-23 36608]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110516.040\NAVENG.SYS [2011-5-17 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110516.040\NAVEX15.SYS [2011-5-17 1393144]
R3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2010-10-20 11520]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2011-1-18 23888]
.
=============== Created Last 30 ================
.
2011-05-17 09:11:37 118784 ----a-w- c:\windows\system32\chg.exe
2011-05-13 11:11:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-13 11:11:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-13 11:11:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-12 13:01:41 -------- d-----w- c:\docume~1\user2\applic~1\SPE
2011-04-26 11:28:11 -------- d-----w- c:\windows\system32\NtmsData
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3500620AS rev.HP12 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A54D6F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a553a10]; MOV EAX, [0x8a553a8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A598AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006f[0x8A659DD8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A66D030]
\Driver\atapi[0x8A659530] -> IRP_MJ_CREATE -> 0x8A54D6F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5d; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A54D53B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 15:43:47.94 ===============

Attached Files


  • 0

#4
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Is this a workcomputer?
  • 0

#5
Applegreen

Applegreen

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
It is indeed
  • 0

#6
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
In that case you should contact your IT-department and have them handle this.

This is cause they might have set some settings on purpose that I might change. That wouldn't be good. I can't take that risk.

The computer has a nasty Rootkit-infection
The computer is also connected to a network. Please unplug it from the network immediately.
  • 0

#7
Applegreen

Applegreen

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
I understand your point heir. In fact I contacted them last week when I got the virus detected but no action was taken, that is why I decided to join the forum and look for help.
Thanks anyway for your time and help
  • 0

#8
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts

I understand your point heir. In fact I contacted them last week when I got the virus detected but no action was taken,

Let them know you been here and give them a link to this topic, it might help them solving the issue.
  • 0

#9
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP