[Active] Backdoor.tidserv blocking access to task manager and Internet connection

Discussion in 'Virus and Malware Removal' started by Aspinxtreem, Oct 5, 2010.

Thread Status:
Not open for further replies.
  1. Bobbye Helper on the Fringe

    Well you need to get rid of calling all these accounts 'admin'! And giving a second person the administrative privileges makes a malware writer very happy because then he has 2 Administrative accounts to infect. And the elevated privileges allow for access to more of the system.

    Get the accounts down to one Administrator and other as Guest. Check the information on this site for help: http://support.microsoft.com/kb/281140

    About Selective Startup and the msconfig utility:
    WLTRAY is the Dell Wireless WLAN Card Wireless Network Tray Applet.
    My computers are all Dell. I have a Service named WLAN keeper which I have set to Manual. I think you have confused the Services with the Startup entries. These are 2 different sets of processes that contribute to making the OS work.

    The only processes that have to be on Startup are: Antivirus program, third party firewall if using one, touchpad if on a laptop and network process if using something like Network Magic. All other processes can be unchecked. And you must stay in Selective Startup to retain the changes.

    I put my systems in Selective Startup about the second day I have the computer, and I stay that way. My desktop has been on it for 7 years!

    Whether you have the backdoor on the system now or not really isn't your issue- the issue is that the operating system is not set up correctly. It might be best to do a reformat/reinstall and let the accounts go back to where you can manage them correctly and where the Services are running on the Startup menu.

    I would also recommend that you get a basic reference book for Windows XP and see how the system should be set up.
  2. Aspinxtreem Newcomer, in training

    Hi Bobbye,

    Thank you for your help. I'm sorry for the delay - I have been out of town for work and didn't have my infected computer with me. Hopefully this information will help!!

    I got rid of all accounts except for one admin and one guest.

    When I referred to my list of services, I meant the list in services.msc. As you mentioned, I went to blackviper.com and set the services in services.msc to the suggested "Safe" mode for my operating system.

    I am staying in Selective Startup mode. Under "Startup", there are only three boxes checked, as you suggested.

    My system came with Windows XP already installed, so I don't have a Windows XP disc. Also, if I were to reinstall, that would delete all of my files, correct? I have many things I would like to get off my computer but don't want to backup if there is a chance the infection could sneak into the backed up files. Is there a way to avoid this?

    Lastly, after deleting the additional accounts, I reran some of the steps above. I will attach the reports below.

    Hope you had a great weekend. Thank you!!
  3. Aspinxtreem Newcomer, in training

    I ran a Malwarebytes scan. The log is below.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4826

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702

    11/7/2010 6:30:49 PM
    mbam-log-2010-11-07 (18-30-49).txt

    Scan type: Quick scan
    Objects scanned: 146964
    Time elapsed: 7 minute(s), 22 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\KOO9RV9K4Z (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\SMH2B46TDP (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Emily\Application Data\srsf.bat (Malware.Trace) -> Quarantined and deleted successfully.
  4. Aspinxtreem Newcomer, in training

    I also reran ComboFix. The log is below.

    ComboFix 10-11-07.07 - Emily 11/07/2010 19:50:56.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.509 [GMT -5:00]
    Running from: E:\ComboFix.exe
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Emily\GoToAssistDownloadHelper.exe
    c:\documents and settings\Emily\Local Settings\Application Data\{14C897A7-AE77-42F5-B0E2-F08D28D92FE1}
    c:\documents and settings\Emily\Local Settings\Application Data\{14C897A7-AE77-42F5-B0E2-F08D28D92FE1}\chrome.manifest
    c:\documents and settings\Emily\Local Settings\Application Data\{14C897A7-AE77-42F5-B0E2-F08D28D92FE1}\chrome\content\_cfg.js
    c:\documents and settings\Emily\Local Settings\Application Data\{14C897A7-AE77-42F5-B0E2-F08D28D92FE1}\chrome\content\overlay.xul
    c:\documents and settings\Emily\Local Settings\Application Data\{14C897A7-AE77-42F5-B0E2-F08D28D92FE1}\install.rdf

    .
    ((((((((((((((((((((((((( Files Created from 2010-10-08 to 2010-11-08 )))))))))))))))))))))))))))))))
    .

    2010-11-08 00:06 . 2010-11-08 00:06 14808 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
    2010-11-08 00:06 . 2010-11-08 00:06 718296 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
    2010-10-22 02:36 . 2010-10-22 02:36 -------- d-----w- c:\program files\Trend Micro
    2010-10-15 02:54 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-15 02:54 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-15 02:54 . 2010-10-15 02:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-10 15:57 . 2010-10-10 15:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2010-10-10 15:47 . 2010-10-10 15:47 -------- dc----w- C:\_OTM
    2010-10-10 02:28 . 2004-08-04 10:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
    2010-10-10 02:01 . 2010-10-10 02:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-10-10 00:36 . 2010-10-10 00:36 -------- d-----w- c:\program files\ESET
    2010-10-09 17:38 . 2010-10-09 17:38 -------- d-----w- c:\program files\Intel
    2010-10-09 17:35 . 2009-10-07 19:01 457 ----a-w- c:\windows\system32\vcredist_x86.bat
    2010-10-09 17:35 . 2009-10-07 19:01 2682880 ----a-w- c:\windows\system32\vcredist_x86.exe
    2010-10-09 17:35 . 2009-10-07 19:01 155648 ----a-w- c:\windows\system32\bcmwlapi.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-10-12_02.15.04 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2004-08-04 10:00 . 2010-10-09 17:38 68558 c:\windows\system32\perfc009.dat
    + 2004-08-04 10:00 . 2010-11-08 00:00 68558 c:\windows\system32\perfc009.dat
    + 2004-08-04 10:00 . 2010-11-08 00:00 435828 c:\windows\system32\perfh009.dat
    - 2004-08-04 10:00 . 2010-10-09 17:38 435828 c:\windows\system32\perfh009.dat
    + 2010-10-18 04:46 . 2009-10-07 19:01 2649216 c:\windows\system32\ReinstallBackups\0018\DriverFiles\BCMWL5.SYS
    - 2010-10-10 02:17 . 2009-10-07 19:01 2649216 c:\windows\system32\ReinstallBackups\0018\DriverFiles\BCMWL5.SYS
    + 2009-07-10 00:57 . 2010-10-15 13:05 35385288 c:\windows\system32\MRT.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Zinio DLM"="c:\program files\Zinio\ZinioReader.exe" [2009-07-21 2707526]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-10-07 2498560]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
    2010-04-11 03:38 524632 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    2005-09-09 05:18 57344 ----a-w- c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-02-27 22:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6]
    2009-01-08 12:36 2521464 ----a-w- c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boingo Wi-Fi]
    2010-10-06 04:57 2179 -c--a-w- c:\program files\Boingo\Boingo Wi-Fi\Boingo.lnk

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
    2009-10-07 19:01 2498560 ----a-w- c:\windows\system32\WLTRAY.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    2006-07-20 00:26 52896 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2004-08-04 10:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
    2005-09-08 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    2005-12-10 01:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
    2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2006-10-27 05:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-06-15 20:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
    2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2006-01-19 14:14 7401472 ----a-w- c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
    2006-01-19 14:14 73728 ----a-w- c:\windows\system32\nvhotkey.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2006-01-19 14:14 1519616 ----a-w- c:\windows\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2006-03-24 22:30 282624 ----a-w- c:\windows\stsystra.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-04-01 04:05 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    2006-09-28 01:33 125168 ----a-w- c:\progra~1\SYMANT~1\VPTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zinio DLM]
    2009-07-21 18:02 2707526 ----a-w- c:\program files\Zinio\ZinioReader.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "PlugPlay"=2 (0x2)
    "Netman"=2 (0x2)
    "CryptSvc"=2 (0x2)
    "AudioSrv"=2 (0x2)
    "aspnet_state"=3 (0x3)
    "AppMgmt"=3 (0x3)
    "Apple Mobile Device"=2 (0x2)
    "ALG"=3 (0x3)
    "ADVService"=2 (0x2)
    "AdobeActiveFileMonitor4.0"=2 (0x2)
    "ACDaemon"=3 (0x3)
    "xmlprov"=3 (0x3)
    "WZCSVC"=2 (0x2)
    "wuauserv"=2 (0x2)
    "wscsvc"=2 (0x2)
    "WmiApSrv"=3 (0x3)
    "Wmi"=3 (0x3)
    "WmdmPmSN"=3 (0x3)
    "wltrysvc"=2 (0x2)
    "winmgmt"=2 (0x2)
    "WebClient"=2 (0x2)
    "W32Time"=2 (0x2)
    "VSS"=3 (0x3)
    "UPS"=3 (0x3)
    "upnphost"=2 (0x2)
    "TlntSvr"=3 (0x3)
    "Themes"=2 (0x2)
    "TermService"=3 (0x3)
    "TapiSrv"=3 (0x3)
    "SysmonLog"=3 (0x3)
    "Symantec AntiVirus"=2 (0x2)
    "SwPrv"=3 (0x3)
    "stisvc"=3 (0x3)
    "SSDPSRV"=3 (0x3)
    "srservice"=2 (0x2)
    "Spooler"=2 (0x2)
    "SNDSrvc"=2 (0x2)
    "ShellHWDetection"=2 (0x2)
    "SharedAccess"=2 (0x2)
    "SENS"=2 (0x2)
    "seclogon"=2 (0x2)
    "Schedule"=2 (0x2)
    "SCardSvr"=3 (0x3)
    "SamSs"=2 (0x2)
    "RSVP"=3 (0x3)
    "RemoteRegistry"=2 (0x2)
    "RemoteAccess"=3 (0x3)
    "RDSessMgr"=3 (0x3)
    "RasMan"=3 (0x3)
    "RasAuto"=3 (0x3)
    "ProtectedStorage"=2 (0x2)
    "PolicyAgent"=2 (0x2)
    "odserv"=2 (0x2)
    "NtmsSvc"=3 (0x3)
    "NtLmSsp"=3 (0x3)
    "Nla"=2 (0x2)
    "Netlogon"=3 (0x3)
    "NetDDEdsdm"=3 (0x3)
    "NetDDE"=3 (0x3)
    "MSIServer"=2 (0x2)
    "mnmsrvc"=3 (0x3)
    "Messenger"=2 (0x2)
    "LmHosts"=2 (0x2)
    "lanmanworkstation"=2 (0x2)
    "lanmanserver"=2 (0x2)
    "helpsvc"=2 (0x2)
    "EventSystem"=3 (0x3)
    "Eventlog"=2 (0x2)
    "ERSvc"=2 (0x2)
    "Dnscache"=2 (0x2)
    "dmserver"=3 (0x3)
    "dmadmin"=3 (0x3)
    "Dhcp"=2 (0x2)
    "DefWatch"=2 (0x2)
    "COMSysApp"=3 (0x3)
    "ClipSrv"=3 (0x3)
    "ccSetMgr"=2 (0x2)
    "ccEvtMgr"=2 (0x2)
    "Browser"=2 (0x2)
    "BITS"=3 (0x3)
    "Alerter"=3 (0x3)
    "TrkWks"=2 (0x2)
    "SavRoam"=2 (0x2)
    "MSDTC"=3 (0x3)
    "HTTPFilter"=3 (0x3)
    "FastUserSwitchingCompatibility"=3 (0x3)
    "CiSvc"=3 (0x3)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Citrix\\Secure Access Client\\nsload.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/17/2009 2:13 AM 64160]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/1/2010 7:06 PM 102448]
    R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [3/18/2009 11:19 AM 73368]
    S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [12/18/2009 11:13 AM 20480]
    S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [12/18/2009 11:12 AM 174720]
    S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 2:43 PM 32408]
    S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1029456]
    S4 nsverctl;Citrix Secure Access Client Service;c:\program files\Citrix\Secure Access Client\nsverctl.exe [3/18/2009 11:19 AM 139264]
    S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - HIDSERV

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 03:38]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyServer =
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: amicillc.com\matters
    Trusted Zone: ontrackinview.com\connect
    Trusted Zone: xerox-xls.com\matters
    DPF: {3F777025-3835-4117-B9FA-5E5230669310} - hxxps://law.lexisnexis.com/resources/fyi/dataflight_fyi.cab
    FF - ProfilePath - c:\documents and settings\Emily\Application Data\Mozilla\Firefox\Profiles\hdb9te0t.default\
    FF - prefs.js: browser.startup.homepage - nyt.com
    FF - plugin: c:\documents and settings\Emily\Application Data\Facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Csaperiwedok - c:\windows\WMSvasri.dll



    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    Completion time: 2010-11-07 19:55:46
    ComboFix-quarantined-files.txt 2010-11-08 00:55
    ComboFix2.txt 2010-10-26 04:01
    ComboFix3.txt 2010-10-22 02:29
    ComboFix4.txt 2010-10-12 02:17

    Pre-Run: 26,167,693,312 bytes free
    Post-Run: 26,166,464,512 bytes free

    - - End Of File - - 7E165B8ADC23BF8620AC2347BAF13843
  5. Aspinxtreem Newcomer, in training

    And finally, my HiJackThis log.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 8:04:09 PM, on 11/7/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Zinio\ZinioReader.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioReader.exe /autostart
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://connect.ontrackinview.com
    O16 - DPF: {3F777025-3835-4117-B9FA-5E5230669310} (Dataflight FYI Reviewer Control) - https://law.lexisnexis.com/resources/fyi/dataflight_fyi.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {971127BB-259F-48C2-BD75-5F97A3331551} (Microsoft RDP Client Control (redist)) - http://connect.ontrackinview.com/msrdp.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: DW WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 4835 bytes
  6. Bobbye Helper on the Fringe

    I am trying to figure out why all the Services show like this:
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "PlugPlay"=2 (0x2)
    "Netman"=2 (0x2)
    "CryptSvc"=2 (0x2)
    "AudioSrv"=2 (0x2)
    "aspnet_state"=3 (0x3)
    "AppMgmt"=3 (0x3)
    and so on with all the other services. These are what you see with the run services.msc. They just shouldn't be broken out like this from the Registry. I'm asking someone else to look at it- again!

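The registry block the helper is puzzling over has a regular shape: one value per service, with a decimal Windows start type and its hex twin. The parser below is an added example, not part of the thread or of ComboFix; it decodes that block using the standard start-type codes (2 = Automatic, 3 = Manual, 4 = Disabled) and works on the assumption, which is mine and not stated in the thread, that msconfig records a service's previous start type under that key when the service is unchecked in Selective Startup. The sample log is constructed from a few lines of the log posted above.

```python
"""Decode the [...\\shared tools\\msconfig\\services] block of a ComboFix log.

Each value is "<service>"=<start> (0x<start>), where <start> is a Windows
service start type: 2 = SERVICE_AUTO_START (Automatic), 3 = SERVICE_DEMAND_START
(Manual), 4 = SERVICE_DISABLED.  Assumption (not from the thread): msconfig
stores a service's previous start type here when it is unchecked in Selective
Startup, so the block is a list of services msconfig has switched off and what
they would be restored to.
"""
import re
from collections import Counter

START_TYPES = {2: "Automatic", 3: "Manual", 4: "Disabled"}

SERVICES_KEY = r"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<dec>\d+) \(0x(?P<hex>[0-9A-Fa-f]+)\)$')

# Constructed sample: a few lines copied from the log in this thread, with the
# neighbouring sections kept so the parser has to locate the right block.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\Zinio DLM]
2009-07-21 18:02 2707526 ----a-w- c:\\program files\\Zinio\\ZinioReader.exe

[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\services]
"PlugPlay"=2 (0x2)
"Netman"=2 (0x2)
"CryptSvc"=2 (0x2)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\AuthorizedApplications\\List]
"%windir%\\\\system32\\\\sessmgr.exe"=
"""


def parse_msconfig_services(log_text):
    """Return {service_name: start_type} for the msconfig\\services block only."""
    result = {}
    in_block = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Any registry key header starts a new section; only ours is parsed.
            in_block = line == SERVICES_KEY
            continue
        if not in_block or not line:
            continue
        m = VALUE_RE.match(line)
        if m is None:
            raise ValueError(f"unexpected line in services block: {line!r}")
        dec, hx = int(m.group("dec")), int(m.group("hex"), 16)
        if dec != hx:
            # ComboFix prints the value twice; a mismatch means a mangled log.
            raise ValueError(f"decimal/hex mismatch for {m.group('name')}: {line!r}")
        result[m.group("name")] = dec
    return result


def describe(services):
    """Map each service to the human-readable start type it would be restored to."""
    return {name: START_TYPES.get(code, f"unknown({code})") for name, code in services.items()}


def summarize(services):
    """Count how many services fall under each start type."""
    return Counter(describe(services).values())


if __name__ == "__main__":
    parsed = parse_msconfig_services(SAMPLE_LOG)
    for name, kind in sorted(describe(parsed).items()):
        print(f"{name:<16} {kind}")
    print(dict(summarize(parsed)))
```

Run against a full log, the summary tells you at a glance how many services Selective Startup has unchecked, which is the first thing to compare with what services.msc shows after a reboot.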
  7. Aspinxtreem Newcomer, in training

    Thank you!!
  8. Bobbye Helper on the Fringe

    Okay- we put our heads together and decided that there is nothing 'wrong' with the Services showing this way, as long as they are all legit, which they are!!

    These would be work-related?
    Trusted Zone: amicillc.com\matters
    Trusted Zone: ontrackinview.com\connect
    Trusted Zone: xerox-xls.com\matters

    It always concerns me when there are sites in the Trusted Zone. None 'need' to be there and unless there is an intranet established, security is lower there and it can be a risk.

    Only one entry to remove in HJT:
    Please reopen HijackThis to 'do system scan only.' Please check each of the following, if present:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =

    Close HJT and click on "Fix Checked."
    ===================================================
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      • Choose Disc Cleanup
      • Click "OK" to select the partition or drive you want.
      • Click the "More Options" Tab.
      • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Let me know if you have any more questions. To help stay safe:
    Tips for added security and safer browsing:
    1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
      This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
    2. Have layered Security:
      • Antivirus Software (only one): Both of the following programs are free and known to be good:
        [o]Avira Free
        [o]Avast Home
      • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
        [o]Comodo
        [o]Zone Alarm
      • Antispyware: I recommend all of the following:
        [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      [o]Download ZonedOut and save to your desktop. This replaces IE/Spyad and manages the Zones in Internet Explorer. This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
      For IE7 and IE8, Windows 2000 thru Vista. No Windows 7 yet.
      IE/Spyad is no longer being supported. If you have this on your system, you should replace it with the following program. Make sure your IE8 is up-to-date before adding sites to your restricted zone.
      Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites - ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroy's Immunization the problem goes away...
      [o]MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
      [o]Google Toolbar: Get the free Google toolbar to help stop pop-up windows.
    3. Stay current on updates:
      [o]Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates.
      [o]Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
      [o]Check this site: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    4. Reset Cookies to prevent Tracking Cookies:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
    5. Do regular Maintenance
      Remove Temporary Internet Files regularly:
      [o]ATF Cleaner by Atribune
      OR
      [o]TFC
      Disable and Enable System Restore:
      [o]See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    6. Practice Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
  9. Aspinxtreem Newcomer, in training

    Yes, these are all work-related sites.

    That entry was present and I fixed it with HJT.

    This is all set.


    Lastly, I'm sorry this is such a pain... I am still unable to access the internet. Because I am not able to get online, I still have to download the files you suggested from a working computer and onto a thumb drive. My infected computer wasn't recognizing my thumb drive, so I opened "services.msc" to see if anything was disabled. Unfortunately, all but a few services were again disabled. It is completely random.

    I followed this guide to set the services settings yesterday - to "Safe" mode:
    http://www.blackviper.com/WinXPx64/servicecfg.htm

    All of the services are set to disabled upon reboot except:
    -DCOM Service Process (set to automatic and started)
    -IMAPI CD Burning (set to manual)
    -InstallDriver Table (set to manual)
    -Net.Tcp Port Sharing (set to automatic and started)
    -Remote Procedure Call (set to automatic and started)
    -Remote Procedure Call Locator (set to manual)
    -Windows User Mode Driver Framework (set to automatic and started)
  10. Bobbye Helper on the Fringe

    I need for you to try something please- none of the Services you said are running are included in the Registry list of Services I was concerned about.

    Please set a System Restore point. Name it service test> then do the following:

    I want you to deliberately set these Services to either Automatic or Manual- it doesn't matter, then reboot the computer. If they have gotten disabled again, then I know how to fix them.

    Alerter
    AudioSrv
    HTTPFilter
    EventSystem
    PlugPlay
    Spooler


    If you need help setting the System Restore: Click on All Programs> Accessories> System Tools> System Restore> Check Create a new restore point> next> name it services test> next> let it set.