[Closed] Tidserv activity infection

Status
Not open for further replies.
I

Interloper

Posts: 28   +0
Good Evening,

I am helping my friend clean his computer. Norton is running and updating and providing warnings for Tidserv and Tidserv Activity 2. For 12 hours the system would only start in safe mode, but recently started in normal mode albeit slowly.

Specs:
win xp pro, sp3, pentium 4, 3 gig ram

Here are the logs:


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8002

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/22/2011 5:10:51 PM
mbam-log-2011-10-22 (17-10-51).txt

Scan type: Quick scan
Objects scanned: 232200
Time elapsed: 4 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\program files\relevantknowledge (Spyware.MarketScore) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\relevantknowledge (Spyware.MarketScore) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500 (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\Virginia\application data\Adobe\plugs\kb10985625.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Virginia\application data\Adobe\plugs\kb10985640.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Virginia\application data\Adobe\plugs\kb10985734.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Virginia\application data\Adobe\plugs\kb10986984.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Virginia\application data\Adobe\plugs\kb10987015.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\relevantknowledge\rloci.bin (Spyware.MarketScore) -> Quarantined and deleted successfully.
c:\program files\relevantknowledge\rlservice.exe (Spyware.MarketScore) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\relevantknowledge\about relevantknowledge.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\relevantknowledge\privacy policy and user license agreement.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\relevantknowledge\Support.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\aliases.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\control.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\Desktop.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\full.txt (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\fullname.txt (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\instsrv.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\mirc.ico (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\mirc.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\popups.txt (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\remote.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\servers.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\users.ini (Backdoor.Bot) -> Quarantined and deleted successfully.





GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-10-22 17:19:11
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e WDC_WD7500AAKS-00RBA0 rev.30.04G30
Running: 42ekyy6v.exe; Driver: C:\DOCUME~1\admin\LOCALS~1\Temp\uftdqpob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip nnrnstdi.SYS (NNRNSTDI helper driver/The Nielsen Company)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp nnrnstdi.SYS (NNRNSTDI helper driver/The Nielsen Company)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp nnrnstdi.SYS (NNRNSTDI helper driver/The Nielsen Company)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp nnrnstdi.SYS (NNRNSTDI helper driver/The Nielsen Company)

---- EOF - GMER 1.0.15 ----




.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by admin at 17:22:45 on 2011-10-22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2299 [GMT -7:00]
.
AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
mSearchAssistant =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\5.1.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\5.1.0.29\ips\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\5.1.0.29\coIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\admin\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\npjpi160_03.dll
LSP: mswsock.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 68.87.76.182 68.87.78.134
TCP: Interfaces\{C38CB511-45A7-4ED1-9786-644068C85E21} : DhcpNameServer = 68.87.76.182 68.87.78.134
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0501000.01d\symds.sys [2011-7-12 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0501000.01d\symefa.sys [2011-7-12 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20111014.001\BHDrvx86.sys [2011-10-14 818808]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-12-11 214664]
R1 nnrnstdi;nnrnstdi;c:\windows\system32\drivers\nnrnstdi.sys [2007-11-26 14336]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0501000.01d\ironx86.sys [2011-7-12 136312]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\5.1.0.29\ccsvchst.exe [2011-7-12 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-27 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20111021.030\IDSXpx86.sys [2011-10-22 356280]
R3 km_filter;km_filter;c:\windows\system32\drivers\km_filter.sys [2007-11-26 8832]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20111021.034\NAVENG.SYS [2011-10-22 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20111021.034\NAVEX15.SYS [2011-10-22 1576312]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2005-11-24 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2005-11-24 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2005-11-24 39552]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2005-11-24 60416]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-12-11 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-12-11 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-12-11 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-12-11 40552]
.
=============== Created Last 30 ================
.
2011-10-23 00:01:21 -------- d-----w- c:\documents and settings\admin\application data\Malwarebytes
2011-10-23 00:01:14 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-10-23 00:01:11 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-23 00:01:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-22 23:44:26 -------- d-----w- c:\documents and settings\admin\local settings\application data\IsolatedStorage
2011-10-22 23:43:59 -------- d-----w- c:\documents and settings\admin\local settings\application data\HP
2011-10-22 23:37:40 -------- d-----w- c:\documents and settings\admin\local settings\application data\Google
2011-10-22 23:37:13 -------- d-----w- c:\documents and settings\admin\local settings\application data\Deployment
2011-10-22 23:35:54 -------- d-sh--w- c:\documents and settings\admin\PrivacIE
2011-10-22 02:23:01 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-10-22 02:17:05 17234 ----a-w- C:\cc_20111021_191654.reg
2011-10-15 00:15:06 -------- d-----w- c:\program files\VideoLAN
2011-10-12 02:04:08 -------- d-----w- c:\program files\uTorrent
2011-09-24 22:23:38 138906 ----a-w- C:\cc_20110924_152330.reg
2011-09-24 22:19:45 -------- d-----w- c:\program files\CCleaner
.
==================== Find3M ====================
.
2011-09-26 18:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
2011-08-21 06:06:18 1409 ----a-w- c:\windows\QTFont.for
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2006-10-03 00:28:43 19666504 -c--a-w- c:\program files\QuickTimeInstaller.exe
.
============= FINISH: 17:24:06.15 ===============




.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/24/2005 1:14:39 PM
System Uptime: 10/22/2011 5:12:32 PM (0 hours ago)
.
Motherboard: Intel Corporation | | D915GAV
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | J2E1 | 3200/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 699 GiB total, 456.437 GiB free.
D: is FIXED (NTFS) - 298 GiB total, 290.46 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
.
µTorrent
3ivx MPEG-4 5.0.3 (remove only)
Adobe Acrobat 5.0
Adobe After Effects 6.5
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Audition 1.5
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Device Central CS3
Adobe Encore DVD 1.5
Adobe ExtendScript Toolkit 2
Adobe Flash CS3
Adobe Flash CS3 Professional
Adobe Flash Player 10 ActiveX
Adobe Flash Player 9 Plugin
Adobe Flash Video Encoder
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS
Adobe Premiere Pro 1.5
Adobe Reader 9.4.6
Adobe Setup
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI HydraVision
Bonjour
Brother MFL Pro Suite
BufferChm
CA Nonprofit Forms
Canon Camera Access Library
Canon Digital Camera Solution Disk 40-46 Software Starter Guide
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MOV Decoder
Canon MOV Encoder
Canon MovieEdit Task for ZoomBrowser EX
Canon Personal Printing Guide
Canon ScanGear Starter
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CCleaner
Compatibility Pack for the 2007 Office system
CP_AtenaShokunin1Config
CP_CalendarTemplates1
CP_Package_Basic1
CP_Panorama1Config
Creative Memories Memory Manager 2
Creative Memories StoryBook Creator Plus
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Destinations
DeviceFunctionQFolder
DeviceManagementQFolder
Digital Video
DocProc
DocumentViewer
DocumentViewerQFolder
Drive Manager
eSupportQFolder
Evolve Reach RN Studyware
EZ Calendar (remove only)
ffvfw (uninstall only)
FlipShare
FullDPAppQFolder
Google Chrome
GoToAssist Corporate
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
hp deskjet 990c series
hp deskjet 990c series (Remove only)
HP Document Viewer 5.3
HP Image Zone 5.3
HP Imaging Device Functions 5.3
HP Scanjet 4800 series
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
hpg4850
hpg4850QFolder
HPProductAssistant
InstallIQ Updater
InstantShareDevices
Intel(R) PRO Network Adapters and Drivers
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1
Live 6.0.10
Macromedia Dreamweaver MX
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Fireworks MX 2004
Macromedia Flash MX 2004
Macromedia FreeHand MXa
Macromedia HomeSite+
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.19)
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
muvee Plugin 1.0
Nero 7 Ultra Edition
Norton Security Suite
OGA Notifier 2.0.0048.0
PanoStandAlone
PaperPort 6.5
PDF Settings
PhotoGallery
Picasa 3
Quicken 2004
QuickTime
RandMap
RealPlayer
Realtek High Definition Audio Driver
Scan
ScannerCopy
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Encoder (KB2447961)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Encoder (KB979332)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SkinsHP1
SolutionCenter
Sonic_PrimoSDK
TopStyle Lite (Version 3.0)
Total Commander (Remove or Repair)
Ulead Photo Express 5 SE
Ulead SmartSaver 3.0 Full Version
Ulead VideoStudio 8.0 SE DVD
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VLC media player 1.1.10
WebFldrs XP
WebReg
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinZip
XMLinst
XVID Codec Installation
.
==== Event Viewer Messages From Past Week ========
.
10/22/2011 9:47:37 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
10/22/2011 9:47:30 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx86 eeCtrl Fips IntelIde intelppm IPSec mfehidk MRxSmb NetBIOS NetBT ohci1394 RasAcd Rdbss SRTSPX SymIRON SYMTDI Tcpip
10/22/2011 9:47:30 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
10/22/2011 9:47:30 AM, error: Service Control Manager [7001] - The Messenger service depends on the NetBIOS Interface service which failed to start because of the following error: A device attached to the system is not functioning.
10/22/2011 9:47:30 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/22/2011 9:47:30 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/22/2011 9:47:30 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
10/22/2011 9:47:30 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/22/2011 9:47:30 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/22/2011 4:41:39 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
10/22/2011 4:37:41 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
10/22/2011 11:41:20 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
10/21/2011 8:07:58 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
10/21/2011 7:16:53 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BHDrvx86 eeCtrl Fips IntelIde intelppm mfehidk ohci1394 SRTSPX SymIRON SYMTDI
10/21/2011 7:15:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/19/2011 12:15:14 PM, error: Service Control Manager [7016] - The BrSplService service has reported an invalid current state 0.
10/19/2011 1:05:15 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
10/19/2011 1:05:03 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'serial.sys' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
10/17/2011 2:20:20 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the FlipShare Service service.
10/17/2011 12:14:05 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 0013208D3CEF has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
10/15/2011 1:03:22 PM, error: Service Control Manager [7024] - The Messenger service terminated with service-specific error 2270 (0x8DE).
.
==== End Of File ===========================
 
Welcome to TechSpot! I'll help you help your friend, but will make a suggestion first: Did you consider having your friend register on TechSpot and get firsthand help? Both the registration and the help are free!

If you choose not to do that, take heed that I ask questions and if the computer isn't in your hands, we will be going back and forth.
=================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process..
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
=====================================
To begin with, your description of "providing warnings for Tidserv and Tidserv Activity 2" may be this:
original


original


Notice the wording at the top of the alert is slightly different. Both say "No action Required" and both have the option to "Stop notifying me" and both refer to the HTTPS tidserv Request. This is something that has upset many Norton users.

Do either of these look familiar?
==============================
What concerns me more is the number of Backdoor.Bot in the Recycler. When a file is sent to the Recycle Bin and then deleted, it's actually still in the system. The deletions go to the Recycler, which is a protected system folder. So even though Mbam says 'quarantined' those files have a special way they have to be removed- and it doesn't always work.
--------------
Please read through this. There is no way to know how long this was active in the system, whether the system has been compromised and whether it may still be on the system!
What is a Backdoor.bot?
This is a piece of malware that has worm, downloader, backdoor, keylogger and spy ability. It may arrive on a system after being exploited by a copy of the worm, residing on an infected machine in the network. After execution, the malware will inject a piece of code in kernel mode (by gaining access to \Device\PhysicalMemory). It will make a copy of itself inside c:\windows\fonts\unwise_.exe (hidden), execute it and continue execution there. The original file it will then be deleted. The worm will register itself as a service under the name: Windows Hosts Controller, and setting the information to "Enables Windows Host Controller Service. This service cannot be stopped." discouraging users from deleting it.
- The worm has the ability to spread via:
o USB drives; when it detects a new drive, it will make a fresh copy of itself, on the USB drive in the following directory:
Recycler\S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx\file-name.exe. It will also create an autorun.inf file that will point to the new copy.
Click to expand...
And yes- it makes Registry changes to the firewall, the Security Center. It can do or cause:
  1. Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute Denial-of-service attacks)
  2. Data theft (e.g. retrieving passwords or credit card information)
  3. Installation of software, including third-party malware
  4. Downloading or uploading of files on the user's computer
  5. Modification or deletion of files
  6. Keystroke logging
  7. Watching the user's screen
  8. Wasting the computer's storage space
  9. Crashing the computer

Being advised of this, would you rather consider a reformat/reinstall instead of an attempt to clean which may not find or remove all if it's code?
==============================
This system is not in very good shape
There are 7 outdated versions of Java on the system. All of them are vulnerabilities to the system. The best way to handle that is to run the following: Note: I do not want this log!

Please download JavaRa and unzip it to your desktop.

Important!***Please close any instances of Internet Explorer before continuing!***
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.Note: Do not leave this log.
Download and install then most current version and update of Java RuntimeEnvironment (JRE)HERE.
Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
=======================================
The Java cache has to be emptied:
To clear the Java Plug-in cache:

  • [1]. Click Start > Control Panel.
    [2]. Double-click the Java icon in the control panel.
    java.png
    The Java Control Panel appears.
    plugin_cache1.jpg

    [3].Click Settings under Temporary Internet Files.The Temporary Files Settings dialog box appears.
    plugin_cache2.jpg

    [4] Click Delete Files.The Delete Temporary Files dialog box appears.
    plugin_cache3.jpg

    [5]. Click OK on Delete Temporary Files window.
    Note: This deletes all the Downloaded Applications and Applets from the cache.
    [6]. Click Apply> OK on Temporary Files Settings window.
Images courtesy java.com
======================================
McAfee Security is on the system and should be removed: It's okay to change the AV and FW, but the previous one has to be Uninstall: McAfee Removal
======================================
 
Heya,

Thanks for the quick reply. I am here with my laptop and the afflicted desktop next to me so I can do any operations we need on the computer.

The messages you provided aren't familiar. I have included a pic of the message that norton displays. Although this notice pops up, the norton 'control center' says the system is secure. I attempted a preliminary cleaning yesterday using trendmicro online scanner, ccleaner, FixTDSS, GMER. Norton still displays its message and the system is quite slow. The system is unstable right now but is at least booting in normal mode.

Is a clean install of a newer operating system a more efficient solution? I would prefer to avoid this to minimize data loss during migration.

Thanks for your time,
Matt
 
Oops couldn't post the image there. Anyways, it is a systray popup saying "Threat requiring manual removal detected: System infected: Tidserv Activity 2"
 
Please remove FixTDSS. Don't run any other scans unless I direct you to do so.

  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double click on TDSSKiller.exe. to run the scan
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result.
  • A reboot is required after disinfection.
===============================================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HEREhttp://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • .Click on Yes, to continue scanning for malware
  • .If Combofix asks you to update the program, allow
  • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • .Close any open browsers.
  • .Double click combofix.exe
    cf-icon.jpg
    & follow the prompts to run.
  • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
====================================
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the
    esetSmartInstallDesktopIcon.png
    on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
    esetonlinescannersettings_thumb.jpg
  • Uncheck 'Remove found threats'
  • Check 'Scan archives/
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
 
Heya Bobbye,

I was able to complete each step outlined above. The log from Combofix is below. The Eset scan didn't get any hits and no log was produced. What's next?
-Matt



ComboFix 11-10-25.04 - admin 10/25/2011 13:42:38.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2599 [GMT -7:00]
Running from: c:\documents and settings\admin\My Documents\Downloads\ComboFix.exe
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\documents and settings\Karen\Application Data\PriceGong
c:\documents and settings\Karen\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Karen\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Karen\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Karen\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Karen\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Karen\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Karen\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Karen\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Karen\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Karen\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Karen\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Karen\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Karen\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Karen\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Karen\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Karen\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Karen\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Karen\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Karen\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Karen\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Karen\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Karen\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Karen\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Karen\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Karen\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Karen\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Karen\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Karen\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Steve\Application Data\PriceGong
c:\documents and settings\Steve\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Steve\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Steve\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Steve\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Steve\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Steve\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Steve\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Steve\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Steve\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Steve\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Steve\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Steve\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Steve\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Steve\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Steve\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Steve\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Steve\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Steve\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Steve\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Steve\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Steve\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Steve\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Steve\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Steve\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Steve\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Steve\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Steve\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Steve\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Steve\WINDOWS
c:\documents and settings\Virginia\g2mdlhlpx.exe
c:\documents and settings\Virginia\GoToAssistDownloadHelper.exe
c:\documents and settings\Virginia\timeseal.exe
c:\documents and settings\Virginia\WINDOWS
c:\windows\$NtUninstallKB25808$
c:\windows\$NtUninstallKB25808$\1342122799\@
c:\windows\$NtUninstallKB25808$\1342122799\bckfg.tmp
c:\windows\$NtUninstallKB25808$\1342122799\cfg.ini
c:\windows\$NtUninstallKB25808$\1342122799\Desktop.ini
c:\windows\$NtUninstallKB25808$\1342122799\keywords
c:\windows\$NtUninstallKB25808$\1342122799\kwrd.dll
c:\windows\$NtUninstallKB25808$\1342122799\L\bogeilhu
c:\windows\$NtUninstallKB25808$\1342122799\U\00000001.@
c:\windows\$NtUninstallKB25808$\1342122799\U\00000002.@
c:\windows\$NtUninstallKB25808$\1342122799\U\00000004.@
c:\windows\$NtUninstallKB25808$\1342122799\U\80000000.@
c:\windows\$NtUninstallKB25808$\1342122799\U\80000004.@
c:\windows\$NtUninstallKB25808$\1342122799\U\80000032.@
c:\windows\$NtUninstallKB25808$\1458569901
c:\windows\help\tours\htmltour\unlock_playing.htm
c:\windows\isRS-000.tmp
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\system32\d3d9caps.dat
.
.
((((((((((((((((((((((((( Files Created from 2011-09-25 to 2011-10-25 )))))))))))))))))))))))))))))))
.
.
2011-10-25 20:01 . 2011-10-25 20:01 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-10-25 20:01 . 2011-10-25 20:01 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-23 00:01 . 2011-10-23 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-23 00:01 . 2011-10-23 00:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-23 00:01 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-22 23:32 . 2011-10-22 23:35 -------- d-----w- c:\documents and settings\admin
2011-10-22 02:23 . 2011-06-21 04:09 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-10-22 02:17 . 2011-10-22 02:17 17234 ----a-w- C:\cc_20111021_191654.reg
2011-10-19 19:38 . 2011-10-19 19:38 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-10-15 00:15 . 2011-10-15 00:15 -------- d-----w- c:\program files\VideoLAN
2011-10-12 02:04 . 2011-10-12 02:04 -------- d-----w- c:\program files\uTorrent
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-25 20:23 . 2004-08-04 12:00 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-10-25 20:01 . 2007-06-13 18:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-26 18:41 . 2008-07-30 02:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-24 22:23 . 2011-09-24 22:23 138906 ----a-w- C:\cc_20110924_152330.reg
2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-21 06:06 . 2011-08-21 06:06 1409 ----a-w- c:\windows\QTFont.for
2011-08-17 13:49 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2006-10-03 00:28 . 2006-10-03 00:28 19666504 -c--a-w- c:\program files\QuickTimeInstaller.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-10 196608]
"RTHDCPL"="RTHDCPL.EXE" [2005-05-05 14396416]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-11-25 106560]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-06-30 19:17 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^reminder-ScanSoft Product Registration.lnk]
path=c:\documents and settings\Steve\Start Menu\Programs\Startup\reminder-ScanSoft Product Registration.lnk
backup=c:\windows\pss\reminder-ScanSoft Product Registration.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-09-24 22:12 136176 ----atw- c:\documents and settings\Virginia\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-02-01 07:13 385024 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\symds.sys [7/12/2011 11:04 AM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\symefa.sys [7/12/2011 11:04 AM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20111014.001\BHDrvx86.sys [10/14/2011 4:10 PM 818808]
R1 nnrnstdi;nnrnstdi;c:\windows\system32\drivers\nnrnstdi.sys [11/26/2007 4:49 PM 14336]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\ironx86.sys [7/12/2011 11:04 AM 136312]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\5.1.0.29\ccsvchst.exe [7/12/2011 11:03 AM 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/27/2011 7:19 PM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20111022.030\IDSXpx86.sys [10/25/2011 12:38 PM 356280]
R3 km_filter;km_filter;c:\windows\system32\drivers\km_filter.sys [11/26/2007 4:49 PM 8832]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [11/24/2005 2:17 PM 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [11/24/2005 2:18 PM 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [11/24/2005 2:17 PM 39552]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [11/24/2005 2:17 PM 60416]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
.
2011-10-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3725260815-963639892-2888137882-1006Core.job
- c:\documents and settings\Virginia\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-24 22:12]
.
2011-10-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3725260815-963639892-2888137882-1006UA.job
- c:\documents and settings\Virginia\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-24 22:12]
.
2011-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3725260815-963639892-2888137882-1014Core.job
- c:\documents and settings\admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-22 23:37]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 68.87.76.182 68.87.78.134
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-36733702.sys
SafeBoot-MCODS
MSConfigStartUp-Weather - c:\program files\AWS\WeatherBug\Weather.exe
AddRemove-PaperPort 6.5 - c:\drivers\brothers 4800 drivers\Config\DeIsL1.isu
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-25 14:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:51,3b,4c,86,24,05,fb,9c,c7,04,c6,8f,c3,e9,c5,d9,9f,2e,48,53,39,
39,2b,35,00,69,e7,c2,f3,d0,66,4c,a0,78,03,51,6a,b3,a9,10,08,00,7e,13,11,f0,\
.
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:51,3b,4c,86,24,05,fb,9c,c7,04,c6,8f,c3,e9,c5,d9,9f,2e,48,53,39,
39,2b,35,00,69,e7,c2,f3,d0,66,4c,a0,78,03,51,6a,b3,a9,10,08,00,7e,13,11,f0,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(2924)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Pure Digital Technologies\FlipShare\FlipShareService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\RTHDCPL.EXE
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2011-10-25 14:14:37 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-25 21:14
.
Pre-Run: 489,807,851,520 bytes free
Post-Run: 490,291,630,080 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - BE9BA8004A4CDD696A34B65797AAAE4F
 
Lots of unnecessary processes on the startup menu! They will need to be unchecked later. Good to hear Eset was clean.

If I had a penny for every PriceGong removal I see in Combofix, I would be on a cruise somewhere! Stay away from anything that sounds too good- because it isn't.

I'm shutting down now, but will set up some script for you to run through Combofix in the morning. Plan on one of the removals being "c:\\Program Files\\uTorrent.
============================
Let's check this out:
Download CKScanner and save to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • When the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
 
Bonjour,

CKScanner says:

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\virginia\desktop\joes music\kanye west complete discography (itunes edition) [theleak]\live album\late orchestration - live at abbey road (2006)\03 crack music (feat. game).m4a
c:\documents and settings\virginia\desktop\joes music\kanye west complete discography (itunes edition) [theleak]\studio albums\late registration (2005)\08 crack music (feat. game).m4a
c:\documents and settings\virginia\my documents\ableton\presets\audio effects\vinyl distortion\crack.adv
c:\documents and settings\virginia\my documents\my buisness\ginger\pesticides\crack grass.doc
c:\software\adobe photoshop cs\crack.zip
c:\transfer data\ginger\ginger\pesticides\crack grass.doc
scanner sequence 3.FN.11.HWAPUJ
----- EOF -----
 
Your friend has pirated several programs. One of them, Adobe Photoshop CS3 has a cost in the $600 range.

Music for iTunes from the Kanye West Complete Discography has also been pirated.
I can't identify the "pesticide crack doc, but it's interesting to note that is appears as a download to Virginia's account with a subsequest 'transfer' to 'ginger's account.
======================================
Please note: To continue support, the pirated downloads must be removed. You can run the script below, then run the CK scan again:
======================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.
Code: 
File::
C:\cc_20111021_191654.reg
C:\cc_20110924_152330.reg
DDS::
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Folder::
c:\program files\uTorrent
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
RegLock:
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:51,3b,4c,86,24,05,fb,9c,c7,04,c6,8f,c3,e9,c5,d9,9f,2e,48,53,3 9,
39,2b,35,00,69,e7,c2,f3,d0,66,4c,a0,78,03,51,6a,b3,a9,10,08,00,7e,13,11,f0, \
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:51,3b,4c,86,24,05,fb,9c,c7,04,c6,8f,c3,e9,c5,d9,9f,2e,48,53,3 9,
39,2b,35,00,69,e7,c2,f3,d0,66,4c,a0,78,03,51,6a,b3,a9,10,08,00,7e,13,11,f0, \
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
 
Thanks for your help Bobbye. I'm not comfortable removing programs from someone else's system so I will pass on this last set of instructions. Has the primary issue been addressed? It is faster and more stable already.

-Matt
 
Norton is running and updating and providing warnings for Tidserv and Tidserv Activity 2. For 12 hours the system would only start in safe mode, but recently started in normal mode albeit slowly.
Click to expand...

Has the primary issue been addressed?
Click to expand...

Matt, the primary issue was addressed. I don't know if it was resolved. But I do not support piracy.

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
-----
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    [*]Choose Disc Cleanup
    [*]Click "OK" to select the partition or drive you want.
    [*]Click the "More Options" Tab.
    [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
 
Status
Not open for further replies.

Similar threads

uber_beetle
Infected with fake ad pop-ups - posting FRST and Addition
Replies
12
Views
786
uber_beetle
uber_beetle
A
Microsoft breaks users' PCs again with latest Windows 11 update
Replies
19
Views
380
trparky
T
A
Infected: Antivirus says it's Trojan:Script/Wacatac.H!ml
Replies
12
Views
2K
adidaman27
A

Latest posts

Back