TechSpot

[Closed] Tidserv activity infection

By Interloper
Oct 22, 2011
    Good Evening,

    I am helping my friend clean his computer. Norton is running and updating and providing warnings for Tidserv and Tidserv Activity 2. For 12 hours the system would only start in safe mode, but recently started in normal mode albeit slowly.

    Specs:
    Win XP Pro SP3, Pentium 4, 3 GB RAM

    Here are the logs:


    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8002

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    10/22/2011 5:10:51 PM
    mbam-log-2011-10-22 (17-10-51).txt

    Scan type: Quick scan
    Objects scanned: 232200
    Time elapsed: 4 minute(s), 23 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 3
    Files Infected: 23

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    c:\program files\relevantknowledge (Spyware.MarketScore) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\start menu\Programs\relevantknowledge (Spyware.MarketScore) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500 (Backdoor.Bot) -> Quarantined and deleted successfully.

    Files Infected:
    c:\documents and settings\Virginia\application data\Adobe\plugs\kb10985625.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\Virginia\application data\Adobe\plugs\kb10985640.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\Virginia\application data\Adobe\plugs\kb10985734.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\Virginia\application data\Adobe\plugs\kb10986984.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\Virginia\application data\Adobe\plugs\kb10987015.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\program files\relevantknowledge\rloci.bin (Spyware.MarketScore) -> Quarantined and deleted successfully.
    c:\program files\relevantknowledge\rlservice.exe (Spyware.MarketScore) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\start menu\Programs\relevantknowledge\about relevantknowledge.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\start menu\Programs\relevantknowledge\privacy policy and user license agreement.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\start menu\Programs\relevantknowledge\Support.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\aliases.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\control.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\Desktop.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\full.txt (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\fullname.txt (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\instsrv.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\mirc.ico (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\mirc.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\popups.txt (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\remote.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\servers.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\users.ini (Backdoor.Bot) -> Quarantined and deleted successfully.





    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-10-22 17:19:11
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e WDC_WD7500AAKS-00RBA0 rev.30.04G30
    Running: 42ekyy6v.exe; Driver: C:\DOCUME~1\admin\LOCALS~1\Temp\uftdqpob.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip nnrnstdi.SYS (NNRNSTDI helper driver/The Nielsen Company)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp nnrnstdi.SYS (NNRNSTDI helper driver/The Nielsen Company)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp nnrnstdi.SYS (NNRNSTDI helper driver/The Nielsen Company)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp nnrnstdi.SYS (NNRNSTDI helper driver/The Nielsen Company)

    ---- EOF - GMER 1.0.15 ----




    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by admin at 17:22:45 on 2011-10-22
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2299 [GMT -7:00]
    .
    AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Security Suite *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\Ati2evxx.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
    C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    mSearchAssistant =
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\5.1.0.29\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\5.1.0.29\ips\IPSBHO.DLL
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\5.1.0.29\coIEPlg.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Google Update] "c:\documents and settings\admin\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\npjpi160_03.dll
    LSP: mswsock.dll
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 68.87.76.182 68.87.78.134
    TCP: Interfaces\{C38CB511-45A7-4ED1-9786-644068C85E21} : DhcpNameServer = 68.87.76.182 68.87.78.134
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath -
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0501000.01d\symds.sys [2011-7-12 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0501000.01d\symefa.sys [2011-7-12 744568]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20111014.001\BHDrvx86.sys [2011-10-14 818808]
    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-12-11 214664]
    R1 nnrnstdi;nnrnstdi;c:\windows\system32\drivers\nnrnstdi.sys [2007-11-26 14336]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0501000.01d\ironx86.sys [2011-7-12 136312]
    R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\5.1.0.29\ccsvchst.exe [2011-7-12 130008]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-27 105592]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20111021.030\IDSXpx86.sys [2011-10-22 356280]
    R3 km_filter;km_filter;c:\windows\system32\drivers\km_filter.sys [2007-11-26 8832]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20111021.034\NAVENG.SYS [2011-10-22 86136]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20111021.034\NAVEX15.SYS [2011-10-22 1576312]
    S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2005-11-24 2944]
    S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2005-11-24 3168]
    S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2005-11-24 39552]
    S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2005-11-24 60416]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-12-11 79816]
    S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-12-11 35272]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-12-11 34248]
    S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-12-11 40552]
    .
    =============== Created Last 30 ================
    .
    2011-10-23 00:01:21 -------- d-----w- c:\documents and settings\admin\application data\Malwarebytes
    2011-10-23 00:01:14 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-10-23 00:01:11 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-23 00:01:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-22 23:44:26 -------- d-----w- c:\documents and settings\admin\local settings\application data\IsolatedStorage
    2011-10-22 23:43:59 -------- d-----w- c:\documents and settings\admin\local settings\application data\HP
    2011-10-22 23:37:40 -------- d-----w- c:\documents and settings\admin\local settings\application data\Google
    2011-10-22 23:37:13 -------- d-----w- c:\documents and settings\admin\local settings\application data\Deployment
    2011-10-22 23:35:54 -------- d-sh--w- c:\documents and settings\admin\PrivacIE
    2011-10-22 02:23:01 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-10-22 02:17:05 17234 ----a-w- C:\cc_20111021_191654.reg
    2011-10-15 00:15:06 -------- d-----w- c:\program files\VideoLAN
    2011-10-12 02:04:08 -------- d-----w- c:\program files\uTorrent
    2011-09-24 22:23:38 138906 ----a-w- C:\cc_20110924_152330.reg
    2011-09-24 22:19:45 -------- d-----w- c:\program files\CCleaner
    .
    ==================== Find3M ====================
    .
    2011-09-26 18:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 18:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 18:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
    2011-08-21 06:06:18 1409 ----a-w- c:\windows\QTFont.for
    2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    2006-10-03 00:28:43 19666504 -c--a-w- c:\program files\QuickTimeInstaller.exe
    .
    ============= FINISH: 17:24:06.15 ===============




    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/24/2005 1:14:39 PM
    System Uptime: 10/22/2011 5:12:32 PM (0 hours ago)
    .
    Motherboard: Intel Corporation | | D915GAV
    Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | J2E1 | 3200/200mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 699 GiB total, 456.437 GiB free.
    D: is FIXED (NTFS) - 298 GiB total, 290.46 GiB free.
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    .
    µTorrent
    3ivx MPEG-4 5.0.3 (remove only)
    Adobe Acrobat 5.0
    Adobe After Effects 6.5
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Audition 1.5
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Device Central CS3
    Adobe Encore DVD 1.5
    Adobe ExtendScript Toolkit 2
    Adobe Flash CS3
    Adobe Flash CS3 Professional
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 9 Plugin
    Adobe Flash Video Encoder
    Adobe Help Viewer CS3
    Adobe Linguistics CS3
    Adobe PDF Library Files
    Adobe Photoshop CS
    Adobe Premiere Pro 1.5
    Adobe Reader 9.4.6
    Adobe Setup
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe WinSoft Linguistics Plugin
    Apple Mobile Device Support
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI Control Panel
    ATI Display Driver
    ATI HydraVision
    Bonjour
    Brother MFL Pro Suite
    BufferChm
    CA Nonprofit Forms
    Canon Camera Access Library
    Canon Digital Camera Solution Disk 40-46 Software Starter Guide
    CANON iMAGE GATEWAY Task for ZoomBrowser EX
    Canon Internet Library for ZoomBrowser EX
    Canon MOV Decoder
    Canon MOV Encoder
    Canon MovieEdit Task for ZoomBrowser EX
    Canon Personal Printing Guide
    Canon ScanGear Starter
    Canon Utilities CameraWindow
    Canon Utilities CameraWindow DC
    Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
    Canon Utilities MyCamera
    Canon Utilities MyCamera DC
    Canon Utilities PhotoStitch
    Canon Utilities RemoteCapture Task for ZoomBrowser EX
    Canon Utilities ZoomBrowser EX
    Canon ZoomBrowser EX Memory Card Utility
    CCleaner
    Compatibility Pack for the 2007 Office system
    CP_AtenaShokunin1Config
    CP_CalendarTemplates1
    CP_Package_Basic1
    CP_Panorama1Config
    Creative Memories Memory Manager 2
    Creative Memories StoryBook Creator Plus
    Critical Update for Windows Media Player 11 (KB959772)
    CueTour
    Destinations
    DeviceFunctionQFolder
    DeviceManagementQFolder
    Digital Video
    DocProc
    DocumentViewer
    DocumentViewerQFolder
    Drive Manager
    eSupportQFolder
    Evolve Reach RN Studyware
    EZ Calendar (remove only)
    ffvfw (uninstall only)
    FlipShare
    FullDPAppQFolder
    Google Chrome
    GoToAssist Corporate
    High Definition Audio Driver Package - KB888111
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    hp deskjet 990c series
    hp deskjet 990c series (Remove only)
    HP Document Viewer 5.3
    HP Image Zone 5.3
    HP Imaging Device Functions 5.3
    HP Scanjet 4800 series
    HP Software Update
    HP Solution Center & Imaging Support Tools 5.3
    hpg4850
    hpg4850QFolder
    HPProductAssistant
    InstallIQ Updater
    InstantShareDevices
    Intel(R) PRO Network Adapters and Drivers
    iTunes
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) 6 Update 3
    Java(TM) SE Runtime Environment 6 Update 1
    Live 6.0.10
    Macromedia Dreamweaver MX
    Macromedia Dreamweaver MX 2004
    Macromedia Extension Manager
    Macromedia Fireworks MX 2004
    Macromedia Flash MX 2004
    Macromedia FreeHand MXa
    Macromedia HomeSite+
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2572067)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office XP Professional
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.0.19)
    MSN Music Assistant
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser (KB933579)
    muvee Plugin 1.0
    Nero 7 Ultra Edition
    Norton Security Suite
    OGA Notifier 2.0.0048.0
    PanoStandAlone
    PaperPort 6.5
    PDF Settings
    PhotoGallery
    Picasa 3
    Quicken 2004
    QuickTime
    RandMap
    RealPlayer
    Realtek High Definition Audio Driver
    Scan
    ScannerCopy
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Encoder (KB2447961)
    Security Update for Windows Media Encoder (KB954156)
    Security Update for Windows Media Encoder (KB979332)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SkinsHP1
    SolutionCenter
    Sonic_PrimoSDK
    TopStyle Lite (Version 3.0)
    Total Commander (Remove or Repair)
    Ulead Photo Express 5 SE
    Ulead SmartSaver 3.0 Full Version
    Ulead VideoStudio 8.0 SE DVD
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Windows (KB971513)
    Update for Windows Internet Explorer 8 (KB972636)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB978506)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VLC media player 1.1.10
    WebFldrs XP
    WebReg
    Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage v1.3.0254.0
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live OneCare safety scanner
    Windows Media Encoder 9 Series
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinZip
    XMLinst
    XVID Codec Installation
    .
    ==== Event Viewer Messages From Past Week ========
    .
    10/22/2011 9:47:37 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    10/22/2011 9:47:30 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx86 eeCtrl Fips IntelIde intelppm IPSec mfehidk MRxSmb NetBIOS NetBT ohci1394 RasAcd Rdbss SRTSPX SymIRON SYMTDI Tcpip
    10/22/2011 9:47:30 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    10/22/2011 9:47:30 AM, error: Service Control Manager [7001] - The Messenger service depends on the NetBIOS Interface service which failed to start because of the following error: A device attached to the system is not functioning.
    10/22/2011 9:47:30 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    10/22/2011 9:47:30 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    10/22/2011 9:47:30 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    10/22/2011 9:47:30 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    10/22/2011 9:47:30 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    10/22/2011 4:41:39 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
    10/22/2011 4:37:41 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
    10/22/2011 11:41:20 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    10/21/2011 8:07:58 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    10/21/2011 7:16:53 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BHDrvx86 eeCtrl Fips IntelIde intelppm mfehidk ohci1394 SRTSPX SymIRON SYMTDI
    10/21/2011 7:15:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    10/19/2011 12:15:14 PM, error: Service Control Manager [7016] - The BrSplService service has reported an invalid current state 0.
    10/19/2011 1:05:15 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
    10/19/2011 1:05:03 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'serial.sys' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    10/17/2011 2:20:20 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the FlipShare Service service.
    10/17/2011 12:14:05 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 0013208D3CEF has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    10/15/2011 1:03:22 PM, error: Service Control Manager [7024] - The Messenger service terminated with service-specific error 2270 (0x8DE).
    .
    ==== End Of File ===========================
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll help you help your friend, but will make a suggestion first: Did you consider having your friend register on TechSpot and get firsthand help? Both the registration and the help are free!

    If you choose not to do that, take heed that I ask questions and if the computer isn't in your hands, we will be going back and forth.
    =================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
    To begin with, your description of "providing warnings for Tidserv and Tidserv Activity 2" may be this:
    [​IMG]

    [​IMG]

    Notice the wording at the top of the alert is slightly different. Both say "No action Required" and both have the option to "Stop notifying me" and both refer to the HTTPS tidserv Request. This is something that has upset many Norton users.

    Do either of these look familiar?
    ==============================
    What concerns me more is the number of Backdoor.Bot in the Recycler. When a file is sent to the Recycle Bin and then deleted, it's actually still in the system. The deletions go to the Recycler, which is a protected system folder. So even though Mbam says 'quarantined' those files have a special way they have to be removed- and it doesn't always work.
    --------------
    Please read through this. There is no way to know how long this was active in the system, whether the system has been compromised and whether it may still be on the system!
    What is a Backdoor.bot?
    And yes- it makes Registry changes to the firewall, the Security Center. It can do or cause:
    1. Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute Denial-of-service attacks)
    2. Data theft (e.g. retrieving passwords or credit card information)
    3. Installation of software, including third-party malware
    4. Downloading or uploading of files on the user's computer
    5. Modification or deletion of files
    6. Keystroke logging
    7. Watching the user's screen
    8. Wasting the computer's storage space
    9. Crashing the computer

    Being advised of this, would you rather consider a reformat/reinstall instead of an attempt to clean which may not find or remove all of its code?
    ==============================
    This system is not in very good shape.
    There are 7 outdated versions of Java on the system. All of them are vulnerabilities to the system. The best way to handle that is to run the following: Note: I do not want this log!

    Please download JavaRa and unzip it to your desktop.

    Important!***Please close any instances of Internet Explorer before continuing!***
    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location. Note: Do not leave this log.
    Download and install the most current version and update of Java Runtime Environment (JRE) HERE.
    Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
    =======================================
    The Java cache has to be emptied:
    To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      [5]. Click OK on Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply > OK on Temporary Files Settings window.
    Images courtesy java.com
    ======================================
    McAfee Security is on the system and should be removed: It's okay to change the AV and FW, but the previous one has to be uninstalled: McAfee Removal
    ======================================
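The helper's point above about Backdoor.Bot changing the firewall and Security Center settings can be checked mechanically from the "Reg Loading Points" section of a ComboFix log. The following is an added example for this thread, not code from TechSpot, ComboFix or the helper: it parses the REGEDIT4-style lines ComboFix prints, flags the Security Center antivirus override and a disabled standard-profile firewall, and lists firewall exceptions outside %windir% for review. The sample section it runs on is constructed to mirror the log layout used in this thread, and the severity labels and the %windir% heuristic are the example's own assumptions.

```python
"""Audit weakened Windows XP security settings in a ComboFix-style
"Reg Loading Points" section.

Added example for the thread, not part of ComboFix or of the helper's
instructions. It understands the two value layouts ComboFix prints:
    "Name"=dword:00000001          (REGEDIT4 form)
    "Name"= 0 (0x0)                (firewall policy form)
"""
import re
from typing import List, Optional, Tuple

# Constructed sample in the same layout as a ComboFix "Reg Loading Points" dump.
SAMPLE_REG_SECTION = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.*)$')

Entry = Tuple[str, str, Optional[int]]  # (registry key, value name, numeric value)


def parse_value(raw: str) -> Optional[int]:
    """Turn the textual value into an int; None when the value is empty."""
    raw = raw.strip()
    if not raw:
        return None
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"^(\d+)", raw)  # "0 (0x0)" style: take the leading decimal
    return int(m.group(1)) if m else None


def parse_reg_points(text: str) -> List[Entry]:
    """Collect (key, name, value) triples; '.' separator lines are skipped."""
    entries: List[Entry] = []
    key: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            entries.append((key, vm.group("name"), parse_value(vm.group("raw"))))
    return entries


def audit(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings. Severities are this example's own labels."""
    findings: List[Tuple[str, str]] = []
    for key, name, value in entries:
        k = key.lower()
        if k.endswith("security center") and name == "AntiVirusOverride" and value == 1:
            findings.append(("HIGH", "Security Center antivirus monitoring is overridden (AntiVirusOverride=1)"))
        elif k.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and value == 0:
            findings.append(("HIGH", "Windows Firewall standard profile is disabled (EnableFirewall=0)"))
        elif k.endswith("authorizedapplications\\list"):
            # Heuristic (assumption): exceptions outside %windir% deserve a second look.
            path = name.replace("\\\\", "\\")
            if not path.lower().startswith("%windir%"):
                findings.append(("REVIEW", f"firewall exception for {path}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_reg_points(SAMPLE_REG_SECTION)):
        print(f"[{severity}] {message}")
```

Running the block on the constructed section reports the antivirus override and the disabled firewall as HIGH and lists the uTorrent exception for review; the sessmgr.exe entry under %windir% is left alone. Point `parse_reg_points` at the matching section of a real ComboFix.txt to get the same triage for an actual log.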
     
  3. Interloper

    Interloper TS Rookie Topic Starter Posts: 28

    Heya,

    Thanks for the quick reply. I am here with my laptop and the afflicted desktop next to me so I can do any operations we need on the computer.

    The messages you provided aren't familiar. I have included a pic of the message that norton displays. Although this notice pops up, the norton 'control center' says the system is secure. I attempted a preliminary cleaning yesterday using trendmicro online scanner, ccleaner, FixTDSS, GMER. Norton still displays its message and the system is quite slow. The system is unstable right now but is at least booting in normal mode.

    Is a clean install of a newer operating system a more efficient solution? I would prefer to avoid this to minimize data loss during migration.

    Thanks for your time,
    Matt
     
  4. Interloper

    Interloper TS Rookie Topic Starter Posts: 28

    Oops, couldn't post the image there. Anyways, it is a systray popup saying "Threat requiring manual removal detected: System infected: Tidserv Activity 2"
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please remove FixTDSS. Don't run any other scans unless I direct you to do so.

    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ===============================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ====================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the [​IMG]on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
      [​IMG]
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
     
  6. Interloper

    Interloper TS Rookie Topic Starter Posts: 28

    Heya Bobbye,

    I was able to complete each step outlined above. The log from Combofix is below. The Eset scan didn't get any hits and no log was produced. What's next?
    -Matt



    ComboFix 11-10-25.04 - admin 10/25/2011 13:42:38.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2599 [GMT -7:00]
    Running from: c:\documents and settings\admin\My Documents\Downloads\ComboFix.exe
    AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Security Suite *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
    c:\documents and settings\Karen\Application Data\PriceGong
    c:\documents and settings\Karen\Application Data\PriceGong\Data\1.xml
    c:\documents and settings\Karen\Application Data\PriceGong\Data\a.xml
    c:\documents and settings\Karen\Application Data\PriceGong\Data\b.xml
    c:\documents and settings\Karen\Application Data\PriceGong\Data\c.xml
    c:\documents and settings\Karen\Application Data\PriceGong\Data\d.xml
    c:\documents and settings\Karen\Application Data\PriceGong\Data\e.xml
    c:\documents and settings\Karen\Application Data\PriceGong\Data\f.xml
    c:\documents and settings\Karen\Application Data\PriceGong\Data\g.xml
    c:\documents and settings\Karen\Application Data\PriceGong\Data\h.xml
    c:\documents and settings\Karen\Application Data\PriceGong\Data\i.xml
    c:\documents and settings\Karen\Application Data\PriceGong\Data\J.xml
    c:\documents and settings\Karen\Application Data\PriceGong\Data\k.xml
    c:\documents and settings\Karen\Application Data\PriceGong\Data\l.xml
    c:\documents and settings\Karen\Application Data\PriceGong\Data\m.xml
    c:\documents and settings\Karen\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\Karen\Application Data\PriceGong\Data\n.xml
    c:\documents and settings\Karen\Application Data\PriceGong\Data\o.xml
    c:\documents and settings\Karen\Application Data\PriceGong\Data\p.xml
    c:\documents and settings\Karen\Application Data\PriceGong\Data\q.xml
    c:\documents and settings\Karen\Application Data\PriceGong\Data\r.xml
    c:\documents and settings\Karen\Application Data\PriceGong\Data\s.xml
    c:\documents and settings\Karen\Application Data\PriceGong\Data\t.xml
    c:\documents and settings\Karen\Application Data\PriceGong\Data\u.xml
    c:\documents and settings\Karen\Application Data\PriceGong\Data\v.xml
    c:\documents and settings\Karen\Application Data\PriceGong\Data\w.xml
    c:\documents and settings\Karen\Application Data\PriceGong\Data\x.xml
    c:\documents and settings\Karen\Application Data\PriceGong\Data\y.xml
    c:\documents and settings\Karen\Application Data\PriceGong\Data\z.xml
    c:\documents and settings\Steve\Application Data\PriceGong
    c:\documents and settings\Steve\Application Data\PriceGong\Data\1.xml
    c:\documents and settings\Steve\Application Data\PriceGong\Data\a.xml
    c:\documents and settings\Steve\Application Data\PriceGong\Data\b.xml
    c:\documents and settings\Steve\Application Data\PriceGong\Data\c.xml
    c:\documents and settings\Steve\Application Data\PriceGong\Data\d.xml
    c:\documents and settings\Steve\Application Data\PriceGong\Data\e.xml
    c:\documents and settings\Steve\Application Data\PriceGong\Data\f.xml
    c:\documents and settings\Steve\Application Data\PriceGong\Data\g.xml
    c:\documents and settings\Steve\Application Data\PriceGong\Data\h.xml
    c:\documents and settings\Steve\Application Data\PriceGong\Data\i.xml
    c:\documents and settings\Steve\Application Data\PriceGong\Data\J.xml
    c:\documents and settings\Steve\Application Data\PriceGong\Data\k.xml
    c:\documents and settings\Steve\Application Data\PriceGong\Data\l.xml
    c:\documents and settings\Steve\Application Data\PriceGong\Data\m.xml
    c:\documents and settings\Steve\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\Steve\Application Data\PriceGong\Data\n.xml
    c:\documents and settings\Steve\Application Data\PriceGong\Data\o.xml
    c:\documents and settings\Steve\Application Data\PriceGong\Data\p.xml
    c:\documents and settings\Steve\Application Data\PriceGong\Data\q.xml
    c:\documents and settings\Steve\Application Data\PriceGong\Data\r.xml
    c:\documents and settings\Steve\Application Data\PriceGong\Data\s.xml
    c:\documents and settings\Steve\Application Data\PriceGong\Data\t.xml
    c:\documents and settings\Steve\Application Data\PriceGong\Data\u.xml
    c:\documents and settings\Steve\Application Data\PriceGong\Data\v.xml
    c:\documents and settings\Steve\Application Data\PriceGong\Data\w.xml
    c:\documents and settings\Steve\Application Data\PriceGong\Data\x.xml
    c:\documents and settings\Steve\Application Data\PriceGong\Data\y.xml
    c:\documents and settings\Steve\Application Data\PriceGong\Data\z.xml
    c:\documents and settings\Steve\WINDOWS
    c:\documents and settings\Virginia\g2mdlhlpx.exe
    c:\documents and settings\Virginia\GoToAssistDownloadHelper.exe
    c:\documents and settings\Virginia\timeseal.exe
    c:\documents and settings\Virginia\WINDOWS
    c:\windows\$NtUninstallKB25808$
    c:\windows\$NtUninstallKB25808$\1342122799\@
    c:\windows\$NtUninstallKB25808$\1342122799\bckfg.tmp
    c:\windows\$NtUninstallKB25808$\1342122799\cfg.ini
    c:\windows\$NtUninstallKB25808$\1342122799\Desktop.ini
    c:\windows\$NtUninstallKB25808$\1342122799\keywords
    c:\windows\$NtUninstallKB25808$\1342122799\kwrd.dll
    c:\windows\$NtUninstallKB25808$\1342122799\L\bogeilhu
    c:\windows\$NtUninstallKB25808$\1342122799\U\00000001.@
    c:\windows\$NtUninstallKB25808$\1342122799\U\00000002.@
    c:\windows\$NtUninstallKB25808$\1342122799\U\00000004.@
    c:\windows\$NtUninstallKB25808$\1342122799\U\80000000.@
    c:\windows\$NtUninstallKB25808$\1342122799\U\80000004.@
    c:\windows\$NtUninstallKB25808$\1342122799\U\80000032.@
    c:\windows\$NtUninstallKB25808$\1458569901
    c:\windows\help\tours\htmltour\unlock_playing.htm
    c:\windows\isRS-000.tmp
    c:\windows\pkunzip.pif
    c:\windows\pkzip.pif
    c:\windows\system32\d3d9caps.dat
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-25 to 2011-10-25 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-25 20:01 . 2011-10-25 20:01 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-10-25 20:01 . 2011-10-25 20:01 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-10-23 00:01 . 2011-10-23 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-10-23 00:01 . 2011-10-23 00:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-23 00:01 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-22 23:32 . 2011-10-22 23:35 -------- d-----w- c:\documents and settings\admin
    2011-10-22 02:23 . 2011-06-21 04:09 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-10-22 02:17 . 2011-10-22 02:17 17234 ----a-w- C:\cc_20111021_191654.reg
    2011-10-19 19:38 . 2011-10-19 19:38 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-10-15 00:15 . 2011-10-15 00:15 -------- d-----w- c:\program files\VideoLAN
    2011-10-12 02:04 . 2011-10-12 02:04 -------- d-----w- c:\program files\uTorrent
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-25 20:23 . 2004-08-04 12:00 64512 ----a-w- c:\windows\system32\drivers\serial.sys
    2011-10-25 20:01 . 2007-06-13 18:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-09-26 18:41 . 2008-07-30 02:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 18:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 18:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-24 22:23 . 2011-09-24 22:23 138906 ----a-w- C:\cc_20110924_152330.reg
    2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-22 23:48 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 23:48 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-08-22 11:56 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-08-21 06:06 . 2011-08-21 06:06 1409 ----a-w- c:\windows\QTFont.for
    2011-08-17 13:49 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    2006-10-03 00:28 . 2006-10-03 00:28 19666504 -c--a-w- c:\program files\QuickTimeInstaller.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-10 196608]
    "RTHDCPL"="RTHDCPL.EXE" [2005-05-05 14396416]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-11-25 106560]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2010-06-30 19:17 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
    backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^reminder-ScanSoft Product Registration.lnk]
    path=c:\documents and settings\Steve\Start Menu\Programs\Startup\reminder-ScanSoft Product Registration.lnk
    backup=c:\windows\pss\reminder-ScanSoft Product Registration.lnkStartup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2011-09-24 22:12 136176 ----atw- c:\documents and settings\Virginia\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2008-02-01 07:13 385024 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\symds.sys [7/12/2011 11:04 AM 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\symefa.sys [7/12/2011 11:04 AM 744568]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20111014.001\BHDrvx86.sys [10/14/2011 4:10 PM 818808]
    R1 nnrnstdi;nnrnstdi;c:\windows\system32\drivers\nnrnstdi.sys [11/26/2007 4:49 PM 14336]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\ironx86.sys [7/12/2011 11:04 AM 136312]
    R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\5.1.0.29\ccsvchst.exe [7/12/2011 11:03 AM 130008]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/27/2011 7:19 PM 105592]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20111022.030\IDSXpx86.sys [10/25/2011 12:38 PM 356280]
    R3 km_filter;km_filter;c:\windows\system32\drivers\km_filter.sys [11/26/2007 4:49 PM 8832]
    S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [11/24/2005 2:17 PM 2944]
    S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [11/24/2005 2:18 PM 3168]
    S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [11/24/2005 2:17 PM 39552]
    S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [11/24/2005 2:17 PM 60416]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
    .
    2011-10-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3725260815-963639892-2888137882-1006Core.job
    - c:\documents and settings\Virginia\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-24 22:12]
    .
    2011-10-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3725260815-963639892-2888137882-1006UA.job
    - c:\documents and settings\Virginia\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-24 22:12]
    .
    2011-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3725260815-963639892-2888137882-1014Core.job
    - c:\documents and settings\admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-22 23:37]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    TCP: DhcpNameServer = 68.87.76.182 68.87.78.134
    FF - ProfilePath -
    .
    - - - - ORPHANS REMOVED - - - -
    .
    SafeBoot-36733702.sys
    SafeBoot-MCODS
    MSConfigStartUp-Weather - c:\program files\AWS\WeatherBug\Weather.exe
    AddRemove-PaperPort 6.5 - c:\drivers\brothers 4800 drivers\Config\DeIsL1.isu
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-25 14:10
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet004\Services\N360]
    "ImagePath"="\"c:\program files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
    "Version"=hex:51,3b,4c,86,24,05,fb,9c,c7,04,c6,8f,c3,e9,c5,d9,9f,2e,48,53,39,
    39,2b,35,00,69,e7,c2,f3,d0,66,4c,a0,78,03,51,6a,b3,a9,10,08,00,7e,13,11,f0,\
    .
    [HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
    "Version"=hex:51,3b,4c,86,24,05,fb,9c,c7,04,c6,8f,c3,e9,c5,d9,9f,2e,48,53,39,
    39,2b,35,00,69,e7,c2,f3,d0,66,4c,a0,78,03,51,6a,b3,a9,10,08,00,7e,13,11,f0,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(728)
    c:\windows\system32\Ati2evxx.dll
    c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
    .
    - - - - - - - > 'explorer.exe'(2924)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\brss01a.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Pure Digital Technologies\FlipShare\FlipShareService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
    .
    **************************************************************************
    .
    Completion time: 2011-10-25 14:14:37 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-10-25 21:14
    .
    Pre-Run: 489,807,851,520 bytes free
    Post-Run: 490,291,630,080 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - BE9BA8004A4CDD696A34B65797AAAE4F
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Lots of unnecessary processes on the startup menu! They will need to be unchecked later. Good to hear Eset was clean.

    If I had a penny for every PriceGong removal I see in Combofix, I would be on a cruise somewhere! Stay away from anything that sounds too good, because it isn't.

    I'm shutting down now, but will set up some script for you to run through Combofix in the morning. Plan on one of the removals being "c:\\Program Files\\uTorrent".
    ============================
    Let's check this out:
    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
     
  8. Interloper

    Interloper TS Rookie Topic Starter Posts: 28

    Bonjour,

    CKScanner says:

    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\documents and settings\virginia\desktop\joes music\kanye west complete discography (itunes edition) [theleak]\live album\late orchestration - live at abbey road (2006)\03 crack music (feat. game).m4a
    c:\documents and settings\virginia\desktop\joes music\kanye west complete discography (itunes edition) [theleak]\studio albums\late registration (2005)\08 crack music (feat. game).m4a
    c:\documents and settings\virginia\my documents\ableton\presets\audio effects\vinyl distortion\crack.adv
    c:\documents and settings\virginia\my documents\my buisness\ginger\pesticides\crack grass.doc
    c:\software\adobe photoshop cs\crack.zip
    c:\transfer data\ginger\ginger\pesticides\crack grass.doc
    scanner sequence 3.FN.11.HWAPUJ
    ----- EOF -----
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Your friend has pirated several programs. One of them, Adobe Photoshop CS3 has a cost in the $600 range.

    Music for iTunes from the Kanye West Complete Discography has also been pirated.
    I can't identify the "pesticide crack" doc, but it's interesting to note that it appears as a download to Virginia's account with a subsequent 'transfer' to ginger's account.
    ======================================
    Please note: To continue support, the pirated downloads must be removed. You can run the script below, then run the CK scan again:
    ======================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
    • [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • [3]. Open Notepad> click on Format> uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    C:\cc_20111021_191654.reg
    C:\cc_20110924_152330.reg
    DDS::
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    Folder::
    c:\program files\uTorrent
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=-
    RegLock:
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
    "Version"=hex:51,3b,4c,86,24,05,fb,9c,c7,04,c6,8f,c3,e9,c5,d9,9f,2e,48,53,39,
    39,2b,35,00,69,e7,c2,f3,d0,66,4c,a0,78,03,51,6a,b3,a9,10,08,00,7e,13,11,f0,\
    [HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
    "Version"=hex:51,3b,4c,86,24,05,fb,9c,c7,04,c6,8f,c3,e9,c5,d9,9f,2e,48,53,39,
    39,2b,35,00,69,e7,c2,f3,d0,66,4c,a0,78,03,51,6a,b3,a9,10,08,00,7e,13,11,f0,\
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
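    The script in the post above is a ComboFix CFScript. As an added example (not part of the thread, and not ComboFix's own code), the Python below parses such a script into a plain list of the actions it requests, so that anyone asked to run one can see exactly which files, folders and registry values it will remove before dragging it onto ComboFix. The embedded sample is the script from this post with the DPF list shortened; the directive meanings (File:: deletes files, Folder:: deletes folders, DDS:: removes the listed DDS-log entries, Registry:: applies .reg-style entries where `=-` deletes a value and `[-KEY]` deletes a key, RegLock:: unlocks keys) are the commonly documented CFScript semantics and are an assumption here, not verified against ComboFix itself. The parser only reads text; it changes nothing on the machine.

```python
"""Turn a ComboFix CFScript into a readable list of the actions it requests.

Added example, not part of the TechSpot thread or of ComboFix. The directive
meanings are the commonly documented CFScript ones (an assumption here).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import List, Optional

# "File::", "Registry::", ...; the single-colon "RegLock:" from the thread is tolerated.
SECTION_RE = re.compile(r"^([A-Za-z]+)::?$")
# "[KEY]" selects a key; "[-KEY]" (.reg syntax) deletes the key.
KEY_RE = re.compile(r"^\[(?P<minus>-?)(?P<key>[^\]]+)\]$")
# "name"=data; data "-" (.reg syntax) deletes the value.
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')


@dataclass
class RegAction:
    key: str
    name: Optional[str]   # None: the action targets the key itself
    action: str           # "delete_key", "delete_value" or "set_value"
    data: str = ""


@dataclass
class CFScriptPlan:
    files: List[str] = field(default_factory=list)          # File::     delete files
    folders: List[str] = field(default_factory=list)        # Folder::   delete folders
    dds: List[str] = field(default_factory=list)            # DDS::      remove DDS-log entries
    registry: List[RegAction] = field(default_factory=list) # Registry:: .reg-style entries
    reglock: List[str] = field(default_factory=list)        # RegLock::  unlock keys
    unknown: List[str] = field(default_factory=list)        # lines the parser did not understand


def parse_cfscript(text: str) -> CFScriptPlan:
    plan = CFScriptPlan()
    section: Optional[str] = None
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section, current_key = sec.group(1).lower(), None
            continue
        if section == "file":
            plan.files.append(line)
        elif section == "folder":
            plan.folders.append(line)
        elif section == "dds":
            plan.dds.append(line)
        elif section == "reglock":
            km = KEY_RE.match(line)
            if km:  # value lines under RegLock only document the locked data; the key is what gets unlocked
                plan.reglock.append(km.group("key"))
        elif section == "registry":
            km, vm = KEY_RE.match(line), VALUE_RE.match(line)
            if km:
                current_key = km.group("key")
                if km.group("minus"):
                    plan.registry.append(RegAction(current_key, None, "delete_key"))
            elif vm and current_key:
                data = vm.group("data")
                action = "delete_value" if data == "-" else "set_value"
                plan.registry.append(RegAction(current_key, vm.group("name"), action, data))
            elif plan.registry and plan.registry[-1].data.endswith("\\"):
                # .reg continuation line for long hex data: glue it onto the previous value
                plan.registry[-1].data = plan.registry[-1].data[:-1] + line
            else:
                plan.unknown.append(line)
        else:
            plan.unknown.append(line)
    return plan


def summarize(plan: CFScriptPlan) -> List[str]:
    """One human-readable line per requested action."""
    out = [f"delete file:   {p}" for p in plan.files]
    out += [f"delete folder: {p}" for p in plan.folders]
    out += [f"remove entry:  {e}" for e in plan.dds]
    for a in plan.registry:
        if a.action == "delete_key":
            out.append(f"delete key:    {a.key}")
        elif a.action == "delete_value":
            out.append(f"delete value:  {a.key} -> {a.name}")
        else:
            out.append(f"set value:     {a.key} -> {a.name} = {a.data!r}")
    out += [f"unlock key:    {k}" for k in plan.reglock]
    return out


# The script from the post above, with the DPF list shortened to two entries.
SAMPLE_CFSCRIPT = r"""
File::
C:\cc_20111021_191654.reg
C:\cc_20110924_152330.reg
DDS::
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Folder::
c:\program files\uTorrent
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
RegLock:
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:51,3b,4c,86,24,05,fb,9c,c7,04,c6,8f,c3,e9,c5,d9,9f,2e,48,53,39,
39,2b,35,00,69,e7,c2,f3,d0,66,4c,a0,78,03,51,6a,b3,a9,10,08,00,7e,13,11,f0,\
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:51,3b,4c,86,24,05,fb,9c,c7,04,c6,8f,c3,e9,c5,d9,9f,2e,48,53,39,
39,2b,35,00,69,e7,c2,f3,d0,66,4c,a0,78,03,51,6a,b3,a9,10,08,00,7e,13,11,f0,\
"""

if __name__ == "__main__":
    for entry in summarize(parse_cfscript(SAMPLE_CFSCRIPT)):
        print(entry)
```

    Running it on the sample prints ten lines: two file deletions, one folder deletion, the DPF entries to remove, the deletion of the Security Center "AntiVirusOverride" value and of the uTorrent firewall exception, the (empty) sessmgr.exe entry being written, and the two keys to unlock. Anything the parser cannot classify lands in `plan.unknown`, which is the list to inspect when a script uses a directive this example does not know.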
     
  10. Interloper

    Interloper TS Rookie Topic Starter Posts: 28

    Thanks for your help Bobbye. I'm not comfortable removing programs from someone else's system so I will pass on this last set of instructions. Has the primary issue been addressed? It is faster and more stable already.

    -Matt
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Matt, the primary issue was addressed. I don't know if it was resolved. But I do not support piracy.

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [IMG]
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
     
Topic Status:
Not open for further replies.
