TechSpot

Help on fixing the Backdoor.Tidserv.I!inf

By Snowbred
Oct 31, 2010
Once again, another person with this messed up virus. Thanks for any help.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    10/30/2010 9:28:15 AM
    mbam-log-2010-10-30 (09-28-15).txt

    Scan type: Quick scan
    Objects scanned: 126157
    Time elapsed: 4 minute(s), 23 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 6
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.242,93.188.160.52 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{61129d1f-35fa-495a-bd4a-d7c81180a9af}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.242,93.188.160.52 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{73c8c644-3857-4a27-aecc-7af88aa9a68a}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.242,93.188.160.52 -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER 1.0.15.15477 - http://www.gmer.net
    Rootkit scan 2010-10-30 10:24:21
    Windows 5.1.2600 Service Pack 3
    Running: g1n2z1z4.exe; Driver: C:\DOCUME~1\Jo\LOCALS~1\Temp\uxloapow.sys


    ---- System - GMER 1.0.15 ----

    SSDT 89845A98 ZwConnectPort

    ---- Kernel code sections - GMER 1.0.15 ----

    init C:\WINDOWS\system32\Drivers\OEM13Afx.sys entry point in "init" section [0xA6BD5310]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\SearchIndexer.exe[1956] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
    Device A4A35D20

    AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

    ---- EOF - GMER 1.0.15 ----



    DDS (Ver_10-10-21.02) - NTFSx86
    Run by Jo at 10:25:23.37 on Sat 10/30/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3033.2296 [GMT -10:00]

    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\drivers\audio\r211990\stacsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\WINDOWS\system32\DRIVERS\o2flash.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\IDT\WDM\sttray.exe
    C:\WINDOWS\system32\AESTFltr.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\OEM13Mon.exe
    C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Activ Software\ActivDriver\ActivControl2.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Documents and Settings\Jo\Desktop\malware removal tools\dds.scr

    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://www.live.com
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
    mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
    mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [OEM13Mon.exe] c:\windows\OEM13Mon.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
    mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
    mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [ActivControl] c:\program files\activ software\activdriver\ActivControl2.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1253663956484
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\jo\applic~1\mozilla\firefox\profiles\19594ws6.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=20101011031126421&tb_oid=11-10-2010&tb_mrud=11-10-2010
    FF - prefs.js: browser.search.selectedEngine - AOL Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&tb_uuid=20101011031126421&tb_oid=11-10-2010&tb_mrud=11-10-2010&query=
    FF - component: c:\documents and settings\jo\application data\mozilla\firefox\profiles\19594ws6.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\MailUtil.dll
    FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - plugin: c:\documents and settings\jo\local settings\application data\yahoo!\browserplus\2.4.21\plugins\npybrowserplus_2.4.21.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

    ============= SERVICES / DRIVERS ===============

    R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
    R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
    R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
    R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [2010-5-26 74752]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-9-3 112512]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101029.003\naveng.sys [2010-10-29 86064]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101029.003\navex15.sys [2010-10-29 1371184]
    R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [2009-9-3 51616]
    R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [2009-9-3 41760]
    R3 OEM13Afx;Provides a software interface to control audio effects of OEM013 camera.;c:\windows\system32\drivers\OEM13Afx.sys [2009-9-3 141376]
    R3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\drivers\OEM13Vfx.sys [2009-9-3 7424]
    R3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\drivers\OEM13Vid.sys [2009-9-3 235840]
    R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [2010-5-26 6144]
    S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
    S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]

    =============== Created Last 30 ================

    2010-10-30 19:15:15 -------- d-----w- c:\docume~1\jo\applic~1\Malwarebytes
    2010-10-30 19:15:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-30 19:15:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-30 19:15:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-30 19:15:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-10-29 08:43:06 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
    2010-10-29 08:43:06 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
    2010-10-11 03:11:28 -------- d-----w- c:\program files\AIM Toolbar
    2010-10-11 03:11:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\AIM Toolbar
    2010-10-11 03:11:26 -------- d-----w- c:\program files\common files\Software Update Utility
    2010-10-11 03:11:18 -------- d-----w- c:\docume~1\jo\locals~1\applic~1\AIM
    2010-10-11 03:11:17 -------- d-----w- c:\docume~1\jo\locals~1\applic~1\AOL
    2010-10-11 03:11:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\AIM
    2010-10-11 03:11:08 -------- d-----w- c:\program files\AIM
    2010-10-11 03:11:07 -------- d-----w- c:\program files\common files\AOL

    ==================== Find3M ====================

    2010-08-10 15:15:58 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-08-10 15:15:58 69632 ----a-w- c:\windows\system32\QuickTime.qts

    ============= FINISH: 10:25:35.23 ===============


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-10-21.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 9/22/2009 12:37:24 PM
    System Uptime: 10/30/2010 9:30:07 AM (1 hours ago)

    Motherboard: Dell Inc. | | 0T052J
    Processor: Intel(R) Core(TM)2 Duo CPU T6670 @ 2.20GHz | U2E1 | 2194/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 298 GiB total, 261.285 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Intel(R) WiFi Link 5100 AGN
    Device ID: PCI\VEN_8086&DEV_4232&SUBSYS_13218086&REV_00\4&492937F&0&00E2
    Manufacturer: Intel Corporation
    Name: Intel(R) WiFi Link 5100 AGN
    PNP Device ID: PCI\VEN_8086&DEV_4232&SUBSYS_13218086&REV_00\4&492937F&0&00E2
    Service: NETw5x32

    ==== System Restore Points ===================

    RP118: 8/18/2010 8:38:05 PM - System Checkpoint
    RP119: 8/20/2010 2:34:51 PM - Installed REA's TESTware for the PRAXIS Elementary Ed 0014
    RP120: 8/24/2010 12:27:09 PM - Installed QuickTime
    RP121: 8/29/2010 10:08:39 PM - System Checkpoint
    RP122: 9/6/2010 6:09:43 PM - System Checkpoint
    RP123: 9/6/2010 7:16:33 PM - Installed ActivSoftware
    RP124: 9/16/2010 6:00:52 PM - Installed eBook: Elementary Education Content Knowledge Practice
    RP125: 9/16/2010 6:00:59 PM - Installed Microsoft Visual C++ 2005 Redistributable
    RP126: 9/20/2010 8:17:02 PM - System Checkpoint
    RP127: 9/22/2010 8:46:38 PM - System Checkpoint
    RP128: 9/25/2010 1:28:07 PM - System Checkpoint
    RP129: 10/10/2010 9:22:08 AM - System Checkpoint
    RP130: 10/17/2010 1:22:39 PM - System Checkpoint
    RP131: 10/21/2010 7:23:26 PM - System Checkpoint
    RP132: 10/24/2010 8:58:28 PM - System Checkpoint
    RP133: 10/25/2010 9:48:12 PM - System Checkpoint
    RP134: 10/27/2010 6:57:40 AM - System Checkpoint
    RP135: 10/28/2010 7:16:56 AM - System Checkpoint
    RP136: 10/29/2010 7:30:43 AM - System Checkpoint
    RP137: 10/30/2010 7:32:33 AM - System Checkpoint

    ==== Installed Programs ======================

    Acrobat.com
    ActivDriver x86 v5.5
    ActivInspire Core Resources (ENU) v1
    ActivInspire Help (USA) v1
    ActivInspire HWR Resources (ENU) v1
    ActivInspire v1
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9
    Advanced Audio FX Engine
    Advanced Video FX Engine
    AIM 7
    AIM Toolbar
    AiO_Scan_CDA
    AiOSoftwareNPI
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Avery Wizard 3.1
    Bejeweled Twist 1.0
    Bonjour
    BufferChm
    C3100
    c3100_Help
    Choice Guard
    CustomerResearchQFolder
    Dell Support Center
    Dell Touchpad
    Dell Video Chat
    Dell Webcam Center
    Dell Webcam Manager
    Destinations
    DeviceManagementQFolder
    DocProc
    DocProcQFolder
    Download Updater (AOL LLC)
    eBook: Elementary Education Content Knowledge Practice Test
    eSupportQFolder
    Fax_CDA
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB949764)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB953955)
    Hotfix for Windows XP (KB954434)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB954708)
    Hotfix for Windows XP (KB958347)
    Hotfix for Windows XP (KB959252)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    HP Customer Participation Program 7.0
    HP Imaging Device Functions 7.0
    HP Photosmart Essential
    HP Photosmart, Officejet and Deskjet 7.0.A
    HP Software Update
    HP Solution Center 7.0
    HPPhotoSmartExpress
    HPProductAssistant
    ImgBurn
    Insaniquarium Deluxe 1.1
    InstantShareDevicesMFC
    Intel PROSet Wireless
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PROSet/Wireless WiFi Software
    iTunes
    Java(TM) 6 Update 13
    Junk Mail filter update
    Laptop Integrated Webcam Driver (1.01.01.0529)
    Live! Cam Avatar Creator
    Live! Cam Avatar v1.0
    LiveUpdate 2.6 (Symantec Corporation)
    Malwarebytes' Anti-Malware
    MarketResearch
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.6.12)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser (KB927977)
    Nero 7 Demo
    NewCopy_CDA
    nLite 1.4.9.1
    OCR Software by I.R.I.S 7.0
    PanoStandAlone
    PowerDVD DX
    ProductContextNPI
    QuickTime
    REA's TESTware for the PRAXIS Elementary Ed 0014
    Readme
    Safari
    Scan
    ScannerCopy
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB978380)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft Office Excel 2007 (KB978382)
    Security Update for Microsoft Office Outlook 2007 (KB972363)
    Security Update for Microsoft Office PowerPoint 2007 (KB957789)
    Security Update for Microsoft Office Publisher 2007 (KB969693)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB969604)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978706)
    Segoe UI
    Skype Toolbars
    Skype™ 4.2
    SolutionCenter
    Sonic CinePlayer Decoder Pack
    Status
    Symantec AntiVirus
    Synaptics Pointing Device Driver
    Toolbox
    TrayApp
    Unload
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office InfoPath 2007 (KB976416)
    Update for Outlook 2007 Junk Email Filter (kb979895)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951618-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebFldrs XP
    WebReg
    WIDCOMM Bluetooth Software
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    Windows Presentation Foundation
    Windows Search 4.0
    WMV to AVI DIVX MP4 MPEG RMVB Converter 1.7.9
    XML Paper Specification Shared Components Pack 1.0
    XPS Annotator 1.22
    Yahoo! BrowserPlus

    ==== Event Viewer Messages From Past Week ========

    10/28/2010 12:01:07 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0022FB9FC868. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    10/27/2010 6:38:47 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\drivers\afd.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5657.
    10/27/2010 6:38:33 AM, error: Service Control Manager [7001] - The Network Location Awareness (NLA) service depends on the AFD service which failed to start because of the following error: Access is denied.
    10/27/2010 6:38:33 AM, error: Service Control Manager [7000] - The AFD service failed to start due to the following error: Access is denied.
    10/27/2010 6:38:30 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD
    10/27/2010 6:38:16 AM, error: Service Control Manager [7024] - The Bonjour Service service terminated with service-specific error 4294967295 (0xFFFFFFFF).
    10/27/2010 6:38:16 AM, error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error 2147952450 (0x80072742).
    10/27/2010 6:38:16 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: A socket operation encountered a dead network.
    10/27/2010 6:38:16 AM, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: A socket operation encountered a dead network.
    10/27/2010 6:38:16 AM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: %%2147952450
    10/27/2010 6:38:16 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    10/27/2010 6:38:16 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    10/27/2010 6:35:59 AM, error: ACPIEC [1] - \Device\ACPIEC: The embedded controller (EC) hardware didn't respond within the timeout period. This may indicate an error in the EC hardware or firmware, or possibly a poorly designed BIOS which accesses the EC in an unsafe manner. The EC driver will retry the failed transaction if possible.
    10/27/2010 11:28:43 PM, error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
    10/27/2010 11:14:02 PM, error: DCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
    10/27/2010 11:13:24 PM, error: Dhcp [1002] - The IP address lease 192.168.1.27 for the Network Card with network address 0022FB9FC868 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    10/26/2010 10:27:50 AM, error: Dhcp [1002] - The IP address lease 192.168.1.103 for the Network Card with network address 0022FB9FC868 has been denied by the DHCP server 128.171.1.50 (The DHCP Server sent a DHCPNACK message).

    ==== End Of File ===========================
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Good Morning and welcome to TechSpot. I'll help with the malware. Please understand that the more information I have, the better I can help you: the only thing you have in common with all the other members reporting this malware is that you have Norton for the AV. I'll explain that later.
    1. Why do you think you have the Backdoor.Tidserv.I!inf malware infection?
    2. No matter what you do, it won't go away- is that correct?
    3. Norton continues to advise you of having this- is that correct?
    4. Are your searches being redirected to the wrong site?
    5. Are you having a problem getting an internet connection?
    ==================================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    =============================================
    Please print these directions out as you will need them to follow the steps:
    You will need to do a DNS Flush, then reset your router.
    Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

    Exit the Command prompt when finished and shut the system down.

    • [1]. Shut down your computer, and any other computer connected to your router.
      [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
      [3]. Unplug the router. Wait sixty seconds.
      [4]. Now, holding the reset button again, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
      [5]. With the router unplugged, start your computer. Run MBAM again.
      [6]. Connect to the router again. Then turn the router back on.
      [7].When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
      [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.
    =====================================
    Please post the answers to my questions and the logs from the scans in your next reply.
     
  3. Snowbred

    Snowbred TS Rookie Topic Starter

    Bobbye,

    thanks for your quick response.

    Do I need to do the DNS flush from all my comps or just the infected one?

    Here are my results:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    10/31/2010 8:34:48 AM
    mbam-log-2010-10-31 (08-34-48).txt

    Scan type: Quick scan
    Objects scanned: 125954
    Time elapsed: 2 minute(s), 16 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=1675d4f084d59442a58aafaa53074375
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-10-31 06:15:39
    # local_time=2010-10-31 08:15:39 (-1000, Hawaiian Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=69799
    # found=1
    # cleaned=0
    # scan_time=1149
    C:\WINDOWS\system32\spool\prtprocs\w32x86\xG931kUO.dll Win32/Qhost.OCQ trojan 00000000000000000000000000000000 I


    Oh great, Qhost. Now what?
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Aloha. Sigh! You'll still be tucked under the covers now, but after you get up and have your breakfast, please tell me: "Why do you think you have the Backdoor.Tidserv.I!inf malware infection?"

    Eset shows the Win32/Qhost.OCQ Trojan. Win32.Qhost is a family of Trojan horses that primarily replace or alter the HOSTS file, in which corresponding IP addresses and names of remote computers are stored, so we move that entry:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      :Files 
      C:\WINDOWS\system32\spool\prtprocs\w32x86\xG931kUO.dll
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =========================================
    Follow with download of ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    ==========================================
    About the DNS Flush: If you have computers networked, they should each be checked for the DNSChanger- if present, their DNS should also be flushed. If not, flushing this system and resetting the router should be adequate.

    I will have you replace the host files also.
     
  5. Snowbred

    Snowbred TS Rookie Topic Starter

    Norton kept popping up telling me I had the backdoor virus, but now it seems to be gone (magic, I guess). Well, at least it has not popped up since I posted on this site. You guys are good (hehehe).

    I have to go to work now; I will do the rest when I get home.
     
  6. Snowbred

    Snowbred TS Rookie Topic Starter

    Thanks for all your help, I will post results later.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Norton will report this even if it's in the Restore points, Recycle Bin or Recycler. It may not still be active in the system. But it should be removed from any of the places I mentioned.

    Norton also has an Alert screen when it blocks this intrusion attempt. It fools a lot of people into thinking they have it and most don't realize they have the option of clicking on Stop notifying me Alert
     
  8. Snowbred

    Snowbred TS Rookie Topic Starter

    Bobbye,

    Here is the OTMoveIt log, but I tried running combofix and the first time, 3-4 min in, the computer blue-screened; the second time the whole thing just froze. What would you recommend, keep trying or?

    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\spool\prtprocs\w32x86\xG931kUO.dll
    C:\WINDOWS\system32\spool\prtprocs\w32x86\xG931kUO.dll moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Jo
    ->Temp folder emptied: 1475682 bytes
    ->Temporary Internet Files folder emptied: 85731 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 27962850 bytes
    ->Flash cache emptied: 991 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 483 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 28.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 11022010_181212

    Files moved on Reboot...

    Registry entries deleted on Reboot...
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Before you do this step:
    [4]. Double click combofix.exe & follow the prompts to run.
    Right click on combofix.exe> rename> change to snowbred.exe.
    Now try to run the program.

    A reminder that you will need to update Java(TM) 6 Update 13 -> Java(TM) 6 Update 22, then uninstall the old version in Add/Remove Programs. Here is the link to update: Java Updates
     
  10. Snowbred

    Snowbred TS Rookie Topic Starter

    Bobbye,
    I updated Java, could not find any old ones to uninstall.
    When I run combofix it gets past stage 50, says something about a log, then blue screens. I ran it 3 times. What do you recommend? Does it matter if I am using wireless for my Internet? It does not look like it disconnects it from the Internet.

    Thanks
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Did you rename the combofix.exe file to snowbred.exe as instructed?

    If you did and it still won't run, please run the following:
    • Download the file TDSSKiller.zip and extract it (use an archiver, for example, WinZip) into a folder on the infected (or potentially infected) PC.
    • Double click TDSSKiller.exe to start the scan
    • Wait for the scan and disinfection process to be over.
      [o] The utility outputs a list of detected objects with description.
      [o] The utility automatically selects an action (Cure or Delete) for malicious objects.
      [o] The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
    • The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.

    It is necessary to reboot the PC after the disinfection is over.
     
  12. Snowbred

    Snowbred TS Rookie Topic Starter

    I did rename the file and it still froze.
    I ran TDSSKiller and here is what it output:
    [InfectedObject]
    Type: Service
    Name: ialm
    Type: Kernel driver (0x1)
    Start: Demand (0x3)
    ImagePath: system32\DRIVERS\igxpmp32.sys
    Suspicious states: Forged file;

    [InfectedFile]
    Type: Raw image
    Src: C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
    md5: a65214c4625d25b9817bbc06c60416db

    [InfectedFile]
    Type: Api image
    Src: C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
    md5: 66a685b05066683621920bc14a45cfe8

    Is this the info you needed from the TDSSKiller?

    What should I do now?
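A small parser for the TDSSKiller object summary pasted above, added here as an example that is neither from this thread nor from Kaspersky's tool: it pulls out objects the tool marks "Forged file" and any path whose Raw image and Api image md5 values disagree, which is the mismatch behind that state. The sample text is constructed from the output in this post.

```python
import re

# Constructed sample input: the TDSSKiller output pasted in post #12 above.
SAMPLE_OUTPUT = r"""
[InfectedObject]
Type: Service
Name: ialm
Type: Kernel driver (0x1)
Start: Demand (0x3)
ImagePath: system32\DRIVERS\igxpmp32.sys
Suspicious states: Forged file;

[InfectedFile]
Type: Raw image
Src: C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
md5: a65214c4625d25b9817bbc06c60416db

[InfectedFile]
Type: Api image
Src: C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
md5: 66a685b05066683621920bc14a45cfe8
"""

def parse_blocks(text):
    # Each "[Header]" line starts a block; fields stay an ordered list because a
    # block may repeat a key (the Service block above has two "Type:" lines).
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = {"kind": header.group(1), "fields": []}
            blocks.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")  # first colon only, so "C:\..." survives
            current["fields"].append((key.strip(), value.strip()))
    return blocks

def forged_objects(blocks):
    # Names of InfectedObject entries whose "Suspicious states" include "Forged file".
    names = []
    for b in blocks:
        fields = dict(b["fields"])  # duplicate keys: last value wins; Name is unique
        if b["kind"] == "InfectedObject" and "Forged file" in fields.get("Suspicious states", ""):
            names.append(fields.get("Name", "<unnamed>"))
    return names

def image_hash_mismatches(blocks):
    # Map Src -> (raw md5, api md5) for paths whose Raw image and Api image hashes
    # disagree: what the file API hands back is not what is actually on disk.
    by_src = {}
    for b in blocks:
        if b["kind"] == "InfectedFile":
            f = dict(b["fields"])
            by_src.setdefault(f.get("Src"), {})[f.get("Type")] = f.get("md5", "").lower()
    mismatches = {}
    for src, hashes in by_src.items():
        raw, api = hashes.get("Raw image"), hashes.get("Api image")
        if raw and api and raw != api:
            mismatches[src] = (raw, api)
    return mismatches
```

This reads the pasted summary only, not the timestamped report.txt that the -l switch writes.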
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    This is only part of the TDSSKiller program. You need to continue with this step:

    This is where you stopped: [o] The utility outputs a list of detected objects with description.
    You need to continue with these steps:

    • [o] The utility automatically selects an action (Cure or Delete) for malicious objects.
      [o] The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
    • The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    ============================================
    The problem file, igxpmp32.sys (Intel Graphics Miniport Driver), belongs to the Intel Graphics Accelerator Drivers for Windows NT(R) by Intel Corporation (www.intel.com). If you look at Post #1 > 2010/10/20 16:01:38.0191 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
    here: http://forums.malwarebytes.org/index.php?showtopic=65466

    IF you still have a problem producing the full log, do this:
    Go to Start ->Run. Type/Copy and Paste the following text into the prompt:
    Code:
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
    
    • This will have the program write a detailed log
    • The screen will resemble this black screen:
    • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
    • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
    • A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).
    • Follow the prompts and attach the report to your next reply.
     