Help on fixing the Backdoor.Tidserv.I!inf


Snowbred

Once again, another person with this messed up virus. Thanks for any help.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/30/2010 9:28:15 AM
mbam-log-2010-10-30 (09-28-15).txt

Scan type: Quick scan
Objects scanned: 126157
Time elapsed: 4 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.242,93.188.160.52 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{61129d1f-35fa-495a-bd4a-d7c81180a9af}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.242,93.188.160.52 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{73c8c644-3857-4a27-aecc-7af88aa9a68a}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.242,93.188.160.52 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-10-30 10:24:21
Windows 5.1.2600 Service Pack 3
Running: g1n2z1z4.exe; Driver: C:\DOCUME~1\Jo\LOCALS~1\Temp\uxloapow.sys


---- System - GMER 1.0.15 ----

SSDT 89845A98 ZwConnectPort

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\Drivers\OEM13Afx.sys entry point in "init" section [0xA6BD5310]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1956] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device A4A35D20

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- EOF - GMER 1.0.15 ----



DDS (Ver_10-10-21.02) - NTFSx86
Run by Jo at 10:25:23.37 on Sat 10/30/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3033.2296 [GMT -10:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r211990\stacsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\DRIVERS\o2flash.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\OEM13Mon.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Activ Software\ActivDriver\ActivControl2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Jo\Desktop\malware removal tools\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.live.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OEM13Mon.exe] c:\windows\OEM13Mon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ActivControl] c:\program files\activ software\activdriver\ActivControl2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1253663956484
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jo\applic~1\mozilla\firefox\profiles\19594ws6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=20101011031126421&tb_oid=11-10-2010&tb_mrud=11-10-2010
FF - prefs.js: browser.search.selectedEngine - AOL Search
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&tb_uuid=20101011031126421&tb_oid=11-10-2010&tb_mrud=11-10-2010&query=
FF - component: c:\documents and settings\jo\application data\mozilla\firefox\profiles\19594ws6.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\MailUtil.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\jo\local settings\application data\yahoo!\browserplus\2.4.21\plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [2010-5-26 74752]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-9-3 112512]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101029.003\naveng.sys [2010-10-29 86064]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101029.003\navex15.sys [2010-10-29 1371184]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [2009-9-3 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [2009-9-3 41760]
R3 OEM13Afx;Provides a software interface to control audio effects of OEM013 camera.;c:\windows\system32\drivers\OEM13Afx.sys [2009-9-3 141376]
R3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\drivers\OEM13Vfx.sys [2009-9-3 7424]
R3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\drivers\OEM13Vid.sys [2009-9-3 235840]
R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [2010-5-26 6144]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]

=============== Created Last 30 ================

2010-10-30 19:15:15 -------- d-----w- c:\docume~1\jo\applic~1\Malwarebytes
2010-10-30 19:15:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-30 19:15:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-30 19:15:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-30 19:15:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-29 08:43:06 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2010-10-29 08:43:06 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2010-10-11 03:11:28 -------- d-----w- c:\program files\AIM Toolbar
2010-10-11 03:11:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\AIM Toolbar
2010-10-11 03:11:26 -------- d-----w- c:\program files\common files\Software Update Utility
2010-10-11 03:11:18 -------- d-----w- c:\docume~1\jo\locals~1\applic~1\AIM
2010-10-11 03:11:17 -------- d-----w- c:\docume~1\jo\locals~1\applic~1\AOL
2010-10-11 03:11:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\AIM
2010-10-11 03:11:08 -------- d-----w- c:\program files\AIM
2010-10-11 03:11:07 -------- d-----w- c:\program files\common files\AOL

==================== Find3M ====================

2010-08-10 15:15:58 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-08-10 15:15:58 69632 ----a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 10:25:35.23 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-10-21.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 9/22/2009 12:37:24 PM
System Uptime: 10/30/2010 9:30:07 AM (1 hours ago)

Motherboard: Dell Inc. | | 0T052J
Processor: Intel(R) Core(TM)2 Duo CPU T6670 @ 2.20GHz | U2E1 | 2194/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 298 GiB total, 261.285 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) WiFi Link 5100 AGN
Device ID: PCI\VEN_8086&DEV_4232&SUBSYS_13218086&REV_00\4&492937F&0&00E2
Manufacturer: Intel Corporation
Name: Intel(R) WiFi Link 5100 AGN
PNP Device ID: PCI\VEN_8086&DEV_4232&SUBSYS_13218086&REV_00\4&492937F&0&00E2
Service: NETw5x32

==== System Restore Points ===================

RP118: 8/18/2010 8:38:05 PM - System Checkpoint
RP119: 8/20/2010 2:34:51 PM - Installed REA's TESTware for the PRAXIS Elementary Ed 0014
RP120: 8/24/2010 12:27:09 PM - Installed QuickTime
RP121: 8/29/2010 10:08:39 PM - System Checkpoint
RP122: 9/6/2010 6:09:43 PM - System Checkpoint
RP123: 9/6/2010 7:16:33 PM - Installed ActivSoftware
RP124: 9/16/2010 6:00:52 PM - Installed eBook: Elementary Education Content Knowledge Practice
RP125: 9/16/2010 6:00:59 PM - Installed Microsoft Visual C++ 2005 Redistributable
RP126: 9/20/2010 8:17:02 PM - System Checkpoint
RP127: 9/22/2010 8:46:38 PM - System Checkpoint
RP128: 9/25/2010 1:28:07 PM - System Checkpoint
RP129: 10/10/2010 9:22:08 AM - System Checkpoint
RP130: 10/17/2010 1:22:39 PM - System Checkpoint
RP131: 10/21/2010 7:23:26 PM - System Checkpoint
RP132: 10/24/2010 8:58:28 PM - System Checkpoint
RP133: 10/25/2010 9:48:12 PM - System Checkpoint
RP134: 10/27/2010 6:57:40 AM - System Checkpoint
RP135: 10/28/2010 7:16:56 AM - System Checkpoint
RP136: 10/29/2010 7:30:43 AM - System Checkpoint
RP137: 10/30/2010 7:32:33 AM - System Checkpoint

==== Installed Programs ======================

Acrobat.com
ActivDriver x86 v5.5
ActivInspire Core Resources (ENU) v1
ActivInspire Help (USA) v1
ActivInspire HWR Resources (ENU) v1
ActivInspire v1
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Advanced Audio FX Engine
Advanced Video FX Engine
AIM 7
AIM Toolbar
AiO_Scan_CDA
AiOSoftwareNPI
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Avery Wizard 3.1
Bejeweled Twist 1.0
Bonjour
BufferChm
C3100
c3100_Help
Choice Guard
CustomerResearchQFolder
Dell Support Center
Dell Touchpad
Dell Video Chat
Dell Webcam Center
Dell Webcam Manager
Destinations
DeviceManagementQFolder
DocProc
DocProcQFolder
Download Updater (AOL LLC)
eBook: Elementary Education Content Knowledge Practice Test
eSupportQFolder
Fax_CDA
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB949764)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB953955)
Hotfix for Windows XP (KB954434)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB958347)
Hotfix for Windows XP (KB959252)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Customer Participation Program 7.0
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart, Officejet and Deskjet 7.0.A
HP Software Update
HP Solution Center 7.0
HPPhotoSmartExpress
HPProductAssistant
ImgBurn
Insaniquarium Deluxe 1.1
InstantShareDevicesMFC
Intel PROSet Wireless
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless WiFi Software
iTunes
Java(TM) 6 Update 13
Junk Mail filter update
Laptop Integrated Webcam Driver (1.01.01.0529)
Live! Cam Avatar Creator
Live! Cam Avatar v1.0
LiveUpdate 2.6 (Symantec Corporation)
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.6.12)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB927977)
Nero 7 Demo
NewCopy_CDA
nLite 1.4.9.1
OCR Software by I.R.I.S 7.0
PanoStandAlone
PowerDVD DX
ProductContextNPI
QuickTime
REA's TESTware for the PRAXIS Elementary Ed 0014
Readme
Safari
Scan
ScannerCopy
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Segoe UI
Skype Toolbars
Skype™ 4.2
SolutionCenter
Sonic CinePlayer Decoder Pack
Status
Symantec AntiVirus
Synaptics Pointing Device Driver
Toolbox
TrayApp
Unload
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Outlook 2007 Junk Email Filter (kb979895)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
WebReg
WIDCOMM Bluetooth Software
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Presentation Foundation
Windows Search 4.0
WMV to AVI DIVX MP4 MPEG RMVB Converter 1.7.9
XML Paper Specification Shared Components Pack 1.0
XPS Annotator 1.22
Yahoo! BrowserPlus

==== Event Viewer Messages From Past Week ========

10/28/2010 12:01:07 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0022FB9FC868. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
10/27/2010 6:38:47 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\drivers\afd.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5657.
10/27/2010 6:38:33 AM, error: Service Control Manager [7001] - The Network Location Awareness (NLA) service depends on the AFD service which failed to start because of the following error: Access is denied.
10/27/2010 6:38:33 AM, error: Service Control Manager [7000] - The AFD service failed to start due to the following error: Access is denied.
10/27/2010 6:38:30 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD
10/27/2010 6:38:16 AM, error: Service Control Manager [7024] - The Bonjour Service service terminated with service-specific error 4294967295 (0xFFFFFFFF).
10/27/2010 6:38:16 AM, error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error 2147952450 (0x80072742).
10/27/2010 6:38:16 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: A socket operation encountered a dead network.
10/27/2010 6:38:16 AM, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: A socket operation encountered a dead network.
10/27/2010 6:38:16 AM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: %%2147952450
10/27/2010 6:38:16 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
10/27/2010 6:38:16 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
10/27/2010 6:35:59 AM, error: ACPIEC [1] - \Device\ACPIEC: The embedded controller (EC) hardware didn't respond within the timeout period. This may indicate an error in the EC hardware or firmware, or possibly a poorly designed BIOS which accesses the EC in an unsafe manner. The EC driver will retry the failed transaction if possible.
10/27/2010 11:28:43 PM, error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
10/27/2010 11:14:02 PM, error: DCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
10/27/2010 11:13:24 PM, error: Dhcp [1002] - The IP address lease 192.168.1.27 for the Network Card with network address 0022FB9FC868 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
10/26/2010 10:27:50 AM, error: Dhcp [1002] - The IP address lease 192.168.1.103 for the Network Card with network address 0022FB9FC868 has been denied by the DHCP server 128.171.1.50 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================
 
Good Morning and welcome to TechSpot. I'll help with the malware. Please understand that the more information I have, the better I can help you: the only thing you have in common with all the other members reporting this malware is that you have Norton for the AV. I'll explain that later.
  1. Why do you think you have the Backdoor.Tidserv.I!inf malware infection?
  2. No matter what you do, it won't go away- is that correct?
  3. Norton continues to advise you of having this- is that correct?
  4. Are your searches being redirected to the wrong site?
  5. Are you having a problem getting an internet connection?
==================================================
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
=============================================
Please print these directions out as you will need them to follow the steps:
You will need to do a DNS Flush, then reset your router.
Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

Exit the Command prompt when finished and shut the system down.

  [1]. Shut down your computer, and any other computer connected to your router.
  [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
  [3]. Unplug the router. Wait sixty seconds.
  [4]. Now, holding the reset button again, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
  [5]. With the router unplugged, start your computer. Run MBAM again.
  [6]. Connect to the router again. Then turn the router back on.
  [7]. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
  [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.
=====================================
Please post the answers to my questions and the logs from the scans in your next reply.
 
Bobbye,

thanks for your quick response.

Do I need to do the DNS flush from all my comps or just the infected one?

Here are my results:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/31/2010 8:34:48 AM
mbam-log-2010-10-31 (08-34-48).txt

Scan type: Quick scan
Objects scanned: 125954
Time elapsed: 2 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=1675d4f084d59442a58aafaa53074375
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-10-31 06:15:39
# local_time=2010-10-31 08:15:39 (-1000, Hawaiian Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=69799
# found=1
# cleaned=0
# scan_time=1149
C:\WINDOWS\system32\spool\prtprocs\w32x86\xG931kUO.dll Win32/Qhost.OCQ trojan 00000000000000000000000000000000 I


oh great Qhost now what?
 
Aloha. Sigh! You'll still be tucked under the covers now, but after you get up and have your breakfast, please tell me: "Why do you think you have the Backdoor.Tidserv.I!inf malware infection?"

Eset shows the Win32/Qhost.OCQ Trojan. Win32.Qhost is a family of Trojan horses that primarily replace or alter the HOSTS file, which maps the names of remote computers to their corresponding IP addresses, so we move that entry:

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Processes	
    :Files 
    C:\WINDOWS\system32\spool\prtprocs\w32x86\xG931kUO.dll
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=========================================
Follow with download of ComboFix from Here and save to your Desktop.

  [1]. Do NOT rename Combofix unless instructed.
  [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  [3]. Close any open browsers.
  [4]. Double click combofix.exe & follow the prompts to run.
  NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
  Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
==========================================
About the DNS Flush: If you have computers networked, they should each be checked for the DNSChanger; if present, their DNS should also be flushed. If not, flushing this system and resetting the router should be adequate.

I will have you replace the host files also.
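The HOSTS-file tampering and DNSChanger entries discussed above are things a defender can check for directly. The following Python script is an added example, not code from this thread or from any of the tools named in it: it parses HOSTS-file text and flags entries that hijack security or update domains, and compares a Tcpip NameServer value against the resolvers you expect. The watch-list of domains and both sample inputs are constructed assumptions, not values from this system.

```python
import ipaddress

# Illustrative watch-list of domains that HOSTS-file trojans commonly hijack to
# block updates or redirect traffic (an assumption of this example).
WATCHED_DOMAINS = ("microsoft.com", "symantec.com", "norton.com",
                   "malwarebytes.org", "eset.com", "google.com")


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every active mapping in HOSTS text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # strip comments and blank lines
        for host in fields[1:]:                 # one IP may map several names
            yield line_no, fields[0], host.lower()


def is_watched(host):
    """True when host is, or is a subdomain of, a watched domain."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_hosts_entries(text):
    """Return (line_no, host, ip, reason) for HOSTS lines worth a closer look."""
    findings = []
    for line_no, ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, host, ip, "unparseable address"))
            continue
        if host == "localhost" and addr.is_loopback:
            continue                            # the one entry a stock XP HOSTS file has
        if is_watched(host):
            reason = ("update/security site blackholed to loopback" if addr.is_loopback
                      else "update/security site redirected")
            findings.append((line_no, host, ip, reason))
    return findings


def rogue_nameservers(nameserver_value, expected):
    """Split a Tcpip\\Parameters NameServer value (comma or space separated)
    and return every resolver that is not in the expected set."""
    servers = nameserver_value.replace(",", " ").split()
    return [s for s in servers if s not in expected]


# Constructed sample HOSTS content (not taken from the thread).
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com
198.51.100.7    www.google.com
192.168.1.10    fileserver.lan
"""

if __name__ == "__main__":
    for finding in suspicious_hosts_entries(SAMPLE_HOSTS):
        print("HOSTS line %d: %s -> %s (%s)" % finding)
    # Constructed NameServer value; the router at 192.168.1.1 is the only expected resolver.
    print(rogue_nameservers("198.51.100.53,192.168.1.1", {"192.168.1.1"}))
```

On a live machine you would feed it the contents of %SystemRoot%\system32\drivers\etc\hosts and the NameServer data from the registry keys MBAM reported; any finding is a lead to investigate, not proof of infection on its own.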
 
Norton kept popping up telling me I had the backdoor virus, but now it seems to be gone (magic, I guess). Well, it at least has not popped up since I posted on this site. You guys are good (hehehe).

I have to go to work now; I will do the rest when I get home.
 
Norton will report this even if it's in the Restore points, Recycle Bin or Recycler. It may not still be active in the system. But it should be removed from any of the places I mentioned.

Norton also has an Alert screen when it blocks this intrusion attempt. It fools a lot of people into thinking they have it, and most don't realize they have the option of clicking on "Stop notifying me" in the Alert.
 
Bobbye,

Here is the OTMoveIt log, but I tried running ComboFix and the first time, 3-4 min in, the computer blue-screened; the second time the whole thing just froze. What would you recommend, keep trying, or?

All processes killed
========== PROCESSES ==========
========== FILES ==========
DllUnregisterServer procedure not found in C:\WINDOWS\system32\spool\prtprocs\w32x86\xG931kUO.dll
C:\WINDOWS\system32\spool\prtprocs\w32x86\xG931kUO.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Jo
->Temp folder emptied: 1475682 bytes
->Temporary Internet Files folder emptied: 85731 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 27962850 bytes
->Flash cache emptied: 991 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 28.00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 11022010_181212

Files moved on Reboot...

Registry entries deleted on Reboot...
 
Before you do this step:
[4]. Double click combofix.exe & follow the prompts to run.
Right click on combofix.exe> rename> change to snowbred.exe.
Now try to run the program.

A reminder that you will need to update Java(TM) 6 Update 13 -> Java(TM) 6 Update 22, then uninstall the old version in Add/Remove Programs. Here is the link to update: Java Updates
 
Bobbye,
I updated java, could not find any old ones to uninstall.
When I run ComboFix it gets past stage 50, says something about a log, then blue screens. I ran it 3 times. What do you recommend? Does it matter if I am using wireless for my Internet? It does not look like it disconnects it from the Internet.

Thanks
 
Did you rename the combofix.exe file to snowbred.exe as instructed?

If you did and it still won't run, please run the following:
  • Download the file TDSSKiller.zip and extract it (use an archiver, for example, WinZip) into a folder on the infected (or potentially infected) PC.
  • Double click TDSSKiller.exe to start the scan
  • Wait for the scan and disinfection process to be over.
    [o] The utility outputs a list of detected objects with description.
    [o] The utility automatically selects an action (Cure or Delete) for malicious objects.
    [o] The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
  • The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result.

It is necessary to reboot the PC after the disinfection is over.
 
I did rename the file and it still froze.
I ran TDSSKiller and here is what it output:
[InfectedObject]
Type: Service
Name: ialm
Type: Kernel driver (0x1)
Start: Demand (0x3)
ImagePath: system32\DRIVERS\igxpmp32.sys
Suspicious states: Forged file;

[InfectedFile]
Type: Raw image
Src: C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
md5: a65214c4625d25b9817bbc06c60416db

[InfectedFile]
Type: Api image
Src: C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
md5: 66a685b05066683621920bc14a45cfe8

Is this the info you needed from TDSSKiller?

What should I do now?
 
This is only part of the TDSSKiller program. You need to continue with this step:

This is where you stopped: [o] The utility outputs a list of detected objects with description.
You need to continue with these steps:

    [o] The utility automatically selects an action (Cure or Delete) for malicious objects.
    [o] The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
  • The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result.
============================================
The problem file, igxpmp32.sys (Intel Graphics Miniport Driver), belongs to the Intel Graphics Accelerator Drivers for Windows NT(R) by Intel Corporation (www.intel.com). Look at Post #1 (2010/10/20 16:01:38.0191 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59) here: http://forums.malwarebytes.org/index.php?showtopic=65466

IF you still have a problem producing the full log, do this:
Go to Start ->Run. Type/Copy and Paste the following text into the prompt:
Code:
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
  • This will have the program write a detailed log
  • The screen will resemble a black console screen (screenshot not reproduced here).

  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
  • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
  • A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).
  • Follow the prompts and attach the report to your next reply.
 