1. TechSpot is dedicated to computer enthusiasts and power users. Ask a question and give support. Join the community here.
    TechSpot is dedicated to computer enthusiasts and power users.
    Ask a question and give support.
    Join the community here, it only takes a minute.
    Dismiss Notice

[Inactive] Could someone please assist me with a http tidsev request

By Chassa ยท 13 replies
Jul 30, 2010
  1. Hello All,

    I know I'm in a good place here.

    I have a serious problem with my computer. I've tried several (thought to be) virus killers, but none have been effective. I have Norton Anti Virus which has helped in blocking the hyjacking somewhat but I need to get rid of this thing.

    My computer's been acting crazy! It freezes in the middle of my work, it redirects me to pages I haven't searched for and don't want to see, it boots up very slow, then my windows freeze and it takes me at least an hour to shut my computer down properly.

    Anyway, Norton Anti Virus has detected http tidserv request, a trojan hyjacker. That's exactly what this virus does, it hyjacks my computer! Windows even pop up for no apparent reason. I really need to kill this thing!

    Any suggestions on malware removal would be much appreciated! Thank you!
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply .

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
  3. Chassa

    Chassa TS Rookie Topic Starter

    Hi Bobbye,
    Thank you for helping me. I truly appreciate it! That went amazingly smoother than I expected. Here's the first log. I will follow the other directions on the 8 steps and get back with you on the next two logs as well. Again, thank you!

    Malwarebytes' Anti-Malware 1.46

    Database version: 4368

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    8/1/2010 9:16:53 AM
    mbam-log-2010-08-01 (09-16-53).txt

    Scan type: Quick scan
    Objects scanned: 8357
    Time elapsed: 5 minute(s), 33 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Norton Anti Virus has detected http tidserv request, a trojan hyjacker.
    Look at both of the Alert images below. The content of the 'Activity' box is different.

    #1 is incoming traffic:

    #2 is outgoing. Which are you seeing?

    Courtesy Norton Community.
  5. Chassa

    Chassa TS Rookie Topic Starter


    GMER - http://www.gmer.net
    Rootkit scan 2010-08-01 12:33:57
    Windows 5.1.2600 Service Pack 3
    Running: gqhiezkl.exe; Driver: C:\DOCUME~1\Marvin\LOCALS~1\Temp\fgndyfog.sys

    ---- System - GMER 1.0.15 ----

    SSDT 82CFC4F8 ZwAlertResumeThread
    SSDT 82CFC5B8 ZwAlertThread
    SSDT 82811798 ZwAllocateVirtualMemory
    SSDT 82DD40E8 ZwAssignProcessToJobObject
    SSDT 82D0CD98 ZwConnectPort
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xEC6E0210]
    SSDT 82DA4180 ZwCreateMutant
    SSDT 82F4F190 ZwCreateSymbolicLinkObject
    SSDT 82F4ABA8 ZwCreateThread
    SSDT 82DD41C8 ZwDebugActiveProcess
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xEC6E0490]
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xEC6E09F0]
    SSDT 82D61798 ZwDuplicateObject
    SSDT 828B87F8 ZwFreeVirtualMemory
    SSDT 82DA4270 ZwImpersonateAnonymousToken
    SSDT 82CFC418 ZwImpersonateThread
    SSDT 82CE6E90 ZwLoadDriver
    SSDT 828B8718 ZwMapViewOfSection
    SSDT 82DA40A0 ZwOpenEvent
    SSDT 82864300 ZwOpenProcess
    SSDT 82808058 ZwOpenProcessToken
    SSDT 82DD1150 ZwOpenSection
    SSDT 82D63710 ZwOpenThread
    SSDT 82F4F260 ZwProtectVirtualMemory
    SSDT 82D99758 ZwResumeThread
    SSDT 82833588 ZwSetContextThread
    SSDT 82833668 ZwSetInformationProcess
    SSDT 82DD4008 ZwSetSystemInformation
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xEC6E0C40]
    SSDT 82DD1230 ZwSuspendProcess
    SSDT 82D99838 ZwSuspendThread
    SSDT 82CFA3D0 ZwTerminateProcess
    SSDT 82D99918 ZwTerminateThread
    SSDT 828B8638 ZwUnmapViewOfSection
    SSDT 828116C8 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!_abnormal_termination + 98 804E2704 4 Bytes CALL 44D10449
    .text ntoskrnl.exe!_abnormal_termination + 15C 804E27C8 1 Byte [98]
    .text ntoskrnl.exe!_abnormal_termination + 240 804E28AC 1 Byte [50]
    ? SYMDS.SYS The system cannot find the file specified. !
    ? SYMEFA.SYS The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[784] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
    .text C:\WINDOWS\Explorer.EXE[784] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
    .text C:\WINDOWS\Explorer.EXE[784] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
    .text C:\WINDOWS\System32\svchost.exe[1500] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
    .text C:\WINDOWS\System32\svchost.exe[1500] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
    .text C:\WINDOWS\System32\svchost.exe[1500] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
    .text C:\WINDOWS\System32\svchost.exe[1500] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C
    .text C:\WINDOWS\System32\svchost.exe[1500] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01AD000A
    .text C:\WINDOWS\System32\svchost.exe[1500] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00AF000A

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis)

    Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

    ---- EOF - GMER 1.0.15 ----

    I'm going to look at the anti virus on Norton to see which one it is.
  6. Chassa

    Chassa TS Rookie Topic Starter


    It is #2, but of course with a different IP.
  7. Chassa

    Chassa TS Rookie Topic Starter


    I had one problem while I was running this program. I was trying to temporarily disable the Norton Anti Virus, but I think because I disabled it a couple of times already within a short time period, they somehow prevented me from being able to do it again. I couldn't get into the settings. Crazy, isn't it?! Please let me know if the program was still able to read.

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Marvin at 14:47:35.65 on Sun 08/01/2010
    Internet Explorer: 7.0.5730.13
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.150 [GMT -7:00]

    AV: Norton AntiVirus Online *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Qwest\Desktop\QwestTouchPointAgent.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Norton AntiVirus\Engine\\ccSvcHst.exe
    C:\Program Files\Qwest\Quickcare\bin\sprtsvc.exe
    C:\Program Files\Norton AntiVirus\Engine\\ccSvcHst.exe
    C:\Program Files\Qwest\Quickcare\bin\tgsrvc.exe
    C:\Documents and Settings\Marvin\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uWindow Title = Windows Internet Explorer provided by Qwest
    uDefault_Page_URL = hxxp://qwest.live.com
    uInternet Settings,ProxyOverride = <local>
    mWinlogon: Userinit=c:\windows\system32\userinit.exe
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\\IPSBHO.DLL
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
    mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
    mRun: [Apoint] c:\program files\apoint\Apoint.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
    mRun: [QwestTouchPointAgent] "c:\program files\qwest\desktop\QwestTouchPointAgent.exe" /autostart
    mRun: [QuickCare] c:\program files\qwest\quickcare\bin\sprtcmd.exe /P QuickCare
    mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
    mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
    StartupFolder: c:\docume~1\marvin\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    IE: &Search
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    Trusted Zone: google.com\www
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1280405844452
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: igfxcui - igfxsrvc.dll

    ============= SERVICES / DRIVERS ===============

    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1107000.00c\symds.sys [2010-7-28 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1107000.00c\symefa.sys [2010-7-28 173104]
    R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\drivers\tdrpm258.sys [2010-7-29 911680]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.5.0.127\definitions\bashdefs\20100709.001\BHDrvx86.sys [2010-7-9 691248]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1107000.00c\cchpx86.sys [2010-7-28 501888]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1107000.00c\ironx86.sys [2010-7-28 116784]
    R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2010-7-29 2480048]
    R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\\ccsvchst.exe [2010-7-28 126392]
    R2 sprtsvc_quickcare;SupportSoft Sprocket Service (quickcare);c:\program files\qwest\quickcare\bin\sprtsvc.exe [2010-7-27 206120]
    R2 tgsrvc_quickcare;SupportSoft Repair Service (quickcare);c:\program files\qwest\quickcare\bin\tgsrvc.exe [2010-7-27 185640]
    R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2010-7-29 160704]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-28 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.5.0.127\definitions\ipsdefs\20100730.001\IDSXpx86.sys [2010-7-31 331640]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.5.0.127\definitions\virusdefs\20100801.003\NAVENG.SYS [2010-8-1 85424]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.5.0.127\definitions\virusdefs\20100801.003\NAVEX15.SYS [2010-8-1 1362608]
    S0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys --> c:\windows\system32\drivers\avgarkt.sys [?]
    S1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\avgarcln.sys --> c:\windows\system32\drivers\AvgArCln.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-26 136176]
    S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2008-9-1 92550]

    =============== Created Last 30 ================

    2010-08-01 17:24:18 0 d-----w- c:\docume~1\marvin\applic~1\Tific
    2010-07-30 09:57:28 0 d-----w- c:\program files\Trend Micro
    2010-07-30 00:42:38 0 d-----w- c:\docume~1\marvin\applic~1\Malwarebytes
    2010-07-29 23:52:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-29 23:52:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-07-29 23:52:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-29 23:52:07 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-29 22:19:49 160704 ----a-w- c:\windows\system32\drivers\afcdp.sys
    2010-07-29 22:17:49 911680 ----a-w- c:\windows\system32\drivers\tdrpm258.sys
    2010-07-29 22:17:11 581984 ----a-w- c:\windows\system32\drivers\timntr.sys
    2010-07-29 22:16:14 166272 ----a-w- c:\windows\system32\drivers\snapman.sys
    2010-07-28 07:26:36 0 d-sh--w- c:\documents and settings\marvin\PrivacIE
    2010-07-28 07:12:51 0 d-sh--w- c:\documents and settings\marvin\IETldCache
    2010-07-28 07:08:14 216266 ----a-w- c:\windows\WLIcon.ico
    2010-07-28 06:51:32 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-07-28 06:51:31 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
    2010-07-28 06:41:10 0 d-----w- c:\program files\common files\SupportSoft
    2010-07-28 06:36:36 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
    2010-07-28 06:36:36 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
    2010-07-28 06:36:36 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-07-28 06:36:36 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-07-28 06:36:35 0 d-----w- c:\program files\Symantec
    2010-07-28 06:36:35 0 d-----w- c:\program files\common files\Symantec Shared
    2010-07-28 06:33:57 0 d-----w- c:\windows\system32\drivers\NAV
    2010-07-28 06:33:39 0 d-----w- c:\program files\Norton AntiVirus
    2010-07-28 06:33:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
    2010-07-28 06:33:21 0 d-----w- c:\program files\NortonInstaller
    2010-07-28 06:33:21 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
    2010-07-28 06:22:49 0 d-----w- c:\program files\Qwest
    2010-07-28 06:01:00 0 d-----w- c:\program files\Eusing Free Registry Cleaner
    2010-07-28 05:52:40 0 d-----w- c:\docume~1\marvin\applic~1\Uniblue
    2010-07-26 19:12:19 0 d-----w- C:\SpeedItup-Checkup
    2010-07-26 18:51:01 737280 ----a-w- c:\windows\iun6002.exe
    2010-07-26 18:50:58 0 d-----w- C:\spywarebegone
    2010-07-26 18:50:55 170 ----a-w- c:\windows\spywarebegone-fullversion-installed.html
    2010-07-26 17:45:24 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-26 17:08:55 0 d-----w- C:\ProgramData
    2010-07-26 17:08:55 0 d-----w- c:\program files\Angle Interactive
    2010-07-26 10:05:29 96512 ----a-w- c:\windows\system32\drivers\mqzkbvtn.sys
    2010-07-26 07:28:43 0 d-----w- c:\docume~1\marvin\applic~1\Error Fix
    2010-07-26 07:27:31 0 d-----w- c:\program files\Error Fix
    2010-07-26 07:25:47 0 d-----w- c:\program files\Downloaded Installers
    2010-07-26 07:15:14 0 d-----w- c:\windows\system32\MpEngineStore
    2010-07-26 07:08:42 172 ----a-w- c:\windows\system32\MRT.INI
    2010-07-25 22:38:19 0 d-----w- c:\windows\system32\wbem\Repository
    2010-07-25 22:37:50 0 d-----w- c:\program files\Angel Writer
    2010-07-25 22:37:49 0 d-----w- c:\program files\RoughDraft
    2010-07-25 22:36:19 0 d-----w- c:\program files\SigmaTel
    2010-07-25 22:36:12 0 d-----w- c:\program files\yWriter5
    2010-07-25 22:33:03 0 d-----w- c:\windows\XSxS
    2010-07-25 22:33:03 0 d-----w- c:\program files\Xenocode
    2010-07-25 22:07:42 0 d-----w- c:\docume~1\marvin\applic~1\Hotbar(2)
    2010-07-25 21:36:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Toolbar4
    2010-07-25 21:35:48 0 d-----w- c:\program files\Search Toolbar
    2010-07-25 21:30:28 0 d-----w- c:\program files\MyWebSearch(2)
    2010-07-25 17:45:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2010-07-25 17:08:54 0 d-----w- c:\docume~1\alluse~1\applic~1\XoftSpySE
    2010-07-25 16:11:38 16384 ---ha-w- C:\SZKGFS.dat
    2010-07-25 16:05:47 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
    2010-07-25 16:02:56 0 d-----w- c:\program files\common files\iS3
    2010-07-25 16:02:55 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
    2010-07-25 12:26:06 882 ----a-w- c:\windows\RegSDImport.xml
    2010-07-25 12:26:06 879 ----a-w- c:\windows\RegISSImport.xml
    2010-07-25 12:26:05 131 ----a-w- c:\windows\IDB.zip
    2010-07-25 12:26:04 1152444 ----a-w- c:\windows\UDB.zip
    2010-07-25 12:24:45 0 d-----w- c:\program files\Spyware Doctor
    2010-07-25 12:24:45 0 d-----w- c:\program files\common files\PC Tools
    2010-07-25 10:46:28 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-15 16:29:32 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2010-07-15 00:14:56 0 d-----w- c:\docume~1\alluse~1\applic~1\Qwest

    ==================== Find3M ====================

    2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll

    ============= FINISH: 14:50:42.39 ===============
  8. Chassa

    Chassa TS Rookie Topic Starter

    Hi Bobbye,

    I finished all of the steps. Please let me know if there's additional I should do. My computer is still slow starting up, shutting down and continues to freeze. Thank you.
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I see that- I'm checking the logs now. In the meantime, please go ahead and run the following: NOTE: Norton should be disabled for both:
    (Images courtesy rev_Olie)
    Please navigate to the system tray on the bottom right hand corner and look for a [​IMG] sign.
    • right-click it -> chose "Disable Auto-Protect."
    • select a duration of 5 hours (this assures no interference with the cleanup of your pc)
    • click "Ok."
    • a popup will warn that protection will now be disabled and the sign will now look like this: [​IMG]
    You succesfully disabled the Norton Antivirus Guard.
    Right click on the icon in the taskbar notification area & select "Disable Symantec EndPoint Protection".
    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
    Re-enable your Antivirus software.
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.(OK to attach this one)

    Remove this from the Trusted Zone: Trusted Zone: google.com\www
    Control Panel> Internet Options> Security tab> click on Trusted Zone> Sites> highlight and delete this site.
  10. Chassa

    Chassa TS Rookie Topic Starter

    I'm finished running combo fix...


    Had a little trouble running the combo fix, but I think I worked it out fine. I'm getting ready to download the anti virus you suggested now.

    View attachment ComboFix.txt
  11. Chassa

    Chassa TS Rookie Topic Starter

    Here's the attachment...

    Hi Bobbye,

    I hope this is the right attachment! Please let me know if it isn't.

    In addition, I was informed by Norton Anti Virus that I have 2 Backdoor.Tidserv!Infections that require "manual removal" View attachment Eset.txt . Please let me know what I should do about those. Thank you. I will keep checking back to hear from you.


  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    After I see the online scan, I check it and the Combofix log and see what needs to be done. I will not be able to do it tonight, so take your time, run the scan. I know what Norton is telling you-- it's telling everyone who has the program the same thing! Apparently they put an update in that is making these alerts popup. When the screen comes up again, click on the Stop Notifying Me button.
  13. Chassa

    Chassa TS Rookie Topic Starter


    That is fine. I understand if your unable to work on this tonight. You have a good evening. I will check back again.

    Thank you,
  14. Broni

    Broni Malware Annihilator Posts: 53,860   +370

    Message from Bobbye:


    How is your computer doing at the moment?

    Please, uninstall Ask.com as it's considered as an adware.

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    c:\documents and settings\Marvin\Application Data\Uniblue
    c:\program files\MyWebSearch(2)
    c:\documents and settings\All Users\Application Data\SITEguard
    c:\program files\Common Files\iS3
    c:\documents and settings\All Users\Application Data\STOPzilla!
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...