[Inactive] Could someone please assist me with an HTTP Tidserv Request


Chassa

Hello All,

I know I'm in a good place here.

I have a serious problem with my computer. I've tried several (thought to be) virus killers, but none have been effective. I have Norton Anti Virus, which has helped in blocking the hijacking somewhat, but I need to get rid of this thing.

My computer's been acting crazy! It freezes in the middle of my work, it redirects me to pages I haven't searched for and don't want to see, it boots up very slow, then my windows freeze and it takes me at least an hour to shut my computer down properly.

Anyway, Norton Anti Virus has detected HTTP Tidserv Request, a trojan hijacker. That's exactly what this virus does, it hijacks my computer! Windows even pop up for no apparent reason. I really need to kill this thing!

Any suggestions on malware removal would be much appreciated! Thank you!
 
If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Hi Bobbye,
Thank you for helping me. I truly appreciate it! That went amazingly smoother than I expected. Here's the first log. I will follow the other directions on the 8 steps and get back with you on the next two logs as well. Again, thank you!

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4368

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

8/1/2010 9:16:53 AM
mbam-log-2010-08-01 (09-16-53).txt

Scan type: Quick scan
Objects scanned: 8357
Time elapsed: 5 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Norton Anti Virus has detected HTTP Tidserv Request, a trojan hijacker.
Look at both of the Alert images below. The content of the 'Activity' box is different.

#1 is incoming traffic:
[image: Norton alert, incoming HTTP Tidserv Request]

#2 is outgoing. Which are you seeing?
[image: Norton alert, outgoing HTTP Tidserv Request]

Courtesy Norton Community.
 
Bobbye,

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-01 12:33:57
Windows 5.1.2600 Service Pack 3
Running: gqhiezkl.exe; Driver: C:\DOCUME~1\Marvin\LOCALS~1\Temp\fgndyfog.sys


---- System - GMER 1.0.15 ----

SSDT 82CFC4F8 ZwAlertResumeThread
SSDT 82CFC5B8 ZwAlertThread
SSDT 82811798 ZwAllocateVirtualMemory
SSDT 82DD40E8 ZwAssignProcessToJobObject
SSDT 82D0CD98 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xEC6E0210]
SSDT 82DA4180 ZwCreateMutant
SSDT 82F4F190 ZwCreateSymbolicLinkObject
SSDT 82F4ABA8 ZwCreateThread
SSDT 82DD41C8 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xEC6E0490]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xEC6E09F0]
SSDT 82D61798 ZwDuplicateObject
SSDT 828B87F8 ZwFreeVirtualMemory
SSDT 82DA4270 ZwImpersonateAnonymousToken
SSDT 82CFC418 ZwImpersonateThread
SSDT 82CE6E90 ZwLoadDriver
SSDT 828B8718 ZwMapViewOfSection
SSDT 82DA40A0 ZwOpenEvent
SSDT 82864300 ZwOpenProcess
SSDT 82808058 ZwOpenProcessToken
SSDT 82DD1150 ZwOpenSection
SSDT 82D63710 ZwOpenThread
SSDT 82F4F260 ZwProtectVirtualMemory
SSDT 82D99758 ZwResumeThread
SSDT 82833588 ZwSetContextThread
SSDT 82833668 ZwSetInformationProcess
SSDT 82DD4008 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xEC6E0C40]
SSDT 82DD1230 ZwSuspendProcess
SSDT 82D99838 ZwSuspendThread
SSDT 82CFA3D0 ZwTerminateProcess
SSDT 82D99918 ZwTerminateThread
SSDT 828B8638 ZwUnmapViewOfSection
SSDT 828116C8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 98 804E2704 4 Bytes CALL 44D10449
.text ntoskrnl.exe!_abnormal_termination + 15C 804E27C8 1 Byte [98]
.text ntoskrnl.exe!_abnormal_termination + 240 804E28AC 1 Byte [50]
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[784] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[784] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[784] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\System32\svchost.exe[1500] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[1500] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1500] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1500] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C
.text C:\WINDOWS\System32\svchost.exe[1500] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01AD000A
.text C:\WINDOWS\System32\svchost.exe[1500] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00AF000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----


I'm going to look at the anti virus on Norton to see which one it is.
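
An added example, not part of this thread and not GMER's own code: a small Python triage pass over GMER 1.0.15 text output of the kind posted above. It parses the SSDT, "Kernel code sections" and "User code sections" lines and separates hooks that GMER attributed to a named driver image from hooks that are only an address, and it singles out kernel-code patches whose branch target lies below the kernel base. The kernel/user address split (0x80000000 on 32-bit XP without the /3GB switch), the severity labels and the notes are my assumptions; the output is a work list for a human, not a verdict about any line. The sample lines are a subset copied from the GMER log above.

```python
"""Triage helper for GMER 1.0.15 text output (added example, not GMER code).

Parses the SSDT, 'Kernel code sections' and 'User code sections' lines and
sorts each hook into: attributed to a named driver (info), address only
(review), or kernel code branching to a user-range address (high).
Assumptions: 32-bit XP with the default 2 GB/2 GB split, so kernel space
starts at 0x80000000; severities are a work list for a human, not a verdict.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

KERNEL_BASE = 0x80000000  # assumption: no /3GB switch

# "SSDT 82CFC4F8 ZwAlertResumeThread"
# "SSDT \??\C:\...\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xEC6E0210]"
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<where>\S+)\s+(?:\((?P<desc>.+?)\)\s+)?(?P<func>Zw\w+)"
    r"(?:\s+\[0x(?P<target>[0-9A-Fa-f]+)\])?\s*$")
# ".text C:\WINDOWS\Explorer.EXE[784] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A"
USER_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<mod>\S+)!(?P<sym>\S+(?: \+ [0-9A-Fa-f]+)?)"
    r"\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes?\s+(?P<detail>.+?)\s*$")
# ".text ntoskrnl.exe!_abnormal_termination + 98 804E2704 4 Bytes CALL 44D10449"
KERN_RE = re.compile(
    r"^\.text\s+(?P<mod>\S+)!(?P<sym>\S+(?: \+ [0-9A-Fa-f]+)?)"
    r"\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes?\s+(?P<detail>.+?)\s*$")
# "? SYMDS.SYS The system cannot find the file specified. !"
UNREAD_RE = re.compile(r"^\?\s+(?P<mod>\S+)\s+(?P<msg>.+?)\s*!$")
BRANCH_RE = re.compile(r"^(?:JMP|CALL)\s+(?P<target>[0-9A-Fa-f]{8})$")
HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class Finding:
    severity: str  # "info", "review" or "high"
    kind: str      # "ssdt", "kernel", "user" or "unread"
    subject: str
    note: str


def _branch_target(detail: str) -> Optional[int]:
    m = BRANCH_RE.match(detail)
    return int(m.group("target"), 16) if m else None


def _ssdt(m) -> Finding:
    where, desc, func = m.group("where"), m.group("desc"), m.group("func")
    if desc:  # GMER resolved the handler to a driver image with version info
        return Finding("info", "ssdt", func, f"handler in {where} ({desc})")
    if HEX8_RE.match(where):
        addr = int(where, 16)
        sev = "review" if addr >= KERNEL_BASE else "high"
        return Finding(sev, "ssdt", func,
                       f"unattributed handler at {addr:08X}; resolve against the loaded driver list")
    return Finding("review", "ssdt", func, f"handler in {where} with no version info")


def _patch(kind: str, subject: str, m) -> Finding:
    detail = m.group("detail")
    target = _branch_target(detail)
    if target is None:  # raw byte differences, e.g. "[84]", no branch to follow
        return Finding("review", kind, subject,
                       f"{m.group('n')} byte(s) at {m.group('addr')} differ from the on-disk image: {detail}")
    if kind == "kernel" and target < KERNEL_BASE:
        return Finding("high", kind, subject,
                       f"kernel code at {m.group('addr')} branches to user-range address {target:08X}")
    return Finding("review", kind, subject,
                   f"inline hook at {m.group('addr')} -> {target:08X}; identify the module owning that page")


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per hook/patch line; other GMER lines are ignored."""
    out: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if (m := SSDT_RE.match(line)):
            out.append(_ssdt(m))
        elif (m := USER_RE.match(line)):
            subject = f"{m.group('proc')}[{m.group('pid')}] {m.group('mod')}!{m.group('sym')}"
            out.append(_patch("user", subject, m))
        elif (m := KERN_RE.match(line)):
            out.append(_patch("kernel", f"{m.group('mod')}!{m.group('sym')}", m))
        elif (m := UNREAD_RE.match(line)):
            out.append(Finding("info", "unread", m.group("mod"),
                               f"GMER could not open the image: {m.group('msg')}"))
    return out


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity."""
    return dict(Counter(f.severity for f in findings))


# Sample lines copied from the GMER log posted above (a subset, not the whole log).
SAMPLE = r"""
SSDT 82CFC4F8 ZwAlertResumeThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xEC6E0210]
.text ntoskrnl.exe!_abnormal_termination + 98 804E2704 4 Bytes CALL 44D10449
.text C:\WINDOWS\Explorer.EXE[784] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\System32\svchost.exe[1500] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
? SYMDS.SYS The system cannot find the file specified. !
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
""".strip().splitlines()

if __name__ == "__main__":
    order = {"high": 0, "review": 1, "info": 2}
    for f in sorted(triage(SAMPLE), key=lambda f: order[f.severity]):
        print(f"[{f.severity:6}] {f.kind:6} {f.subject}: {f.note}")
```

Feed it the whole GMER log (`triage(open("gmer.txt").readlines())`) and work the "high" and "review" entries from the top: an unattributed SSDT address is resolved by comparing it with the load ranges of the drivers in the DDS "SERVICES / DRIVERS" list, and a user-mode JMP target is resolved by asking which module, if any, owns that page in the hooked process. Security products hook many of the same functions (the SYMEVENT.SYS entries above show what an attributed hook looks like), which is why attribution, not the hook itself, decides the outcome.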
 
Bobbye,

I had one problem while I was running this program. I was trying to temporarily disable the Norton Anti Virus, but I think because I disabled it a couple of times already within a short time period, they somehow prevented me from being able to do it again. I couldn't get into the settings. Crazy, isn't it?! Please let me know if the program was still able to read.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Marvin at 14:47:35.65 on Sun 08/01/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.150 [GMT -7:00]

AV: Norton AntiVirus Online *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Qwest\Desktop\QwestTouchPointAgent.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe
C:\Program Files\Qwest\Quickcare\bin\sprtsvc.exe
C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe
C:\Program Files\Qwest\Quickcare\bin\tgsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Marvin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uWindow Title = Windows Internet Explorer provided by Qwest
uDefault_Page_URL = hxxp://qwest.live.com
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.7.0.12\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [QwestTouchPointAgent] "c:\program files\qwest\desktop\QwestTouchPointAgent.exe" /autostart
mRun: [QuickCare] c:\program files\qwest\quickcare\bin\sprtcmd.exe /P QuickCare
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
StartupFolder: c:\docume~1\marvin\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
IE: &Search
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: google.com\www
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1280405844452
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1107000.00c\symds.sys [2010-7-28 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1107000.00c\symefa.sys [2010-7-28 173104]
R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\drivers\tdrpm258.sys [2010-7-29 911680]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.5.0.127\definitions\bashdefs\20100709.001\BHDrvx86.sys [2010-7-9 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1107000.00c\cchpx86.sys [2010-7-28 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1107000.00c\ironx86.sys [2010-7-28 116784]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2010-7-29 2480048]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.7.0.12\ccsvchst.exe [2010-7-28 126392]
R2 sprtsvc_quickcare;SupportSoft Sprocket Service (quickcare);c:\program files\qwest\quickcare\bin\sprtsvc.exe [2010-7-27 206120]
R2 tgsrvc_quickcare;SupportSoft Repair Service (quickcare);c:\program files\qwest\quickcare\bin\tgsrvc.exe [2010-7-27 185640]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2010-7-29 160704]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-28 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.5.0.127\definitions\ipsdefs\20100730.001\IDSXpx86.sys [2010-7-31 331640]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.5.0.127\definitions\virusdefs\20100801.003\NAVENG.SYS [2010-8-1 85424]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.5.0.127\definitions\virusdefs\20100801.003\NAVEX15.SYS [2010-8-1 1362608]
S0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys --> c:\windows\system32\drivers\avgarkt.sys [?]
S1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\avgarcln.sys --> c:\windows\system32\drivers\AvgArCln.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-26 136176]
S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2008-9-1 92550]

=============== Created Last 30 ================

2010-08-01 17:24:18 0 d-----w- c:\docume~1\marvin\applic~1\Tific
2010-07-30 09:57:28 0 d-----w- c:\program files\Trend Micro
2010-07-30 00:42:38 0 d-----w- c:\docume~1\marvin\applic~1\Malwarebytes
2010-07-29 23:52:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-29 23:52:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-29 23:52:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-29 23:52:07 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-29 22:19:49 160704 ----a-w- c:\windows\system32\drivers\afcdp.sys
2010-07-29 22:17:49 911680 ----a-w- c:\windows\system32\drivers\tdrpm258.sys
2010-07-29 22:17:11 581984 ----a-w- c:\windows\system32\drivers\timntr.sys
2010-07-29 22:16:14 166272 ----a-w- c:\windows\system32\drivers\snapman.sys
2010-07-28 07:26:36 0 d-sh--w- c:\documents and settings\marvin\PrivacIE
2010-07-28 07:12:51 0 d-sh--w- c:\documents and settings\marvin\IETldCache
2010-07-28 07:08:14 216266 ----a-w- c:\windows\WLIcon.ico
2010-07-28 06:51:32 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-07-28 06:51:31 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2010-07-28 06:41:10 0 d-----w- c:\program files\common files\SupportSoft
2010-07-28 06:36:36 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-07-28 06:36:36 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-07-28 06:36:36 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-07-28 06:36:36 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-07-28 06:36:35 0 d-----w- c:\program files\Symantec
2010-07-28 06:36:35 0 d-----w- c:\program files\common files\Symantec Shared
2010-07-28 06:33:57 0 d-----w- c:\windows\system32\drivers\NAV
2010-07-28 06:33:39 0 d-----w- c:\program files\Norton AntiVirus
2010-07-28 06:33:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-07-28 06:33:21 0 d-----w- c:\program files\NortonInstaller
2010-07-28 06:33:21 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-07-28 06:22:49 0 d-----w- c:\program files\Qwest
2010-07-28 06:01:00 0 d-----w- c:\program files\Eusing Free Registry Cleaner
2010-07-28 05:52:40 0 d-----w- c:\docume~1\marvin\applic~1\Uniblue
2010-07-26 19:12:19 0 d-----w- C:\SpeedItup-Checkup
2010-07-26 18:51:01 737280 ----a-w- c:\windows\iun6002.exe
2010-07-26 18:50:58 0 d-----w- C:\spywarebegone
2010-07-26 18:50:55 170 ----a-w- c:\windows\spywarebegone-fullversion-installed.html
2010-07-26 17:45:24 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-26 17:08:55 0 d-----w- C:\ProgramData
2010-07-26 17:08:55 0 d-----w- c:\program files\Angle Interactive
2010-07-26 10:05:29 96512 ----a-w- c:\windows\system32\drivers\mqzkbvtn.sys
2010-07-26 07:28:43 0 d-----w- c:\docume~1\marvin\applic~1\Error Fix
2010-07-26 07:27:31 0 d-----w- c:\program files\Error Fix
2010-07-26 07:25:47 0 d-----w- c:\program files\Downloaded Installers
2010-07-26 07:15:14 0 d-----w- c:\windows\system32\MpEngineStore
2010-07-26 07:08:42 172 ----a-w- c:\windows\system32\MRT.INI
2010-07-25 22:38:19 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-25 22:37:50 0 d-----w- c:\program files\Angel Writer
2010-07-25 22:37:49 0 d-----w- c:\program files\RoughDraft
2010-07-25 22:36:19 0 d-----w- c:\program files\SigmaTel
2010-07-25 22:36:12 0 d-----w- c:\program files\yWriter5
2010-07-25 22:33:03 0 d-----w- c:\windows\XSxS
2010-07-25 22:33:03 0 d-----w- c:\program files\Xenocode
2010-07-25 22:07:42 0 d-----w- c:\docume~1\marvin\applic~1\Hotbar(2)
2010-07-25 21:36:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Toolbar4
2010-07-25 21:35:48 0 d-----w- c:\program files\Search Toolbar
2010-07-25 21:30:28 0 d-----w- c:\program files\MyWebSearch(2)
2010-07-25 17:45:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-25 17:08:54 0 d-----w- c:\docume~1\alluse~1\applic~1\XoftSpySE
2010-07-25 16:11:38 16384 ---ha-w- C:\SZKGFS.dat
2010-07-25 16:05:47 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-07-25 16:02:56 0 d-----w- c:\program files\common files\iS3
2010-07-25 16:02:55 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-07-25 12:26:06 882 ----a-w- c:\windows\RegSDImport.xml
2010-07-25 12:26:06 879 ----a-w- c:\windows\RegISSImport.xml
2010-07-25 12:26:05 131 ----a-w- c:\windows\IDB.zip
2010-07-25 12:26:04 1152444 ----a-w- c:\windows\UDB.zip
2010-07-25 12:24:45 0 d-----w- c:\program files\Spyware Doctor
2010-07-25 12:24:45 0 d-----w- c:\program files\common files\PC Tools
2010-07-25 10:46:28 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-15 16:29:32 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-15 00:14:56 0 d-----w- c:\docume~1\alluse~1\applic~1\Qwest

==================== Find3M ====================

2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll

============= FINISH: 14:50:42.39 ===============
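
An added example, not from this thread and not DDS code: a triage pass over a DDS log in the format posted above. It pulls out three things a helper otherwise reads off the log by hand: Trusted Zone entries in the Pseudo HJT Report, service and driver entries whose file DDS could not find (the `... --> path [?]` form), and files created under system32\drivers in the "Created Last 30" list whose names look random. The random-name rule (eight or more letters, fewer than 20% vowels) is a rough assumption of mine, not a DDS feature, and a hit means "check the signer and the owning service", not "malicious". The sample lines are a subset copied from the DDS log above.

```python
r"""Triage helper for DDS logs in the format posted above (added example, not DDS code).

Flags the items a helper reads off the log by hand:
  * Trusted Zone entries in the Pseudo HJT Report,
  * service/driver entries whose file DDS could not find ("... --> path [?]"),
  * files created under system32\drivers in the last 30 days whose names
    look random (vowel-ratio rule: an assumption of mine, not a DDS feature).
Every hit is "check this", never "malicious".
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List

# "============== Pseudo HJT Report ==============="
SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
# "BHO: Ask Toolbar: {d4027c7f-...} - c:\program files\ask.com\GenericAskToolbar.dll"
BHO_RE = re.compile(r"^BHO:\s*(?P<name>.+?):\s*\{(?P<clsid>[0-9a-fA-F-]+)\}\s*-\s*(?P<path>.+?)\s*$")
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(?P<site>\S+)")
# "S0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\...\avgarkt.sys --> c:\...\avgarkt.sys [?]"
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.+?)\s*$")
# "2010-07-26 10:05:29 96512 ----a-w- c:\windows\system32\drivers\mqzkbvtn.sys"
CREATED_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+(?P<attr>\S+)\s+(?P<path>.+?)\s*$")
DRIVER_DIR = "\\windows\\system32\\drivers\\"
VOWELS = set("aeiou")


@dataclass
class Finding:
    severity: str  # "info" or "review"
    kind: str
    subject: str
    note: str


def looks_random(stem: str) -> bool:
    """Rough heuristic (assumption): 8+ letters only, fewer than 20% vowels."""
    stem = stem.lower()
    if not stem.isalpha() or len(stem) < 8:
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.2


def triage_dds(lines: Iterable[str]) -> List[Finding]:
    """Walk the log section by section and collect review items."""
    out: List[Finding] = []
    section = ""
    for raw in lines:
        line = raw.strip()
        if (m := SECTION_RE.match(line)):
            section = m.group("name")
            continue
        if section == "Pseudo HJT Report":
            if (m := BHO_RE.match(line)):
                out.append(Finding("info", "bho", m.group("name"), m.group("path")))
            elif (m := TRUSTED_RE.match(line)):
                out.append(Finding("review", "trusted-zone", m.group("site"),
                                   "site gets the Trusted Zone's relaxed IE settings; "
                                   "remove unless it was added deliberately"))
        elif section == "SERVICES / DRIVERS":
            if (m := SERVICE_RE.match(line)) and m.group("rest").endswith("[?]"):
                out.append(Finding("review", "orphan-service", m.group("name"),
                                   f"{m.group('state')} entry whose file DDS could not find: {m.group('rest')}"))
        elif section == "Created Last 30":
            if (m := CREATED_RE.match(line)) and not m.group("attr").startswith("d"):
                path = m.group("path").lower()
                folder, _, fname = path.rpartition("\\")
                stem = fname.rsplit(".", 1)[0]
                if (folder + "\\").endswith(DRIVER_DIR) and looks_random(stem):
                    out.append(Finding("review", "new-driver", m.group("path"),
                                       f"created {m.group('stamp')}, {m.group('size')} bytes, "
                                       "random-looking name; check signer and owning service"))
    return out


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity."""
    return dict(Counter(f.severity for f in findings))


# Sample lines copied from the DDS log posted above (a subset, not the whole log).
SAMPLE = r"""
============== Pseudo HJT Report ===============
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
Trusted Zone: google.com\www
============= SERVICES / DRIVERS ===============
R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\drivers\tdrpm258.sys [2010-7-29 911680]
S0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys --> c:\windows\system32\drivers\avgarkt.sys [?]
=============== Created Last 30 ================
2010-07-29 23:52:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-26 10:05:29 96512 ----a-w- c:\windows\system32\drivers\mqzkbvtn.sys
2010-07-26 07:27:31 0 d-----w- c:\program files\Error Fix
============= FINISH: 14:50:42.39 ===============
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage_dds(SAMPLE):
        print(f"[{f.severity:6}] {f.kind:14} {f.subject}: {f.note}")
```

The three rules are deliberately narrow: an orphaned service entry is only noise until something recreates the file, a Trusted Zone entry is a configuration weakening rather than an infection, and a driver name that fails the vowel test still has to be checked by signature and by which service loads it before anything is removed.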
 
Hi Bobbye,

I finished all of the steps. Please let me know if there's additional I should do. My computer is still slow starting up, shutting down and continues to freeze. Thank you.
 
I see that. I'm checking the logs now. In the meantime, please go ahead and run the following. NOTE: Norton should be disabled for both:
(Images courtesy rev_Olie)
NORTON ANTIVIRUS
Please navigate to the system tray in the bottom right-hand corner and look for the Norton icon [image: norton.png].
  • right-click it -> choose "Disable Auto-Protect."
  • select a duration of 5 hours (this assures no interference with the cleanup of your PC)
  • click "OK."
  • a popup will warn that protection will now be disabled and the icon will now look like this: [image: norton_disabled.png]
You have successfully disabled the Norton AntiVirus guard.
SYMANTEC ENDPOINT PROTECTION
Right-click on the icon in the taskbar notification area & select "Disable Symantec EndPoint Protection". [image: EndPoint.gif]

======================================
Please download ComboFix from Here and save it to your Desktop.

  [1]. Do NOT rename ComboFix unless instructed.
  [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  [3]. Close any open browsers.
  [4]. Double-click combofix.exe & follow the prompts to run.
  • NOTE: ComboFix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If ComboFix asks you to install the Recovery Console, please allow it.
  [6]. If ComboFix asks you to update the program, always allow it.
  • Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
  [7]. A report will be generated after the scan. Please paste C:\ComboFix.txt in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, including your antivirus software, when you're done with ComboFix.
==========================================
Run the Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  4. When asked, allow the ActiveX control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.(OK to attach this one)

Remove this from the Trusted Zone: Trusted Zone: google.com\www
Control Panel> Internet Options> Security tab> click on Trusted Zone> Sites> highlight and delete this site.
 
Here's the attachment...

Hi Bobbye,

I hope this is the right attachment! Please let me know if it isn't.

In addition, I was informed by Norton Anti Virus that I have 2 "Backdoor.Tidserv" infections that require "manual removal" (see attachment: Eset.txt). Please let me know what I should do about those. Thank you. I will keep checking back to hear from you.

Sincerely,

Chassa
 
After I see the online scan, I'll check it and the ComboFix log and see what needs to be done. I will not be able to do it tonight, so take your time, run the scan. I know what Norton is telling you; it's telling everyone who has the program the same thing! Apparently they put in an update that is making these alerts pop up. When the screen comes up again, click on the Stop Notifying Me button.
 
Bobbye,

That is fine. I understand if you're unable to work on this tonight. You have a good evening. I will check back again.

Thank you,
Chassa
 
Message from Bobbye:

Due to family matters that require my time and efforts, I am unable to continue helping with malware cleaning at this time. If and when these matters are resolved, I will return to the board.

Since the only other helper in the Virus and Malware forum is Broni, I will ask him to pickup the open threads I have going, if and when he can.

========================================================================

How is your computer doing at the moment?

Please uninstall Ask.com, as it's considered adware.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
C:\SZKGFS.dat


Folder::
c:\documents and settings\Marvin\Application Data\Uniblue
c:\program files\MyWebSearch(2)
c:\documents and settings\All Users\Application Data\SITEguard
c:\program files\Common Files\iS3
c:\documents and settings\All Users\Application Data\STOPzilla!


Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.gif, dragging CFScript.txt onto ComboFix.exe]



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 