unable to remove backdoor.tidserv!inf virus

Post by boshnosh on 8th June 2010, 9:35 pm

Hello,

I'm not too knowledgeable with computers so please have patience with me.

Last week, I received a message from my Symantec anti-virus stating that the backdoor.tidserv!inf virus had to be removed manually. I downloaded Malwarebytes' Anti-Malware, scanned, and removed the infected files. Here is the log:

Malwarebytes' Anti-Malware 1.46

Database version: 4170

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/5/2010 2:06:49 PM
mbam-log-2010-06-05 (14-06-49).txt

Scan type: Quick scan
Objects scanned: 143181
Time elapsed: 15 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Unfortunately, the backdoor.tidserv!inf virus is still on my computer. Any help is appreciated. Thanks in advance!


Re: unable to remove backdoor.tidserv!inf virus

Post by Belahzur on 8th June 2010, 11:58 pm

Download OTL by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


Re: unable to remove backdoor.tidserv!inf virus

Post by boshnosh on 9th June 2010, 7:38 am

Hi,

OTL.txt log:

OTL logfile created on: 6/9/2010 2:58:01 AM - Run 1
OTL by OldTimer - Version 3.2.5.3 Folder = C:\Documents and Settings\Erin\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 494.00 Mb Available Physical Memory | 49.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 139.24 Gb Total Space | 110.87 Gb Free Space | 79.63% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D53B64L1
Current User Name: Erin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/09 02:54:43 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Erin\Desktop\OTL.exe
PRC - [2010/02/26 00:36:21 | 000,117,640 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
PRC - [2009/09/01 11:02:06 | 000,024,576 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\OA012Mon.exe
PRC - [2009/07/22 10:22:54 | 000,623,984 | ---- | M] (Dell) -- C:\Program Files\Battery Meter\BTMeter.exe
PRC - [2009/06/03 15:46:38 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2009/06/03 15:46:38 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2009/05/27 16:24:54 | 000,247,080 | ---- | M] (Dell) -- C:\Program Files\WSED\WSED.exe
PRC - [2009/05/19 12:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/02/23 10:03:06 | 000,320,808 | ---- | M] (Compal Electronics, Inc) -- C:\Program Files\CapsLKNotify\CapsLKNotify.exe
PRC - [2008/06/12 01:09:58 | 000,542,096 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
PRC - [2008/05/26 23:19:14 | 000,123,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\WindowsSearch.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/06/09 02:54:43 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Erin\Desktop\OTL.exe
MOD - [2010/02/26 00:36:05 | 000,419,696 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Security Suite\Engine\3.8.0.41\asOEHook.dll
MOD - [2008/04/14 07:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (0109201267162477mcinstcleanup) McAfee Application Installer Cleanup (0109201267162477)
SRV - [2010/02/26 00:36:21 | 000,117,640 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe -- (N360)
SRV - [2010/02/16 09:39:44 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2009/06/03 15:46:38 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter) SupportSoft Sprocket Service (DellSupportCenter)
SRV - [2009/05/19 12:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)


========== Driver Services (SafeList) ==========

DRV - [2010/05/28 14:33:19 | 000,331,640 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100604.004\IDSXpx86.sys -- (IDSxpx86)
DRV - [2010/05/26 03:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/05/26 03:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/05/10 03:00:00 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100608.032\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/05/10 03:00:00 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100608.032\NAVENG.SYS -- (NAVENG)
DRV - [2010/02/26 00:36:35 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/02/26 00:36:25 | 000,217,136 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMTDI.SYS -- (SYMTDI)
DRV - [2010/02/26 00:36:24 | 000,310,320 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0308000.029\SYMEFA.SYS -- (SymEFA)
DRV - [2010/02/26 00:36:24 | 000,308,272 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SRTSP.SYS -- (SRTSP)
DRV - [2010/02/26 00:36:24 | 000,089,904 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMFW.SYS -- (SYMFW)
DRV - [2010/02/26 00:36:24 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0308000.029\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2010/02/26 00:36:24 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIMMP)
DRV - [2010/02/26 00:36:24 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIM)
DRV - [2010/02/26 00:36:24 | 000,036,400 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMNDIS.SYS -- (SYMNDIS)
DRV - [2010/02/26 00:36:24 | 000,033,072 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMIDS.SYS -- (SYMIDS)
DRV - [2010/02/26 00:36:23 | 000,482,432 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\ccHPx86.sys -- (ccHP)
DRV - [2010/02/26 00:36:23 | 000,259,632 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\BHDrvx86.sys -- (BHDrvx86)
DRV - [2009/09/01 11:05:42 | 000,134,144 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OA012Afx.sys -- (OA012Afx)
DRV - [2009/09/01 11:05:04 | 000,272,256 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OA012Vid.sys -- (OA012Vid)
DRV - [2009/09/01 11:04:06 | 000,133,632 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OA012Ufd.sys -- (OA012Ufd)
DRV - [2009/03/15 17:49:28 | 000,208,304 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2009/03/15 17:48:00 | 000,162,816 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV - [2009/03/15 17:44:18 | 000,120,064 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2009/03/15 16:32:18 | 005,032,448 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009/03/15 16:32:08 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
DRV - [2009/03/15 16:31:54 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2009/03/12 12:36:38 | 000,143,840 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CtClsFlt.sys -- (CtClsFlt)
DRV - [2009/02/15 16:34:40 | 005,854,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2009/01/06 18:53:14 | 001,391,104 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2008/11/04 21:24:58 | 000,014,248 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\EMSC.SYS -- (EMSC)
DRV - [2008/04/14 07:06:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/14 07:06:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/14 07:00:00 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/05/09 12:53:42 | 000,029,056 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ACFDCP32.sys -- (dgcfltr)
DRV - [2007/04/26 16:45:14 | 000,086,784 | R--- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ACFVA32.sys -- (acfva)
DRV - [2007/03/15 18:07:34 | 000,012,672 | R--- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ACFSDK32.sys -- (mdmxsdk)
DRV - [2001/08/17 21:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 21:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 21:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 21:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 21:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 20:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 20:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 20:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 20:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 20:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 20:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 20:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 20:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 20:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 20:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn [2010/04/25 19:45:47 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2008/04/14 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [BTMeter] C:\Program Files\Battery Meter\BTMeter.exe (Dell)
O4 - HKLM..\Run: [CapsLKNotify] C:\Program Files\CapsLKNotify\CapsLKNotify.exe (Compal Electronics, Inc)
O4 - HKLM..\Run: [dellsupportcenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [OA012Mon] C:\WINDOWS\OA012Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [WSED] C:\Program Files\WSED\WSED.exe (Dell)
O4 - HKCU..\Run: [Adobe Reader Synchronizer] c:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 20:45:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{d3f274d1-16c4-11df-952a-701a04a8b7cd}\Shell - "" = AutoRun
O33 - MountPoints2\{d3f274d1-16c4-11df-952a-701a04a8b7cd}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d3f274d1-16c4-11df-952a-701a04a8b7cd}\Shell\AutoRun\command - "" = D:\setup.exe -- File not found
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\setup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/09 02:56:43 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Erin\Desktop\OTL.exe
[2010/06/05 13:36:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Erin\Application Data\Malwarebytes
[2010/06/05 13:36:29 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/06/05 13:36:27 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/06/05 13:36:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/06/05 13:36:26 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/06/04 23:01:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Erin\Local Settings\Application Data\Symantec
[2010/06/03 02:53:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/06/03 02:53:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/17 21:16:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Erin\Application Data\Windows Live Writer
[2010/05/17 21:16:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Erin\My Documents\My Weblog Posts
[2010/05/17 21:16:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Erin\Local Settings\Application Data\Windows Live Writer
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/09 02:54:43 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Erin\Desktop\OTL.exe
[2010/06/08 23:49:41 | 000,553,238 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/08 23:49:41 | 000,464,078 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/08 23:49:41 | 000,079,188 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/08 23:45:33 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/08 23:45:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/08 23:45:11 | 1063,702,528 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/08 19:12:30 | 004,456,448 | -H-- | M] () -- C:\Documents and Settings\Erin\NTUSER.DAT
[2010/06/08 19:12:24 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Erin\ntuser.ini
[2010/06/07 02:10:40 | 004,298,974 | -H-- | M] () -- C:\Documents and Settings\Erin\Local Settings\Application Data\IconCache.db
[2010/06/05 13:36:33 | 000,000,698 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/27 03:00:49 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/20 11:08:26 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Erin\My Documents\Email titles.doc
[2010/05/20 11:08:15 | 000,107,008 | ---- | M] () -- C:\Documents and Settings\Erin\My Documents\Re.doc
[2010/05/13 16:00:23 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Erin\My Documents\TO whom it may concern.doc
[2010/05/10 15:59:54 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\Erin\My Documents\Checkpoint 1.doc
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/05 13:36:33 | 000,000,698 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/04 23:05:38 | 1063,702,528 | -HS- | C] () -- C:\hiberfil.sys
[2010/05/20 11:08:25 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Erin\My Documents\Email titles.doc
[2010/05/20 11:08:14 | 000,107,008 | ---- | C] () -- C:\Documents and Settings\Erin\My Documents\Re.doc
[2010/05/13 16:00:22 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Erin\My Documents\TO whom it may concern.doc
[2010/05/10 15:59:53 | 000,139,264 | ---- | C] () -- C:\Documents and Settings\Erin\My Documents\Checkpoint 1.doc
[2010/03/15 13:32:02 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/12/21 03:20:26 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2009/12/21 03:16:05 | 000,001,155 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2009/12/21 02:06:24 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/12/21 01:47:04 | 000,577,536 | ---- | C] () -- C:\WINDOWS\System32\EMSC.DLL
[2009/12/21 01:45:51 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2009/12/21 01:45:49 | 000,753,664 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2008/04/25 20:42:57 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2007/09/27 11:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
< End of report >

Extras.txt log:

OTL Extras logfile created on: 6/9/2010 2:58:01 AM - Run 1
OTL by OldTimer - Version 3.2.5.3 Folder = C:\Documents and Settings\Erin\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 494.00 Mb Available Physical Memory | 49.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 139.24 Gb Total Space | 110.87 Gb Free Space | 79.63% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D53B64L1
Current User Name: Erin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPortsList]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplicationsList]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplicationsList]
"C:\Program Files\Dell Video Chat\DellVideoChat.exe" = C:\Program Files\Dell Video Chat\DellVideoChat.exe:*:Enabled:Dell Video Chat -- (Dell Inc. and SightSpeed Inc.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{053E51D3-885D-425C-9586-EA5183C4C688}" = Function Keys
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 16
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{543A4F31-9590-416A-A621-42CEB4C6A694}" = Battery Meter
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}" = Live! Cam Avatar Creator
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90578106-70AF-4198-B9DE-1924FA83B03A}" = CapsLKNotify
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
"{E6CB6126-D120-4FB5-9D1B-E2E19003E66C}" = WSED
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FEF06E73-A519-4510-8CF3-B66041B91D8A}" = EMSC
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"Broadcom 802.11 Application" = Dell Wireless WLAN Card Utility
"CNXT_MODEM_USB_ACF" = Conexant USB D400 V.92 Modem
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Creative OA012" = Integrated Webcam Driver (1.05.01.0820)
"Dell Video Chat" = Dell Video Chat
"Dell Webcam Central" = Dell Webcam Central
"GoToAssist" = GoToAssist 8.0.0.514
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"ie8" = Windows Internet Explorer 8
"InstallShield_{543A4F31-9590-416A-A621-42CEB4C6A694}" = Battery Meter
"InstallShield_{90578106-70AF-4198-B9DE-1924FA83B03A}" = CapsLKNotify
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"N360" = Norton Security Suite
"SynTPDeinstKey" = Dell Touchpad
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime" = Windows Media Format Runtime
"WinLiveSuite_Wave3" = Windows Live Essentials
"World of Warcraft" = World of Warcraft
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/3/2010 11:28:13 AM | Computer Name = D53B64L1 | Source = Windows Search Service | ID = 3024
Description = The update cannot be started because the content sources cannot be
accessed. Fix the errors and try the update again. Context: Application, SystemIndex
Catalog

Error - 6/3/2010 10:07:14 PM | Computer Name = D53B64L1 | Source = Windows Search Service | ID = 3024
Description = The update cannot be started because the content sources cannot be
accessed. Fix the errors and try the update again. Context: Application, SystemIndex
Catalog

Error - 6/4/2010 10:37:04 AM | Computer Name = D53B64L1 | Source = Windows Search Service | ID = 3024
Description = The update cannot be started because the content sources cannot be
accessed. Fix the errors and try the update again. Context: Application, SystemIndex
Catalog

Error - 6/4/2010 9:31:40 PM | Computer Name = D53B64L1 | Source = Windows Search Service | ID = 3024
Description = The update cannot be started because the content sources cannot be
accessed. Fix the errors and try the update again. Context: Application, SystemIndex
Catalog

Error - 6/4/2010 10:27:10 PM | Computer Name = D53B64L1 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The server name or address could not be resolved

Error - 6/4/2010 10:27:16 PM | Computer Name = D53B64L1 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 6/5/2010 12:04:06 AM | Computer Name = D53B64L1 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The server name or address could not be resolved

Error - 6/5/2010 12:04:16 AM | Computer Name = D53B64L1 | Source = Application Error | ID = 1000
Description = Faulting application mcui32.exe, version 16.8.0.41, faulting module
symhtml.dll, version 3.8.0.2, fault address 0x000281fc.

Error - 6/7/2010 3:04:14 AM | Computer Name = D53B64L1 | Source = Windows Search Service | ID = 3024
Description = The update cannot be started because the content sources cannot be
accessed. Fix the errors and try the update again. Context: Application, SystemIndex
Catalog

Error - 6/9/2010 3:49:01 AM | Computer Name = D53B64L1 | Source = Windows Search Service | ID = 3024
Description = The update cannot be started because the content sources cannot be
accessed. Fix the errors and try the update again. Context: Application, SystemIndex
Catalog

[ System Events ]
Error - 6/4/2010 10:26:38 PM | Computer Name = D53B64L1 | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 6/4/2010 10:26:38 PM | Computer Name = D53B64L1 | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 6/4/2010 10:26:38 PM | Computer Name = D53B64L1 | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 6/4/2010 10:26:38 PM | Computer Name = D53B64L1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD BHDrvx86 ccHP eeCtrl Fips IDSxpx86 intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSP
SRTSPX
SYMTDI
Tcpip

Error - 6/5/2010 12:04:35 AM | Computer Name = D53B64L1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 6/5/2010 12:04:45 AM | Computer Name = D53B64L1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 6/6/2010 1:30:21 AM | Computer Name = D53B64L1 | Source = PSched | ID = 14103
Description = QoS [Adapter {AB7AEF80-79DB-488B-B66E-0CEDDB3E8F63}]: The netcard driver
failed the query for OID_GEN_LINK_SPEED.

Error - 6/6/2010 8:52:10 PM | Computer Name = D53B64L1 | Source = PSched | ID = 14103
Description = QoS [Adapter {AB7AEF80-79DB-488B-B66E-0CEDDB3E8F63}]: The netcard driver
failed the query for OID_GEN_LINK_SPEED.

Error - 6/8/2010 3:47:12 AM | Computer Name = D53B64L1 | Source = PSched | ID = 14103
Description = QoS [Adapter {AB7AEF80-79DB-488B-B66E-0CEDDB3E8F63}]: The netcard driver
failed the query for OID_GEN_LINK_SPEED.

Error - 6/8/2010 12:47:11 PM | Computer Name = D53B64L1 | Source = PSched | ID = 14103
Description = QoS [Adapter {AB7AEF80-79DB-488B-B66E-0CEDDB3E8F63}]: The netcard driver
failed the query for OID_GEN_LINK_SPEED.


< End of report >

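The firewall-policy and event-log sections of the OTL report above are the parts a responder reads first, and they are easier to read with a script than by eye: the StandardProfile key shows Windows Firewall switched off (EnableFirewall = 0), and the Service Control Manager event 7026 from 6/4/2010 10:26 PM lists Tcpip, AFD, NetBT, IPSec and the Symantec drivers among boot-start drivers that failed to load (the %%31 in the 7001 events beside it is Win32 error 31, ERROR_GEN_FAILURE). The Python below is an added example, not part of the original thread and not OTL's own code; it parses a constructed excerpt of those two sections and reports the disabled profile, the globally open ports with their state, and the driver names from the 7026 event. The registry key names in the excerpt carry the backslashes that the forum's copy of the report lost; the function names are the example's own.

```python
"""Triage helpers for the firewall-policy and event-log sections of an OTL report."""
import re

# Constructed excerpt of the report above (not a live capture); the registry key
# names carry the backslashes that the forum's copy of the report dropped.
SAMPLE_REPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

[ System Events ]
Error - 6/4/2010 10:26:38 PM | Computer Name = D53B64L1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD BHDrvx86 ccHP eeCtrl Fips IDSxpx86 intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSP
SRTSPX
SYMTDI
Tcpip
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
EVENT_RE = re.compile(r"^Error - (.+?) \| Computer Name = (\S+) \| Source = (.+?) \| ID = (\d+)$")


def parse_registry(text):
    """Return {key: {name: value}} for the [KEY] / "name" = value blocks."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key, value = KEY_RE.match(line), VALUE_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
        elif value and current is not None:
            keys[current][value.group(1)] = value.group(2).strip()
    return keys


def parse_events(text):
    """Return one dict per 'Error - ...' entry; a description runs to the next blank line."""
    events, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = EVENT_RE.match(lines[i].strip())
        i += 1
        if not m:
            continue
        desc = []
        while i < len(lines) and lines[i].strip():
            desc.append(lines[i].strip())
            i += 1
        description = " ".join(desc)
        if description.startswith("Description = "):
            description = description[len("Description = "):]
        events.append({"when": m.group(1), "computer": m.group(2), "source": m.group(3),
                       "id": int(m.group(4)), "description": description})
    return events


def firewall_findings(reg):
    """Flag firewall profiles whose EnableFirewall value is 0 (Windows Firewall off)."""
    findings = []
    for key, values in reg.items():
        if key.lower().endswith((r"firewallpolicy\standardprofile", r"firewallpolicy\domainprofile")):
            if values.get("EnableFirewall") == "0":
                profile = key.rsplit("\\", 1)[-1]
                findings.append(f"Windows Firewall disabled ({profile}: EnableFirewall=0)")
    return findings


def open_ports(reg):
    """Decode GloballyOpenPorts entries, formatted port:proto:scope:state:description."""
    ports = []
    for key, values in reg.items():
        if key.lower().endswith(r"globallyopenports\list"):
            for raw in values.values():
                fields = raw.split(":")
                if len(fields) >= 4:
                    ports.append(dict(zip(("port", "proto", "scope", "state"), fields)))
    return ports


def failed_boot_drivers(events):
    """Driver names listed by Service Control Manager event 7026."""
    drivers = []
    for ev in events:
        if ev["id"] == 7026:
            drivers.extend(ev["description"].partition("failed to load:")[2].split())
    return drivers


def triage(text):
    """Everything a reviewer wants from these two sections, in one dict."""
    reg, events = parse_registry(text), parse_events(text)
    return {"firewall": firewall_findings(reg), "open_ports": open_ports(reg),
            "failed_drivers": failed_boot_drivers(events)}
```

Everything this reports is something to verify, not a verdict. The two open ports are the UPnP entries (1900/UDP SSDP and 2869/TCP) scoped to the local subnet and marked Disabled, and a profile reading EnableFirewall = 0 is consistent with a third-party firewall being in charge (ComboFix later lists Norton Security Suite as the FW on this machine); confirm which product is actually filtering before treating the value as a finding. The 7026 list is the more interesting signal: a boot on which Tcpip, AFD and the Symantec drivers all fail to load is worth correlating with what else happened at that timestamp.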

Re: unable to remove backdoor.tidserv!inf virus

Post by Belahzur on 9th June 2010, 10:59 pm

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Adobe Reader 9
    Java(TM) 6 Update 16

Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Click the "Download JRE" button to the right.
  • In the Window that opens, select your platform, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe that you downloaded to install the newest version.

Then download and install [You must be registered and logged in to see this link.]

Run another MBAM scan, see if Tidserv is still hanging around?


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64

Re: unable to remove backdoor.tidserv!inf virus

Post by boshnosh on 10th June 2010, 6:42 am

Hello.

I removed the two programs you mentioned. I installed Adobe reader 9.3.2 and updated Java as you requested as well as ran another MBAM scan. Here is the quick scan log:

Malwarebytes' Anti-Malware 1.46

Database version: 4170

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/10/2010 2:03:24 AM
mbam-log-2010-06-10 (02-03-24).txt

Scan type: Quick scan
Objects scanned: 142108
Time elapsed: 16 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

According to Norton, it looks like Tidserv is still hanging around.


Re: unable to remove backdoor.tidserv!inf virus

Post by Belahzur on 10th June 2010, 9:02 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.





Re: unable to remove backdoor.tidserv!inf virus

Post by boshnosh on 11th June 2010, 7:21 am

Hello.

Here are the results from Combofix:

ComboFix 10-06-10.03 - Erin 06/11/2010 1:24.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.395 [GMT -5:00]
Running from: c:\documents and settings\Erin\Desktop\Combo-Fix.exe
AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Erin\GoToAssistDownloadHelper.exe

.
((((((((((((((((((((((((( Files Created from 2010-05-11 to 2010-06-11 )))))))))))))))))))))))))))))))
.

2010-06-11 01:38 . 2010-06-11 01:38 -------- d-----w- c:\windows\LastGood
2010-06-10 06:35 . 2010-06-10 06:35 503808 ----a-w- c:\documents and settings\Erin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-777a412b-n\msvcp71.dll
2010-06-10 06:35 . 2010-06-10 06:35 499712 ----a-w- c:\documents and settings\Erin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-777a412b-n\jmc.dll
2010-06-10 06:35 . 2010-06-10 06:35 348160 ----a-w- c:\documents and settings\Erin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-777a412b-n\msvcr71.dll
2010-06-10 06:35 . 2010-06-10 06:35 61440 ----a-w- c:\documents and settings\Erin\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6de5e2ec-n\decora-sse.dll
2010-06-10 06:35 . 2010-06-10 06:35 12800 ----a-w- c:\documents and settings\Erin\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6de5e2ec-n\decora-d3d.dll
2010-06-10 06:34 . 2010-06-10 06:34 -------- d-----w- c:\program files\Common Files\Java
2010-06-10 06:34 . 2010-06-10 06:34 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-10 06:34 . 2010-06-10 06:34 -------- d-----w- c:\program files\Java
2010-06-05 18:36 . 2010-06-05 18:36 -------- d-----w- c:\documents and settings\Erin\Application Data\Malwarebytes
2010-06-05 18:36 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-05 18:36 . 2010-06-05 18:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-05 18:36 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-05 18:36 . 2010-06-05 18:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-05 04:01 . 2010-06-05 04:01 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\Symantec
2010-06-05 02:04 . 2010-06-05 02:04 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-03 07:53 . 2010-06-03 07:53 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-30 03:36 . 2010-05-30 03:36 -------- d-sh--w- c:\documents and settings\welcome\PrivacIE
2010-05-30 03:36 . 2010-05-30 03:36 -------- d-----w- c:\documents and settings\welcome\Application Data\Windows Search
2010-05-18 02:16 . 2010-05-18 02:16 -------- d-----w- c:\documents and settings\Erin\Application Data\Windows Live Writer
2010-05-18 02:16 . 2010-05-18 02:16 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\Windows Live Writer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-10 06:42 . 2009-12-21 06:49 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-09 20:10 . 2010-02-12 23:37 -------- d-----w- c:\program files\World of Warcraft
2010-06-04 08:49 . 2009-12-21 07:00 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-11 12:16 . 2010-02-27 11:48 742 ----a-w- c:\documents and settings\Erin\Application Data\wklnhst.dat
2010-04-07 08:53 . 2010-02-11 04:56 36032 ----a-w- c:\documents and settings\Erin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 06:53 . 2009-12-21 06:53 75 --sh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-15 1434920]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-15 17529856]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-15 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-15 137752]
"OA012Mon"="c:\windows\OA012Mon.exe" [2009-09-01 24576]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]
"WSED"="c:\program files\WSED\WSED.exe" [2009-05-27 247080]
"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2009-07-22 623984]
"CapsLKNotify"="c:\program files\CapsLKNotify\CapsLKNotify.exe" [2009-02-23 320808]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-02-16 14:39 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSK80Service"=2 (0x2)
"MpfService"=2 (0x2)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [12/21/2009 1:47 AM 14248]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/26/2010 8:36 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [2/26/2010 8:36 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [2/26/2010 8:36 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100604.004\IDSXpx86.sys [6/9/2010 12:56 AM 331640]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe [2/26/2010 8:35 AM 117640]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [12/21/2009 1:52 AM 143840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 9:43 PM 102448]
R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [12/21/2009 3:20 AM 134144]
R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [12/21/2009 3:20 AM 133632]
R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [12/21/2009 3:20 AM 272256]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [12/21/2009 3:20 AM 162816]
S2 0109201267162477mcinstcleanup;McAfee Application Installer Cleanup (0109201267162477);c:\docume~1\ERINBR~1\LOCALS~1\Temp\010920~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\ERINBR~1\LOCALS~1\Temp\010920~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 acfva;acfva;c:\windows\system32\drivers\ACFVA32.sys [2/11/2010 9:49 PM 86784]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [12/21/2009 3:20 AM 1684736]
S3 dgcfltr;DGC Filter Driver;c:\windows\system32\drivers\ACFDCP32.sys [2/11/2010 9:49 PM 29056]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-mcmscsvc
SafeBoot-MCODS



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-06-11 01:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"=""c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe" /s "N360" /m "c:\program files\Norton Security Suite\Engine\3.8.0.41\diMaster.dll" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1268)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\System32\BCMLogon.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-06-11 01:34:44
ComboFix-quarantined-files.txt 2010-06-11 06:34

Pre-Run: 118,432,722,944 bytes free
Post-Run: 118,691,188,736 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - DCAAFD44C9AEC92CA910262030C1D78E

I ran a quick scan and for some reason under the unresolved security risks, it shows the tidserv and the date 6/4/10. It shows that 1 file & 1 browser cache is infected and the details:

c:\system volume information\_restore{64534b76-601-4598-8429-4df73c537af3}\rp44\a0019613.sys

Is this an error on Norton's part and my computer is actually virus-free or is this stubborn thing still lingering around? Sorry if I'm being a worry wart lol but I wanted to give you this information in case tidserv is still on my computer. I truly appreciate you for helping me with this issue.

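Two things in the post above reward a closer look than a scan log usually gets. ComboFix's service list encodes state in its prefix: R means running and S stopped, the digit is the start type (0 boot, 1 system, 2 auto, 3 demand, 4 disabled), and a trailing [?] instead of a date and size means ComboFix could not find the image file, which is the case for the McAfee Application Installer Cleanup entry that points into a user's Temp folder. And the path Norton keeps reporting lives under \System Volume Information\_restore{GUID}\RP44\, which is a System Restore copy of a file rather than anything the running system loads. The Python below is an added example, not ComboFix's or Norton's code; it parses a constructed excerpt of the service lines above, flags entries whose image is missing or sits under a Temp or profile directory (reasons to look, not proof of malware: the McAfee entry reads like an installer leftover, and nothing on the page calls it malicious), and classifies the quoted detection path. Function names and the flag wording are the example's own.

```python
"""Triage helpers for ComboFix service lines and an AV detection path."""
import re
from dataclasses import dataclass

# Constructed excerpt of the ComboFix service list above (not a live capture).
SAMPLE_SERVICES = r"""
R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [12/21/2009 1:47 AM 14248]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe [2/26/2010 8:35 AM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 9:43 PM 102448]
S2 0109201267162477mcinstcleanup;McAfee Application Installer Cleanup (0109201267162477);c:\docume~1\ERINBR~1\LOCALS~1\Temp\010920~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\ERINBR~1\LOCALS~1\Temp\010920~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 acfva;acfva;c:\windows\system32\drivers\ACFVA32.sys [2/11/2010 9:49 PM 86784]
"""

# ComboFix prefixes: R = running, S = stopped; the digit is the service start type.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}
SERVICE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.+)$")
# A System Restore copy, not a live file. The GUID is matched loosely because the
# one quoted in the post has a three-character segment.
RESTORE_POINT_RE = re.compile(
    r"\\system volume information\\_restore\{[0-9a-f-]+\}\\rp\d+\\a\d+\.[a-z0-9]+$", re.I)


@dataclass
class Service:
    name: str
    display: str
    command: str
    running: bool
    start_type: str
    image_missing: bool  # ComboFix printed "[?]" instead of a date and size


def parse_services(text):
    """Parse ComboFix 'R0 name;display;command [stamp]' lines."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        state, start, name, display, rest = m.groups()
        # The last " [...]" is ComboFix's file stamp: a date and size, or "?" if the image was not found.
        command, sep, stamp = rest.rpartition(" [")
        if not sep:
            command, stamp = rest, ""
        # ComboFix echoes the resolved command after " --> "; keep the registered one.
        command = command.split(" --> ")[0]
        services.append(Service(name, display, command, state == "R",
                                START_TYPES[start], stamp.rstrip("]") == "?"))
    return services


def flag_service(svc):
    """Reasons an entry deserves a closer look; none of them proves it is malicious."""
    flags, low = [], svc.command.lower()
    if svc.image_missing:
        flags.append("image file not found")
    if "\\temp\\" in low:
        flags.append("image in a Temp directory")
    if any(marker in low for marker in ("\\documents and settings\\", "\\docume~1\\", "\\users\\")):
        flags.append("image under a user profile")
    return flags


def triage(text):
    """{service name: flags} for every entry that raised at least one flag."""
    return {s.name: flag_service(s) for s in parse_services(text) if flag_service(s)}


def classify_path(path):
    """Tell a System Restore copy apart from a file the running system can load."""
    if RESTORE_POINT_RE.search(path):
        return "restore-point copy"
    low = path.lower()
    if low.startswith("c:\\windows\\"):
        return "live system file"
    if "\\temp\\" in low:
        return "live file in a Temp directory"
    return "live file"
```

A detection that classifies as a restore-point copy is dealt with by discarding the restore points (disabling and re-enabling System Restore on XP does that), not by hunting for a loaded driver; a detection on a live path under \windows\ would be the opposite case and would need the file itself looked at. The service flags are ordered so that a single entry can carry all three, as the McAfee cleanup line does here.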

Re: unable to remove backdoor.tidserv!inf virus

Post by Belahzur on 11th June 2010, 12:38 pm

Hello.
That's just System Restore point, we'll flush that now.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX. click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.





Re: unable to remove backdoor.tidserv!inf virus

Post by boshnosh on 12th June 2010, 2:12 am

Hello.

Here is the log from ESET:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=62a9f743476073488c32ada47e8b8df5
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-12 02:28:04
# local_time=2010-06-11 09:28:04 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3589 16777189 80 100 2964355 12117390 0 0
# compatibility_mode=5121 16777214 0 7 8215161 28309367 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=52068
# found=0
# cleaned=0
# scan_time=1844

For whatever reason, something told me to view the system restore on my computer and "Turn off System Restore" was checked. Shouldn't this be on (unchecked)? Is that why the system restore point is showing on Norton? If that is the case, do I need to redo anything?


Re: unable to remove backdoor.tidserv!inf virus

Post by Belahzur on 12th June 2010, 9:30 pm

Hello.
Yep, turn System Restore back on.

Okay, how is the machine running now?





Re: unable to remove backdoor.tidserv!inf virus

Post by boshnosh on 12th June 2010, 10:13 pm

Hello.

My machine is running fine, but tidserv is still showing up as an unresolved security risk. :/ I followed all of your instructions closely so I don't understand why it wasn't removed. Should I be concerned about this?


Re: unable to remove backdoor.tidserv!inf virus

Post by Belahzur on 13th June 2010, 12:54 am

Where is it located on the machine?





Re: unable to remove backdoor.tidserv!inf virus

Post by boshnosh on 13th June 2010, 4:14 am

Okay, I meant to say that Norton is showing that the tidserv has affected 1 file & 1 browser cache. Under details, it shows this:

c:\system volume information\_restore{64534b76-601-4598-8429-4df73c537af3}\rp44\a0019613.sys

Norton is showing this as an unresolved security risk. I know you said that it was just the system restore point and gave me instructions on how to flush it, but for some reason it is still there. I didn't realize my system restore was off the entire time so I'm not sure if that would make a difference or not.

I'm not trying to be difficult--I promise.


Re: unable to remove backdoor.tidserv!inf virus

Post by Belahzur on 13th June 2010, 2:44 pm

Hello.
Turn System restore off and press okay, then turn it back on and press okay.

That should flush the system restore point.





Re: unable to remove backdoor.tidserv!inf virus

Post by boshnosh on 13th June 2010, 6:56 pm

Good day.

I followed the instructions with system restore. Same old thing with Norton, but I'm just going to ignore that. lol I won't bother you anymore about it. With all the steps that were taken, everything seems clean, my machine is running smoothly so no worries on my end as far as I'm concerned. I just want to thank you so much for your help. I truly appreciate your time and patience. I'm a newbie to this and you put me at ease and walked me through each step. So many thanks to you and GeekPolice. You guys are awesome!

