Tidserv virus + plus google search redirects


Tidserv virus + plus google search redirects

Post by ModernWarfare2 on Sun 04 Jul 2010, 9:27 am

Hi,

I need help removing this virus from my comp, please. I have read many posts and, well, it looks like this requires professional help, which is why I'm here.

I have WinXP HE SP3. I also have Symantec Internet Security 17.7.0.12, and it only keeps telling me that a request for Tidserv.inf is blocked.

My computer seems to run slow or locks up when I use Explorer; when I use Firefox it seems to be okay, which leads me to believe that Explorer is infected somehow.

I also run Malwarebytes and it detects nothing. Oh yes, when I run Symantec it always finds 20 infected files and says it fixes them, but they keep coming up.

Thank You for your time
MW2

ModernWarfare2

Newbie Surfer

Posts : 30
Joined : 2010-07-04
Operating System : Windows XP HE SP3

Re: Tidserv virus + plus google search redirects

Post by Belahzur on Sun 04 Jul 2010, 10:04 am

Download OTL by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: Tidserv virus + plus google search redirects

Post by ModernWarfare2 on Sun 04 Jul 2010, 7:39 pm

OTL logfile created on: 7/4/2010 1:33:21 AM - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\Moms\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.00 Mb Total Physical Memory | 85.00 Mb Available Physical Memory | 17.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 70.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 47.86 Gb Total Space | 5.32 Gb Free Space | 11.12% Space Free | Partition Type: NTFS
Drive D: | 8.01 Gb Total Space | 0.96 Gb Free Space | 11.94% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-09DEDAFE33
Current User Name: Moms
NOT logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/04 01:23:07 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Moms\My Documents\Downloads\OTL.exe
PRC - [2010/02/25 17:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe
PRC - [2009/08/05 05:51:16 | 001,626,112 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/12/23 21:44:26 | 000,491,606 | ---- | M] () -- C:\Program Files\HPQ\Shared\HpqToaster.exe
PRC - [2005/11/10 22:03:52 | 000,036,975 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
PRC - [2005/09/24 09:42:32 | 000,475,136 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hp\Digital Imaging\bin\hpqimzone.exe
PRC - [2005/08/11 16:30:30 | 000,618,496 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
PRC - [2005/08/11 16:30:30 | 000,081,920 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [1997/08/19 00:00:00 | 000,051,984 | ---- | M] () -- C:\Program Files\Microsoft Office\Office\OSA.EXE


========== Modules (SafeList) ==========

MOD - [2010/07/04 01:23:07 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Moms\My Documents\Downloads\OTL.exe
MOD - [2010/05/13 22:35:01 | 000,415,088 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.7.0.12\asoehook.dll
MOD - [2009/07/12 00:02:02 | 000,653,120 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.7.0.12\microsoft.vc90.crt\msvcr90.dll
MOD - [2009/07/12 00:02:00 | 000,569,664 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.7.0.12\microsoft.vc90.crt\msvcp90.dll
MOD - [2008/04/13 17:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========


========== Driver Services (SafeList) ==========


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "[You must be registered and logged in to see this link.]
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:4.6

FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\IPSFFPlgn\ [2010/06/26 10:32:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\coFFPlgn\ [2010/06/25 10:31:55 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/24 20:22:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/24 20:22:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape Browser 8.0.4.0\Extensions\\Components: C:\Program Files\Netscape\Netscape Browser\Components [2010/05/21 15:00:29 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape Browser 8.0.4.0\Extensions\\Plugins: C:\Program Files\Netscape\Netscape Browser\Plugins [2010/06/22 18:43:02 | 000,000,000 | ---D | M]

[2010/06/21 13:19:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moms\Application Data\Mozilla\Extensions
[2010/06/21 13:19:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Moms\Application Data\Mozilla\Firefox\Profiles\npar0hin.default\extensions
[2010/07/02 11:06:13 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/19 17:58:35 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2008/03/24 20:21:00 | 002,889,088 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll

O1 HOSTS File: ([2004/08/04 14:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ipsbho.dll (Symantec Corporation)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\coieplg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\coieplg.dll (Symantec Corporation)
O4 - HKLM..\Run: [Conime] C:\WINDOWS\system32\conime.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\CHDAudPropShortcut.exe (Windows (R) Server 2003 DDK provider)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe (Macrovision Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [RecGuard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Reminder] C:\WINDOWS\CREATOR\Remind_XP.exe (SoftThinks)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\StartUp\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\StartUp\HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\StartUp\Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\StartUp\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\StartUp\Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\StartUp\RSDUpdater.exe.lnk = C:\WINDOWS\explorer.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Moms\Start Menu\Programs\StartUp\Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Google Search - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: &Translate English Word - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Backward Links - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Cached Snapshot of Page - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Similar Pages - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Translate Page into English - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\NPJPI150_06.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (Apple Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.5.0_06)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Digicode.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Digicode.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2001/07/27 22:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/07/04 01:23:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Moms\My Documents\Downloads
[2010/07/02 12:20:47 | 000,000,000 | ---D | C] -- C:\word docs
[2010/06/26 17:32:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Moms\Application Data\Malwarebytes
[2010/06/26 17:27:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Moms\Application Data\Sun
[2010/06/25 18:55:58 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2010/06/25 14:16:17 | 000,361,904 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\symtdi.sys
[2010/06/25 14:16:17 | 000,339,504 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\symtdiv.sys
[2010/06/25 14:16:16 | 000,328,752 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\symds.sys
[2010/06/25 14:16:16 | 000,173,104 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\symefa.sys
[2010/06/25 14:16:15 | 000,043,696 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\srtspx.sys
[2010/06/25 14:16:14 | 000,325,680 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\srtsp.sys
[2010/06/25 14:16:13 | 000,116,784 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\ironx86.sys
[2010/06/25 14:16:12 | 000,501,888 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\cchpx86.sys
[2010/06/25 14:12:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NIS\1107000.00C
[2010/06/25 10:31:30 | 000,124,976 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/06/25 10:31:30 | 000,060,808 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/06/25 10:31:30 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2010/06/25 10:29:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NIS
[2010/06/25 10:29:40 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Internet Security
[2010/06/25 10:29:39 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Sidebar
[2010/06/25 10:15:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PCSettings
[2010/06/25 10:15:13 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2010/06/25 10:15:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2010/06/25 10:02:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Norton
[2010/06/25 10:02:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2010/06/25 07:16:17 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/06/25 07:16:09 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/06/24 18:24:59 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Moms\PrivacIE
[2010/06/22 18:51:48 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER
[2010/06/22 18:40:43 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2010/06/22 18:35:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Microsoft Help
[2010/06/22 18:33:54 | 000,000,000 | RH-D | C] -- C:\MSOCache
[2010/06/22 12:09:27 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2010/06/22 12:09:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/06/21 16:39:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Moms\Application Data\Macromedia
[2010/06/21 16:39:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Moms\Application Data\Adobe
[2010/06/21 14:38:54 | 000,405,504 | R--- | C] (Eastman Kodak Company) -- C:\WINDOWS\System32\EKIJ5000MON.dll
[2010/06/21 14:37:12 | 000,126,976 | R--- | C] (Eastman Kodak Company) -- C:\WINDOWS\System32\EKIJCOINST05.dll
[2010/06/21 13:59:05 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/06/21 13:59:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple
[2010/06/21 13:57:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kodak
[2010/06/21 13:47:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\kodak
[2010/06/21 13:46:58 | 000,087,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wiafbdrv.dll
[2010/06/21 13:19:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Moms\Local Settings\Application Data\Mozilla
[2010/06/21 13:19:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Moms\Application Data\Mozilla
[2010/06/21 13:16:05 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Moms\IETldCache
[2010/06/21 13:15:57 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Moms\Application Data\Microsoft
[2010/06/21 13:15:57 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Moms\SendTo
[2010/06/21 13:15:57 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Moms\Recent
[2010/06/21 13:15:57 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Moms\Application Data
[2010/06/21 13:15:57 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Moms\Start Menu
[2010/06/21 13:15:57 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Moms\My Documents\My Videos
[2010/06/21 13:15:57 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Moms\My Documents\My Pictures
[2010/06/21 13:15:57 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Moms\My Documents\My Music
[2010/06/21 13:15:57 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Moms\My Documents
[2010/06/21 13:15:57 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Moms\Favorites
[2010/06/21 13:15:57 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Moms\Cookies
[2010/06/21 13:15:57 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Moms\Templates
[2010/06/21 13:15:57 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Moms\PrintHood
[2010/06/21 13:15:57 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Moms\NetHood
[2010/06/21 13:15:57 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Moms\Local Settings
[2010/06/21 13:15:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Moms\Application Data\Symantec
[2010/06/21 13:15:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Moms\Local Settings\Application Data\Microsoft
[2010/06/21 13:15:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Moms\Local Settings\Application Data\IsolatedStorage
[2010/06/21 13:15:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Moms\Application Data\Intuit
[2010/06/21 13:15:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Moms\Application Data\Identities
[2010/06/21 13:15:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Moms\Local Settings\Application Data\HP
[2010/06/21 13:15:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Moms\Local Settings\Application Data\Google
[2010/06/21 13:15:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Moms\Desktop
[2010/06/21 13:15:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Moms\Local Settings\Application Data\BVRP Software
[2010/06/21 13:15:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Moms\Local Settings\Application Data\ApplicationHistory
[2010/06/21 13:15:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Moms\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
[2010/06/07 19:30:02 | 000,000,000 | ---D | C] -- C:\Program Files\MPC HomeCinema
[2010/06/07 19:29:33 | 000,000,000 | ---D | C] -- C:\Program Files\Citrix
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[17 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/07/04 01:30:57 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/04 01:30:54 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/04 01:30:51 | 526,503,936 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/03 14:19:34 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/02 14:53:02 | 001,310,720 | -H-- | M] () -- C:\Documents and Settings\Moms\NTUSER.DAT
[2010/07/02 14:53:02 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Moms\ntuser.ini
[2010/07/02 10:54:40 | 000,000,313 | ---- | M] () -- C:\hpqp.ini
[2010/07/02 10:54:27 | 000,000,039 | ---- | M] () -- C:\XP_TV.ini
[2010/07/01 08:47:58 | 000,005,133 | -H-- | M] () -- C:\ffastun.ffa
[2010/07/01 08:47:57 | 000,532,480 | -H-- | M] () -- C:\ffastun.ffo
[2010/07/01 08:47:44 | 004,493,312 | -H-- | M] () -- C:\ffastun0.ffx
[2010/07/01 08:47:44 | 002,007,040 | -H-- | M] () -- C:\ffastun.ffl
[2010/06/29 11:53:05 | 000,443,380 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/29 11:53:05 | 000,383,822 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/29 11:53:05 | 000,054,010 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/25 18:11:50 | 000,001,973 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton Internet Security.LNK
[2010/06/25 18:11:15 | 000,606,852 | ---- | M] () -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\Cat.DB
[2010/06/25 10:31:30 | 000,124,976 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/06/25 10:31:30 | 000,060,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/06/25 10:31:30 | 000,007,443 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010/06/25 10:31:30 | 000,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010/06/24 18:11:42 | 000,103,056 | ---- | M] () -- C:\Documents and Settings\Moms\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/06/22 18:55:17 | 000,372,872 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/22 18:37:32 | 000,000,552 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/21 13:16:59 | 000,000,127 | ---- | M] () -- C:\Documents and Settings\Moms\Local Settings\Application Data\fusioncache.dat
[2010/06/21 13:16:17 | 000,000,779 | ---- | M] () -- C:\Documents and Settings\Moms\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/06/21 13:16:12 | 000,000,786 | ---- | M] () -- C:\Documents and Settings\Moms\Desktop\Windows Media Player.lnk
[2010/06/10 17:22:55 | 000,000,761 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
[2010/06/10 17:19:51 | 000,000,736 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
[2010/06/07 19:30:06 | 000,000,648 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Media Player Classic - Home Cinema.lnk
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[17 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/28 23:28:03 | 526,503,936 | -HS- | C] () -- C:\hiberfil.sys
[2010/06/25 18:11:06 | 000,606,852 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\Cat.DB
[2010/06/25 14:16:17 | 000,007,787 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\symnetv.cat
[2010/06/25 14:16:17 | 000,001,473 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\symnetv.inf
[2010/06/25 14:16:17 | 000,001,445 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\symnet.inf
[2010/06/25 14:16:16 | 000,007,873 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\symefa.cat
[2010/06/25 14:16:16 | 000,007,425 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\symds.cat
[2010/06/25 14:16:16 | 000,007,368 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\symnet.cat
[2010/06/25 14:16:16 | 000,003,373 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\symefa.inf
[2010/06/25 14:16:16 | 000,002,793 | R--- | C] () -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\symds.inf
[2010/06/25 14:16:15 | 000,007,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\srtspx.cat
[2010/06/25 14:16:15 | 000,001,388 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\srtspx.inf
[2010/06/25 14:16:14 | 000,007,438 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\srtsp.cat
[2010/06/25 14:16:14 | 000,001,382 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\srtsp.inf
[2010/06/25 14:16:12 | 000,007,438 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\iron.cat
[2010/06/25 14:16:12 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\iron.inf
[2010/06/25 14:16:11 | 000,007,396 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\cchpx86.cat
[2010/06/25 14:16:11 | 000,001,754 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\cchpx86.inf
[2010/06/25 14:12:06 | 000,000,172 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\isolate.ini
[2010/06/25 10:31:30 | 000,007,443 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010/06/25 10:31:30 | 000,000,805 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010/06/25 10:31:18 | 000,001,973 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Norton Internet Security.LNK
[2010/06/21 13:16:12 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\Moms\Desktop\Windows Media Player.lnk
[2010/06/21 13:15:58 | 000,001,765 | ---- | C] () -- C:\Documents and Settings\Moms\Application Data\Microsoft\Internet Explorer\Quick Launch\Netscape Browser.lnk
[2010/06/21 13:15:58 | 000,001,632 | ---- | C] () -- C:\Documents and Settings\Moms\Desktop\3 Month Trial AOL Music Now.lnk
[2010/06/21 13:15:58 | 000,000,992 | ---- | C] () -- C:\Documents and Settings\Moms\Desktop\Help and Support.lnk
[2010/06/21 13:15:58 | 000,000,779 | ---- | C] () -- C:\Documents and Settings\Moms\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/06/21 13:15:58 | 000,000,663 | ---- | C] () -- C:\Documents and Settings\Moms\Application Data\Microsoft\Internet Explorer\Quick Launch\HP Rhapsody.lnk
[2010/06/21 13:15:58 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\Moms\Local Settings\Application Data\fusioncache.dat
[2010/06/21 13:15:58 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\Moms\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2010/06/21 13:15:58 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Moms\Local Settings\Application Data\DSwitch.txt
[2010/06/21 13:15:58 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Moms\Local Settings\Application Data\AtStart.txt
[2010/06/21 13:15:57 | 000,053,248 | -H-- | C] () -- C:\Documents and Settings\Moms\ntuser.dat.LOG
[2010/06/21 13:15:57 | 000,001,703 | ---- | C] () -- C:\Documents and Settings\Moms\Start Menu\Programs\StartUp\Vongo Tray.lnk
[2010/06/21 13:15:57 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Moms\ntuser.ini
[2010/06/21 13:15:57 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Moms\Local Settings\Application Data\QSwitch.txt
[2010/06/21 13:15:56 | 001,310,720 | -H-- | C] () -- C:\Documents and Settings\Moms\NTUSER.DAT
[2010/06/18 16:29:34 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/06/10 17:47:51 | 000,005,133 | -H-- | C] () -- C:\ffastun.ffa
[2010/06/10 17:47:47 | 000,532,480 | -H-- | C] () -- C:\ffastun.ffo
[2010/06/10 17:47:44 | 004,493,312 | -H-- | C] () -- C:\ffastun0.ffx
[2010/06/10 17:22:56 | 002,007,040 | -H-- | C] () -- C:\ffastun.ffl
[2010/06/10 17:19:51 | 000,000,736 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
[2010/06/10 17:19:40 | 000,000,761 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
[2010/06/07 19:30:06 | 000,000,648 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Media Player Classic - Home Cinema.lnk
[2009/01/09 09:42:08 | 000,001,043 | ---- | C] () -- C:\WINDOWS\_ISENV31.INI
[2009/01/09 08:53:04 | 000,000,419 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2008/07/11 22:59:55 | 000,000,492 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/09/02 13:14:39 | 000,000,027 | ---- | C] () -- C:\WINDOWS\SmartAudio.INI
[2007/01/24 22:30:15 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/05/09 06:19:58 | 000,000,166 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2006/05/09 06:16:56 | 000,000,698 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.ini
[2006/05/09 05:57:54 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/05/09 05:54:12 | 000,028,836 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/03/27 10:00:36 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/03/27 09:20:24 | 000,000,945 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/03/27 09:17:12 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2005/12/02 11:09:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/04 07:59:44 | 000,005,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\viaide.sys
[1997/08/19 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1997/08/19 00:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >


Re: Tidserv virus + plus google search redirects

Post by ModernWarfare2 on Sun 04 Jul 2010, 7:42 pm

I forgot to mention I have two accounts on the computer, "dads" & "moms". Does this matter?

The scans are from "moms" account.

Thank You
MW2


Last edited by ModernWarfare2 on Mon 05 Jul 2010, 7:13 am; edited 3 times in total


Re: Tidserv virus + plus google search redirects

Post by ModernWarfare2 on Sun 04 Jul 2010, 7:49 pm

OTL Extras logfile created on: 7/4/2010 1:33:21 AM - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\Moms\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.00 Mb Total Physical Memory | 85.00 Mb Available Physical Memory | 17.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 70.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 47.86 Gb Total Space | 5.32 Gb Free Space | 11.12% Space Free | Partition Type: NTFS
Drive D: | 8.01 Gb Total Space | 0.96 Gb Free Space | 11.94% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-09DEDAFE33
Current User Name: Moms
NOT logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" = C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink -- File not found
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)
"C:\WINDOWS\system32\winver.exe" = C:\WINDOWS\system32\winver.exe:*:Enabled:winver -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic Data Module
"{09D8492A-C8E2-421E-927D-46800FB327A3}" = Wireless Home Network Setup
"{1CB34CE9-0E6B-493F-BB66-3425E5DF76E5}" = CP_CalendarTemplates1
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD Plus
"{23012310-3E05-46A5-88A9-C6CBCABCAC79}" = Customer Experience Enhancement
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23B35809-5E4A-4F14-8332-1CDEDDFAC089}" = CP_Package_Variety2
"{24BEBF2E-73F3-4599-840B-EDC612CCDD0D}" = Destinations
"{2624B969-7135-4EB1-B0F6-2D8C397B45F7}_is1" = Media Player Classic - Home Cinema v. 1.3.1249.0
"{2818095F-FB6C-42C8-827E-0A406CC9AFF5}" = Quicken 2006
"{286F29AF-0BE2-4D5F-AB17-B7631A810553}" = muvee autoProducer 4.5
"{2A548002-9042-4083-A270-B67473DE1073}" = SkinsHP1
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.00 E2
"{34F3FCF1-817B-4D61-B6AF-19D9486AFEA0}" = Unload
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36D620AD-EEBA-4973-BA86-0C9AE6396620}" = OptionalContentQFolder
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{3FE0CFAB-584A-4AA5-B8CD-C32284CFA308}" = RandMap
"{4041C245-7099-4C96-9738-5EBC23827B3C}" = BufferChm
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}" = HP Wireless Assistant 2.00 E1
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP DVD Play 2.1
"{47D2103B-FD51-4017-9C20-DD408B17D726}" = Office 2003 Trial Assistant
"{494D17B5-3369-4905-8C4B-80C972C5E0FF}" = CP_Panorama1Config
"{4DA4012B-39AF-48c2-B23B-A4D570D233A6}" = cp_LightScribeConfig
"{522D1D79-9C0A-4361-91F8-2AFF8EC6C2E1}" = CP_Package_Variety1
"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder
"{54F0998F-73C8-4b51-8286-FE903C231BED}" = cp_PosterPrintConfig
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler
"{6815FCDD-401D-481E-BA88-31B4754C2B46}" = Macromedia Flash Player 8
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{766633B3-1AFA-44B6-A3FC-1DE991CD9C52}" = CP_Package_Basic1
"{79F8E1D4-36C1-439C-95FA-F695050B5B07}" = Sonic_PrimoSDK
"{7B6CF9EB-CB2B-4A1A-81A9-BE1A9044690A}" = TIPCI
"{80AE27BA-B0ED-4288-A8B9-D8194BCF4115}" = cp_UpdateProjectsConfig
"{869C3062-4745-4949-B6C9-98AF24D89030}" = PhotoGallery
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{91120000-0014-0000-0000-0000000FF1CE}" = Microsoft Office Professional 2007
"{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9D4ABB0C-F60B-44A6-956C-A4A63D5495C9}" = CueTour
"{A01FC76F-CC09-4658-9E37-5C2F635EE708}" = TourSetup
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic Audio Module
"{AC76BA86-7AD7-1033-7B44-A00000000001}" = Adobe Reader 6.0.1
"{AEF7A12C-CD9B-4773-8AD1-6916138CA7EA}" = SmartAudio
"{B11E71BA-498C-42D4-9F1A-9D7A89D9DA61}" = CP_AtenaShokunin1Config
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic Copy Module
"{B57F2FF0-5A25-4332-B503-4592B370C02F}" = CP_Package_Variety3
"{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}" = HP Software Update
"{BBD3BF67-5B89-4CBB-BA58-5818ED5F3290}" = cp_OnlineProjectsConfig
"{BC96BBA7-C634-460E-AD18-A0A994213F80}" = HP User Guides--System Recovery
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D755C7A3-C03E-4460-8C00-AC6E55505FB5}" = LightScribe 1.4.74.1
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{E74E3D81-773B-4DCF-B706-50236F80BD81}" = HP User Guides 0019
"{FC8D25A7-FF1B-41BB-BB3B-9A06C0A60AE0}" = InstantShareDevices
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"CNXT_HDAUDIO" = Conexant HD Audio
"CNXT_MODEM_HDAUDIO_CPL30A5m" = HDAUDIO Soft Data Fax Modem with SmartCP
"Excel" = Microsoft Excel 97
"Free Audio CD Burner_is1" = Free Audio CD Burner version 1.3
"Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.5
"HP Imaging Device Functions" = HP Imaging Device Functions 6.0
"HP Photo & Imaging" = HP Photosmart Premier Software 6.0
"HP Rhapsody" = HP Rhapsody
"ie8" = Windows Internet Explorer 8
"InstallShield_{23012310-3E05-46A5-88A9-C6CBCABCAC79}" = Customer Experience Enhancement
"InstallShield_{7B6CF9EB-CB2B-4A1A-81A9-BE1A9044690A}" = Texas Instruments PCIxx21/x515/xx12 drivers.
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Money2006b" = Microsoft Money 2006
"Mozilla Firefox (3.5.10)" = Mozilla Firefox (3.5.10)
"Netscape Browser" = Netscape Browser (remove only)
"NIS" = Norton Internet Security
"PROR" = Microsoft Office Professional 2007
"PROSet" = Intel(R) PRO Network Connections Drivers
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Uninstall_is1" = Uninstall 1.0.0.1
"Veetle TV" = Veetle TV 0.9.17
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"Word8.0" = Microsoft Word 97

========== Last 10 Event Log Errors ==========

Error: Unable to start EventLog service!

< End of report >


Re: Tidserv virus + plus google search redirects

Post by Belahzur on Mon 05 Jul 2010, 11:21 am

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


Re: Tidserv virus + plus google search redirects

Post by ModernWarfare2 on Tue 06 Jul 2010, 7:26 am

Malwarebytes' Anti-Malware 1.46

Database version: 4278

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/5/2010 12:18:33 PM
mbam-log-2010-07-05 (12-18-33).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 271693
Time elapsed: 2 hour(s), 52 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\d6Wl1X26.exe (Backdoor.Sinowal) -> No action taken.


Re: Tidserv virus + plus google search redirects

Post by Belahzur on Tue 06 Jul 2010, 8:10 am

Hello.
Did you remove the file it found?


Re: Tidserv virus + plus google search redirects

Post by ModernWarfare2 on Tue 06 Jul 2010, 10:32 am

Hi Belahzur,

It says it did, but the Tidserv request is still coming up on Norton.


???


Re: Tidserv virus + plus google search redirects

Post by ModernWarfare2 on Tue 06 Jul 2010, 2:25 pm

I just ran a complete scan again; it says no virus or infected files were found, but immediately after it completed, the Tidserv virus request came through again on Norton, saying it blocked the attempt.

The computer on the "moms" account seems to be running much better, with no lock-ups at the moment.

Still confused about the blocks though.


Re: Tidserv virus + plus google search redirects

Post by Belahzur on Wed 07 Jul 2010, 2:09 am

Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select yes.

  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.


Re: Tidserv virus + plus google search redirects

Post by ModernWarfare2 on Wed 07 Jul 2010, 4:15 am

ComboFix 10-07-05.03 - Moms 07/06/2010 9:45.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.141 [GMT -7:00]
Running from: c:\documents and settings\Moms\My Documents\Downloads\Combo-Fix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\xpsp1hfm.log

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
Infected copy of c:\windows\system32\DRIVERS\viaide.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-06-06 to 2010-07-06 )))))))))))))))))))))))))))))))
.

2010-07-06 16:41 . 2008-04-13 18:40 5376 ----a-w- c:\windows\system32\drivers\viaide.sys
2010-07-06 16:41 . 2008-04-13 18:40 5376 ----a-w- c:\windows\system32\dllcache\viaide.sys
2010-07-04 08:50 . 2010-07-04 08:50 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-07-02 19:20 . 2010-07-06 15:21 -------- d-----w- C:\word docs
2010-06-29 03:28 . 2010-06-29 03:28 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-27 00:32 . 2010-06-27 00:32 -------- d-----w- c:\documents and settings\Moms\Application Data\Malwarebytes
2010-06-26 01:55 . 2010-06-26 01:55 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-25 17:31 . 2010-06-25 17:31 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-25 17:31 . 2010-06-25 17:31 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-25 17:31 . 2010-06-25 17:31 -------- d-----w- c:\program files\Symantec
2010-06-25 17:29 . 2010-06-26 01:11 -------- d-----w- c:\windows\system32\drivers\NIS
2010-06-25 17:29 . 2010-06-25 17:29 -------- d-----w- c:\program files\Norton Internet Security
2010-06-25 17:29 . 2010-06-25 17:29 -------- d-----w- c:\program files\Windows Sidebar
2010-06-25 17:15 . 2010-06-25 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2010-06-25 17:15 . 2010-06-25 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-06-25 17:15 . 2010-06-25 17:15 -------- d-----w- c:\program files\NortonInstaller
2010-06-25 17:02 . 2010-06-25 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-06-25 14:16 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-25 14:16 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-25 01:24 . 2010-06-25 01:24 -------- d-sh--w- c:\documents and settings\Moms\PrivacIE
2010-06-23 01:40 . 2010-06-23 01:40 -------- d-----w- c:\program files\Microsoft.NET
2010-06-23 01:35 . 2010-06-23 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-23 01:33 . 2010-06-23 01:33 -------- d-----r- C:\MSOCache
2010-06-22 19:09 . 2010-06-25 20:12 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-22 19:09 . 2010-06-25 20:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-21 21:39 . 2009-08-05 12:51 192512 ----a-r- c:\windows\system32\Spool\prtprocs\w32x86\EKIJ5000PPR.dll
2010-06-21 21:38 . 2009-08-05 12:51 405504 ----a-r- c:\windows\system32\EKIJ5000MON.dll
2010-06-21 21:37 . 2009-08-05 12:51 126976 ----a-r- c:\windows\system32\EKIJCOINST05.dll
2010-06-21 20:59 . 2010-06-21 20:59 -------- d-----w- c:\program files\Bonjour
2010-06-21 20:59 . 2010-06-21 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-06-21 20:57 . 2010-06-21 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-06-21 20:47 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-06-21 20:47 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys
2010-06-21 20:47 . 2010-06-21 20:47 -------- d-----w- c:\windows\system32\kodak
2010-06-21 20:46 . 2001-08-18 05:36 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2010-06-21 20:46 . 2001-08-18 05:36 87040 ----a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-06-21 20:46 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-06-21 20:46 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2010-06-21 20:44 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-06-21 20:44 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-06-21 20:19 . 2010-06-21 20:19 -------- d-----w- c:\documents and settings\Moms\Local Settings\Application Data\Mozilla
2010-06-18 23:29 . 2010-07-06 15:21 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-08 02:30 . 2010-06-08 02:30 -------- d-----w- c:\program files\MPC HomeCinema
2010-06-08 02:29 . 2010-06-08 02:29 -------- d-----w- c:\program files\Citrix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-05 19:19 . 2010-05-15 23:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-25 17:43 . 2006-05-09 13:07 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-25 17:31 . 2010-06-25 17:31 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-25 17:31 . 2010-06-25 17:31 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-25 01:11 . 2010-06-21 20:15 103056 ----a-w- c:\documents and settings\Moms\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-23 01:43 . 2006-05-09 12:55 -------- d-----w- c:\program files\Microsoft Works
2010-06-21 20:16 . 2010-06-21 20:15 127 ----a-w- c:\documents and settings\Moms\Local Settings\Application Data\fusioncache.dat
2010-06-02 16:38 . 2006-03-27 16:17 86939 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-06-02 16:04 . 2006-05-09 12:57 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-05-23 06:36 . 2010-05-23 06:36 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-05-23 06:36 . 2010-05-23 06:36 -------- d-----w- c:\program files\DVDVideoSoft
2010-05-21 22:31 . 2010-05-21 22:31 1708 --sha-r- c:\windows\system32\drivers\103C_HP_NTBK_Presario V5000 (EZ431UA#ABA)_YN_0Pres_QCND63204VW_E413900001_46_I30A8_SHP_V56.38_BF.15_T060613_WXH2_L409_M503_J60_7Intel_8Celeron M 410_91.46_#100521_N14E44311_(EZ431UA#ABA)_XMOBILE_CN10_Z_2F.15.MRK
2010-05-21 22:25 . 2006-05-09 10:35 -------- d-----w- c:\program files\HPQ
2010-05-21 22:02 . 2006-05-09 13:19 -------- d-----w- c:\program files\Quickensetup
2010-05-21 22:02 . 2006-05-09 13:20 -------- d-----w- c:\program files\Quicken
2010-05-21 22:00 . 2006-05-09 13:35 -------- d-----w- c:\program files\NetWaiting
2010-05-21 22:00 . 2006-05-09 13:17 -------- d-----w- c:\program files\music_now
2010-05-21 22:00 . 2006-05-09 12:55 -------- d-----w- c:\program files\MSN Encarta Plus
2010-05-21 21:59 . 2006-05-09 13:19 -------- d-----w- c:\program files\Microsoft Office Trial Wizard
2010-05-21 21:58 . 2006-05-09 12:54 -------- d-----w- c:\program files\Microsoft Money 2006
2010-05-21 21:58 . 2006-05-09 13:22 -------- d-----w- c:\program files\HP Rhapsody
2010-05-21 21:56 . 2006-05-09 10:35 -------- d-----w- c:\program files\Hewlett-Packard
2010-05-21 21:56 . 2006-05-09 13:16 -------- d-----w- c:\program files\Google
2010-05-21 21:56 . 2006-05-09 12:46 -------- d-----w- c:\program files\CONEXANT
2010-05-21 21:55 . 2006-05-09 10:35 -------- d-----w- c:\program files\Common Files\SureThing Shared
2010-05-21 21:55 . 2006-05-09 10:35 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-05-21 21:55 . 2006-05-09 13:20 -------- d-----w- c:\program files\Common Files\Palo Alto Software
2010-05-21 21:55 . 2006-05-09 13:24 -------- d-----w- c:\program files\Common Files\LightScribe
2010-05-21 21:51 . 2010-06-29 03:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Symantec
2010-05-21 21:51 . 2010-06-21 20:15 -------- d-----w- c:\documents and settings\Moms\Application Data\Symantec
2010-05-21 21:51 . 2010-05-21 22:29 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec
2010-05-21 21:51 . 2010-06-29 03:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intuit
2010-05-21 21:51 . 2010-06-21 20:15 -------- d-----w- c:\documents and settings\Moms\Application Data\Intuit
2010-05-21 21:51 . 2010-05-21 22:29 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Intuit
2010-05-21 21:51 . 2006-05-09 10:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2010-05-18 11:12 . 2010-04-27 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-05-18 10:30 . 2010-04-29 00:44 179 ----a-w- C:\handle.dat
2010-05-18 01:52 . 2010-05-18 01:53 1129120 ----a-w- c:\documents and settings\All Users\Application Data\STOPzilla!\vdb\vbcorent.dll
2010-05-18 01:50 . 2010-05-18 01:50 -------- d-----w- c:\program files\STOPzilla!
2010-05-18 01:29 . 2010-05-16 16:34 -------- d-----w- c:\program files\RegScrubXP
2010-05-17 17:53 . 2008-04-19 04:10 -------- d-----w- c:\program files\QuickTime
2010-05-17 17:05 . 2010-04-27 21:01 -------- d-----w- c:\documents and settings\NetworkService\Application Data\HPAppData
2010-05-17 16:57 . 2010-04-23 19:37 112 ----a-w- c:\documents and settings\All Users\Application Data\wa4rGu0l.dat
2010-05-16 00:41 . 2010-05-16 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-16 00:41 . 2010-05-16 00:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-16 00:40 . 2010-05-16 00:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-15 23:43 . 2010-05-15 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-14 00:17 . 2010-05-14 00:17 -------- d-----w- c:\program files\Trend Micro
2010-05-10 04:39 . 2007-01-25 05:35 -------- d-----w- c:\program files\Trillian
2010-05-10 04:16 . 2006-09-04 21:46 -------- d-----w- c:\program files\EPSON
2010-05-10 04:16 . 2009-12-21 00:46 -------- d-----w- c:\program files\DivX
2010-05-10 04:06 . 2009-01-09 15:50 -------- d-----w- c:\program files\Canon
2010-05-10 04:05 . 2010-05-10 04:05 -------- d-----w- c:\documents and settings\All Users\Application Data\AT&T
2010-04-27 23:01 . 2010-04-27 23:01 12718080 ---ha-w- C:\SZKGFS.dat
2008-04-19 04:16 . 2008-04-19 04:16 23700784 ----a-w- c:\program files\QuickTimeInstaller.exe
2008-04-19 03:55 . 2008-04-19 03:55 6039048 ----a-w- c:\program files\Firefox Setup 2.0.0.14.exe
.
Code:
c:\program files\ACD Systems\ACDSee\CAMDET~1 .exe
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Alltel\GoBoingo\AlltelWifi .exe
c:\program files\AT&T\Communication Manager\ATTCM .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm  .exe
c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate .exe
c:\program files\Hp\Digital Imaging\bin\hpqSRMon .exe
c:\program files\Hp\HP Software Update\HPWuSchd2 .exe
c:\program files\Hp\QuickPlay\QPService .exe
c:\program files\HPQ\Default Settings\cpqset .exe
c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant .exe
c:\program files\QuickTime\qttask                              .exe
c:\program files\QuickTime\qttask                            .exe
c:\program files\QuickTime\qttask                            .exe
c:\program files\QuickTime\qttask                          .exe
c:\program files\QuickTime\qttask                          .exe
c:\program files\QuickTime\qttask                        .exe
c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4 .exe
c:\program files\Sierra Wireless Inc\3G Watcher\WaHelper .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
c:\program files\Yahoo!\Messenger\YahooMessenger .exe
c:\program files\Yahoo!\Search Protection\SearchProtection .exe
c:\windows\CREATOR\Remind_XP .exe
c:\windows\SMINST\RecGuard .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-11 36975]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-08-05 1626112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-7-1 113664]
HP Photosmart Premier Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-8-19 111376]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-8-19 51984]
RSDUpdater.exe.lnk - c:\windows\explorer.exe [2004-8-4 1033728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\winver.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\symds.sys [6/25/2010 2:16 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1107000.00C\symefa.sys [6/25/2010 2:16 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\BASHDefs\20100619.001\BHDrvx86.sys [6/19/2010 12:46 AM 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\cchpx86.sys [6/25/2010 2:16 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\ironx86.sys [6/25/2010 2:16 PM 116784]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe [6/25/2010 2:14 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/25/2010 10:39 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\IPSDefs\20100706.002\IDSXpx86.sys [7/6/2010 7:40 AM 331640]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Veetle TV - c:\documents and settings\User\Desktop\Veetle\UninstallVeetleTV.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-06 10:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????Z??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"=""c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe" /s "NIS" /m "c:\program files\Norton Internet Security\Engine\17.7.0.12\diMaster.dll" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(540)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-07-06 10:10:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-06 17:10

Pre-Run: 4,956,618,752 bytes free
Post-Run: 5,712,216,064 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 48B14C61271F6180A27247F76E6162D4

ModernWarfare2

Newbie Surfer

Posts : 30
Joined : 2010-07-04
Operating System : Windows XP HE SP3


Re: Tidserv virus + plus google search redirects

Post by Belahzur on Wed 07 Jul 2010, 4:17 am

Hello.

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    KILLALL::

    RenV::
    c:\program files\ACD Systems\ACDSee\CAMDET~1 .exe
    c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
    c:\program files\Alltel\GoBoingo\AlltelWifi .exe
    c:\program files\AT&T\Communication Manager\ATTCM .exe
    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
    c:\program files\Common Files\InstallShield\UpdateService\issch .exe
    c:\program files\Common Files\InstallShield\UpdateService\isuspm  .exe
    c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate .exe
    c:\program files\Hp\Digital Imaging\bin\hpqSRMon .exe
    c:\program files\Hp\HP Software Update\HPWuSchd2 .exe
    c:\program files\Hp\QuickPlay\QPService .exe
    c:\program files\HPQ\Default Settings\cpqset .exe
    c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant .exe
    c:\program files\QuickTime\qttask                              .exe
    c:\program files\QuickTime\qttask                            .exe
    c:\program files\QuickTime\qttask                            .exe
    c:\program files\QuickTime\qttask                          .exe
    c:\program files\QuickTime\qttask                          .exe
    c:\program files\QuickTime\qttask                        .exe
    c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4 .exe
    c:\program files\Sierra Wireless Inc\3G Watcher\WaHelper .exe
    c:\program files\Synaptics\SynTP\SynTPEnh .exe
    c:\program files\Yahoo!\Messenger\YahooMessenger .exe
    c:\program files\Yahoo!\Search Protection\SearchProtection .exe
    c:\windows\CREATOR\Remind_XP .exe
    c:\windows\SMINST\RecGuard .exe

    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre


Re: Tidserv virus + plus google search redirects

Post by ModernWarfare2 on Wed 07 Jul 2010, 5:07 am

ComboFix 10-07-06.01 - Moms 07/06/2010 10:49:14.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.187 [GMT -7:00]
Running from: c:\documents and settings\Moms\My Documents\Downloads\Combo-Fix.exe
Command switches used :: c:\documents and settings\Moms\My Documents\Downloads\CFscript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2010-06-06 to 2010-07-06 )))))))))))))))))))))))))))))))
.

2010-07-06 16:41 . 2008-04-13 18:40 5376 ----a-w- c:\windows\system32\drivers\viaide.sys
2010-07-06 16:41 . 2008-04-13 18:40 5376 ----a-w- c:\windows\system32\dllcache\viaide.sys
2010-07-04 08:50 . 2010-07-04 08:50 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-07-02 19:20 . 2010-07-06 15:21 -------- d-----w- C:\word docs
2010-06-29 03:28 . 2010-06-29 03:28 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-29 03:28 . 2006-05-09 13:21 9662 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DB7E00C9-6DEF-489A-8112-D8F81614F45A}\ARPPRODUCTICON.exe
2010-06-29 03:28 . 2006-05-09 13:21 65536 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DB7E00C9-6DEF-489A-8112-D8F81614F45A}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe
2010-06-29 03:28 . 2006-05-09 13:21 61440 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DB7E00C9-6DEF-489A-8112-D8F81614F45A}\NewShortcut5_DB7E00C96DEF489A8112D8F81614F45A.exe
2010-06-29 03:28 . 2006-05-09 13:21 61440 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DB7E00C9-6DEF-489A-8112-D8F81614F45A}\NewShortcut4_DB7E00C96DEF489A8112D8F81614F45A.exe
2010-06-29 03:28 . 2006-05-09 13:21 61440 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DB7E00C9-6DEF-489A-8112-D8F81614F45A}\NewShortcut3_DB7E00C96DEF489A8112D8F81614F45A.exe
2010-06-29 03:28 . 2006-05-09 13:21 61440 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DB7E00C9-6DEF-489A-8112-D8F81614F45A}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe
2010-06-29 03:28 . 2006-05-09 13:21 61440 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DB7E00C9-6DEF-489A-8112-D8F81614F45A}\NewShortcut11_DB7E00C96DEF489A8112D8F81614F45A.exe
2010-06-29 03:28 . 2006-05-09 13:21 61440 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DB7E00C9-6DEF-489A-8112-D8F81614F45A}\NewShortcut1_DB7E00C96DEF489A8112D8F81614F45A.exe
2010-06-29 03:28 . 2006-05-09 12:54 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{6815FCDD-401D-481E-BA88-31B4754C2B46}\ARPPRODUCTICON.exe
2010-06-27 00:32 . 2010-06-27 00:32 -------- d-----w- c:\documents and settings\Moms\Application Data\Malwarebytes
2010-06-26 01:55 . 2010-06-26 01:55 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-25 17:31 . 2010-06-25 17:31 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-25 17:31 . 2010-06-25 17:31 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-25 17:31 . 2010-06-25 17:31 -------- d-----w- c:\program files\Symantec
2010-06-25 17:29 . 2010-06-26 01:11 -------- d-----w- c:\windows\system32\drivers\NIS
2010-06-25 17:29 . 2010-06-25 17:29 -------- d-----w- c:\program files\Norton Internet Security
2010-06-25 17:29 . 2010-06-25 17:29 -------- d-----w- c:\program files\Windows Sidebar
2010-06-25 17:15 . 2010-06-25 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2010-06-25 17:15 . 2010-06-25 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-06-25 17:15 . 2010-06-25 17:15 -------- d-----w- c:\program files\NortonInstaller
2010-06-25 17:02 . 2010-06-25 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-06-25 14:16 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-25 14:16 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-25 01:24 . 2010-06-25 01:24 -------- d-sh--w- c:\documents and settings\Moms\PrivacIE
2010-06-23 01:40 . 2010-06-23 01:40 -------- d-----w- c:\program files\Microsoft.NET
2010-06-23 01:35 . 2010-06-23 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-23 01:33 . 2010-06-23 01:33 -------- d-----r- C:\MSOCache
2010-06-22 19:09 . 2010-06-25 20:12 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-22 19:09 . 2010-06-25 20:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-21 21:39 . 2009-08-05 12:51 192512 ----a-r- c:\windows\system32\Spool\prtprocs\w32x86\EKIJ5000PPR.dll
2010-06-21 21:38 . 2009-08-05 12:51 405504 ----a-r- c:\windows\system32\EKIJ5000MON.dll
2010-06-21 21:37 . 2009-08-05 12:51 126976 ----a-r- c:\windows\system32\EKIJCOINST05.dll
2010-06-21 20:59 . 2010-06-21 20:59 -------- d-----w- c:\program files\Bonjour
2010-06-21 20:59 . 2010-06-21 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-06-21 20:57 . 2010-06-21 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-06-21 20:47 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-06-21 20:47 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys
2010-06-21 20:47 . 2010-06-21 20:47 -------- d-----w- c:\windows\system32\kodak
2010-06-21 20:46 . 2001-08-18 05:36 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2010-06-21 20:46 . 2001-08-18 05:36 87040 ----a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-06-21 20:46 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-06-21 20:46 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2010-06-21 20:44 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-06-21 20:44 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-06-21 20:19 . 2010-06-21 20:19 -------- d-----w- c:\documents and settings\Moms\Local Settings\Application Data\Mozilla
2010-06-21 20:16 . 2010-06-21 20:16 -------- d-sh--w- c:\documents and settings\Moms\IETldCache
2010-06-18 23:29 . 2010-07-06 15:21 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-08 02:30 . 2010-06-08 02:30 -------- d-----w- c:\program files\MPC HomeCinema
2010-06-08 02:29 . 2010-06-08 02:29 -------- d-----w- c:\program files\Citrix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-06 17:49 . 2008-04-19 04:10 -------- d-----w- c:\program files\QuickTime
2010-07-05 19:19 . 2010-05-15 23:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-25 17:43 . 2006-05-09 13:07 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-25 17:31 . 2010-06-25 17:31 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-25 17:31 . 2010-06-25 17:31 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-25 01:11 . 2010-06-21 20:15 103056 ----a-w- c:\documents and settings\Moms\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-23 01:43 . 2006-05-09 12:55 -------- d-----w- c:\program files\Microsoft Works
2010-06-21 20:16 . 2010-06-21 20:15 127 ----a-w- c:\documents and settings\Moms\Local Settings\Application Data\fusioncache.dat
2010-06-02 16:38 . 2006-03-27 16:17 86939 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-06-02 16:04 . 2006-05-09 12:57 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-05-23 06:36 . 2010-05-23 06:36 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-05-23 06:36 . 2010-05-23 06:36 -------- d-----w- c:\program files\DVDVideoSoft
2010-05-21 22:31 . 2010-05-21 22:31 1708 --sha-r- c:\windows\system32\drivers\103C_HP_NTBK_Presario V5000 (EZ431UA#ABA)_YN_0Pres_QCND63204VW_E413900001_46_I30A8_SHP_V56.38_BF.15_T060613_WXH2_L409_M503_J60_7Intel_8Celeron M 410_91.46_#100521_N14E44311_(EZ431UA#ABA)_XMOBILE_CN10_Z_2F.15.MRK
2010-05-21 22:25 . 2006-05-09 10:35 -------- d-----w- c:\program files\HPQ
2010-05-21 22:02 . 2006-05-09 13:19 -------- d-----w- c:\program files\Quickensetup
2010-05-21 22:02 . 2006-05-09 13:20 -------- d-----w- c:\program files\Quicken
2010-05-21 22:00 . 2006-05-09 13:35 -------- d-----w- c:\program files\NetWaiting
2010-05-21 22:00 . 2006-05-09 13:17 -------- d-----w- c:\program files\music_now
2010-05-21 22:00 . 2006-05-09 12:55 -------- d-----w- c:\program files\MSN Encarta Plus
2010-05-21 21:59 . 2006-05-09 13:19 -------- d-----w- c:\program files\Microsoft Office Trial Wizard
2010-05-21 21:58 . 2006-05-09 12:54 -------- d-----w- c:\program files\Microsoft Money 2006
2010-05-21 21:58 . 2006-05-09 13:22 -------- d-----w- c:\program files\HP Rhapsody
2010-05-21 21:56 . 2006-05-09 10:35 -------- d-----w- c:\program files\Hewlett-Packard
2010-05-21 21:56 . 2006-05-09 13:16 -------- d-----w- c:\program files\Google
2010-05-21 21:56 . 2006-05-09 12:46 -------- d-----w- c:\program files\CONEXANT
2010-05-21 21:55 . 2006-05-09 10:35 -------- d-----w- c:\program files\Common Files\SureThing Shared
2010-05-21 21:55 . 2006-05-09 10:35 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-05-21 21:55 . 2006-05-09 13:20 -------- d-----w- c:\program files\Common Files\Palo Alto Software
2010-05-21 21:55 . 2006-05-09 13:24 -------- d-----w- c:\program files\Common Files\LightScribe
2010-05-21 21:51 . 2010-06-29 03:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Symantec
2010-05-21 21:51 . 2010-06-21 20:15 -------- d-----w- c:\documents and settings\Moms\Application Data\Symantec
2010-05-21 21:51 . 2010-05-21 22:29 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec
2010-05-21 21:51 . 2010-06-29 03:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intuit
2010-05-21 21:51 . 2010-06-21 20:15 -------- d-----w- c:\documents and settings\Moms\Application Data\Intuit
2010-05-21 21:51 . 2010-05-21 22:29 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Intuit
2010-05-21 21:51 . 2006-05-09 10:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2010-05-18 11:12 . 2010-04-27 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-05-18 10:30 . 2010-04-29 00:44 179 ----a-w- C:\handle.dat
2010-05-18 01:52 . 2010-05-18 01:53 1129120 ----a-w- c:\documents and settings\All Users\Application Data\STOPzilla!\vdb\vbcorent.dll
2010-05-18 01:50 . 2010-05-18 01:50 -------- d-----w- c:\program files\STOPzilla!
2010-05-18 01:29 . 2010-05-16 16:34 -------- d-----w- c:\program files\RegScrubXP
2010-05-17 17:05 . 2010-04-27 21:01 -------- d-----w- c:\documents and settings\NetworkService\Application Data\HPAppData
2010-05-17 16:57 . 2010-04-23 19:37 112 ----a-w- c:\documents and settings\All Users\Application Data\wa4rGu0l.dat
2010-05-16 00:41 . 2010-05-16 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-16 00:41 . 2010-05-16 00:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-16 00:40 . 2010-05-16 00:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-15 23:43 . 2010-05-15 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-14 00:17 . 2010-05-14 00:17 -------- d-----w- c:\program files\Trend Micro
2010-05-10 04:39 . 2007-01-25 05:35 -------- d-----w- c:\program files\Trillian
2010-05-10 04:16 . 2006-09-04 21:46 -------- d-----w- c:\program files\EPSON
2010-05-10 04:16 . 2009-12-21 00:46 -------- d-----w- c:\program files\DivX
2010-05-10 04:06 . 2009-01-09 15:50 -------- d-----w- c:\program files\Canon
2010-05-10 04:05 . 2010-05-10 04:05 -------- d-----w- c:\documents and settings\All Users\Application Data\AT&T
2010-04-27 23:01 . 2010-04-27 23:01 12718080 ---ha-w- C:\SZKGFS.dat
2008-04-19 04:16 . 2008-04-19 04:16 23700784 ----a-w- c:\program files\QuickTimeInstaller.exe
2008-04-19 03:55 . 2008-04-19 03:55 6039048 ----a-w- c:\program files\Firefox Setup 2.0.0.14.exe
.
Code:
c:\program files\Common Files\InstallShield\UpdateService\isuspm  .exe
c:\program files\QuickTime\qttask                            .exe
c:\program files\QuickTime\qttask                          .exe
c:\program files\QuickTime\qttask                        .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-11 36975]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-08-05 1626112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-7-1 113664]
HP Photosmart Premier Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-8-19 111376]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-8-19 51984]
RSDUpdater.exe.lnk - c:\windows\explorer.exe [2004-8-4 1033728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\winver.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\symds.sys [6/25/2010 2:16 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1107000.00C\symefa.sys [6/25/2010 2:16 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\BASHDefs\20100619.001\BHDrvx86.sys [6/19/2010 12:46 AM 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\cchpx86.sys [6/25/2010 2:16 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\ironx86.sys [6/25/2010 2:16 PM 116784]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe [6/25/2010 2:14 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/25/2010 10:39 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\IPSDefs\20100706.002\IDSXpx86.sys [7/6/2010 7:40 AM 331640]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-06 11:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????Z??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"=""c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe" /s "NIS" /m "c:\program files\Norton Internet Security\Engine\17.7.0.12\diMaster.dll" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3672)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2010-07-06 11:05:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-06 18:05
ComboFix2.txt 2010-07-06 17:10

Pre-Run: 5,751,021,568 bytes free
Post-Run: 5,737,562,112 bytes free

- - End Of File - - 40A5EA2E03323D6829E07AC512038FB0

ModernWarfare2

Newbie Surfer

Posts : 30
Joined : 2010-07-04
Operating System : Windows XP HE SP3

Re: Tidserv virus + plus google search redirects

Post by Belahzur on Wed 07 Jul 2010, 5:58 am

Hello.

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    KILLALL::

    File::
    c:\program files\Common Files\InstallShield\UpdateService\isuspm  .exe
    c:\program files\QuickTime\qttask                            .exe
    c:\program files\QuickTime\qttask                          .exe
    c:\program files\QuickTime\qttask                        .exe

    Reboot::
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre
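The four paths in the CFScript above are not typos: each is a file whose name carries a run of blanks between the stem and ".exe" (qttask followed by many spaces, then .exe), sitting in the same folder as the genuine qttask.exe and isuspm.exe that the Run key in the earlier log points at. ComboFix reports such space-padded names because they look identical to the real file at a glance. The script below is an added example, not code from the thread or from ComboFix: it finds names of that shape in a list of paths (or in a live directory tree), reports which legitimate name each one mimics so the two can be compared by size, signature and hash before anything is deleted, and renders the hits as a File:: block in the same CFScript layout the helper used. The function names, the sample path list and the padding widths in it are my own constructions; the page only shows the rendered paths.

```python
"""Added example (not from the thread): find whitespace-padded file names of the
kind ComboFix flagged here (qttask<spaces>.exe beside the real qttask.exe) and
emit the matching CFScript File:: block. Sample paths below are constructed."""
import ntpath
import os
import re
from typing import Dict, Iterable, List

# A base name that ends in one or more blanks immediately before its extension.
# "qttask      .exe" matches; "qttask.exe" and "my file.exe" do not.
_PADDED = re.compile(r"^(?P<stem>.*?\S)(?P<pad>\s+)\.(?P<ext>[A-Za-z0-9]+)$")


def padded_name_hits(paths: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per path whose file name hides padding before the extension.

    'mimics' is the name the impostor is dressed up as, so the analyst can pull the
    legitimate neighbour for comparison (size, signature, hash) before deleting.
    ntpath is used so Windows paths copied from a log parse the same on any host.
    """
    hits: List[Dict[str, object]] = []
    for path in paths:
        directory, name = ntpath.split(path)
        m = _PADDED.match(name)
        if m is None:
            continue
        hits.append({
            "path": path,
            "directory": directory,
            "mimics": f"{m.group('stem')}.{m.group('ext')}",
            "padding": len(m.group("pad")),
        })
    return hits


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk a live directory tree and apply the same check to every file in it."""
    found: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in files)
    return padded_name_hits(found)


def build_cfscript(hits: Iterable[Dict[str, object]], reboot: bool = True) -> str:
    """Render the hits as a ComboFix script in the form used in the thread above."""
    lines = ["KILLALL::", "", "File::"]
    lines.extend(str(h["path"]) for h in hits)
    if reboot:
        lines.extend(["", "Reboot::"])
    return "\n".join(lines) + "\n"


# Constructed sample (padding widths are assumed): two qttask impostors and one
# isuspm impostor next to their genuine twins, plus a name with an ordinary
# interior space, which must not be flagged.
SAMPLE_PATHS = [
    r"c:\program files\QuickTime\qttask.exe",
    r"c:\program files\QuickTime\qttask" + " " * 28 + ".exe",
    r"c:\program files\QuickTime\qttask" + " " * 26 + ".exe",
    r"c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe",
    r"c:\program files\Common Files\InstallShield\UpdateService\isuspm" + "  " + ".exe",
    r"c:\program files\Adobe\Reader\my file.exe",
]

if __name__ == "__main__":
    for h in padded_name_hits(SAMPLE_PATHS):
        print(f"{h['padding']:>3} blank(s): {h['path']!r} mimics {h['mimics']}")
    print(build_cfscript(padded_name_hits(SAMPLE_PATHS)))
```

Run it against a real tree with scan_tree(r"C:\Program Files") on the affected machine; the generated File:: block is only a starting point, and each listed path should be checked against the twin it mimics before the script is fed to ComboFix.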

Re: Tidserv virus + plus google search redirects

Post by ModernWarfare2 on Wed 07 Jul 2010, 6:29 am

ComboFix 10-07-06.01 - Moms 07/06/2010 12:07:34.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.169 [GMT -7:00]
Running from: c:\documents and settings\Moms\My Documents\Downloads\Combo-Fix.exe
Command switches used :: c:\documents and settings\Moms\My Documents\Downloads\CFscript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FILE ::
"c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe"
"c:\program files\QuickTime\qttask .exe"
"c:\program files\QuickTime\qttask .exe"
"c:\program files\QuickTime\qttask .exe"
.

((((((((((((((((((((((((( Files Created from 2010-06-06 to 2010-07-06 )))))))))))))))))))))))))))))))
.

2010-07-06 16:41 . 2008-04-13 18:40 5376 ----a-w- c:\windows\system32\drivers\viaide.sys
2010-07-06 16:41 . 2008-04-13 18:40 5376 ----a-w- c:\windows\system32\dllcache\viaide.sys
2010-07-04 08:50 . 2010-07-04 08:50 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-07-02 19:20 . 2010-07-06 15:21 -------- d-----w- C:\word docs
2010-06-29 03:28 . 2010-06-29 03:28 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-29 03:28 . 2006-05-09 13:21 9662 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DB7E00C9-6DEF-489A-8112-D8F81614F45A}\ARPPRODUCTICON.exe
2010-06-29 03:28 . 2006-05-09 13:21 65536 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DB7E00C9-6DEF-489A-8112-D8F81614F45A}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe
2010-06-29 03:28 . 2006-05-09 13:21 61440 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DB7E00C9-6DEF-489A-8112-D8F81614F45A}\NewShortcut5_DB7E00C96DEF489A8112D8F81614F45A.exe
2010-06-29 03:28 . 2006-05-09 13:21 61440 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DB7E00C9-6DEF-489A-8112-D8F81614F45A}\NewShortcut4_DB7E00C96DEF489A8112D8F81614F45A.exe
2010-06-29 03:28 . 2006-05-09 13:21 61440 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DB7E00C9-6DEF-489A-8112-D8F81614F45A}\NewShortcut3_DB7E00C96DEF489A8112D8F81614F45A.exe
2010-06-29 03:28 . 2006-05-09 13:21 61440 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DB7E00C9-6DEF-489A-8112-D8F81614F45A}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe
2010-06-29 03:28 . 2006-05-09 13:21 61440 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DB7E00C9-6DEF-489A-8112-D8F81614F45A}\NewShortcut11_DB7E00C96DEF489A8112D8F81614F45A.exe
2010-06-29 03:28 . 2006-05-09 13:21 61440 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DB7E00C9-6DEF-489A-8112-D8F81614F45A}\NewShortcut1_DB7E00C96DEF489A8112D8F81614F45A.exe
2010-06-29 03:28 . 2006-05-09 12:54 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{6815FCDD-401D-481E-BA88-31B4754C2B46}\ARPPRODUCTICON.exe
2010-06-27 00:32 . 2010-06-27 00:32 -------- d-----w- c:\documents and settings\Moms\Application Data\Malwarebytes
2010-06-26 01:55 . 2010-06-26 01:55 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-25 17:31 . 2010-06-25 17:31 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-25 17:31 . 2010-06-25 17:31 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-25 17:31 . 2010-06-25 17:31 -------- d-----w- c:\program files\Symantec
2010-06-25 17:29 . 2010-06-26 01:11 -------- d-----w- c:\windows\system32\drivers\NIS
2010-06-25 17:29 . 2010-06-25 17:29 -------- d-----w- c:\program files\Norton Internet Security
2010-06-25 17:29 . 2010-06-25 17:29 -------- d-----w- c:\program files\Windows Sidebar
2010-06-25 17:15 . 2010-06-25 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2010-06-25 17:15 . 2010-06-25 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-06-25 17:15 . 2010-06-25 17:15 -------- d-----w- c:\program files\NortonInstaller
2010-06-25 17:02 . 2010-06-25 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-06-25 14:16 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-25 14:16 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-25 01:24 . 2010-06-25 01:24 -------- d-sh--w- c:\documents and settings\Moms\PrivacIE
2010-06-23 01:40 . 2010-06-23 01:40 -------- d-----w- c:\program files\Microsoft.NET
2010-06-23 01:35 . 2010-06-23 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-23 01:33 . 2010-06-23 01:33 -------- d-----r- C:\MSOCache
2010-06-22 19:09 . 2010-06-25 20:12 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-22 19:09 . 2010-06-25 20:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-21 21:39 . 2009-08-05 12:51 192512 ----a-r- c:\windows\system32\Spool\prtprocs\w32x86\EKIJ5000PPR.dll
2010-06-21 21:38 . 2009-08-05 12:51 405504 ----a-r- c:\windows\system32\EKIJ5000MON.dll
2010-06-21 21:37 . 2009-08-05 12:51 126976 ----a-r- c:\windows\system32\EKIJCOINST05.dll
2010-06-21 20:59 . 2010-06-21 20:59 -------- d-----w- c:\program files\Bonjour
2010-06-21 20:59 . 2010-06-21 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-06-21 20:57 . 2010-06-21 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-06-21 20:47 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-06-21 20:47 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys
2010-06-21 20:47 . 2010-06-21 20:47 -------- d-----w- c:\windows\system32\kodak
2010-06-21 20:46 . 2001-08-18 05:36 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2010-06-21 20:46 . 2001-08-18 05:36 87040 ----a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-06-21 20:46 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-06-21 20:46 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2010-06-21 20:44 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-06-21 20:44 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-06-21 20:19 . 2010-06-21 20:19 -------- d-----w- c:\documents and settings\Moms\Local Settings\Application Data\Mozilla
2010-06-21 20:16 . 2010-06-21 20:16 -------- d-sh--w- c:\documents and settings\Moms\IETldCache
2010-06-18 23:29 . 2010-07-06 15:21 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-08 02:30 . 2010-06-08 02:30 -------- d-----w- c:\program files\MPC HomeCinema
2010-06-08 02:29 . 2010-06-08 02:29 -------- d-----w- c:\program files\Citrix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-06 17:49 . 2008-04-19 04:10 -------- d-----w- c:\program files\QuickTime
2010-07-05 19:19 . 2010-05-15 23:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-25 17:43 . 2006-05-09 13:07 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-25 17:31 . 2010-06-25 17:31 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-25 17:31 . 2010-06-25 17:31 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-25 01:11 . 2010-06-21 20:15 103056 ----a-w- c:\documents and settings\Moms\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-23 01:43 . 2006-05-09 12:55 -------- d-----w- c:\program files\Microsoft Works
2010-06-21 20:16 . 2010-06-21 20:15 127 ----a-w- c:\documents and settings\Moms\Local Settings\Application Data\fusioncache.dat
2010-06-02 16:38 . 2006-03-27 16:17 86939 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-06-02 16:04 . 2006-05-09 12:57 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-05-23 06:36 . 2010-05-23 06:36 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-05-23 06:36 . 2010-05-23 06:36 -------- d-----w- c:\program files\DVDVideoSoft
2010-05-21 22:31 . 2010-05-21 22:31 1708 --sha-r- c:\windows\system32\drivers\103C_HP_NTBK_Presario V5000 (EZ431UA#ABA)_YN_0Pres_QCND63204VW_E413900001_46_I30A8_SHP_V56.38_BF.15_T060613_WXH2_L409_M503_J60_7Intel_8Celeron M 410_91.46_#100521_N14E44311_(EZ431UA#ABA)_XMOBILE_CN10_Z_2F.15.MRK
2010-05-21 22:25 . 2006-05-09 10:35 -------- d-----w- c:\program files\HPQ
2010-05-21 22:02 . 2006-05-09 13:19 -------- d-----w- c:\program files\Quickensetup
2010-05-21 22:02 . 2006-05-09 13:20 -------- d-----w- c:\program files\Quicken
2010-05-21 22:00 . 2006-05-09 13:35 -------- d-----w- c:\program files\NetWaiting
2010-05-21 22:00 . 2006-05-09 13:17 -------- d-----w- c:\program files\music_now
2010-05-21 22:00 . 2006-05-09 12:55 -------- d-----w- c:\program files\MSN Encarta Plus
2010-05-21 21:59 . 2006-05-09 13:19 -------- d-----w- c:\program files\Microsoft Office Trial Wizard
2010-05-21 21:58 . 2006-05-09 12:54 -------- d-----w- c:\program files\Microsoft Money 2006
2010-05-21 21:58 . 2006-05-09 13:22 -------- d-----w- c:\program files\HP Rhapsody
2010-05-21 21:56 . 2006-05-09 10:35 -------- d-----w- c:\program files\Hewlett-Packard
2010-05-21 21:56 . 2006-05-09 13:16 -------- d-----w- c:\program files\Google
2010-05-21 21:56 . 2006-05-09 12:46 -------- d-----w- c:\program files\CONEXANT
2010-05-21 21:55 . 2006-05-09 10:35 -------- d-----w- c:\program files\Common Files\SureThing Shared
2010-05-21 21:55 . 2006-05-09 10:35 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-05-21 21:55 . 2006-05-09 13:20 -------- d-----w- c:\program files\Common Files\Palo Alto Software
2010-05-21 21:55 . 2006-05-09 13:24 -------- d-----w- c:\program files\Common Files\LightScribe
2010-05-21 21:51 . 2010-06-29 03:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Symantec
2010-05-21 21:51 . 2010-06-21 20:15 -------- d-----w- c:\documents and settings\Moms\Application Data\Symantec
2010-05-21 21:51 . 2010-05-21 22:29 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec
2010-05-21 21:51 . 2010-06-29 03:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intuit
2010-05-21 21:51 . 2010-06-21 20:15 -------- d-----w- c:\documents and settings\Moms\Application Data\Intuit
2010-05-21 21:51 . 2010-05-21 22:29 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Intuit
2010-05-21 21:51 . 2006-05-09 10:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2010-05-18 11:12 . 2010-04-27 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-05-18 10:30 . 2010-04-29 00:44 179 ----a-w- C:\handle.dat
2010-05-18 01:52 . 2010-05-18 01:53 1129120 ----a-w- c:\documents and settings\All Users\Application Data\STOPzilla!\vdb\vbcorent.dll
2010-05-18 01:50 . 2010-05-18 01:50 -------- d-----w- c:\program files\STOPzilla!
2010-05-18 01:29 . 2010-05-16 16:34 -------- d-----w- c:\program files\RegScrubXP
2010-05-17 17:05 . 2010-04-27 21:01 -------- d-----w- c:\documents and settings\NetworkService\Application Data\HPAppData
2010-05-17 16:57 . 2010-04-23 19:37 112 ----a-w- c:\documents and settings\All Users\Application Data\wa4rGu0l.dat
2010-05-16 00:41 . 2010-05-16 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-16 00:41 . 2010-05-16 00:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-16 00:40 . 2010-05-16 00:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-15 23:43 . 2010-05-15 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-14 00:17 . 2010-05-14 00:17 -------- d-----w- c:\program files\Trend Micro
2010-05-10 04:39 . 2007-01-25 05:35 -------- d-----w- c:\program files\Trillian
2010-05-10 04:16 . 2006-09-04 21:46 -------- d-----w- c:\program files\EPSON
2010-05-10 04:16 . 2009-12-21 00:46 -------- d-----w- c:\program files\DivX
2010-05-10 04:06 . 2009-01-09 15:50 -------- d-----w- c:\program files\Canon
2010-05-10 04:05 . 2010-05-10 04:05 -------- d-----w- c:\documents and settings\All Users\Application Data\AT&T
2010-04-27 23:01 . 2010-04-27 23:01 12718080 ---ha-w- C:\SZKGFS.dat
2008-04-19 04:16 . 2008-04-19 04:16 23700784 ----a-w- c:\program files\QuickTimeInstaller.exe
2008-04-19 03:55 . 2008-04-19 03:55 6039048 ----a-w- c:\program files\Firefox Setup 2.0.0.14.exe
.
Code:

    c:\program files\Common Files\InstallShield\UpdateService\isuspm  .exe
    c:\program files\QuickTime\qttask                            .exe
    c:\program files\QuickTime\qttask                          .exe
    c:\program files\QuickTime\qttask                        .exe

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-06 19:19 . 2010-07-06 19:19 16384 c:\windows\temp\Perflib_Perfdata_6bc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-11 36975]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-08-05 1626112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-7-1 113664]
HP Photosmart Premier Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-8-19 111376]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-8-19 51984]
RSDUpdater.exe.lnk - c:\windows\explorer.exe [2004-8-4 1033728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\winver.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\symds.sys [6/25/2010 2:16 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1107000.00C\symefa.sys [6/25/2010 2:16 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\BASHDefs\20100619.001\BHDrvx86.sys [6/19/2010 12:46 AM 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\cchpx86.sys [6/25/2010 2:16 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\ironx86.sys [6/25/2010 2:16 PM 116784]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe [6/25/2010 2:14 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/25/2010 10:39 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\IPSDefs\20100706.002\IDSXpx86.sys [7/6/2010 7:40 AM 331640]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-06 12:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????Z??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"=""c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe" /s "NIS" /m "c:\program files\Norton Internet Security\Engine\17.7.0.12\diMaster.dll" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2132)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2010-07-06 12:25:38 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-06 19:25
ComboFix2.txt 2010-07-06 18:05
ComboFix3.txt 2010-07-06 17:10

Pre-Run: 5,707,509,760 bytes free
Post-Run: 5,694,271,488 bytes free

- - End Of File - - 413D1C63B9097EBDE63285A4A9D97A3A

ModernWarfare2

Newbie Surfer

Posts : 30
Joined : 2010-07-04
Operating System : Windows XP HE SP3

Re: Tidserv virus + plus google search redirects

Post by Belahzur on Wed 07 Jul 2010, 6:56 am

Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: Tidserv virus + plus google search redirects

Post by ModernWarfare2 on Wed 07 Jul 2010, 9:49 am

Hi Belahzur,

It did a scan and found 4 trojans but did not save a log.txt to the folder?

I checked remove and uninstall the viruses.

MW2

ModernWarfare2

Newbie Surfer

Posts : 30
Joined : 2010-07-04
Operating System : Windows XP HE SP3

Re: Tidserv virus + plus google search redirects

Post by Belahzur on Wed 07 Jul 2010, 11:37 am

Hello.

Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: Tidserv virus + plus google search redirects

Post by ModernWarfare2 on Wed 07 Jul 2010, 11:52 am

Adobe Flash Player 10 ActiveX
Adobe Reader 6.0.1
Bonjour
Conexant HD Audio
Customer Experience Enhancement
Free Audio CD Burner version 1.3
Free YouTube to MP3 Converter version 3.5
Google Toolbar for Internet Explorer
HDAUDIO Soft Data Fax Modem with SmartCP
HiJackThis
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP DVD Play 2.1
HP Help and Support
HP Imaging Device Functions 6.0
HP Photosmart Premier Software 6.0
HP Quick Launch Buttons 6.00 E2
HP Rhapsody
HP Software Update
HP User Guides 0019
HP User Guides--System Recovery
HP Wireless Assistant 2.00 E1
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
J2SE Runtime Environment 5.0 Update 6
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
Media Player Classic - Home Cinema v. 1.3.1249.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0
Microsoft ActiveSync
Microsoft Excel 97
Microsoft Money 2006
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Word 97
Microsoft Works
Mozilla Firefox (3.5.10)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 4.5
Netscape Browser (remove only)
NetWaiting
Norton Internet Security
Office 2003 Trial Assistant
Quicken 2006
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
SmartAudio
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TourSetup
Uninstall 1.0.0.1
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB980182)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB894476
Windows XP Service Pack 3
Wireless Home Network Setup

ModernWarfare2

Newbie Surfer

Posts : 30
Joined : 2010-07-04
Operating System : Windows XP HE SP3


Re: Tidserv virus + plus google search redirects

Post by ModernWarfare2 on Thu 08 Jul 2010, 9:47 am

Hi Belahzur,

I know you're a busy person and I thank you for your consistent help, it is appreciated. I was not sure if we are done?

The Computer seems to be running great at this time, I just don't know until you give it the two thumbs up?

Thank You
MW2

ModernWarfare2

Newbie Surfer

Posts : 30
Joined : 2010-07-04
Operating System : Windows XP HE SP3


Re: Tidserv virus + plus google search redirects

Post by Belahzur on Thu 08 Jul 2010, 10:30 am

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Adobe Reader 6.0.1
    J2SE Runtime Environment 5.0 Update 6

Updating Java:

  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 20.
  • Click the "Download JRE" button to the right.
  • In the window that opens, select your platform, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe that you downloaded to install the newest version.

Then download and install Adobe Reader 9.3.3.

How is the machine running now?



Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

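The advice above is to remove the old Adobe Reader and J2SE 5.0 entries from the installed-programs list. As an added example (not from this thread or from OTL), here is a small Python triage script that reads an OTL "Installed Programs" section and flags Java and Adobe Reader builds older than the versions named in the post; the sample log lines and the version policy table are constructed for the example.

```python
"""Flag outdated Java / Adobe Reader entries in an OTL Extras.txt program list.

Hypothetical helper written for this thread, not part of OTL. The minimum
versions come from the advice above: Java SE 6 Update 20 and Adobe Reader 9.3.3.
"""
import re

# Policy table (assumed for the example): oldest acceptable versions.
MIN_JRE = (6, 20)        # "Java(TM) 6 Update 20"
MIN_READER = (9, 3, 3)   # "Adobe Reader 9.3.3"

# Display names as Add/Remove Programs lists them, e.g.
# "J2SE Runtime Environment 5.0 Update 6" or "Java(TM) 6 Update 20".
JAVA_RE = re.compile(
    r"^(?:J2SE Runtime Environment|Java\(TM\)(?: SE Runtime Environment)?)"
    r"\s+(\d+)(?:\.0)?\s+Update\s+(\d+)$", re.I)
READER_RE = re.compile(r"^Adobe Reader\s+(\d+(?:\.\d+)*)$")


def parse_version(text):
    """'9.3.3' -> (9, 3, 3) so tuples compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def audit_installed(lines):
    """Return (entry, reason) findings for outdated or duplicated runtimes."""
    findings = []
    java_seen = []
    for raw in lines:
        line = raw.strip()
        m = JAVA_RE.match(line)
        if m:
            ver = (int(m.group(1)), int(m.group(2)))
            java_seen.append(line)
            if ver < MIN_JRE:
                findings.append((line, "Java older than 6 Update 20: uninstall"))
            continue
        m = READER_RE.match(line)
        if m and parse_version(m.group(1)) < MIN_READER:
            findings.append((line, "Adobe Reader older than 9.3.3: uninstall, then install current"))
    # Side-by-side JREs are common after upgrades; the old one stays exploitable.
    if len(java_seen) > 1:
        findings.append(("multiple Java runtimes", "remove every JRE except the newest"))
    return findings


# Constructed sample of an OTL installed-programs section (not the real log).
SAMPLE_EXTRAS = """Adobe Reader 6.0.1
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 20
Security Update for Windows XP (KB980232)
Windows XP Service Pack 3""".splitlines()

if __name__ == "__main__":
    for entry, reason in audit_installed(SAMPLE_EXTRAS):
        print(f"{entry}: {reason}")
```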

Re: Tidserv virus + plus google search redirects

Post by ModernWarfare2 on Thu 08 Jul 2010, 1:55 pm

Hi Belahzur,

The machine is running great, I know I probably need to upgrade on memory, and get rid of some mp3's and photos, but it RUNS SO MUCH BETTER, I can tell the difference since yesterday's removals.

I wasn't sure if I should download the McAfee Security Scan Plus?

I will not be renewing Norton Security due to the lack of support, any recommendations?

I will be donating for your SUPERB services!

Thank U
MW2

ModernWarfare2

Newbie Surfer

Posts : 30
Joined : 2010-07-04
Operating System : Windows XP HE SP3


Re: Tidserv virus + plus google search redirects

Post by Belahzur on Fri 09 Jul 2010, 1:48 am

I recommend Avira, Norton is such a huge resource hog.

1) AntiVir PersonalEdition Classic
- Free anti-virus software for Windows.
- Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.



Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre


Re: Tidserv virus + plus google search redirects

Post by ModernWarfare2 on Fri 09 Jul 2010, 5:39 am

Belahzur,

Thank You so much for your knowledge and support in order to restore my computer back to its original self.

I have one last question, I do like to use sharing servers to watch movies online, is there any way to protect myself?

Thank you,
MW2

ModernWarfare2

Newbie Surfer

Posts : 30
Joined : 2010-07-04
Operating System : Windows XP HE SP3
