HOW TO REMOVE W32.TIDSERV VIRUS


Solved HOW TO REMOVE W32.TIDSERV VIRUS

Post by jiangyiming on Sun Dec 21, 2008 3:39 am

I tried using my Norton 360 to remove the virus, but it still comes back when I turn on my computer the next day. What should I do?
Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:41 AM, on 12/21/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Acer\Empowering Technology\SysMonitor.exe
C:\Program Files\Acer\Empowering Technology\Framework.Launcher.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\V0470Mon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Tencent SearchHook - {DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} - C:\Program Files\TENCENT\SSPlus\SAddr.dll
O1 - Hosts: ::1 localhost
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Tencent Browser Helper - {0C7C23EF-A848-485B-873C-0ED954731014} - C:\Program Files\TENCENT\SSPlus\SAddr.dll
O2 - BHO: QQToolbar - {29CF293A-1E7D-4069-9E11-E39698D0AF95} - C:\Program Files\Tencent\QQToolbar\IEBar.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: (no name) - {669751ED-D558-49AE-B01A-3B374CC7910E} - C:\PROGRA~1\TENCENT\SSPlus\SSup.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: Partner BHO Class - {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\partner.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: GougouToolbarBHO - {ACDC15CD-B675-4C7C-86E9-CA92F2DF2896} - C:\Program Files\Thunder Network\GouGouToolbar\GougouToolBarHelper_now.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.415.1646\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O3 - Toolbar: 1?1?1????? - {D5DC8911-DCD3-49CE-AE95-8AD512F2D280} - C:\Program Files\Thunder Network\GouGouToolbar\GougouToolBar.1.0.0.20.(284).dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: QQToolbar - {29CF293A-1E7D-4069-9E11-E39698D0AF95} - C:\Program Files\Tencent\QQToolbar\IEBar.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Program Files\Acer\Empowering Technology\SysMonitor.exe
O4 - HKLM\..\Run: [EmpoweringTechnology] C:\Program Files\Acer\Empowering Technology\Framework.Launcher.exe boot
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [PCMMediaSharing] C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [stup.exe] C:\PROGRA~1\TENCENT\SSPlus\Stup.exe
O4 - HKLM\..\Run: [V0470Mon.exe] C:\Windows\V0470Mon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Thunder] "C:\Program Files\Thunder Network\Thunder\Thunder.exe" /s
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O8 - Extra context menu item: &Download by Orbit - [You must be registered and logged in to see this link.] Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - [You must be registered and logged in to see this link.] Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Do&wnload selected by Orbit - [You must be registered and logged in to see this link.] Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - [You must be registered and logged in to see this link.] Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O11 - Options group: [TBH] ???D??????
O13 - Gopher Prefix:
O15 - ESC Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {F3E70CEA-956E-49CC-B444-73AFE593AD7F} (XPPlayer Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9898A29-D1B4-4E0A-B2B3-4FB4AEDAEF56}: NameServer = 85.255.116.156;85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2C27995-B772-4E20-A006-85A65AA2B3DE}: NameServer = 85.255.116.156;85.255.112.21
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.156;85.255.112.21
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.156;85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.156;85.255.112.21
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Acer HomeMedia Connect Service - CyberLink - C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
O23 - Service: Google Desktop Manager 5.7.808.7150 (GoogleDesktopManager-080708-050100) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Partner Service - Google Inc. - c:\programdata\partner\partner.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 12967 bytes

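The O17 lines in the log above are the detail a helper checks first: every interface and every control set has NameServer set to 85.255.116.156 and 85.255.112.21, and the O2/O3 sections carry entries marked "(no file)". A machine whose resolver settings point at an unfamiliar address keeps being redirected even after the dropper files are deleted, which is one reason a cleanup can appear to "come back". The script below is an added example written for this thread; it is not code from the forum, from HijackThis or from ComboFix. It parses HijackThis-format lines, reports NameServer entries outside an allowlist of expected resolvers, and lists orphan "(no file)" entries. The sample lines are constructed to mirror the posted log, and EXPECTED_RESOLVERS is an assumed allowlist that a defender fills in with the router, ISP or corporate DNS the machine should actually use.

```python
"""Triage checks over HijackThis log lines: O17 NameServer entries and orphan O2/O3 entries.

Added example for this thread; not code from the forum, from HijackThis or from ComboFix.
The sample lines are constructed (they mirror the posted log but are not copied verbatim),
and EXPECTED_RESOLVERS is an assumed allowlist to be replaced with the machine's real resolvers.
"""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed sample in HijackThis 2.0.2 line format.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9898A29-D1B4-4E0A-B2B3-4FB4AEDAEF56}: NameServer = 85.255.116.156;85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.156;85.255.112.21
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

# Assumed allowlist: networks whose resolvers are legitimate for this machine.
# Replace with the router / ISP / corporate DNS addresses the machine is supposed to use.
EXPECTED_RESOLVERS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

# HijackThis O17 line: "O17 - <registry key>: NameServer = <server>[;<server>...]"
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def parse_nameservers(log_text: str) -> Dict[str, List[str]]:
    """Map each O17 registry key to the DNS server strings it carries.
    HijackThis joins multiple servers with ';' (sometimes ','); both are accepted."""
    result: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s for s in re.split(r"[;,\s]+", m.group("servers")) if s]
            result[m.group("key")] = servers
    return result


def unexpected_dns(log_text: str, allowed=EXPECTED_RESOLVERS) -> List[Tuple[str, str]]:
    """Return (registry key, server) pairs whose server lies outside every allowed network.
    A server string that is not a valid IP address is reported as well: a resolver you
    cannot identify is itself a finding, not something to skip silently."""
    findings: List[Tuple[str, str]] = []
    for key, servers in parse_nameservers(log_text).items():
        for server in servers:
            try:
                addr = ip_address(server)
            except ValueError:
                findings.append((key, server))
                continue
            if not any(addr in net for net in allowed):
                findings.append((key, server))
    return findings


def orphan_entries(log_text: str) -> List[str]:
    """O2 (BHO) and O3 (toolbar) entries whose DLL no longer exists; HijackThis prints
    '(no file)' for these. They are leftovers of an earlier removal and should be cleared
    along with everything else, so a report lists them explicitly."""
    return [
        line.strip()
        for line in log_text.splitlines()
        if line.startswith(("O2 - ", "O3 - ")) and line.rstrip().endswith("(no file)")
    ]


def triage(log_text: str, allowed=EXPECTED_RESOLVERS) -> Dict[str, int]:
    """Summarise the two checks as counts, suitable for a quick pass/fail in a helper's script."""
    return {
        "unexpected_dns": len(unexpected_dns(log_text, allowed)),
        "orphan_entries": len(orphan_entries(log_text)),
    }


if __name__ == "__main__":
    for key, server in unexpected_dns(SAMPLE_LOG):
        print(f"unexpected resolver {server} under {key}")
    for entry in orphan_entries(SAMPLE_LOG):
        print(f"orphan entry: {entry}")
    print(triage(SAMPLE_LOG))
```

Running it against the constructed sample flags the two 85.255.x.x servers under both registry keys that carry them, passes the 192.168.1.1 entry, and lists the two "(no file)" lines. To use it on a real log, paste the HijackThis text in place of SAMPLE_LOG and set EXPECTED_RESOLVERS to the addresses the machine should be using; any O17 line the script reports is a setting to restore, not only a file to delete.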

Solved Re: HOW TO REMOVE W32.TIDSERV VIRUS

Post by Belahzur on Sun Dec 21, 2008 1:23 pm

1. Download this file - [You must be registered and logged in to see this link.]
2. Double-click combofix.exe and follow the prompts, but select NO when asked to install the recovery console.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Solved Re: HOW TO REMOVE W32.TIDSERV VIRUS

Post by jiangyiming on Sun Dec 21, 2008 2:55 pm

I tried to click on ComboFix, but it said (in Chinese) that it was looking for viruses and would automatically remove any it found. Then it found some files, automatically removed them and restarted my computer. No log was given.


Solved Re: HOW TO REMOVE W32.TIDSERV VIRUS

Post by Belahzur on Sun Dec 21, 2008 3:17 pm

Hello.
Is there a log in either of these two places?

C:\combofix.txt
C:\combofix\combofix.txt

If you can find it, post it please.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Solved Re: HOW TO REMOVE W32.TIDSERV VIRUS

Post by jiangyiming on Mon Dec 22, 2008 4:03 pm

The site says the posted message is too big, so I have to post the log separately.
ComboFix 08-12-20.05 - yiming 2008-12-22 23:49:30.4 - NTFSx86

执行位置: c:\tddownload\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\autorun.inf
c:\program files\TENCENT\SSPlus\SAddr.dll
c:\program files\TENCENT\SSPlus\SData.dat
c:\program files\TENCENT\SSPlus\SPlus.dll
c:\program files\TENCENT\SSPlus\stdtbh.dat
C:\resycled
c:\resycled\boot.com
c:\users\yiming\AppData\Local\Microsoft\Windows\Temporary Internet Files\ijjistarter_verinfo.dat
c:\users\yiming\AppData\Local\Microsoft\Windows\Temporary Internet Files\ijjistarter2.exe
c:\users\yiming\AppData\Roaming\.#
c:\windows\system32\drivers\msqpdxnbcbcrrx.sys
c:\windows\system32\msqpdxwqsctmei.dll
D:\Autorun.inf
D:\resycled
d:\resycled\boot.com

.
((((((((((((((((((((((((((((((((((((((( 驱动/服务 )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSQPDXSERV.SYS


((((((((((((((((((((((((( 2008-11-22 至 2008-12-22 的新的档案 )))))))))))))))))))))))))))))))
.

2008-12-22 16:00 . 2008-12-22 16:01 324,127,516 --a------ c:\windows\MEMORY.DMP
2008-12-22 09:06 . 2008-12-22 09:06 d-------- C:\GameGuard
2008-12-21 21:32 . 2008-12-21 21:32 d-------- c:\users\All Users\NexonTW
2008-12-21 21:32 . 2008-12-21 21:32 d-------- c:\programdata\NexonTW
2008-12-21 16:36 . 2008-12-22 15:23 d-------- c:\program files\Gamania
2008-12-21 11:12 . 2008-12-21 11:12 d-------- c:\program files\Trend Micro
2008-12-20 20:55 . 2008-12-20 20:55 d-------- c:\users\yiming\AppData\Roaming\NPLUTO Corporation
2008-12-20 20:27 . 2008-12-21 22:55 d-------- c:\program files\DriftCity
2008-12-20 18:17 . 2008-12-20 18:17 d-------- c:\windows\System32\N360_BACKUP
2008-12-20 17:44 . 2008-12-20 17:44 d-------- c:\users\yiming\AppData\Roaming\Desktopicon
2008-12-20 17:44 . 2008-12-20 17:44 d-------- c:\program files\Unlocker
2008-12-20 13:35 . 2008-12-20 13:35 d-------- c:\program files\Neffy
2008-12-19 21:26 . 2003-07-19 14:17 5,174 --a------ c:\windows\System32\nppt9x.vxd
2008-12-19 21:26 . 2005-01-03 05:43 4,682 --a------ c:\windows\System32\npptNT2.sys
2008-12-19 21:25 . 2008-12-19 21:25 d-------- c:\program files\Common Files\INCA Shared
2008-12-19 21:17 . 2008-12-20 21:51 d--h----- c:\users\yiming\AppData\Roaming\ijjigame
2008-12-19 21:16 . 2008-06-17 19:28 710,064 --a------ c:\windows\System32\ijjiSetup.exe
2008-12-19 21:14 . 2008-12-19 21:14 d-------- c:\program files\NHN USA
2008-12-19 21:14 . 2008-04-23 14:02 157,152 --a------ c:\windows\System32\PubPlugin.dll
2008-12-19 21:14 . 2008-06-11 23:01 58,800 --a------ c:\windows\System32\ijjiPlugin2.dll
2008-12-19 21:11 . 2008-12-19 21:11 d-------- C:\ijji
2008-12-19 17:17 . 2008-12-19 17:17 d-------- c:\program files\Bethesda Softworks
2008-12-19 17:14 . 2008-12-19 17:14 d-------- c:\windows\System32\xlive
2008-12-19 11:16 . 2008-12-19 11:16 192,512 --a------ c:\windows\off-road-uninst.exe
2008-12-19 11:15 . 2008-12-19 13:33 d-------- c:\program files\Acer GameZone Online
2008-12-19 10:31 . 2008-12-19 10:31 d-------- c:\users\All Users\InterAction studios
2008-12-19 10:31 . 2008-12-19 10:31 d-------- c:\programdata\InterAction studios
2008-12-18 13:01 . 2008-12-18 13:01 d-------- c:\program files\Combined Community Codec Pack
2008-12-18 11:29 . 2008-12-18 11:29 d-------- c:\users\yiming\AppData\Roaming\Talkback
2008-12-18 11:29 . 2008-12-18 11:29 25 --a------ c:\windows\cdplayer.ini
2008-12-18 11:29 . 2008-12-18 11:29 0 --a------ c:\windows\nsreg.dat
2008-12-18 11:27 . 2008-12-18 11:27 d-------- c:\program files\Real
2008-12-18 11:27 . 2008-12-18 11:27 d-------- c:\program files\Common Files\xing shared
2008-12-18 11:27 . 2008-12-18 11:27 d-------- c:\program files\Common Files\Real
2008-12-18 08:24 . 2008-12-18 08:24 d-------- c:\users\yiming\AppData\Roaming\GrabPro
2008-12-18 08:10 . 2008-12-21 11:12 d-------- C:\Downloads
2008-12-18 08:08 . 2008-12-21 22:37 d-------- c:\users\yiming\AppData\Roaming\Orbit
2008-12-18 08:08 . 2008-12-21 15:33 d-------- c:\program files\Orbitdownloader
2008-12-17 13:04 . 2008-12-17 13:04 d-------- c:\users\All Users\Electronic Arts
2008-12-17 13:04 . 2008-12-17 13:04 d-------- c:\programdata\Electronic Arts
2008-12-17 08:38 . 2008-12-17 08:38 5,612 --a------ c:\windows\System32\ealregsnapshot1.reg
2008-12-15 14:40 . 2008-12-15 14:40 d-------- c:\users\yiming\AppData\Roaming\QQUpdate
2008-12-15 14:07 . 2008-12-15 14:07 d-------- c:\users\yiming\AppData\Roaming\CyberLink
2008-12-15 10:09 . 2008-12-15 10:09 d--hs---- c:\windows\ftpcache
2008-12-15 09:55 . 2008-12-22 23:42 d-------- C:\TDDOWNLOAD
2008-12-15 09:35 . 2008-12-15 09:35 22,328 --a------ c:\users\yiming\AppData\Roaming\PnkBstrK.sys
2008-12-15 08:25 . 2008-12-04 14:43 34 --a------ c:\windows\System32\readme.bat
2008-12-14 19:38 . 2008-05-27 02:54 81,704 --a------ c:\windows\System32\drivers\WSVD.sys
2008-12-14 19:37 . 2008-12-14 19:37 d-------- C:\EGIS_Drive
2008-12-14 12:53 . 2008-12-14 12:53 d-------- c:\users\yiming\AppData\Roaming\muvee Technologies
2008-12-14 12:49 . 2008-12-14 12:58 d-------- c:\users\All Users\Creative
2008-12-14 12:49 . 2008-12-14 12:58 d-------- c:\programdata\Creative
2008-12-14 12:47 . 2000-05-22 16:58 647,872 --------- c:\windows\System32\Mscomct2.ocx
2008-12-14 12:47 . 2006-10-06 14:17 53,248 --------- c:\windows\Ctregrun.exe
2008-12-14 12:47 . 2003-06-12 23:25 7,062 --a------ c:\windows\System32\audiopid.vxd
2008-12-14 12:44 . 2008-12-14 12:44 d-------- c:\users\yiming\AppData\Roaming\InstallShield
2008-12-14 12:44 . 2008-12-14 12:44 d-------- c:\users\All Users\muvee Technologies
2008-12-14 12:44 . 2008-12-14 12:44 d-------- c:\programdata\muvee Technologies
2008-12-14 12:44 . 2008-12-14 12:44 d-------- c:\program files\muvee Technologies
2008-12-14 12:44 . 2008-12-14 12:44 d-------- c:\program files\Common Files\muvee Technologies
2008-12-14 12:44 . 2006-08-30 07:10 158,456 --------- c:\windows\System32\pxwma.dll
2008-12-14 12:44 . 2006-05-16 11:54 36,864 --a------ c:\windows\System32\Mfc42loc.dll
2008-12-14 12:44 . 2006-08-30 07:10 36,528 --------- c:\windows\System32\drivers\PxHelp20.sys
2008-12-14 12:44 . 2006-08-30 07:10 2,560 --------- c:\windows\System32\drivers\cdralw2k.sys
2008-12-14 12:44 . 2006-08-30 07:10 2,432 --------- c:\windows\System32\drivers\cdr4_xp.sys
2008-12-14 12:43 . 2008-12-14 12:43 d-------- c:\program files\SightSpeed
2008-12-14 12:38 . 2008-12-14 12:52 d-------- c:\users\yiming\AppData\Roaming\Creative
2008-12-14 12:33 . 2008-12-14 12:47 d-------- c:\program files\Creative
2008-12-14 11:20 . 2008-12-14 11:20 d-------- c:\users\All Users\Messenger Plus!
2008-12-14 11:20 . 2008-12-14 11:20 d-------- c:\programdata\Messenger Plus!
2008-12-14 11:14 . 2008-12-14 11:14 d-------- c:\program files\MSXML 4.0
2008-12-14 10:42 . 2008-12-14 10:42 d-------- c:\program files\Messenger Plus! Live
2008-12-14 08:54 . 2008-12-14 08:54 d-------- C:\QQDownload
2008-12-14 08:10 . 2008-12-14 08:10 d-------- c:\users\yiming\Option
2008-12-14 00:35 . 2008-12-16 17:54 d-------- c:\users\yiming\AppData\Roaming\Command & Conquer 3 Tiberium Wars
2008-12-14 00:34 . 2008-12-14 00:34 dr-h----- c:\users\yiming\AppData\Roaming\SecuROM
2008-12-14 00:34 . 2008-12-14 14:37 98,304 --a------ c:\windows\system32CmdLineExt.dll
2008-12-14 00:19 . 2008-10-22 09:22 2,048 --a------ c:\windows\System32\tzres.dll
2008-12-14 00:14 . 2008-11-01 09:21 4,240,384 --a------ c:\windows\System32\GameUXLegacyGDFs.dll
2008-12-14 00:14 . 2008-10-16 10:23 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2008-12-14 00:14 . 2008-10-16 12:47 827,392 --a------ c:\windows\System32\wininet.dll
2008-12-14 00:14 . 2008-06-26 11:29 303,616 --a------ c:\windows\System32\wmpeffects.dll
2008-12-14 00:14 . 2008-11-01 11:44 28,672 --a------ c:\windows\System32\Apphlpdm.dll
2008-12-14 00:12 . 2008-10-29 14:29 2,927,104 --a------ c:\windows\explorer.exe
2008-12-14 00:11 . 2008-12-21 08:40 d-------- c:\program files\Electronic Arts
2008-12-14 00:10 . 2008-09-18 12:54 3,601,976 --a------ c:\windows\System32\ntkrnlpa.exe
2008-12-14 00:10 . 2008-09-18 12:54 3,549,752 --a------ c:\windows\System32\ntoskrnl.exe
2008-12-14 00:10 . 2008-10-21 13:25 1,645,568 --a------ c:\windows\System32\connect.dll
2008-12-14 00:10 . 2008-04-10 13:12 738,304 --a------ c:\windows\System32\inetcomm.dll
2008-12-14 00:09 . 2008-09-10 11:40 1,334,272 --a------ c:\windows\System32\msxml6.dll
2008-12-14 00:02 . 2008-12-14 00:02 d-------- c:\windows\System32\qqedit
2008-12-14 00:02 . 2008-12-14 00:02 d-------- c:\users\yiming\AppData\Roaming\tencent
2008-12-14 00:02 . 2008-12-14 00:04 d-------- c:\users\yiming\AppData\Roaming\QQ
2008-12-14 00:02 . 2008-12-15 14:43 d-------- c:\users\All Users\Tencent
2008-12-14 00:02 . 2008-12-15 14:43 d-------- c:\programdata\Tencent
2008-12-14 00:02 . 2008-12-14 00:02 d-------- c:\program files\Microsoft.NET
2008-12-14 00:01 . 2008-12-14 08:59 d-------- c:\program files\Tencent
2008-12-14 00:00 . 2008-12-14 00:00 dr-h----- C:\MSOCache
2008-12-13 23:58 . 2008-12-13 23:58 d-------- c:\windows\PCHEALTH
2008-12-13 23:58 . 2008-12-14 00:01 d-------- c:\program files\Windows Live Toolbar
2008-12-13 23:58 . 2008-12-13 23:58 d-------- c:\program files\Windows Live Favorites
2008-12-13 23:57 . 2008-12-13 23:58 d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-12-13 23:56 . 2008-12-13 23:56 d-------- c:\users\All Users\WLInstaller
2008-12-13 23:56 . 2008-12-13 23:56 d-------- c:\programdata\WLInstaller
2008-12-13 23:56 . 2008-12-13 23:58 d-------- c:\program files\Windows Live
2008-12-13 23:44 . 2008-12-13 23:44 d----c--- c:\windows\System32\DRVSTORE
2008-12-13 23:44 . 2008-12-13 23:44 d-------- c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-13 23:44 . 2008-12-13 23:44 d-------- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-13 23:44 . 2008-04-17 13:12 107,368 --a------ c:\windows\System32\GEARAspi.dll
2008-12-13 23:44 . 2008-04-17 13:12 15,464 --a------ c:\windows\System32\drivers\GEARAspiWDM.sys
2008-12-13 23:33 . 2008-12-14 08:16 d-------- c:\users\yiming\funshion
2008-12-13 23:33 . 2008-12-13 23:33 d-------- c:\program files\Funshion Online
2008-12-13 23:33 . 2008-04-26 16:26 891,448 --a------ c:\windows\System32\drivers\tcpip.sys.do
2008-12-13 23:33 . 2008-12-22 23:37 28 --a------ c:\windows\funshionplugin2.INI
2008-12-13 23:28 . 2008-12-22 23:47 6,719 --a------ c:\windows\System32\cid_store.dat
2008-12-13 23:28 . 2008-12-22 23:47 26 --a------ c:\windows\System32\xlhcc.dat
2008-12-13 23:25 . 2008-12-13 23:25 d-------- c:\users\All Users\Thunder Network
2008-12-13 23:25 . 2008-12-13 23:25 d-------- c:\programdata\Thunder Network
2008-12-13 23:25 . 2008-12-13 23:25 d-------- c:\program files\Thunder Network
2008-12-13 23:25 . 2008-12-13 23:25 d-------- c:\program files\Common Files\Thunder Network
2008-12-13 23:25 . 2008-12-13 23:25 20 --a------ c:\windows\System32\pub_store.dat
2008-12-13 23:20 . 2008-12-14 00:29 d-------- c:\program files\Norton 360
2008-12-13 23:19 . 2008-12-17 10:38 d-------- c:\program files\Symantec
2008-12-13 23:19 . 2008-12-17 10:38 123,952 --a------ c:\windows\System32\drivers\SYMEVENT.SYS
2008-12-13 23:19 . 2008-12-17 10:38 10,671 --a------ c:\windows\System32\drivers\SYMEVENT.CAT


Solved Re: HOW TO REMOVE W32.TIDSERV VIRUS

Post by jiangyiming on Mon Dec 22, 2008 4:03 pm

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-22 07:23 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-19 03:15 --------- d-----w c:\program files\Common Files\Oberon Media
2008-12-17 00:38 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-15 06:07 --------- d-----w c:\programdata\CyberLink
2008-12-14 04:51 --------- d-----w c:\programdata\Microsoft Help
2008-12-14 03:14 --------- d-----w c:\program files\Microsoft Works
2008-12-13 16:28 --------- d-----w c:\program files\Windows Mail
2008-12-13 15:08 --------- d-----w c:\programdata\McAfee
2008-12-13 15:06 --------- d-----w c:\programdata\SiteAdvisor
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-10-22 03:57 241,152 ----a-w c:\windows\System32\PortableDeviceApi.dll
2008-10-21 05:25 296,960 ----a-w c:\windows\System32\gdi32.dll
2008-09-30 08:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
2008-06-30 05:44 324,976 ----a-w c:\program files\mozilla firefox\components\coFFPlgn.dll
2006-10-11 08:04 61,036 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:04 48,742 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 29,313 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-01 09:43 36,864 ----a-w c:\program files\mozilla firefox\components\NsThunderLoader.dll
2006-10-11 08:05 41,082 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-01 09:43 53,248 ----a-w c:\program files\mozilla firefox\components\ThunderComponent.dll
2006-10-11 08:04 166,510 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}]
2008-12-13 22:44 157168 --a------ c:\programdata\Partner\partner.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ACDC15CD-B675-4C7C-86E9-CA92F2DF2896}]
2008-11-10 16:35 77824 --a------ c:\program files\Thunder Network\GouGouToolbar\GougouToolBarHelper_now.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D5DC8911-DCD3-49CE-AE95-8AD512F2D280}"= "c:\program files\Thunder Network\GouGouToolbar\GougouToolBar.1.0.0.20.(284).dll" [2008-11-12 647168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-30 08:52 121392 --a------ c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acer Empowering Technology Monitor"="c:\program files\Acer\Empowering Technology\SysMonitor.exe" [2008-06-03 319488]
"EmpoweringTechnology"="c:\program files\Acer\Empowering Technology\Framework.Launcher.exe" [2008-06-03 319488]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-07-30 526896]
"PCMMediaSharing"="c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe" [2008-05-21 204908]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-01 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-01 92704]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-12-13 24064]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"stup.exe"="c:\progra~1\TENCENT\SSPlus\Stup.exe" [2008-06-05 79680]
"V0470Mon.exe"="c:\windows\V0470Mon.exe" [2007-04-12 32768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-18 185872]
"Thunder"="c:\program files\Thunder Network\Thunder\Thunder.exe" [2008-12-01 50640]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"RtHDVCpl"="RtHDVCpl.exe" [2008-08-19 c:\windows\RtHDVCpl.exe]
"eRecoveryService"="" [BU]

c:\users\yiming\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
腾讯QQ.lnk - c:\program files\Tencent\QQ\QQ.exe [2008-11-28 2012568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mkdmp3enc"= c:\progra~1\ACERAR~1\ACERVI~1\Kernel\Burner\MKDMP3Enc.ACM
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BkupTray]
--a------ 2008-04-26 12:36 28672 c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Live! Cam Manager]
--------- 2007-05-02 10:30 151552 c:\program files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Funshion]
--a------ 2008-10-30 17:55 2772992 c:\program files\Funshion Online\Funshion\Funshion.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)


Solved Re: HOW TO REMOVE W32.TIDSERV VIRUS

Post by jiangyiming on Mon Dec 22, 2008 4:04 pm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{210B88CA-09E5-47C5-9166-EAF7EC176E4A}"= c:\program files\Acer Arcade Live\Acer Arcade Live Main Page\Acer Arcade Live.exe:Acer Arcade Live
"{1F5328F0-B38B-46C9-96EF-A00B2511E4CA}"= c:\program files\Acer Arcade Live\Acer DV Magician\Acer DV Magician.exe:Acer DV Magician
"{3648DB37-9D68-4487-8EA4-6F59DC548735}"= c:\program files\Acer Arcade Live\Acer SlideShow DVD\Acer SlideShow DVD.exe:Acer SlideShow DVD
"{C7DD2045-E4A7-469F-9C11-D5557951EBF8}"= c:\program files\Acer Arcade Live\Acer VideoMagician\Acer VideoMagician.exe:Acer VideoMagician
"{57C4E51B-D67A-4515-ACFF-15A2E578932A}"= c:\program files\Acer Arcade Live\Acer DVDivine\Acer DVDivine.exe:Acer DVDivine
"{15BE8BF9-609E-4DEA-8996-C2F5E24295B9}"= c:\program files\Acer Arcade Live\Acer HomeMedia\Acer HomeMedia.exe:Acer HomeMedia
"{BE9C810D-606C-44CE-9E78-DD5E4062F1AD}"= c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Acer HomeMedia Connect.exe:Acer HomeMedia Connect
"{07819B53-79A1-48E2-B383-DD0E63D76CFD}"= c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.EXE:Acer HomeMedia Connect Service
"{D4D269EB-1338-47A5-ACBA-DE3ECB184337}"= c:\program files\Acer Arcade Live\Acer HomeMedia Trial Creator\Acer HomeMedia Trial Creator.exe:Acer HomeMedia Trial Creator
"{5B95D59D-B837-42B8-AEEF-4DE3C3A6412D}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe:BackupSvc.exe
"{F355D7D3-8DFC-4488-A983-CA014BD28579}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe:AgentSvc.exe
"{BCEF6C1A-E1DA-4070-AF26-F877DD3B99B7}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe:BackupSvc.exe
"{944E3412-906E-4314-AEC5-A541B54F8EFC}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe:SchedulerSvc.exe
"{C0929984-9130-478C-804C-8FF5F72564C9}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe:AgentSvc.exe
"{E48A1A53-7502-4BC1-A2C2-960C91181268}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe:SchedulerSvc.exe
"{ED2F031F-E2C0-4649-BFB2-83448EF4FA8E}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{222E371C-C824-45B4-A820-AB3D5133B08B}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{0A7F808A-1B92-4A58-BD24-E2F613C129A3}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{32554FE8-B5C0-40F3-9C78-76689BE97B10}"= c:\program files\Electronic Arts\Command & Conquer 3\RetailExe\1.0\cnc3game.dat:Command & Conquer 3 Tiberium Wars
"TCP Query User{EEBFE3E4-0131-429E-B2FB-0104291A25DB}c:\\users\\yiming\\appdata\\local\\temp\\electronicarts_patcher_000.exe"= UDP:c:\users\yiming\appdata\local\temp\electronicarts_patcher_000.exe:electronicarts_patcher_000.exe
"UDP Query User{EA4A0A0C-E6ED-41D8-9A83-F3E13E12C1BB}c:\\users\\yiming\\appdata\\local\\temp\\electronicarts_patcher_000.exe"= TCP:c:\users\yiming\appdata\local\temp\electronicarts_patcher_000.exe:electronicarts_patcher_000.exe
"TCP Query User{F2E2BD23-57B2-4804-92D8-FFB9E758197A}c:\\program files\\funshion online\\funshion\\funshion.exe"= UDP:c:\program files\funshion online\funshion\funshion.exe:Funshion
"UDP Query User{84E5977D-9D00-4D80-880F-E0C534ED7048}c:\\program files\\funshion online\\funshion\\funshion.exe"= TCP:c:\program files\funshion online\funshion\funshion.exe:Funshion
"TCP Query User{BC29CDAE-9ED3-432C-895B-3250918EBE49}c:\\program files\\tencent\\qq\\qq.exe"= UDP:c:\program files\tencent\qq\qq.exe:QQ
"UDP Query User{3194553E-9EED-4B1B-A763-9FBE9AF65BF0}c:\\program files\\tencent\\qq\\qq.exe"= TCP:c:\program files\tencent\qq\qq.exe:QQ
"{87A7DF63-1DA7-4164-ADC8-8A8E165758AD}"= UDP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{11AD08F2-548C-47D6-9B0D-8ED70BF3C0C6}"= TCP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{B73B55AB-0E1A-479D-8746-502B3BFB2905}"= UDP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{7201600B-E442-455B-B671-4CEEE908C6DD}"= TCP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"TCP Query User{250F5BD3-967E-435F-8EE8-8B0314217C72}c:\\users\\yiming\\documents\\cod 5\\rld-cod5\\codwaw.exe"= UDP:c:\users\yiming\documents\cod 5\rld-cod5\codwaw.exe:codwaw.exe
"UDP Query User{A1B5BBED-3400-4C79-A23B-C505DD11F182}c:\\users\\yiming\\documents\\cod 5\\rld-cod5\\codwaw.exe"= TCP:c:\users\yiming\documents\cod 5\rld-cod5\codwaw.exe:codwaw.exe
"TCP Query User{E8C220B9-7EC6-4561-9BD0-6962AC425322}c:\\users\\yiming\\documents\\cod 5\\rld-cod5\\setup\\data\\codwaw.exe"= UDP:c:\users\yiming\documents\cod 5\rld-cod5\setup\data\codwaw.exe:codwaw.exe
"UDP Query User{079381CB-9AE4-4329-BC5D-6CF20E91BAC3}c:\\users\\yiming\\documents\\cod 5\\rld-cod5\\setup\\data\\codwaw.exe"= TCP:c:\users\yiming\documents\cod 5\rld-cod5\setup\data\codwaw.exe:codwaw.exe
"TCP Query User{056D1A8F-5713-42EA-A772-5CA79D433E7B}c:\\program files\\sightspeed\\sightspeed.exe"= UDP:c:\program files\sightspeed\sightspeed.exe:SightSpeed
"UDP Query User{794A9A69-C650-45FE-BCF7-618ED2F28007}c:\\program files\\sightspeed\\sightspeed.exe"= TCP:c:\program files\sightspeed\sightspeed.exe:SightSpeed
"TCP Query User{6FDAD21E-7B8E-4796-BE22-6A67B6F7DB29}c:\\program files\\orbitdownloader\\orbitnet.exe"= UDP:c:\program files\orbitdownloader\orbitnet.exe:P2P service of Orbit Downloader
"UDP Query User{5AE60518-E07A-4453-9DF0-61C85F4045D2}c:\\program files\\orbitdownloader\\orbitnet.exe"= TCP:c:\program files\orbitdownloader\orbitnet.exe:P2P service of Orbit Downloader
"TCP Query User{2F8DAC3B-FA06-47AF-8871-DCA90D92D2E9}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{8326DE75-4E0A-492E-A204-EB9FB0968770}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{DBF954F0-D5B6-46E4-94E0-426DC594109B}c:\\program files\\electronic arts\\command & conquer 3\\retailexe\\1.9\\cnc3game.dat"= UDP:c:\program files\electronic arts\command & conquer 3\retailexe\1.9\cnc3game.dat:Command and Conquer 3 Tiberium Wars?
"UDP Query User{E393D8BF-7D24-455D-9F10-54C0976A6BAF}c:\\program files\\electronic arts\\command & conquer 3\\retailexe\\1.9\\cnc3game.dat"= TCP:c:\program files\electronic arts\command & conquer 3\retailexe\1.9\cnc3game.dat:Command and Conquer 3 Tiberium Wars?
"{5C8CAB65-4800-4091-BFCD-BE19F6633433}"= Disabled:UDP:c:\program files\Thunder Network\Thunder\Program\Thunder5.exe:Thunder
"{C05E454D-F8A3-4A38-8D8D-0B21830E858E}"= Disabled:TCP:c:\program files\Thunder Network\Thunder\Program\Thunder5.exe:Thunder
"{0CF728F8-FEED-4FAD-B2F8-BB1E4DCEC7C1}"= UDP:c:\users\yiming\AppData\Local\Temp\PurpleBean.exe:PurpleBean.exe
"{5859573F-2055-4E4C-8FE5-E5FA1E8A89F7}"= TCP:c:\users\yiming\AppData\Local\Temp\PurpleBean.exe:PurpleBean.exe
"TCP Query User{CEE1D708-E0EA-4BCF-851C-25AFB204754C}c:\\ijji\\english\\u_sf\\soldierfront.exe"= UDP:c:\ijji\english\u_sf\soldierfront.exe:soldierfront
"UDP Query User{851EEEFB-0437-41CE-903B-68661C9BE96C}c:\\ijji\\english\\u_sf\\soldierfront.exe"= TCP:c:\ijji\english\u_sf\soldierfront.exe:soldierfront
"TCP Query User{76D1E84D-E2EC-4689-AA1E-52BD174EBBC7}c:\\program files\\tencent\\qq\\qqupdatecenter.exe"= UDP:c:\program files\tencent\qq\qqupdatecenter.exe:QQUpdate
"UDP Query User{099CB1A2-406A-40AE-9F70-CF396ADDDE55}c:\\program files\\tencent\\qq\\qqupdatecenter.exe"= TCP:c:\program files\tencent\qq\qqupdatecenter.exe:QQUpdate
"TCP Query User{817F71EE-856C-4B40-A8F9-41A6CDC4398A}c:\\ijji\\english\\u_skid.exe"= UDP:c:\ijji\english\u_skid.exe:
"UDP Query User{02249E3E-3F1A-4F72-AFCA-19ECF7DFBA9F}c:\\ijji\\english\\u_skid.exe"= TCP:c:\ijji\english\u_skid.exe:
"TCP Query User{9A8117A3-D2B7-471E-AB40-656562517449}c:\\program files\\driftcity\\driftcity.exe"= UDP:c:\program files\driftcity\driftcity.exe:DriftCity
"UDP Query User{F9286C12-E7E9-429D-8056-8435209BB0DE}c:\\program files\\driftcity\\driftcity.exe"= TCP:c:\program files\driftcity\driftcity.exe:DriftCity
"TCP Query User{1949FB48-0B09-4377-8ACD-A6F5A2B22971}c:\\program files\\gamania\\counter-strike online\\bin\\cstrike-online.exe"= UDP:c:\program files\gamania\counter-strike online\bin\cstrike-online.exe:Counter-Strike Online
"UDP Query User{BCDDACA8-692A-4BF8-AD1F-9B752D8E0275}c:\\program files\\gamania\\counter-strike online\\bin\\cstrike-online.exe"= TCP:c:\program files\gamania\counter-strike online\bin\cstrike-online.exe:Counter-Strike Online
"{B1BC8159-4E39-46CE-B4D5-F9C712EF116A}"= UDP:c:\program files\Gamania\Counter-Strike Online\Bin\NMService.exe:Nexon Messenger Core
"{DF186BA9-7F4B-48C6-86F9-A1A25EFFFECB}"= TCP:c:\program files\Gamania\Counter-Strike Online\Bin\NMService.exe:Nexon Messenger Core
"{D4105FE0-DE6D-4A51-8B3F-4A7CCCC18B86}"= UDP:c:\program files\Gamania\TalesWeaver\InphaseNXD.EXE:Talesweaver InphaseNXD.exe
"{BFF26620-AD1B-4B93-AFA1-EB077466CAAC}"= TCP:c:\program files\Gamania\TalesWeaver\InphaseNXD.EXE:Talesweaver InphaseNXD.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\Acer\\Empowering Technology\\eDataSecurity\\x86\\eDSfsu.exe"= c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSfsu.exe:*:Enabled:eDSfsu
"c:\\Program Files\\Acer\\Empowering Technology\\eDataSecurity\\x86\\encryption.exe"= c:\program files\Acer\Empowering Technology\eDataSecurity\x86\encryption.exe:*:Enabled:encryption
"c:\\Program Files\\Acer\\Empowering Technology\\eDataSecurity\\x86\\decryption.exe"= c:\program files\Acer\Empowering Technology\eDataSecurity\x86\decryption.exe:*:Enabled:decryption
"c:\\Program Files\\Acer\\Empowering Technology\\eDataSecurity\\x86\\eDSMgr.exe"= c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSMgr.exe:*:Enabled:eDSMgr
"c:\\Program Files\\Acer\\Empowering Technology\\eDataSecurity\\x86\\eDStbmngr.exe"= c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDStbmngr.exe:*:Enabled:eDStbmngr
"c:\\Program Files\\Acer\\Empowering Technology\\eDataSecurity\\x64\\eDSfsu.exe"= c:\program files\Acer\Empowering Technology\eDataSecurity\x64\eDSfsu.exe:*:Enabled:eDSfsu
"c:\\Program Files\\Acer\\Empowering Technology\\eDataSecurity\\x64\\encryption.exe"= c:\program files\Acer\Empowering Technology\eDataSecurity\x64\encryption.exe:*:Enabled:encryption
"c:\\Program Files\\Acer\\Empowering Technology\\eDataSecurity\\x64\\decryption.exe"= c:\program files\Acer\Empowering Technology\eDataSecurity\x64\decryption.exe:*:Enabled:decryption
"c:\\Program Files\\Acer\\Empowering Technology\\eDataSecurity\\x64\\eDSMgr.exe"= c:\program files\Acer\Empowering Technology\eDataSecurity\x64\eDSMgr.exe:*:Enabled:eDSMgr
"c:\\Program Files\\Acer\\Empowering Technology\\eDataSecurity\\x64\\eDStbmngr.exe"= c:\program files\Acer\Empowering Technology\eDataSecurity\x64\eDStbmngr.exe:*:Enabled:eDStbmngr
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"= c:\program files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"= c:\program files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit

R1 IDSvix86;Symantec Intrusion Prevention Driver;\??\c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20081220.001\IDSvix86.sys [2008-12-21 270384]
R2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;"c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe" [2008-08-17 269448]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;"c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe" [2008-03-04 16384]
R2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-08-17 24576]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2008-02-19 149352]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-26 45056]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-26 131072]
R3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2008-01-13 23888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-13 99376]
R3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28.sys [2008-08-17 338432]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\Drivers\SYMNDISV.SYS [2008-06-13 41008]
S2 EraserSvc10824;Symantec Eraser Service;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2008-02-19 149352]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-12-13 24064]
S3 Partner Service;Partner Service;"c:\programdata\partner\partner.exe" [2008-12-13 110576]
S3 VF0470Vid;Live! Cam Notebook (VF0470);c:\windows\system32\DRIVERS\V0470Vid.sys [2008-12-14 146368]
S3 WSVD;WSVD;\??\c:\windows\system32\drivers\WSVD.sys [2008-12-14 81704]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b476755-58b8-11db-95cd-806e6f6e6963}]
\shell\AutoRun\command - F:\autorun.exe

*Newly Created Service* - COMHOST
.
计划任务 文件夹 里的内容

2008-12-13 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{65F8A3D2-4C22-4A33-9633-73167EAEEC45} - (no file)


Solved Re: HOW TO REMOVE W32.TIDSERV VIRUS

Post by jiangyiming on Mon Dec 22, 2008 4:04 pm

.
------- 而外的扫描 -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: 1??????? - c:\program files\Thunder Network\Thunder\Program\GetUrl.htm
IE: 1????????2?′? - c:\program files\Thunder Network\Thunder\Program\GetAllUrl.htm
IE: 使用迅雷下载 - c:\program files\Thunder Network\Thunder\Program\GetUrl.htm
IE: 使用迅雷下载全部链接 - c:\program files\Thunder Network\Thunder\Program\GetAllUrl.htm
IE: 添加到QQ表情 - c:\program files\Tencent\QQ\AddEmotion.htm
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\Thunder Network\Thunder\Thunder.exe
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\Thunder Network\Thunder\Thunder.exe -

c:\windows\System32\mfc42.dll - c:\windows\System32\npeUninstLang_nps.xml
c:\windows\System32\npeUninst_nps.xml
c:\windows\System32\npeUninstaller.exe
c:\windows\System32\npesLauncher.exe
c:\windows\System32\nps_jpn.ini
c:\windows\System32\nps_eng.ini
c:\windows\System32\nps_kor.ini
c:\windows\System32\npcopyv.exe
c:\windows\System32\npdownv.exe
c:\windows\System32\nps.ocx
O16 -: {4C68DACE-E6BC-4650-9C7E-D036720CA729}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\nps.inf

c:\windows\Downloaded Program Files\NeffyLauncher.dll - O16 -: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\NeffyLauncher.inf
FF - ProfilePath - c:\users\yiming\AppData\Roaming\Mozilla\Firefox\Profiles\8ycdoo75.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.useragent.contentlocale", "chrome://navigator-region/locale/region.properties");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.tabs.warnOnCloseOther", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.tabs.loadGroup", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.tabs.loadOnNewTab", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.windows.loadOnNewWindow", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.HTMLDocument.open.get", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.Components", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document.get", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.resizable", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.max-connections", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.max-connections-per-server", 8);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.max-persistent-connections-per-server", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.max-persistent-connections-per-proxy", 4);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.accept.default", "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.dns.ipv4OnlyDomains", ".doubleclick.net");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.standard-url.encode-utf8", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.warnAboutImages", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3p", "ffffaaaa");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ime.password.onFocus.dontCare", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ime.password.onBlur.dontCare", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.default_personal_cert", "Select Automatically");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.warn_entering_secure", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.warn_leaving_secure", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.warn_submit_insecure", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.OCSP.enabled", 0);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ui.enable", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.nagTimer.download", 86400);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.nagTimer.restart", 1800);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.url", "chrome://mozapps/locale/extensions/extensions.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.getMoreExtensionsURL", "http://%LOCALE%.add-ons.mozilla.com/%LOCALE%/%APP%/%VERSION%/extensions/");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.getMoreThemesURL", "http://%LOCALE%.add-ons.mozilla.com/%LOCALE%/%APP%/%VERSION%/themes/");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage", "resource:/browserconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.order.Yahoo.1", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.order.Yahoo.2", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.order.Yahoo", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.disable_window_open_feature.location", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.item.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.item.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.item.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.item.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.item.cookies", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.item.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.item.siteprefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.item.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("network.cookie.enableForCurrentSessionOnly", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("alerts.height", 50);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.SignonFileName", "signons.txt");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.warn_entering_secure.show_once", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.warn_leaving_secure.show_once", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.warn_submit_insecure.show_once", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&mozver={moz:version}-{moz:buildid}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&mozver={moz:version}-{moz:buildid}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.EULA.2.accepted", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.EULA.version", 2);
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-22 23:51:08
Windows 6.0.6001 Service Pack 1 NTFS

扫描被隐藏的进程。。。 ...

扫描被隐藏的启动组。。。

扫描被隐藏的文件。。。

扫描完成
被隐藏的档案: 0

**************************************************************************
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'Explorer.exe'(5804)
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
.
完成时间: 2008-12-22 23:52:38
ComboFix-quarantined-files.txt 2008-12-22 15:52:35

Pre-Run: 83,959,959,552 bytes free
Post-Run: 83,926,241,280 bytes free

478 --- E O F --- 2008-12-14 04:53:14


Solved Re: HOW TO REMOVE W32.TIDSERV VIRUS

Post by Belahzur on Mon Dec 22, 2008 4:35 pm

Hello.
Is this a Chinese OS?

Did you install QQ games and QQ products? QQ is sometimes installed by malware, but not always.

If you installed QQ, then no problem.
If you didn't install QQ, then please uninstall it.

Log looks good aside from that; what problems remain?



Solved Re: HOW TO REMOVE W32.TIDSERV VIRUS

Post by jiangyiming on Wed Dec 24, 2008 1:01 am

Hey,
but my anti-virus just found a Backdoor.Tidserv while trying to produce a log using ComboFix.


Solved Re: HOW TO REMOVE W32.TIDSERV VIRUS

Post by Belahzur on Wed Dec 24, 2008 1:18 am

Probably a leftover, please answer my questions.



Solved Re: HOW TO REMOVE W32.TIDSERV VIRUS

Post by jiangyiming on Wed Dec 24, 2008 3:55 pm

This is not a Chinese OS; I just changed the system locale to Chinese so that my system will be able to read Chinese words. Yeah, I installed QQ.


Solved Re: HOW TO REMOVE W32.TIDSERV VIRUS

Post by Belahzur on Wed Dec 24, 2008 4:04 pm

Okay.
Now let's hunt down the leftovers of TDSS.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



Solved Re: HOW TO REMOVE W32.TIDSERV VIRUS

Post by jiangyiming on Thu Dec 25, 2008 8:31 am

Hey, here is the log:

Malwarebytes' Anti-Malware 1.31
Database version: 1543
Windows 6.0.6001 Service Pack 1

12/25/2008 4:27:23 PM
mbam-log-2008-12-25 (16-27-23).txt

Scan type: Quick Scan
Objects scanned: 47004
Time elapsed: 2 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\ProgramData\Partner\partner.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{86676e13-d6d8-4652-9fcf-f2047f1fb000} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\kt_bho.kettlebho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\kt_bho.kettlebho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partner service (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\partner service (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\partner service (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\stup.exe (Adware.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\ProgramData\Partner\partner.dll (Trojan.BHO) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\regxpcom.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\SSPlus\Stup.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\ProgramData\Partner\partner.exe (Trojan.Agent) -> Quarantined and deleted successfully.

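As an added example (not part of the thread, and not Malwarebytes' own code), here is a small Python parser for the MBAM 1.x log format posted above. It turns each detection line into a record, lists the items marked "Delete on reboot" (they are only gone after the restart the instructions ask for, so a follow-up scan should confirm them), and groups the registry detections by the autostart mechanism they used. The sample log is constructed from the entries in the post above; the keyword-based grouping of registry locations is my own assumption about how to classify them.

```python
"""Parse a Malwarebytes' Anti-Malware (MBAM 1.x) text log into records.

Added example for the thread above; not MBAM's own code. Each detection line
has the shape "<location> (<family>) -> <action>." under a section header
that ends in "Infected:".
"""
import re
from collections import Counter

# Constructed sample: a condensed MBAM 1.x log built from the entries posted above.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.31
Database version: 1543

Memory Modules Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\ProgramData\Partner\partner.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\partner service (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\stup.exe (Adware.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\ProgramData\Partner\partner.dll (Trojan.BHO) -> Delete on reboot.
C:\Program Files\Tencent\SSPlus\Stup.exe (Adware.Agent) -> Quarantined and deleted successfully.
"""

# Section headers such as "Registry Keys Infected:" (the summary counts at the
# top of a real log, e.g. "Files Infected: 4", do not end in ":" and are skipped).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# One detection line; the family never contains parentheses, which lets the
# location itself contain "(x86)" without confusing the match.
ENTRY_RE = re.compile(r"^(?P<location>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return a list of dicts with keys section, location, family, action."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        # Lines before the first section, and "(No malicious items detected)".
        if section is None or line.startswith("("):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"section": section, **m.groupdict()})
    return entries


def pending_reboot(entries):
    """Locations MBAM could not remove while they were in use.

    They are only gone after the restart, so a follow-up scan must confirm them.
    """
    return sorted({e["location"] for e in entries
                   if e["action"].startswith("Delete on reboot")})


def classify_persistence(location):
    """Assumed grouping of registry locations by the autostart mechanism used."""
    loc = location.lower()
    if "\\currentversion\\run\\" in loc:
        return "Run key autostart"
    if "\\services\\" in loc:
        return "Windows service"
    if "\\clsid\\" in loc or "browser helper objects" in loc:
        return "COM/BHO registration"
    return "other"


def persistence_summary(entries):
    """Count registry detections per persistence mechanism."""
    counts = Counter(classify_persistence(e["location"]) for e in entries
                     if e["section"].startswith("Registry"))
    return dict(counts)


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(f"{len(found)} detections parsed")
    print("still pending a reboot:", pending_reboot(found))
    print("persistence mechanisms:", persistence_summary(found))
```

Run it on a saved `mbam-log-*.txt` by reading the file into `parse_mbam_log`; anything reported by `pending_reboot` should no longer appear in a rescan after the restart.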

Solved Re: HOW TO REMOVE W32.TIDSERV VIRUS

Post by Belahzur on Thu Dec 25, 2008 11:25 am

Okay, that's cleared some stuff.
What problems remain?





Solved Re: HOW TO REMOVE W32.TIDSERV VIRUS

Post by jiangyiming on Thu Dec 25, 2008 12:33 pm

thx a lot, no more problem, not for now! MERRY CHRISTMAS!!!


Solved Re: HOW TO REMOVE W32.TIDSERV VIRUS

Post by jiangyiming on Fri Dec 26, 2008 12:48 pm

thx a lot, everything seems to be working just fine.


Solved Re: HOW TO REMOVE W32.TIDSERV VIRUS

Post by Doctor Inferno on Sat Jan 24, 2009 10:30 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.



