W32.Tidserv


W32.Tidserv

Post by 10310 on Fri Jan 02, 2009 9:58 pm

I have noticed lately that my computer has been acting up, so I suspected I had a virus or something. My computer was always freezing up on me at random times after I started it up, after which I would need to manually hold down the power button to shut it off. I ran Norton Internet Security 2006 and did a full system scan, and it came up with the W32.Tidserv virus. I've been reading some information about how to remove it, but I can't find any helpful information pertaining to my situation. Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:50:23 PM, on 1/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\713xRMT.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\eMPIA\EM2801\emRemote.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\honestech\TV Plus 3.0\TVR 2.0\scheduleTV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Orbitdownloader\orbitnet.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\DISC\DiscStreamHub.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\NORTON~1\NORTON~1\navw32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\HP_Administrator\Desktop\hijackgpthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdMgr.exe
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SVRemote] c:\Program Files\SVRemote\TVCardRemote.exe
O4 - HKLM\..\Run: [TV Card Remote Control Applet] C:\WINDOWS\713xRMT.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: emRemote.lnk = C:\Program Files\eMPIA\EM2801\emRemote.exe
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O4 - Global Startup: Scheduler for TomMade.lnk = C:\Program Files\honestech\TV Plus 3.0\TVR 2.0\scheduleTV.exe
O4 - Global Startup: ScheduleTV.lnk = C:\Program Files\honestech\honestech TVR\scheduleTV.exe
O8 - Extra context menu item: &Download by Orbit - [You must be registered and logged in to see this link.] Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Google Search - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Grab video by Orbit - [You must be registered and logged in to see this link.] Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &Translate English Word - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Do&wnload selected by Orbit - [You must be registered and logged in to see this link.] Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - [You must be registered and logged in to see this link.] Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Similar Pages - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 13818 bytes

10310
Novice

Posts : 8
Joined : 2009-01-02
Gender : Male
OS : Windows XP Media Center Edition 2005

Re: W32.Tidserv

Post by Belahzur on Fri Jan 02, 2009 10:04 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: W32.Tidserv

Post by 10310 on Fri Jan 02, 2009 10:24 pm

Here's my MBAM log:

Malwarebytes' Anti-Malware 1.31
Database version: 1597
Windows 5.1.2600 Service Pack 2

1/2/2009 4:15:48 PM
mbam-log-2009-01-02 (16-15-48).txt

Scan type: Quick Scan
Objects scanned: 68703
Time elapsed: 4 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\msqpdxxrlbnijw.dll (Trojan.TDSS) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\Components\iamfamous.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\videosoft\Uninstall.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\videosoft\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\msqpdxbqmjcvkq.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\msqpdxddwfyour.sys (Trojan.Agent) -> Quarantined and deleted successfully.

10310
Novice

Posts : 8
Joined : 2009-01-02
Gender : Male
OS : Windows XP Media Center Edition 2005

Re: W32.Tidserv

Post by Belahzur on Fri Jan 02, 2009 10:33 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double-click DDS.scr to run it.
  • When complete, DDS.txt will open.
  • Click No for Optional Scan.
  • Save the report to your Desktop.
  • Copy and paste the report back here.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: W32.Tidserv

Post by 10310 on Fri Jan 02, 2009 10:44 pm

Here is the DDS.txt file:

DDS (Version 1.1.0) - NTFSx86
Run by HP_Administrator at 16:39:20.78 on Fri 01/02/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.308 [GMT -6:00]

AV: Norton Internet Security 2006 *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
FW: Norton Internet Security 2006 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\RMSvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SVRemote\TVCardRemote.exe
C:\WINDOWS\713xRMT.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\eMPIA\EM2801\emRemote.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\honestech\honestech TVR\scheduleTV.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\DISC\DiscStreamHub.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
c:\PROGRA~1\NORTON~1\NORTON~1\navw32.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Page = [You must be registered and logged in to see this link.]
uDefault_Page_URL = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [DISCover] c:\program files\disc\DISCover.exe
mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdMgr.exe
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: []
mRun: [PCDrProfiler]
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SVRemote] c:\program files\svremote\TVCardRemote.exe
mRun: [TV Card Remote Control Applet] c:\windows\713xRMT.exe
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\emremote.lnk - c:\program files\empia\em2801\emRemote.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\extend~1.lnk - c:\windows\ehome\RMSysTry.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\schedu~1.lnk - c:\program files\honestech\tv plus 3.0\tvr 2.0\scheduleTV.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\schedu~2.lnk - c:\program files\honestech\honestech tvr\scheduleTV.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: trymedia.com
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~4\office12\GR99D3~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL

The other half is in the next post.

10310
Novice

Posts : 8
Joined : 2009-01-02
Gender : Male
OS : Windows XP Media Center Edition 2005

Re: W32.Tidserv

Post by 10310 on Fri Jan 02, 2009 10:45 pm

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\yjja29qe.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

============= SERVICES / DRIVERS ===============

R1 SAVRTPEL;SAVRTPEL;\??\c:\program files\norton internet security\norton antivirus\SAVRTPEL.SYS [2005-8-26 53896]
R2 713xTVCard;SAA7130 TV Card;c:\windows\system32\drivers\SAA713x.sys [2008-12-30 276736]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2005-9-17 192112]
R2 ccProxy;Symantec Network Proxy;"c:\program files\common files\symantec shared\ccProxy.exe" [2005-9-17 202352]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSetMgr.exe" [2005-9-17 169584]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;"c:\program files\norton internet security\norton antivirus\navapsvc.exe" [2005-12-30 139888]
R2 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" [2006-6-5 1251720]
R2 WDMTVTuner;Universal WDM TV Tuner;c:\windows\system32\drivers\WDMTuner.sys [2008-12-30 21760]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;"c:\program files\linksys wireless-g usb wireless network monitor\WLService.exe" "WUSB54Gv42.exe" [2008-10-27 53307]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-12-30 99376]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20090102.006\NAVENG.Sys [2009-1-2 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20090102.006\NavEx15.Sys [2009-1-2 876112]
R3 SAVRT;SAVRT;\??\c:\program files\norton internet security\norton antivirus\SAVRT.SYS [2005-8-26 334984]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2008-11-10 42512]
S3 SAVScan;Symantec AVScan;"c:\program files\norton internet security\norton antivirus\SAVScan.exe" [2005-8-26 198368]

=============== Created Last 30 ================

2009-01-02 16:07 --d----- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2009-01-02 16:07 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-02 16:07 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-02 16:06 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-02 16:06 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-02 13:52 192 a------- c:\windows\system32\EDIT.INI
2008-12-31 07:58 --d----- c:\windows\system32\LogFiles
2008-12-30 15:15 286,720 a------- c:\windows\713xRMT.exe
2008-12-30 15:15 --d----- c:\windows\MyInstall
2008-12-30 15:15 420,240 a------- c:\windows\system32\mpg4c32.dll
2008-12-30 15:15 309,616 a------- c:\windows\system32\wmv8dmod.dll
2008-12-30 15:14 276,736 a------- c:\windows\system32\drivers\SAA713x.sys
2008-12-30 15:14 61,440 a------- c:\windows\system32\Prop713x.dll
2008-12-30 15:14 21,760 a------- c:\windows\system32\drivers\WDMTuner.sys
2008-12-30 14:28 255 ---shr-- C:\autorun.inf
2008-12-30 14:19 --d----- c:\program files\directx
2008-12-30 14:19 --d----- c:\program files\honestech
2008-12-30 14:15 --d----- c:\program files\Windows Installer Clean Up
2008-12-30 14:15 --d----- c:\program files\MSECACHE
2008-12-30 14:14 --d----- c:\program files\SVRemote
2008-12-30 14:14 5,504 a------- c:\windows\system32\drivers\MSTEE.sys
2008-12-30 14:14 5,504 a------- c:\windows\system32\dllcache\mstee.sys
2008-12-30 11:30 268 a---h--- C:\sqmdata01.sqm
2008-12-30 11:30 244 a---h--- C:\sqmnoopt01.sqm
2008-12-30 11:22 --d----- c:\program files\EMUSB2.0
2008-12-30 11:22 --d----- c:\program files\eMPIA
2008-12-27 13:48 --d----- c:\documents and settings\hp_administrator\.frugoo_file_store_32
2008-12-24 23:15 --d----- c:\docume~1\hp_adm~1\applic~1\HPQ
2008-12-21 20:11 1,201 a------- c:\windows\Active Setup Log.BAK
2008-12-20 13:44 --d----- c:\program files\Microsoft SQL Server
2008-12-20 13:39 --d----- c:\program files\common files\Merge Modules
2008-12-17 20:13 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-17 20:13 73,728 a------- c:\windows\system32\javacpl.cpl
2008-12-10 22:41 92,160 a------- c:\windows\system32\drivers\mcdbus.sys
2008-12-10 22:41 --d----- c:\program files\MagicDisc
2008-12-10 22:41 --d----- c:\program files\MagicISO
2008-12-06 13:44 --d----- c:\program files\BellCraft.com
2008-12-06 13:11 60,928 a------- c:\windows\system32\ieframe.oca
2008-12-06 12:31 3,440,311 a------- C:\1.swf
2008-12-06 12:31 2,647,516 a------- C:\BME.swf
2008-12-06 12:31 1,923,433 a------- C:\2girls1.swf
2008-12-05 12:43 --d----- C:\temp

==================== Find3M ====================

2008-12-28 11:12 31 a------- c:\documents and settings\hp_administrator\jagex_runescape_preferences.dat
2008-11-30 14:28 112,942 a------- c:\windows\hpoins07.dat
2008-11-10 16:39 240,240 a------- c:\windows\system32\wpcap.dll
2008-11-10 16:39 88,704 a------- c:\windows\system32\packet.dll
2008-11-10 16:39 42,512 a------- c:\windows\system32\drivers\npf.sys
2008-10-27 22:21 2,678 a------- c:\windows\java\packages\data\OB7BBDFF.DAT
2008-10-27 22:21 2,678 a------- c:\windows\java\packages\data\I3XJ9R5V.DAT
2008-10-27 22:21 2,678 a------- c:\windows\java\packages\data\7BXZJ9N5.DAT
2008-10-27 22:21 2,678 a------- c:\windows\java\packages\data\RN3R77FZ.DAT
2006-08-31 19:23 22 a--sh--- c:\windows\sminst\HPCD.SYS

============= FINISH: 16:40:15.85 ===============

10310
Novice
Posts : 8
Joined : 2009-01-02
Gender : Male
OS : Windows XP Media Center Edition 2005
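Helpers read the "Created Last 30" section of a DDS log by hand to spot entries such as the hidden, system-flagged C:\autorun.inf above. As an added example that is not part of this thread, the Python script below parses lines in that format and flags the files a helper would examine first; the sample lines are constructed from the listing above plus an invented entry for the D:\resycled\boot.com path raised later, and the scoring rules are my own heuristics rather than anything DDS or Symantec does.

```python
"""Triage a DDS "Created Last 30" listing (added example; heuristics are my own)."""
import re
from difflib import SequenceMatcher
from pathlib import PureWindowsPath

# Constructed sample in the format 10310 posted; the last line is invented to
# show the D:\resycled\boot.com case raised later in the thread.
SAMPLE_LOG = """\
2008-12-30 15:15 286,720 a------- c:\\windows\\713xRMT.exe
2008-12-30 14:28 255 ---shr-- C:\\autorun.inf
2008-12-30 11:30 268 a---h--- C:\\sqmdata01.sqm
2008-12-06 12:31 3,440,311 a------- C:\\1.swf
2008-12-05 12:43 --d----- C:\\temp
2008-12-30 14:28 4,096 ---shr-- D:\\resycled\\boot.com
"""
# Line shape: date time [size] attrs path; attrs: a=archive d=directory s=system h=hidden r=read-only
LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?:[\d,]+ )?"
                     r"(?P<attrs>[a-z-]{8}) (?P<path>\S.*)$")
REAL_BINS = {"recycler", "recycled", "$recycle.bin"}  # genuine recycle-bin folder names
EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs"}

def parse_created(log_text):
    """One dict per line in the DDS format; any other line is skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"attrs": set(m.group("attrs")) - {"-"},
                            "path": PureWindowsPath(m.group("path"))})
    return entries

def at_root(p):
    """True when p sits directly in a drive root such as C:\\."""
    return p.parent == PureWindowsPath(p.anchor)

def bin_lookalike(name):
    """A folder name close to, but not equal to, a real recycle-bin name."""
    n = name.lower()
    return n not in REAL_BINS and any(
        SequenceMatcher(None, n, b).ratio() >= 0.75 for b in REAL_BINS)

def flag_entries(entries):
    """Return (path, reason) pairs for the files a helper would examine first."""
    findings = []
    for e in entries:
        p, attrs = e["path"], e["attrs"]
        if "d" in attrs:
            continue  # directories are not scored
        if at_root(p):
            if p.name.lower() == "autorun.inf":
                why = "autorun.inf in drive root" + (", hidden+system" if {"s", "h"} <= attrs else "")
            elif attrs & {"s", "h"}:
                why = "hidden/system file in drive root"
            else:
                why = "file in drive root"
            findings.append((str(p), why))
        elif p.suffix.lower() in EXEC_EXT and at_root(p.parent) and bin_lookalike(p.parent.name):
            findings.append((str(p), "executable in a recycle-bin lookalike folder"))
    return findings
```

Run over the full listing above, the drive-root rule picks out exactly the six C:\ files (autorun.inf, the two .sqm files and the three .swf files) that the helper later moves with OTMoveIt.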

Re: W32.Tidserv

Post by Belahzur on Fri Jan 02, 2009 10:57 pm

Hello.

This file:
C:\2girls1.swf

I think I know what it is, and I don't wanna know where you got it, but wherever you did get it, please be careful.
Downloading stuff like that is the best way to get infected.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :processes
    explorer.exe

    :files
    C:\1.swf
    C:\BME.swf
    C:\2girls1.swf
    C:\autorun.inf
    C:\sqmdata01.sqm
    C:\sqmnoopt01.sqm

    :reg

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]



  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: W32.Tidserv

Post by 10310 on Fri Jan 02, 2009 11:14 pm

"This file:
C:\2girls1.swf

I think I know what it is, and I don't wanna know where you got it, but wherever you did get it, please be careful.
Downloading stuff like that is the best way to get infected. "

Lol, I got that video from a website using HTML coding <a href="site.com"></a> and them videos were for a project I was doing in Visual Basic 6. Anyways, here's the log:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\1.swf moved successfully.
C:\BME.swf moved successfully.
C:\2girls1.swf moved successfully.
C:\autorun.inf moved successfully.
C:\sqmdata01.sqm moved successfully.
C:\sqmnoopt01.sqm moved successfully.
========== REGISTRY ==========
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\etilqs_Kdk8mfZi5iblayhxfTYc scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\fla125.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hpodvd09.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\_hphtra07.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF4D9.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF566B.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF56B0.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF63E.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_110.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_6b8.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_b48.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\yjja29qe.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\yjja29qe.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\yjja29qe.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\yjja29qe.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\yjja29qe.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\yjja29qe.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 01022009_170418

Files moved on Reboot...
File C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\etilqs_Kdk8mfZi5iblayhxfTYc not found!
File C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\fla125.tmp not found!
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hpodvd09.log moved successfully.
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\_hphtra07.log moved successfully.
File C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF4D9.tmp not found!
File C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF566B.tmp not found!
File C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF56B0.tmp not found!
File C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF63E.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_110.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_6b8.dat not found!
C:\WINDOWS\temp\Perflib_Perfdata_b48.dat moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\yjja29qe.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\yjja29qe.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\yjja29qe.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\yjja29qe.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\yjja29qe.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\yjja29qe.default\XUL.mfl moved successfully.


Re: W32.Tidserv

Post by Belahzur on Fri Jan 02, 2009 11:19 pm

Looks good now, what problems remain?


Re: W32.Tidserv

Post by 10310 on Fri Jan 02, 2009 11:23 pm

I don't know, let me do a full scan real quick.


Re: W32.Tidserv

Post by 10310 on Sat Jan 03, 2009 12:17 am

I have one virus left and it is the Packed.Generic.200 virus. It's located in D:\resycled\boot.com. My D drive is my backup portion for my Windows operating system just to let you know. So is there any easy way of removing that one?


Re: W32.Tidserv

Post by Belahzur on Sat Jan 03, 2009 12:22 am

Hello.
Is D:\ an external drive or another partition on this HD?

If it's external, plug it in now, we're gonna use OTMoveIt again.


  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :processes
    explorer.exe

    :files
    D:\resycled
    D:\autorun.inf

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]



  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


Re: W32.Tidserv

Post by 10310 on Sat Jan 03, 2009 12:40 am

I believe it's a portion of my hard drive because I took apart my computer and only saw one hard drive.


Re: W32.Tidserv

Post by Belahzur on Sat Jan 03, 2009 12:44 am

Okay, please run the new OTMoveIt script anyway.


Re: W32.Tidserv

Post by Doctor Inferno on Sat Feb 21, 2009 9:55 am

Due to lack of feedback, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator

Posts : 12017
Joined : 2007-12-26
Gender : Male
OS : Windows 7 Home Premium and Ultimate X64