Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virus/Malware infections backdoor.Tidserv.I!inf , Murlo , GASF etc


  • This topic is locked This topic is locked
6 replies to this topic

#1 EdEd

EdEd

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:13 PM

Posted 02 September 2010 - 03:14 PM

Hello
Would be grateful for help in removing viruses/malware from my PC.
Approx. 1 week before I changed from norton internet security 2009 to 2010 I received a number of popup adverts, didn't think much about it at the time, I just deleted quickly, however as I look back now I realise I fell for a Microsoft window claiming virus infection etc I downloaded the exe. file but did not open the file once downloaded which is when I woke up and realised it was not from Microsofts website I deleted the file from my computer (sorry did not take down the name), I do not know if downloading the exe file would infect my pc as I did not open it, but assume backdoor.Tidserv.I!inf coursed the popups in the 1st place.

On installing Norton internet security 2010 the Sonar protection detected backdoor.tidserv.I!inf and asked for manual removal, which did not work, looked on their site and it said to disable restore points and manual remove in safe mode which again did not work. In Norton security history noticed Norton was blocking loads of attacks at medium severity, a few every minute when online, so googled how to remove this from my PC. Don't get angry with me PC helpers but I ran Combofix (now see it is advised not to do so without expert help), + Malwarebytes. But anyway this has greatly reduced attack rate but when I start my PC up am still getting around 7 medium level notices from Norton 3 various descriptions 'Unauthorized access blocked (open process Token) and (access process data) and (Duplicate object)' . When online I get the odd 1 or 2 medium level notices, an additional norton message to above 'Unauthorized access blocked (send terminate message to window).

Have also run Spywaredoctor which has dected Murlo,
And Stopzilla! has detected the following:
'Rogue' internetSecurity2010 file location rnpatch70.exe$$rnpatch70.exe AND internetSecurity2010 file rnpatch72.exe$$rnpatch72.exe (don't know if these are to do with the fact that norton was also running).
'Trojan' GASF , location c:\system volume information\_restore{d8696f73-2d76-412a-a981-4300c43ef86f}\rp10\a0003086.exe
'Trojan' W32.RemoteHack12 (x10 times connected with basically same document)
'Trojan' Gen Downloader.1 , location c:\documents and settings\hp_owner\desktop\20100819-019-v5i32.exe
'Spyware' lpv4mons located registry key hklm\software\Windows\CurrentVersion\controlPanel\load
'Hijacker' System Policies.DisableRegistryTools
'Adware' Cognac , location c:\system volume information\_restore{d8696f73-2d76-412a-a981-4300c43ef86f}\rp10\a0003082.exe
As I do not have a licence for these 2 anitvirus programs have not removed them.

Thank you any help you can give, have attached log files.
Ed


DDS (Ver_10-03-17.01) - NTFSx86
Run by HP_Owner at 22:02:21.23 on 27/08/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1022.495 [GMT 1:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.ebay.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q305&bd=pavilion&pf=desktop
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.7.0.12\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [nwiz] "nwiz.exe" /installquiet /keeploaded /nodetect
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HPHUPD06] "c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe"
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [DSLAGENTEXE] "c:\program files\voyager 105 adsl modem\dslagent.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkvmon~1.lnk - c:\program files\nikon\nkview6\NkvMon.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - hxxps://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.astonmartin.com/configurator/db9volante_load.html
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {265D1C3F-3D2E-4D6E-8B18-7385CA687F03} - hxxp://www.the-saleroom.com/LiveAuctions/ActiveX/uSaleRoomParamsProj.cab
DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - hxxp://download.ebay.com/turbo_lister/UK/install.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130933371468
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130933726359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1107000.00c\symds.sys [2010-8-17 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1107000.00c\symefa.sys [2010-8-17 173104]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2010-2-24 173328]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\bashdefs\20100810.004\BHDrvx86.sys [2010-8-19 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1107000.00c\cchpx86.sys [2010-8-17 501888]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1107000.00c\ironx86.sys [2010-8-17 116784]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.7.0.12\ccsvchst.exe [2010-8-17 126392]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-8-17 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\ipsdefs\20100826.001\IDSXpx86.sys [2010-8-27 331640]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\virusdefs\20100826.048\NAVENG.SYS [2010-8-27 85424]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\virusdefs\20100826.048\NAVEX15.SYS [2010-8-27 1362608]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-11-22 30192]

=============== Created Last 30 ================

2010-08-27 20:50:17 1064 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-08-27 20:42:09 0 ----a-w- c:\documents and settings\hp_owner\defogger_reenable
2010-08-27 15:45:41 16384 ---ha-w- C:\SZKGFS.dat
2010-08-27 15:42:08 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-08-27 15:41:24 0 d-----w- c:\program files\STOPzilla!
2010-08-27 15:41:24 0 d-----w- c:\program files\common files\iS3
2010-08-27 15:41:23 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-08-26 21:32:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-26 21:32:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-26 21:32:03 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-25 00:49:00 0 d-----w- c:\program files\Murlo Trojan Removal Tool
2010-08-24 21:52:37 0 d-----w- c:\program files\common files\PC Tools
2010-08-24 09:30:25 0 d-----w- c:\windows\system32\NtmsData
2010-08-23 15:08:37 0 d-----w- c:\program files\CCleaner
2010-08-23 15:05:41 0 d-----w- c:\program files\Defraggler
2010-08-22 20:01:24 0 d-----w- c:\docume~1\hp_owner\applic~1\SUPERAntiSpyware.com
2010-08-22 20:01:24 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-08-22 20:00:52 0 d-----w- c:\program files\SUPERAntiSpyware
2010-08-21 00:40:36 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-08-20 21:39:11 0 d-----w- c:\docume~1\hp_owner\applic~1\Malwarebytes
2010-08-20 21:38:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-20 21:12:41 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-08-20 21:12:41 0 d-----w- c:\documents and settings\hp_owner\log
2010-08-20 17:58:45 0 d-----w- c:\docume~1\hp_owner\applic~1\Tific
2010-08-18 23:26:00 0 d-----w- c:\docume~1\hp_owner\applic~1\Uniblue
2010-08-18 23:25:43 0 d-----w- c:\program files\Uniblue
2010-08-17 11:22:42 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-08-17 11:22:42 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-08-17 11:22:41 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-08-17 11:22:41 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-08-17 11:22:41 0 d-----w- c:\program files\Symantec
2010-08-17 11:21:47 0 d-----w- c:\windows\system32\drivers\NIS
2010-08-17 11:21:44 0 d-----w- c:\program files\Norton Internet Security
2010-08-17 11:21:30 0 d-----w- c:\program files\NortonInstaller
2010-08-12 23:05:39 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-12 22:49:47 0 d-----w- c:\docume~1\hp_owner\applic~1\CB7FCC6644A742AF385A36B3F0C2E53E

==================== Find3M ====================

2010-08-27 13:57:43 910 ----a-w- c:\docume~1\hp_owner\applic~1\wklnhst.dat
2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
2010-06-24 16:51:58 11077120 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\dllcache\wininet.dll
2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-06-24 12:22:02 1210368 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2010-06-24 12:22:01 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll
2010-06-24 12:22:01 5951488 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2010-06-24 12:22:01 206848 ----a-w- c:\windows\system32\dllcache\occache.dll
2010-06-24 12:21:59 599040 ----a-w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-24 12:21:59 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-24 12:21:59 25600 ----a-w- c:\windows\system32\dllcache\jsproxy.dll
2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-24 12:21:58 1986560 ----a-w- c:\windows\system32\dllcache\iertutil.dll
2010-06-24 12:21:58 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll
2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-24 12:21:55 387584 ----a-w- c:\windows\system32\dllcache\iedkcs32.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
2010-06-23 12:08:09 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys
2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-14 07:41:45 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2009-12-29 03:00:22 338 ----a-w- c:\program files\country.ini
2009-12-29 03:00:22 2208 ----a-w- c:\program files\printhse.ini
2009-12-29 02:59:59 1253 ----a-w- c:\program files\CorelApp.ini
2009-11-21 01:55:20 1996 ----a-w- c:\program files\photohse.ini
2009-06-24 09:31:11 2449 ----a-w- c:\program files\corelprn.ini
2008-01-16 11:54:20 100259 ---ha-w- c:\program files\photohse.GID
2007-01-08 11:18:10 148564 ---ha-w- c:\program files\Printhse.GID
2005-11-07 19:25:16 713 ------w- c:\program files\BOX.REG
2005-11-07 19:25:16 2860 ------w- c:\program files\PHOTOHSE.REG
2005-11-07 19:25:15 832 ------w- c:\program files\PRINTHSE.REG
2001-03-28 12:02:58 122880 ----a-w- c:\windows\inf\agfa\message.exe
1999-01-18 23:58:16 27031 ------w- c:\program files\BOX.ID
1999-01-11 00:51:34 406231 ------w- c:\program files\Techsupp.hlp
1999-01-11 00:51:32 2888 ------w- c:\program files\Techsupp.cnt
1998-12-10 21:33:48 6538752 ------w- c:\program files\photohse.exe
1998-12-10 16:34:26 1863168 ------w- c:\program files\photoint.dll
1998-12-08 23:06:30 6975488 ------w- c:\program files\Printhse.exe
1998-12-07 21:16:02 16459 ------w- c:\program files\Readme.hlp
1998-12-07 02:11:44 42711 ------w- c:\program files\Search.lst
1998-12-07 02:11:44 121142 ------w- c:\program files\Search.idx
1998-12-01 23:55:28 834701 ------w- c:\program files\printhse.hlp
1998-12-01 18:16:06 2228736 ------w- c:\program files\phintl.dll
1998-11-30 01:59:24 421888 ------w- c:\program files\PrintWiz.exe
1998-11-30 01:50:14 1118132 ------w- c:\program files\PHOTOHSE.HLP
1998-11-29 11:37:48 6144 ------w- c:\program files\plgt3280.dll
1998-11-29 10:45:42 990720 ------w- c:\program files\Crlui80.dll
1998-11-29 10:38:42 571392 ------w- c:\program files\Crlctl80.dll
1998-11-18 23:44:42 27421 ------w- c:\program files\printhse.cnt
1998-11-12 02:07:54 1031 ------w- c:\program files\Readme.cnt
1998-11-12 02:04:46 18336 ------w- c:\program files\photohse.cnt
1998-10-27 11:20:14 20204 ------w- c:\program files\PLGT1680.DLL
1998-10-13 01:41:42 14045 ------w- c:\program files\filters.ini
1998-10-13 01:40:50 440 ------w- c:\program files\corelflt.ini
1998-10-08 18:48:48 17920 ------w- c:\program files\OFFICONS.DLL
1998-08-27 03:05:08 77824 ------w- c:\program files\WTUI80EN.dll
1998-08-10 22:28:54 171008 ------w- c:\program files\WTLD80XX.dll
1998-08-10 22:28:50 65024 ------w- c:\program files\WTCB80EN.dll
1998-08-10 22:27:42 568832 ------w- c:\program files\WTLD80EN.dll
1998-08-10 22:24:36 505344 ------w- c:\program files\WTLI80.dll
1998-07-27 02:02:36 123 ------w- c:\program files\photowi.reg
1998-07-27 02:02:26 124 ------w- c:\program files\photoccx.reg
1998-06-09 15:02:10 175104 ------w- c:\program files\IeJpeg70.dll
1998-05-31 20:26:38 79 ------w- c:\program files\House.url
1997-11-19 01:58:30 61952 ------w- c:\program files\comreg.exe
1997-11-07 02:02:16 121856 ------w- c:\program files\cdrcpr80.dll
1997-11-01 03:25:34 244224 ------w- c:\program files\swi32.dll
1997-10-24 06:10:08 141824 ------w- c:\program files\Fn3api.dll
1997-09-18 02:17:08 212480 ------w- c:\program files\pcdlib32.dll
1997-08-20 01:35:40 126 ------w- c:\program files\phototif.reg
1997-08-20 01:35:34 118 ------w- c:\program files\photopng.reg
1997-08-20 01:35:30 124 ------w- c:\program files\photopcx.reg
1997-08-20 01:35:24 126 ------w- c:\program files\photopcd.reg
1997-08-20 01:35:20 122 ------w- c:\program files\photojpg.reg
1997-08-20 01:35:16 126 ------w- c:\program files\photogif.reg
1997-08-20 01:35:12 116 ------w- c:\program files\photofpx.reg
1997-08-20 01:35:06 116 ------w- c:\program files\photobmp.reg
1997-08-12 00:20:10 332288 ------w- c:\program files\FPXLIB.DLL
1997-08-12 00:16:54 122880 ------w- c:\program files\JPEGLIB.DLL
1997-04-24 16:47:00 141312 ------w- c:\program files\cdrpng70.cmp
1996-09-25 18:16:56 48128 ------w- c:\program files\Kpsys32.dll
1995-10-30 00:19:42 37888 ------w- c:\program files\Icccodes.dll
2005-12-15 12:04:55 22 --sha-w- c:\windows\sminst\HPCD.sys

============= FINISH: 22:03:03.92 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:13 PM

Posted 11 September 2010 - 06:59 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    user32.dll
    ws2_32.dll
    /md5stop
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.


In your reply, please post both OTL logs


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#3 EdEd

EdEd
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:13 PM

Posted 14 September 2010 - 08:28 AM

Hello
Thank you for your reply, Current status is as above, I do not know if what I did removed backdoor.Tidserv.I!inf, in addition - Norton internet security 2010 recent updates may have removed it but I still have this virus in my history of unresolved security risks. Still getting the few medium Norton level attacks in my recent history as dscribed above.
Please find attached the 2 OTL logs a requested.
Thank you Ed

Attached Files



#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:13 PM

Posted 14 September 2010 - 05:47 PM

Hello, EdEd.
Tidserv is a backdoor rootkit.

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.




Registry Cleaner Warning


I also see that you have a Ccleaner installed. It is a great tool that I use. However, be careful of the registry cleaning functionality (versus file cleaning), Here at BC, we do not recommend using registry cleaners as they don't speed up your computer and they can do more harm than good if they remove a legitimate entry. If you do use it, make sure to use a tool like ERUNT to back up your registry first. Merely backing it up yourself via regedit wont' help you if you can't boot up as a result!

See here for more information:
http://www.bleepingcomputer.com/forums/ind...p;#entry1326578


Viewpoint (foistware) Warning"

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

http://www.clickz.com/clickz/news/1714488/viewpoint-plunge-into-adware

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.



Trusted Zone Warning

Having trusted sites may not be a good idea. The reason why I say it's not a good idea is because the security settings for the internet is not extremely high and once you put a site in your trusted zone, basically almost anymore or thing, including hackers or other malicious software have full access to that site which can lead to hijacking that site and may even have access to your computer. Are you sure you trust a site to that degree?

It is recommended NOT to have ANY sites in your Trusted Zone unless the site requires it to function properly and you trust it very well. Other than that, it is not necessary for you to add any sites into the trusted zone. If you're not sure, and/or you do not need these in your trusted zone to facilitate access or you did not knowingly permit this access yourself, then please remove those sites from your trusted zone.

They can be accessed in Internet Explorer via Tools>>Internet Options>>Security>>Trusted Zone>>Sites. Remove if there are any there.



Step 1


I see you have Stopzilla installed. This is of debatable quality; see Web of Trust here:
http://www.mywot.com/en/scorecard/stopzilla.com

I recommend you uninstall it.



Step 2


Please post C:\Combofix.txt



Step 3

Scan With RKUnHooker
  • Please Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

QUOTE
"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"




Step 4

Please download MBRCheck by ad_13 and save it to your desktop.

Double-click to run. A window will pop up. If it says 'non-standard' or 'infected' MBR code detected, please type 3 for Exit for now and press Enter.

It will save a logfile on your desktop that starts with MBR, then has the date, etc. Please copy and paste the contents of that log in your reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#5 EdEd

EdEd
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:13 PM

Posted 16 September 2010 - 10:08 AM

Hello
When you say reformat and reinstall of the OS, I assume that is returning my computer to it's 'as bought' state using the system recovery section of my hard drive, is that correct? if so I think I will use that method if it will give the best clean result. Is there anything I should know before I go ahead, I have got my HP basic instructions for carrying that out. I see alternatively you say running various virus detection softwares etc would not guarantee that it will be 100% secure afterwards, does full system recovery give a 100% secure result, I guess there is risk from reinstalling my document files (which I need to do), please advise
On a minor point just wondered if there is anyway I can backup my Favourites list in explorer.
I would appreciate any other advise before I carry out the system recovery, not sure if it's age being from 2005 would course any problems when it comes to software updates.

Thank you
Ed

#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:13 PM

Posted 16 September 2010 - 06:32 PM

Yes, reimaging from the recovery partition counts as a reinstall of the OS. Backup your files first. To minimize chance of reinfection, don't back up windows system files (*.SYS, *.DLL, or anything in C:\windows) and don't' back up programs (*.EXE, *.PIF, *.SCR, *.COM, *.BAT, etc.). Reinstall programs from scratch. Only backup documents & media, the rest can be replaced. When you put them on a backup media (e.g. external HD), make sure to hold down SHIFT before, during and after plugging it in to a clean computer until Windows tells you your hardware is installed and ready to use. That will disable autorun and minimize any malware jumping over to the clean computer. Then, update your antivirus and scan the external drive; then update and scan it with MBAM or SAS as well.

The age shouldn't matter, except you would need a lot of updates from Windows Update, so make sure to do that. If the restore doesn't have secuirty software, don't forget to install 1 antivirus (Avast or AntiVir are good free ones), 1 antispyware (MBAM or SAS) and enable the firewall or use a third party one before doing much on the clean install.

Now...you can never be 100% sure any computer is safe. What if a developer wrote a virus so good it didn't impact system performance and wasn't detectable? Would you ever know? Would we? So, the second you plug that computer into the internet, it could be infected and that's a risk we all take by accessing the internet. I can guarantee you that you would start from a secure state.

By backing up your favorites list, do you mean in Internet Explorer? You can import/export favorites. See here:
http://www.ehow.com/how_4481107_back-up-fa...t-explorer.html

Here's some reading for other questions you may have about reformating and security.


Here's a good article on how to reformat:
When Should I Format, How Should I Reinstall

Also, to protect yourself against malware and reduce your chance of reinfection in the future, I strongly recommend to have a look at following links (giving some advice and tips):


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#7 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:13 PM

Posted 21 September 2010 - 06:36 PM

Since this issue appears to be resolved ... this Topic has been closed.

If you are the topic starter, and need this topic reopened, please contact me via PM with the address of this thread.

Everyone else please begin a new topic.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users