
Backdoor.Tidserv.I!inf infection



Hello, I have a Dell Latitude D820 that Norton 360 has identified the Backdoor.Tidserv.I!inf virus on and has said that it requires manual removal. I have tried using Norton in safe mode as well and it is still unable to remove it. I have used the suggestions on the Norton website also and turned off system restore and again tried to remove it with no help. I have attempted to do the recommended procedures for posting on this site. Malwarebytes does not find any infected files. Ran DDS with no problem.

However, when attempting to run GMER, every time shortly after starting the scan two copies of ccSvcHst.exe (one for System and one for the current user) begin taking up 100% of the CPU usage, which prevents the scan from completing (sometimes crashes, once a blue screen, sometimes the save button does not appear, etc.). These processes can't be stopped (Access is Denied). When trying to run the GMER scan in safe mode, it will scan, but due to the screen resolution the save button cannot be seen, and no amount of resizing or repositioning allows it to be seen. The screen resolution option does not appear to be available in safe mode. When examining the start-up programs, there are two that cannot be removed: NvCpl and ctfmon. They cannot even be removed in safe mode, as it states that you must be logged in as an admin even if logged in as an admin.

I have tried to use the Norton Bootable Recovery Tool for Norton 360, but am given an error that Windows failed to start because file (\windows\system32\boot\winload.exe) with status (0xc0000001) was missing or corrupt; after pressing Enter it then says file (\Boot\BCD) status (0xc0000001) had an error while trying to read the boot configuration data. After hitting Enter again it just attempts to reboot. It tells you to use the repair settings on the Windows install disk. When selecting the R, it then just proceeds to load Windows normally.

We would just wipe the thing and start over except there is a piece of software that was a nightmare to install (due to it being a piece of crap) that has a large amount of important data on it that we need access to, so we are hoping to find a way to recover this. Does anyone have any suggestions? Thanks in advance...



Hello,

And :( My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the otlDesktopIcon.png icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop

  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop

Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning; it is ok, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

-------------------------------------------------------------

In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.


Hello Elise, thanks so much for your help. I have performed the suggested scans and have pasted the results below. The scan from Norton 360 is saying that two files (and one browser cache) are being affected, both of which are in the location C:\system volume information\_restore (system restore is currently turned off). Previous scans by Norton had said only one file was affected, which was a different file, which I discarded. The results of the scans are:

OTL

OTL logfile created on: 10/5/2010 3:55:28 PM - Run 1

OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\Sybil\Desktop\virus logs

Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2180)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 477.00 Mb Available Physical Memory | 47.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 83.00% Paging File free

Paging file location(s): c:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 74.46 Gb Total Space | 55.30 Gb Free Space | 74.27% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

Drive E: | 1.96 Gb Total Space | 0.66 Gb Free Space | 33.46% Space Free | Partition Type: FAT

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: SYBIL

Current User Name: Sybil

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 90 Days

Output = Standard

Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/10/05 11:32:22 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sybil\Desktop\virus logs\OTL.exe

PRC - [2010/08/05 15:36:54 | 003,467,096 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360.exe

PRC - [2010/06/11 18:14:24 | 001,280,344 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360tray.exe

PRC - [2010/06/11 18:14:22 | 000,312,152 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360srv.exe

PRC - [2010/01/26 18:49:33 | 000,117,640 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe

PRC - [2009/12/04 16:16:40 | 000,103,280 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe

PRC - [2009/08/24 18:49:41 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe

PRC - [2007/07/02 13:29:22 | 000,159,744 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe

PRC - [2007/06/06 16:44:44 | 000,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe

PRC - [2007/05/22 14:18:56 | 000,050,736 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe

PRC - [2006/09/08 15:10:22 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe

PRC - [2006/06/29 14:12:34 | 000,376,832 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe

PRC - [2006/05/15 21:19:00 | 000,315,392 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\common\DataServer.exe

PRC - [2006/03/24 18:30:44 | 000,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe

PRC - [2005/12/28 14:04:56 | 000,262,217 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe

PRC - [2005/12/28 13:47:10 | 000,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

PRC - [2005/12/28 13:45:02 | 000,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

PRC - [2005/12/28 13:44:24 | 000,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

PRC - [2004/08/04 06:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

========== Modules (SafeList) ==========

MOD - [2010/10/05 11:32:22 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sybil\Desktop\virus logs\OTL.exe

MOD - [2010/07/30 10:18:26 | 000,232,960 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360mon.dll

MOD - [2010/01/26 18:49:02 | 000,419,696 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\3.8.0.41\asOEHook.dll

MOD - [2004/08/04 06:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - [2010/06/11 18:14:22 | 000,312,152 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files\IObit\IObit Security 360\is360srv.exe -- (IS360service)

SRV - [2010/01/26 18:49:33 | 000,117,640 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe -- (N360)

SRV - [2009/12/04 16:16:40 | 000,103,280 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe -- (Norton PC Checkup Application Launcher)

SRV - [2009/08/24 18:49:41 | 000,126,392 | R--- | M] (Symantec Corporation) [unknown | Running] -- C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe -- (PCCUJobMgr)

SRV - [2007/08/09 03:27:52 | 000,073,728 | ---- | M] (HP) [Auto | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)

SRV - [2007/03/01 07:04:58 | 000,020,480 | ---- | M] (Intuit) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)

SRV - [2006/11/09 19:30:14 | 000,065,536 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)

SRV - [2006/06/29 14:12:34 | 000,376,832 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC)

SRV - [2006/06/12 12:01:14 | 000,180,224 | ---- | M] () [Auto | Stopped] -- C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe -- (tcsd_win32.exe)

SRV - [2006/05/15 21:19:00 | 000,315,392 | ---- | M] (Wave Systems Corp.) [Auto | Running] -- C:\Program Files\Wave Systems Corp\Common\DataServer.exe -- (DataSvr2)

SRV - [2005/12/28 14:04:56 | 000,262,217 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER) Intel®

SRV - [2005/12/28 13:47:10 | 000,540,745 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®

SRV - [2005/12/28 13:45:02 | 000,114,753 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®

SRV - [2005/12/28 13:44:24 | 000,217,164 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®

SRV - [2005/08/30 19:36:00 | 000,188,416 | ---- | M] (Cambridge Silicon Radio) [Disabled | Stopped] -- C:\Program Files\BlueTooth\HidSwitchService\HidSw.exe -- (Bluetooth Hid Switch Service)

SRV - [2002/04/11 20:00:00 | 000,057,344 | ---- | M] (brother Industries Ltd) [Disabled | Stopped] -- C:\WINDOWS\system32\brsvc01a.exe -- (Brother XP spl Service)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\PalmUSBD.sys -- (PalmUSBD)

DRV - File not found [File_System | Boot | Stopped] -- C:\WINDOWS\System32\drivers\klmdb.sys -- (klmdb)

DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\tsk72D.tmp -- (AFD)

DRV - [2010/09/28 04:00:00 | 001,371,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100928.056\NAVEX15.SYS -- (NAVEX15)

DRV - [2010/09/28 04:00:00 | 000,086,064 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100928.056\NAVENG.SYS -- (NAVENG)

DRV - [2010/09/02 17:49:06 | 000,013,312 | ---- | M] (June Fabrics Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pneteth.sys -- (pneteth)

DRV - [2010/08/04 19:02:44 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)

DRV - [2010/08/04 19:02:44 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)

DRV - [2010/05/28 15:33:19 | 000,331,640 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100928.001\IDSXpx86.sys -- (IDSxpx86)

DRV - [2010/01/26 18:49:47 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)

DRV - [2010/01/26 18:49:40 | 000,217,136 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMTDI.SYS -- (SYMTDI)

DRV - [2010/01/26 18:49:39 | 000,310,320 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0308000.029\SYMEFA.SYS -- (SymEFA)

DRV - [2010/01/26 18:49:39 | 000,308,272 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SRTSP.SYS -- (SRTSP)

DRV - [2010/01/26 18:49:39 | 000,089,904 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMFW.SYS -- (SYMFW)

DRV - [2010/01/26 18:49:39 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0308000.029\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)

DRV - [2010/01/26 18:49:39 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIMMP)

DRV - [2010/01/26 18:49:39 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIM)

DRV - [2010/01/26 18:49:39 | 000,036,400 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMNDIS.SYS -- (SYMNDIS)

DRV - [2010/01/26 18:49:39 | 000,033,072 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMIDS.SYS -- (SYMIDS)

DRV - [2010/01/26 18:49:38 | 000,482,432 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\ccHPx86.sys -- (ccHP)

DRV - [2010/01/26 18:49:38 | 000,259,632 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\BHDrvx86.sys -- (BHDrvx86)

DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)

DRV - [2007/06/25 18:53:10 | 000,155,136 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)

DRV - [2006/11/02 07:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)

DRV - [2006/06/13 13:22:58 | 000,111,232 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TosRfbd.sys -- (Tosrfbd)

DRV - [2006/06/09 23:40:00 | 000,040,192 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfusb.sys -- (Tosrfusb)

DRV - [2006/05/29 15:11:20 | 000,060,672 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TosRfhid.sys -- (Tosrfhid)

DRV - [2006/03/24 18:34:30 | 001,156,648 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)

DRV - [2006/01/19 10:14:00 | 003,595,296 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)

DRV - [2006/01/10 13:07:58 | 000,004,864 | ---- | M] (GTek Technologies Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys -- (DSproct)

DRV - [2005/12/28 15:22:08 | 000,013,568 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)

DRV - [2005/12/09 17:35:00 | 000,018,816 | ---- | M] (Dell Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\pbadrv.sys -- (PBADRV)

DRV - [2005/12/05 01:55:30 | 001,428,096 | ---- | M] (Intel


Extras:

OTL Extras logfile created on: 10/5/2010 3:55:28 PM - Run 1

OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\Sybil\Desktop\virus logs

Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2180)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 477.00 Mb Available Physical Memory | 47.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 83.00% Paging File free

Paging file location(s): c:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 74.46 Gb Total Space | 55.30 Gb Free Space | 74.27% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

Drive E: | 1.96 Gb Total Space | 0.66 Gb Free Space | 33.46% Space Free | Partition Type: FAT

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: SYBIL

Current User Name: Sybil

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 90 Days

Output = Standard

Quick Scan

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"D:\SETUP.EXE" = D:\SETUP.EXE:*:Enabled:Setup -- File not found

"C:\Program Files\Intuit\QuickBooks 2007\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2007\QBDBMgrN.exe:*:Enabled:QuickBooks 2007 Data Manager -- (iAnywhere Solutions, Inc.)

"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Development Company, L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Development Company, L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Development Company, L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Development Company, L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)

"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Development Company, L.P.)

"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- (Hewlett-Packard)

"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )

"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Development Company, L.P.)

"C:\Program Files\Yahoo!\Messenger\YPager.exe" = C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger -- File not found

"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- File not found

"C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" = C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Engine -- File not found

"D:\setup\HPZNET01.EXE" = D:\setup\HPZNET01.EXE:*:Enabled:hpznet01.exe -- File not found

"D:\setup\HPONICIFS01.EXE" = D:\setup\HPONICIFS01.EXE:*:Enabled:hponicifs01.exe -- File not found

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{054C3038-FFAC-446D-9682-E25891DC2E05}" = QuickBooks Product Listing Service

"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}" = mSSO

"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data

"{07D618CD-B016-438A-ADC9-A75BD23F85CE}" = Wave Support Software

"{0A65A3BD-54B5-4d0d-B084-7688507813F5}" = SlideShow

"{0B0A2153-58A6-4244-B458-25EDF5FCD809}" = Private Information Manager

"{0BA2A0BA-7F4D-4B7B-AE94-5F0233AC8A5A}" = NTRU Hybrid TSS v2.0.25

"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView

"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA

"{15C0AF59-4877-49B6-B8C6-A61CE54515F5}" = cp_OnlineProjectsConfig

"{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}" = QuickTime

"{2081D245-46EF-40E1-9DBD-17D1B287D85D}" = Clip Art Collection

"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2

"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress

"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe

"{26E1BFB0-E87E-4696-9F89-B467F01F81E5}" = Broadcom Advanced Control Suite

"{2818095F-FB6C-42C8-827E-0A406CC9AFF5}" = Quicken 2006

"{2F58D60D-2BFD-4467-9B4D-64E7355C329D}" = Sonic_PrimoSDK

"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager

"{3248F0A8-6813-11D6-A77B-00B0D0150080}" = J2SE Runtime Environment 5.0 Update 8

"{33BF0960-DBA3-4187-B6CC-C969FCFA2D25}" = SkinsHP1

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{35748B06-FCFC-4700-8285-DAD41689E4FE}" = Broadcom TPM Driver Installer

"{363790D2-DA98-41DD-9C9F-69FA36B169DE}" = PanoStandAlone

"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant

"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA

"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = URL Assistant

"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting

"{41E776A5-9B12-416D-9A12-B4F7B044EBED}" = CP_Package_Basic1

"{45B8A76B-57EC-4242-B019-066400CD8428}" = BufferChm

"{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}" = mHlpDell

"{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe

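The OTL driver-service listing in the log above is where a Tidserv-type infection tends to show itself, and the entries worth a second look are the ones OTL marks `File not found` or that point a known driver service at an unexpected image (the `tsk72D.tmp -- (AFD)` line is the kind of entry a helper would pull out first, since the AFD service normally loads afd.sys). As an added example, not code from OTL, the forum or the poster, here is a small Python triage script that parses OTL's `PRC`/`MOD`/`SRV`/`DRV` lines into records and applies three defender-side checks: a driver whose image is not a `.sys` file, a boot- or system-start driver whose image is missing, and a core service whose image name does not match the expected one. The function names `parse_line`, `triage` and `triage_report`, the `CORE_DRIVER_IMAGES` table (deliberately only `AFD -> afd.sys`) and the severity labels are my assumptions; the sample block is a handful of lines copied from the log above.

```python
"""Hypothetical triage helper for OTL service/driver lines (not OTL's own code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# OTL prints each process/module/service/driver entry in one of two shapes:
#   KIND - [date | size | attrs | M] (Company) [start | state] -- path -- (Name) optional text
#   KIND - File not found [start | state] -- path -- (Name)
HEADER_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - "
    r"(?:\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>\S{4}) \| (?P<mode>[A-Z])\] \((?P<company>[^)]*)\)"
    r"|(?P<missing>File not found))"
    r"(?: \[(?P<state>[^\]]*)\])?"
    r" -- (?P<rest>.+)$"
)

# Assumed, deliberately tiny table: core Windows driver services and the image each normally loads.
CORE_DRIVER_IMAGES = {"AFD": "afd.sys"}

# Constructed sample: lines copied from the OTL log in this thread.
SAMPLE_OTL = r"""
PRC - [2010/10/05 11:32:22 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sybil\Desktop\virus logs\OTL.exe
SRV - [2010/01/26 18:49:33 | 000,117,640 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe -- (N360)
SRV - [2006/06/12 12:01:14 | 000,180,224 | ---- | M] () [Auto | Stopped] -- C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe -- (tcsd_win32.exe)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - File not found [File_System | Boot | Stopped] -- C:\WINDOWS\System32\drivers\klmdb.sys -- (klmdb)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\tsk72D.tmp -- (AFD)
DRV - [2010/01/26 18:49:39 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0308000.029\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
"""


@dataclass
class Entry:
    kind: str
    path: str
    file_found: bool
    name: Optional[str] = None          # service/driver name from the trailing "-- (Name)"
    company: Optional[str] = None
    size: Optional[int] = None
    date: Optional[str] = None
    state: List[str] = field(default_factory=list)   # e.g. ["Kernel", "System", "Stopped"]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one OTL entry; returns None for headers, blank lines and anything else."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    rest = m.group("rest")
    path, name = rest, None
    # The image path runs up to the first " -- (" separator; the service name sits inside
    # the parentheses and OTL may append a free-text display name after it.
    sep = rest.find(" -- (")
    if sep != -1:
        path = rest[:sep]
        name = rest[sep + 5:].split(")", 1)[0]
    state = [s.strip() for s in m.group("state").split("|")] if m.group("state") else []
    size = int(m.group("size").replace(",", "")) if m.group("size") else None
    return Entry(kind=m.group("kind"), path=path, file_found=m.group("missing") is None,
                 name=name, company=m.group("company"), size=size,
                 date=m.group("date"), state=state)


def triage(entry: Entry) -> List[Tuple[str, str]]:
    """Defender-side checks on one entry; returns (severity, reason) pairs."""
    findings: List[Tuple[str, str]] = []
    image = entry.path.rsplit("\\", 1)[-1].lower()
    if entry.kind == "DRV":
        if not image.endswith(".sys"):
            findings.append(("high", f"driver image {image!r} does not have a .sys extension"))
        if not entry.file_found and any(s in ("Boot", "System") for s in entry.state):
            findings.append(("medium", "boot/system-start driver registered but its image is missing"))
        expected = CORE_DRIVER_IMAGES.get(entry.name or "")
        if expected and image != expected:
            findings.append(("high", f"core service {entry.name} points at {image!r}, expected {expected!r}"))
    if entry.file_found and not (entry.company or "").strip():
        findings.append(("low", "image carries no company name"))
    return findings


def triage_report(text: str) -> List[Tuple[str, str, str]]:
    """Run triage over a pasted OTL log; returns (severity, name-or-path, reason) tuples."""
    report: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for severity, reason in triage(entry):
            report.append((severity, entry.name or entry.path, reason))
    return report


if __name__ == "__main__":
    for severity, who, reason in triage_report(SAMPLE_OTL):
        print(f"[{severity:6}] {who}: {reason}")
```

Run against the sample, the script stays quiet on the Symantec and OldTimer entries and on the on-demand PalmUSBD driver, gives klmdb a medium finding (boot-start, image missing), notes the company-less NTRU service, and raises two high findings plus a medium one for the AFD entry. The checks are heuristics for deciding what to look at next, not a verdict; a missing on-demand driver is usually leftover from an uninstall, whereas a system-start core service pointing at a `.tmp` file is the sort of thing a rootkit removal tool such as ComboFix is brought in to confirm.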

Hello there, so far your logs show no more Tidserv, but let's check that. :(

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Below is the combofix log:

ComboFix 10-10-05.06 - Sybil 10/06/2010 15:06:05.1.2 - x86

Running from: c:\documents and settings\Sybil\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\amcdr.dll

c:\windows\vmdcr.dll

.

((((((((((((((((((((((((( Files Created from 2010-09-06 to 2010-10-06 )))))))))))))))))))))))))))))))

.

2010-10-03 23:21 . 2004-08-04 10:00 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll

2010-10-03 23:21 . 2004-08-04 10:00 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys

2010-10-03 23:21 . 2004-08-04 10:00 53248 -c--a-w- c:\windows\system32\dllcache\wamreg51.dll

2010-10-03 23:21 . 2004-08-04 10:00 9216 -c--a-w- c:\windows\system32\dllcache\wamps51.dll

2010-10-03 23:21 . 2004-08-04 10:00 76800 -c--a-w- c:\windows\system32\dllcache\wam51.dll

2010-10-03 23:21 . 2004-08-04 10:00 73728 -c--a-w- c:\windows\system32\dllcache\w3ext.dll

2010-10-03 23:21 . 2004-08-04 10:00 5632 -c--a-w- c:\windows\system32\dllcache\w3svapi.dll

2010-10-03 23:21 . 2004-08-04 10:00 4608 -c--a-w- c:\windows\system32\dllcache\w3ctrs51.dll

2010-10-03 23:21 . 2004-08-04 10:00 363520 -c--a-w- c:\windows\system32\dllcache\w3svc.dll

2010-10-03 23:21 . 2004-08-04 10:00 48256 -c--a-w- c:\windows\system32\dllcache\w32.dll

2010-10-03 23:21 . 2004-08-04 10:00 86073 -c--a-w- c:\windows\system32\dllcache\voicesub.dll

2010-10-03 23:21 . 2004-08-04 10:00 426041 -c--a-w- c:\windows\system32\dllcache\voicepad.dll

2010-10-03 23:19 . 2004-08-04 10:00 20736 -c--a-w- c:\windows\system32\dllcache\ramdisk.sys

2010-10-03 23:18 . 2004-08-04 10:00 7680 -c--a-w- c:\windows\system32\dllcache\migregdb.exe

2010-10-03 23:17 . 2004-08-04 10:00 13463552 -c--a-w- c:\windows\system32\dllcache\hwxjpn.dll

2010-10-03 23:16 . 2004-08-04 10:00 54528 -c--a-w- c:\windows\system32\dllcache\cap7146.sys

2010-10-03 23:15 . 2004-08-04 10:00 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll

2010-10-03 23:05 . 2004-08-04 04:56 27136 ----a-w- c:\windows\system32\irmon.dll

2010-10-03 23:05 . 2004-08-04 04:56 152576 ----a-w- c:\windows\system32\irftp.exe

2010-10-03 23:05 . 2004-08-04 04:56 8192 ----a-w- c:\windows\system32\wshirda.dll

2010-10-03 22:57 . 2004-08-04 10:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll

2010-10-03 22:57 . 2004-08-04 10:00 24661 ----a-w- c:\windows\system32\spxcoins.dll

2010-10-03 22:57 . 2004-08-04 10:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll

2010-10-03 22:57 . 2004-08-04 10:00 13312 ----a-w- c:\windows\system32\irclass.dll

2010-10-03 18:42 . 2010-10-03 18:42 -------- d-----w- c:\windows\dell

2010-09-29 22:52 . 2010-09-29 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure

2010-09-29 22:52 . 2010-09-30 13:53 -------- d-----w- c:\program files\RegCure

2010-09-28 21:24 . 2010-09-28 21:24 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec

2010-09-28 15:26 . 2010-09-28 15:26 -------- d-----w- c:\documents and settings\Sybil\Local Settings\Application Data\Symantec

2010-09-13 19:31 . 2010-09-02 21:49 13312 ----a-w- c:\windows\system32\drivers\pneteth.sys

2010-09-13 19:15 . 2008-03-21 17:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll

2010-09-13 19:12 . 2009-11-08 06:41 581192 ----a-w- c:\windows\system32\WinUSBCoInstaller.dll

2010-09-13 19:12 . 2009-11-08 06:41 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll

2010-09-13 19:12 . 2010-09-20 14:19 -------- d-----w- c:\program files\PdaNet for Android

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-10-06 13:09 . 2007-09-08 17:11 116488 ----a-w- c:\windows\hpoins11.dat

2010-10-03 23:57 . 2010-10-03 23:57 -------- d-----w- c:\documents and settings\Sybil\Application Data\IObit

2010-10-03 23:37 . 2010-10-03 23:37 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit

2010-10-03 23:37 . 2010-10-03 23:37 -------- d-----w- c:\program files\IObit

2010-10-03 23:27 . 2006-12-04 07:15 122086 ----a-w- c:\windows\system32\nvModes.dat

2010-09-28 21:12 . 2010-09-28 21:12 15792 ----a-w- c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\FixTDSS.sys

2010-09-28 21:12 . 2010-09-28 21:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\FixTDSS

2010-09-27 16:09 . 2008-03-13 15:15 -------- d-----w- c:\documents and settings\Sybil\Application Data\AMICAS

2010-09-27 12:34 . 2009-08-27 19:51 -------- d-----w- c:\documents and settings\Sybil\Application Data\Clip Art Collection

2010-09-22 21:07 . 2007-12-06 22:45 -------- d-----w- c:\documents and settings\Sybil\Application Data\U3

2010-09-13 19:21 . 2009-05-03 22:13 -------- d-----w- c:\program files\Microsoft Silverlight

2010-09-13 19:16 . 2010-09-13 19:16 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf

2010-09-13 19:15 . 2010-09-13 19:15 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf

2010-08-04 23:02 . 2010-09-28 21:12 371248 ----a-w- c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\eeCtrl.sys

2010-07-22 05:57 . 2009-04-16 14:48 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2007-08-25 03:52 . 2008-01-26 23:44 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll

2008-12-18 15:57 . 2008-12-18 15:57 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

2008-12-18 15:57 . 2008-12-18 15:57 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

2008-12-18 15:57 . 2008-12-18 15:58 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll

2008-12-18 15:58 . 2008-12-18 15:58 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]

"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-11 1280344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\wxvault.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk

backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk

backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Sybil^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\Sybil\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sybil^Start Menu^Programs^Startup^PdaNet Desktop.lnk]

path=c:\documents and settings\Sybil\Start Menu\Programs\Startup\PdaNet Desktop.lnk

backup=c:\windows\pss\PdaNet Desktop.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

2005-06-07 04:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-06-12 07:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]

2007-07-02 17:29 159744 ----a-w- c:\program files\DellTPad\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2004-08-04 10:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]

2006-06-29 18:13 1032192 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]

2006-08-29 03:57 395776 ----a-w- c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]

2005-09-08 11:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Document Manager]

2006-05-16 18:35 102400 ----a-w- c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]

2005-12-10 02:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]

2005-12-28 17:56 602182 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]

2005-12-28 17:55 667718 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2004-07-27 22:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2004-07-27 22:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]

2003-09-10 08:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2006-01-19 14:14 7401472 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]

2006-01-19 14:14 73728 ----a-w- c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2006-01-19 14:14 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]

2005-03-18 11:18 98304 ----a-r- c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2008-03-29 03:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]

2006-03-24 22:30 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2006-07-26 07:03 49263 ----a-w- c:\program files\Java\jre1.5.0_08\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"d:\\SETUP.EXE"=

"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

R0 klmdb;klmdb;c:\windows\system32\drivers\klmdb.sys [x]

R3 GTKCMOS;GTKCMOS;c:\windows\system32\GTKCMOS.sys [2004-06-15 7882]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS [2010-01-26 310320]

S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\N360\0308000.029\BHDrvx86.sys [2010-01-26 259632]

S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\N360\0308000.029\ccHPx86.sys [2010-01-26 482432]

S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100928.001\IDSxpx86.sys [2010-05-28 331640]

S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\IS360srv.exe [2010-06-11 312152]

S2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2010-01-26 117640]

S2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe [2009-12-04 103280]

S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe [2009-08-24 126392]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-08-04 102448]

S3 pneteth;PdaNet Broadband;c:\windows\system32\DRIVERS\pneteth.sys [2010-09-02 13312]

.

Contents of the 'Scheduled Tasks' folder

2010-10-01 c:\windows\Tasks\RegCure Program Check.job

- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2010-09-30 c:\windows\Tasks\RegCure.job

- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3061204

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3061204

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: cayugamed.org\rad

DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} - file:///D:/CDVIEWER/CdViewer.cab

FF - ProfilePath - c:\documents and settings\Sybil\Application Data\Mozilla\Firefox\Profiles\9u2y5u3h.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll

FF - plugin: c:\documents and settings\Sybil\Application Data\Mozilla\Firefox\Profiles\9u2y5u3h.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll

FF - plugin: c:\program files\Java\jre1.5.0_08\bin\NPJPI150_08.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys

SafeBoot-Wdf01000.sys

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]

"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCCUJobMgr]

"ImagePath"="\"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AFD]

"ImagePath"="system32\drivers\tsk72D.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1696)

c:\windows\system32\wvauth.dll

c:\windows\system32\biolsp.dll

.

Completion time: 2010-10-06 15:13:25

ComboFix-quarantined-files.txt 2010-10-06 19:13

Pre-Run: 59,240,353,792 bytes free

Post-Run: 59,374,821,376 bytes free

- - End Of File - - FAF1BDFAE3ECFCA1E54478FC5A84FB8B
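As an added example (this is not ComboFix's own code and not something anyone in the thread ran), here is a small Python triage script over a few lines excerpted verbatim from the log above. It pulls out the entries a helper reads first when deciding whether a TDSS-class rootkit is still present or has been cleaned: a service whose ImagePath points at a .tmp file (the AFD service, normally afd.sys, was pointed at system32\drivers\tsk72D.tmp and shows up under ORPHANS REMOVED), a driver entry whose file is missing on disk (klmdb.sys, marked [x]), and the Security Center monitoring and Windows Firewall settings that were switched off. The function name `triage`, the finding labels and the `SAMPLE_LOG` selection are my own choices, not ComboFix output formats.

```python
"""Triage helper for a ComboFix report (added example, not part of ComboFix).

Scans the registry-key / value lines and the R*/S* service lines of a
ComboFix log and returns the findings a helper looks at first:
  * a service ImagePath that points at a .tmp file (no legitimate Windows
    service is registered that way; AFD normally loads afd.sys)
  * a driver whose file is missing on disk (ComboFix marks it with [x])
  * Security Center monitoring or the Windows Firewall switched off
"""
import re

# Lines excerpted verbatim from the ComboFix log posted above (raw string,
# so the backslashes in the paths are kept as written).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 klmdb;klmdb;c:\windows\system32\drivers\klmdb.sys [x]
R3 GTKCMOS;GTKCMOS;c:\windows\system32\GTKCMOS.sys [2004-06-15 7882]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2010-01-26 117640]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AFD]
"ImagePath"="system32\drivers\tsk72D.tmp"
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                 # [HKEY_...\Services\AFD]
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(.*)"$')   # "ImagePath"="..."
# R0 name;description;path [date size]  or  ... [x] when the file is missing
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);[^;]*;(.*?)\s+\[([^\]]*)\]$')


def _leaf(key):
    """Last component of a registry key path, e.g. 'AFD'."""
    return key.rsplit('\\', 1)[-1]


def triage(log_text):
    """Return a list of (finding_label, detail) tuples in order of appearance."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)     # values that follow belong to this key
            continue

        m = IMAGEPATH_RE.match(line)
        if m:
            # Drop the escaped quotes ComboFix writes around quoted paths and
            # keep only the binary, i.e. everything before the first switch.
            binary = m.group(1).replace('\\"', '').split(' /')[0].strip()
            if binary.lower().endswith('.tmp'):
                findings.append(('service_imagepath_tmp',
                                 f'{_leaf(current_key)} -> {binary}'))
            continue

        m = SERVICE_RE.match(line)
        if m:
            start, name, path, meta = m.groups()
            if meta == 'x':              # registered driver, file not on disk
                findings.append(('driver_file_missing',
                                 f'{name} ({start}) -> {path}'))
            continue

        if (line.startswith('"DisableMonitoring"=dword:00000001')
                and 'security center' in current_key.lower()):
            # The bare ...\Monitoring key disables monitoring for all products;
            # a subkey names the product whose monitoring is suppressed.
            scope = ('all products' if current_key.lower().endswith('\\monitoring')
                     else _leaf(current_key))
            findings.append(('security_center_monitoring_off', scope))
            continue

        if re.match(r'^"EnableFirewall"=\s*0\b', line):
            findings.append(('firewall_off', _leaf(current_key)))

    return findings


if __name__ == "__main__":
    for label, detail in triage(SAMPLE_LOG):
        print(f"{label:32} {detail}")
```

The script deliberately does not flag every unfamiliar entry (for instance the Wave Systems and Dell components in the log are legitimate OEM software); it only reports the handful of conditions that are never normal on a healthy XP install, which is the same shortlist a helper checks before saying a TDSS log looks clean.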

Hello there, so far, your logs show no more Tidserv, but let's check that. :)


Well most things seem to be running O.K. with a few exceptions that make me a little suspicious. The first is that if you try to start Norton 360 from the shortcut on the desktop, you get the error "C:\Program Files\Norton 360\Engine\3.8.0.41\uiStub.exe The specified path does not exist. Check the path and try again." Norton will open from the tray, but when opening it has several messages as listed below:

-Symantec Email Proxy cannot scan your email messages because your network is not properly configured

-listed again (one for outgoing, one for inbound)

The most recent comprehensive Norton scan (in Normal mode), however, came up clean, which seems odd. This is the first scan that did not find anything. I attempted to perform the scan in safe mode, only to find that the touchpad is now not functioning while in safe mode (this is a new problem that did not exist yesterday).

Networking seems to be disabled somehow as well. When the computer attempts to connect to a wireless network it never establishes an IP (just keeps trying), and when trying to hook the computer directly to a printer via a network cable, it does not see the printer. So something is not right as all of these things were functioning fine before the virus showed up.

Hi that looks good! :)

How are things running at this point?


For Norton, the simplest solution would be to uninstall/reinstall. If you have a possibility to reinstall it, you can run the following uninstaller.

Please click HERE and follow the instructions in STEP 2 to download and run the norton removal tool.

Click Start > Run, type services.msc and press enter. Scroll down to the DHCP service and verify it is set to Automatic and Started. If not, start it manually and let me know what happens.


Hi again Elise,

I attempted to run the Norton removal tool, only to be given an error message that the specified path does not exist. I am transferring the file via a thumb drive because I can't hook the computer to a network until I'm sure it's clean. I followed the instructions to put the file on the desktop and open it. I also tried putting it in other locations and opening it with the same result. Something else odd: the computer won't let me throw the file away either, I get an error message that Access is denied. It really still feels like there is a virus controlling things. Any thoughts? Thanks again for your help.


AVs usually have pretty limited permissions, which is a prevention measure against malware that often attacks installed security programs in order to be able to install itself.

Can you try to run the uninstaller from safe mode please? Alternatively, try to uninstall Norton using Add/Remove programs and when done, run the Uninstaller in order to get rid of any leftovers.


Hi Elise, yes I will give that a try, but I recently cleared the virus incidents from the Norton unresolved threats list (as per directions of the mods on the Norton boards), and then rescanned and Norton again said it found the virus (location C:\system volume information\_restore{46dde8921-1d39-44d2-a9e9-64119261f211}\rp1\a0002187.sys) and 1 browser cache. System restore is currently turned off. I'll post again after attempting the uninstall in safe mode.


I forgot, the touchpad and pointer stick are disabled in safe mode which means I will have to attempt your second suggestion.


Hi Elise, the uninstall did work, but now I need a way to reinstall Norton 360 without going online. When I attempt to download it from Norton, it just downloads the download manager, which goes straight to install when activated, and it will only let you install on the hard drive (not a thumb drive). I can't put the infected computer online until I'm sure it is not infected because there is sensitive information that I can't risk being sent out.

Okay, please let me know if that did the trick.

Hi Elise,

I'm running a full scan now, but I don't anticipate that it will find anything since it never identified the virus in the first place, even before I made any attempts to remove it. Also, all methods of getting the computer online have been disabled by the virus (which seems counterintuitive) or the havoc it ended up wreaking. Both wireless and direct connect fail to connect.

Things are looking quite good at this point. So, best would be to run a scan with MBAM, see if it comes up clean and then go online in order to reinstall Norton.

Hey Elise, so MBAM found three infected files:

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0002655.sys

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0002747.sys

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0002856.sys

Should I go ahead and select remove selected? Then rescan?


With the wireless it just keeps saying something like trying to establish an IP address; with the wired (through the phone via PdaNet), when telling it to connect it doesn't do anything at all, and doesn't give an error message.

Can you please explain to me what happens when you try to connect? Does the icon in the tray say you are connected or does it indicate a problem?

Hi Elise, sorry for taking so long to respond. When opening the services window, the only thing that shows up is Services (Local) in the left hand column, and nothing in the right. There doesn't appear to be anything to expand or turn on or off.

Please click Start > Run, type services.msc and press enter.

Scroll down to the DHCP Client service and make sure it is set to Automatic and Started. If not, start it and let me know what happens.


No, when highlighting it, clicking on it, etc. there is nothing. Also I have removed the files that MBAM found, uninstalled Norton with the removal tool, reinstalled Norton and updated with the intelligent updater, and am now running a full scan.

What happens if you highlight Services (Local)? Doesn't that make a list appear in the right pane?

I do see what you mean by looking at my other computer, so that seems strange...

