
Mshta.exe "DoorDoOpenPipeStream" Dell Inspiron 6400 Windows XP


drb930


Machine is a Dell Inspiron 6400 Intel dual core running Windows XP.

I am getting Google re-directed after getting this virus.

I cleaned most of the virus when I got it using Malwarebytes, and have updated and run Malware at least 6 times now, but no help.

Attached is the Malwarebytes Log, DDS, Attach, Ark, and HijackThis file if someone can help me with this.

Thanks in advance,

Dave

mbam_log_2011_02_09__20_43_29_.txt

DDS.txt

Attach.zip

ark.zip

hijackthis.log


Welcome to the forum

Download TDSSKiller to your Desktop.

Double-click on TDSSKiller.exe to run the application, then click on Start Scan.

Don't Change These Settings:

If an infected file is detected, the default action will be Cure, click on Continue.

If a suspicious file is detected, the default action will be Skip, click on Continue.

You may be asked to reboot the computer to complete the process. Click on Reboot Now.

To view the report:

Click the Report button and copy/paste the contents of it into your next reply.

Note: It will also create a log in the C:\ directory.

---------------------------------------

Please download and run ComboFix:

A few notes first:

* ComboFix is compatible exclusively with W2K, XP, Vista, and Windows 7
* ComboFix must be run from an Administrative account.
* Vista and W7 users - Right click, choose "Run as Administrator"
* It must be downloaded to and run from your desktop.
* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can and will interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". (see below)
* ComboFix Guide <---please read!

Download ComboFix from one of these locations: (you may have to use right click > save target as)

* Link 1
* Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon and choose disable/exit.

More info HERE<-------

They may interfere with the running of ComboFix.

Note: If you have AVG or CA Internet Security Suite installed, due to recent changes in how these AV's target the tool's internal files, they must be uninstalled before running ComboFix. If you have difficulty uninstalling the AV, download and run Opswat AppRemover

* Double click on ComboFix.exe & follow the prompts.
* Note: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
* Note: If you have SP3, use the SP2 package.

If Vista or Windows 7, skip the Recovery Console part

* ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
* Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix permanently prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun ASAP!.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If a reboot doesn't restore your connection, please try this:

Check HERE

For XP systems download and run WinSockFix and Here

Vista users: Check HERE

Windows 7 systems: Download and run this Winsockfix.bat

5. Give ComboFix at least 20-30 minutes to finish if needed.

MrC


Mr C,

I downloaded and ran TDSSKiller, and the virus appears to be gone!

Sweet!!!!

Should I still run the Combo Fix?

Log file posted as requested.

Thanks,

Dave

TDSSKiller.2.4.17.0_10.02.2011_17.58.17_log.txt


Scan type: Realtime Protection Scan

Event: Virus Found!

Virus name: Backdoor.Tidserv.I!inf

File: C:\System Volume Information\_restore{B70A2B00-BEC1-4907-9CEB-2DEEFFFCE226}\RP619\A0053865.sys

Location: C:\System Volume Information\_restore{B70A2B00-BEC1-4907-9CEB-2DEEFFFCE226}\RP619

Computer: DAVE

User: Dave B

Action taken: Clean failed : Quarantine failed : Access denied

Date found: Thu Feb 10 19:17:43 2011


Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5736

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

2/10/2011 7:32:46 PM

mbam-log-2011-02-10 (19-32-46).txt

Scan type: Full scan (C:\|)

Objects scanned: 192064

Time elapsed: 25 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Qoobox\quarantine\C\documents and settings\Dave B\application data\ht92maey.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\documents and settings\Dave B\application data\khzduhs1w.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.

c:\Qoobox\quarantine\C\documents and settings\networkservice\application data\pl5t2uro.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.

c:\system volume information\_restore{b70a2b00-bec1-4907-9ceb-2deefffce226}\RP623\A0068190.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

c:\system volume information\_restore{b70a2b00-bec1-4907-9ceb-2deefffce226}\RP623\A0068191.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
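
As an added example (not part of the original thread, and not code from Malwarebytes or ComboFix): a small Python parser for the Malwarebytes log format posted above that buckets each detection by where the file sits. `C:\Qoobox\quarantine` is ComboFix's quarantine folder and `System Volume Information\_restore{...}` holds System Restore snapshots; the bucket names and function names are this example's own.

```python
import re

# Excerpt of the Malwarebytes log posted in this thread (blank lines dropped).
LOG = r"""Files Infected: 5
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Qoobox\quarantine\C\documents and settings\Dave B\application data\ht92maey.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\Dave B\application data\khzduhs1w.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\networkservice\application data\pl5t2uro.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b70a2b00-bec1-4907-9ceb-2deefffce226}\RP623\A0068190.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b70a2b00-bec1-4907-9ceb-2deefffce226}\RP623\A0068191.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

SUMMARY = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")   # "Files Infected: 5"
HEADER = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")               # "Files Infected:"
HIT = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

def locate(path):
    """Bucket a detection by location (bucket names are this example's own)."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "combofix-quarantine"   # copies ComboFix already set aside
    if "\\system volume information\\_restore{" in p:
        return "system-restore"        # snapshot stored in an XP restore point
    return "live"                      # anything else is on the active file system

def parse(log):
    """Return (summary counts, list of detections) from a Malwarebytes text log."""
    summary, hits, section = {}, [], None
    for line in (l.strip() for l in log.splitlines()):
        if m := SUMMARY.match(line):
            summary[m["cat"]] = int(m["n"])
        elif m := HEADER.match(line):
            section = m["cat"]
        elif section and (m := HIT.match(line)):
            hits.append({"section": section, "where": locate(m["path"]), **m.groupdict()})
    return summary, hits

def triage(log):
    """Count detections per location and check the file list matches the summary."""
    summary, hits = parse(log)
    counts = {}
    for h in hits:
        counts[h["where"]] = counts.get(h["where"], 0) + 1
    listed = sum(1 for h in hits if h["section"] == "Files Infected")
    return {"by_location": counts, "complete": listed == summary.get("Files Infected")}
```

Run on the posted log, all five detections land in the ComboFix quarantine or System Restore buckets and none in `live`.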


Do you have any idea what these bat files are from?

You may have to enable hidden files to see them:

http://www.microsoft.com/windowsxp/using/h...iddenfiles.mspx

c:\documents and settings\Dave B\Application Data\684.bat

c:\documents and settings\NetworkService\Application Data\9368.bat

c:\documents and settings\Dave B\Application Data\7399.bat

c:\documents and settings\LocalService\Application Data\3766.bat

c:\documents and settings\Dave B\Application Data\4789.bat

c:\documents and settings\Dave B\Application Data\3020.bat

---------------------------------

The logs look OK, how is it?? MrC


Mr C

I don't know what those files are, that's why I sent them, look suspicious?

Machine is running okay, Malwarebytes seemed to finally clean off the virus.

The problem I have now is I want my AutoStarts back?

Do I need to take the Combofix off?

Also when I first got the virus and used Malwarebytes it took out my d: cd drive, and I can't restore it.

I got it to see the d drive now, and can see the files in browse, but it will not work.

It works if I boot the machine with the dell drivers disc in the machine, and passes all the tests, except for the fn f10 button to open the door.

Any ideas?

Thanks,

Dave


Can you drag one of those bat files into Notepad? That will open it up and you'll be able to see what's inside. Copy and paste the contents of Notepad back here.

Click on the link below and about half way down is Enable Autorun FixIt:

http://support.microsoft.com/kb/967715

That should enable autoruns again.

-----------------------

Please Uninstall ComboFix:

Go to Start > Run and copy and paste the next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

--------------------

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button.

Reboot and let me know how it is, MrC


Can you do this for me so I can see if those bat files are malware related:

Can you drag one of those bat files into Notepad? That will open it up and you'll be able to see what's inside. Copy and paste the contents of Notepad back here.

-------------

Try the Autoplay Repair Wizard from Microsoft:

http://www.microsoft.com/downloads/en/deta...71-1b389cfacdad

Follow the directions carefully, MrC


Mr C-

Thanks so much, the machine is working well now, autostart for the cd and usb also.

I had to remove NAV Corp as it was not updating since Oct 2010.

It will not reload, pretty old version now.

Is there something that you would recommend for real/time protection, or should I just buy a new copy of NAV?

Thanks,

Dave


If you want to buy something...I would highly recommend you buy the Full Version of MBAM, it's a one time fee and this will give you the best realtime protection plus:

**Dynamically Blocks Malware Sites & Servers

**Malware Execution Prevention

It also works well with Microsoft Security Essentials

-----------------

If not.... I like Microsoft Security Essentials

There's also Avira or Avast.

All this info can be found in My Preventive Maintenance

Any questions...please post back, MrC
