Malware Removal "HTTPS Tidserv Request 2"

Malware Removal "HTTPS Tidserv Request 2"

Post by shahyogi » February 19th, 2010, 12:27 am

I have some kind of virus/malware on my laptop. My Norton is listing it as HTTPS Tidserv Request 2; it is saying the source address is 94.228.209.144, with the last 3 digits changing with every notification. It's telling me the application path is \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SVCHOST.EXE. Norton has listed it as high but tells me no action is required and won't allow me to take any. System restore is not working. I knew the second I got the problem and ran the restore, but it said it was not working. All my previous dates in restore are gone. Now it works, but only recently with recent dates. I have installed and run, in regular mode and safe mode, the full versions of SUPERAnti, ATF-Cleaner and Norton 2009. All programs are helpful but still I have the Tidserv. Norton is crazy with pop-ups on this and I periodically get booted, but not frequently. I do not know how to send the Hijack as well.

Please guide.

Hijack Log as below

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:53:16, on 19-02-2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files\ACT\Act for Windows\ActSage.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://vaio-online.sony.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02C7D6E9-9C2D-4073-81E5-280E33574D59} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.0.0.135\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [] 
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: S&end to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Linked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: &Linked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... .0.1.1.cab
O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} (UploadListView Class) - http://picasaweb.google.co.in/s/v/58.14/uploader2.cab
O16 - DPF: {44990B00-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsup ... gctlcm.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.co.in/s/v/43.10/uploader2.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.4.1.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.ooxtv.com/livetv.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0CD60BB-AC96-44A1-8B5E-E8B64A947E28}: NameServer = 218.248.255.145,218.248.255.193
O18 - Protocol: skyline - {3A4F9195-65A8-11D5-85C1-0001023952C1} - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ACT! Scheduler - Sage Software, Inc. - C:\Program Files\ACT\Act for Windows\Act.Scheduler.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cleaning Service - Unknown owner - C:\PROGRA~1\QUICKH~1\QUICKH~1\ntclnsrv.exe (file missing)
O23 - Service: eToken Notification Service (ETOKSRV) - Aladdin Knowledge Systems, Ltd. - C:\Windows\system32\eTSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: SupportSoft Sprocket Service (nxpclient) (sprtsvc_nxpclient) - SupportSoft, Inc. - C:\Program Files\Airtel\NetXpert\bin\sprtsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Media Content Collection (VAIOMediaPlatform-UCLS-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe
O23 - Service: VAIO Media Content Collection (HTTP) (VAIOMediaPlatform-UCLS-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Content Collection (UPnP) (VAIOMediaPlatform-UCLS-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 13224 bytes


Uninstall log as below


ACT! by Sage Premium 2009 (11.0)
Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Elements 5.0.2 Patcher
Adobe Reader 8.1.2
Airtel NetXpert 2.0
Alps Pointing-device for VAIO
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Application Suite
Azureus Vuze
Bluetooth Stack for Windows by Toshiba
Bonjour
Compatibility Pack for the 2007 Office system
Creative Element Power Tools
DSD Direct
DSD Playback Plug-in
DVgate Plus
eToken Run Time Environment 3.60
eToken Utilities 2.10
GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
HDAUDIO SoftV92 Data Fax Modem with SmartCP
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Update
HPSSupply
inSSIDer
Intel(R) Graphics Media Accelerator Driver
iTunes
Java(TM) 6 Update 11
Java(TM) 6 Update 3
LAN Setting Utility
Loki ActiveX Control
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Office Access MUI (English) 14
Microsoft Office Excel MUI (English) 14
Microsoft Office Groove MUI (English) 14
Microsoft Office Groove Setup Metadata MUI (English) 14
Microsoft Office InfoPath MUI (English) 14
Microsoft Office OneNote MUI (English) 14
Microsoft Office Outlook MUI (English) 14
Microsoft Office PowerPoint MUI (English) 14
Microsoft Office Professional Plus 14
Microsoft Office Professional Plus 2010 (Technical Preview)
Microsoft Office Proof (English) 14
Microsoft Office Proof (French) 14
Microsoft Office Proof (Spanish) 14
Microsoft Office Proofing (English) 14
Microsoft Office Publisher MUI (English) 14
Microsoft Office Send-a-Smile
Microsoft Office Shared MUI (English) 14
Microsoft Office Shared Setup Metadata MUI (English) 14
Microsoft Office Word MUI (English) 14
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (ACT7)
Microsoft SQL Server 2005 Express Edition (VAIO_VEDB)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MSVCRT
MSXML 4.0 SP2 (KB973688)
neroxml
Norton 360
NVIDIA Drivers
OEM
OGA Notifier 2.0.0048.0
OpenMG Secure Module 4.6.01
QuickTime
RealPlayer
Setting Utility Series
SigmaTel Audio
Skype™ 4.0
SonicStage 4.2
SonicStage Mastering Studio
SonicStage Mastering Studio Audio Filter
SonicStage Mastering Studio Audio Filter Custom Preset
SonicStage Mastering Studio Plugins
Sony Snymsico for Vista
Sony Utilities DLL
Sony Video Shared Library
Spelling Dictionaries Support For Adobe Reader 8
Sprite Backup
SUPERAntiSpyware Professional
Symantec Technical Support Web Controls
TATA Indicom Dialer
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VAIO Aqua Breeze Wallpaper
VAIO Azure Float Wallpaper
VAIO Camera Capture Utility
VAIO Camera Utility
VAIO Control Center
VAIO Cozy Orange Wallpaper
VAIO Data Restore Tool
VAIO Entertainment Platform
VAIO Event Service
VAIO Floral Dusk Wallpaper
VAIO Hardware Diagnostics
VAIO HDD Protection
VAIO Long Battery Life Wallpaper
VAIO Manual
VAIO Media 6.0
VAIO Media AC3 Decoder 1.0
VAIO Media Content Collection 6.0
VAIO Media Integrated Server 6.0
VAIO Media Redistribution 6.0
VAIO Media Registration Tool 6.0
VAIO Photo 2007
VAIO Power Management
VAIO Teal Whisper Wallpaper
VAIO Tender Yellow Wallpaper
VAIO Update 3
VAIO Video & Photo Utilities
VCRedistSetup
VideoLAN VLC media player 0.8.6c
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live for Windows Mobile
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Mobile Device Center
Windows Mobile Device Center Driver Update
WinRAR archiver
Wireless Switch Setting Utility
WordWeb
Yahoo! Messenger
shahyogi
Active Member
 
Posts: 8
Joined: February 18th, 2010, 8:44 am

Re: Malware Removal "HTTPS Tidserv Request 2"

Post by MWR 3 day Mod » February 22nd, 2010, 5:07 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our "Waiting for help with malware removal?" forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Malware Removal "HTTPS Tidserv Request 2"

Post by Katana » February 27th, 2010, 9:12 am

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
  1. Please Read All Instructions Carefully
  2. If you don't understand something, stop and ask! Don't keep going on.
  3. Please do not run any other tools or scans whilst I am helping you
  4. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe


----------------------------------------------------------------------------------------

I apologize for the delay in responding, but as you can probably see the forums are quite busy.
Unfortunately there are far more people needing help than there are helpers.

If you still require help please do the following



GMER Rootkit Detector

Please download GMER Rootkit Scanner from Here or Here

***Please close any open programs ***
  • Extract the contents of the zip file to your desktop.
  • Disable your onboard Anti Virus and any other Active protection programs you have installed.
  • Double-click gmer.exe. The program will begin to run.

    Note: If GMER doesn't run, please Reboot and then rename gmer.exe to Look.exe and try again

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst


  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO,
  • Now use the following settings for a more complete scan..

  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once the scan is complete, you may receive another notice about rootkit activity. If you receive it, click OK.
  • Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.


DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

Please post the results from the GMER scan in your reply along with a fresh HJT log.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
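What a helper does with the two logs exchanged in this thread, as an added example that is not code from the forum, from GMER or from HijackThis: it splits a GMER report into its sections and a HijackThis log into its numbered entries, then pulls out the lines that get read first (SSDT hooks, hooked disk-stack devices and modified driver files from GMER; orphaned references and O17 NameServer addresses from HijackThis). The sample logs inside the block are constructed from lines posted in this thread.

```python
"""Triage the GMER and HijackThis logs exchanged in this thread.
Added example; not code from the forum, GMER or HijackThis."""
import re
from collections import defaultdict

# Constructed sample, modelled on the GMER report posted in the thread.
GMER_SAMPLE = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-02 15:30:03
---- System - GMER 1.0.15 ----
SSDT 87D62108 ZwAlertResumeThread
SSDT 874472F8 ZwLoadDriver
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 859AD81A
---- Files - GMER 1.0.15 ----
File C:\Windows\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

# Constructed sample, modelled on the HijackThis log posted in the thread.
HJT_SAMPLE = r"""
Running processes:
C:\Windows\Explorer.EXE
O2 - BHO: (no name) - {02C7D6E9-9C2D-4073-81E5-280E33574D59} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0CD60BB-AC96-44A1-8B5E-E8B64A947E28}: NameServer = 218.248.255.145,218.248.255.193
O23 - Service: Cleaning Service - Unknown owner - C:\PROGRA~1\QUICKH~1\QUICKH~1\ntclnsrv.exe (file missing)
"""

GMER_SECTION = re.compile(r"^---- (\w+) - GMER [\d.]+ ----$")
HJT_ENTRY = re.compile(r"^([RFO]\d+) - (.*)$")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_gmer(text):
    """Split a GMER report into {section: [lines]}; text before the first
    '---- X - GMER ----' banner is filed under 'Header'."""
    sections, current = defaultdict(list), "Header"
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        banner = GMER_SECTION.match(line)
        if banner:
            current = banner.group(1)
        else:
            sections[current].append(line)
    return dict(sections)


def triage_gmer(text):
    """Pull out the GMER entries a helper reads first."""
    sec = parse_gmer(text)
    return {
        # SSDT hooks are listed, not judged: security suites hook the SSDT too,
        # so the question is which driver owns each hook, not whether hooks exist.
        "ssdt_hooks": [ln.split()[2] for ln in sec.get("System", [])
                       if ln.startswith("SSDT ")],
        # A disk-stack device object reported at an unexpected kernel address;
        # read together with the Files section before anything is acted on.
        "device_hooks": [ln for ln in sec.get("Devices", [])
                         if ln.startswith("Device -> ")],
        # Driver files whose on-disk image does not match what GMER expects.
        "modified_files": [ln for ln in sec.get("Files", [])
                           if ln.endswith("suspicious modification")],
    }


def parse_hjt(text):
    """Group HijackThis entries by section code (R0, O2, O17, O23, ...)."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            entries[m.group(1)].append(m.group(2))
    return dict(entries)


def triage_hjt(text):
    """Pull out the HijackThis entries a helper reads first."""
    entries = parse_hjt(text)
    return {
        # Registry references whose target file is gone: leftovers to clean up.
        "orphaned": [e for code in entries for e in entries[code]
                     if e.endswith("(no file)") or e.endswith("(file missing)")],
        # O17 NameServer values: DNS changers live here, so each address is
        # checked against the resolvers the user's ISP actually assigns.
        "nameservers": [ip for e in entries.get("O17", [])
                        for ip in IPV4.findall(e)],
    }


if __name__ == "__main__":
    for name, result in (("GMER", triage_gmer(GMER_SAMPLE)),
                         ("HijackThis", triage_hjt(HJT_SAMPLE))):
        print(f"== {name} ==")
        for key, items in result.items():
            print(f"  {key}: {items}")
```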

Re: Malware Removal "HTTPS Tidserv Request 2"

Post by shahyogi » March 2nd, 2010, 6:05 am

GMER LOG
----------------------
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-02 15:30:03
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\YoG!\AppData\Local\Temp\pxldrpow.sys


---- System - GMER 1.0.15 ----

SSDT 87D62108 ZwAlertResumeThread
SSDT 878BC948 ZwAlertThread
SSDT 879FE3A0 ZwAllocateVirtualMemory
SSDT 877323A8 ZwAlpcConnectPort
SSDT 88481530 ZwAssignProcessToJobObject
SSDT 8848C800 ZwCreateMutant
SSDT 884A1830 ZwCreateSymbolicLinkObject
SSDT 878C4DE8 ZwCreateThread
SSDT 8847BBD8 ZwDebugActiveProcess
SSDT 8843A690 ZwDuplicateObject
SSDT 8848B1A8 ZwFreeVirtualMemory
SSDT 8795D120 ZwImpersonateAnonymousToken
SSDT 878D5108 ZwImpersonateThread
SSDT 874472F8 ZwLoadDriver
SSDT 8848B108 ZwMapViewOfSection
SSDT 8842D118 ZwOpenEvent
SSDT 8847E198 ZwOpenProcess
SSDT 87CE1E00 ZwOpenProcessToken
SSDT 87957120 ZwOpenSection
SSDT 8847FE00 ZwOpenThread
SSDT 88492F00 ZwProtectVirtualMemory
SSDT 87A5B808 ZwResumeThread
SSDT 8786CA40 ZwSetContextThread
SSDT 8848CE60 ZwSetInformationProcess
SSDT 8847D1A8 ZwSetSystemInformation
SSDT 8847A3A8 ZwSuspendProcess
SSDT 878BB788 ZwSuspendThread
SSDT 878B3D80 ZwTerminateProcess
SSDT 878B9448 ZwTerminateThread
SSDT 878B5158 ZwUnmapViewOfSection
SSDT 8848B740 ZwWriteVirtualMemory
SSDT 884969E0 ZwCreateThreadEx

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 859AD81A

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Hijack This

-----------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:35:06, on 02-03-2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files\ACT\Act for Windows\ActSage.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02C7D6E9-9C2D-4073-81E5-280E33574D59} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.8.0.41\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [] 
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: S&end to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Linked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: &Linked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O13 - Gopher Prefix:
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... .0.1.1.cab
O16 - DPF: {44990B00-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsup ... gctlcm.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: skyline - {3A4F9195-65A8-11D5-85C1-0001023952C1} - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ACT! Scheduler - Sage Software, Inc. - C:\Program Files\ACT\Act for Windows\Act.Scheduler.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cleaning Service - Unknown owner - C:\PROGRA~1\QUICKH~1\QUICKH~1\ntclnsrv.exe (file missing)
O23 - Service: eToken Notification Service (ETOKSRV) - Aladdin Knowledge Systems, Ltd. - C:\Windows\system32\eTSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: SupportSoft Sprocket Service (nxpclient) (sprtsvc_nxpclient) - SupportSoft, Inc. - C:\Program Files\Airtel\NetXpert\bin\sprtsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Media Content Collection (VAIOMediaPlatform-UCLS-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe
O23 - Service: VAIO Media Content Collection (HTTP) (VAIOMediaPlatform-UCLS-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Content Collection (UPnP) (VAIOMediaPlatform-UCLS-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11879 bytes
shahyogi
Active Member
 
Posts: 8
Joined: February 18th, 2010, 8:44 am

Re: Malware Removal "HTTPS Tidserv Request 2"

Unread postby Katana » March 2nd, 2010, 3:15 pm

REMOVE P2P PROGRAMS

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Azureus Vuze

Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected.
The bad guys use P2P filesharing as a major conduit to spread their wares.

Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) NOW.


----------------------------------------------------------------------------------------
Step 1

Download TDSSKiller.zip and extract TDSSKiller.exe to your Desktop.

Double-click TDSSKiller.exe and follow the prompts to run it.

When finished, it will prompt you to press any key.

It will produce a log here > C:\TDSSKiller.2.2.7_date_time_log.txt

Please navigate to the file, double-click to open it, and copy/paste the contents in your next reply.

----------------------------------------------------------------------------------------
Step 2


Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply.
  • Re-enable all the programs that were disabled during the running of ComboFix.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.

For instructions on how to disable your security programs, please see this topic
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs


----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large; you may need to split them over a couple of replies.
  • TDSSKiller Log
  • Combofix Log
  • How are things running now?
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
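
The TDSSKiller log requested in Step 1 lists, for every scanned driver, the 28 IRP_MJ_* dispatch addresses, a per-file verdict, and closing "Results" counters. The helper below is an added example, not part of this post and not TDSSKiller's own code: it parses that layout from a constructed sample (a shortened copy of the log posted later in this thread, with six of the 28 dispatch entries per driver kept) and flags two things a helper reads off such a log by eye, the tool's own "Infected" verdict and a dispatch table in which every entry points at the same address, which is how the hooked atapi table in this thread looks next to the clean ti21sony one. The uniform-table check is only a hint to confirm against the verdict: a few legitimate drivers route every major function through one dispatch routine.

```python
"""Triage a TDSSKiller-style log: per-driver IRP dispatch tables, verdicts
and the closing "Results" counters.  Added example, not TDSSKiller code."""
import re

# Constructed sample in the "<time> <pid> <message>" layout that
# TDSSKiller 2.2.x writes; a shortened copy of the log posted in this
# thread, with only six of the 28 IRP_MJ_* entries per driver kept.
SAMPLE_LOG = r"""
09:59:05:425 4736 Driver Name: ti21sony
09:59:05:425 4736 IRP_MJ_CREATE : 8F1E3196
09:59:05:425 4736 IRP_MJ_CREATE_NAMED_PIPE : 8F1B26B2
09:59:05:425 4736 IRP_MJ_CLOSE : 8F1E3204
09:59:05:425 4736 IRP_MJ_READ : 8F1E340C
09:59:05:425 4736 IRP_MJ_WRITE : 8F1E365E
09:59:05:425 4736 IRP_MJ_QUERY_INFORMATION : 8F1B26B2
09:59:05:455 4736 C:\Windows\system32\drivers\ti21sony.sys - Verdict: Clean
09:59:05:455 4736 Driver Name: atapi
09:59:05:455 4736 IRP_MJ_CREATE : 859C781A
09:59:05:455 4736 IRP_MJ_CREATE_NAMED_PIPE : 859C781A
09:59:05:455 4736 IRP_MJ_CLOSE : 859C781A
09:59:05:455 4736 IRP_MJ_READ : 859C781A
09:59:05:455 4736 IRP_MJ_WRITE : 859C781A
09:59:05:456 4736 IRP_MJ_QUERY_INFORMATION : 859C781A
09:59:05:457 4736 Driver "atapi" Irp handler infected by TDSS rootkit ... 09:59:05:458 4736 cured
09:59:05:474 4736 C:\Windows\system32\drivers\atapi.sys - Verdict: Infected
09:59:11:198 4736 Reboot required for cure complete..
09:59:11:410 4736 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
09:59:11:410 4736 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
09:59:11:411 4736 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3})\s+(\d+)\s+(.*)$")
DRIVER_RE = re.compile(r"^Driver Name: (\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_\w+)\s*:\s*([0-9A-Fa-f]{8})$")
VERDICT_RE = re.compile(r"^(?P<path>.+?) - Verdict: (?P<verdict>\w+)$")
RESULT_RE = re.compile(
    r"^(?P<kind>Memory|Registry|File) objects infected / cured / cured on reboot: "
    r"(\d+) / (\d+) / (\d+)$")


def parse_log(text):
    """Return drivers (name -> handlers/verdict/path), result counters and
    whether the tool asked for a reboot to finish the cure."""
    drivers, results, current, reboot = {}, {}, None, False
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines and lines without a message body
        msg = m.group(3).strip()
        dm = DRIVER_RE.match(msg)
        if dm:  # a new per-driver block starts here
            current = {"handlers": {}, "verdict": None, "path": None}
            drivers[dm.group(1)] = current
            continue
        im = IRP_RE.match(msg)
        if im and current is not None:
            current["handlers"][im.group(1)] = im.group(2).upper()
            continue
        vm = VERDICT_RE.match(msg)
        if vm and current is not None:
            current["verdict"], current["path"] = vm.group("verdict"), vm.group("path")
            continue
        rm = RESULT_RE.match(msg)
        if rm:  # (infected, cured, cured on reboot)
            results[rm.group("kind").lower()] = tuple(int(x) for x in rm.groups()[1:])
            continue
        if msg.startswith("Reboot required"):
            reboot = True
    return {"drivers": drivers, "results": results, "reboot_required": reboot}


def uniform_dispatch(handlers, minimum=6):
    """True when every recorded IRP_MJ_* entry resolves to one address.
    A clean driver usually shares one stub only among the majors it does
    not support (ti21sony above); a table where CREATE, READ, WRITE and
    the rest all collapse to a single address is worth a second look."""
    return len(handlers) >= minimum and len(set(handlers.values())) == 1


def triage(text):
    """Summarise what a helper would pull out of the log."""
    parsed = parse_log(text)
    findings = []
    for name, d in parsed["drivers"].items():
        flags = []
        if d["verdict"] and d["verdict"].lower() != "clean":
            flags.append("verdict=" + d["verdict"])
        if uniform_dispatch(d["handlers"]):
            flags.append("uniform dispatch table -> " + next(iter(d["handlers"].values())))
        if flags:
            findings.append((name, d["path"], flags))
    pending = sum(r[2] for r in parsed["results"].values())
    return {"findings": findings, "pending_on_reboot": pending,
            "reboot_required": parsed["reboot_required"]}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for name, path, flags in summary["findings"]:
        print(name, path, ", ".join(flags))
    print("objects still to be cured on reboot:", summary["pending_on_reboot"],
          "| reboot required:", summary["reboot_required"])
```

Run against the sample it reports atapi only, with both the tool's verdict and the single-address table, and one file object still waiting on the reboot, which is the cue that the machine must be restarted before the next log is worth reading.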

Re: Malware Removal "HTTPS Tidserv Request 2"

Unread postby shahyogi » March 3rd, 2010, 2:50 am

09:59:02:990 4736 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
09:59:02:991 4736 ================================================================================
09:59:02:991 4736 SystemInfo:

09:59:02:991 4736 OS Version: 6.0.6002 ServicePack: 2.0
09:59:02:991 4736 Product type: Workstation
09:59:02:991 4736 ComputerName: YS
09:59:02:992 4736 UserName: YoG!
09:59:02:992 4736 Windows directory: C:\Windows
09:59:02:992 4736 Processor architecture: Intel x86
09:59:02:992 4736 Number of processors: 2
09:59:02:992 4736 Page size: 0x1000
09:59:02:995 4736 Boot type: Normal boot
09:59:02:996 4736 ================================================================================
09:59:03:005 4736 UnloadDriverW: NtUnloadDriver error 2
09:59:03:005 4736 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
09:59:03:718 4736 Initialize success
09:59:03:718 4736
09:59:03:718 4736 Scanning Services ...
09:59:03:719 4736 wfopen_ex: Trying to open file C:\Windows\system32\config\system
09:59:03:719 4736 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
09:59:03:719 4736 wfopen_ex: Trying to KLMD file open
09:59:03:719 4736 wfopen_ex: File opened ok (Flags 2)
09:59:03:734 4736 wfopen_ex: Trying to open file C:\Windows\system32\config\software
09:59:03:734 4736 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
09:59:03:734 4736 wfopen_ex: Trying to KLMD file open
09:59:03:734 4736 wfopen_ex: File opened ok (Flags 2)
09:59:05:412 4736 GetAdvancedServicesInfo: Raw services enum returned 505 services
09:59:05:423 4736 fclose_ex: Trying to close file C:\Windows\system32\config\system
09:59:05:424 4736 fclose_ex: Trying to close file C:\Windows\system32\config\software
09:59:05:424 4736
09:59:05:424 4736 Scanning Kernel memory ...
09:59:05:425 4736 Devices to scan: 2
09:59:05:425 4736
09:59:05:425 4736 Driver Name: ti21sony
09:59:05:425 4736 IRP_MJ_CREATE : 8F1E3196
09:59:05:425 4736 IRP_MJ_CREATE_NAMED_PIPE : 8F1B26B2
09:59:05:425 4736 IRP_MJ_CLOSE : 8F1E3204
09:59:05:425 4736 IRP_MJ_READ : 8F1E340C
09:59:05:425 4736 IRP_MJ_WRITE : 8F1E365E
09:59:05:425 4736 IRP_MJ_QUERY_INFORMATION : 8F1B26B2
09:59:05:426 4736 IRP_MJ_SET_INFORMATION : 8F1B26B2
09:59:05:426 4736 IRP_MJ_QUERY_EA : 8F1B26B2
09:59:05:426 4736 IRP_MJ_SET_EA : 8F1B26B2
09:59:05:426 4736 IRP_MJ_FLUSH_BUFFERS : 8F1E32FE
09:59:05:426 4736 IRP_MJ_QUERY_VOLUME_INFORMATION : 8F1B26B2
09:59:05:426 4736 IRP_MJ_SET_VOLUME_INFORMATION : 8F1B26B2
09:59:05:426 4736 IRP_MJ_DIRECTORY_CONTROL : 8F1B26B2
09:59:05:426 4736 IRP_MJ_FILE_SYSTEM_CONTROL : 8F1B26B2
09:59:05:426 4736 IRP_MJ_DEVICE_CONTROL : 8F1E3248
09:59:05:426 4736 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8F1E3272
09:59:05:426 4736 IRP_MJ_SHUTDOWN : 8F1E34D2
09:59:05:426 4736 IRP_MJ_LOCK_CONTROL : 8F1B26B2
09:59:05:426 4736 IRP_MJ_CLEANUP : 8F1E30FC
09:59:05:426 4736 IRP_MJ_CREATE_MAILSLOT : 8F1B26B2
09:59:05:426 4736 IRP_MJ_QUERY_SECURITY : 8F1B26B2
09:59:05:426 4736 IRP_MJ_SET_SECURITY : 8F1B26B2
09:59:05:426 4736 IRP_MJ_POWER : 8F1E3364
09:59:05:426 4736 IRP_MJ_SYSTEM_CONTROL : 8F1E3596
09:59:05:426 4736 IRP_MJ_DEVICE_CHANGE : 8F1B26B2
09:59:05:426 4736 IRP_MJ_QUERY_QUOTA : 8F1B26B2
09:59:05:426 4736 IRP_MJ_SET_QUOTA : 8F1B26B2
09:59:05:446 4736 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
09:59:05:446 4736 sion
09:59:05:455 4736 C:\Windows\system32\drivers\ti21sony.sys - Verdict: Clean
09:59:05:455 4736
09:59:05:455 4736 Driver Name: atapi
09:59:05:455 4736 IRP_MJ_CREATE : 859C781A
09:59:05:455 4736 IRP_MJ_CREATE_NAMED_PIPE : 859C781A
09:59:05:455 4736 IRP_MJ_CLOSE : 859C781A
09:59:05:455 4736 IRP_MJ_READ : 859C781A
09:59:05:455 4736 IRP_MJ_WRITE : 859C781A
09:59:05:456 4736 IRP_MJ_QUERY_INFORMATION : 859C781A
09:59:05:456 4736 IRP_MJ_SET_INFORMATION : 859C781A
09:59:05:456 4736 IRP_MJ_QUERY_EA : 859C781A
09:59:05:456 4736 IRP_MJ_SET_EA : 859C781A
09:59:05:456 4736 IRP_MJ_FLUSH_BUFFERS : 859C781A
09:59:05:456 4736 IRP_MJ_QUERY_VOLUME_INFORMATION : 859C781A
09:59:05:456 4736 IRP_MJ_SET_VOLUME_INFORMATION : 859C781A
09:59:05:456 4736 IRP_MJ_DIRECTORY_CONTROL : 859C781A
09:59:05:456 4736 IRP_MJ_FILE_SYSTEM_CONTROL : 859C781A
09:59:05:456 4736 IRP_MJ_DEVICE_CONTROL : 859C781A
09:59:05:456 4736 IRP_MJ_INTERNAL_DEVICE_CONTROL : 859C781A
09:59:05:456 4736 IRP_MJ_SHUTDOWN : 859C781A
09:59:05:456 4736 IRP_MJ_LOCK_CONTROL : 859C781A
09:59:05:456 4736 IRP_MJ_CLEANUP : 859C781A
09:59:05:456 4736 IRP_MJ_CREATE_MAILSLOT : 859C781A
09:59:05:456 4736 IRP_MJ_QUERY_SECURITY : 859C781A
09:59:05:456 4736 IRP_MJ_SET_SECURITY : 859C781A
09:59:05:456 4736 IRP_MJ_POWER : 859C781A
09:59:05:456 4736 IRP_MJ_SYSTEM_CONTROL : 859C781A
09:59:05:456 4736 IRP_MJ_DEVICE_CHANGE : 859C781A
09:59:05:456 4736 IRP_MJ_QUERY_QUOTA : 859C781A
09:59:05:456 4736 IRP_MJ_SET_QUOTA : 859C781A
09:59:05:457 4736 ihd: 4, FFDF0308, 333, 121, 3, 109, 1
09:59:05:457 4736 Driver "atapi" Irp handler infected by TDSS rootkit ... 09:59:05:458 4736 cured
09:59:05:459 4736 siohd: 1
09:59:05:459 4736 Driver "atapi" StartIo handler infected by TDSS rootkit ... 09:59:05:459 4736 cured
09:59:05:474 4736 C:\Windows\system32\drivers\atapi.sys - Verdict: Infected
09:59:05:474 4736 File C:\Windows\system32\drivers\atapi.sys infected by TDSS rootkit ... 09:59:05:475 4736 Processing driver file: C:\Windows\system32\drivers\atapi.sys
09:59:07:551 4736 vfvi6
09:59:07:791 4736 dsvbh1
09:59:10:909 4736 fdfb1
09:59:10:909 4736 Backup copy found, using it..
09:59:11:198 4736 will be cured on next reboot
09:59:11:198 4736 Reboot required for cure complete..
09:59:11:408 4736 Cure on reboot scheduled successfully
09:59:11:408 4736
09:59:11:409 4736 Completed
09:59:11:409 4736
09:59:11:409 4736 Results:
09:59:11:410 4736 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
09:59:11:410 4736 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
09:59:11:411 4736 File objects infected / cured / cured on reboot: 1 / 0 / 1
09:59:11:413 4736
09:59:11:413 4736 UnloadDriverW: NtUnloadDriver error 1
09:59:11:413 4736 KLMD_Unload: UnloadDriverW(klmd21) error 1
09:59:11:419 4736 KLMD(ARK) unloaded successfully


____________


ComboFix 10-03-02.02 - YoG! 03-03-2010 11:49:22.1.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.91.1033.18.3069.1910 [GMT 5.5:30]
Running from: c:\users\YoG!\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1616490093-2566343142-1035564614-500
c:\$recycle.bin\S-1-5-21-4222846610-1205131765-3165888219-500
c:\$recycle.bin\S-1-5-21-918056312-2952985149-2686913973-500
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\users\YoG!\Documents\REgbackup.reg
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\stacsv.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

----- BITS: Possible infected sites -----

hxxp://liveupdate.symantec.com
hxxp://definitions.symantec.com
.
((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))
.

2010-03-03 06:32 . 2010-03-03 06:32 -------- d-----w- c:\users\YoG!\AppData\Local\temp
2010-03-03 06:05 . 2009-11-17 00:51 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100224.002\Scxpx86.dll
2010-03-03 06:05 . 2009-11-17 00:51 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100224.002\IDSxpx86.dll
2010-03-03 06:05 . 2009-11-17 00:51 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100224.002\IDSXpx86.sys
2010-03-03 06:05 . 2009-11-17 00:51 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100224.002\IDSviA64.sys
2010-03-03 06:05 . 2009-11-17 00:51 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100224.002\IDSvix86.sys
2010-03-03 06:04 . 2010-03-01 19:30 84912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100302.025\NAVENG.SYS
2010-03-03 06:04 . 2010-03-01 19:30 177520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100302.025\NAVENG32.DLL
2010-03-03 06:04 . 2010-03-01 19:30 1647984 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100302.025\NAVEX32A.DLL
2010-03-03 06:04 . 2010-03-01 19:30 1324720 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100302.025\NAVEX15.SYS
2010-03-03 06:04 . 2010-03-01 19:30 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100302.025\EECTRL.SYS
2010-03-03 06:04 . 2010-03-01 19:30 2747440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100302.025\CCERASER.DLL
2010-03-03 06:04 . 2010-03-01 19:30 259440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100302.025\ECMSVR32.DLL
2010-03-03 06:04 . 2010-03-01 19:30 102448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100302.025\ERASER.SYS
2010-03-03 06:00 . 2009-12-10 03:16 784752 ----a-r- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\components\coFFPlgn.dll
2010-03-03 05:42 . 2009-11-17 00:51 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\BinHub\IDSvia64.sys
2010-03-03 05:42 . 2009-11-17 00:51 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\BinHub\IDSvix86.sys
2010-03-03 05:42 . 2009-11-17 00:51 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\BinHub\IDSxpx86.sys
2010-03-03 05:42 . 2009-11-17 00:51 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\BinHub\scxpx86.dll
2010-03-03 05:42 . 2009-12-08 02:21 1117040 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\OCS\hsplayer.dll
2010-03-03 05:42 . 2009-11-17 00:51 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\BinHub\idsxpx86.dll
2010-03-03 05:42 . 2009-11-17 00:51 164216 ----a-r- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
2010-03-03 05:42 . 2009-12-17 07:10 893296 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\CLT\cltLMSx.dll
2010-03-03 05:01 . 2010-03-03 05:01 -------- d-----r- c:\program files\Norton Support
2010-02-24 04:29 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-19 09:56 . 2010-02-19 10:11 -------- d-----w- c:\users\YoG!\AppData\Roaming\GeoVid
2010-02-19 09:56 . 2005-06-07 09:41 60416 ----a-w- c:\windows\system32\dsetup.dll
2010-02-19 09:55 . 2010-02-19 09:55 -------- d-----w- c:\program files\Common Files\GeoVid
2010-02-19 04:22 . 2010-02-19 04:22 -------- d-----w- c:\program files\Trend Micro
2010-02-19 04:15 . 2010-02-19 04:14 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-02-19 04:15 . 2010-02-19 04:14 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-02-18 11:15 . 2010-03-03 05:48 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-18 11:15 . 2010-03-03 05:48 -------- d-----w- c:\program files\Symantec
2010-02-18 11:14 . 2010-03-03 05:58 -------- d-----w- c:\windows\system32\drivers\N360
2010-02-18 11:14 . 2010-02-18 11:15 -------- d-----w- c:\program files\Norton 360
2010-02-18 11:14 . 2010-02-18 11:14 -------- d-----w- c:\program files\NortonInstaller
2010-02-17 10:19 . 2010-02-17 10:19 369599514 ----a-w- C:\SYM_REGISTRY_BACKUP.reg
2010-02-17 05:19 . 2010-02-17 05:19 52224 ----a-w- c:\users\YoG!\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-17 05:19 . 2010-02-19 11:23 117760 ----a-w- c:\users\YoG!\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-17 05:17 . 2010-03-03 18:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-17 05:17 . 2010-02-17 05:17 -------- d-----w- c:\users\YoG!\AppData\Roaming\SUPERAntiSpyware.com
2010-02-17 05:16 . 2010-02-17 05:16 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-16 15:06 . 2010-02-16 15:06 -------- d-----w- c:\users\YoG!\AppData\Local\ICS
2010-02-16 11:17 . 2010-02-16 11:17 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-02-16 11:16 . 2010-02-16 11:16 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-02-16 11:16 . 2010-02-16 11:16 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-02-16 11:14 . 2010-02-16 11:14 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-02-16 11:11 . 2010-02-16 11:11 -------- d-----w- c:\program files\Microsoft Analysis Services
2010-02-16 11:09 . 2010-02-16 11:09 -------- d-----r- C:\MSOCache
2010-02-11 18:44 . 2010-02-11 18:44 201616 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100211.001\BHRules.dll
2010-02-11 18:44 . 2010-02-11 18:44 1406352 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100211.001\BHEngine.dll
2010-02-11 18:44 . 2010-02-11 18:44 676912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100211.001\BHDrvx64.sys
2010-02-11 18:44 . 2010-02-11 18:44 536112 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100211.001\BHDrvx86.sys
2010-02-11 18:44 . 2010-02-11 18:44 611216 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100211.001\bbRGen.dll
2010-02-10 04:42 . 2009-12-04 15:56 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-10 04:42 . 2009-12-04 15:56 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-10 04:42 . 2009-12-11 11:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-10 04:42 . 2009-12-11 11:43 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-10 04:42 . 2009-12-08 20:01 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-10 04:42 . 2009-12-08 20:01 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-10 04:42 . 2009-12-08 20:01 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-10 04:42 . 2009-12-08 17:26 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-02-10 04:41 . 2009-12-04 18:29 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-02-10 04:41 . 2009-12-04 18:28 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-10 04:41 . 2009-12-04 18:30 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-10 04:41 . 2009-12-04 18:28 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-02-10 04:41 . 2009-12-04 18:28 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-02-10 04:41 . 2009-12-04 18:28 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-02-10 04:41 . 2009-12-04 18:28 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-02-10 04:41 . 2009-12-04 18:28 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-02-10 04:41 . 2009-12-04 18:27 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-02-06 09:13 . 2010-02-06 09:13 -------- d-----w- c:\program files\iPod
2010-02-06 09:13 . 2010-02-06 09:14 -------- d-----w- c:\program files\iTunes
2010-02-06 09:06 . 2010-02-06 09:06 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-03 10:44 . 2010-02-03 10:46 -------- d-----w- c:\users\YoG!\AppData\Local\Deployment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-03 18:17 . 2006-11-02 07:25 673088 ----a-w- c:\windows\system32\mlang.dat
2010-03-03 18:11 . 2008-04-12 06:58 -------- d-----w- c:\programdata\FLEXnet
2010-03-03 18:11 . 2008-01-31 12:30 -------- d-----w- c:\programdata\Microsoft Help
2010-03-03 18:11 . 2008-11-12 09:29 -------- d-----r- c:\program files\Skype
2010-03-03 18:11 . 2007-10-06 19:28 -------- d-----w- c:\program files\Protector Suite QL
2010-03-03 18:11 . 2008-01-31 12:43 -------- d-----w- c:\program files\Microsoft Works
2010-03-03 18:11 . 2009-03-17 12:08 -------- d-----w- c:\program files\Common Files\Skype
2010-03-03 18:11 . 2007-11-17 14:39 -------- d-----w- c:\program files\Azureus
2010-03-03 18:11 . 2007-03-26 22:39 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-03 05:53 . 2007-11-07 19:32 12 ----a-w- c:\windows\bthservsdp.dat
2010-03-03 05:52 . 2009-04-13 08:01 -------- d-----w- c:\programdata\Norton
2010-03-03 05:48 . 2010-02-18 11:15 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-03 05:48 . 2010-02-18 11:15 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-25 17:55 . 2007-10-08 05:27 7728 ----a-w- c:\users\YoG!\AppData\Local\d3d9caps.dat
2010-02-24 11:10 . 2008-11-03 10:03 952 --sha-w- c:\programdata\KGyGaAvL.sys
2010-02-24 11:10 . 2008-11-03 10:03 952 --sha-w- c:\programdata\KGyGaAvL.sys
2010-02-24 03:46 . 2009-10-28 04:28 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 12:32 . 2007-11-17 14:43 -------- d-----w- c:\users\YoG!\AppData\Roaming\Azureus
2010-02-19 10:03 . 2008-04-22 05:13 -------- d-----w- c:\program files\MSECache
2010-02-19 04:15 . 2009-04-13 08:02 -------- d-----w- c:\programdata\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2010-02-18 11:14 . 2009-04-13 07:44 -------- d-----w- c:\programdata\NortonInstaller
2010-02-18 11:06 . 2006-11-02 08:19 1024 ----a-w- c:\windows\system32\NOISE.DAT
2010-02-18 11:04 . 2006-11-02 06:43 1024 ----a-w- c:\windows\system32\drivers\gmreadme.txt
2010-02-18 10:27 . 2009-08-29 12:12 -------- d-----w- c:\users\YoG!\AppData\Roaming\mjusbsp
2010-02-17 09:23 . 2009-04-17 09:57 -------- d-----w- c:\users\YoG!\AppData\Roaming\GetRightToGo
2010-02-16 11:37 . 2007-10-06 00:46 114776 ----a-w- c:\users\YoG!\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-16 11:19 . 2006-11-02 12:37 -------- d-----w- c:\program files\MSBuild
2010-02-16 11:16 . 2007-10-06 19:15 -------- d-----w- c:\program files\Microsoft.NET
2010-02-06 12:20 . 2007-03-26 20:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-06 11:40 . 2007-03-26 22:31 -------- d-----w- c:\programdata\Sony Corporation
2010-02-06 11:38 . 2007-03-26 21:09 -------- d-----w- c:\program files\Sony
2010-02-06 09:13 . 2009-12-30 15:16 -------- d-----w- c:\program files\Common Files\Apple
2010-02-06 07:32 . 2007-03-26 22:41 318658 ----a-w- c:\windows\system32\prfh0404.dat
2010-02-06 07:32 . 2007-03-26 22:41 117248 ----a-w- c:\windows\system32\prfc0404.dat
2010-01-21 04:00 . 2009-04-21 10:34 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-13 09:43 . 2010-01-13 09:43 -------- d-----w- c:\program files\Skyhook Wireless
2010-01-13 04:50 . 2010-01-13 04:50 -------- d-----w- c:\program files\MetaGeek
2010-01-12 13:05 . 2010-01-12 13:05 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-01-12 13:01 . 2007-11-22 13:27 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-04 09:05 . 2007-11-10 06:06 -------- d-----w- c:\users\YoG!\AppData\Roaming\Apple Computer
2010-01-02 06:38 . 2010-01-22 04:47 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 04:47 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-22 04:47 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-22 04:47 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2008-05-09 10:31 . 2008-05-09 10:31 608 --sha-w- c:\windows\System32\winzvprt5.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
2009-04-08 10:35 739688 ----a-w- c:\progra~1\MICROS~2\Office14\URLREDIR.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-11-29 11:43 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-11-29 11:43 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 08:51 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-11-29 11:30 90112 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-11-24 17:36 73728 ----a-w- c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WordWeb.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WordWeb.lnk
backup=c:\windows\pss\WordWeb.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 11:14 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):c6,19,b6,58,34,38,ca,01

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\System32\drivers\shpf.sys [27-03-2007 01:21 12416]
R0 SymDS;Symantec Data Store;c:\windows\System32\drivers\N360\0400000.07F\SymDS.sys [03-03-2010 11:12 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\N360\0400000.07F\SymEFA.sys [03-03-2010 11:12 172592]
R1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100211.001\BHDrvx86.sys [12-02-2010 00:14 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\N360\0400000.07F\cchpx86.sys [03-03-2010 11:12 501888]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100224.002\IDSvix86.sys [03-03-2010 11:35 343088]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05-01-2010 07:56 9968]
R1 SymIRON;Symantec Iron Driver;c:\windows\System32\drivers\N360\0400000.07F\Ironx86.sys [03-03-2010 11:12 116272]
R1 SYMTDIV;Symantec Vista Network Dispatch Driver;c:\windows\System32\drivers\N360\0400000.07F\symtdiv.sys [03-03-2010 11:12 340016]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [27-05-2009 03:27 29262680]
R2 MSSQL$VAIO_VEDB;SQL Server (VAIO_VEDB);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [27-05-2009 03:27 29262680]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe [03-03-2010 11:12 126392]
R2 osppsvc;Office Software Protection Platform;c:\windows\System32\OSPPSVC.EXE [08-04-2009 15:37 4319136]
R2 sprtsvc_nxpclient;SupportSoft Sprocket Service (nxpclient);c:\program files\Airtel\NetXpert\bin\sprtsvc.exe [25-12-2007 16:54 202800]
R3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\System32\drivers\R5U870FLx86.sys [27-03-2007 01:22 73472]
R3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\System32\drivers\R5U870FUx86.sys [27-03-2007 01:22 43904]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\System32\drivers\SonyImgF.sys [27-03-2007 01:21 30976]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\System32\drivers\SonyPI.sys [27-03-2007 01:22 33792]
R3 ti21sony;ti21sony;c:\windows\System32\drivers\ti21sony.sys [27-03-2007 01:22 227328]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [29-01-2009 11:40 81920]
S2 Cleaning Service;Cleaning Service;c:\progra~1\QUICKH~1\QUICKH~1\ntclnsrv.exe --> c:\progra~1\QUICKH~1\QUICKH~1\ntclnsrv.exe [?]
S3 AKSUP;AKSUP;c:\windows\System32\drivers\aksup.sys [14-05-2008 17:00 32472]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [25-04-2009 18:18 33480048]
S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\Sony\VAIO Media Integrated Server\UCLS.exe [07-10-2007 00:53 745472]
S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe [07-10-2007 00:49 397312]
S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [07-10-2007 00:49 1089536]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SYMDS
*NewlyCreated* - SYMIRON
*NewlyCreated* - SYMTDIV
*Deregistered* - SymIM

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2010-03-03 c:\windows\Tasks\User_Feed_Synchronization-{9FF92967-C978-45C6-A00A-7FE7D89AD7E8}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.in/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: S&end to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: {A0CD60BB-AC96-44A1-8B5E-E8B64A947E28} = 218.248.255.145,218.248.255.193
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocach ... .0.1.1.cab
.
.
------- File Associations -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.
- - - - ORPHANS REMOVED - - - -

BHO-{02C7D6E9-9C2D-4073-81E5-280E33574D59} - (no file)
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
MSConfigStartUp-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Nero\Lib\NeroCheck.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-03 12:02
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.0.0.127\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(840)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
.
Completion time: 2010-03-03 12:08:20
ComboFix-quarantined-files.txt 2010-03-03 06:38

Pre-Run: 25,505,529,856 bytes free
Post-Run: 24,200,060,928 bytes free

- - End Of File - - 9278DAB6E43ECD57303B9FD94A4412A9
shahyogi
Active Member
 
Posts: 8
Joined: February 18th, 2010, 8:44 am
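An added check, not part of shahyogi's post or of the ComboFix log: two lines in the log above belong together, "Notification Packages REG_MULTI_SZ scecli psqlpwd" and psqlpwd.dll listed under the DLLs loaded in lsass.exe. Notification Packages names DLLs that lsass.exe loads at boot and calls on every password change, so an unexpected entry there is both a persistence hook and a plaintext-password capture point. Here psqlpwd.dll sits beside Protector Suite QL's own DLLs, the laptop's fingerprint-logon software, which is why a helper would treat it as expected. The PowerShell below (assumes PowerShell 3.0 or later and an elevated prompt; the allow list is an assumption for this machine) reports each package, whether its DLL exists under System32, whether it carries a valid Authenticode signature, and whether lsass.exe currently has it loaded.

```powershell
# Added example (not from the thread). Audits the LSA Notification Packages list
# and cross-checks it against the DLLs lsass.exe actually has loaded.
# Assumes PowerShell 3.0+ and an elevated prompt.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Assumption for this machine: 'scecli' is the Windows default; 'psqlpwd' is the
# Protector Suite QL (fingerprint logon) password filter seen in the log above.
$allowList = @('scecli', 'psqlpwd')

function Get-NotificationPackageReport {
    param([string[]]$Allowed = $allowList)

    $packages = (Get-ItemProperty -LiteralPath $lsaKey -Name 'Notification Packages').'Notification Packages'

    # What lsass.exe has loaded right now; needs admin, otherwise we report 'unknown'.
    $loaded = @()
    try {
        $loaded = (Get-Process -Name lsass -ErrorAction Stop).Modules | ForEach-Object { $_.ModuleName.ToLower() }
    } catch { $loaded = $null }

    foreach ($name in $packages) {
        if ([string]::IsNullOrWhiteSpace($name)) { continue }
        # Entries are bare module names; LSA resolves them from System32.
        $dll    = "$name.dll"
        $path   = Join-Path $env:SystemRoot "System32\$dll"
        $exists = Test-Path -LiteralPath $path
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status.ToString() } else { 'Missing' }
        $inLsass = if ($null -eq $loaded) { 'unknown' } else { $loaded -contains $dll.ToLower() }

        [pscustomobject]@{
            Package       = $name
            Path          = $path
            OnAllowList   = $Allowed -contains $name
            Signature     = $sig
            LoadedInLsass = $inLsass
            # Anything not on the allow list, missing on disk, or not validly signed deserves a look.
            Review        = (-not ($Allowed -contains $name)) -or (-not $exists) -or ($sig -ne 'Valid')
        }
    }
}

Get-NotificationPackageReport | Format-Table -AutoSize
```

A package that is on disk and signed but absent from the allow list is still worth identifying before clearing it: legitimate third-party entries (fingerprint readers, password-sync agents) are common, but so are filter DLLs dropped by malware that then survive a reboot.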

Re: Malware Removal "HTTPS Tidserv Request 2"

Unread postby Katana » March 3rd, 2010, 5:29 am

Information

That's looking better, how are things running now ?


Azureus Vuze

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

List programs here

Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected.
The bad guys use P2P filesharing as a major conduit to spread their wares.

Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) NOW.


----------------------------------------------------------------------------------------
Step 1

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If requested, please reboot
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

----------------------------------------------------------------------------------------
Step 2

Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)

NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partne ... bscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.
  • MalwareBytes Log
  • Kaspersky log
  • How are things running now ?



---------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------
Additional Notes



Your Java and Adobe are out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java and Adobe components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) from HERE
  • Scroll down to where it says "Java SE Runtime Environment (JRE)".
  • Click the "Download" button to the right.
    • Platform = Windows
    • Language = Multi Language
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.

Update Adobe Acrobat Reader
Adobe Reader is a large program and uses unnecessary space.
If you prefer a smaller program you can get Foxit 3.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended

  • Please go to this link Adobe Acrobat Reader Download Link
  • Click Download
  • On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

Now close all windows, including your browser.
Double click on the Java installation that you downloaded and follow the prompts.

Remove Programs
Now click Start---Control Panel. Double click Add or Remove Programs. If any of the following programs are listed there,
click on the program to highlight it, and click on remove.
  • Adobe Reader 8.1.2
  • Java(TM) 6 Update 11
  • Java(TM) 6 Update 3
Now close the Control Panel.

Reboot your machine.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Malware Removal "HTTPS Tidserv Request 2"

Unread postby shahyogi » March 3rd, 2010, 8:28 am

The virus seems to be gone !

I have been running Malwarebytes and Kaspersky; however, it's been three hours now and they are still running. I am being a little impatient because of this.

I have tried to remove Azureus Vuze; however, when I press uninstall from Control Panel >> Remove Programs it gives me an error saying "couldn't load main class". WHAT DO YOU SUGGEST? It doesn't get uninstalled.

I will upload the results of both malware bytes and kaspersky (hope my patience survives). I WOULD LIKE TO KNOW TWO IMPORTANT THINGS IF YOU CAN SUGGEST,

1. SYMANTEC AV IS UP FOR RENEWAL IN 40 DAYS. DO YOU SUGGEST IT'S GOOD TO RENEW IT OR BUY ANY OTHER AV? BECAUSE WHEN I FACED THIS PROBLEM THEY DIDN'T HELP ME; IN FACT THEY ASKED FOR $400 FOR SUPPORT, INSANE!!

2. I HAVE SEVERAL PROGRAMS ON MY LIST WHICH I NEVER USE; THEY ARE FROM SONY, I GUESS. HOW DO I MAKE SURE THAT UNINSTALLING THEM WILL NOT AFFECT SYSTEM PERFORMANCE?

Thanks,
Yogesh

Re: Malware Removal "HTTPS Tidserv Request 2"

Unread postby shahyogi » March 3rd, 2010, 9:16 am

Malwarebytes' Anti-Malware 1.44
Database version: 3817
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

03-03-2010 18:44:09
mbam-log-2010-03-03 (18-44-09).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 294922
Time elapsed: 3 hour(s), 21 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 24
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Worm.Allaple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SystemErrorFixerDownloader (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\YoG!\Links\Downloads\ACT Premium 2010\Sage.ACT.Premium.2010.v12.0.409.0\keygen.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
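The Malwarebytes log above removed six entries under Internet Explorer\Low Rights\ElevationPolicy, all tagged Adware.MyWebSearch. That key is how IE Protected Mode decides what a low-integrity tab may start: a Policy value of 3 means "silently launch this program at medium integrity", so adware registers its own executables there to get out of the browser sandbox without a prompt. The PowerShell below is an added example, not part of the thread, that lists every entry with its target, policy and signature so the odd ones stand out. It assumes PowerShell 3.0 or later and reads both the native and the Wow6432Node view of the key; the label names for the four policy values are my own shorthand for the documented meanings.

```powershell
# Added example (not from the thread). Lists IE Protected Mode elevation-policy
# entries and flags silent medium-integrity launches of unsigned or missing targets.
$policyRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy'
)
# Documented Policy values: 0 block, 1 launch low, 2 prompt, 3 launch medium silently.
$policyNames = @{ 0 = 'Block'; 1 = 'SilentLowIntegrity'; 2 = 'Prompt'; 3 = 'SilentMediumIntegrity' }

function Get-ElevationPolicyReport {
    foreach ($root in $policyRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $p = Get-ItemProperty -LiteralPath $key.PSPath

            # An entry names either an executable (AppPath + AppName) or a COM class (CLSID).
            $target = $null
            if ($p.AppPath -and $p.AppName) { $target = Join-Path $p.AppPath $p.AppName }

            $sig = 'n/a'
            if ($target) {
                $sig = if (Test-Path -LiteralPath $target) {
                    (Get-AuthenticodeSignature -FilePath $target).Status.ToString()
                } else { 'Missing' }
            }

            $policy = if ($null -eq $p.Policy) { -1 } else { [int]$p.Policy }
            $label  = if ($policyNames.ContainsKey($policy)) { $policyNames[$policy] } else { "Unknown($policy)" }

            [pscustomobject]@{
                Guid      = $key.PSChildName
                Target    = if ($target) { $target } elseif ($p.CLSID) { "CLSID $($p.CLSID)" } else { '(none)' }
                Policy    = $label
                Signature = $sig
                # The adware pattern: silent medium-integrity launch of something not validly signed.
                Review    = ($policy -eq 3) -and ($sig -ne 'Valid')
            }
        }
    }
}

Get-ElevationPolicyReport | Sort-Object Review -Descending | Format-Table -AutoSize
```

Expect plenty of legitimate Microsoft entries with Policy 3; the ones to chase are rows where the target is missing on disk (the program was removed but its elevation grant was not) or points at an unsigned executable under a user profile or Program Files folder you do not recognise.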

Re: Malware Removal "HTTPS Tidserv Request 2"

Unread postby Katana » March 7th, 2010, 5:08 am

Hi shahyogi,

Do you have the Kaspersky Log ?

Re: Malware Removal "HTTPS Tidserv Request 2"

Unread postby shahyogi » March 9th, 2010, 7:46 am

No

I don't think it would be needed now, as I formatted c drive.

Re: Malware Removal "HTTPS Tidserv Request 2"

Unread postby Katana » March 9th, 2010, 6:20 pm

shahyogi wrote:I don't think it would be needed now, as I formatted c drive.

I wasn't aware of that.
The following is some info to help you stay safe and clean.

You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partne ... bscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware
    AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have a free (for Home Users ) and paid versions,
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
  • MalwareBytes Anti-malware <<< A New and effective program
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner

Prevention
    These programs don't detect malware, they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one
  • Winpatrol
    • An excellent startup manager and then some !!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition
  • SpywareBlaster 4.0
    • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections

Internet Browsers
    Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    If you are still using IE6 then either update, or get one of the following.
    • FireFox
      • With many addons available that make customization easy this is a very popular choice
      • NoScript and AdBlockPlus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies
    Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.

    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

    Both of these can be cleaned manually, but a quicker option is to use a program
  • ATF Cleaner
    • Free and very simple to use
  • CCleaner
    • Free and very flexible, you can choose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D

Happy surfing K'

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
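The six Internet Explorer Custom Level settings in Katana's post each map to a numeric URL action under the Internet zone (zone 3) in the registry, which is how they are applied to many machines or checked for drift afterwards. The PowerShell below is an added example, not part of the post, that sets the same six values and reads them back; it assumes PowerShell 3.0 or later and a per-user configuration (the HKCU key). The action codes and the value meanings (0 = Enable, 1 = Prompt, 3 = Disable) are Microsoft's documented ones.

```powershell
# Added example (not from Katana's post). Applies the Internet-zone Custom Level
# settings listed above by registry instead of the dialog, then reads them back.
# Per-user zone settings live under HKCU; 0 = Enable, 1 = Prompt, 3 = Disable.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# URL action codes for the six settings in the list above.
$hardening = [ordered]@{
    '1001' = 1   # Download signed ActiveX controls                          -> Prompt
    '1004' = 3   # Download unsigned ActiveX controls                        -> Disable
    '1201' = 3   # Initialize and script ActiveX controls not marked as safe -> Disable
    '1800' = 1   # Installation of desktop items                             -> Prompt
    '1804' = 1   # Launching programs and files in an IFRAME                 -> Prompt
    '1607' = 1   # Navigate sub-frames across different domains              -> Prompt
}

function Get-InternetZoneDrift {
    # Returns only the settings that differ from the hardened values (a missing value counts as drift).
    $current = Get-ItemProperty -LiteralPath $zoneKey
    foreach ($action in $hardening.Keys) {
        $have = $current.$action
        if ($have -ne $hardening[$action]) {
            [pscustomobject]@{ Action = $action; Current = $have; Wanted = $hardening[$action] }
        }
    }
}

function Set-InternetZoneHardening {
    foreach ($action in $hardening.Keys) {
        Set-ItemProperty -LiteralPath $zoneKey -Name $action -Value $hardening[$action] -Type DWord
    }
}

'Before:'; Get-InternetZoneDrift | Format-Table -AutoSize
Set-InternetZoneHardening
'Remaining drift (should be empty):'; Get-InternetZoneDrift | Format-Table -AutoSize
```

Two caveats: if the machine has the Security_HKLM_only policy set, IE reads zone settings from HKLM instead and the HKCU values are ignored, and a domain Group Policy for the Internet zone will overwrite whatever is set here at the next refresh. After the change IE shows the zone's security level as "Custom", which is expected.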