
https tidserv2 request

Post by k0brs » May 24th, 2010, 8:06 am

Hi, I have been getting these https tidserv requests and now I am getting https tidserv2 requests on my system. These requests are being blocked by my Norton AntiVirus, but I need help removing them from my system. I am running XP SP3. I am also getting redirects with my browsers, both IE 6 and Mozilla. I have attached the log also.
Thanks for any and all help, k0brs

Here is a copy of my HijackThis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:01:55 AM, on 5/24/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Security Suite\Engine\4.1.0.32\ccSvcHst.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\system32\PROMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Norton Security Suite\Engine\4.1.0.32\ccSvcHst.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\SKDAEMON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\Sktempdm.exe
C:\Documents and Settings\Family\My Documents\Webroot\Washer\wwDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WorkPad\HOTSYNC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Juno\bin\juno.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.k99.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.1.0.32\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.1.0.32\IPSBHO.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.1.0.32\coIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Detect Kbd Daemon] SK2000DM.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Window Washer] C:\Documents and Settings\Family\My Documents\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P7 /q C:\DOCUME~1\Family\LOCALS~1\Temp\TEMPOR~1\Content.IE5\WXPT3MV3.SH! C:\DOCUME~1\Family\LOCALS~1\Temp\TEMPOR~1\Content.IE5\KP89AP8D.SH! C:\DOCUME~1\Family\LOCALS~1\Temp\TEMPOR~1\Content.IE5\AX854LED.SH! C:\DOCUME~1\Family\LOCALS~1\Temp\TEMPOR~1\Content.IE5\8ZQLCHSX.SH! C:\DOCUME~1\Family\LOCALS~1\Temp\TEMPOR~1\Content.SH! C:\DOCUME~1\Family\LOCALS~1\Temp\TEMPOR~1.SH! C:\DOCUME~1\Family\LOCALS~1\Temp\History\History.SH! C:\DOCUME~1\Family\LOCALS~1\Temp\History.SH! C:\DOCUME~1\Family\LOCALS~1\Temp\Cookies.SH! C:\DOCUME~1\Family\LOCALS~1\Temp\TEMPOR~1\Content.IE5\H3HN8B25.SH! C:\DOCUME~1\Family\LOCALS~1\Temp\TEMPOR~1\Content.IE5\CPERGEIM.SH! C:\DOCUME~1\Family\LOCALS~1\Temp\TEMPOR~1\Content.IE5\BFXFO07E.SH! C:\DOCUME~1\Family\LOCALS~1\Temp\History\History.IE5\MSHIST~1.SH! C:\DOCUME~1\Family\LOCALS~1\Temp\TEMPOR~1\Content.IE5\U8012I8S.SH! C:\DOCUME~1\Family\LOCALS~1\Temp\TEMPOR~1\Content.IE5\O5QRC5QN.SH! C:\DOCUME~1\Family\LOCALS~1\T
O4 - Global Startup: HotSync Manager.lnk = C:\WorkPad\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/f ... wflash.cab
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\4.1.0.32\ccSvcHst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: WLSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 8847 bytes

Access IBM
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2
Apple Software Update
Audacity 1.2.6
AXIS Media Control
Choice Guard
Comcast High-Speed Internet Install Wizard
CutePDF Writer 2.7
Deluo GPS Diagnostics
DeluoGPS Toolkit 1.2.0.1
Desktop Doctor
eXplorist Wizard
FileZilla Client 3.3.0.1
FT-2800 Programmer
HijackThis 2.0.2
Hitman Pro 3.5
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Customer Participation Program 7.0
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
HP Product Assistant
HP Solution Center 7.0
HP Update
IBM Access Support
IBM DLA
IBM Rapid Access Keyboard (III, IIIe)
IBM Rapid Restore PC Setup
IBM RecordNow
IBM RecordNow Update Manager
IBM Update Connector
Infuzer
Intel(R) Network Connections Drivers
Intel(R) PROSet II
Intellicast Desktop
Java(TM) 6 Update 18
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6
Juno
LADSPA_plugins-win-0.4.15
Malwarebytes' Anti-Malware
MapSend Lite
MapSend Topo 3D USA
McAfee Virtual Technician
MCP-2A (Remove only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Office Converter Pack
Microsoft Office Live Add-in 1.3
Microsoft Office Sounds
Microsoft Office XP Standard
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mouse Suite
Mozilla Firefox (3.6.3)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
Nero 7 Ultra Edition
Norton Security Suite
NVIDIA Drivers
OCR Software by I.R.I.S 7.0
OpenOffice.org 3.0
PCI SoftV92 Modem
QuickTime
RealPlayer
ResumeMaker Professional
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Segoe UI
Shop for HP Supplies
SoundMAX
Spelling Dictionaries Support For Adobe Reader 8
Support.com Software
The Print Shop Ensemble III
The Weather Channel Desktop 6
TravelPlus for Repeaters 11.0
Uninstall PC-Doctor
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
VX-3 Programmer
W6ELProp
WeatherBug
Winamp
Window Washer
Windows Backup Utility
Windows Driver Package - Prolific (ser2plms) Ports (04/28/2004 2.0.0.18)
Windows Driver Package - RT Systems RT CDM Driver Package (10/22/2009 2.06.00)
Windows Driver Package - RT Systems RT CDM Driver Package (10/22/2009 2.06.00)
Windows Imaging Component
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Media Format Runtime
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Messenger
k0brs
Active Member
 
Posts: 9
Joined: May 24th, 2010, 7:46 am

Re: https tidserv2 request

Post by askey127 » May 25th, 2010, 7:36 am

k0brs,
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove :
Choice Guard
Hitman Pro 3.5
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6
Uninstall PC-Doctor
WeatherBug

Take extra care in answering questions posed by any Uninstaller.
----------------------------------------------
Run Temp File Cleaner
Download Temp File Cleaner and save it to your desktop.
Double click to run it. (Right click and Run as Administrator in Vista)
If it asks to Reboot, choose to do so. This will remove files that could not be removed while Windows was running.
After Restart, log back in to your usual account.
--------------------------------------------
TDSSKiller
  • Download the file TDSSKiller.zip and save it on your desktop
  • Extract the file tdsskiller.zip; it will create a folder named tdsskiller on your desktop
  • Double-click the tdsskiller Folder on your desktop.
  • Right-click on tdsskiller.exe and click Copy then Paste it directly on to your Desktop.
  • Highlight and copy (Ctrl+C) the text in the codebox below.
    "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"
  • Click Start, click Run... and paste (Ctrl+V) the text above into the Open: line and click OK.
  • Wait for the scan and disinfection process to be over.
  • Open tdsskiller.txt on your desktop and post the contents in your next reply
------------------------------------------------------------
Please download GMER Rootkit Scanner from Here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
    [screenshot of the GMER option boxes to uncheck omitted]
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Note: Do not run any programs while Gmer is running.

So we are looking for the contents from tdsskiller.txt and the contents of Gmer.txt
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
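GMER output of the kind askey127 asks for above mixes hooks that are expected from security software with the few lines that actually point at a TDSS/TDL3-style infection, which is why the post warns against acting on "<--- ROOTKIT" entries by reflex. As an added example (not part of the thread, and not GMER's or the forum's own code), here is a small Python triage script that walks a GMER log and separates high-confidence indicators (a driver whose entry point was moved into its .rsrc section, a disk device object backed only by an address with no driver file, a driver file flagged as modified) from vendor-attributed hooks and the low-confidence in-memory patches that a helper would compare against a clean system. The sample log is constructed in GMER 1.0.15 format; the rule set, severities and function names are my own choices, not anything GMER defines.

```python
import re
from collections import Counter

# Constructed sample in GMER 1.0.15 log format (illustrative, not the thread's own log);
# file names, hook addresses and vendor strings mirror what GMER prints on a Windows XP box.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT 8723A7E0 ZwAlertResumeThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF56C1210]

---- Kernel code sections - GMER 1.0.15 ----

.text PCIIDEX.SYS!PciIdeXSetBusData + B29 F79E245D 4 Bytes [24, DA, AB, 85]
.rsrc C:\WINDOWS\system32\drivers\symc810.sys entry point in ".rsrc" section [0xF7B809B4]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[164] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A1000A

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \FatCdrom tfsnifs.sys (Direct Access Component/VERITAS Software, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 872E6CEC

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r'^---- (?P<name>.+?) - GMER [\d.]+ ----$')

# Ordered triage rules: (severity, explanation, pattern). First match wins.
# "high"   = lines GMER only prints for tampering: the TDL3/TDSS pattern of a legitimate
#            driver whose entry point was moved into its .rsrc section, a disk device object
#            served by a bare address with no backing file, or a driver file modified on disk.
# "review" = hooks and patches that security software installs all the time; compare them
#            with a clean system of the same patch level before drawing conclusions.
# "info"   = hooks/filters explicitly attributed to a vendor-named driver.
RULES = [
    ("high", "driver entry point inside its .rsrc section (TDL3/TDSS-style driver infection)",
     re.compile(r'^\.rsrc\s+(?P<path>\S+)\s+entry point in "\.rsrc" section')),
    ("high", "disk device object served by a driver object with no backing file (address only)",
     re.compile(r'^Device -> \\Driver\\\w+\s+\\Device\\Harddisk\d+\\DR\d+\s+[0-9A-F]{8}$')),
    ("high", "driver file reported as modified on disk",
     re.compile(r'^File\s+(?P<path>.+?)\s+suspicious modification$')),
    ("info", "SSDT hook attributed to a vendor-named driver (typically security software)",
     re.compile(r'^SSDT\s+\\\?\?\\(?P<path>\S+)\s+\((?P<vendor>[^)]*)\)\s+(?P<func>Zw\w+)')),
    ("review", "SSDT hook pointing at an address with no owning module",
     re.compile(r'^SSDT\s+[0-9A-F]{8}\s+(?P<func>Zw\w+)$')),
    ("review", "in-memory patch of a kernel code section (frequently benign; diff against a clean system)",
     re.compile(r'^(\.text|PAGE)\s+\S+!\S+ \+ [0-9A-F]+\s+[0-9A-F]{8}\s+\d+ Bytes')),
    ("review", "user-mode inline JMP hook inside a process (often AV/sandboxing; confirm the owner)",
     re.compile(r'^\.text\s+(?P<proc>.+?)\[\d+\]\s+\S+!\S+\s+[0-9A-F]{8}\s+\d+ Bytes\s+JMP')),
    ("info", "filter device attached by a vendor-named driver",
     re.compile(r'^AttachedDevice\s+.+\((?P<vendor>[^)]*)\)$')),
]


def triage_gmer(log_text):
    """Classify every non-empty, non-header line of a GMER log; nothing is dropped."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        for severity, label, pattern in RULES:
            if pattern.match(line):
                findings.append({"severity": severity, "section": section, "label": label, "line": line})
                break
        else:  # no rule matched: keep it visible rather than silently ignoring it
            findings.append({"severity": "unclassified", "section": section,
                             "label": "no rule matched; inspect manually", "line": line})
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'review': 3, 'info': 2, 'unclassified': 1}."""
    return dict(Counter(f["severity"] for f in findings))


def high_confidence_lines(findings):
    """The lines worth escalating: only the 'high' indicators, never the 'review' noise."""
    return [f["line"] for f in findings if f["severity"] == "high"]


if __name__ == "__main__":
    results = triage_gmer(SAMPLE_GMER_LOG)
    for f in results:
        print(f"[{f['severity']:>12}] ({f['section']}) {f['label']}\n    {f['line']}")
    print(summarize(results))
```

The point of keeping an "unclassified" bucket is that a triage script must never hide a line it does not understand; in a real log the hundreds of bare-address SSDT entries from a product like Norton land in "review", while the handful of "high" lines are the ones a helper actually reads before deciding whether a driver needs replacing from a known-good copy.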

Re: https tidserv2 request

Post by k0brs » May 25th, 2010, 3:32 pm

askey127,
I have removed the programs listed. I ran Temp File Cleaner, then I ran TDSSKiller, but the first time I was unable to save the contents of the log; it did find a *.sys file that would be removed on a reboot, so I rebooted and then ran GMER and was able to capture logs. I will also append the TDSSKiller log from the second run, and also the first GMER log. I am not sure if I was supposed to have only C:\ checked under the files or not, so as shown I have run it with it checked but my M:\ disk unchecked, since C:\ is my system disk.

12:16:15:406 2760 TDSS rootkit removing tool 2.3.1.0 May 25 2010 12:52:14
12:16:15:406 2760 ================================================================================
12:16:15:406 2760 SystemInfo:

12:16:15:406 2760 OS Version: 5.1.2600 ServicePack: 3.0
12:16:15:406 2760 Product type: Workstation
12:16:15:406 2760 ComputerName: IBM-C8A9E96DF6F
12:16:15:406 2760 UserName: Family
12:16:15:406 2760 Windows directory: C:\WINDOWS
12:16:15:406 2760 Processor architecture: Intel x86
12:16:15:406 2760 Number of processors: 1
12:16:15:406 2760 Page size: 0x1000
12:16:15:406 2760 Boot type: Normal boot
12:16:15:406 2760 ================================================================================
12:16:15:578 2760 Raw disk subsystem init failed!
12:16:15:578 2760 Initialize success
12:16:15:578 2760
12:16:15:578 2760 Scanning Services ...
12:16:15:984 2760 Raw services enum returned 368 services
12:16:16:000 2760 !dthrs1
12:16:16:000 2760 DetectCureTDL3 failed
12:16:16:000 2760
12:16:16:015 2760 Completed
12:16:16:015 2760
12:16:16:015 2760 Results: **** First run without using command showed a *.sys as infected that would be cleared on reboot ****
12:16:16:015 2760 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:16:16:015 2760 File objects infected / cured / cured on reboot: 0 / 0 / 0
12:16:16:015 2760
12:16:16:125 2760 KLMD(ARK) unloaded successfully
I will post the GMER log when it completes the scan later today.
Thanks again for all your help... k0brs
k0brs
Active Member
 
Posts: 9
Joined: May 24th, 2010, 7:46 am

Re: https tidserv2 request

Post by k0brs » May 25th, 2010, 5:20 pm

Askey127,
Here is the first GMER log, and then the second log I ran as noted above.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-25 12:32:56
Windows 5.1.2600 Service Pack 3
Running: gc8mk4u3.exe; Driver: C:\DOCUME~1\Family\LOCALS~1\Temp\kfldakoc.sys


---- System - GMER 1.0.15 ----

SSDT 8723A7E0 ZwAlertResumeThread
SSDT 86E86238 ZwAlertThread
SSDT 86E7F260 ZwAllocateVirtualMemory
SSDT 870F6BA8 ZwAssignProcessToJobObject
SSDT 871DE120 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF56C1210]
SSDT 86E44420 ZwCreateMutant
SSDT 870E8CF8 ZwCreateSymbolicLinkObject
SSDT 86E4E2F8 ZwCreateThread
SSDT 87107CA8 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF56C1490]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF56C19F0]
SSDT 86E802C8 ZwDuplicateObject
SSDT 86E4C1F8 ZwFreeVirtualMemory
SSDT 870F8BC8 ZwImpersonateAnonymousToken
SSDT 8723A700 ZwImpersonateThread
SSDT 87231E78 ZwLoadDriver
SSDT 86E4B270 ZwMapViewOfSection
SSDT 86E44360 ZwOpenEvent
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwOpenKey [0xF56C17A0]
SSDT 86E83308 ZwOpenProcess
SSDT 86E801E8 ZwOpenProcessToken
SSDT 870F7D30 ZwOpenSection
SSDT 86E83238 ZwOpenThread
SSDT 870E8DC8 ZwProtectVirtualMemory
SSDT 86E7C1D0 ZwResumeThread
SSDT 86E452B8 ZwSetContextThread
SSDT 86E4A220 ZwSetInformationProcess
SSDT 87107D88 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF56C1C40]
SSDT 870F7E10 ZwSuspendProcess
SSDT 86E7C270 ZwSuspendThread
SSDT 86E48290 ZwTerminateProcess
SSDT 86E451D8 ZwTerminateThread
SSDT 86E4B1D0 ZwUnmapViewOfSection
SSDT 86E4C2C8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 234 804E28A0 8 Bytes CALL 6850112B
.text PCIIDEX.SYS!PciIdeXSetBusData + B29 F79E245D 4 Bytes [24, DA, AB, 85]
.text PCIIDEX.SYS!PciIdeXDebugPrint + 23 F79E26DD 4 Bytes [24, DA, AB, 85]
PAGE PCIIDEX.SYS!PciIdeXDebugPrint + 7CB F79E2E85 4 Bytes [24, DA, AB, 85]
PAGE PCIIDEX.SYS!PciIdeXDebugPrint + 1065 F79E371F 4 Bytes [24, DA, AB, 85]
PAGE PCIIDEX.SYS!PciIdeXDebugPrint + 10B7 F79E3771 4 Bytes [24, DA, AB, 85]
PAGE PCIIDEX.SYS!PciIdeXDebugPrint + 15DE F79E3C98 4 Bytes [24, DA, AB, 85]
PAGE ...
PAGE PCIIDEX.SYS!PciIdeXInitialize + 288 F79E5C64 4 Bytes [24, DA, AB, 85]
.text SCSIPORT.SYS!ScsiPortInitialize + FFFF473B F76CA6AF 4 Bytes [E4, F9, BC, 85]
.text SCSIPORT.SYS!ScsiPortInitialize + FFFF4AD1 F76CAA45 4 Bytes [E4, F9, BC, 85]
.text SCSIPORT.SYS!ScsiPortGetUncachedExtension + 852 F76CBD5A 4 Bytes [64, 87, A1, 85]
.text SCSIPORT.SYS!ScsiPortGetUncachedExtension + FDA F76CC4E2 4 Bytes [E4, F9, BC, 85]
.text SCSIPORT.SYS!ScsiPortGetUncachedExtension + 1710 F76CCC18 4 Bytes [64, 87, A1, 85]
.text SCSIPORT.SYS!ScsiPortGetUncachedExtension + 17F8 F76CCD00 4 Bytes [64, 87, A1, 85]
.text SCSIPORT.SYS!ScsiPortGetUncachedExtension + 1FCE F76CD4D6 4 Bytes [14, A9, 32, 86]
.text ...
.text SCSIPORT.SYS!ScsiPortCompleteRequest + 10C F76CF576 4 Bytes [64, 87, A1, 85]
.text SCSIPORT.SYS!ScsiPortCompleteRequest + 2BA F76CF724 4 Bytes [14, A9, 32, 86]
.text SCSIPORT.SYS!ScsiPortCompleteRequest + 4DE F76CF948 4 Bytes [14, A9, 32, 86]
.text SCSIPORT.SYS!ScsiPortCompleteRequest + 6C9 F76CFB33 4 Bytes [14, A9, 32, 86]
.text SCSIPORT.SYS!ScsiPortCompleteRequest + 1599 F76D0A03 4 Bytes [E4, F9, BC, 85]
.text atapi.sys!ZwSetSystemPowerState + FFE74DB6 F76B77C1 4 Bytes [14, 71, 2A, 87]
.text atapi.sys!ZwSetSystemPowerState + FFE74E69 F76B7874 4 Bytes [44, D6, E4, 85] {INC ESP; SALC ; IN AL, 0x85}
.text atapi.sys!ZwSetSystemPowerState + FFE75108 F76B7B13 4 Bytes [14, 71, 2A, 87]
.text atapi.sys!ZwSetSystemPowerState + FFE75DAD F76B87B8 4 Bytes [44, D6, E4, 85] {INC ESP; SALC ; IN AL, 0x85}
.text atapi.sys!ZwSetSystemPowerState + FFE7628A F76B8C95 4 Bytes [14, 71, 2A, 87]
.text ...
.rsrc C:\WINDOWS\system32\drivers\symc810.sys entry point in ".rsrc" section [0xF7B809B4]
.text CLASSPNP.SYS!ClassReleaseRemoveLock + 193 F7821553 4 Bytes [24, 3A, 33, 86]
.text CLASSPNP.SYS!ClassCompleteRequest + 3F6 F7821FD9 4 Bytes [24, 3A, 33, 86]
.text CLASSPNP.SYS!ClassSendSrbSynchronous + EE F782218C 4 Bytes [24, 3A, 33, 86]
.text CLASSPNP.SYS!ClassReleaseQueue + EA F7823372 4 Bytes [24, 3A, 33, 86]
.text CLASSPNP.SYS!ClassReleaseChildLock + 66 F78239C6 4 Bytes [24, 3A, 33, 86]
.text CLASSPNP.SYS!ClassSendIrpSynchronous + 3A F7823B90 4 Bytes [24, 3A, 33, 86]
.text CLASSPNP.SYS!ClassGetDriverExtension + 15D F7824131 4 Bytes [24, 3A, 33, 86]
.text CLASSPNP.SYS!ClassFindModePage + 1D3 F7824775 4 Bytes [24, 3A, 33, 86]
.text CLASSPNP.SYS!ClassFindModePage + 77F F7824D21 4 Bytes [24, 3A, 33, 86]
.text CLASSPNP.SYS!ClassFindModePage + 9A6 F7824F48 4 Bytes [14, 41, 2F, 86]
.text CLASSPNP.SYS!ClassFindModePage + ADC F782507E 4 Bytes [14, 51, A7, 85]
.text CLASSPNP.SYS!ClassFindModePage + B06 F78250A8 4 Bytes [24, 3A, 33, 86]
.text ...
.text CLASSPNP.SYS!ClassInternalIoControl + 87 F7825FAF 4 Bytes [24, 3A, 33, 86]
.text CLASSPNP.SYS!ClassGetVpb + 167 F78261AB 4 Bytes [24, 3A, 33, 86]
.text CLASSPNP.SYS!ClassSendStartUnit + C9 F7826421 4 Bytes [24, 3A, 33, 86]
.text CLASSPNP.SYS!ClassSendSrbAsynchronous + 10D F782656C 4 Bytes [24, 3A, 33, 86]
.text CLASSPNP.SYS!ClassWmiFireEvent + 3A9 F7826A16 4 Bytes [24, 3A, 33, 86]
.text CLASSPNP.SYS!ClassWmiFireEvent + 843 F7826EB0 4 Bytes [24, 3A, 33, 86]
.text CLASSPNP.SYS!ClassIoCompleteAssociated + 18B F78274E9 4 Bytes [14, 41, 2F, 86]
PAGE CLASSPNP.SYS!ClassDebugPrint + 59B F7827B33 4 Bytes [24, 3A, 33, 86]
PAGE CLASSPNP.SYS!ClassDebugPrint + 7B5 F7827D4D 4 Bytes [24, 3A, 33, 86]
PAGE CLASSPNP.SYS!ClassInvalidateBusRelations + 203 F782823A 4 Bytes [24, 3A, 33, 86]
PAGE CLASSPNP.SYS!ClassInitialize + 6C0 F78289F8 4 Bytes [24, 3A, 33, 86]
PAGE CLASSPNP.SYS!ClassClaimDevice + 7A F7829ECF 4 Bytes [24, 3A, 33, 86]
PAGE CLASSPNP.SYS!ClassModeSense + 57D F782AB68 4 Bytes [24, 3A, 33, 86]
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
? system32\drivers\klmd.sys The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[164] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A1000A
.text C:\WINDOWS\Explorer.EXE[164] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A7000A
.text C:\WINDOWS\Explorer.EXE[164] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A0000C
.text C:\WINDOWS\System32\svchost.exe[1124] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006B000A
.text C:\WINDOWS\System32\svchost.exe[1124] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 006C000A
.text C:\WINDOWS\System32\svchost.exe[1124] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006A000C
.text C:\WINDOWS\System32\svchost.exe[1124] USER32.dll!GetCursorPos 7E42974E 3 Bytes JMP 01CE000A
.text C:\WINDOWS\System32\svchost.exe[1124] USER32.dll!GetCursorPos + 4 7E429752 1 Byte [83]
.text C:\WINDOWS\System32\svchost.exe[1124] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 01CD000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3352] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FB000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3352] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00FC000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3352] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00FA000C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \FatCdrom tfsnifs.sys (Direct Access Component/VERITAS Software, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\klmd23 \Device\KLMD203010 klmd.sys

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \FileSystem\Fastfat \Fat tfsnifs.sys (Direct Access Component/VERITAS Software, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Direct Access Component/VERITAS Software, Inc.)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Direct Access Component/VERITAS Software, Inc.)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Direct Access Component/VERITAS Software, Inc.)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Direct Access Component/VERITAS Software, Inc.)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Direct Access Component/VERITAS Software, Inc.)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Direct Access Component/VERITAS Software, Inc.)
Device -> \Driver\atapi \Device\Harddisk0\DR0 872E6CEC

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\symc810.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Here is the second run of GMER:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-25 15:15:33
Windows 5.1.2600 Service Pack 3
Running: gc8mk4u3.exe; Driver: C:\DOCUME~1\Family\LOCALS~1\Temp\kfldakoc.sys


---- System - GMER 1.0.15 ----

SSDT 86EAC230 ZwAlertResumeThread
SSDT 86EEB1D0 ZwAlertThread
SSDT 86EAB208 ZwAllocateVirtualMemory
SSDT 8714EAA0 ZwAssignProcessToJobObject
SSDT 871D1830 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF5A75210]
SSDT 87170F38 ZwCreateMutant
SSDT 870DBE70 ZwCreateSymbolicLinkObject
SSDT 86EAD2B8 ZwCreateThread
SSDT 8714EB80 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF5A75490]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF5A759F0]
SSDT 86EAE260 ZwDuplicateObject
SSDT 86EEF308 ZwFreeVirtualMemory
SSDT 870C3E90 ZwImpersonateAnonymousToken
SSDT 870C3F70 ZwImpersonateThread
SSDT 872E52D0 ZwLoadDriver
SSDT 86EEF208 ZwMapViewOfSection
SSDT 87170E78 ZwOpenEvent
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwOpenKey [0xF5A757A0]
SSDT 86ECE2C8 ZwOpenProcess
SSDT 86EAB2D8 ZwOpenProcessToken
SSDT 86ECDB30 ZwOpenSection
SSDT 86ECE1D8 ZwOpenThread
SSDT 870DBF60 ZwProtectVirtualMemory
SSDT 86EEB270 ZwResumeThread
SSDT 86EED228 ZwSetContextThread
SSDT 86EED308 ZwSetInformationProcess
SSDT 86E962D0 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF5A75C40]
SSDT 86ECDC10 ZwSuspendProcess
SSDT 86EEA1D8 ZwSuspendThread
SSDT 86ED0250 ZwTerminateProcess
SSDT 86EEA2B8 ZwTerminateThread
SSDT 86EA6290 ZwUnmapViewOfSection
SSDT 86EA8280 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 7C 804E26E8 8 Bytes JMP EEB1D086
.text ntoskrnl.exe!_abnormal_termination + 98 804E2704 4 Bytes JMP 2CC48714
? klmdb.sys The system cannot find the file specified. !
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \FatCdrom tfsnifs.sys (Direct Access Component/VERITAS Software, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \FileSystem\Fastfat \Fat tfsnifs.sys (Direct Access Component/VERITAS Software, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Direct Access Component/VERITAS Software, Inc.)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Direct Access Component/VERITAS Software, Inc.)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Direct Access Component/VERITAS Software, Inc.)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Direct Access Component/VERITAS Software, Inc.)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Direct Access Component/VERITAS Software, Inc.)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Direct Access Component/VERITAS Software, Inc.)

---- EOF - GMER 1.0.15 ----
Please let me know what your findings are...
Thanks k0brs
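The two GMER runs above are the evidence the next reply is based on. The triage script below is an added example, not code from this thread, from GMER or from any tool used in it: it recognises the record shapes that appear in the posted logs (user-mode and kernel inline hooks, SSDT entries with and without an owning driver, a device object redirected to a bare address, drivers flagged as modified), assigns severity labels that are this example's own assumptions, and reports which findings disappeared between the first and second run. The sample lines are constructed from the logs above, with one SSDT address altered.

```python
import re
from dataclasses import dataclass

HEX8 = r"[0-9A-F]{8}"


@dataclass(frozen=True)
class Finding:
    kind: str      # record shape recognised by RULES below
    severity: str  # "high", "medium" or "info": this example's own labels, not GMER's
    detail: str    # tokens that identify the hooked or modified object
    line: str      # original log line

    def identity(self):
        """Stable key across runs: pool addresses change between boots, names do not."""
        if self.kind == "ssdt_unattributed":
            return (self.kind, self.detail.split()[-1])
        return (self.kind, self.detail)


# (kind, severity, pattern) for each record shape in the posted logs; first match wins.
RULES = [
    # Disk device object redirected to a bare address with no owning driver named.
    ("device_object_redirect", "high",
     re.compile(rf"^Device -> (\S+) (\S+) ({HEX8})$")),
    # On-disk driver differs from what GMER expects for that file.
    ("file_suspicious_modification", "high",
     re.compile(r"^File (.+?) suspicious modification$")),
    # Inline hook inside a user-mode process: a 5-byte JMP or a single patched byte.
    ("usermode_inline_hook", "medium",
     re.compile(rf"^\.text (.+?\[\d+\]) (\S+!\S+(?: \+ [0-9A-F]+)?) {HEX8} \d+ Bytes? "
                rf"(?:JMP {HEX8}|\[[0-9A-F]{{2}}\])$")),
    # Inline patch in a kernel module's code section.
    ("kernel_code_patch", "medium",
     re.compile(rf"^\.text (\S+!\S+)(?: \+ [0-9A-F]+)? {HEX8} \d+ Bytes JMP {HEX8}$")),
    # SSDT entry pointing at an address GMER could not map to any loaded module.
    ("ssdt_unattributed", "medium",
     re.compile(rf"^SSDT ({HEX8}) (Zw\w+)$")),
    # SSDT entry owned by a named driver (SYMEVENT.SYS in the posted logs).
    ("ssdt_attributed", "info",
     re.compile(r"^SSDT (\S+) \((.+?)\) (Zw\w+) \[0x[0-9A-F]+\]$")),
    # Device or filter attached by a named, vendor-identified driver.
    ("device_attributed", "info",
     re.compile(r"^(?:AttachedDevice|Device) (\S+) (\S+) (\S+) \((.+?)\)$")),
    # Driver known to the kernel whose file GMER could not open to check.
    ("driver_file_missing", "info",
     re.compile(r"^\? (\S+) The system cannot find the file specified\. !$")),
]


def triage(log_text):
    """Classify every recognised line of a GMER log; other lines are skipped."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for kind, severity, pattern in RULES:
            m = pattern.match(line)
            if m:
                detail = " ".join(g for g in m.groups() if g)
                findings.append(Finding(kind, severity, detail, line))
                break
    return findings


def resolved_between_runs(first, second):
    """Findings from the first run that no longer appear in the second."""
    still_present = {f.identity() for f in second}
    return [f for f in first if f.identity() not in still_present]


# Constructed samples drawn from the two GMER logs in the thread; one SSDT address is
# altered so the comparison has to key on the function name rather than the address.
FIRST_RUN = r"""
.text C:\WINDOWS\System32\svchost.exe[1124] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006B000A
.text C:\WINDOWS\System32\svchost.exe[1124] USER32.dll!GetCursorPos + 4 7E429752 1 Byte [83]
SSDT 86EAC230 ZwAlertResumeThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF5A75210]
.text ntoskrnl.exe!_abnormal_termination + 7C 804E26E8 8 Bytes JMP EEB1D086
? klmdb.sys The system cannot find the file specified. !
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 872E6CEC
File C:\WINDOWS\system32\drivers\symc810.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""
SECOND_RUN = r"""
SSDT 86EEB1D0 ZwAlertResumeThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF5A75210]
.text ntoskrnl.exe!_abnormal_termination + 7C 804E26E8 8 Bytes JMP EEB1D086
? klmdb.sys The system cannot find the file specified. !
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
"""

if __name__ == "__main__":
    first, second = triage(FIRST_RUN), triage(SECOND_RUN)
    print(f"first run: {len(first)} findings, second run: {len(second)} findings")
    for f in resolved_between_runs(first, second):
        print(f"gone in second run [{f.severity}] {f.kind}: {f.detail}")
```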

Re: https tidserv2 request

Unread postby askey127 » May 26th, 2010, 7:16 am

k0brs,
It appears you do indeed have a rootkit infection.
These are very serious and can be difficult to remove.
We will run Rkill and ComboFix first, then address some file removals directly.
------------------------------------------------
Download and Run Rkill
Please download Rkill from one of the following links and save to your Desktop:
One, Two, Three or Four
  • Double click on Rkill.
  • A command window will open then disappear upon completion, this is normal.
  • Please leave Rkill on the Desktop until otherwise advised.
Note: If your security software warns about Rkill, please ignore and allow the download to continue.
If you cannot get one of the Rkill versions to download and run without being stopped, don't proceed further, and post back to tell me about it.
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
You will need to disable all your antivirus software BEFORE running ComboFix. See below.
  • Download ComboFix from here
  • Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or the infection may prevent you from using it.
    **Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**
  • Disable ALL antivirus/antimalware programs before proceeding!
    Disable Norton Security Suite
    • Start Norton Internet Security.
    • In the left pane, click Status & Settings.
    • Click Security.
    • Click Turn on or Turn off.
  • Now start ComboFix (zzz.exe)
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it.
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts. When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • Do not touch the computer AT ALL while ComboFix is running.
  • When finished, the report will open. Re-enable your protection software and post the log in your next reply.
A copy of the log will be located here -> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.

Re-enable your Norton.
askey127

Re: https tidserv2 request

Unread postby k0brs » May 26th, 2010, 4:39 pm

askey127,
I ran Rkill and it completed without any problems. I then ran ComboFix as zzz.exe.
ComboFix did install the Recovery Console and continued with the scan,
and here is the log:

ComboFix 10-05-26.01 - Family 05/26/2010 13:40:31.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.505 [GMT -6:00]
Running from: c:\documents and settings\Family\Desktop\zzz.exe
AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Thumbs.db
M:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-04-26 to 2010-05-26 )))))))))))))))))))))))))))))))
.

2010-05-26 10:15 . 2010-05-26 10:15 -------- d-----w- c:\windows\LastGood
2010-05-25 09:32 . 2010-05-25 09:33 149304 ----a-w- c:\documents and settings\Family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-25 09:32 . 2010-05-25 09:32 129 ----a-w- c:\documents and settings\Family\Local Settings\Application Data\fusioncache.dat
2010-05-18 18:50 . 2010-05-18 18:50 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-18 18:50 . 2010-05-18 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-18 18:50 . 2010-05-18 18:50 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-17 22:28 . 2010-05-17 22:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-05-17 17:21 . 2009-05-18 22:17 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-05-17 17:21 . 2008-04-17 21:12 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-05-17 17:21 . 2010-05-17 17:40 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-17 17:21 . 2010-05-17 17:21 -------- d-----w- c:\program files\Symantec
2010-05-17 17:21 . 2010-05-17 17:21 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-05-17 17:21 . 2010-05-17 17:21 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-17 17:20 . 2010-05-17 17:37 -------- d-----w- c:\windows\system32\drivers\N360
2010-05-17 17:20 . 2010-05-17 17:20 -------- d-----w- c:\program files\Norton Security Suite
2010-05-17 17:20 . 2010-05-17 17:20 -------- d-----w- c:\program files\Windows Sidebar
2010-05-17 17:17 . 2010-05-17 17:17 -------- d-----w- c:\program files\NortonInstaller
2010-05-17 17:17 . 2010-05-17 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-05-17 17:04 . 2010-05-17 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-14 18:19 . 2010-05-14 18:19 -------- d-s---w- c:\documents and settings\NetworkService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-26 18:45 . 2007-08-20 16:44 -------- d-----w- c:\program files\Juno
2010-05-25 18:35 . 2002-09-24 17:08 16256 ----a-w- c:\windows\system32\drivers\symc810.sys
2010-05-25 18:06 . 2009-06-12 17:40 -------- d-----w- c:\program files\Microsoft
2010-05-25 17:40 . 2007-08-21 04:55 -------- d-----w- c:\program files\Java
2010-05-25 17:40 . 2007-08-21 04:55 -------- d-----w- c:\program files\Common Files\Java
2010-05-18 10:23 . 2009-10-26 20:33 188152 ----a-w- c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\cqobbvtn.default\FlashGot.exe
2010-05-17 17:21 . 2010-05-17 17:21 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-17 17:21 . 2010-05-17 17:21 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-17 17:16 . 2009-06-25 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-05-09 14:31 . 2009-03-05 01:09 1 ----a-w- c:\documents and settings\Family\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-29 21:39 . 2008-08-29 19:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39 . 2008-07-14 15:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 22:14 . 2010-04-25 02:15 -------- d-----w- c:\program files\Yaesu
2010-04-25 02:19 . 2010-04-25 02:15 -------- d-----w- c:\program files\Common Files\RT SystemsV4
2010-04-25 02:17 . 2008-02-24 03:15 -------- d-----w- c:\program files\DIFX
2010-04-25 02:15 . 2010-04-25 02:15 -------- d-----w- c:\documents and settings\Family\Application Data\RT Systems
2010-04-25 02:15 . 2010-04-25 02:15 -------- d-----w- c:\documents and settings\All Users\Application Data\RT Systems
2010-04-21 13:02 . 2009-09-05 23:24 -------- d-----w- c:\documents and settings\Family\Application Data\HpUpdate
2010-04-12 14:00 . 2007-08-20 17:17 -------- d-----w- c:\program files\Winamp
2010-04-07 18:10 . 2007-08-26 03:15 -------- d-----w- c:\documents and settings\Family\Application Data\U3
2010-03-09 11:09 . 1980-01-01 07:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 05:43 . 1980-01-01 07:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2007-08-20 18:08 81920 ------w- c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="c:\documents and settings\Family\My Documents\Webroot\Washer\wwDisp.exe" [2005-04-20 894464]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-10-08 818288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-08-03 4493312]
"nwiz"="nwiz.exe" [2004-08-03 917504]
"PROMon.exe"="PROMon.exe" [2002-04-19 73728]
"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-07 90112]
"Tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2001-11-07 1519616]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2002-08-19 106551]
"BluetoothAuthenticationAgent"="irprops.cpl" [2008-04-14 380416]
"Hot Key Kbd Daemon"="SKDAEMON.EXE" [2001-07-05 53248]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Detect Kbd Daemon"="SK2000DM.EXE" [2001-04-28 36864]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-20 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-12 286720]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\workpad\HOTSYNC.EXE [2007-8-20 260096]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^Family^Start Menu^Programs^Startup^DeluoGPS Toolkit.lnk]
path=c:\documents and settings\Family\Start Menu\Programs\Startup\DeluoGPS Toolkit.lnk
backup=c:\windows\pss\DeluoGPS Toolkit.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Juno\\bin\\juno.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:*:Disabled:Red Swoosh
"5000:UDP"= 5000:UDP:*:Disabled:Red Swoosh

S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0401000.020\SYMDS.SYS [2009-10-15 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0401000.020\SYMEFA.SYS [2009-11-26 172592]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [2010-04-29 537136]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0401000.020\ccHPx86.sys [2010-02-25 501888]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0401000.020\Ironx86.SYS [2010-02-27 116784]
S2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.1.0.32\ccSvcHst.exe [2010-02-25 126392]
S2 WLSVC;WLSVC;c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe [2004-02-07 41025]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-17 102448]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100518.002\IDSxpx86.sys [2010-05-18 331640]
S3 SKUSBKBF;USB Keyboard Filter Driver;c:\windows\system32\DRIVERS\SKUSBKBF.sys [2001-07-27 14048]
S3 tenCapture;tenCapture;c:\windows\system32\DRIVERS\tenCapture.sys [2007-04-21 9344]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSCFG
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.k99.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\cqobbvtn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.eham.net/|http://www.arrl.or ... m.php?f=11
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPWXM32.DLL
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe
HKCU-RunOnce-DelayShred - c:\program files\mcafee\mshr\ShrCL.EXE
HKLM-Run-UC_SMB - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
SafeBoot-klmdb.sys
SafeBoot-mcmscsvc
SafeBoot-MCODS



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-26 13:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.1.0.32\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.1.0.32\diMaster.dll\" /prefetch:1"
.
Completion time: 2010-05-26 13:57:25
ComboFix-quarantined-files.txt 2010-05-26 19:57

Pre-Run: 56,238,931,968 bytes free
Post-Run: 56,199,565,312 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 514B3BC4B555FD28A4DAE09A213A8DAB

I have re-enabled all the Norton services ...
Let me know what I need to do next, again thanks for your help.
k0brs

Re: https tidserv2 request

Unread postby askey127 » May 27th, 2010, 6:05 am

k0brs,
That looks better.
Please let me know what your system is doing now.
Specifically, are you getting Tidserv messages from Norton?
Also tell me if you are still having redirects on one or both browsers.
Thanks
askey127

Re: https tidserv2 request

Unread postby k0brs » May 27th, 2010, 7:11 am

Askey127,
My system is running much better, and I am no longer seeing the redirects in my browsers, nor am I getting the alerts about https tidserv2 or tidserv in Norton. It appears to have removed all the rootkits and everything is back and running well. I have one medium alert that says an unauthorized access is being blocked from \windows\system32\services.exe actorpid 756 and targeting
\Device\HarddiskVolume1\Program Files\Norton Security Suite\Engine\4.1.0.32\ccsvchst.exe
This is the only thing I see in my history reports. Is this normal for Norton, or is it of any concern? I just see this when my system is starting up and/or being rebooted.

Again Thanks for your help
k0brs

Re: https tidserv2 request

Unread postby askey127 » May 27th, 2010, 7:48 am

k0brs,
I must say I don't know what that is.
You may want to post at the Symantec forum and see what they say.
(We have seen more than one of these kinds of messages.)
I don't see any infections on your machine at the moment.

(Just a hunch) Since this occurs at bootup, it may be related to one of the Services. These are your O23 entries in the HiJackThis log.
Yours were:
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\4.1.0.32\ccSvcHst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: WLSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

You could try getting rid of Comcast's Desktop Doctor, or Webroot Washer, or the Nero Backup Service if you don't use them.
askey127

Re: https tidserv2 request

Unread postby k0brs » May 27th, 2010, 3:21 pm

Askey127, I have removed the Desktop Doctor as suggested.
I found a reply on the Symantec forum from a Symantec/Norton expert, and he said that it was a normal message that occurs on bootup/restart; it is not a problem. I would like to thank you again for all your help on my system.
It appears to be back to normal.
Thanks k0brs

Re: https tidserv2 request

Unread postby askey127 » May 27th, 2010, 6:49 pm

k0brs,
I would suggest the following as a cleanup exercise:
-----------------------------------------------------------
Reset System Restore Points
  • Click Start > Help and Support
  • Click on ->Undo changes to your computer with System Restore.
  • Click Create A Restore Point then click Next. Give it a name and then click Create, then Close.
  • Close Help and Support Center.
  • Click Start | Run and type Cleanmgr
  • Select (C: ) then click OK.
  • Click the More Options tab.
  • Click Clean Up in the System Restore Section.
This will remove all previous restore points except the newly created one.
This System Restore sequence is not to be done regularly, but only as a Special Case after the removal of malware.
-----------------------------------------------------------
Install WinPatrol - Download and Install the Free WinPatrol, and view Instructions here: http://www.winpatrol.com/winpatrol.html
- WinPatrol is an active program that drops a "Scotty Dog" icon into the system tray (right click to check/change status), allows you to monitor/edit startups, services, Browser helpers, and prompts for permission if any program tries to change your system.
Good luck,

askey127

Re: https tidserv2 request

Unread postby k0brs » May 28th, 2010, 10:07 pm

askey127,
I have installed winpatrol and also created a new restore point per your recommendations.
My system is back to normal. The last question I have is about the tools we have installed, such as ComboFix, TDSSKiller, Rkill and GMER. Am I safe to remove the files and logs and uninstall these programs?
Again thanks for your help
k0brs

Re: https tidserv2 request

Unread postby askey127 » May 29th, 2010, 6:28 am

k0brs,
Yes, you should remove those programs and logs.
I would keep TFC for occasional cleaning of old Temporary files.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: https tidserv2 request

Unread postby k0brs » May 29th, 2010, 8:37 am

Askey127,
I will do those clean up tasks. Again thanks for all your help.
k0brs

Re: https tidserv2 request

Unread postby askey127 » May 29th, 2010, 4:02 pm

This topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.