Tidserv request 2 [Closed] - Geeks to Go Forums


Tidserv request 2 [Closed]

#1 StarrEa

  • Group: Member
  • Posts: 3
  • Joined: 07-June 10

Posted 07 June 2010 - 04:14 PM

Hi there, I have Norton AntiVirus and since earlier today, I have been getting intrusion warnings from Tidserv Request 2. Norton has been blocking them but I would really like to get rid of it. I would like some help in doing so. I've downloaded ComboFix and here are the results:


ComboFix 10-06-07.03 - HP_Administrator 06/07/2010 16:14:31.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.495 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\My Documents\Downloads\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-05-07 to 2010-06-07 )))))))))))))))))))))))))))))))
.

2010-06-07 15:46 . 2010-06-07 15:46 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\vcdtca
2010-05-25 01:34 . 2010-05-25 01:34 -------- d-----w- c:\program files\7-Zip
2010-05-23 18:17 . 2010-05-23 18:17 348160 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-33688668-n\msvcr71.dll
2010-05-23 18:17 . 2010-05-23 18:17 61440 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-54f1b967-n\decora-sse.dll
2010-05-23 18:17 . 2010-05-23 18:17 503808 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-33688668-n\msvcp71.dll
2010-05-23 18:17 . 2010-05-23 18:17 499712 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-33688668-n\jmc.dll
2010-05-23 18:17 . 2010-05-23 18:17 12800 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-54f1b967-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-07 20:33 . 2010-04-26 21:49 -------- d-----w- c:\program files\Common Files\Akamai
2010-06-07 19:48 . 2005-05-31 09:34 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-07 17:40 . 2010-03-23 00:15 25 ----a-w- c:\windows\popcinfot.dat
2010-06-07 15:53 . 2005-05-31 09:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-05 14:01 . 2010-03-07 20:25 439816 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup3.10\setup.exe
2010-05-23 02:13 . 2010-02-24 18:19 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\AdobeUM
2010-05-14 11:51 . 2010-02-19 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-02 00:56 . 2010-02-20 01:54 52968 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-30 17:28 . 2010-04-30 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-04-30 17:26 . 2010-02-24 18:19 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-30 17:26 . 2010-04-30 17:26 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-04-23 22:51 . 2010-04-23 22:51 -------- d-----w- c:\program files\Veoh Networks
2010-04-19 15:26 . 2010-04-19 15:26 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\FastStone
2010-04-19 15:25 . 2010-04-19 15:25 -------- d-----w- c:\program files\FastStone Photo Resizer
2010-04-19 15:23 . 2010-04-19 15:23 50354 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Facebook\uninstall.exe
2010-04-19 15:23 . 2010-04-19 15:23 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Facebook
2010-04-12 18:39 . 2010-02-19 21:50 1808752 ----a-w- c:\documents and settings\All Users\Application Data\Norton\NUA.exe
2010-03-10 06:15 . 2004-08-10 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-5 258048]
SpySubtract.lnk - c:\program files\InterMute\SpySubtract\sslaunch.exe [2005-5-31 73728]
Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe.vir [2005-5-31 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"1745:TCP"= 1745:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/10/2004 7:00 AM 14336]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [1/25/2008 9:47 PM 149352]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [5/31/2005 3:43 AM 85248]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/6/2010 12:56 PM 102448]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/19/2010 6:31 PM 717296]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 10:32 PM 23888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-06-05 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - HP_Administrator.job
- c:\my files\Programs\Norton Antivirus 2008\Navw32.exe [2008-02-07 15:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uInternet Settings,ProxyServer = http=127.0.0.1:1075
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\45coigkn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\my files\Programs\Firefox\plugins\np-mswmp.dll
FF - plugin: c:\my files\Programs\Java\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\my files\Programs\Java\bin\new_plugin\npjp2.dll

---- FIREFOX POLICIES ----
c:\my files\Programs\Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\my files\Programs\Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\my files\Programs\Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\my files\Programs\Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\my files\Programs\Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\my files\Programs\Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\my files\Programs\Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\my files\Programs\Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\my files\Programs\Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\my files\Programs\Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{FA010552-4A27-4cb1-A1BB-3E2D697F1639} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-07 16:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-06-07 16:20:32
ComboFix-quarantined-files.txt 2010-06-07 21:20

Pre-Run: 210,096,672,768 bytes free
Post-Run: 210,345,631,744 bytes free

- - End Of File - - 1FE815AEB76BC016FB8783D392B88963



I hope to hear from someone soon. Thank you! Have a great day!

#2 SweetTech

  • Group: Moderator
  • Posts: 7,649
  • Joined: 28-April 09

Posted 14 June 2010 - 04:10 PM

Hello and welcome to the forums! My name is SweetTech, it's a pleasure to meet you. :)

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, has resulted in the delayed response to your thread.

If you have already received help elsewhere please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:
  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post.
  • Please make sure to carefully read any instruction that I give you.
    Reading too lightly will cause you to miss important steps, which could have destructive effects.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • These instructions have been specifically tailored to your computer and the issues you are experiencing with your computer. It's important to note that these instructions are not suitable for any other computer, even if the issues are fairly similar.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together :)
    Because of this, you must reply within three days; failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
Folder::
c:\documents and settings\HP_Administrator\Local Settings\Application Data\vcdtca
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:1075


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT:



Scanning with MalwareBytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan.

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.

  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image



NEXT:



Re-Running OTL

We need to create a New FULL OTL Report
  • Please download OTL from here if you have not done so already:

  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized



NEXT:



Please make sure you include the following items in your next post:
1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. The log that is produced after running the ComboFix script.
3. The log that is produced after running the updated MalwareBytes' Anti-Malware scan.
4. The log that is produced after running the ESET Online Virus Scanner.
5. The logs that are produced after running the OTL scan.
6. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.

Cheers,
SweetTech.
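The CFScript in the reply above resets the proxy entry and removes the folder the helper picked out of the ComboFix log in post #1. As an added example (not part of this thread, and not ComboFix's own code), the following Python flags the weak-security states a helper reads off such a log: a proxy pointing back at the local host, Security Center monitoring switched off, the Windows firewall disabled, and the AV's on-access scanner disabled. The excerpt it parses is constructed from the values visible in the log above; the indicator names are my own.

```python
import re

# Constructed excerpt modelled on the ComboFix log in post #1 (not the full log).
SAMPLE_LOG = r"""
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3
uInternet Settings,ProxyServer = http=127.0.0.1:1075
uInternet Settings,ProxyOverride = <local>
"""

LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|localhost)$", re.I)


def find_indicators(log_text):
    """Return (indicator, evidence) pairs for the weak-security states in a
    ComboFix-style log. A browser proxy on 127.0.0.1 is the entry the
    CFScript's DDS:: line resets; the registry lines show Security Center
    monitoring and the firewall turned off."""
    found = []
    current_key = None  # registry key of the section we are inside, if any
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = re.match(r'^uInternet Settings,ProxyServer\s*=\s*(.+)$', line)
        if m:
            # Value may carry per-scheme prefixes ("http=127.0.0.1:1075;...");
            # only the host part of each entry matters for the loopback test.
            for entry in m.group(1).split(";"):
                host = entry.split("=", 1)[-1].rsplit(":", 1)[0]
                if LOOPBACK.match(host):
                    found.append(("loopback_proxy", m.group(1)))
            continue
        key = (current_key or "").lower()
        if "security center\\monitoring" in key and \
                re.match(r'^"DisableMonitoring"=dword:0*1$', line):
            found.append(("security_center_monitoring_disabled", current_key))
        elif key.endswith("firewallpolicy\\standardprofile") and \
                re.match(r'^"EnableFirewall"=\s*0\b', line):
            found.append(("firewall_disabled", current_key))
        elif line.startswith("AV:") and "scanning disabled" in line.lower():
            found.append(("av_on_access_disabled", line))
    return found


if __name__ == "__main__":
    for kind, evidence in find_indicators(SAMPLE_LOG):
        print(f"{kind}: {evidence}")
```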

#3 SweetTech

  • Group: Moderator
  • Posts: 7,649
  • Joined: 28-April 09

Posted 18 June 2010 - 12:35 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
