Problem removing Tidserv.Activity.2



#46 RKinner (Malware Expert)

Try starting FF in Safe Mode:
At the top of the Firefox window, click the Firefox button, go over to the Help menu and select Restart with Add-ons Disabled... Firefox will start up with the Firefox Safe Mode dialog when you close it and restart. (Just skip through the dialog; we don't want to make changes, we just want nothing to load except basic FF.)

Go into Control Panel, Windows Firewall and Settings and turn it Off.

Also try renaming your current Firefox profile
C:\Users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\bzm625f8.default

with Firefox closed (just add "old" to the name). Then when it restarts I think it will create a new one.

Ron

#47 tedins (Topic Starter)

No change, except when I changed the default file name, it would not let Firefox open until I changed it back.

#48 RKinner (Malware Expert)

Right click on (My) Computer and select Manage (Continue). Then the Event Viewer. Next select Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application. Reboot.

Now try to use Firefox and IE. Then go into Event Viewer, Windows Logs, System and see if there are any events that might explain what is happening. A service which doesn't start or anything like that. Also check Application.

We could also try uninstalling IE9. That will bring back IE8 and perhaps it will be better behaved.
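
An added example (not code from the thread) of the Event Viewer pass the post above describes, done from PowerShell: after the logs are cleared and the machine rebooted, it lists Service Control Manager failures and the SideBySide/WMI application errors since the last boot, then names any Automatic service that is not running. It assumes Vista/7 with PowerShell 2.0 or later and an elevated prompt.

```powershell
# Added example, not the thread's code. Pulls the events most likely to explain a
# service that did not start, plus SideBySide/WMI application errors, since the last boot.
# Assumes Vista/7 with PowerShell 2.0 or later; run elevated so the System log is readable.
$os = Get-WmiObject Win32_OperatingSystem
$lastBoot = $os.ConvertToDateTime($os.LastBootUpTime)

# Service Control Manager failure events (standard IDs):
#   7000 failed to start, 7001 a dependency failed, 7023/7024 terminated with an error
#   (7024 is the "service-specific error" form quoted in the thread), 7031/7034 died unexpectedly.
$scmFailures = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7000, 7001, 7023, 7024, 7031, 7034
    StartTime    = $lastBoot
} -ErrorAction SilentlyContinue

Write-Host "Service failures since boot at $lastBoot"
$scmFailures |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ') } } |
    Format-Table -AutoSize -Wrap

# Application log errors from the two sources named in the thread (SideBySide, WMI).
# The provider is matched loosely because the name Event Viewer shows as "Source"
# can differ from the underlying ETW provider name.
$appErrors = Get-WinEvent -FilterHashtable @{
    LogName   = 'Application'
    Level     = 2            # Error
    StartTime = $lastBoot
} -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'SideBySide|WMI' }

Write-Host "SideBySide / WMI application errors since boot"
$appErrors | Select-Object TimeCreated, ProviderName, Id, Message | Format-List

# Automatic services that are not running right now: the quickest way to name
# the "service which doesn't start" the post is looking for.
Write-Host "Automatic services that are not running"
Get-WmiObject Win32_Service -Filter "StartMode='Auto' AND State<>'Running'" |
    Select-Object Name, DisplayName, State, ExitCode |
    Format-Table -AutoSize
```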

#49 tedins (Topic Starter)

Lots of errors in both sections....

Under System, here are a few of them:

Application Pop-up - \SystemRoot\SysWOW64\DRIVERS\DMICall.sys has been blocked from loading due to incompatibility with the system
NETLOGON - This computer was not able to set up a secure session with a domain controller in domain CAMPUS due to the following: There are currently no logon servers available to service the logon request

That one almost sounds like it is trying to connect to the wrong server/network?

GROUP POLICY - This failed because of the lack of network connectivity

Several Service Control Manager Eventlog Provider errors. One of those specifically aimed at my network monitoring - "The Pure Networks Platform Service terminated with service specific error 2147953403 (0x80072AFB)"

And another DMICall error

#50 tedins (Topic Starter)

As far as the application logs -

Failure to load plugins -

Several errors from the source SideBySide, it suggests using sxstrace.exe for detailed diagnosis

A couple of errors from the source WMI

#51 RKinner (Malware Expert)

domain CAMPUS

Was there some special software or procedure you went through when you first connected to this network? I'm wondering if we may have killed it off by accident.

Is this a laptop or a desktop? Just wondering if you could try it at an internet cafe or hotspot and see if maybe it would work there.

Ron

#52 tedins (Topic Starter)

When I connected to CAMPUS I would have to go through a proxy, that was the only difference.

I have all the proxies turned off, though.

#53 tedins (Topic Starter)

The problem started immediately after running the script in OTL. I know nothing about the script, but what does RESET HOSTS do at the end of it?

#54 tedins (Topic Starter)

Afraid I am going to have to give up for this evening, and maybe get a fresh start tomorrow.

#55 RKinner (Malware Expert)

The OTL script shouldn't have hurt anything:

:processes
killallprocesses (Just stops all non-essential processes)

:OTL
FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: File not found (removing dead wood Firefox plugins that no longer exist)
FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: File not found (removing dead wood Firefox plugins that no longer exist)
[2010/07/10 11:17:31 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
(This is the Java Console (6.20) in Firefox. Java does not remove old consoles from Firefox so I remove them when I know we are going to upgrade. Current Java is 6.26 or 7.0)
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe File not found (removing dead wood.)
O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\Windows\SysWow64\cmd.exe (Microsoft Corporation) (This one just sends you to AVG site to ask you why you uninstalled. You might check that it didn't accidentally remove C:\Windows\SysWow64\cmd.exe )

The O10s are all entries in the winsock stack. Bonjour is some garbage from Apple, though how it can be found in one entry and missing in the others is beyond me. mmswsock.dll is your malware. Didn't really need these as your last OTL showed they were already gone, but I didn't see it until I'd already posted; it really shouldn't have done anything. The netsh winsock reset catalog command that we also ran restores the winsock stack to the default, which is what we are doing here.

O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000001 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000002 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000003 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000004 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000005 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000006 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000007 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000008 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000009 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000010 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000011 - mmswsock.dll File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found

O16 entries are Downloaded Program Files from Internet sites. They are not important. I'm just cleaning up the logs since we will be installing 6.26.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.) (Deadwood)

This just tells it not to run whatever the autorun program is without asking.
O33 - MountPoints2\I\Shell\AutoRun\command - "" = I:\Autorun\Autorun.exe

This is just garbage.
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:411E1BE2

:files
These are just there in case of a certain infection which steals the links from All Programs and puts them in a folder in the temp file. This puts them back where they belong. If the folder doesn't exist then nothing happens.
xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C

:Commands
[RESETHOSTS]
Takes the hosts file back to default. Spybot S&D "immunizes" your PC by adding a bunch of bogus entries here so that you can't go to a list of bad sites. This was OK on XP but slows Vista down.


[purity]
Purity just checks for a special type of infection.

[Reboot]
Just reboots when done.

Are you still connecting to Campus? Perhaps we need to put the proxies back?

It's possible that we had a hard drive glitch during the reboot.

1. Double-click My Computer, and then right-click the hard disk that you want to check. C:
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed.
4. Check both boxes and then click Start.
You will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check, then restart. It will take 1 to 2 hours to complete.

Ron
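
As an added example (not code from the thread or from OTL), the check below walks the Winsock catalog and reports whether each provider DLL still exists on disk, which is the condition the O10 lines above print as "File not found". It assumes the Vista/7 registry layout under WinSock2\Parameters, with Catalog_Entries64 holding the 64-bit catalog that OTL labels "O10:64bit", and that a protocol entry's PackedCatalogItem begins with a 260-byte ANSI path (an assumption from the packed WSAPROTOCOL_INFO layout); run it from an elevated PowerShell.

```powershell
# Added example, not code from the thread or from OTL (assumptions noted in comments).
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'
# Assumed layout: Catalog_Entries holds the 32-bit catalog, Catalog_Entries64 the 64-bit one
# (OTL's "O10:64bit" lines). Protocol entries store a binary PackedCatalogItem; namespace
# entries (Bonjour's mdnsNSP.dll in the thread) store a LibraryPath string.
$catalogs = @(
    @{ Name = 'Protocol_Catalog9 (32-bit)';  Path = "$root\Protocol_Catalog9\Catalog_Entries";    Kind = 'Protocol'  },
    @{ Name = 'Protocol_Catalog9 (64-bit)';  Path = "$root\Protocol_Catalog9\Catalog_Entries64";  Kind = 'Protocol'  },
    @{ Name = 'NameSpace_Catalog5 (32-bit)'; Path = "$root\NameSpace_Catalog5\Catalog_Entries";   Kind = 'NameSpace' },
    @{ Name = 'NameSpace_Catalog5 (64-bit)'; Path = "$root\NameSpace_Catalog5\Catalog_Entries64"; Kind = 'NameSpace' }
)

function Get-ProviderPath([Microsoft.Win32.RegistryKey]$Key, [string]$Kind) {
    if ($Kind -eq 'Protocol') {
        # Assumption: PackedCatalogItem begins with the provider path as a NUL-terminated
        # ANSI string in a MAX_PATH (260 byte) field, as in the packed WSAPROTOCOL_INFO.
        $bytes = $Key.GetValue('PackedCatalogItem')
        if (-not $bytes) { return $null }
        $field = [System.Text.Encoding]::Default.GetString($bytes, 0, [Math]::Min(260, $bytes.Length))
        return $field.Split([char]0)[0]
    }
    return [string]$Key.GetValue('LibraryPath')
}

$report = foreach ($cat in $catalogs) {
    if (-not (Test-Path -LiteralPath $cat.Path)) { continue }
    foreach ($entry in Get-ChildItem -LiteralPath $cat.Path) {
        $dll = Get-ProviderPath -Key $entry -Kind $cat.Kind
        if (-not $dll) { continue }
        # Built-in providers are stored as %SystemRoot%\system32\mswsock.dll; expand before testing.
        $full = [Environment]::ExpandEnvironmentVariables($dll)
        New-Object PSObject -Property @{
            Catalog  = $cat.Name
            Entry    = $entry.PSChildName
            Provider = $dll
            OnDisk   = (Test-Path -LiteralPath $full -PathType Leaf)
        }
    }
}

$report | Sort-Object Catalog, Entry | Select-Object Catalog, Entry, Provider, OnDisk | Format-Table -AutoSize

# Entries with OnDisk = False are orphaned providers, the state OTL printed as "File not found".
# The thread's mmswsock.dll is one letter away from the legitimate mswsock.dll, so compare the
# names carefully. "netsh winsock reset" (already run in the thread) rebuilds the catalog
# from the default providers; anything still missing afterwards deserves a closer look.
$report | Where-Object { -not $_.OnDisk }
```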

#56 tedins (Topic Starter)

Running the CHKDSK now.

The main problem is all of the programs that I no longer have the installation disk for... Otherwise, I would just reinstall Vista. If I upgrade to Windows 7, would it fix the problem without having to reinstall everything?

#57 RKinner (Malware Expert)

If you have the Vista disk you can try booting from it and seeing if it wants to repair it:

http://www.bleepingc...startup-repair/

This shouldn't change any of your installed programs but I would turn System Restore back on.

My guess is since it starts OK it will say there is nothing wrong. In that case go to the Command Prompt option and do

map

If it works it should show you the drives on your system. Which drives does it show? Do you see any that it says are hidden? Zero Access is known to create its own partition on the drive and this may need to be deleted. Not all hidden drives are bad. HP and Dell and others use them to store the recovery information so you can return it to how it came from the factory.

I don't know what Win7 would do.

Can you get the reset.log text file that was created when you ran "netsh int ip reset reset.log"? It should be in C:\windows\system32\

Ron

#58 tedins (Topic Starter)

No change with CHKDSK

#59 RKinner (Malware Expert)

In addition to what I said in the last post, tell me about how you connect to the Internet. Are you on a campus where they control the network, or in a private situation where you have a DSL or Cable connection to a DSL/Cable modem or router? Is there a separate router?

Ron

#60 tedins (Topic Starter)

I connect through a private network. I have DSL, connecting to a Cisco router. What confuses me is that the network monitoring software from Cisco does not recognize a network. It basically crashes when I run it. It asks to "restart the platform service", but that does not work.

All other machines/phones connect fine.