SID:23621 System Infected Tidserv Activity Detected [Solved]


  • This topic is locked

#31 knarf1 (Member, Topic Starter, 67 posts)
This is it? That is all that is there.

[email protected] as CAB hook log:
OnlineScanner.ocx - registred OK

The scan results say no threat found.

#32 knarf1 (Member, Topic Starter, 67 posts)
The AppRemover reported nothing of Lavasoft or McAfee. I sent a report inquiring about the contradictory info I am receiving regarding Lavasoft.

It did list Spybot Search and Destroy and Malwarebytes. These go after different threats and should be retained. Right? Or not?

#33 Homburg (Trusted Helper, Malware Removal, 665 posts)
Try the AppRemover again using the "Clean Failed Uninstall" option.

It did list Spybot Search and Destroy and Malwarebytes. These go after different threats and should be retained. Right? Or not?

Yes, these are spyware checkers, so it's OK to leave both.

#34 knarf1 (Member, Topic Starter, 67 posts)
When I did that I got no results at all.



Also, would you do as I read elsewhere: "Windows Update > Product Updates, and install ALL High-Priority Security Updates listed." ??

What should I do for a firewall?

Also, for Malwarebytes, under Protection enabled, there are four options:

Start protection with Windows.
Start file execution blocking when protection module starts.
Start malicious website blocking when protection module starts.
Show tooltip balloon when malicious website is blocked.

Now I have the first checked. Should I check any others? All of them?

Am I missing anything else?

I have installed Sophos Protection for my anti-virus.

Thanks!

#35 Homburg (Trusted Helper, Malware Removal, 665 posts)
Hi,

Now I have the first checked. Should I check any others? All of them?


Yep, have them all checked.

I've recommended a firewall further down the post.

You're now clean of malware but before I remove all the tools and logs, I'd like you to have a look for a ComboFix log when you first ran it. Can you please look in this folder C:\QooBox\LastRun\ for any ComboFix logs and post the oldest before you follow the cleaning steps.

No worries if you can't find it or it's not there. I would just like to have known where the main rootkit was hiding :)

Your PC is now clean :thumbsup:

First we'll remove the tools that we've used then look at preventing getting infected again. It's important to remove the tools as it also removes the malware that we currently have quarantined.

Please do the following:

Reset SR Points/Clean up with OTL:
  • Double-click OTL to start the program.
  • Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Commands
    [ClearAllRestorePoints]
  • Return to OTL, right-click in the Custom Scans/Fixes window and choose Paste.
  • Then click the Run Fix button.
  • Let the program run unhindered. When finished click on OK and close the log that appears.
  • Note: I do not need to review the log produced.
  • Now close all other programs apart from OTL as this step will require a reboot.
  • On the OTL main screen, depress the CleanUp button.
  • Say Yes to the prompt and then allow the program to reboot your computer.

The above process will flush old System Restore Points and create a new clean one.


Next

Please delete aswMBR, MBRcheck and any remaining logs from your desktop.


Next

Follow these steps to uninstall Combofix
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now copy/paste this: ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /Uninstall, it needs to be there.
  • Please follow the prompts to uninstall Combofix.
  • This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.


A few tips to prevent reinfection

A firewall is essential to stop hackers infiltrating your computer. The following firewalls are free for personal use. Do not install more than one firewall.

Zone Alarm is an excellent free basic firewall which is very easy to use.
Online Armor is a more advanced firewall which includes a Host Intrusion Protection System (HIPS).
Comodo is a combined firewall and antivirus.


I personally use the built-in Windows Firewall, but the choice is yours.

It is essential that you regularly check and install the latest Windows Updates. Vulnerabilities within Windows can leave your computer open to infection. Regular updates are released to fix these security vulnerabilities. I recommend that you set Windows to check, download and install your updates automatically.

Click Start
Select Control Panel
Click on Automatic (recommended)
Set the day and time for the update check. Set this to a time when your computer will normally be on and connected to the internet.
Click Apply then OK.

Java updates.
Older versions of Java have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:
  • Go to here and click Do I have Java
  • It will check your current version and then offer to update to the latest version
Adobe updates.
You should ensure you use the latest Adobe Acrobat Reader and install any security updates that are released. Older versions are susceptible to attack. You can download the latest reader and updates from here.

To learn more about how to protect yourself while on the internet you might like to read this GeeksToGo article. This covers some of the safety measures that I've included and also some more.

Happy surfing and stay safe :happy:

Homburg.

#36 knarf1 (Member, Topic Starter, 67 posts)
2012-01-26 17:50:57 . 2012-01-26 17:50:57 163 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKU-Default-RunOnce-AutoLaunch.reg.dat
2012-01-26 17:50:52 . 2012-01-26 17:50:52 166 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Microsoft Works Update Detection.reg.dat
2012-01-26 17:50:52 . 2012-01-26 17:50:52 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440}.reg.dat
2012-01-26 17:50:52 . 2012-01-26 17:50:52 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}.reg.dat
2012-01-26 17:46:03 . 2002-10-16 12:56:50 36 ----a-w- C:\Qoobox\Quarantine\G\Autorun.inf.vir
2012-01-26 17:46:03 . 2002-10-16 12:56:50 36 ----a-w- C:\Qoobox\Quarantine\F\Autorun.inf.vir
2012-01-26 17:41:22 . 2012-01-26 17:41:22 4,097 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-01-26 05:00:56 . 2012-01-26 17:33:21 521 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-01-26 03:49:04 . 2012-01-26 03:49:04 5,176 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB40719$\849325456\lsflt7.ver.vir
2012-01-23 07:45:36 . 2012-01-23 13:52:23 2,048 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB40719$\849325456\U\[email protected]
2012-01-23 04:50:51 . 2012-01-26 04:36:04 162 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB40719$\849325456\keywords.vir
2012-01-23 02:12:41 . 2012-01-26 05:19:36 223,744 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB40719$\849325456\kwrd.dll.vir
2012-01-23 02:12:41 . 2012-01-26 05:24:28 877 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB40719$\849325456\bckfg.tmp.vir
2012-01-23 02:12:36 . 2012-01-26 05:19:35 198 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB40719$\849325456\cfg.ini.vir
2012-01-23 02:12:36 . 2012-01-23 02:12:36 2,048 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB40719$\849325456\@.vir
2012-01-23 02:12:36 . 2012-01-23 02:12:36 185,856 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB40719$\849325456\L\ogejidap.vir
2012-01-23 02:12:36 . 2012-01-26 05:18:39 4,608 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB40719$\849325456\Desktop.ini.vir
2012-01-23 02:12:25 . 2012-01-23 02:12:25 0 -c--a-we C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB40719$\632774191.vir
2012-01-13 15:20:19 . 2012-01-23 02:12:40 77,312 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB40719$\849325456\U\[email protected]
2012-01-05 11:32:16 . 2012-01-23 02:12:39 11,264 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB40719$\849325456\U\[email protected]
2011-12-02 12:07:49 . 2012-01-23 02:12:41 224,768 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB40719$\849325456\U\[email protected]
2011-11-29 13:10:08 . 2012-01-23 02:12:40 12,800 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB40719$\849325456\U\[email protected]
2011-11-02 17:48:14 . 2012-01-23 02:12:39 1,024 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB40719$\849325456\U\[email protected]
2009-08-27 17:09:47 . 2009-08-27 17:09:47 348 ----a-w- C:\Qoobox\Quarantine\C\Users\msuman\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\.url.vir
2009-06-26 00:20:48 . 2009-06-28 13:09:22 4,605,753 ----a-w- C:\Qoobox\Quarantine\C\Users\msuman\Documents\~WRL3513.tmp.vir
2009-02-07 03:50:06 . 2009-02-07 03:50:06 23 ----a-w- C:\Qoobox\Quarantine\C\Users\msuman\AppData\Roaming\Microsoft\Windows\Recent\DBOLE.dll.vir
2009-02-06 18:13:49 . 2009-02-06 18:13:49 78 ----a-w- C:\Qoobox\Quarantine\C\Users\msuman\AppData\Roaming\Microsoft\Windows\Recent\runddlkey.tmp.vir
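The listing above is ComboFix's quarantine index, and it answers the question Homburg asked in #35 about where the main rootkit was hiding: the cluster of files pulled from C:\Windows\$NtUninstallKB40719$. As an added example (not code from this thread, from knarf1, or from ComboFix itself), the Python below parses that listing format, maps each quarantine path back to the location it was taken from, groups the files that sat under a fake $NtUninstallKB...$ folder, and reports the earliest timestamp in that group together with any root Autorun.inf files quarantined from removable drives. The sample lines are copied from the posted log with one benign, made-up line (notes.txt) added for contrast; treating the first timestamp as creation time and the second as last write is an assumption made here, not something the thread states.

```python
"""Parse a ComboFix quarantine listing and locate the TDSS-style hideout.

Added example for this thread, not ComboFix's own code.  Each listing line
has the shape

    <timestamp1> . <timestamp2> <size> <attrs> <quarantine path>

The two timestamps are assumed here to be creation and last-write time (the
listing is sorted on the first one); that ordering is an assumption.
"""
import re
from dataclasses import dataclass
from datetime import datetime

QUARANTINE_ROOT = "C:\\Qoobox\\Quarantine\\"

# Constructed sample: lines copied from the listing posted in this thread,
# plus one made-up benign line (notes.txt) to show non-matches are left alone.
SAMPLE_LISTING = r"""
2012-01-26 17:50:52 . 2012-01-26 17:50:52 166 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Microsoft Works Update Detection.reg.dat
2012-01-26 17:46:03 . 2002-10-16 12:56:50 36 ----a-w- C:\Qoobox\Quarantine\G\Autorun.inf.vir
2012-01-26 17:46:03 . 2002-10-16 12:56:50 36 ----a-w- C:\Qoobox\Quarantine\F\Autorun.inf.vir
2012-01-26 05:00:56 . 2012-01-26 17:33:21 521 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-01-26 03:49:04 . 2012-01-26 03:49:04 5,176 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB40719$\849325456\lsflt7.ver.vir
2012-01-23 02:12:41 . 2012-01-26 05:19:36 223,744 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB40719$\849325456\kwrd.dll.vir
2012-01-23 02:12:36 . 2012-01-26 05:19:35 198 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB40719$\849325456\cfg.ini.vir
2012-01-23 02:12:25 . 2012-01-23 02:12:25 0 -c--a-we C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB40719$\632774191.vir
2009-02-07 03:50:06 . 2009-02-07 03:50:06 23 ----a-w- C:\Qoobox\Quarantine\C\Users\msuman\AppData\Roaming\Microsoft\Windows\Recent\DBOLE.dll.vir
2008-05-01 10:00:00 . 2008-05-01 10:00:00 1,024 ----a-w- C:\Qoobox\Quarantine\C\Users\msuman\Documents\notes.txt.vir
"""

LINE_RE = re.compile(
    r"^(?P<ts1>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \. "
    r"(?P<ts2>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<size>[\d,]+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
# TDSS/Tidserv hides its components in a fake $NtUninstallKB<n>$ folder under
# C:\Windows; this matches one path component of that form.
FAKE_KB_DIR_RE = re.compile(r"\\\$NtUninstallKB\d+\$\\", re.IGNORECASE)


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: int
    attrs: str
    quarantine_path: str
    original: str  # where the file lived before ComboFix moved it


def original_path(qpath: str) -> str:
    r"""Undo ComboFix's quarantine layout: C:\Qoobox\Quarantine\<drive>\... + .vir
    becomes <drive>:\...; registry backups and ComboFix's own logs come back unchanged."""
    if not qpath.lower().startswith(QUARANTINE_ROOT.lower()):
        return qpath
    head, sep, tail = qpath[len(QUARANTINE_ROOT):].partition("\\")
    if sep and len(head) == 1 and head.isalpha():
        name = tail[:-4] if tail.lower().endswith(".vir") else tail
        return f"{head.upper()}:\\{name}"
    return qpath


def parse_listing(text: str) -> list[Entry]:
    """Turn the raw listing into Entry objects; lines that do not fit the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            created=datetime.strptime(m["ts1"], "%Y-%m-%d %H:%M:%S"),
            modified=datetime.strptime(m["ts2"], "%Y-%m-%d %H:%M:%S"),
            size=int(m["size"].replace(",", "")),
            attrs=m["attrs"],
            quarantine_path=m["path"],
            original=original_path(m["path"]),
        ))
    return entries


def fake_uninstall_dirs(entries: list[Entry]) -> dict[str, list[Entry]]:
    """Group quarantined files by the $NtUninstallKB...$ folder they were pulled from.
    A genuine KB uninstall folder holds backed-up system files; a DLL, cfg.ini or a
    numerically named payload in one is the hiding pattern visible in this thread's log."""
    groups: dict[str, list[Entry]] = {}
    for e in entries:
        m = FAKE_KB_DIR_RE.search(e.original)
        if m:
            folder = e.original[: m.end() - 1]  # drop the trailing backslash
            groups.setdefault(folder, []).append(e)
    return groups


def first_seen(entries: list[Entry]) -> datetime:
    """Earliest creation time in a group: the best estimate of when the infection landed."""
    return min(e.created for e in entries)


def autorun_drives(entries: list[Entry]) -> list[str]:
    """Drive letters whose root Autorun.inf was quarantined (removable-media spreading)."""
    return sorted(
        e.original[0].upper()
        for e in entries
        if re.fullmatch(r"[A-Za-z]:\\Autorun\.inf", e.original, re.IGNORECASE)
    )


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    for folder, files in fake_uninstall_dirs(entries).items():
        print(f"{folder}: {len(files)} files, first seen {first_seen(files)}")
        for e in sorted(files, key=lambda e: e.created):
            print(f"  {e.created}  {e.size:>8}  {e.original}")
    print("Autorun.inf quarantined on drives:", ", ".join(autorun_drives(entries)))
```

Run on the sample it reports C:\Windows\$NtUninstallKB40719$ with four quarantined files, the earliest stamped 2012-01-23 02:12:25, plus Autorun.inf taken from F: and G:. The same grouping works on a full ComboFix log, and it is worth doing before ComboFix /Uninstall flushes the quarantine, since after that step the evidence of where the rootkit lived is gone.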

#37 knarf1 (Member, Topic Starter, 67 posts)
Do I delete OTL, too?

No success with uninstalling Combofix. When I do what you said I get (with the required space): Windows cannot find Combofix. When I clicked on the icon on my desktop, it said the program had been changed or moved. Now that icon itself is gone. I know I did not delete it. It is not in the recycle box.

#38 knarf1 (Member, Topic Starter, 67 posts)
A search for Combofix also yields nothing.
Do I also delete Roguekiller?

#39 knarf1 (Member, Topic Starter, 67 posts)
I was already set for automatic Windows updates. But I noticed that the most recent updates had failed. I tried repeatedly--failure. Then I followed instructions related to the error code listed and got the new updates to download--success. BUT now when I click check for updates I get: Windows could not check for updates. Error code 80096001. It also lists here: Most recent check for updates: Never. Updates were installed: Never. When I do go to installed updates, they are all there. But now I cannot check for updates.



Sometimes now my computer freezes...

#40 knarf1 (Member, Topic Starter, 67 posts)
I am good to go with Java and Adobe.

On Windows my malware and firewall are turned off. I guess that is because I have other malware protection and another firewall. Yes?

#41 Homburg (Trusted Helper, Malware Removal, 665 posts)

Do I delete OTL, too?

Did you click on the Cleanup button detailed in my last post? This should have removed OTL


No success with uninstalling Combofix

Delete the copy of ComboFix that you have. Download a new copy to your desktop (important). Run ComboFix and then follow the uninstall procedure again.


Do I also delete Roguekiller?

Yes


On windows my malware and firewall are turned off. I guess that is because I have other malware protection and another firewall. Yes?

Your Symantec contained a Firewall so the Windows firewall would have been turned off, you can turn it on from the control panel.

#42 knarf1 (Member, Topic Starter, 67 posts)
Thanks.

I repeated the OTL removal instructions, with success this time. :)

How long should the Combofix removal take? I followed your instructions (more than once). I pasted into the runbox and hit OK. I could see everything being extracted. But it is still there and I received no message saying Combofix was uninstalled successfully.

Again, many thanks for your patience with me.

Edited by knarf1, 28 January 2012 - 11:14 AM.


#43 knarf1 (Member, Topic Starter, 67 posts)
I followed the Combofix removal instructions multiple times. With no success. Then I noticed that Sophos was quarantining a file that the process was generating. I authorized the file in Sophos. And then when I went to run the removal again, the message came up that the Combofix stuff could not be found, and I noticed that all the Combofix material had disappeared. It is all gone--search reveals nothing. I never got that message that it had been uninstalled. Can I assume it is gone?

Also, any suggestions regarding the fact that Windows cannot check for updates? Error code 80096001?

Thanks.

#44 Homburg (Trusted Helper, Malware Removal, 665 posts)
Hi,

I followed the Combofix removal instructions multiple times. With no success. Then I noticed that Sophos was quarantining a file that the process was generating. I authorized the file in Sophos. And then when I went to run the removal again, the message came up that the Combofix stuff could not be found, and I noticed that all the Combofix material had disappeared. It is all gone--search reveals nothing. I never got that message that it had been uninstalled. Can I assume it is gone?

I think ComboFix has been uninstalled, sounds like Sophos was stopping it. In future I'll recommend that security programs have to be paused during the uninstall process, thanks.

Also, any suggestions regarding the fact that Windows cannot check for updates? Error code 80096001?

Go to here and click the Fix it button about a third of the way down. Try the default mode first and, if that fails, try the aggressive mode.

#45 knarf1 (Member, Topic Starter, 67 posts)
Hi.

I had already tried the fixit a dozen times and no go.
Where is the "aggressive mode"? I do not see that option.





