The other computer

[kerri191]

Some info:
This computer is my parents'.  It's about four years old, I think.  I'm pretty sure it has never been updated with anything but Norton 360.
If there is any info on the computer that you need, besides the HijackThis log, please let me know.
Problems:
- Browsers load very slowly
- Some .dll files are missing (I saw this in the log I'll post)
- A virus keeps popping up that Norton detects: backdoor.tidserv.exe
Norton does not seem to be able to resolve the problem.  It pops up daily.
- Sites are sometimes slow to load.  The browser occasionally has to be shutdown using taskmanager.
- When I do open taskmanager, I notice something weird that's been there for awhile.  Under the user applications that are running, even if there is no browser running, or one iexplorer.exe running, there is almost ALWAYS a browser program running in the background.  Mozilla has begun to display this problem.  I just noticed this.  Mozilla was the only browser running (one window, one tab in use), but the taskmanager list displayed 2 iexplorer.exe running and 2 mozilla.exe running.  I can shut down the programs, but they inevitably come back.

The best I have ever been able to do is keep the computer running semi-functionally.  There have been x number of viruses, spyware, adware on this thing over the years.  My father will click on any ad that pops up, and if it looks good, he is all for it.  If it promises him some wonder miracle to fix the problems he has generated over the years, he'll download it without a second thought.  I have explained numerous times the harmful consequences of these actions.  Nothing I say works.
What I would like is some help resolving the issues I stated above, along with any other issues that might be present, and then advice on how to keep this computer protected despite it's user.  I would also like to be able to repair the problems that have been caused, if that is possible.
I have seriously considered just letting him mess it up beyond all comprehension.  But I want one last try before I wash my hands.

So, here goes.  Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:43 PM, on 5/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freemegatube.com/%20to%20verify...8%20years%20old
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O1 - Hosts: 91.212.65.122 antiwareprotect.com
O1 - Hosts: 91.212.65.122 www.antiwareprotect.com
O2 - BHO: {052bbff6-746c-2eb8-81e4-3ad57d3836b0} - {0b6383d7-5da3-4e18-8be2-c6476ffbb250} - C:\WINDOWS\system32\gwapse.dll (file missing)
O2 - BHO: (no name) - {1D6931F4-6F48-424C-AD55-3D3AA5EA2BF8} - C:\WINDOWS\system32\mlJAsTKc.dll (file missing)
O2 - BHO: (no name) - {43A78A75-B7C2-410E-A43E-3996D4C08C48} - C:\WINDOWS\system32\mljjk.dll (file missing)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.0.0.135\IPSBHO.DLL
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\nnnkigg.dll (file missing)
O2 - BHO: QWProtectBHO - {70FEAD04-A7FD-4B89-B814-8A8251C90EF7} - C:\Documents and Settings\All Users\Application Data\AV1\QWProtect.dll (file missing)
O2 - BHO: (no name) - {95db63e1-9500-4d6c-aa8c-8a77c5142408} - C:\WINDOWS\system32\gakosali.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Common\_helper.dll (file missing)
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {DC8B71C8-3D19-4FDD-A791-2E60385EF2E8} - C:\WINDOWS\system32\iifGAQJd.dll (file missing)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FD24A6CA-EEE1-4D6C-9389-73A799AD263E} - C:\WINDOWS\system32\gebcy.dll (file missing)
O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ProfileWatcher] C:\Program Files\ProfileWatcher\profilewatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [dogedihanu] Rundll32.exe "C:\WINDOWS\system32\puzegido.dll",s
O4 - HKLM\..\Run: [b0f5bc3c] rundll32.exe "C:\WINDOWS\system32\majubilu.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [A00F2AD68801.exe] C:\DOCUME~1\user\LOCALS~1\Temp\_A00F2AD68801.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [81709051072090661745765135778029] C:\Program Files\Antivirus 2009\av2009.exe
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O4 - HKUS\S-1-5-19\..\Run: [dogedihanu] Rundll32.exe "C:\WINDOWS\system32\puzegido.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [dogedihanu] Rundll32.exe "C:\WINDOWS\system32\puzegido.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1241085100906
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktank...ownloadCtrl.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O18 - Filter hijack: text/html - {5a89ed1b-fa25-474f-bb7c-71ada7d1c209} - C:\WINDOWS\system32\mst123.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\mesebena.dll gnbenw.dll anymtu.dll gwapse.dll c:\windows\system32\kiramega.dll
O20 - Winlogon Notify: b0f5bc93382 - C:\WINDOWS\system32\__c009A0E4.dat (file missing)
O20 - Winlogon Notify: gebcy - C:\WINDOWS\system32\gebcy.dll (file missing)
O20 - Winlogon Notify: geeda - C:\WINDOWS\system32\geeda.dll (file missing)
O20 - Winlogon Notify: mlJAsTKc - mlJAsTKc.dll (file missing)
O20 - Winlogon Notify: mljjk - C:\WINDOWS\system32\mljjk.dll (file missing)
O20 - Winlogon Notify: nnnkigg - nnnkigg.dll (file missing)
O20 - Winlogon Notify: vtutq - C:\WINDOWS\system32\vtutq.dll (file missing)
O20 - Winlogon Notify: __c00BD756 - C:\WINDOWS\system32\__c00BD756.dat (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kiramega.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kiramega.dll (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://www.shipofgoldinfo.com/images/bkgd_beige.gif

--
End of file - 9206 bytes


My own log will also be posted soon in the thread about my computer.

[guestolo]

I'm a little short on time tonight, but in the meantime, can you do the following please

Download ComboFix from one of these locations:

[color=\"#0000FF\"]Link 1[/color]
[color=\"#0000FF\"]Link 2[/color]

• If you are using Firefox, make sure that your download settings are as follows:
• Tools->Options->Main tab
• Set to "Always ask me where to Save the files".
• During the download, rename Combofix to Combo-Fix as follows:
  

* It is important you rename Combofix during the download, but not after.
    * Please do not rename Combofix to other names, but only to the one indicated.
SAVE IT ONLY TO YOUR DESKTOP

      --------------------------------------------------------------------
[color=\"#2E8B57\"]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with some tools[/color]
     

• Double click on Combo-Fix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

[color=\"#2e8b57\"]**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
[/color]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  C:\Combo-Fix.txt
I'll need to see that log later
Afterwards: Do the following

Go to [color=\"#FF0000\"]Kaspersky website[/color] and perform an online antivirus scan.

   1. Read through the requirements and privacy statement and click on Accept button.
   2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
   3. When the downloads have finished, click on Settings.
   4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
            [color=\"#FF0000\"]Spyware, Adware, Dialers, and other potentially dangerous programs
            Archives
            Mail databases[/color]
   5. Click on My Computer under Scan.
   6. Once the scan is complete, it will display the results. Click on View Scan Report.
   7. You will see a list of infected items there. Click on Save Report As....
   8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

Please include all the following in your next reply

1. The report from Kaspersky's
2. The log from Combo-Fix
3. Run a fresh scan and save logfile with Hijackthis and post it

[kerri191]

This may take until the weekend to get done.  Just to let you know.