Problems caused by whitesmoke and offerbox malware

sys specs
---------
HP Pavilion t365.be (custom model)
Pentium 4 3GHz
1 Gb DDR
C:/ 80 Gb HDD
D:/ 4.36 Gb HDD
Samsung DVD-ROM
HP DVD-writer +r +rw
Nvidia Geforce fx5200
Windows XP home editon SP3
---------

Recently, when looking for pics for my mp3's I suddenly came across a site that started installing an app called whitesmoke on my pc.
Microsoft Security Essentials detected 2 trojans and removed them.
I also have Symantec Endpoint Protection and since yesterday avira antivir on my pc. Some peeps told me to remove two of them to avoid conflicts.
I haven't done so (yet).

After the install of whitesmoke and offerbox malware, symantec started to report backdoor tidserv request2 problems.
I uninstalled the whitesmoke and offerbox malware programs, but the problems persisted.
Here is a sample of the log:

[SID: 23615] HTTPS Tidserv Request 2 detected.
Traffic has been blocked from this application: C:\WINDOWS\system32\svchost.exe

[SID: 23621] HTTP Tidserv Request detected.
Traffic has been blocked from this application: C:\Program Files\Internet Explorer\iexplore.exe

[SID: 23615] HTTPS Tidserv Request 2 detected.
Traffic has been blocked from this application: C:\Program Files\Internet Explorer\iexplore.exe

I tried tdss killers from symantec and malwarebytes (iirc) but both found nothing.
I ran a symantec scan and an avira scan, and both also found nothing.
Also a S&D scan didn't find anything.

After installing avira, it reported that something tried to access D:/ autorun.inf and blocked it.

Then someone advised me to run malwarebytes antimalware in safe mode, followed by combofix with all active security programs disabled.
Included in this post are the mbam, combofix and hijack this logs (run in that order).

Apparently combofix yanked out a driver that it shouldnt have (see log)...

Is there anything I should still worry about and what about that driver?
I am absolutely no PC-expert, that's why I ask the help of you top notch guys.

Thx in advance.

PS. I've only been showed to this website as of a few moments ago, so I read that I should remove all but one AV indeed. All the above has already happened as it was though...
I guess two of these have to go now: symantec endpoint, ms security essentials, avira.
Which is best?

 

After reading your post I've decided to run the readme for malware removal to the letter (including the things I already did before), so I executed all steps till this point of posting the logs.

Additional info: I remember that I was running Google Chrome when the malware attacked and after the trojan removal by MSSE the browser would no longer load pages. Also FF encountered similar problems so I had IE8 reinstalled and also FF. Chrome is not reinstalled.

Avira and MSSE were removed following the readme.
The combofix log is in Dutch. I've added English descriptions for your convenience. No log info was altered.

(additional post follows with remaining logs)

 

Here is the remaining MGtools log and a new HJT log.
After your analysis I hope all is fine and that I can get that driver back.

 

Hi again

Following your instructions the 6 entries were successfully removed with HJT (analyse.exe) and the regkeys were also successfully added with a message in the lines of: "data was successfully added to the registry".

I was unable to copy, cut or rename the driver in the qoobox folder. Attempts to do anything with it just yield no response. Altering properties from the qoobox folder, like 'read only', also doesn't work.

I've also noticed that my second combofix log again showed these for removal:

AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

Is this normal?

Awaiting your next reply. Thx for your efforts.

 

The combofix procedure did not unlock that file but I did indeed get a cf update.
The file is still totally unresponsive to everything.
Funny thing is, I can now see what is inside the backenv folder that was totally inaccessible before.

@dr.m thx 4 the .nfo

Edit: did you rename it to "HP_DT3~1" and will it work under a different name?
There is indeed such a copied file with that name in my sys32/drivers now but with that name and no .MRK extension.
The original file is still locked in qoobox.

Additional thing I noticed: where the original file still is the folder now says that it is empty while I can still see it inside.

 

Yes I can but normally when you click a file it should show the full name.
This stays shortened as an unclicked file with ... at the end.

The only options available with rightclick are: open, scan for viruses with s&d and copy to- , but it doesn't respond to anything.
The popup window when pointing at it doesnt show the full name either, but it does say .vir file.

 

Here is the updated log.

 

"The syntax of the command is incorrect."

 

A DOS window appeared briefly while running the bat from the desktop.
The driver is not present in C/windows/system32/drivers.
Here is the updated log.

The driver did copy with a different name as I described in post #9. Wouldn't it just be possible to rename it to its original name?
Its size is identical to the driver stuck in qoobox (3.61kb).

 

All that was left was this pesky driver, but now it's no use anymore.
A plastic hook broke from my cpu-fan releasing an iron clamp that fell down and fried the motherboard. Needless to say that the pc is dead.

Anyway thx alot for your help Kestrel. I'm on a laptop now but might ask in a different section on how to save the hdd's data.