TechSpot

Backdoor.Tideserv!inf help

By AdamCulp
Jun 14, 2010
  1. Hi, I'm new here and hope someone can give me some help. I've been having Norton popping up on me, telling me atapi.sys is infected and it cannot fix it. I ran Recovery Console from my XP disc and replaced the file. Now I am getting the same error but with nvatabus.sys. I'm not sure if there is a main file causing these to return or how many files are infected. I really don't want to reformat as I have a lot of programs I would have to reinstall. If anyone could help that would be great.
     

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 52,890   +344

  3. AdamCulp

    AdamCulp TS Rookie Topic Starter

    Here are the following logs from the scans. I tried to add them to the reply but it said it was too large so I had to attach them.

    Thank you for the quick reply.
     

    Attached Files:

  4. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    You're running two AV programs, Norton and Avast. One of them has to go.
    If Norton (preferably), make sure to use Norton Removal Tool: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

    ======================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with ComboFix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.) until it's officially declared clean!!!
     
  5. AdamCulp

    AdamCulp TS Rookie Topic Starter

    Sorry it took me a couple of days to post this log, but it took several hours to run. As far as Avast and Norton go, I'll keep Norton for the time being until I can get a copy of the complete Avast Internet Security. Thank you again for all the help. Also, just another note: Norton is no longer telling me nvatabus.sys is infected but pci.sys; don't know if that is of any importance or not.
     

    Attached Files:

  6. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    ComboFix log is incomplete.
    Check again in C:\ComboFix.txt
    If it looks the very same as the log you just posted, re-run ComboFix.
     
  7. AdamCulp

    AdamCulp TS Rookie Topic Starter

    I just want to make sure I'm uploading the correct file. The file that is located on my computer is actually at C:\ComboFix\ComboFix.txt. I did not find anything located directly on the C: drive. If so, they are identical. I will go ahead and re-run ComboFix either way.
     
  8. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Please, re-run Combofix then.
     
  9. AdamCulp

    AdamCulp TS Rookie Topic Starter

    OK, I reran the scan and it went through this time. Here is the log.
     

    Attached Files:

  10. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\1A56ABED96.sys
    
    
    Folder::
    c:\documents and settings\All Users\Application Data\Alwil Software
    
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abb3506a-afcc-11db-8dff-806d6172696f}]
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
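    Before dropping a CFScript onto ComboFix it is worth knowing exactly what the script will do. The following dry-run reader is an added example (not TechSpot's, Broni's or ComboFix's own code). It assumes the usual CFScript semantics: lines under File:: and Folder:: name objects to be deleted, and lines under Registry:: use .reg syntax, where "Name"=- deletes a value and [-Key] deletes a whole key. The embedded sample is the script from this post, and the review() helper flags the two things a defender would want to notice in it: a hex-named driver in system32, and Security Center monitoring-override values that quietly silence anti-virus status reporting.

```python
"""Dry-run reader for a ComboFix CFScript.txt (added example, not from the
thread or from ComboFix).  Assumed semantics: 'File::' and 'Folder::' list
paths to delete; 'Registry::' holds .reg-style lines where "Name"=- deletes
a value and [-Key] deletes an entire key."""
import re
from dataclasses import dataclass, field

# Constructed sample: the CFScript posted in this thread, copied verbatim.
SAMPLE_SCRIPT = r"""File::
c:\windows\system32\1A56ABED96.sys

Folder::
c:\documents and settings\All Users\Application Data\Alwil Software

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abb3506a-afcc-11db-8dff-806d6172696f}]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")          # e.g. "File::"
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")               # "[Key]" or "[-Key]"
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')           # "Name"=data


@dataclass
class Plan:
    """Everything the script would change, grouped by action."""
    delete_files: list = field(default_factory=list)
    delete_folders: list = field(default_factory=list)
    delete_keys: list = field(default_factory=list)
    delete_values: list = field(default_factory=list)   # (key, value name)
    set_values: list = field(default_factory=list)      # (key, value name, data)
    warnings: list = field(default_factory=list)


def parse_cfscript(text):
    """Walk the script line by line and record each intended action."""
    plan = Plan()
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1), None
            continue
        if section == "File":
            plan.delete_files.append(line)
        elif section == "Folder":
            plan.delete_folders.append(line)
        elif section == "Registry":
            m = KEY_RE.match(line)
            if m:
                minus, key = m.groups()
                if minus:                      # [-Key] removes the whole key
                    plan.delete_keys.append(key)
                    current_key = None
                else:                          # [Key] selects the key for values
                    current_key = key
                continue
            m = VALUE_RE.match(line)
            if m and current_key:
                name, data = m.groups()
                if data == "-":                # "Name"=- removes the value
                    plan.delete_values.append((current_key, name))
                else:
                    plan.set_values.append((current_key, name, data))
            else:
                plan.warnings.append(f"unparsed registry line: {line}")
        else:
            plan.warnings.append(f"line outside a known section: {line}")
    return plan


def review(plan):
    """Notes a defender would want to read before running the script."""
    notes = []
    for f in plan.delete_files:
        name = f.rsplit("\\", 1)[-1]
        if "\\system32\\" in f.lower() and re.fullmatch(r"[0-9A-F]+\.sys", name):
            notes.append(f"hex-named driver in system32 (typical of a dropped rootkit component): {f}")
    for key, name in plan.delete_values:
        if "microsoft\\security center" in key.lower():
            notes.append(f"clears Security Center override {name} under {key}; "
                         "these values suppress AV/firewall status warnings")
    for key in plan.delete_keys:
        if "mountpoints2" in key.lower():
            notes.append(f"removes cached volume entry {key}")
    return notes


if __name__ == "__main__":
    p = parse_cfscript(SAMPLE_SCRIPT)
    print(f"{len(p.delete_files)} file(s), {len(p.delete_folders)} folder(s), "
          f"{len(p.delete_keys)} key(s), {len(p.delete_values)} value(s) to delete")
    for n in review(p):
        print(" -", n)
```

    Run against the sample it reports one file, one folder, one key and three values slated for deletion, and lists the hex-named .sys file and the three Security Center overrides as the items to look at. Anything the parser cannot classify lands in warnings rather than being silently dropped, so an unexpected line in a script you were handed is visible before ComboFix acts on it.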
     
  11. AdamCulp

    AdamCulp TS Rookie Topic Starter

    Here is the new log.
     

    Attached Files:

  12. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file should be created on your C: drive called TDSSKiller.txt please copy and paste the contents of that file here.
     
  13. AdamCulp

    AdamCulp TS Rookie Topic Starter

    Here is the new log file. I notice that Norton is no longer giving me warning messages.
     

    Attached Files:

  14. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Very good :)

    Please delete your ComboFix file, download a fresh one, run it and post the new log.
     
  15. AdamCulp

    AdamCulp TS Rookie Topic Starter

    Here is the new log.
     

    Attached Files:

  16. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Delete your TDSSKiller file, download a fresh one, run it and post the new log.
     
  17. AdamCulp

    AdamCulp TS Rookie Topic Starter

    Sorry for the delay, I have been out of town.
     

    Attached Files:

  18. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Delete your ComboFix file, download a fresh one, run it and post the new log.
     
  19. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Are you still out there?
     
Topic Status:
Not open for further replies.
