Solved Backdoor.Tidserv!inf Help

Status
Not open for further replies.

spuratic

Posts: 24   +0
Tidserv virus help? not sure what to do :(

I've read conflicting information on how to remove this and what to use. My Symantec antivirus picked this up this morning and I'm having trouble dealing with it. My Internet Explorer keeps randomly opening and closing, but I cannot open it myself. I use Firefox anyway. I would like to know what to do. I have attached a HijackThis log, but from here I'm pretty uneducated with dealing with these things.

Thanks
 

Attachments

  • hijackthis.log
    13 KB · Views: 2
Having a lot of trouble here as to what to do

I have downloaded many programs that I've read about here... here are some reports.
 

Attachments

  • Attach.txt
    8.6 KB · Views: 3
  • DDS.txt
    21.9 KB · Views: 3
  • hijackthis.log
    12.5 KB · Views: 3
Welcome to TechSpot spuratic. I will help with the malware. I do ask though that you stay within our instructions, which you appear not to have read.
I have downloaded many programs that I've read about here... here are some reports.
Each forum has their own set of steps for preliminary malware removal. Ours can be found here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
I've read conflicting information on how to remove this and what to use
This is because each fix is customized to the system it is 'fixing' and the malware that needs to be removed. And you will need to be patient.

Your searches are being routed through a site in the Ukraine. I'm going to move some of the malware and then set up steps for you to follow:

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    c:\users\spuratic\ntuser.dat{56471034-32db-11df-97eb-001b38b0739e}.TM.blf
    :Services
    
    :Reg
    
    :Files 
    C:\Users\spuratic\AppData\Local\Temp\Windows-Update-KB327462-x86-ENU.exe
    C:\Users\spuratic\AppData\Local\Temp\nspF49D.tmp\nsF5D6.tmp
    C:\Users\spuratic\AppData\Local\Temp\mrt.exe
    C:\Users\spuratic\AppData\Local\Temp\Mkh.exe
    c:\windows\system32\YoItzVlad22222.tmp
    c:\windows\system32\Fubar.tmp
    C:\__MACOSX
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
==============================
When you have finished, run both of the following:
Malwarebytes' Anti-Malware
  • Please download Malwarebytes' Anti-Malware from HERE
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    [o] Update Malwarebytes' Anti-Malware
    [o] and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please attach this log with your reply.
    [o] If you accidentally close it, the log file is saved here and will be named like this:
    [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
================
SuperAntiSpyware Home Edition Free Version
  • Please download SuperAntiSpyware from HERE
  • Launch SuperAntiSpyware and click on 'Check for updates'.
  • Wait for the updates to be installed
  • On the main screen click on 'Scan your computer'.
  • Check 'Perform Complete Scan', then click 'Next' to start the scan.
  • SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
  • Make sure everything found has a checkmark next to it, then press 'Next'.
  • Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Attach the Notepad file here in your reply.

Leave the 3 logs. There are steps 5 and 6.
I will also have you remove all the old Java versions, which are each vulnerabilities.

Please do not run any other cleaning programs unless I ask you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Thanks

Thanks for the reply, and sorry for not following the forum rules... I've read so many things that my brain is scrambled. I've followed all the steps and the logs that you asked for are attached... Again, thanks for the help!
 

Attachments

  • 04092010_183605.log
    4.7 KB · Views: 4
  • mbam-log-2010-04-09 (18-50-06).txt
    893 bytes · Views: 3
  • SUPERAntiSpyware Scan Log - 04-09-2010 - 19-53-32.log
    1 KB · Views: 2
Well, that didn't work very well! I thought you could get by without Combofix, but no: I can set the entries up for removal from that:
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double click on the setup file on the desktop to run
  • If prompted to download and install the Recovery Console, please do so.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If prompted to update, please allow.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
 
Ok... after a long day watching the Masters... LOL. Ready to nip this thing in the bud. ComboFix log attached.
 

Attachments

  • ComboFix.txt
    26.3 KB · Views: 4
I also did some Windows updates before I proceeded to use ComboFix... The update did include a malicious remover.
 
Please download GMER: Go to this site http://www.gmer.net/files.php and click on Download EXE. Save the file to your desktop
Two other links for the download should you need one:
Link 2
Link 3
  • Double click on downloaded .exe file on the desktop
  • Select Rootkit tab> click Scan
  • When scan is completed, click Save button, and save the results as gmer.log
This screenshot HERE will show you how the display will come up.

Warning ! Please, do not select the "Show all" checkbox during the scan.
Post the log.
 
Ran GMER and probably 10 minutes into it my computer went "Blue Screen", saying that Windows had to shut down to prevent any damage... then it restarted.
 
got it to work

Here is the GMER log file that you requested... It finally took on the second try.
 

Attachments

  • gmer log.log
    27 KB · Views: 4
Please download SystemLook from one of the links below and save it to your Desktop:
  • Double-click SystemLook.exe to run it.
  • A blank window will open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy the content of the following codebox into the main textfield :
    Code:
          :filefind
           atapi.sys
           afd.sys
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
Source: bleepingcomputer.com
 
Okay, we're going to back up for a minute. I don't want to start doing something with a file if it isn't needed. GMER shows 2 suspicious files but the first Combofix didn't indicate either of them. You can delete the exe file for Combofix on the desktop- the first log- then run Combofix again. I want to see if there's anything about 'atapi.'

After Combofix, please do this online AV scan:
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Are you actually having any computer system problems at this point? Redirects? Pop-ups and so on?
 
Hello

I am running the online scan right now. To answer your question about pop-ups... Yes, they started with Internet Explorer and have moved on to my Firefox. They just randomly pop up all the time now... 10-15 per day. I also noticed today that an Internet Explorer shortcut has been added to my desktop and I cannot remove it (after deleting it, it is back after reboot). Will send both of the logs as soon as the ESET Online Scanner is done... thanks
 
Still scanning, but found trojan.

WIN32/OLMARIK.WW Trojan has been found by the ESET online scanner. It's not even halfway done though and I'm 1hr 21min into it.
 
logs

Finally done with the ESET... here are the ComboFix and ESET logs
 

Attachments

  • combo fix log.txt
    30.8 KB · Views: 2
  • ESET.txt
    1.2 KB · Views: 3
Please repeat SystemLook (Post 11) but enter the code like this:

Code:
:filefind
atapi.sys
afd.sys

Sorry- this was my mistake.
 
It appears that you are also getting help in this forum: 04-09-2010, 10:56 PM. You received a reply which you have not acknowledged.
http://forums.extremeoverclocking.com/showthread.php?p=3671140

While we appreciate that you very likely posted at multiple forums in order to ensure a response, that only serves to tie up the time of multiple helpers who could be using that time to help someone else who also has problems. Although there are many forums that handle HijackThis logs, there are not so many helpers; most of us help out at several forums. In addition, the results may not work out so well when you're following different instructions from different helpers. They may suggest different approaches for the same problem, all of which may be good; however, system conflicts may arise if different fixes for the same problem are applied simultaneously.

In the future, for your sake as well as ours, please refrain from requesting help from multiple forums. Choose one, and stick with that one until they've resolved your problem.
 
Thanks

Thus far I've only been following directions from you. I was in a panic when this all began and didn't know where to turn for help. I make and sell a lot of music with my computer and it is my only source of income; losing productivity is not good for me. In the future I will definitely only go to one forum for help, now that I'm not a noob at going on these forums.
 
Okay. Consider letting the other forum helpers know that you are getting help elsewhere.

Custom CFScript

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the code below into it:
Code:
KillAll::
File::
C:\Windows\Mcecua.exe	
c:\users\spuratic\AppData\Local\temp
c:\users\TEMP\AppData\Local\temp
c:\users\TEMP.spuratic-PC\AppData\Local\temp
c:\users\Public\AppData\Local\temp
c:\users\Default\AppData\Local\temp

Folder::
c:\program files\LimeWire

Registry::
RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

Driver::

FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Can you give me any information about this program? It's related to music, but it appears a recent update had malware. I will look on their site if needed to see if the update caused problems for others.
E:\Downloaded Programs\Native.Instruments.Kontakt.VSTi.RTAS.v3.5-AiR\Kontakt 3.5 Update.exe
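The SystemLook `:filefind` step earlier in the thread and the `FCopy::` line in this CFScript both revolve around one idea: the installed atapi.sys should be byte-for-byte identical to the backup copy under ServicePackFiles, and a rootkit that patches the driver breaks that. The script below is an added example, not code from the thread or from any of the tools named in it: it walks a directory tree for the two driver names, hashes every copy found, and flags a name whose copies disagree. The directory layout and file contents are constructed in a temporary folder so it runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# The two driver names SystemLook was asked to locate.
WATCHED = {"atapi.sys", "afd.sys"}

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_drivers(root: Path, names=WATCHED):
    """Walk `root` the way :filefind does and return
    {name: [(path, size, sha256), ...]} for every copy found."""
    found = {n: [] for n in names}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            key = fn.lower()
            if key in names:
                p = Path(dirpath) / fn
                found[key].append((str(p), p.stat().st_size, sha256_of(p)))
    return found

def mismatched(found):
    """Names whose copies do not all share one hash: the installed driver
    differs from its backup, which is what the FCopy line repairs."""
    return sorted(n for n, copies in found.items()
                  if len({h for _, _, h in copies}) > 1)

def demo():
    """Constructed sample tree (assumption): a clean backup under
    ServicePackFiles and a modified installed copy under system32."""
    root = Path(tempfile.mkdtemp())
    backup = root / "ServicePackFiles" / "i386"
    drivers = root / "system32" / "drivers"
    for d in (backup, drivers):
        d.mkdir(parents=True)
    (backup / "atapi.sys").write_bytes(b"clean driver image")
    (drivers / "atapi.sys").write_bytes(b"clean driver image" + b"\x90" * 16)
    (drivers / "afd.sys").write_bytes(b"afd image")
    found = find_drivers(root)
    return mismatched(found), len(found["atapi.sys"]), len(found["afd.sys"])

if __name__ == "__main__":
    flagged, n_atapi, n_afd = demo()
    print("copies found: atapi.sys=%d afd.sys=%d" % (n_atapi, n_afd))
    print("inconsistent drivers:", flagged)
```

On a real system the same check is only meaningful when run from outside the infected OS (offline media), since a kernel-mode rootkit can present a clean image to any reader running under it.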
 
Cannot access internet now

I've run ComboFix and have the log, but am unable to run any internet program to post it... Internet Explorer, Firefox and Google Chrome all say: "Illegal operation attempted on a registry key that has been marked for deletion."
 
Correction

All of my programs on my computer will not open... "Illegal operation attempted on a registry key that has been marked for deletion." I'm not sure what to do and do not want to screw anything up.
 
Restart back to normal

I restarted my computer and can now access the internet... ComboFix file attached. Also, the program that you asked about is an old program that I do not need or use any more. I can uninstall/delete it if you would like, but will not take any action until told to do so. I also went on the other forum and asked them to close my issue/help request as I was getting help from other resources.
 

Attachments

  • ComboFix.txt
    24.8 KB · Views: 3