Backdoor.Tidserv!inf need help

By obelib
May 3, 2010
Topic Status:
Not open for further replies.
  1. The other day I was researching for a class on Google. I randomly clicked on a link and a download popup appeared for a fraction of a second (not fast enough to cancel). I thought it was just a PDF at first, but while I continued research, Antimalware Doctor began its deceptive tricks. I followed the process for removing it, but before I ran the Mbam scan for it, my Norton blocked 2 keyloggers and detected a trojan. Regretfully, I have Norton. I now need to manually remove it.
    I have 2 of the 3 logs in the 8 steps.
    I would supply the 3rd but every time I run GMER, it crashes (GMER crashes, not the computer).
    Any help is appreciated :) thanks

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    Try GMER with "Devices" unchecked in the right pane.
    If it still doesn't work, try running GMER in Safe Mode.
    =================
    Then run this:
    Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename Combofix unless instructed.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double click combofix.exe & follow the prompts to run.
       NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If Combofix asks you to install Recovery Console, please allow it.
    6. If Combofix asks you to update the program, always allow.
       Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    7. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    ========================
    Then Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
  3. obelib

    obelib Newcomer, in training Topic Starter

    I am running GMER now. I will get all the logs requested posted ASAP.
    But in the first post I forgot to mention, every time I start up my computer I get a Windows "Entry Point Not Found" pop up:
    AirGCFG.exe - entry point not found
    the procedure entry point apsSearchInterface could not be located in the dynamic link library wlanapi.dll

    WZCSLDR2.exe - entry point not found
    the procedure entry point apsGetMIB could not be located in the dynamic link library wlanapi.dll

    These did not display before Norton discovered this trojan. I do not know if it is relevant though.
  4. obelib

    obelib Newcomer, in training Topic Starter

    Is 8 hours to run GMER normal?
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    If GMER does not finish, try running it in Safe Mode or with 'Devices' unchecked on the right screen. When GMER has finished, please run the following:

    Download TDSSKiller. Extract the zipped file to your desktop.

    Go to Start ->Run. Type/Copy and Paste the following text into the prompt:
    Code:
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
    • This will have the program write a detailed log
    • The screen will resemble this black screen:
    [image]
    • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
    • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
    • You should get a screen like this:
    [image]
    • A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).
    • Follow the prompts and attach the report to your next reply.
    ==========================
    Follow with ComboFix from Here and save to your Desktop.

    1. Do NOT rename Combofix unless instructed.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double click combofix.exe & follow the prompts to run.
       NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If Combofix asks you to install Recovery Console, please allow it.
    6. If Combofix asks you to update the program, always allow.
       Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    7. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.

    Please leave all logs in your next reply.
    I will have you remove any of the entries that are left in both HijackThis and Combofix.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    By the way, AirGCFG.exe & WZCSLDR2.exe are components of your wireless network card. Occasionally, the D-Link utility doesn't install properly and conflicts with Windows' built-in utility (only one utility can manage your wireless connections). I suggest you uninstall the D-Link software if you're running XP SP2 or later, or Vista. If you prefer the D-Link software, uninstall the old software and download and install the latest utility for your card from http://support.dlink.com/downloads/
  7. obelib

    obelib Newcomer, in training Topic Starter

    During the GMER scan, it completed the scan but froze like always, so I waited until it detected the same files and saved the log.
    And on the first run of Combofix, when it was creating the log my computer black screened, so I restarted and got the log from running it again.
    I don't know if this is necessary, just telling you in case it is important.
    And another symptom I forgot to mention is that my computer's usage spikes to 100% and everything slows down severely; this happens randomly.

    Attached Files:

  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    You are running both Avast and Norton. Please remove one of them: Tools to help:
    Norton Removal Tool
    Avast Removal
    Download and run only the removal for the programs you are not going to keep.
    =====================
    You are using 2 file sharing programs, BitLord and uTorrent. I recommend that you uninstall them both. If you choose not to, please do not use them while I am helping clean the system. Here are the reasons:
    • Even if you are using a "safe" P2P program, it is only the program that is safe.
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.
    Please read the information on P2P Warning to help you better understand these dangers.
    =============================
    When this happens, open the Task Manager> Processes tab> Double click in the top frame of the CPU column to sort in descending order. Look for the process using high CPU. Normal use will show for System, System Idle and taskmgr. Search for what that process is.
    =====================
    You have only 8.5% of the system resources free. You should be running as close to 80% as possible. This is a good time to uninstall any programs you no longer use or need. Check in Add/Remove Programs in the Control Panel.
    ====================
    Have you noticed any improvement in the system since running the programs? Let me know what remains. I'd like to see the log from the Eset scan. Please run a scan with HijackThis:

    Download HijackThis HERE and save it.
    • Double-click on the saved file.
    • When it runs it will prompt you to extract hijackthis.exe to C:\Program Files\Trend Micro\HijackThis.
    • When the installation has finished. HijackThis will automatically launch.
    • When the license agreement appears, select I accept and then click on the Do a system scan only button.
    • When the scan is complete, click on the Save Log button to create a log of your information.
    • Paste the log into your next reply.
  9. obelib

    obelib Newcomer, in training Topic Starter

    I have not used the torrent programs but once, and it wasn't recently. I will promptly remove those though :)
    I haven't really noticed anything different. But the only thing was the random spiking of my CPU usage when nothing was running on my desktop, and blue screening because of it. That only happened recently when I ran the GMER scan though. Everything else seems fine.
    Here is the HijackThis log.

    Also, I did not have both the antiviruses running at the time; I downloaded Avast to try a fix for this my friend suggested, but I have it uninstalled now.

    Attached Files:

  10. obelib

    obelib Newcomer, in training Topic Starter

    *removed*
    double post
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    Please run Combofix again after you have removed one of the antivirus programs. Please note that we ask that all security be disabled when running Combofix; that means antivirus, firewall and antimalware programs. Once the program is on your desktop, you can safely go offline to run it without the security programs running.

    Please reopen HijackThis to 'do system scan only.' Check each of the following if present:
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.9.0\ViewBarBHO.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll
    O4 - S-1-5-18 Startup: PowerReg Scheduler V3.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: PowerReg Scheduler V3.exe (User 'Default user')

    (Note: The PowerReg Scheduler is added by the PowerReg adware program.)
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
    O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe

    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


    Optional: GoToAssist allows their support personnel to "Instantly view and control customer computers with secure, easy-to-use GoToAssist® remote-support technology."
    Since you are posting the problem on a free internet computer forum, it would appear that you do not use this service and do not need it to run. This is a legitimate entry and removal is optional. If you do decide to stop it, the Service Startup entry should be disabled.

    Close all windows except for HijackThis and click on "Fix Checked."
    =========================
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ====================================
    Regarding file sharing programs and malware: it only takes one time to have the system get infected. As long as uTorrent and BitLord are installed on your system, you are vulnerable.

    I notice you have an entry in Documents and settings for Application Data\PopCap. You should know that the PopCap games have a high record of leaving malware on systems.
    =========================
    If you find the system slow, take all of the media programs off of Startup, then call the program up as you need it:
    Real Player
    Cyberlink
    MusicMatch
    WinAmp
    Samsung Media
    Picasa
    iTunes
    HP Imaging
    Kodak camera
    iPod
    Nero
    Sonic
    QuickTime

    Please leave the new Combofix report and Eset online scan log in your next reply.
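A small triage script for HijackThis log lines like the ones listed in this post, added here as an example; it is not part of the original thread and not HijackThis's own code. The sample lines are the ones quoted above, and the watchword list (Viewpoint, PowerReg) is a constructed assumption taken from the helper's own remarks, not a vendor signature database.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the HijackThis lines quoted in the post above, including
# the HP and GoToAssist entries the helper called legitimate or optional.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.9.0\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll
O4 - S-1-5-18 Startup: PowerReg Scheduler V3.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

# Assumed watchlist built from what the helper flagged as adware in this thread.
WATCHWORDS = ("viewpoint", "powerreg")

LINE_RE = re.compile(r"^([RFO]\d+) - ([^:]+): (.*)$")   # "O2 - BHO: ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\.+$")                  # drive-letter path to end of line


@dataclass
class Entry:
    section: str                  # "O2", "O4", "R3", ...
    kind: str                     # "BHO", "Toolbar", "S-1-5-18 Startup", ...
    body: str                     # everything after the kind
    clsid: Optional[str]          # COM class id, if the line carries one
    path: Optional[str]           # on-disk path, if the line carries one
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Split one HijackThis log line into section, kind, CLSID and path."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, body = m.groups()
    clsid = CLSID_RE.search(body)
    path = PATH_RE.search(body)
    return Entry(section, kind, body,
                 clsid.group(0).upper() if clsid else None,
                 path.group(0).strip() if path else None)


def triage(entry: Entry, watchwords=WATCHWORDS) -> Entry:
    """Attach the reasons a reviewer would single this entry out, if any."""
    low = entry.body.lower()
    if "(no file)" in low:
        entry.reasons.append("orphan: registry still points at a file that is gone")
    if entry.section == "O4" and entry.kind.startswith(("S-1-5-18", ".DEFAULT")):
        entry.reasons.append("startup item in the SYSTEM/.DEFAULT profile (runs before logon)")
    for word in watchwords:
        if word in low:
            entry.reasons.append(f"matches watchword '{word}'")
    return entry


def triage_log(text: str, watchwords=WATCHWORDS) -> List[Entry]:
    """Parse a whole log; every entry is returned, flagged ones carry reasons."""
    entries = [parse_line(l) for l in text.splitlines() if l.strip()]
    return [triage(e, watchwords) for e in entries if e is not None]
```

Running `triage_log(SAMPLE_LOG)` flags the orphaned R3 hook, the three Viewpoint entries and both PowerReg startup items, and leaves the HP and GoToAssist lines unflagged for the reviewer to judge.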
  12. obelib

    obelib Newcomer, in training Topic Starter

    I will begin scans now.
    But another thing has displayed itself. Today when I logged onto my computer it said my hard drive has insufficient space. Following this, a message was displayed on the screen saying I have 1 MB out of a 145 GB drive. I did not install anything since yesterday and I had at least 20 GB open then.
    Also ESET will not download. It gets past the accept terms window, then it doesn't load the next screen.
  13. obelib

    obelib Newcomer, in training Topic Starter

    Since I cannot run ESET I will just post Combofix until further instructed.
    I also ran HijackThis and "fixed checked" (all were present except C:\Program Files\Viewpoint\Common\ViewpointService.exe), but when I did so I ran the scan again and
    "O4 - S-1-5-18 Startup: PowerReg Scheduler V3.exe (User 'SYSTEM')" and
    "O4 - .DEFAULT Startup: PowerReg Scheduler V3.exe (User 'Default user')" still appeared.

    Thank you very much for your time and patience with me Bobbye :)

    Attached Files:

  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    When you ran the first scans, DDS shows: C: is FIXED (NTFS) - 146 GiB total, 12.668 GiB free. That is approximately 8.7% free. You should be as close to 80% as possible. That is a big difference.

    All the programs I listed if you are slow are installed and running. The 'installed' part is your hard drive and the 'running' part is your RAM. Taking the programs off of startup will free up RAM.

    You also have to reboot Windows occasionally. And you need to review Add/Remove Programs and uninstall anything you no longer use. Uninstalling will free up the hard drive.
    ========================
    Custom CFScript

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\program files\DellSupport\DSAgnt.exe
    c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
    c:\program files\HP\HP Software Update\HPWuSchd2.exe
    c:\dell\bldbubg.exe
    c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
    c:\\Program Files\\VirtualDJ\\virtualdj_trial.exe
    
    DDS::
    uURLSearchHooks: H - No File
    uURLSearchHooks: H - No File
    mURLSearchHooks: H - No File
    BHO: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - No File
    BHO: {7FCEE6E5-22F6-1945-3DE8-30305AB1EE6B} - No File
    BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - No File
    BHO: {A7327C09-B521-4EDB-8509-7D2660C9EC98} - No File
    BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - No File
    BHO: {D4ABD9B5-83ED-4157-BDFF-2080AE859906} - No File
    BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
    BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File
    BHO: {FE64DB3C-5598-46E8-A21C-EAFECB02F913} - No File
    BHO: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - No File
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.9.0\IEViewBar.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
    mRun: [BuildBU] c:\dell\bldbubg.exe
    mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    
    Folder::
    c:\documents and settings\All Users\Application Data\Alwil Software
    c:\program files\Norton Support
    c:\program files\Alwil Software
    
    Registry::
    Driver::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    This will help a little. When you finish, please reboot the system and try to run the Eset scan again.
  15. obelib

    obelib Newcomer, in training Topic Starter

    I have been cleaning up my hard drive but yesterday it went from being around 20 gigs to 15 MB, and I don't have any idea how this happened. So I cleared out some other files that I wasn't using and it says I have 20 gigs now. Also I was looking at my files, and in Documents and Settings it gave me a total of 31 between the two users and the admin account. But in All Users it said 40 gigs, and when I opened and checked all the folders in it, it said 4 gigs.

    Attached Files:

  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    Part of the Combofix report is missing. Find the log and open it. Look for the Find3M Report section. Go to the end of it and copy all of the rest. Paste it into the next reply.

    You can't count bits and pieces of files and folders and expect them to add up exactly. 20GB out of 145GB is still only 13.7%. If you plan on using this system for a while, I suggest you move everything you can to an external hard drive. I moved a lot of junk off, but unless you use overwriting software like Erase, it is still on the hard drive until it gets overwritten by the system.

    Did you try running Eset again?
  17. obelib

    obelib Newcomer, in training Topic Starter

    What is posted in the log is the only thing that appears in the log on my computer. And also, I'm trying to delete uTorrent, but it says it is currently running, but I know for a fact neither account has it open when I try to delete it.
    Also Eset continues to fail right after the first page of the popup.
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    It sounds like you are just out of space! I can have you remove all of the cleaning tools but that's not going to solve your problem:

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [image]
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    See if Eset will scan now.