Solved Backdoor.Tidserv!inf strikes again - help please

Status
Not open for further replies.

jturncoat

Posts: 8   +0
I had this problem before and it seems to have come back for a repeat visit. Any help in getting it removed is appreciated:

I have attached the recommended logs as per the instructions at the beginning of the thread.

Thanks in advance
 

Attachments

  • DDS.txt
    8.6 KB · Views: 1
  • DDS Attach.txt
    11.3 KB · Views: 1
  • gmer.log
    8.1 KB · Views: 1
  • mbam-log-2010-06-17 (20-29-47).txt
    895 bytes · Views: 1
  • norton scan.txt
    1.5 KB · Views: 1
Why do you think this has returned? The only file found in the Norton scan is in the Qoobox. That's where Combofix puts the quarantined files. If you did the Combofix uninstall as directed, this would have been removed.

Please tell me what is happening that you suspect this infection has returned.

I'll check the rest of the logs, but need some info from you.

Edit: All these logs are clean.
 
Hi - I don't think I removed combofix from my system. I will do that and run another scan to see if this shows up.

Nothing new has happened to the computer, I just did my periodic scan and the backdoor virus showed up. I did not realise it was in quarantine.

Cheers
 
Follow up - I just tried to remove combofix using the recommended route, i.e. Start - Run - Combofix /Uninstall (with a space between the x and the /), but a dialogue box appears telling me that Windows cannot find Combofix and to make sure I typed it correctly. I did a search for combofix and two text documents appear in my C drive and C:\Qoobox but that is it.
 
Qoobox is where Combofix sends the files and folders it's quarantined. When Combofix is deleted correctly, the logs are deleted with it. It sounds like the program itself was uninstalled, but possibly not correctly, leaving this behind. Please delete these Qoobox files.

Run this scan and if it shows up here, I can move it for you:
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this in your post.
Leave the log in your next reply. I want the entire log, not just one line.
 
This log is clean. If all you have is the Combofix Qoobox file, you can delete it.

If malware problems have been resolved: Remove all of the tools we used and the files and folders they created (try the Combofix uninstall again). We have users remove the program when clean. You might have removed part of it in the past, damaged the uninstaller and left a few files on the system, or you may have run it on your own without guidance.
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

Let me know if I can be of more help.
 
Thanks again - I have followed all the instructions including the creation of a system restore point and emptying the recycle bin.

Cheers
 
You're very welcome! Glad to help. I'm leaving some tips to help you stay safe then I will close the thread.


Please follow these simple steps to keep your computer clean and secure:


Stay current on updates:
  • Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates: Windows XP > SP2, SP3.
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
  • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

Make Internet Explorer safer. Follow the suggestions HERE This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

Do regular Maintenance
  • Remove Temporary Internet Files regularly:
    • ATF Cleaner by Atribune
    OR
    • TFC
  • Disable and Enable System Restore:
    • See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.

Have layered Security:
  • Antivirus Software (only one): Both of the following programs are free and known to be good:
    • Avira Free
    • Avast Home
  • Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
    • Comodo
    • Zone Alarm
  • Antispyware: I recommend all of the following:
    • Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
    • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts files: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    • Google Toolbar: Get the free Google toolbar to help stop pop up windows.
 