Hacktool.Rootkit and Backdoor.Tidserv!inf

By Dough1397
Dec 8, 2008
  1. Hi, I've been having difficulty removing this virus from my computer. I also have a problem with Backdoor.Tidserv!inf

    Wondering if anyone could be of assistance. I'll include my HJT log, hopefully it is helpful. Let me know if anything else is req'd.

    I've followed the Symantec website instructions numerous times, only to have these both come back.

    The path of the infections is:


    C:\Documents and Settings\Nikesh\Local Settings\Temp\

    I hope that's a good starting point....

  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  3. Dough1397

    Dough1397 TS Rookie Topic Starter

    I've followed those instructions... although I disabled the Symantec AV, rather than uninstall...

    Starting today I've been getting these popups saying

    *filename.exe* - Bad Image
    The application or DLL *C:\Windows\system32\filename.dll* is not a valid Windows image. Please check this against your installation diskette.

    They have the red x to the left of the popup.... It's a Windows popup and not an internet one....

    Hope I can get some help with this, Thanks!
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    That's a contradiction
    You can't disable Norton, and I lost count at how many startups and services are presently running just for this one Program in your HJT log. I noticed that it didn't help in you getting the infection in the first place either!

    I can't stress enough to you to remove it, and use a far better Antivirus, like Avira which is also free ;) But if you reeeaally want it (Norton) then you will need to do this all over again one day (soon). By the way, Norton usually corrupts when a virus is found, how strange is that :confused:

    Anyway, I'll try to continue, please remove these from HJT log (ie tick and fix)
    Then, we really need to scan with an Antivirus! So do this:
    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
  5. Dough1397

    Dough1397 TS Rookie Topic Starter

    OK, so I guess you do have to tell me twice... I uninstalled Symantec AV, installed Avira, deleted those HJT reg keys... and I am going to start the Kaspersky thing in a sec...

    The purpose of this message is to ask, should I start the 8 steps again seeing how I uninstalled Symantec AV? I've run HJT again, attached is the log.

  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    No I wouldn't run the 8-step process in full again

    By the way I hope Kaspersky picks up these files
    If not just run HJT again and tick and fix this entry: (oh and after restart delete the two bolded files)
    By the way, as per norm, Symantec just doesn't want to let go!
    Please tick and fix the following entry in HJT too
    Once done run CCleaner again

    Then restart again, and supply all the logs :)
  7. Dough1397

    Dough1397 TS Rookie Topic Starter

    Looking good..... Avira is picking up a few things here and there, see the events.txt

    Thanks again :)

  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Had a quick look, and it looks good :grinthumb

    Please run CCleaner again to remove the 1 found Trojan in Temporary Internet Files
  9. Dough1397

    Dough1397 TS Rookie Topic Starter

    what about:

    O2 - BHO: (no name) - {b2ab05b8-e568-4e6e-8a30-d002bd7fb106} - C:\WINDOWS\system32\merilaro.dll (file missing)

    doesn't sound normal....
  10. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    All "File Missings" can be left doing nothing, or the entry removed
    Either way, it is not doing anything, and is not Malware (any longer ;) )
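
Added example (not part of the original thread, and not code from HijackThis): a short Python parser for O2 BHO lines like the one quoted in post 9, separating entries whose DLL is reported as "(file missing)" from entries whose DLL is still on disk. Only the first sample line comes from the thread; the other two are constructed, and the function names are this example's own.

```python
import re

# Layout of a HijackThis O2 (Browser Helper Object) line, as quoted in the thread:
#   O2 - BHO: <name> - {CLSID} - <dll path>[ (file missing)]
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# First line is the entry quoted in the thread; the other two are constructed.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {b2ab05b8-e568-4e6e-8a30-d002bd7fb106} - C:\WINDOWS\system32\merilaro.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
"""


def parse_o2(line):
    """Return the fields of one O2 line, or None if the line is not an O2 entry."""
    match = O2_LINE.match(line.strip())
    if match is None:
        return None
    return {
        "name": match.group("name"),
        "clsid": match.group("clsid").lower(),
        "path": match.group("path"),
        "file_missing": match.group("missing") is not None,
    }


def triage(log_text):
    """Split O2 entries into (orphaned, present).

    orphaned: the registry entry remains but the DLL is gone, so nothing loads.
    present:  the DLL is still on disk and the entry needs a closer look.
    """
    orphaned, present = [], []
    for line in log_text.splitlines():
        entry = parse_o2(line)
        if entry is None:
            continue  # other HijackThis sections (O4, O23, ...) are out of scope here
        (orphaned if entry["file_missing"] else present).append(entry)
    return orphaned, present


if __name__ == "__main__":
    gone, live = triage(SAMPLE_LOG)
    for e in gone:
        print("orphaned:", e["clsid"], e["path"])
    for e in live:
        print("present: ", e["clsid"], e["path"])
```
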
  11. Dough1397

    Dough1397 TS Rookie Topic Starter

    So is that it? Am I good or should I supply some more logs?

    Seemed pretty quick?!

    Also, is Avira the best? I dunnoh if I like it lol... it makes my computer beep loudly when it finds something. Any other recommendations?
  12. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    You are good to go. All done
    Avira is posted in the guide therefore tried and proved, worth keeping.

    Title: "Hacktool.Rootkit and Backdoor.Tidserv!inf" --- > Resolved

    Have a nice day :)
Topic Status:
Not open for further replies.
