Hacktool.Rootkit and Backdoor.Tidserv!inf

  #1  
Old 12-08-2008
Newcomer, in training
 
Member since: Dec 2008, 6 posts
Hacktool.Rootkit and Backdoor.Tidserv!inf

Hi, I've been having difficulty removing this virus from my computer. I also have a problem with Backdoor.Tidserv!inf

Wondering if anyone could be of assistance. I'll include my HJT log, hopefully it is helpful. Let me know if anything else is req'd.

I've followed the Symantec website instructions numerous times, only to have these both come back.

The paths of the infections are:

backdoor.tidserv!inf
C:\WINDOWS\Temp\

Hacktool.rootkit:
C:\Documents and Settings\Nikesh\Local Settings\Temp\

I hope that's a good starting point....
Attached Files
File Type: log hijackthis.log (9.6 KB, 11 views)
  #2  
Old 12-08-2008
Ex-TechSpotter
 
Member since: Dec 2007, 18,354 posts
Have a look at:

UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions

Ideally un-install the troublesome Symantec (Norton) Antivirus, before doing so
  #3  
Old 12-10-2008
Newcomer, in training
 
Member since: Dec 2008, 6 posts
I've followed those instructions... although I disabled the Symantec AV, rather than uninstall...

Starting today I've been getting these popups saying

*filename.exe* - Bad Image
The application or DLL *C:\Windows\system32\filename.dll* is not a valid Windows image. Please check this against your installation diskette.

They have the red x to the left of the popup.... It's a Windows popup and not an internet one....

Hope I can get some help with this, Thanks!
Attached Files
File Type: txt mbam-log-2008-12-10 (21-53-54).txt (5.0 KB, 2 views)
File Type: log SUPERAntiSpyware Scan Log - 12-10-2008 - 22-19-31.log (5.6 KB, 1 views)
File Type: log hijackthis.log (10.1 KB, 1 views)
  #4  
Old 12-11-2008
Ex-TechSpotter
 
Member since: Dec 2007, 18,354 posts
Quote:
Originally Posted by Dough1397 View Post
I disabled the symantec AV, rather than uninstall...
That's a contradiction.
You can't disable Norton, and I lost count of how many startups and services are presently running just for this one Program in your HJT log. I noticed that it didn't help in you getting the infection in the first place either!

I can't stress enough to you to remove it, and use a far better Antivirus, like Avira, which is also free. But if you reeeaally want it (Norton) then you will need to do this all over again one day (soon). By the way, Norton usually corrupts when a virus is found, how strange is that.

Anyway, I'll try to continue, please remove these from HJT log (ie tick and fix)
Quote:
O4 - HKLM\..\Run: [CPM336919cb] Rundll32.exe "C:\WINDOWS\system32\rujamika.dll",a
O4 - HKLM\..\Run: [sowurovigi] Rundll32.exe "C:\WINDOWS\system32\tutatezu.dll",s
Then, we really need to scan with an Antivirus! So do this:
Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply

Last edited by kimsland; 02-22-2009 at 09:54 PM..
  #5  
Old 12-11-2008
Newcomer, in training
 
Member since: Dec 2008, 6 posts
OK, so I guess you do have to tell me twice... I uninstalled Symantec AV, installed Avira, deleted those HJT reg keys... and I am going to start the Kaspersky thing in a sec...

The purpose of this message is to ask, should I start the 8 steps again seeing how I uninstalled Symantec AV? I've run HJT again, attached is the log.


Thanks!
Attached Files
File Type: log hijackthis.log (9.1 KB, 1 views)
  #6  
Old 12-11-2008
Ex-TechSpotter
 
Member since: Dec 2007, 18,354 posts
No I wouldn't run the 8-step process in full again

By the way I hope Kaspersky picks up these files
If not, just run HJT again and tick and fix this entry: (oh and after restart delete the two bolded files)
Quote:
O20 - AppInit_DLLs: c:\windows\system32\rujamika.dll,C:\WINDOWS\system32\gefejobu.dll
By the way, as per norm, Symantec just doesn't want to let go!
Please tick and fix the following entry in HJT too
Quote:
C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
Once done run CCleaner again

Then restart again, and supply all the logs
  #7  
Old 12-11-2008
Newcomer, in training
 
Member since: Dec 2008, 6 posts
Looking good..... Avira is picking up a few things here and there, see the events.txt

Thanks again
Attached Files
File Type: log hijackthis.log (8.8 KB, 7 views)
File Type: txt kaspersky.txt (984 Bytes, 3 views)
File Type: txt Events.txt (1.7 KB, 1 views)
  #8  
Old 12-11-2008
Ex-TechSpotter
 
Member since: Dec 2007, 18,354 posts
Had a quick look, and it looks good

Please run CCleaner again to remove the 1 found Trojan in Temporary Internet Files
  #9  
Old 12-11-2008
Newcomer, in training
 
Member since: Dec 2008, 6 posts
what about:

O2 - BHO: (no name) - {b2ab05b8-e568-4e6e-8a30-d002bd7fb106} - C:\WINDOWS\system32\merilaro.dll (file missing)


doesn't sound normal....
  #10  
Old 12-11-2008
Ex-TechSpotter
 
Member since: Dec 2007, 18,354 posts
All "File Missings" can be left doing nothing, or the entry removed.
Either way, it is not doing anything, and is not Malware (any longer).
  #11  
Old 12-11-2008
Newcomer, in training
 
Member since: Dec 2008, 6 posts
So is that it? Am I good or should I supply some more logs?

Seemed pretty quick?!

Also, is Avira the best? I dunno if I like it lol... it makes my computer beep loudly when it finds something. Any other recommendations?
  #12  
Old 12-11-2008
Ex-TechSpotter
 
Member since: Dec 2007, 18,354 posts
You are good to go. All done
Avira is posted in the guide therefore tried and proved, worth keeping.

Title: "Hacktool.Rootkit and Backdoor.Tidserv!inf" --- > Resolved

Have a nice day
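
As an added example (not part of the thread and not HijackThis's own code), a small Python triage of the HijackThis entries quoted in the posts above: it flags Run keys that launch a DLL through rundll32, a populated AppInit_DLLs value and orphaned "(file missing)" BHO entries, then reports DLLs referenced from more than one section. The function names are hypothetical; the sample lines are the ones quoted in the thread.

```python
import re

# Log lines quoted in the posts above (HijackThis format: "<section> - <detail>").
SAMPLE_LOG = r'''
O2 - BHO: (no name) - {b2ab05b8-e568-4e6e-8a30-d002bd7fb106} - C:\WINDOWS\system32\merilaro.dll (file missing)
O4 - HKLM\..\Run: [CPM336919cb] Rundll32.exe "C:\WINDOWS\system32\rujamika.dll",a
O4 - HKLM\..\Run: [sowurovigi] Rundll32.exe "C:\WINDOWS\system32\tutatezu.dll",s
O20 - AppInit_DLLs: c:\windows\system32\rujamika.dll,C:\WINDOWS\system32\gefejobu.dll
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
'''

LINE_RE = re.compile(r'^(O\d+)\s+-\s+(.*)$')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.I)

def triage(log_text):
    """Return (section, reason, paths) for entries that deserve a manual look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, detail = m.groups()
        if section == 'O4':  # autostart (Run key) entries
            dll = RUNDLL_RE.search(detail)
            if dll:
                findings.append((section, 'autostart loads a DLL via rundll32', [dll.group(1).lower()]))
        elif section == 'O20' and detail.lower().startswith('appinit_dlls:'):
            # DLLs listed here are loaded into every process that loads user32.dll.
            dlls = [p.strip().lower() for p in detail.split(':', 1)[1].split(',') if p.strip()]
            if dlls:
                findings.append((section, 'AppInit_DLLs is populated', dlls))
        elif section == 'O2' and detail.endswith('(file missing)'):
            path = detail.rsplit(' - ', 1)[1][:-len('(file missing)')].strip().lower()
            findings.append((section, 'orphaned BHO entry, target file is gone', [path]))
    return findings

def recurring_dlls(findings):
    """DLLs referenced by more than one section, e.g. a Run key and AppInit_DLLs."""
    seen = {}
    for section, _, paths in findings:
        for p in paths:
            seen.setdefault(p, set()).add(section)
    return sorted(p for p, secs in seen.items() if len(secs) > 1)

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f)
    print('referenced from several sections:', recurring_dlls(triage(SAMPLE_LOG)))
```

Paths are lower-cased before comparison because the same file appears in the log with different casing (`c:\windows` and `C:\WINDOWS`).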