Solved Another Backdoor.Tidserv.I!inf virus infected computer

Status
Not open for further replies.

jturncoat

ONE: I have Norton 360 and have been receiving repeated notices of blocked attacks like the one below:

Category: Intrusion Prevention
Date & Time,Severity,Activity,Status,Recommended Action,Category,Risk Name,Attacking Computer,Destination Address,Source Address,Traffic Description,Attacker URL

12/05/2010 11:15 PM,High,"An intrusion attempt by 91.212.226.59 was blocked. Application path \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE",Blocked,No Action Required,,HTTPS Tidserv Request 2,"91.212.226.59, 443","OWNER-089EAD158 (192.168.1.64, 4764)",91.212.226.59,"TCP, https",

TWO: I ran a scan in Safe Mode, which listed the backdoor virus and the inability to remove it.

Category: Unresolved Security Risks
Date & Time,Severity,Activity,Status,Recommended Action,Component,Definitions Version,ERASER Version,Risk Name,Risk Category,Risk Type,Risk State
12/05/2010 11:47 PM,High,Backdoor.Tidserv!inf detected by Virus scanner,Manual Removal Required,Review risk details on Symantec Web site.,Virus scanner,2010.05.12.022,109.2.3.12,Backdoor.Tidserv!inf,Virus,File Based,Not safe to remove

THREE: I followed the 8 steps indicated at the top of this section. I have completed the scans and have included them with this message as well as the Norton log scan.

If someone can help me with this it will be most appreciated.
 

Attachments

  • Attach.txt (13.3 KB)
  • DDS.txt (9.4 KB)
  • mbam-log-2010-05-14 (23-02-42).txt (896 bytes)
  • gmer.log.log (8.2 KB)
  • Norton History Log File.txt (120.7 KB)
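One way to triage a Norton 360 history export like the one quoted above, as an added example that is not part of the original thread and not Symantec's own tooling: a small Python parser that reads the sectioned CSV export, separates events the product already blocked from the ones it flagged for manual removal, and summarises the blocked connections by remote endpoint and originating process. The log layout (a "Category:" line, a header row, then one row per event) and the two events are taken from the post; the second intrusion row is constructed here to show how the repeated notices the poster describes are counted. The point a defender wants from such a log is the combination the two entries form: the intrusion-prevention module blocked an HTTPS callback that a legitimate system process (SVCHOST.EXE) was making, and the scanner reported the file-based component as "Not safe to remove", which is why the thread moves on to a dedicated rootkit remover rather than another scan.

```python
import csv
import re
from dataclasses import dataclass

# Constructed sample in the layout of the Norton 360 history export quoted in the
# post: a "Category:" line, a header row, then one CSV row per event. The first
# intrusion row and the unresolved-risk row are the two entries from the post;
# the second intrusion row is constructed here to show how repeats are counted.
SAMPLE_LOG = r"""Category: Intrusion Prevention
Date & Time,Severity,Activity,Status,Recommended Action,Category,Risk Name,Attacking Computer,Destination Address,Source Address,Traffic Description,Attacker URL

12/05/2010 11:15 PM,High,"An intrusion attempt by 91.212.226.59 was blocked. Application path \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE",Blocked,No Action Required,,HTTPS Tidserv Request 2,"91.212.226.59, 443","OWNER-089EAD158 (192.168.1.64, 4764)",91.212.226.59,"TCP, https",
12/06/2010 08:02 AM,High,"An intrusion attempt by 91.212.226.59 was blocked. Application path \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE",Blocked,No Action Required,,HTTPS Tidserv Request 2,"91.212.226.59, 443","OWNER-089EAD158 (192.168.1.64, 4801)",91.212.226.59,"TCP, https",

Category: Unresolved Security Risks
Date & Time,Severity,Activity,Status,Recommended Action,Component,Definitions Version,ERASER Version,Risk Name,Risk Category,Risk Type,Risk State
12/05/2010 11:47 PM,High,Backdoor.Tidserv!inf detected by Virus scanner,Manual Removal Required,Review risk details on Symantec Web site.,Virus scanner,2010.05.12.022,109.2.3.12,Backdoor.Tidserv!inf,Virus,File Based,Not safe to remove
"""

# The Activity cell embeds the local process that made the connection.
PATH_RE = re.compile(r"Application path\s+(\S+)")


@dataclass
class Event:
    section: str   # the "Category:" block the row came from
    fields: dict   # header name -> cell value


def parse_norton_history(text):
    """Parse the sectioned CSV export into Event records.

    Each "Category:" line starts a new section whose first non-empty line is
    that section's header row. Rows go through the csv module because cells
    such as "91.212.226.59, 443" contain commas inside quotes."""
    events, section, header = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Category:"):
            section = line.split(":", 1)[1].strip()
            header = None
            continue
        row = next(csv.reader([line]))
        if header is None:
            header = row
            continue
        row += [""] * (len(header) - len(row))   # tolerate a dropped trailing field
        events.append(Event(section, dict(zip(header, row[: len(header)]))))
    return events


def triage(events):
    """Split events into what still needs hands-on action and what was blocked.

    A risk marked "Manual Removal Required" / "Not safe to remove" means the
    product detected the infection but could not clean it, which is what the
    thread's rootkit-removal steps address."""
    needs_action = [e for e in events
                    if e.fields.get("Status") == "Manual Removal Required"
                    or e.fields.get("Risk State") == "Not safe to remove"]
    blocked = [e for e in events
               if e.section == "Intrusion Prevention"
               and e.fields.get("Status") == "Blocked"]
    return needs_action, blocked


def blocked_connections(events):
    """Summarise blocked intrusion-prevention events by remote endpoint.

    Returns {remote_ip: {"port", "signature", "process", "count"}}. A repeated
    outbound HTTPS attempt by SVCHOST.EXE is consistent with a rootkit hiding
    its traffic behind a legitimate system process, not with svchost itself
    being the malware, so the process path alone should not be "cleaned"."""
    summary = {}
    for e in events:
        if e.section != "Intrusion Prevention":
            continue
        ip, _, port = e.fields.get("Attacking Computer", "").partition(",")
        match = PATH_RE.search(e.fields.get("Activity", ""))
        entry = summary.setdefault(ip.strip(), {
            "port": port.strip(),
            "signature": e.fields.get("Risk Name", ""),
            "process": match.group(1) if match else "",
            "count": 0,
        })
        entry["count"] += 1
    return summary


if __name__ == "__main__":
    parsed = parse_norton_history(SAMPLE_LOG)
    needs_action, blocked = triage(parsed)
    for e in needs_action:
        print("NEEDS ACTION:", e.fields["Risk Name"], "-", e.fields["Risk State"])
    for ip, info in blocked_connections(blocked).items():
        print(f"BLOCKED x{info['count']}: {ip}:{info['port']} "
              f"{info['signature']} via {info['process']}")
```

To use it on a real export, read the saved history file into `parse_norton_history` instead of `SAMPLE_LOG`; sections the export names differently are still parsed, since the parser only relies on the "Category:" line followed by a header row.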
There is only one entry in the Norton log to be concerned about:

12/05/2010 11:47 PM,High,Backdoor.Tidserv!inf detected by Virus scanner,Manual Removal Required,Review risk details on Symantec Web site.,Virus scanner,2010.05.12.022,109.2.3.12,Backdoor.Tidserv!inf,Virus,File Based,Not safe to remove
===========================
Manual Removal
Download TDSSKiller. Extract the zipped file to your desktop.

Go to Start ->Run. Type/Copy and Paste the following text into the prompt:
Code:
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
  • This will have the program write a detailed log
  • The screen will resemble this black screen:
    [screenshot: 2663_5.jpg]

  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
  • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
  • You should get a screen like this:
    [screenshot: TDSSKillerResults.jpg]

  • A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).
  • Follow the prompts and attach the report to your next reply.
========================
Then please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename ComboFix unless instructed.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: ComboFix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If ComboFix asks you to install Recovery Console, please allow it.
  6. If ComboFix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with ComboFix.
=====================
Follow with Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please include all logs with next reply.
 
Thanks for your assistance to date.

I have followed the next steps recommended with TDSS, ComboFix and Eset. The logs are attached for your reference.

Can you let me know if any next steps are needed?

Thanks
 

Attachments

  • ComboFix log.txt (11.1 KB)
  • ESET log.txt (741 bytes)
  • TDSS report.txt (16.7 KB)
Your logs are clean as a whistle! Are you experiencing any more malware-related problems?
 
All is well at my end. Thanks again for your help. I read on another forum posting that the moderators don't accept donations for their services or for the continued operations of this site or its upkeep. If that policy changes, please let me know, and in the meantime once again accept my sincere thanks, not just for looking into my problem but for all of us less technically nubile users of gadgetry.

Cheers
 
You're very welcome. Glad to help. As for donations, some sites do accept them, even encourage them, but this site does neither. All of us are volunteers and enjoy what we are doing. You can 'play it forward' sometime if you can help others out- not in this forum, but in one of the many other ones on the board where members ask for help.

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    [screenshot: CF_Uninstall-1.jpg]
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


I'll close this thread but let me know if you need help in the future.
 