Spread the love! TechSpot Tech Gift Shortlist 2017

Another Backdoor.Tidserv.I!inf virus infected computer

By jturncoat ยท 5 replies
May 15, 2010
  1. ONE: I have norton 360 and have been receiving repeated notices of blocked attacks like the one below:

    Category: Intrusion Prevention
    Date & Time,Severity,Activity,Status,Recommended Action,Category,Risk Name,Attacking Computer,Destination Address,Source Address,Traffic Description,Attacker URL

    12/05/2010 11:15 PM,High,"An intrusion attempt by was blocked. Application path <path>\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE</path>",Blocked,No Action Required,,HTTPS Tidserv Request 2,", 443","OWNER-089EAD158 (, 4764)",,"TCP, https",

    TWO: I ran a scan on Safe Mode which listed the backdoor virus and inabilty to remove it.

    Category: Unresolved Security Risks
    Date & Time,Severity,Activity,Status,Recommended Action,Component,Definitions Version,ERASER Version,Risk Name,Risk Category,Risk Type,Risk State
    12/05/2010 11:47 PM,High,Backdoor.Tidserv!inf detected by Virus scanner,Manual Removal Required,Review risk details on Symantec Web site.,Virus scanner,2010.05.12.022,,Backdoor.Tidserv!inf,Virus,File Based,Not safe to remove

    THREE: I followed the 8 steps indicated at the top of this section. I have completed the scans and have inlcuded them with this message as well as the norton log scan.

    If someone can help me with this it will be most appreciated.

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    There is only one entry in the Norton log to be concerned about:

    12/05/2010 11:47 PM,High,Backdoor.Tidserv!inf detected by Virus scanner,Manual Removal Required,Review risk details on Symantec Web site.,Virus scanner,2010.05.12.022,,Backdoor.Tidserv!inf,Virus,File Based,Not safe to remove
    Manual Removal
    Download TDSSKiller. Extract the zipped file to your desktop.

    Go to Start ->Run. Type/Copy and Paste the following text into the prompt:
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
    • This will have the program write a detailed log
    • The screen will resemble this black screen:
    • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
    • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list..
    • You should get a screen like this:
    • A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).
    • Follow the prompts and attach the report to your next reply.
    Then please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
    Follow with Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Please include all logs with next reply.
  3. jturncoat

    jturncoat TS Rookie Topic Starter

    Thanks for your assistance to date.

    I have followed the next steps recommended with TDSS, ComboFix and Eset. The logs are attached for your reference.

    Can you let me know if any next steps are needed?


    Attached Files:

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Your logs are clean as a whistle! Are you experiencing anymore malware related problems?
  5. jturncoat

    jturncoat TS Rookie Topic Starter

    All is well at my end. Thanks again for your help. I read on another forum posting that the moderators don't accept donations for their services or for the continued operations of this site or its upkeep. If that policy changes, please let me know and in the meantime once again accept my sincere thanks not just for the looking into my problem but for all of us less technically nubile users of gadgetry.

  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    You're very welcome. Glad to help. As for donations, some sites do accept them, even encourage them, but this site does neither. All of us are volunteers and enjoy what we are doing. You can 'play it forward' sometime if you can help others out- not in this forum, but in one of the many other ones on the board where members ask for help.

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      [*]Choose Disc Cleanup
      [*]Click "OK" to select the partition or drive you want.
      [*]Click the "More Options" Tab.
      [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    I'll close this thread but let me know if you need help in the future.
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...