Solved Backdoor.Tidserv!inf Help

See if you can run GMER:

Please download GMER: go to this site http://www.gmer.net/files.php and click on Download EXE. Save the file to your desktop.
Two other links for the download should you need one:
Link 2
Link 3
  • Double click on downloaded .exe file on the desktop
  • Select Rootkit tab> click Scan
  • When scan is completed, click Save button, and save the results as gmer.log
This screenshot HERE will show you how the display will come up.

Warning! Please do not select the "Show all" checkbox during the scan.
Post the log.

When I see this log, it should give me the information I need to move the offender so that the system will work.

EDIT: you got your log up at the same time I was posting this. Go ahead with the GMER scan; it is still needed. Okay to remove the old program I asked about. Please reboot the computer after the uninstall. Don't run any other cleaning or scanning programs except for GMER.
 
Guess we were posting at the same time!
Custom CFScript

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the code below into it:
Code:
File::
c:\users\spuratic\AppData\Roaming\LimeWire
c:\users\spuratic\AppData\Local\LWEEECLF
C:\Users\spuratic\AppData\Local\LWEEECLF\StartServ ice.exe
c:\users\spuratic\AppData\Local\temp
c:\users\TEMP\AppData\Local\temp
c:\users\TEMP.spuratic-PC\AppData\Local\temp
c:\users\Public\AppData\Local\temp
c:\users\Default\AppData\Local\temp
c:\windows\system32\drivers\iszlwgpg.sys 
c:\windows\system32\drivers\kehjqfmc.sys
c:\windows\system32\drivers\sjjxelxm.sys
c:\windows\system32\drivers\uptbxaau.sys
c:\windows\system32\drivers\vnptgxss.sys

Folder::
c:\program files\MSECACHE
c:\program files\Windows Installer Clean Up
c:\program files\Common Files\Native Instruments
c:\program files\Native Instruments

Registry::

Driver::
iszlwgpg
kehjqfmc
sjjxelxm
uptbxaau
vnptgxss

FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.
====================
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    TpChoice.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
=======================================
Questions:
You have an entry that could mean 2 different things> one legit, one bad:
c:\users\spuratic\AppData\Roaming\AVP 2009
Is this game 'Alien vs Predator 2009'?

There are 2 drivers indicating they are old or no longer used:
"HWSetup">> Description: Toshiba utility that allows you to change various hardware settings on your computer.
"NDSTray.exe">> Description: ConfigFreeT Tray on a Toshiba laptop. Tray utility for their network switching application which permits switching network devices and settings with a click on the tray icon.
They are both legitimate entries- but showing old or inactive. Do you use these 2 processes?

We're almost through.
 
Thank you

I'm not a gamer, so that Alien vs Predator is not mine, lol. I have a question about the ComboFix before I do it: I see it says something about Native Instruments. There are a few that I still use in that folder. I just wanted to know if it's going to wipe my computer clean of those files, so I remember to reinstall the 2 I use.
 
I guess I misunderstood: I asked about this:
E:\Downloaded Programs\Native.Instruments.Kontakt.VSTi.RTAS.v3.5-AiR\Kontakt 3.5 Update.exe

Because there was malware in the update. You answered:
Also the program that you asked about is an old program that i do not need or use any more. I can uninstall/delete if you would like, but will not take any action until told to do so.

If I misunderstood and you do not want to remove it, just omit the following 2 entries in Folder in the script:
c:\program files\Common Files\Native Instruments
c:\program files\Native Instruments

The alternative to 'Alien vs Predator' was Antivirus 2009, the bad entry, so we'll need to include it in the script. If it's not too confusing, add this line to the script Code box in the File section:
c:\users\spuratic\AppData\Roaming\AVP 2009

Edit: regarding your comment about wiping the computer, I'm not planning on that. I hope you weren't either or that it doesn't come to that. You have made a lot of progress.
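As an added example (not part of this thread, and not ComboFix's own code), a small Python checker for the CFScript layout used above and adjusted in this reply: it parses the File::, Folder::, Driver:: and FCopy:: sections and, as a review heuristic of my own, flags Driver:: names with no matching .sys entry under File:: (and the reverse) plus FCopy:: lines that are not a 'source | destination' pair. The embedded sample script is constructed from a few entries in this thread, including the AVP 2009 line added above; the third driver is deliberately left without a File:: entry to show a warning.

```python
import re

# Constructed sample modelled on the CFScript in this thread (a subset of its entries).
SAMPLE_CFSCRIPT = r"""File::
c:\windows\system32\drivers\iszlwgpg.sys
c:\windows\system32\drivers\kehjqfmc.sys
c:\users\spuratic\AppData\Roaming\AVP 2009
Driver::
iszlwgpg
kehjqfmc
sjjxelxm
FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
"""

# A section header is a bare word ending in "::"; its entries follow until the next one.
SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")

def parse_cfscript(text):
    """Group each non-empty line under the most recent 'Name::' header."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections

def check_consistency(sections):
    """Heuristic review: Driver:: names pair with File:: .sys entries (and back); FCopy:: is 'src | dst'."""
    warnings = []
    sys_files = {p.lower().rsplit("\\", 1)[-1][:-4]
                 for p in sections.get("File", []) if p.lower().endswith(".sys")}
    drivers = {d.lower() for d in sections.get("Driver", [])}
    for name in sorted(drivers - sys_files):
        warnings.append(f"Driver:: {name} has no File:: entry for {name}.sys")
    for name in sorted(sys_files - drivers):
        warnings.append(f"File:: {name}.sys has no Driver:: entry for its service")
    for line in sections.get("FCopy", []):
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 2 or not all(parts):
            warnings.append(f"FCopy:: line is not 'source | destination': {line}")
    return warnings
```

Run `check_consistency(parse_cfscript(open("CFScript.txt").read()))` on a real script before dragging it onto ComboFix; an empty list means no pairing or FCopy problems were found.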
 
Will do

Sorry about the confusion. The Native Instruments folder holds many VST plug-ins that go to my music software, a lot of freeware and some bought; most of the free ones I don't use (this being one of them). I will run ComboFix now without that folder included and add the Alien vs Predator.


Edit: I can see now that we are close...my computer has had 0 pop-ups today :)
 
Here are the logs

I also deleted the files that were in the Native Instruments locations that we were talking about.
 

Attachments:
  • ComboFix.txt (24.5 KB)
  • SystemLook.txt (800 bytes)
Okay! Looking good. There is one file that won't move and I haven't been able to ID it, so I'd like you to submit it as follows. Leave the log, and if it's clean I'll begin having you remove the cleaning tools and set a new restore point.

Please go to http://www.virscan.org/
Submit this Suspicious file(s) to scan: > browse or upload:

c:\users\spuratic\AppData\Local\LWEEECLF\StartServ ice.exe

  1. You can UPLOAD any files, but there is a 20Mb limit per file.
  2. VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
  3. VirSCAN can scan compressed files with password 'infected' or 'virus'.

If this site isn't accessible, you can use either of these: you only need to submit to one of the sites:
http://virusscan.jotti.org/en
http://www.virustotal.com/


Are you noticing any of the original system problems?
 
Empty

When I go to folder c:\users\spuratic\AppData\Local\LWEEECLF there is nothing in there. I do not see the "StartServ ice.exe" file?


The folder is empty as well.
 
Do a right click> Delete on the folder.
Do the following today or wait another day if you want- it appears that the original problems have been resolved.

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    [image: CF_Uninstall-1.jpg]
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Please let me know if I can be of further help.
 
Thank you very much!

My computer is actually better than it was before I got the virus. I appreciate all the time and patience that was put into helping me with my computer issues. If you would like to let me know where I can go to donate for the help I received, please let me know.

Thanks,

Spuratic
 
You're welcome- glad to help.

About donations: some sites do ask for donations. TechSpot does not, nor do they accept it. What you can do, though, is look in the other forums and offer help to others if you can. Many of us learn from the experience of others. You did a good job! Here are some tips to help you stay clean.

Please follow these simple steps to keep your computer clean and secure:
1.Disable and Enable System Restore: See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.
2.Stay current on updates:
  • Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates.
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
  • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
3.Make Internet Explorer safer. Follow the suggestions HERE This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.
4.Remove Temporary Internet Files regularly: Use ATF Cleaner by Atribune or TFC
5. Use an AntiVirus Software (only one)
See Virus, Spyware, and Malware Protection and Removal Resources

6. Use a good, bi-directional firewall (one software firewall). I recommend either of these software firewalls; both are free and good:
Comodo or Zone Alarm
7.Consider these programs for Extra Security
  • Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
  • IE/Spyad This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts files This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar Get the free google toolbar to help stop pop up windows.

If I can be of further assistance, please let me know.
 