Backdoor.Tidserv!inf trouble

[IronKnot]

Hi guys, I have recently been having trouble with this Backdoor.Tidserv!inf. It keeps redirecting my browser and is delivering incorrect search results when I do a search through Google or Yahoo. I have also noticed that my computer has been freezing randomly since getting this. I have done the 8 preliminary steps, however during the Avira scan stops at 74.1% on C:\WINDOWS\System32\drivers\rkhit.sys. I have tried manually removing this file, but it says that access is denied. I have also taken a look at other threads concerning this issue, but they did not help. I have attached all of the necessary logs as well. Any help is appreciated.

 

[Blind Dragon]

HI IronKnot,

Welcome to Techspot!

The first thing you should understand is that a backdoor gives unauthorized access to your computer. Though we can most likely clean the infection, I cannot guarantee that your personal information has not already been compromised. I suggest you read this thread Is your system infected? Read this before Cleaning or Formatting

After reading the above thread, if you still want to clean your system proceed below
======================================

Step 1:

TDSS special

• Click on Start, click Run, and then type devmgmt.msc and click OK
• On the View menu click on Show hidden devices
• Browse to Non-Plug and Play Drivers and you should see something like TDSSserv.sys you may also want to check the driver you listed above
• Highlight that driver and right click on it and select DISABLE
• Now RESTART your computer.
• After restart update avira and retry the scan

========================================

Step 2:

Run Smitfraudfix

• Download Smitfraudfix by S!ri from HERE
• Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
• Double-click SmitfraudFix.exe
• Select 2 and hit Enter to delete infected files.
• You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
• The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
• A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

==========================================

Step 3:

Run a fresh Hijackthis from normal mode

Come back and attach here:
1) rapport.txt
2) fresh hijackthis log

This thread is for the use of IronKnot only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[IronKnot]

Hey Blind Dragon, thanks for responding.

I disabled the tdsserv.sys driver and ran Avira again, but it still freezes at the same file. That particular driver did not show up in the list for me to disable it. I ran the fix you told me to download and ran a fresh hijack this, but the backdoor is still there. I attached the necessary reports.

 

[Blind Dragon]

Looks like we may end up doing at least part of this the hard way. No worries - just follow all instructions carefully and ask questions if you are unsure how to proceed at any point.

Disable Avira by right clicking in the system tray and uncheck Antivir Guard enabled

Combofix

• Download Combofix to your desktop.
• Double click combofix.exe & follow the prompts.
• A window will open with a warning.
• When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Combofix will automatically save the log file to C:\combofix.txt

 

[IronKnot]

I downloaded and ran combofix, however it did not save a log. I can run it again and submit a log just in case, but the problem is fixed! I am no longer having any trouble and everything is running well. I am still going to submit the hijackthis log just in case there is something there. Thank you so much for helping me. I was beginning to lose my mind with this thing!

 

[Blind Dragon]

Just a little more to go. I still see at least one thing we need to remove.

First - check c:\combofix.txt to see if it can be found there

 

[IronKnot]

There is no log there. Should I run it again and post the new log?

 

[Emre]

You sure there is no log in C:\ ? (there should be a notepad file, with the extension txt, named combofix - not in the folder named combofix but a combofix named word-notepad kind of document.) If there is none, i recommend running it again and saving the log to your desktop this time.

 

[IronKnot]

Reran combofix and it made a log this time. Also ran hijackthis again just in case.

 

[Blind Dragon]

Ok, little bit of work to do my friend.

Step 1
Show hidden files through windows explorer

• Access Windows Explorer by clicking Start, point to All Programs, Accesories, and then click Windows Explorer. Or hold the windows key and press E
• On the Tools menu in Windows Explorer, click Folder Options
• Click the View tab.
• Under Hidden files and folders, click Show hidden files and folders
• Remove the checkmark from the checkbox labeled Hide protected operating system files
• Remove the checkmark from the checkbox labeled Hide file extensions for known file types
• Put a checkmark in the checkbox labeled Display the contents of system folders.

=======================================

Step 2:
Upload a File to Virustotal
Please visit Virustotal found HERE

• Click the Browse... button
• Navigate to the file
  c:\windows\System32\uekbdd.exe
• Click the Open button
• Click the Send button
• Copy and paste the results back here please.

===========================================

Step 3:
FindAWF

Click here to download FindAWF.exe and save it to your desktop.

• Double-click on the FindAWF.exe file to run it.
• It will open a command prompt and ask you to Press any key to continue.
• Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
• It may take a few minutes to complete so be patient.
• When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
• Attach AWF.txt file in your next reply.

There will be more to come I need to see:
1) The Virustotal results
2) AWF.txt

 

[IronKnot]

There was no uekbdd.exe in that directory. I spent about 20 minutes trying to find it and I couldn't. I double checked that I had everything set to show hidden files and it still wasn't there. FindAWF ran perfectly.

 

[Blind Dragon]

Fix AWF Infection
Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

"C:\Program Files\AIM6\bak\aim6.exe"
"C:\Program Files\DellSupport\bak\DSAgnt.exe"
"C:\Program Files\Messenger\bak\msmsgs.exe"
"C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\bak\TransferAgent.exe"

• Double-click on the FindAWF.exe file to run it.
• It will open a command prompt and ask you to "Press any key to continue".
• Press 2 then Enter
• Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
• Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
• The program will proceed to move the legit files and will perform another scan for bak folders.
• It may take a few minutes to complete, so please be patient.
• When it is complete, it will open a text file in Notepad called AWF.txt.
• Please attach AWF.txt file in your next reply

 

[IronKnot]

Everything went well, attached the log.

 

[Blind Dragon]

Fix AWF Folders
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\PROGRA~1\AIM6\BAK
C:\PROGRA~1\DELLSU~1\BAK
C:\PROGRA~1\MESSEN~1\BAK
C:\WINDOWS\SYSTEM32\BAK
C:\PROGRA~1\HP\HPSOFT~1\BAK
C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
C:\DOCUME~1\ALLUSE~1\APPLIC~1\DELL\TRANSF~1\BAK

• Double-click on the FindAWF.exe file to run it.
• It will open a command prompt and ask you to "Press any key to continue".
• You will be presented with a Menu.
• Press 3, then press Enter.
• Press any key to continue.
• A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
• Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
• The program will proceed to remove the bad folders and will perform another scan for .bak folder
• It may take a few minutes to complete so be patient.
• When it is complete, it will open a text file in notepad called AWF.txt.
• Please attach the AWF.txt file in your next reply.

Run Fix AWF one more time and press 4, then press Enter.

 

[IronKnot]

It ran successfully, attached the log.

 

[Blind Dragon]

That got it,

Please run a fresh scan with combofix and attach the log here