
backdoor.tidserv!inf

I picked up this trojan yesterday and Norton's action was "Review" and requires manual removal. I am new at this and I do not know how to remove it manually. The location of the trojan is c:\documents and settings\owner\local settings\temp\tdss3671.tmp. My Norton version is 15.0.0.58 and I am using XP 2. Can anyone help me fix this problem? I have tried scanning in Safe Mode but that did not work.

Replies


Re: backdoor.tidserv!inf

Removal instructions for Backdoor.Tidserv!inf: http://www.symantec.com/en/uk/security_response/writeup.jsp?docid=2008-111113-1112-99&tabid=3.

You can also Upgrade to N.I.S. 2009, using the Remaining Days of your Norton 2008 Product.

http://www.symantec.com/home_homeoffice/support/special/upgrade2007/vista/select_product.jsp?site=nuc

Upgrading instructions for Norton 2006 Products and Later:

01. Select your Product and Version, from the Web Link (above).

02. Save the Download on your Desktop.

03. Save your Product Key (www.mynortonaccount.com; http://service1.symantec.com/SUPPORT/custserv.nsf/docid/20020610105504925?Open&src=sym).

04. Disconnect from the Internet.

05. Go to Add/Remove.

06. Locate "Norton Internet Security/Norton AntiVirus (Symantec Corporation)" and click on "Remove".

07. Follow the instructions and, when asked to, restart your computer.

08. Return to Add/Remove upon start-up.

09. Click on LiveUpdate, then "Remove", and do the same for any other LiveUpdate entry.

10. If requested, re-start your computer.

11. Double-click on the Saved N.I.S./N.AV. File on your Desktop.

12. Follow the instructions.

13. Open Norton Internet Security or Norton AntiVirus and "Run [Norton] LiveUpdate" manually.

14. It is now Safe to Connect to the Internet again.

15. If you notice things not running right with N.I.S. 2009/N.AV. 2009, it may be a bug; please Post them here [in the Forum].

16. If you have other Norton products, then you can re-install LiveUpdate, or, if you have used the N.R.T., you can re-install your other Norton product(s); if you do not have the disc, then you can re-download it via the trialware. Norton SystemWorks users have had a patch released so that updates are received through Norton LiveUpdate, i.e. your Norton Internet Security 2009 product.

17. If you have problems un-installing/installing, then use the Norton Removal Tool.

Thursday, November 21, 2013: The THREATCON was changed to Level 1: Normal | Tue., Nov. 05, 2013: Zero-Day Vulnerability: Microsoft Security Advisory 2896666 | Saturday, November 09, 2013: Cyber-Criminals Serve Up A Veritable Smorgasbord Of Threats For South Koreans | Wednesday, October 09, 2013: New Internet Explorer Zero-Day Targeted In Attacks Against Korea And Japan [C.V.E.-2013-3897]

Re: backdoor.tidserv!inf

I tried this solution and it did not work; I still have the Trojan. Below is the export from Norton.

Scan Stats:
  Scan Time: 3870 seconds
  Scan Options:
  Scan Targets: C:
  Counts:
   Total items scanned: 356,905
   - Files & Directories: 355,657
   - Registry Entries: 252
   - Processes & Start-up Items: 866
   - Network & Browser Items: 124
   - Other: 5

   Total security risks detected: 1
   Total items resolved: 0
   Total items that require attention: 1

Resolved Threats:


Unresolved Threats:
Backdoor.Tidserv!inf
 Virus ID: 38565
 Type: Anomaly
 Risk: High (High Stealth, High Removal, High Performance, High Privacy) 
 Categories: Virus
 State: Review
 -----------
 1 File
c:\documents and settings\owner\local settings\temp\tdss3671.tmp - Failed


Re: backdoor.tidserv!inf

Did you try the full scan in Safe Mode?

Quads 


Re: backdoor.tidserv!inf

yes

Re: backdoor.tidserv!inf

In Safe Mode the only thing different is that the error message does not show up, but the results are the same: Review and remove manually.

Re: backdoor.tidserv!inf

Are you now running NAV/NIS 2009?
Real Time Protection = NIS 2009 + NAT
Behavior Analysis = Threatfire
On Demand = MBAM

Re: backdoor.tidserv!inf

Hi. Try downloading Malwarebytes' Anti-Malware, install it, update it and run it in Safe Mode. If that doesn't work:

Download HijackThis, install it, run it, and find these entries in the list:

O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - S-1-5-18 Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'SYSTEM')
O4 - .DEFAULT Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')

Place a tick beside each one and then click Fix.

Using Regedit to delete the entries: click Start, then Run, type "regedit" and click OK. Navigate to and delete the following registry entries (be careful):

HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\"build" = "standart"
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\"serversdown" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\"type" = "popup"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata\"affid" = "39"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata\"asubid" = "v2test7"

Navigate to and delete the following registry subkeys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSServ
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSServ.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSServ.sys
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\version
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\connections
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\injector

Exit the Registry Editor and restart the PC.

Quads
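A way to automate the two checks in the post above (the HijackThis O4 lines and the TDSS registry indicators), as an added example that is not part of the original post and not a Symantec or HijackThis tool. It parses HijackThis-style O4 lines with two heuristics drawn from the entries listed (an svchost.exe anywhere other than system32, and a startup item that runs a script out of a Temp folder) and matches a registry snapshot against the key and value names in the post. The sample log lines and the snapshot are constructed for the demo; the ImagePath value under the TDSServ key is an assumption, and reading the real registry (the winreg module on the affected XP machine) is not shown.

```python
"""Triage of the two indicator sets in the post above: HijackThis O4 lines and
the TDSS registry keys/values. Added example for this thread, not a Symantec or
HijackThis tool. SAMPLE_LOG and SAMPLE_SNAPSHOT are constructed for the demo,
modelled on the entries quoted above; the ImagePath value is an assumption."""
import re
from dataclasses import dataclass

# O4 - HKCU\..\Run: [NAME] C:\path\file.exe args
O4_RUN = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[[^\]]*\]\s*(?P<target>.*)$", re.I)
# O4 - <scope> Startup: NAME.LNK = C:\path\file.bat (User 'X')
O4_STARTUP = re.compile(r"^O4 - .+? Startup: [^=]+? = (?P<target>.*?)(?: \(User '[^']*'\))?$", re.I)

# The only legitimate svchost.exe locations on XP (the second is the Windows File Protection copy).
LEGIT_SVCHOST = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\dllcache\svchost.exe"}

@dataclass
class Finding:
    line: str
    reason: str

def _exe_path(target: str) -> str:
    """Strip quotes and trailing arguments from an O4 target; return the lowercased path."""
    t = target.strip()
    if t.startswith('"'):
        end = t.find('"', 1)
        return t[1:end].lower() if end > 0 else t.strip('"').lower()
    m = re.match(r"^(.*?\.(?:exe|bat|cmd|com|scr|pif|vbs|js))(?:\s|$)", t, re.I)
    return (m.group(1) if m else t).lower()

def triage_o4(lines):
    """Flag O4 lines matching the Tidserv patterns: a rogue svchost.exe, or a script run from Temp."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O4_RUN.match(line) or O4_STARTUP.match(line)
        if not m:
            continue
        path = _exe_path(m.group("target"))
        base = path.rsplit("\\", 1)[-1]
        if base == "svchost.exe" and path not in LEGIT_SVCHOST:
            findings.append(Finding(line, "svchost.exe outside system32: " + path))
        elif "\\temp\\" in path and base.endswith((".bat", ".cmd", ".vbs", ".js")):
            findings.append(Finding(line, "script launched from a Temp folder: " + path))
    return findings

# Registry indicators from the post: key -> value names to look for, or None for a whole subkey.
TDSS_REG_INDICATORS = {
    r"HKLM\SOFTWARE\TDSS": ("build", "serversdown", "type"),
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata": ("affid", "asubid"),
    r"HKLM\SYSTEM\CurrentControlSet\Services\TDSServ": None,
    r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSServ.sys": None,
    r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSServ.sys": None,
    r"HKLM\SOFTWARE\TDSS\version": None,
    r"HKLM\SOFTWARE\TDSS\connections": None,
    r"HKLM\SOFTWARE\TDSS\disallowed": None,
    r"HKLM\SOFTWARE\TDSS\injector": None,
}

def check_registry_snapshot(snapshot):
    """snapshot: {key_path: {value_name: data}} exported from the machine (winreg on Windows).
    Returns the indicator keys and values that are present, in TDSS_REG_INDICATORS order."""
    present = {k.lower(): {n.lower() for n in v} for k, v in snapshot.items()}
    hits = []
    for key, names in TDSS_REG_INDICATORS.items():
        vals = present.get(key.lower())
        if vals is None:
            continue
        if names is None:
            hits.append(key)
        else:
            hits.extend(key + "\\" + n for n in names if n in vals)
    return hits

# Constructed HijackThis lines: the four Tidserv entries quoted above plus benign ones.
SAMPLE_LOG = [
    r"O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe",
    r"O4 - S-1-5-18 Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'SYSTEM')",
    r"O4 - .DEFAULT Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')",
    r"O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - Global Startup: Bluetooth.lnk = ?",
]

# Constructed registry snapshot: two TDSS values and the TDSServ service key (ImagePath assumed).
SAMPLE_SNAPSHOT = {
    r"HKLM\SOFTWARE\TDSS": {"build": "standart", "type": "popup"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\TDSServ": {"ImagePath": r"system32\drivers\TDSServ.sys"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
}

if __name__ == "__main__":
    for f in triage_o4(SAMPLE_LOG):
        print("O4 :", f.reason)
    for hit in check_registry_snapshot(SAMPLE_SNAPSHOT):
        print("REG:", hit)
```

A match here tells you what to remove, not that you can remove it from the running system: as noted later in the thread, the rootkit driver loads even in Safe Mode and keeps its file "in use", so the file and registry deletions still have to be done from an environment where the driver is not running (the rescue CD approach described further down), or after the service and SafeBoot entries are gone and the box has been rebooted.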

Re: backdoor.tidserv!inf

It looks like it is in your temp folder. Can't you just clean out this folder manually?
"All that we are is the result of what we have thought"

Re: backdoor.tidserv!inf

It seems that it uses a rootkit driver to run even in Safe Mode, so the file would be "in use" and unable to be deleted.

It can be using the "svchost.exe" to run; that is where the O4 entry above is mentioned.

Quads

Message Edited by Quads on 11-28-2008 06:27 PM

Re: backdoor.tidserv!inf

Hmmmm

One other idea would be to use a rescue CD.

Antivir has a free Rescue CD you can download in ".iso" format (it's free). Burn it to CD-ROM, then boot the PC from the CD; the CD is Linux based.

Booting from the CD instead means Windows doesn't load, thus the infection doesn't load either.

Use the CD to scan the hard drive for infections. It should detect Backdoor.Tidserv, but as "TR/Dropper.Gen".

Because the infection is not running, it is able to be removed.

Just a thought.

The Norton Recovery Disc is free to subscribers of NAV/NIS 2009; crod55 is using 2008 (15.0.0.58).

Quads 

Message Edited by Quads on 11-28-2008 07:39 PM

Re: backdoor.tidserv!inf

Hey Quads,

That's a good idea with the CD. I was just about to say that HijackThis is a rather complicated product, and if you don't know what you're doing it's easy to f--k up your PC...

What about the Spyware Doctor removal tool (you know, from PC Tools)? I haven't used it myself, but I've heard it's quite good and Norton compatible.

Message Edited by TrDo on 11-28-2008 09:50 AM

Re: backdoor.tidserv!inf

When you Reply back, could you tell us:

01. If you have tried the Removal instructions I provided.

02. Are you using N.I.S. 2009.

03. Have you tried Malwarebytes' Anti-Malware in Safe Mode.

04. Have you tried HiJackThis!.

05. Have you tried the C.D. suggestion.

06. Have you tried the Recovery Tool.

07. Have you tried SUPERAntiSpyware in Safe Mode.

Please remember to Update any Product first before Scanning, otherwise it may not catch it.  Thanks!


Re: backdoor.tidserv!inf

Trying the option "Rescan" when Norton fails to remove a threat may help.

=\

Re: backdoor.tidserv!inf


Floating_Red wrote:

When you Reply back, could you tell us:

01. If you have tried the Removal instructions I provided.

02. Are you using N.I.S. 2009.

03. Have you tried Malwarebytes' Anti-Malware in Safe Mode.

04. Have you tried HiJackThis!.

05. Have you tried the C.D. suggestion.

06. Have you tried the Recovery Tool.

07. Have you tried SUPERAntiSpyware in Safe Mode.

Please remember to Update any Product first before Scanning, otherwise it may not catch it.  Thanks!


Let's make things less confusing.

Please answer these questions first.

Re: backdoor.tidserv!inf


Floating_Red wrote:

07. Have you tried SUPERAntiSpyware in Safe Mode.


SUPERAntiSpyware: http://www.download.com/SUPERAntiSpyware-Free-Edition/3000-8022_4-187228.html?tag=mncol&cdlPid=559816.


Re: backdoor.tidserv!inf


TrDo wrote:

Hey Quads,

That's a good idea with the CD. I was just about to say that HijackThis is a rather complicated product, and if you don't know what you're doing it's easy to f--k up your PC...

What about the Spyware Doctor removal tool (you know, from PC Tools)? I haven't used it myself, but I've heard it's quite good and Norton compatible.

Message Edited by TrDo on 11-28-2008 09:50 AM
HijackThis and not knowing what you are doing: that is why, in message 8 above, I gave the HijackThis entries for this infection, as well as the rest of message 8.

Spyware Doctor, in conjunction with Norton 2009 at least, I found really slows down startup, so I had to disable Spyware Doctor so that it would not run on startup.

Quads 

Re: backdoor.tidserv!inf

It's true, you gave quite specific instructions. What about Symantec, by the way? Does it not have any software to remove the bloody malware/worms and the rest of this stuff?

P.S. Other than the slowdown, did you find Spyware Doctor effective in removing malware?


Re: backdoor.tidserv!inf

Hi 

Symantec have made the NRD (Norton Recovery CD), which is free for licence holders of NAV/NIS 2009. When booting from the CD etc. you have to enter your licence key. http://www.symantec.com/norton/popup.jsp?popupid=nisnav2009_recovery_tool

The thread starter stated version 15.xxx, which is 2008.

Spyware Doctor was reasonably effective. I don't have it installed anymore; I was just testing. I find the likes of NIS 2009 and on-demand scanners like Malwarebytes installed just as effective, and they don't slow down or conflict with NIS.

This is getting off topic from what the original poster asked.

Quads 


Re: backdoor.tidserv!inf

OK Quads, thanks for the reply...

As far as getting off-topic is concerned, allow me a small objection, since we are talking about removal software, and maybe this constitutes some kind of help to the original topic starter...


Re: backdoor.tidserv!inf


TrDo wrote:

It's true, you gave quite specific instructions. What about Symantec, by the way? Does it not have any software to remove the bloody malware/worms and the rest of this stuff?

P.S. Other than the slowdown, did you find Spyware Doctor effective in removing malware?


Some Internet threats are tough to remove and, sometimes, the scanner cannot remove these hard-to-remove types of threats. This is not just a problem for Symantec, but for other anti-virus companies as well.


Re: backdoor.tidserv!inf

I caught the same virus sometime yesterday. Norton Corporate (updated 11/27/08) picked it up on the RTVS, but failed to quarantine it. I disabled system recovery, rebooted, and scanned again. Norton caught the virus and I was able to delete 4 of the 5 entries that were under the virus. Thinking that the virus might be able to reassert itself, I installed and ran HijackThis, but none of the lines that Quads pointed out were on the list. So I went and did the same through regedit; same story. Booted the machine back up this morning, and Norton found the virus again, but was able to quarantine it.

So, is this some kind of residual code that is just setting it off, or is the virus still there?


Re: backdoor.tidserv!inf

Sounds like Norton took care of it. You're good.

Re: backdoor.tidserv!inf


BaalAdvocate wrote:

So, is this some kind of residual code that is just setting it off, or is the virus still there?


Please keep "an eye" on how your computer runs over the next few weeks.

If you have any concerns, or if your computer is acting in an unusual fashion, please contact us here at the Forum. Thank you!


Re: backdoor.tidserv!inf

Below are the items I have taken from the security history of Norton since I have had the problems with the virus. Are they all related in some way? I never get anything but tracking cookies when I scan. Was it the svchost (number 3) that caused everything else to happen, and will it continue to happen?

This is what Norton shows under the log viewer for number 3:

Details: The user has created a rule to "permit" communications.
Local address: All local network adapters(4041).
Process name is "C:\WINDOWS\system32\drivers\svchost.exe".

There is one more I did not list, but I think it was something I did when Norton gave me the first explanation of how to remove the virus: it was "Firewall rules were automatically created for file transfer program"; the status is listed as protected, even though I do not transfer files as far as I know. Was this something I should not have done also?

Thanks for everyone's help.

1) Bloodhound.exploit.213 - 11/26

2) wjqs.exe made 2 modifications to Windows startup settings (it says I can remove it; can I really remove it?) - 11/26

3) svchost was allowed to access your network resources (While everything else was happening a Norton window popped up asking if I wanted to do three things, and this was the Norton recommendation, so I clicked yes.) Should I have done this? - 11/26

4) The Backdoor.Tidserv!inf occurred and Norton says to manually remove - 11/26

5) The Backdoor.Tidserv!inf is scanned again and Norton says it is removed, but when I run a scan it comes up to be manually removed again. - 11/26

6) Trojan Horse detected by Auto-Protect (Norton says to reboot computer) 11/26

7) Trojan Horse detected by virus scanner - removed - This occurs on the 11/28

8) hpwucli.exe behaved suspiciously - Detected (Norton says you may remove this program; can I?) 11/30

9) Downloader detected by virus scanner - removed - I was not on the computer when this happened - 11/30

Shouldn't most of these occurrences ask me to apply an action before taking the action? I do not know much about the virus scanner.

Message Edited by crod55 on 11-30-2008 09:53 PM

Re: backdoor.tidserv!inf

Hi

1. "wjqs.exe" does indeed seem to be a Trojan file.

2. But "hpwucli.exe" is actually the Hewlett-Packard Update Client; do you have an HP PC?

3. "C:\WINDOWS\system32\drivers\svchost.exe" is NOT the legit svchost.exe. The legit place is "C:\WINDOWS\system32\svchost.exe", with a backup copy in C:\WINDOWS\system32\dllcache.

The HijackThis entry for this, if still there, is "O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\System32\drivers\svchost.exe".

Quads 

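The check in the post above, as an added example that is not part of the original post and not Symantec's code: walk the Windows directory for any svchost.exe that is not in system32 or system32\dllcache, and compare the SHA-256 of the live system32 copy with the Windows File Protection copy in dllcache, since the two should be identical on a clean XP install. build_demo_tree() constructs a throwaway directory layout with placeholder file contents (not real binaries) so the script runs anywhere; on a real machine you would call audit_svchost(r"C:\WINDOWS").

```python
"""Check for an impostor svchost.exe the way the post above describes: on XP the
genuine binary is C:\WINDOWS\system32\svchost.exe, with a Windows File Protection
copy in system32\dllcache, so any svchost.exe elsewhere under %WINDIR% is suspect
and the two legitimate copies should hash identically. Added example for this
thread, not Symantec's code; build_demo_tree() constructs a throwaway layout."""
import hashlib
import os
import tempfile
from pathlib import Path

# The two directories where svchost.exe legitimately lives on XP.
EXPECTED_SVCHOST = ("system32", "system32/dllcache")


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_svchost(windir) -> dict:
    """Walk windir; list svchost.exe copies outside the two expected directories and
    compare the hash of the live system32 copy with the dllcache copy."""
    windir = Path(windir)
    expected = {(windir / d / "svchost.exe").resolve() for d in EXPECTED_SVCHOST}
    impostors = [
        str(Path(root) / name)
        for root, _dirs, files in os.walk(windir)
        for name in files
        if name.lower() == "svchost.exe" and (Path(root) / name).resolve() not in expected
    ]
    live, cache = (windir / d / "svchost.exe" for d in EXPECTED_SVCHOST)
    match = sha256_of(live) == sha256_of(cache) if live.is_file() and cache.is_file() else None
    return {"impostors": sorted(impostors), "system32_matches_dllcache": match}


def build_demo_tree() -> Path:
    """Constructed XP-like tree with the rogue copy from the thread's HijackThis entry.
    File contents are placeholders, not real binaries."""
    base = Path(tempfile.mkdtemp()) / "WINDOWS"
    (base / "system32" / "dllcache").mkdir(parents=True)
    (base / "system32" / "drivers").mkdir()
    genuine = b"MZ placeholder for the genuine host process"
    (base / "system32" / "svchost.exe").write_bytes(genuine)
    (base / "system32" / "dllcache" / "svchost.exe").write_bytes(genuine)
    (base / "system32" / "drivers" / "svchost.exe").write_bytes(b"MZ placeholder for the TDSS dropper")
    return base


if __name__ == "__main__":
    print(audit_svchost(build_demo_tree()))
```

Run it from the rescue CD route suggested earlier in the thread rather than from the infected Windows session: with the rootkit driver loaded, a directory walk and a file read go through the driver and can be lied to, so a clean result from a live scan proves less than the same result from an offline boot.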

Re: backdoor.tidserv!inf

QUADS -

OK. First, I run Symantec AV software and also Sygate Agent. Here's the version info:

Symantec AntiVirus
Program Version: 10.1.0.396
Scan Engine: 81.3.0.13
Virus Def Version: 12/1/2008 rev. 6

Sygate Security Agent 4.1 build 2827 C

I initially tried running Norton's suggested fix, where I disable System Restore, download updated virus definitions, and then run a full scan. It didn't work: it kept coming back with backdoor.tidserv!inf and further told me that no action was taken. I tried to manually navigate to the file and remove it, but it said it was in use.

I have used HijackThis in the past, so I downloaded it and ran it. The entries you list were not present.

I have also (carefully) used regedit in the past, so I tried that as well. The only entry of those you list that was close was the following:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSServ.sys

None of the other entries you list were present. I did remove the one above via regedit.

I rebooted and Norton immediately found backdoor.tidserv!inf and took no action. I also notice that sometimes my Sygate Security Agent is stopped in my system tray. I have to open it manually from Programs, which I never had to do before.

I'm at a loss as to how to get this pernicious little bugger off of my machine.

Suggestions?

Re: backdoor.tidserv!inf

And here's the logfile from Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:01 PM, on 12/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\sygate\ssa\syg_hp.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Remote tools\msraLinkMonitor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radexecd.exe
C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radsched.exe
C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\Radstgms.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\Hewlett-Packard\GetIT\GetIT.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Logitech\SetPoint\LU\LULnchr.exe
C:\Program Files\Logitech\SetPoint\LU\LogitechUpdate.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://athp.hp.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autocache.hp.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [COEMsgDisplay] c:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [GetIT] C:\Program Files\Hewlett-Packard\GetIT\GetIT.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IDA] c:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_13\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: WinZip Quick Pick.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - (no file)
O9 - Extra button: Fix Common Internet Explorer Problems - {E270AB82-96D5-45DB-ABE3-0BC038B92334} - C:\Program Files\Hewlett-Packard\IEToolBar\HP IE Fix.exe
O9 - Extra 'Tools' menuitem: Fix Common Internet Explorer Problems - {E270AB82-96D5-45DB-ABE3-0BC038B92334} - C:\Program Files\Hewlett-Packard\IEToolBar\HP IE Fix.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com
O15 - Trusted Zone: http://ie.config.eur.compaq.com
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com
O15 - Trusted Zone: http://ie.config.jp.compaq.com
O15 - Trusted Zone: http://*.compaq.com
O15 - Trusted Zone: *.cpqcorp.net
O15 - Trusted Zone: http://*.dcu.org
O15 - Trusted Zone: http://ie.config.ecom.dec.com
O15 - Trusted Zone: http://*.dec.com
O15 - Trusted Zone: *.hp.com
O15 - Trusted Zone: http://*.hpe-learning.com
O15 - Trusted Zone: *.hpqcorp.net
O15 - Trusted Zone: *.hpshopping.com
O15 - Trusted Zone: http://ie.config.tandem.com
O15 - Trusted Zone: http://*.tandem.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM)
O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)
O16 - DPF: {00000032-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms32 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall32.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189776183175
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://fedgov.webex.com/client/T26L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\Software\..\Telephony: DomainName = americas.hpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = AMERICAS.cpqcorp.net,AMERICAS.hpqcorp.net,hpqcorp.net,cpqcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = AMERICAS.cpqcorp.net,AMERICAS.hpqcorp.net,hpqcorp.net,cpqcorp.net
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivIdentity - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: HP Sygate Icon Control (HPSygControl) - Hewlett-Packard Company - C:\PROGRA~1\sygate\ssa\syg_hp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: MSRA Link Monitor (msralinkmonitor) - Unknown owner - C:\Program Files\Remote tools\msraLinkMonitor.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: HP OVCM Notify Daemon (radexecd) - Hewlett-Packard - C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radexecd.exe
O23 - Service: HP OVCM Scheduler Daemon (radsched) - Hewlett-Packard - C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radsched.exe
O23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\Radstgms.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
 


Re: backdoor.tidserv!inf

Have you tried uninstalling Sygate Security Agent to see if its presence in the system is the cause of Symantec's detection?
mijN360 2013, v.20.1.0.24; Win7 Pro, SP1 (32 bit), IE 9, Firefox 14, No other active securityware

Re: backdoor.tidserv!inf

Hi

After deleting the entry "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSServ.sys" and restarting the computer, did you then try to delete the file, as you couldn't before because it was in use? If the file cannot be deleted, right-click it and check the properties.

You could have any of the variants of the Seneka rootkit (which includes part of Tdsserv), which blocks or attempts to block the running of security software (possibly your Sygate load problem?). It also stops the likes of Malwarebytes being installed, though Malwarebytes should be able to be installed from Safe Mode.

Try this to see if any of these exist. Remember I'm not at your PC to see.

1. Open up Device Manager
2. Click 'View' and select 'Show Hidden Devices'
3. Expand the 'Non-Plug and Play' Drivers category
4. Right-click and 'Disable' clbdriver.sys, tdsserv.sys (or tdssxyz.sys where xyz.sys are random characters), and/or seneka.sys
5. Restart computer to Safe Mode
6. After restart, go back to Device Manager and right-click 'Uninstall' the above drivers
7. Navigate to the 'C:\Windows\System32\Drivers' folder and delete these files if they exist (they will be hidden, so show hidden files)
8. Navigate to the 'C:\Windows\System32\' directory, sort by date, and remove any recently modified traces of files that resemble clb*.*, td*.*, and seneka*.* (careful)

Then try to download and install Malwarebytes and/or SuperAntiSpyware, update it and do a full system scan in Safe Mode.

See how that goes 

Quads

Message Edited by Quads on 12-02-2008 08:46 PM

Re: backdoor.tidserv!inf

Oops, what I downloaded was HijackThis... sorry... Sherry, and got this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:24:59 AM, on 12/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\srvany.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\WINDOWS\system32\ScsiAccess.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Vongo\VongoService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\121041~1\EE\aolsoftware.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 12.108.132.6
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=0
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1210413593\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PeachtreePrefetcher.exe] "C:\PROGRA~1\SAGESO~1\PEACHT~1\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\RunOnce: [AOLDeskbarInstall] "C:\Program Files\AOL Deskbar\AOLDeskbarSetup.exe" /s /u
O4 - HKLM\..\RunOnce: [AOLIEToolbarInstall] C:\Program Files\AOL Toolbar\AOLToolbarSetup.exe /s /u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SmileboxTray] "C:\Documents and Settings\Sherry Mantooth\Application Data\Smilebox\SmileboxTray.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak Picture Easy 3.1 Batch Transfer.lnk = C:\Program Files\Kodak\Picture Easy Software\Program\PezDownload.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {53D40FAA-4E21-459F-AA87-E4D97FC3245A} (InstallShield Setup Player V12) - http://www.respondus2.com/LDB/setup.exe
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1CD0A42-CF23-4493-A5B9-BCC296B9520D}: NameServer = 12.108.132.6,12.108.132.7
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe

--
End of file - 14470 bytes


Re: backdoor.tidserv!inf

Hi Slm139

Firstly, you have NIS 2009 installed yet you still have parts of the old version installed. It might be a good idea to uninstall NIS 2009 and use the Norton Removal Tool: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

Run that then Restart the Computer and Install 2009 again.

Second, you can use HijackThis to remove these entries.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 12.108.132.6

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')     (Don't need to run on startup)

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15.cab

I see you have "Mywebsearch" installed.

Now, search (use the search feature) for "TDSS". It will be interesting to see how many you find.

Also try this to see if any drivers are installed that belong to it:

Go to the "Control Panel" and click on "System".

Click on the "Hardware" tab.

Click on "Device Manager" to open it.
Click 'View' in the menu and select 'Show Hidden Devices'.
Expand the 'Non-Plug and Play' Drivers category.
If you find them, you can tell me. Right-click and 'Disable' clbdriver.sys, tdsserv.sys (or tdssxyz.sys where xyz.sys are random characters), and/or seneka.sys.

Restart computer to Safe Mode.
After restart, go back to Device Manager and right-click 'Uninstall' the above drivers.
Navigate to the 'C:\Windows\System32\Drivers' folder and delete these files if they exist (they will be hidden, so show hidden files).

Navigate to the 'C:\Windows\System32\' directory, sort by date, and remove any recently modified traces of files that resemble clb*.*, td*.*, and seneka*.* (careful).

See how we go.

Quads 

Message Edited by Quads on 12-04-2008 06:09 AM
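As an added example (not a HijackThis feature and not code from anyone in this thread), here is a small Python triage script that walks a HijackThis log and flags the kinds of entries singled out in the reply above: BHOs with no backing file, a proxy auto-config URL pointing at a bare IP address, an ActiveX DPF entry with no friendly name, services with an unknown owner or a missing file, and any file name matching the tdss/seneka/clbdriver driver patterns from the Device Manager steps. The rule names are my own, the last O23 sample line is constructed (it reuses the TDSSserv.sys driver name mentioned in this thread), and the other sample lines are copied from the log posted above.

```python
"""Triage a HijackThis log for the entry types called out in this thread.

Added example, not part of HijackThis or of the posts above. It only
flags lines for a human to review; it removes nothing.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: lines copied from the HijackThis log posted above, plus one
# constructed O23 line (the last one) that reuses the TDSSserv.sys driver
# name so the rootkit name-pattern rule has something to match.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 12.108.132.6
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189776183175
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TDSSserv - Unknown owner - C:\WINDOWS\system32\drivers\TDSSserv.sys
"""

# Every HijackThis entry starts with a section code such as R1, O2, O23.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# A DPF entry with a friendly name reads "{GUID} (Name) - url".
GUID_NAMED_RE = re.compile(r"^\{[0-9A-Fa-f-]+\}\s+\(")
# Bare file names (last path component) of drivers, DLLs and executables.
FILE_RE = re.compile(r'[^\\\s"]+\.(?:sys|dll|exe)\b', re.IGNORECASE)
# Driver names from the removal steps above: tdsserv.sys / tdssxyz.sys,
# seneka.sys and clbdriver.sys. A bare "clb*" is deliberately not used
# because it would also hit the legitimate Windows file clbcatq.dll.
ROOTKIT_NAME_RE = re.compile(r"^(?:tdss|seneka|clbdriver)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    rule: str
    line: str


def _check(section: str, body: str, line: str) -> List[Finding]:
    """Apply the triage rules to one parsed entry."""
    out: List[Finding] = []
    if section == "O2" and body.endswith("(no file)"):
        out.append(Finding(section, "bho-no-file", line))
    if section == "R1" and "AutoConfigURL = " in body:
        # A PAC URL that is a bare IP is worth confirming with whoever runs
        # the network; the reply above listed this entry for removal.
        value = body.split("AutoConfigURL = ", 1)[1].strip()
        if IPV4_RE.match(value):
            out.append(Finding(section, "pac-bare-ip", line))
    if section == "O16" and body.startswith("DPF: "):
        if not GUID_NAMED_RE.match(body[len("DPF: "):]):
            out.append(Finding(section, "dpf-unnamed", line))
    if section == "O23" and ("Unknown owner" in body or "(file missing)" in body):
        out.append(Finding(section, "svc-unknown-or-missing", line))
    for name in FILE_RE.findall(line):
        if ROOTKIT_NAME_RE.match(name):
            out.append(Finding(section, "rootkit-name-pattern", line))
            break
    return out


def triage(log_text: str) -> List[Finding]:
    """Parse a whole HijackThis log and return the flagged entries in order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if not match:
            continue  # header lines, the process list and blanks are skipped
        findings.extend(_check(match["section"], match["body"], line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, for a quick overview."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding.rule] = counts.get(finding.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.rule:24} {finding.line}")
```

The script only reports; deciding which flagged entries are actually safe to remove still takes the judgement shown in the replies, and on a machine with an active rootkit the log itself may be incomplete.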

Re: backdoor.tidserv!inf

Quads

I went to the link and deleted all the Norton items on my computer. I rebooted and reinstalled Norton AntiVirus 2009. Went to HijackThis and deleted the files you had listed. Rebooted again and ran my Norton scan. It found no viruses, so I guess it worked.

Thank you!!  

sherry


Re: backdoor.tidserv!inf

Quads

Another question: what is the 'mywebsearch' you are talking about? Is it a virus? A program? What? And do I need to remove it? If so, where do I find it so I can delete it?

Thanks, Sherry


Re: backdoor.tidserv!inf

Hi

I'm sorry, I missed this one accidentally. Oops.

Mywebsearch, see http://www.pchell.com/support/mywebsearch.shtml

Quads 


Re: backdoor.tidserv!inf



slm139 wrote:

Quads

Another question: what is the 'mywebsearch' you are talking about? Is it a virus? A program? What? And do I need to remove it? If so, where do I find it so I can delete it?

Thanks, Sherry


Yes, please remove it.

"All that we are is the result of what we have thought"

Re: backdoor.tidserv!inf

OK, how does this Backdoor.Tidserv!inf get on our computers? I removed everything, ran the scan, it didn't show it, it was all clear, and then ran another today and it says it found an occurrence again? How come Norton 2009 isn't keeping it from entering my computer? Can someone explain how this works to me and what I need to do so I don't keep getting it? I don't go to porno sites or chat sites... so no idea where I keep getting it. Please help!!

sherry


Re: backdoor.tidserv!inf

Hi

Is it a completely new infection, or is it a left-over registry entry or file that can't work because most of the infection has been removed? What can happen is a file or registry entry gets left behind, and when Norton gets its definitions updated a detection for the malware in question gets added. Then the next time you do a scan (or Auto-Protect runs) after that update, it detects the left-overs.

If it is a left-over, OK, no problem.

Re-infection: try this. The newest version of SDFix does detect this malware.

Take your time on each step; haste can make more accidental problems!
You are not the only one reporting this infection (of any variant of 'TDSS').

How to use SDFix:
1. Download SDFix and save it to your Desktop.
2. Install SDFix: double-click on the SDFix file. If a "Security Warning" window opens, click on the Run button.
3. Follow the prompts.
4. Reboot your PC into Safe Mode:

- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.

5. Click Start -> Run, type the following text in the box: C:\SDFix\RunThis.bat
6. Press Enter or the OK button.
7. When the tool is finished, it will produce a report for you.

Notes:
If this error message is displayed when running SDFix:

The command prompt has been disabled by your administrator. Press any key to continue . . .

Please go to Start Menu > Run > then copy and paste the following line: %systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press OK, then run SDFix again.

If the Command Prompt window flashes on then off again on XP or Windows 2000:

Please go to Start Menu > Run > then copy and paste the following line: %systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

Quads 

Re: backdoor.tidserv!inf

Hi.. I also have acquired this infection on not one, but two computers on my network! I am currently running Windows XP SP3 and Symantec Antivirus version 10.1.7.7000. I have tried all methods listed above in this thread and am trying to resolve by using the Antivir Recovery CD method as a last resort as I type this. Needless to say NOTHING else I tried has worked. I searched for the registry entries that are listed in this thread and they are non-existent on my systems, but the infections are. Even though Symantec classifies this as a "Low Level" threat, this is turning out to be a pretty nasty bug. I really am trying to avoid reformatting my drives.  Do I have any other options?? It doesn't appear so. PLEAAASSSE HELP!!

Re: backdoor.tidserv!inf

Hi

See http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=23740

I have at this point been investigating, and there is more than one variant of malware that uses TDSSserv.sys and TDSS.sys as a driver file.

Quads


Re: backdoor.tidserv!inf

Thanks for the prompt response. I attempted to follow the instructions in the Seneka rootkit thread you provided, but none of the entries you mentioned were located in the Non-Plug and Play section in device drivers on my system. Normally I would just reformat and be done with this. But since it is affecting 2 PCs on my network I am trying to take the road I seldom travel and actually delete the threat without reformatting. Any other suggestions?

Re: backdoor.tidserv!inf

Did you use SDFix? SDFix does show the hidden driver.

Quads 

Message Edited by Quads on 12-07-2008 03:29 PM

Re: backdoor.tidserv!inf

Hi,

I seem to have the same virus. When I log on, I get a fake security center alert. I can only use my browser after I do a CONTROL-ALT-DEL and click End Task. I put TDSS in SEARCH (MY Computer). I found 4 TDSS files. The files are:

TDSSewakdony (C:\Windows\System32)

TDSSfdlxuips (C:\Windows\System32)

TDSSnvkqciat.dll (C:\Windows\System32)

TDSSserv (C:\Windows\System32\drivers)

I was not able to quarantine them in Norton. Is it safe to right click and delete them, or will this damage my system?

Thank You


Re: backdoor.tidserv!inf

Hi

Poster Number 6 with this I think,

Probably, though they may be locked, especially "TDSSserv". Try this procedure, which also shows TDSS.............. without the rootkit. That makes sure the driver files and associates are not in use. 3 major steps.

http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=23740 

Quads 


Re: backdoor.tidserv!inf

Could someone tell me in plain English how to remove this virus? I do not understand most of what is being said.

Thank you


Re: backdoor.tidserv!inf

Hi  crod55

I don't know how much simpler I can make the instructions for the TDSS variants (with or without the rootkit).

Follow the instructions in this post http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=23740

A poster called "limejen" said they followed the instructions for Tidserv....... and it worked.

Quads 


Re: backdoor.tidserv!inf

Thanks for the info. I used SDFix. I can now use my browser, but the fake message still appears. I did a search again and found:

TDSSnvkqciat.dll (C:\Windows\System32)

TDSSserv (backups)

Should I re-run SDFix or just delete the remaining files manually? Thanks

Re: backdoor.tidserv!inf

Hi

TDSSnvkqciat.dll is a new file name for me to add to my list, thanks.

The backup one should be easy to delete. See if you can just delete "TDSSnvkqciat.dll"; if it goes easily, good. Did you run the SuperAntiSpyware Free Prerelease?

This one from your previous post, "TDSSserv (C:\Windows\System32\drivers)", is the driver that won't move without disabling etc.

The fake message when you start your browser could be some different infection bundled with the TDSS variants, and you still have a leftover BHO, which HijackThis would show. You can Personal Message the log if you like, to see if I can see it.

You are getting somewhere now you can use your browser. 

Quads 

Message Edited by Quads on 12-11-2008 04:07 PM
Message Edited by Quads on 12-11-2008 04:08 PM

Re: backdoor.tidserv!inf

I am having a terrible time removing this virus! I caught the virus a couple of days ago and haven't been able to remove it manually. I formatted my C:\ drive and reinstalled Windows, and a strange message appears at startup; it crashed a version of Windows I installed, but another Vista Windows works fine for me now, though I am still getting the same error message at startup. My question is: will a full format completely remove the virus? Since I don't have much on my laptop, a format won't be much of a problem... Thanks.


Re: backdoor.tidserv!inf

What does the error message say?

Quads 
