Hello! First post on these forums, though I've been a user of NIS since 2007.
On December 1, my personal laptop was infected with what I believe to be a new variant of the Backdoor.TIDserv ("Scour redirect") virus. NIS 2013, which was fully updated, failed to detect an infection, even with the most aggressive heuristic settings possible. I eventually found the viral file by searching for new DLLs on my machine, and submitted it via Quarantine within the application. (A reboot following the quarantine verified that I had found the right file.)
My question is this: other than the obvious - willful reinfection - is there any easy way to determine if Norton has updated their latest definitions to detect this variant? I've scoured the "Latest Threat list" etc. for news on this new variant but haven't seen anything yet.
Welcome, I suspect that the answer to your question is no. When protection is being built it is designed to trap more than a single infection. In fact, the more the better. So, as the experts were working on keeping that individual out of your system they would also be trying to keep any variants from sneaking past.
Without the tools, experience and expertise of someone like user Quads I cannot recommend you reinfect your system. All may go well, but all may not. Please surf safe.
Quads, it is possible that the DLL was not the only piece of this virus, but quarantining the DLL (and removing its associated registry entries) did disable it. Since DLL drops are clearly documented as part of tidserv's behavior, and since the virus was redirecting me to Scour.com and other websites/IPs associated with tidserv, I think I identified it correctly.
I just found it interesting that NIS 2013 did not detect it, even with full updates and aggressive heuristics, nor did Power Eraser. And now I'm just curious when, if ever, I can expect an update from Norton that properly identifies this new strain.
EDIT: I should also note that the "publisher" of the DLL was an organization previously identified with tidserv. I can't remember who the publisher was, but can look it up again if necessary.
I was able to figure out more of the virus's behavior by searching for files created on my machine 12/1 10:44 am (the time of the infection). This is of course a partial reconstruction, based on what I've found:
The malicious download (unknown source) occurred.
The virus created a temp file called 0.04401299438935069 in my AppData\Local\Temp folder.
The virus created a file called xdhcyez.dll in AppData\Local\Temp\xdhcyez.
This now-infected xdhcyez.dll was then copied to a new folder, AppData\Local\Asus\Adobe. ("Adobe" is the first legitimate folder in Local, and "Asus" the third.)
A registry key was created in HKEY_USERS\S-1-5-21-3798062404-692387110-2465610323-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe, to cause the DLL to hook at boot.
Hahahaha, not Tidserv. I know one is the installer for a couple of things it could be. AppData\Local\Asus\Adobe\xdhcyez.dll is not Tidserv; I know what that is. I have infected my system with it in the past and removed the family (not Tidserv but Tracur). One time it actually rebuilt itself on system reboot.
You keep thinking it is Tidserv and digging around into your system.
For users reading:
C:\Users\[username]\AppData\Local\Temp\0.5812232367648337 (Trojan.Happili) (the numbers change)
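The two posts above describe the same hunting method from opposite ends: the original poster reconstructed the drop sequence by listing files created at the infection time and then found the Run-key entry that loads the DLL from AppData\Local, and Quads points out the decimal-fraction temp-file name that Trojan.Happili leaves behind. The script below is an added example written for this thread; it is not code from any poster, from Norton, or from any vendor tool. It assumes an elevated PowerShell prompt on the machine under review and that user profiles live under C:\Users (a placeholder to adjust); the time window in the usage lines is likewise a placeholder for the moment the infection was observed. It only reports candidates and deletes nothing.

```powershell
# Added example for this thread, not code from any poster or from Norton.
# Assumptions: elevated PowerShell on the machine under review; C:\Users and the
# time window below are placeholders to adjust. Read-only: reports, never deletes.

# Autostart locations named in the thread (the Run key) plus RunOnce.
$RunKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Registry provider paths for every loaded user hive plus the machine hive.
function Get-HivePaths {
    $hives = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
             ForEach-Object { "Registry::$($_.Name)" }
    $hives + 'Registry::HKEY_LOCAL_MACHINE'
}

# Run/RunOnce values whose command points into AppData\Local or a Temp folder
# and loads a DLL (directly or through rundll32): the combination described above.
function Get-SuspiciousRunEntries {
    foreach ($hive in Get-HivePaths) {
        foreach ($rk in $RunKeys) {
            $keyPath = "$hive\$rk"
            if (-not (Test-Path $keyPath)) { continue }
            $props = Get-ItemProperty -Path $keyPath
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
                $cmd = [string]$p.Value
                $inUserWritable = $cmd -match '(?i)\\AppData\\Local\\|\\Temp\\'
                $loadsDll       = $cmd -match '(?i)\.dll\b|rundll32'
                if ($inUserWritable -and $loadsDll) {
                    [pscustomobject]@{ Key = $keyPath; Name = $p.Name; Command = $cmd }
                }
            }
        }
    }
}

# Files created inside a time window under each profile's AppData\Local,
# the method the poster used to reconstruct the drop sequence.
function Get-FilesCreatedInWindow {
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        [string]$ProfileRoot = 'C:\Users'   # placeholder; adjust if profiles live elsewhere
    )
    Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $local = Join-Path $_.FullName 'AppData\Local'
        if (Test-Path $local) {
            Get-ChildItem -Path $local -Recurse -File -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.CreationTime -ge $Start -and $_.CreationTime -le $End } |
                Select-Object FullName, CreationTime, Length
        }
    }
}

# Temp files whose whole name is a decimal fraction such as 0.5812232367648337,
# the naming pattern quoted in the thread (the digits vary from infection to infection).
function Get-DecimalNamedTempFiles {
    param([string]$ProfileRoot = 'C:\Users')   # placeholder
    Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $temp = Join-Path $_.FullName 'AppData\Local\Temp'
        if (Test-Path $temp) {
            Get-ChildItem -Path $temp -File -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -match '^0\.\d{8,}$' } |
                Select-Object FullName, CreationTime, Length
        }
    }
}

# Usage. The window is a placeholder: substitute the time the infection was observed.
Get-SuspiciousRunEntries  | Format-Table -AutoSize
Get-DecimalNamedTempFiles | Format-Table -AutoSize
Get-FilesCreatedInWindow -Start (Get-Date).AddHours(-2) -End (Get-Date) | Format-Table -AutoSize
```

The Run-key check walks HKEY_USERS rather than HKCU so it covers every loaded profile, including the SID-keyed hive the poster quoted. Creation times are only a starting point: a dropper can reset them, so treat a hit from the time-window search as a lead to submit for analysis, not as proof on its own.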
Aha! You're right, the described behavior does sound like it is a Tracur.B or Happili variant. Thanks for the identification.
I'm surprised that Norton's Tracur.C heuristic rule didn't catch this then. Hopefully they'll have a chance to update it soon, based on the files I submitted.
EDIT: I could be wrong, but it sounds like this person had the same virus.