Symantec alert Backdoor.Tidserv!inf.... can't get rid of it, please help


Symantec alert Backdoor.Tidserv!inf.... can't get rid of it, please help

Post by entityxero on Mon Feb 15, 2010 8:25 pm

I've tried using malwarebytes, even system restore... nothing is working. Any suggestions would be a HUGE help!

entityxero
Novice

Posts : 7
Joined : 2010-02-15
Gender : Male
OS : windows xp
Points : 24953
# Likes : 0


Re: Symantec alert Backdoor.Tidserv!inf.... can't get rid of it, please help

Post by Dr Jay on Mon Feb 15, 2010 9:23 pm

Download this [You must be registered and logged in to see this link.] & extract TDSSKiller.exe onto your Desktop

Then create this batch file to be placed next to TDSSKiller

=====

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:
Code:
@ECHO OFF
REM run TDSSKiller and wait for it to finish; -l names the log file, -v asks for a detailed log
START /WAIT TDSSKILLER.exe -l Logit.txt -v
REM open the log in the default text editor
START Logit.txt
REM remove this batch file once it has done its job
del %0
Save this as fix.bat, choosing "Save type as - All Files".
Double click on fix.bat & allow it to run

Post back to tell me what it says


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts : 13717
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Protection : Bitdefender Total Security
Points : 302127
# Likes : 10


Re: Symantec alert Backdoor.Tidserv!inf.... can't get rid of it, please help

Post by entityxero on Mon Feb 15, 2010 11:08 pm

17:59:56:125 3828 TDSS rootkit removing tool 2.2.3 Feb 4 2010 14:34:00
17:59:56:125 3828 ================================================================================
17:59:56:125 3828 SystemInfo:

17:59:56:125 3828 OS Version: 5.1.2600 ServicePack: 2.0
17:59:56:125 3828 Product type: Workstation
17:59:56:125 3828 ComputerName: DDXMV7C1
17:59:56:125 3828 UserName: edpjgo
17:59:56:125 3828 Windows directory: C:\WINDOWS
17:59:56:125 3828 Processor architecture: Intel x86
17:59:56:125 3828 Number of processors: 2
17:59:56:125 3828 Page size: 0x1000
17:59:56:125 3828 Boot type: Normal boot
17:59:56:125 3828 ================================================================================
17:59:56:156 3828 UnloadDriverW: NtUnloadDriver error 2
17:59:56:156 3828 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
17:59:56:171 3828 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
17:59:56:296 3828 UtilityInit: KLMD drop and load success
17:59:56:296 3828 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
17:59:56:296 3828 UtilityInit: KLMD open success
17:59:56:296 3828 UtilityInit: Initialize success
17:59:56:296 3828
17:59:56:296 3828 Scanning Services ...
17:59:56:296 3828 CreateRegParser: Registry parser init started
17:59:56:296 3828 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
17:59:56:296 3828 CreateRegParser: DisableWow64Redirection error
17:59:56:296 3828 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
17:59:56:296 3828 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
17:59:56:296 3828 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:59:56:296 3828 wfopen_ex: Trying to KLMD file open
17:59:56:296 3828 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
17:59:56:296 3828 wfopen_ex: File opened ok (Flags 2)
17:59:56:296 3828 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 3F4D50
17:59:56:296 3828 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
17:59:56:296 3828 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
17:59:56:296 3828 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:59:56:296 3828 wfopen_ex: Trying to KLMD file open
17:59:56:296 3828 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
17:59:56:296 3828 wfopen_ex: File opened ok (Flags 2)
17:59:56:296 3828 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 3F4DF8
17:59:56:296 3828 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
17:59:56:296 3828 CreateRegParser: EnableWow64Redirection error
17:59:56:296 3828 CreateRegParser: RegParser init completed
17:59:57:046 3828 GetAdvancedServicesInfo: Raw services enum returned 468 services
17:59:57:062 3828 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
17:59:57:062 3828 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
17:59:57:062 3828
17:59:57:062 3828 Scanning Kernel memory ...
17:59:57:062 3828 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
17:59:57:062 3828 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8B06BA08
17:59:57:062 3828 DetectCureTDL3: KLMD_GetDeviceObjectList returned 3 DevObjects
17:59:57:062 3828
17:59:57:062 3828 DetectCureTDL3: DEVICE_OBJECT: 8B08FC68
17:59:57:062 3828 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B08FC68
17:59:57:062 3828 KLMD_ReadMem: Trying to ReadMemory 0x8B08FC68[0x38]
17:59:57:062 3828 DetectCureTDL3: DRIVER_OBJECT: 8B06BA08
17:59:57:062 3828 KLMD_ReadMem: Trying to ReadMemory 0x8B06BA08[0xA8]
17:59:57:062 3828 KLMD_ReadMem: Trying to ReadMemory 0xE18631A0[0x18]
17:59:57:062 3828 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:59:57:062 3828 DetectCureTDL3: IrpHandler (0) addr: BA10EC30
17:59:57:062 3828 DetectCureTDL3: IrpHandler (1) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (2) addr: BA10EC30
17:59:57:062 3828 DetectCureTDL3: IrpHandler (3) addr: BA108D9B
17:59:57:062 3828 DetectCureTDL3: IrpHandler (4) addr: BA108D9B
17:59:57:062 3828 DetectCureTDL3: IrpHandler (5) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (6) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (7) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (8) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (9) addr: BA109366
17:59:57:062 3828 DetectCureTDL3: IrpHandler (10) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (11) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (12) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (13) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (14) addr: BA10944D
17:59:57:062 3828 DetectCureTDL3: IrpHandler (15) addr: BA10CFC3
17:59:57:062 3828 DetectCureTDL3: IrpHandler (16) addr: BA109366
17:59:57:062 3828 DetectCureTDL3: IrpHandler (17) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (18) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (19) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (20) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (21) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (22) addr: BA10AEF3
17:59:57:062 3828 DetectCureTDL3: IrpHandler (23) addr: BA10FA24
17:59:57:062 3828 DetectCureTDL3: IrpHandler (24) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (25) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (26) addr: 804F4476
17:59:57:062 3828 TDL3_FileDetect: Processing driver: Disk
17:59:57:062 3828 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
17:59:57:062 3828 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
17:59:57:078 3828 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:59:57:078 3828
17:59:57:078 3828 DetectCureTDL3: DEVICE_OBJECT: 8B067C68
17:59:57:078 3828 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B067C68
17:59:57:078 3828 KLMD_ReadMem: Trying to ReadMemory 0x8B067C68[0x38]
17:59:57:078 3828 DetectCureTDL3: DRIVER_OBJECT: 8B06BA08
17:59:57:078 3828 KLMD_ReadMem: Trying to ReadMemory 0x8B06BA08[0xA8]
17:59:57:078 3828 KLMD_ReadMem: Trying to ReadMemory 0xE18631A0[0x18]
17:59:57:078 3828 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:59:57:078 3828 DetectCureTDL3: IrpHandler (0) addr: BA10EC30
17:59:57:078 3828 DetectCureTDL3: IrpHandler (1) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (2) addr: BA10EC30
17:59:57:078 3828 DetectCureTDL3: IrpHandler (3) addr: BA108D9B
17:59:57:078 3828 DetectCureTDL3: IrpHandler (4) addr: BA108D9B
17:59:57:078 3828 DetectCureTDL3: IrpHandler (5) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (6) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (7) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (8) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (9) addr: BA109366
17:59:57:078 3828 DetectCureTDL3: IrpHandler (10) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (11) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (12) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (13) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (14) addr: BA10944D
17:59:57:078 3828 DetectCureTDL3: IrpHandler (15) addr: BA10CFC3
17:59:57:078 3828 DetectCureTDL3: IrpHandler (16) addr: BA109366
17:59:57:078 3828 DetectCureTDL3: IrpHandler (17) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (18) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (19) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (20) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (21) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (22) addr: BA10AEF3
17:59:57:078 3828 DetectCureTDL3: IrpHandler (23) addr: BA10FA24
17:59:57:078 3828 DetectCureTDL3: IrpHandler (24) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (25) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (26) addr: 804F4476
17:59:57:078 3828 TDL3_FileDetect: Processing driver: Disk
17:59:57:078 3828 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
17:59:57:078 3828 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
17:59:57:078 3828 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:59:57:078 3828
17:59:57:078 3828 DetectCureTDL3: DEVICE_OBJECT: 8AFE4AB8
17:59:57:078 3828 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AFE4AB8
17:59:57:078 3828 DetectCureTDL3: DEVICE_OBJECT: 8B06DF18
17:59:57:078 3828 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B06DF18
17:59:57:078 3828 DetectCureTDL3: DEVICE_OBJECT: 8B06CD98
17:59:57:078 3828 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8B06CD98
17:59:57:078 3828 KLMD_ReadMem: Trying to ReadMemory 0x8B06CD98[0x38]
17:59:57:078 3828 DetectCureTDL3: DRIVER_OBJECT: 8B0C4818
17:59:57:078 3828 KLMD_ReadMem: Trying to ReadMemory 0x8B0C4818[0xA8]
17:59:57:078 3828 KLMD_ReadMem: Trying to ReadMemory 0xE18311B0[0x1A]
17:59:57:078 3828 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
17:59:57:078 3828 DetectCureTDL3: IrpHandler (0) addr: B9F1D572
17:59:57:078 3828 DetectCureTDL3: IrpHandler (1) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (2) addr: B9F1D572
17:59:57:078 3828 DetectCureTDL3: IrpHandler (3) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (4) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (5) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (6) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (7) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (8) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (9) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (10) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (11) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (12) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (13) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (14) addr: B9F1D592
17:59:57:078 3828 DetectCureTDL3: IrpHandler (15) addr: B9F197B4
17:59:57:078 3828 DetectCureTDL3: IrpHandler (16) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (17) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (18) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (19) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (20) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (21) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (22) addr: B9F1D5BC
17:59:57:078 3828 DetectCureTDL3: IrpHandler (23) addr: B9F24164
17:59:57:078 3828 DetectCureTDL3: IrpHandler (24) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (25) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (26) addr: 804F4476
17:59:57:078 3828 KLMD_ReadMem: Trying to ReadMemory 0xB9F1A7C6[0x400]
17:59:57:078 3828 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
17:59:57:078 3828 TDL3_FileDetect: Processing driver: atapi
17:59:57:078 3828 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
17:59:57:078 3828 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
17:59:57:109 3828 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
17:59:57:109 3828
17:59:57:109 3828 Completed
17:59:57:109 3828
17:59:57:109 3828 Results:
17:59:57:109 3828 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
17:59:57:109 3828 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:59:57:109 3828 File objects infected / cured / cured on reboot: 0 / 0 / 0
17:59:57:109 3828
17:59:57:109 3828 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
17:59:57:109 3828 UtilityDeinit: KLMD(ARK) unloaded successfully

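The TDSSKiller log posted above walks the disk driver stack (\Driver\Disk, \Driver\atapi) and records the address of every IRP major-function dispatch handler of each driver object; a hooked dispatch table is one of the things that would show up in that listing. The Python below is an added example, not TDSSKiller's own logic and not part of the original thread: it rebuilds the per-driver handler table from a log in this format and flags any entry that sits far from the rest of the driver's own handlers. The embedded log is constructed in the same format, with one hypothetical out-of-image entry (8A9F1234) in the atapi table, and the 0x100000 distance threshold is an assumption.

```python
"""Rebuild the per-driver IRP dispatch table that TDSSKiller prints during its
kernel-memory scan and flag entries that do not look like they belong to the
driver's own image.  Added example, not TDSSKiller's own logic."""
import re
from statistics import median

# Constructed sample in the format of the thread's TDSSKiller log.  The fourth
# atapi entry (8A9F1234) is a hypothetical address far outside the driver's image.
SAMPLE_LOG = """\
17:59:57:062 3828 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\Disk, Driver Name: Disk
17:59:57:062 3828 DetectCureTDL3: IrpHandler (0) addr: BA10EC30
17:59:57:062 3828 DetectCureTDL3: IrpHandler (1) addr: 804F4476
17:59:57:062 3828 DetectCureTDL3: IrpHandler (2) addr: BA10EC30
17:59:57:062 3828 DetectCureTDL3: IrpHandler (3) addr: BA108D9B
17:59:57:062 3828 DetectCureTDL3: IrpHandler (4) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\atapi, Driver Name: atapi
17:59:57:078 3828 DetectCureTDL3: IrpHandler (0) addr: B9F1D572
17:59:57:078 3828 DetectCureTDL3: IrpHandler (1) addr: 804F4476
17:59:57:078 3828 DetectCureTDL3: IrpHandler (2) addr: B9F1D572
17:59:57:078 3828 DetectCureTDL3: IrpHandler (3) addr: 8A9F1234
17:59:57:078 3828 DetectCureTDL3: IrpHandler (4) addr: 804F4476
"""

DRIVER_RE = re.compile(r"DRIVER_OBJECT name: \S+, Driver Name: (\S+)")
IRP_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]{8})")


def parse_irp_tables(log_text):
    """Return {driver_name: {irp_major_index: handler_address}}.  A DRIVER_OBJECT
    line opens a table and the IrpHandler lines that follow fill it.  TDSSKiller
    prints the same driver once per device object, so repeats simply merge."""
    tables, current = {}, None
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = tables.setdefault(m.group(1), {})
            continue
        m = IRP_RE.search(line)
        if m and current is not None:
            current[int(m.group(1))] = int(m.group(2), 16)
    return tables


def shared_default_handler(tables):
    """The single address present in every driver's table: the kernel's default
    routine for major functions a driver does not implement.  None if there is
    no unique shared address."""
    common = None
    for table in tables.values():
        addrs = set(table.values())
        common = addrs if common is None else common & addrs
    return common.pop() if common and len(common) == 1 else None


def flag_outliers(table, shared, span=0x100000):
    """Heuristic (assumption): a driver's own dispatch routines all live inside
    its image, so apart from the shared default they cluster within `span`
    bytes of one another.  Entries outside that cluster are returned for review."""
    own = [a for a in table.values() if a != shared]
    if not own:
        return {}
    centre = median(own)
    return {i: a for i, a in sorted(table.items())
            if a != shared and abs(a - centre) > span}


def triage(log_text):
    """Map each driver name to the {index: address} entries worth a closer look."""
    tables = parse_irp_tables(log_text)
    shared = shared_default_handler(tables)
    return {name: flag_outliers(tbl, shared) for name, tbl in tables.items()}


if __name__ == "__main__":
    for driver, suspicious in triage(SAMPLE_LOG).items():
        status = "ok" if not suspicious else ", ".join(
            f"IRP {i} -> {a:08X}" for i, a in suspicious.items())
        print(f"{driver:8s} {status}")
```

Run against the log in the post, every handler of Disk and atapi lands in its own driver's cluster or on the shared default, which agrees with the "Verdict: Clean" lines; the heuristic only says where to look, so a flagged entry still needs the driver image compared against the file on disk before anything is concluded.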

Re: Symantec alert Backdoor.Tidserv!inf.... can't get rid of it, please help

Post by Dr Jay on Tue Feb 16, 2010 2:26 pm

Please download RootRepeal from [You must be registered and logged in to see this link.].

  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report.
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.

Please remove any e-mail address in the RootRepeal report (if present).


Dr. Jay (DJ)



Re: Symantec alert Backdoor.Tidserv!inf.... can't get rid of it, please help

Post by entityxero on Tue Feb 16, 2010 4:04 pm

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/02/16 09:43
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA8352000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5E4000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA61B3000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\RootRepeal report 02-16-10 (09-43-16).txt
Status: Visible to the Windows API, but not on disk.

Path: c:\windows\temp\perflib_perfdata_3f8.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100214.004\EraserUtilRebootDrv.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "" at address 0x8aea8290

#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba11887e

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa8823350

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa8823580

==EOF==

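The RootRepeal report above has three kinds of entries: loaded drivers, files on which the Windows API and the raw disk disagree, and SSDT entries that have been hooked, each with the module doing the hooking. Most of it has an everyday explanation (the dump_ drivers and rootrepeal.sys are loaded from memory rather than from a visible file, hiberfil.sys is always locked, the report file itself is still being written, and a security product hooking registry functions is what it is installed to do); what a reader scans for is the entry with no such explanation, and a hook whose owning module has no name is the classic one. The Python below, an added example rather than anything RootRepeal ships, parses a report in this format and applies those triage rules. The embedded report is constructed (xyzhidden.sys and example_av.sys are hypothetical names), and the allow-lists of expected hookers, normally invisible drivers and normally locked files are assumptions to be adjusted for the machine in question.

```python
"""Triage a RootRepeal report: parse its sections and separate entries with an
everyday explanation from the ones that have none.  Added example, not
RootRepeal's own code."""
import re

# Constructed sample in the format of the thread's report.  xyzhidden.sys and
# example_av.sys are hypothetical names; the addresses are arbitrary.
SAMPLE_REPORT = """\
ROOTREPEAL (c) AD, 2007-2009
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_atapi.sys
Address: 0xA8352000 Size: 98304 File Visible: No Signed: -
Status: -

Name: xyzhidden.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\xyzhidden.sys
Address: 0xA7000000 Size: 32768 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\\RootRepeal report 02-16-10 (09-43-16).txt
Status: Visible to the Windows API, but not on disk.

Path: c:\\windows\\temp\\perflib_perfdata_3f8.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "" at address 0x8aea8290

#: 041 Function Name: NtCreateKey
Status: Hooked by "example_av.sys" at address 0xba11887e

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\\WINDOWS\\system32\\Drivers\\SYMEVENT.SYS" at address 0xa8823350

==EOF==
"""

# Field names as RootRepeal prints them, longest first so that "Function Name"
# and "Image Path" are not mistaken for "Name" and "Path".
KEYS = ["Function Name", "Image Path", "File Visible", "Address", "Signed",
        "Status", "Size", "Path", "Name", "#"]
KEY_ALT = "|".join(re.escape(k) for k in KEYS)
FIELD_RE = re.compile(rf"({KEY_ALT}): (.*?)(?=\s+(?:{KEY_ALT}): |$)")
SECTION_RE = re.compile(r"^(\S[^\n]*)\n-{5,}$", re.M)
HOOK_RE = re.compile(r'Hooked by "([^"]*)" at address (0x[0-9a-fA-F]+)')

# Assumed allow-lists for this machine; adjust to what is actually installed.
EXPECTED_SSDT_HOOKERS = {"symevent.sys"}                   # the installed security product
EXPECTED_INVISIBLE_DRIVERS = ("dump_", "rootrepeal.sys")   # crash-dump drivers, the scanner itself
NORMALLY_LOCKED = {"hiberfil.sys", "pagefile.sys"}


def parse_report(text):
    """Return {section: [record, ...]}; a record holds the 'Key: value' fields of
    one blank-line-separated block (several fields may share a line)."""
    parts = SECTION_RE.split(text)  # [preamble, name1, body1, name2, body2, ...]
    report = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        records = []
        for block in re.split(r"\n\s*\n", body.strip()):
            rec = dict(pair for line in block.splitlines() for pair in FIELD_RE.findall(line))
            if rec:
                records.append(rec)
        report[name] = records
    return report


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(text):
    """Return (severity, section, detail) tuples; routine entries are filtered out."""
    report, findings = parse_report(text), []
    for rec in report.get("Drivers", []):
        name = rec.get("Name", "")
        if rec.get("File Visible") == "No" and not name.lower().startswith(EXPECTED_INVISIBLE_DRIVERS):
            findings.append(("high", "Drivers", f"{name} is loaded but has no visible file on disk"))
    for rec in report.get("Hidden/Locked Files", []):
        path, status = rec.get("Path", ""), rec.get("Status", "")
        if status.startswith("Allocation size mismatch"):
            findings.append(("medium", "Hidden/Locked Files", f"{path}: {status}"))
        elif status.startswith("Locked") and basename(path) not in NORMALLY_LOCKED:
            findings.append(("low", "Hidden/Locked Files", f"{path}: {status}"))
    for rec in report.get("SSDT", []):
        m = HOOK_RE.search(rec.get("Status", ""))
        if not m:
            continue
        module, addr, func = m.group(1), m.group(2), rec.get("Function Name", "?")
        if module == "":
            findings.append(("high", "SSDT", f"{func} hooked by an unnamed module at {addr}"))
        elif basename(module) not in EXPECTED_SSDT_HOOKERS:
            findings.append(("medium", "SSDT", f"{func} hooked by unexpected module {module} at {addr}"))
    return findings


if __name__ == "__main__":
    for severity, section, detail in triage(SAMPLE_REPORT):
        print(f"[{severity}] {section}: {detail}")
```

On the constructed report this leaves four findings: the driver with no file behind it, the perflib allocation mismatch, the unnamed NtConnectPort hook, and the hook by a module not on the allow-list. The point of the allow-lists is that a report like this is only readable once the expected noise has been named; anything that survives the filter is what the helper in the thread would be asking about next.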

Re: Symantec alert Backdoor.Tidserv!inf.... can't get rid of it, please help

Post by Dr Jay on Wed Feb 17, 2010 2:43 am

Please run a free online scan with the [You must be registered and logged in to see this link.]
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Dr. Jay (DJ)



Re: Symantec alert Backdoor.Tidserv!inf.... can't get rid of it, please help

Post by entityxero on Wed Feb 17, 2010 12:26 pm

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=7.00.6000.16762 (vista_gdr.081013-1507)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=777c9632b097da439fd0f7308e47899b
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-02-17 09:16:12
# local_time=2010-02-17 04:16:12 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=527374
# found=3
# cleaned=3
# scan_time=14859
C:\Qoobox\Quarantine\C\WINDOWS\system32\gNoWvyay.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\gNoWvyay.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\gNoWvyay.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


Re: Symantec alert Backdoor.Tidserv!inf.... can't get rid of it, please help

Post by entityxero on Wed Feb 17, 2010 2:20 pm

Thanks for your help so far, BTW. My anti-virus has been going off about once a day with this bug; however, when I ran that scan, it went off about 10 times... what causes that?


Re: Symantec alert Backdoor.Tidserv!inf.... can't get rid of it, please help

Post by Dr Jay on Thu Feb 18, 2010 5:18 am

Please download the [You must be registered and logged in to see this link.]. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.


Dr. Jay (DJ)



Re: Symantec alert Backdoor.Tidserv!inf.... can't get rid of it, please help

Post by Dr Jay on Wed Feb 24, 2010 6:18 pm

Still with us? If so, please tell me how your computer is running.


Dr. Jay (DJ)



Re: Symantec alert Backdoor.Tidserv!inf.... can't get rid of it, please help

Post by entityxero on Wed Feb 24, 2010 6:35 pm

Hi, I'm sorry about the lateness of my reply. I still have the issue. I ran the program that you requested, but at the end of the scan I got the "blue screen". I haven't been able to re-scan, but I will have time this weekend. Thank you very much for helping me with this.


Re: Symantec alert Backdoor.Tidserv!inf.... can't get rid of it, please help

Post by Dr Jay on Wed Feb 24, 2010 6:57 pm

Crashes (Blue-Screen-of-Death) when running anti-malware and anti-rootkit scanners can be influenced by a variety of things, including problems encountered with certain types of files (.exe, .dll, .sys, .cab, archived, compressed, packed, etc.) that are being scanned. Crashes can also be influenced by hardware/software issues, overheating caused by a failed processor fan, bad RAM (memory), a failing or underpowered power supply, CPU overheating, motherboard, video card, faulty or unsigned device drivers, CMOS battery going bad, BIOS and firmware problems, dirty hardware components, programs hanging or unresponsive in the background, and even malware. Without knowing the specific information provided on the blue diagnostic screen (error codes, files involved), it's difficult to determine the exact cause.


Dr. Jay (DJ)



Re: Symantec alert Backdoor.Tidserv!inf.... can't get rid of it, please help

Post by entityxero on Wed Feb 24, 2010 7:05 pm

It was basically dumping files. If it happens again, I'll post the message. I tried to do a system restore; it seemed to help, but then it came back lol.
