I need help removing a backdoor.tidserv!inf file!



Post by Pendulum on Thu 10 Mar 2011, 6:42 am

Hello there,
I have had this virus for two years now, and I'm not sure if it's causing any major problems. I'm trying to get my PC cleaned since my e-mail has been recently hacked by someone from India, and I'm wondering what could be the cause of that. I have two needs of assistance if I may ask kindly.
1) How to manually remove this virus

-&-

2) How to prevent my e-mail from being hacked.

For #1: I use Norton Internet Security, and I have done a full system scan and it says that I have this virus. It also says that it cannot remove it and that I must remove it manually. However, there are two versions of this file I think. The first one is called atapi.sys.vir and the second one is called atapi.sys.vir_ (They're pretty much named the same and are both 20 KB). They are both located under C:\Qoobox\Quarantine\C\Windows\system32\Drivers and I'm afraid to just click and drag the files to the recycle bin, as perhaps that might not be the solution. I use a Windows Vista 2007 and use Norton Internet Security (As I stated before).

For #2: My e-mail has been acting quite suspicious lately. About sometime earlier this year in February, I checked my e-mail to find that it has sent spam to quite a large number of other e-mails. It was suspicious because even gmail told me that it was. I checked the IP address of the last location that my e-mail was accessed and it said it was from South Carolina, USA. I live in Iowa, USA. That's quite a distance. Today, just this morning at 4:00 AM Central Time, my e-mail has done the same thing, except now it has sent a virus to EVERY e-mail that I have been in contact with that e-mail. It sent a link to a malicious website. That's not the worst part: some of my contacts include the school teacher's e-mails in which I e-mail to get assignments and it has sent it to pen pals. I checked the IP address of when and where my e-mail was used and Gmail traced it all the way to India on a CELLPHONE. I don't think I'll ever trust the internet with my passwords in fear of this happening again, unless someone could tell me how this was caused. Luckily, I sent an e-mail to all of my contacts saying that I will delete my e-mail AND that the last message that was sent to them coming from that e-mail wasn't me. I have now deleted the e-mail account so I can no longer access it, as well as anyone else who had access to it. Unfortunately, I have an open mind. The cause may have been that a person hacked into my e-mail by hacking into my password. It could also have been caused because I have spyware on my PC or someone is hacking me, in which they get to see EVERYTHING I type, including passwords. If there is any way to get rid of my e-mail problem in which it gets hacked, PLEASE let me know. I offer my gratitude and respect for you people who have helped others and hopefully me too.

Pendulum

Unborn

Posts : 2
Joined : 2011-03-10
Operating System : Windows Vista



Re: I need help removing a backdoor.tidserv!inf file!

Post by Gabethebabe on Thu 10 Mar 2011, 8:06 am

Hi Pendulum and welcome to GeekPolice! I am Gabethebabe and I will be helping you with this issue. Before we start some general remarks/rules:
  • Whilst I'm helping you, please follow my instructions carefully and do not experiment on your own or accept help from other persons.
  • Feel free to ask questions! Especially if my instructions are not clear. I'm here to help, not confuse you.
  • I will try and respond quickly, but please understand I do have a real life (job, wife, 3 kids, kinky hobbies).
  • Stick with me till the end! If your computer starts running better, that doesn't mean it is clean yet!


====================

We are going to use ComboFix by sUBs, a powerful tool that you are advised not to run without supervision of a trained malware helper. Please visit this webpage and read the tutorial on using ComboFix very carefully. After that download the tool and save it to your desktop.

Double-click ComboFix.exe to run the tool. Please post its log back here.

Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS



Re: I need help removing a backdoor.tidserv!inf file!

Post by Pendulum on Thu 10 Mar 2011, 1:16 pm

Here you are my good sir, I did EXACTLY as the instructions said. Also, thank you for the welcome, I am brand new to this website. I have heard some stories about it and that's how I came to know it.

ComboFix 11-03-09.02 - jamador 03/09/2011 19:47:00.2.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2036.1219 [GMT -6]
Running from: c:\users\jamador\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\jamador\AppData\Roaming\inst.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-10 to 2011-03-10 )))))))))))))))))))))))))))))))
.
.
2011-03-10 02:00 . 2011-03-10 02:00 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-03-10 02:00 . 2011-03-10 02:00 -------- d-----w- c:\users\rey\AppData\Local\temp
2011-03-10 02:00 . 2011-03-10 02:00 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-03-10 02:00 . 2011-03-10 02:00 -------- d-----w- c:\users\Petra\AppData\Local\temp
2011-03-10 02:00 . 2011-03-10 02:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-02 01:22 . 2011-03-02 01:22 -------- d-----w- c:\program files\Tag Support Plugin for Media Player
2011-02-23 19:58 . 2011-02-23 19:58 94208 ----a-w- c:\windows\DIIUnin.exe
2011-02-23 19:58 . 2011-02-23 19:58 2829 ----a-w- c:\windows\DIIUnin.pif
2011-02-20 01:29 . 2011-02-23 20:10 -------- d-----w- c:\program files\Diablo II
2011-02-14 23:58 . 2011-02-14 23:58 -------- d-----w- c:\users\jamador\AppData\Roaming\Inspiration Software
2011-02-14 23:58 . 2004-03-29 23:23 90112 ----a-w- c:\windows\unvise32.exe
2011-02-14 23:58 . 2011-02-14 23:58 -------- d-----w- c:\users\jamador\AppData\Roaming\Softland
2011-02-14 23:58 . 2011-02-14 23:58 -------- d-----w- C:\Softland
2011-02-14 23:56 . 2011-03-06 15:19 -------- d-----w- c:\programdata\Inspiration 9
2011-02-08 20:45 . 2010-12-31 13:57 2039808 ----a-w- c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-20 14:50 . 2009-05-11 18:47 21840 ----atw- c:\windows\system32\SIntfNT.dll
2011-02-20 14:50 . 2009-05-11 18:47 17212 ----atw- c:\windows\system32\SIntf32.dll
2011-02-20 14:50 . 2009-05-11 18:47 12067 ----atw- c:\windows\system32\SIntf16.dll
2010-12-28 15:55 . 2011-01-12 13:19 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-14 14:49 . 2011-01-12 13:18 1169408 ----a-w- c:\windows\system32\sdclt.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 17:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2010-05-13 11:43 2515552 ----a-w- c:\program files\Vuze_Remote\tbVuz1.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]
2009-05-20 23:05 2085400 ----a-w- c:\program files\Mininova-Vuze\tbMini.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{d51d388b-f5dc-471a-a1ce-5e2d671091c0}"= "c:\program files\Mininova-Vuze\tbMini.dll" [2009-05-20 2085400]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuz1.dll" [2010-05-13 2515552]
.
[HKEY_CLASSES_ROOT\clsid\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D51D388B-F5DC-471A-A1CE-5E2D671091C0}"= "c:\program files\Mininova-Vuze\tbMini.dll" [2009-05-20 2085400]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\tbVuz1.dll" [2010-05-13 2515552]
.
[HKEY_CLASSES_ROOT\clsid\{d51d388b-f5dc-471a-a1ce-5e2d671091c0}]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-13 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"Easy Dock"="" [BU]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-01-10 1230704]
.
c:\users\Petra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
c:\users\jamador\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
RCA Detective.lnk - c:\users\jamador\Documents\RCA Detective\RCADetective.exe [2009-7-2 910848]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-7-20 50688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-07-20 23:23 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 20:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 16:13 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2008-03-11 17:44 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-15 03:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-24 07:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2010-11-24 16:44 2975640 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2007-09-17 16:56 124200 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 16:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-01-13 00:14 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c9cab9bab6c7aa;Google Update Service (gupdate1c9cab9bab6c7aa);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-02 133104]
R3 EraserUtilDrvI9;EraserUtilDrvI9;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2009-11-14 691696]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1108000.005\SYMDS.SYS [2009-10-15 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1108000.005\SYMEFA.SYS [2010-04-22 173104]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20110225.002\BHDrvx86.sys [2011-02-25 800376]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1108000.005\ccHPx86.sys [2010-02-26 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20110304.001\IDSvix86.sys [2010-11-09 353912]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1108000.005\Ironx86.SYS [2010-04-29 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NIS\1108000.005\SYMTDIV.SYS [2010-05-06 339504]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-05 77824]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 21504]
S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [2009-04-02 464264]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2009-04-02 234888]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe [2010-02-26 126392]
S2 NSL;Norton Safe Web Lite;c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe [2010-05-23 126904]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-09-14 102448]
S3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2008-10-28 126472]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-26 00:04]
.
2011-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-02 00:05]
.
2011-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-02 00:05]
.
2011-03-09 c:\windows\Tasks\User_Feed_Synchronization-{A5508526-43D4-4958-B4B2-3B59E463A8E1}.job
- c:\windows\system32\msfeedssync.exe [2011-02-08 04:47]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
LSP: c:\windows\system32\wpclsp.dll
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Easy Dock - c:\users\jamador\Documents\RCA easyRip\EZDock.exe
MSConfigStartUp-DAEMON Tools Lite - c:\program files\DAEMON Tools Lite\DTLite.exe
MSConfigStartUp-Easy Dock - c:\users\jamador\Documents\RCA easyRip\EZDock.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-03-09 20:01
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.8.0.5\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NSL]
"ImagePath"="\"c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe\" /s \"NSL\" /m \"c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-03-09 20:06:11
ComboFix-quarantined-files.txt 2011-03-10 02:05
ComboFix2.txt 2010-09-02 16:52
.
Pre-Run: 48,756,166,656 bytes free
Post-Run: 51,559,624,704 bytes free
.
- - End Of File - - AA86AEB334098B32B28212994224B2FB

Pendulum

Unborn

Posts : 2
Joined : 2011-03-10
Operating System : Windows Vista



Re: I need help removing a backdoor.tidserv!inf file!

Post by Gabethebabe on Thu 10 Mar 2011, 11:48 pm

Well, this doesn't look bad at all, Pendulum. I have two recommendations for you and we'll run another scan.

====================

You have an old version of Adobe Reader installed. This old version has security issues.
I recommend that you uninstall Adobe Reader through Start > Control Panel > Add or Remove Programs.
After that you should install a PDF reader that is more secure.
Please note that Adobe Reader has a history of security issues and is a prime target for malware writers due to its popularity. You might want to consider installing a non-Adobe PDF reader. Your choice!
  • Adobe Reader 10.0. The latest and safest version of Adobe Reader.
  • SumatraPDF. Very small and very light PDF viewer.
  • PDF XChange. Also available in 64-bit version if you have a 64-bit OS. Can be installed as portable.



====================

It appears you have Ask Toolbar installed. Practically all, if not all, anti-malware sites, including GeekPolice, have Ask Toolbar flagged as untrustworthy, because it uses shady practices for distributing and installing its toolbar; see here for more info.

I therefore highly recommend that you go to Start >> Control Panel >> Add/Remove Programs and remove the following programs if present:
  • AskBarDis
  • Ask Toolbar

After that go to the C:\Program Files folder and delete the following folders, if present:
  • AskBarDis
  • Ask.com


====================

  • Download TDSSKiller by Kaspersky from here and save it to your Desktop
  • Double-click TDSSKiller.exe to run the tool
  • Click the Start Scan button
  • After the scan has finished, click the Close button
  • Click the Report button and copy/paste the contents of it into your next reply
  • The report can also be found in the root of your Windows drive (most likely C:\).


Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

