Backdoor.tidserv!inf


Solved Re: Backdoor.tidserv!inf

Post by dsapre on 25th November 2008, 5:53 pm

Hi
I apologise, yes I do understand that you have a full life! I deeply regret sending you the "PM". Anyway,
I am not sure if my USB hard drive is clean now (I do not know how to make sure). I have deleted
C:\Qoobox. What next please?


Post by Belahzur on 25th November 2008, 5:56 pm

Hello.
I have a bad feeling we're back to square one.

Let's see if your external HD is clean. Plug it in, but do not enter the drive. Your AV will probably pop up and the infection will return, but this time we can clean both.

Please download Flash_Disinfector from [You must be registered and logged in to see this link.]

  • First, download it to your desktop.
  • Now double click it to run it, and it will tell you what to do when you open it.
  • It will temporarily kill explorer.exe and your desktop will go blank.
  • Let Flash_Disinfector do its job and it will restart explorer.exe for you.
  • It will make a dummy autorun.inf in the root of every drive.
  • You can now delete Flash_Disinfector.exe.


If your AV popped up saying infection found, please re-run ComboFix.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Post by dsapre on 25th November 2008, 6:00 pm

Hello

Remember we did this yesterday, and that's when we got infected again. (If you please see my previous
posts, you will realise that you had instructed the same to me yesterday.) I had run Flash_Disinfector after getting the infection, and then we restarted the entire process. You also told me to keep the hard drive plugged in at all times.

Please let me know if I have to do it again!!!


Post by Belahzur on 25th November 2008, 6:05 pm

Ah, my bad. It's easier for me to ask for new logs so I know where I am and that the malware hasn't dropped a new payload.

I don't think it's infected, CF deleted the autorun worm and flash disinfector will prevent it returning.

Plug it in and see what happens.



Post by dsapre on 25th November 2008, 6:13 pm

As I said, it was plugged in at all times. Anyway, I have accessed it and there was no popup from Norton!
I think it's clean now. One thing though: on one of the partitions I found an Autorun.inf folder created by Flash_Disinfector.
Do I need to delete this now or let it be as it is? Would you like to see the latest logs from HijackThis and MBAM?

Also you said something about updating the security for the future. Please advise


Post by Belahzur on 25th November 2008, 6:18 pm

You can delete Flash_Disinfector.exe, but you won't be able to delete the autorun.inf folder created by F_D. It's hard to remove and was made that way so malware can't overwrite it should anything else happen.

No need for new logs, CF was clean.
Yes, we'll do some updating now, let's start with this:

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.


Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 10".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe that you downloaded to install the newest version.
Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from [You must be registered and logged in to see this link.]

  • First, unzip it.
  • Then run JavaRa.
  • Select English from the drop down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.



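The two Belahzur posts above explain that Flash_Disinfector plants a dummy autorun.inf folder in every drive root so an autorun worm cannot drop its own autorun.inf file there. The following is an added example, not code from the thread or from Flash_Disinfector: a small Python triage helper that tells the protective folder apart from a live autorun.inf file and flags entries that would execute something on insert or open. The drive roots it checks are constructed in a temp directory; the file names and values in them are made up for the demo.

```python
"""Triage autorun.inf in drive roots (added example; not from the thread)."""
import re
import tempfile
from pathlib import Path

# [autorun] keys that make Windows XP launch a program on insert/open.
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... hooks the context-menu verbs (Open, Explore, ...).
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def parse_autorun(text: str) -> dict:
    """Return the [autorun] section as {lowercase key: value}."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def assess_drive_root(root: Path) -> str:
    """Classify root/autorun.inf: absent, protected-dir, benign-file, suspicious-file."""
    target = root / "autorun.inf"
    if not target.exists():
        return "absent"
    if target.is_dir():
        return "protected-dir"          # the dummy folder Flash_Disinfector makes
    entries = parse_autorun(target.read_text(errors="replace"))
    if any(k in EXEC_KEYS or SHELL_CMD.match(k) for k in entries):
        return "suspicious-file"        # something would execute on insert/open
    return "benign-file"                # e.g. only icon= / label=


def demo() -> dict:
    """Build four constructed drive roots in a temp dir and classify each."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "protected").mkdir()
        (base / "protected" / "autorun.inf").mkdir()        # protective dummy folder
        (base / "benign").mkdir()
        (base / "benign" / "autorun.inf").write_text(
            "[autorun]\nicon=drive.ico\nlabel=Backup\n")      # constructed, harmless
        (base / "wormlike").mkdir()
        (base / "wormlike" / "autorun.inf").write_text(      # constructed sample
            "[AutoRun]\nopen=RECYCLER\\sample.exe\nshell\\open\\command=RECYCLER\\sample.exe\n")
        (base / "empty").mkdir()
        return {name: assess_drive_root(base / name)
                for name in ("protected", "benign", "wormlike", "empty")}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} -> {verdict}")
```

To check a real USB drive, call assess_drive_root on its root (for example Path("E:/") on Windows); the function only reads, it never modifies the drive.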

Post by dsapre on 25th November 2008, 6:38 pm

I am having trouble loading JAVA from the link provided, any alternate links??


Post by Belahzur on 25th November 2008, 6:39 pm

Sorry, nope.
I did notice they have been having trouble with their server being slow or down. Just keep trying, it will let you on eventually.



Post by dsapre on 25th November 2008, 7:06 pm

Hi
Finished as instructed, see the JavaRa log below:

JavaRa 1.11 Removal Log.
Report follows after line.
------------------------------------
The JavaRa removal process was started on Tue Nov 25 23:04:34 2008


------------------------------------
Finished reporting.


Post by dsapre on 25th November 2008, 7:08 pm

Please also advise on the following if possible:

1) Norton or Kaspersky
2) Do I require a firewall? I don't have one
3) Is it advisable to upgrade to Vista?


Post by Belahzur on 25th November 2008, 7:26 pm

1. I'd stay with Norton for now; installing Kaspersky will cause more problems because even after uninstalling Norton, it leaves registry keys behind, and Kaspersky picks them up and won't install till you remove them.
2. Yes, firewalls are a must. They will help keep your machine safe.
3. Your choice on this one. Vista requires more RAM than XP to run smoothly because it's a bigger OS, and the UAC feature in Vista can be annoying.



Post by dsapre on 25th November 2008, 7:29 pm

Your expert advice is much appreciated. Thanks again for everything. If you have some tips for system
improvement, please let me know.

By the way, congrats on achieving 1000 posts (I saw the log from Inferno).
Cheers!!!


Post by Belahzur on 25th November 2008, 7:32 pm

Hello.
Thank you.
Some tips:

Download [You must be registered and logged in to see this link.]

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:

  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
====
This will give you some HDD space back.

Please download Purera.exe from [You must be registered and logged in to see this link.]

  • First, unzip the program.
  • Double click Purera.exe to open it.
  • When it opens, press the "Clean" button.
  • This will open up a menu of options.
  • Tick the box that says "Check All"
  • Then press the "Clean Selected" button.
  • This will start the cleaning process.
  • For a minute or two, Purera.exe may act like it isn't responding, but let it run.
  • After it's done, it will make a log file of what it's removed, but I don't need to see it.


If everything is good when you post back, I'll post my tips on keeping your system safe.



Post by dsapre on 25th November 2008, 7:45 pm

Everything was OK with ATF Cleaner and PureRa; just wondering, can PureRa be used on USB drives? It did not access my USB HDD (that was infected too).
Also please let me know what to do with the following on my desktop:
1) MBAM
2) ComboFix
3) ATF Cleaner
4) PureRa
5) Hijack This

Do I keep all for future disasters or can I uninstall them?
Could you suggest me a good firewall!! Thanks, much appreciated


Post by dsapre on 25th November 2008, 7:53 pm

Lastly! could you also suggest some good registry cleaner to get rid of unwanted entries which remain after programme uninstall/removal??


Post by Belahzur on 25th November 2008, 7:55 pm

MBAM - Keep it, it can be useful as an antispyware program.
Combofix - Delete it.
ATF + PureRa - Keep them, they are very small programs and use them often to keep your HDD free of temp files and other unneeded junk.
Hijack This - You can uninstall it if you want to.

ATF-Cleaner/Purera don't work on external drives, only the drive/partition the system is installed on.



Post by Doctor Inferno on 3rd December 2008, 3:52 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

