Backdoor.Tidserv.I!nf Virus on XP Machine

Discussion in 'Malware Help (A Specialist Will Reply)' started by sevenismagic, Sep 6, 2010.

  1. sevenismagic

    sevenismagic Private First Class

    This virus multiplies and eventually comes up with list after list of new trojans, etc. Even after clearing the quarantine files, Symantec pops up again and again, starting the process over.

    Help~! Logs are attached.

    Thanks!
    Seven
     
  2. sevenismagic

    sevenismagic Private First Class

    Forgot logs.
     


  3. evilfantasy

    evilfantasy Malware Fighter

    Hello sevenismagic.

    I suggest going to Add or Remove Programs and uninstalling:

    • Noderator
    This is the Nod32 registration reminder and is not doing you any good. It is running at every startup.



    Go to TDSSKiller and Download TDSSKiller.zip to your Desktop
    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any sub-folder of the Desktop.
    • Click Start > Run, copy/paste the following command into the Run box and hit Enter.
    "%userprofile%\Desktop\TDSSKiller.exe" -v
    • Follow the instructions to type in "delete" when it asks you what to do if it finds something.
    • When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply.




    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
    It must be Notepad, not Wordpad.
    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

    Code:
    KillAll::
    
    File::
    c:\windows\Aboxuqejakok.dat
    c:\windows\Onodafidacos.bin
    
    Folder::
    c:\program files\Registry Patrol
    c:\documents and settings\PowerSpec\Local Settings\Application Data\cyuaualid
    c:\documents and settings\PowerSpec\Local Settings\Application Data\hyebtqlyb
    c:\documents and settings\PowerSpec\Local Settings\Application Data\qyxbtykhx
    c:\documents and settings\PowerSpec\Local Settings\Application Data\clvctowwh
    c:\documents and settings\PowerSpec\Local Settings\Application Data\lkpctwwee
    
    3. Go to the Notepad window and click Edit > Paste
    4. Then click File > Save
    5. Name the file CFScript.txt - Save the file to your Desktop
    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

    http://img249.imageshack.us/img249/1218/cfscript1.gif

    ComboFix will begin to execute, just follow the prompts.
    After reboot (in case it asks to reboot), it will produce a log for you.
    Post that log (Combofix.txt) in your next reply.

    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.




    Were you able to get SUPERAntiSpyware to install correctly?

    It shouldn't be running from your desktop.

    In your next reply please attach the SAS log. It is located here:

    Code:
    C:\Documents and Settings\PowerSpec\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\superantispyware.log
    MGtools should not be running from the desktop either.

    Go to C:\MGtools and run the GetLogs.bat from there and attach the new MGlogs.zip file that it creates.

    It's important to always let software install where it is supposed to be. If something goes wrong you could easily lose any backups and be stuck with a broken OS and have to reinstall.

    Next post please attach:

    • TDSSKiller log
    • New ComboFix log
    • New MGlogs.zip
    • Also attach the Superantispyware log from the location shown above.
     
  4. sevenismagic

    sevenismagic Private First Class

    Firstly, thank you.

    Ok. Noderator has been uninstalled. None of the programs from the sticky post had any problems running. I have attached the logs created by running them from the C: drive as you requested. I installed and ran them from the desktop because in one of the steps it seemed to say that installing and running from C: might not be the right thing to do. Maybe it was just one of the programs and I did all of them that way.
     


  5. evilfantasy

    evilfantasy Malware Fighter

    I don't think that's the right TDSSKiller log. Please delete TDSSKiller and run it again with these new instructions.

    Download TDSSKiller from Kaspersky directly onto your Desktop
    • Now double click the TDSSKiller.exe file to run it (if using Vista or Windows 7 do not double click on it but rather right click and select Run As Administrator).
    • Allow the application to run if prompted by Windows or any security programs you have installed
    • It will start the scan and run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    • Whether an infection is found or not, a log file should be created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt, which is based on the program version # and date and time run.
    • Please attach the log to your next reply.
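The naming convention above (program version, then run date and time, baked into the log filename) is what the helper relies on to tell a real TDSSKiller log from some other file, which is the problem in this post. The following is an added example, not code from the thread or from Kaspersky: it parses that filename pattern, rejects anything that does not match, and picks the newest log in a directory listing. The directory listing embedded below is constructed for the example and is not one of the attachments from the thread.

```python
import re
from datetime import datetime
from pathlib import Path

# Filename pattern described in the post, e.g.
#   TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt
# group 1: program version, group 2: date DD.MM.YYYY, group 3: time HH.MM.SS
LOG_NAME = re.compile(
    r"^TDSSKiller\.(\d+(?:\.\d+)*)_(\d{2}\.\d{2}\.\d{4})_(\d{2}\.\d{2}\.\d{2})_log\.txt$",
    re.IGNORECASE,
)


def parse_log_name(name):
    """Return (version, run_time) for a TDSSKiller log filename.

    Returns None for any file that does not follow the convention, or whose
    date/time fields are not a valid timestamp, so a wrongly attached file
    (a ComboFix log, a renamed copy, a notes file) is rejected instead of
    being mistaken for the scanner's own output.
    """
    m = LOG_NAME.match(name)
    if not m:
        return None
    version, date_part, time_part = m.groups()
    try:
        run_time = datetime.strptime(date_part + " " + time_part, "%d.%m.%Y %H.%M.%S")
    except ValueError:
        return None
    return version, run_time


def newest_log(names):
    """Pick the most recently written TDSSKiller log from a list of filenames.

    Ordering uses the timestamp embedded in the name, not filesystem mtime,
    so copying the file elsewhere does not change which one is chosen.
    """
    best_name, best_time = None, None
    for n in names:
        parsed = parse_log_name(n)
        if parsed is None:
            continue
        if best_time is None or parsed[1] > best_time:
            best_name, best_time = n, parsed[1]
    return best_name


def newest_log_in(root):
    """Scan the root of the boot drive (e.g. 'C:\\\\') on a real machine."""
    return newest_log(p.name for p in Path(root).iterdir() if p.is_file())


# Constructed sample listing of a drive root (assumption for the example;
# these are not the files from the thread's attachments).
SAMPLE_ROOT_LISTING = [
    "boot.ini",
    "ComboFix.txt",
    "tdsskiller_notes.txt",
    "TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt",
    "TDSSKiller.2.4.1.2_07.09.2010_19.05.31_log.txt",
    "TDSSKiller.2.4.1.2_08.09.2010_07.12.03_log.txt",
]

if __name__ == "__main__":
    # On a live XP box you would call newest_log_in("C:\\") instead.
    print(newest_log(SAMPLE_ROOT_LISTING))
```

Running it against the sample listing selects the 08.09.2010 log and ignores both ComboFix.txt and the notes file; on a real machine call newest_log_in on the boot drive root, which is where the post says the log lands.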
     
  6. sevenismagic

    sevenismagic Private First Class

    I'm on it today after work hours.
     
  7. sevenismagic

    sevenismagic Private First Class

    Seems to have done the trick. It seems gone - is that possible?
     


  8. evilfantasy

    evilfantasy Malware Fighter

    Let's get a look at a new MGtools log to make sure that everything is gone.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Attach the new C:\MGlogs.zip file that will be created.
     
  9. sevenismagic

    sevenismagic Private First Class

    Issue has somehow been resolved. Thanks for trying.
     
  10. evilfantasy

    evilfantasy Malware Fighter

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  11. sevenismagic

    sevenismagic Private First Class

    I'm a little sad, but the person I was working with thought it was taking too much time, and the issue didn't get resolved. At the current time I think she is just too frustrated. Hopefully I will get the machine at my home in order to do all of this. I'm sorry to have wasted your time - I appreciate the effort very much.
     
