backdoor.tidserv inf infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by amaruskanic, May 4, 2010.

  1. amaruskanic

    amaruskanic Private E-2

    Hi,
    Hope you can assist with a virus / malware issue I am having.
    Symantec detected a Backdoor.tidserv inf infection on my PC.
    I have read and followed your removal instructions in READ this first, which discovered and removed infections. However, I still think there is an issue, as several Windows processes are still abending and FF occasionally starts a new tab pointing to a random website.
    I am attaching the results from my latest scans as per instructions, but they seem clean. Also attaching a copy of an error in Error.jpg.

    Many thanks
    Andrew
     

    Attached Files:

  2. amaruskanic

    amaruskanic Private E-2

    Additional log files

    RRlog2.txt is an error regarding unknown partitions.
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Say what?

    I am not seeing any malware in your logs. Let's just do a few things and see how it is afterward.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run both CCleaner as well as ATF Cleaner by Atribune.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  4. amaruskanic

    amaruskanic Private E-2

    Hi Tim,
    Thank you for the response.
    I have followed the instructions and all appeared to work. Log is attached.
    I can't comment on system stability at this stage; I will keep using it and see what happens and get back to you.

    Regards Andrew
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What did you mean by "....... several windows processes are still abending"?

    Your logs are clean. Are you still being redirected?
     
  6. amaruskanic

    amaruskanic Private E-2

    Tim,
    New tab creation is still occurring in FF.

    Regards Andrew
     
  7. amaruskanic

    amaruskanic Private E-2

    Here is another example of another Windows process abending.
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I have been over your logs a few times and not finding any malware. Does it happen in IE? Does it happen in either of the other two Admin. accounts? This is starting to sound like a software issue.

    Have you run both SAS and MBAM on both the other two accounts?
     
  9. amaruskanic

    amaruskanic Private E-2

    Tim,
    To answer your questions.
    Yes it does happen in IE.
    I can't say I have seen the issue in the other accounts, but they are rarely used. I haven't run SAS or MBAM in them.

    Symantec Antivirus showed the following on boot-up this morning, though. It says it left the file alone.

    Scan type: Auto-Protect Scan
    Event: Risk Found!
    Risk: Backdoor.Tidserv.I!inf
    File: C:\WINDOWS\system32\drivers\kbdclass.sys
    Location: C:\WINDOWS\system32\drivers

    Regards Andrew
     
    Last edited: May 5, 2010
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That is a system file for your keyboard. I doubt it is infected. But we can see if we can replace it:

    Now please download SystemLook from one of the links below and save it to your Desktop.

    Download Mirror #1


    Download Mirror #2

    • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select Run as administrator)
    • A blank window will open with the title "SystemLook v1.0-by Jpshortstuff".
    • Copy and Paste the content of the following codebox into the main textfield under "File":

    Code:
    :filefind
    kbdclass.sys
    • Please confirm everything is copied and pasted as I have provided above
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can close this notepad window as the log will already be saved as SystemLook.txt on your Desktop ( if you downloaded and ran SystemLook to your Desktop as requested ).
    • Please attach this log in your next reply.

    Note: The scan may take a while from several seconds to a minute or more depending on the number of files you have and how fast your computer can perform the task.
     
  11. amaruskanic

    amaruskanic Private E-2

    Systemlook file attached
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Each file is showing the same size, although one is indicating a date from today!

    Hummmm.........

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\kbdclass.sys | C:\WINDOWS\system32\drivers\kbdclass.sys
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    I just don't get that this would be the cause of the internet issue.

    Try doing an online scan:
    Using BitDefender Online Scan.
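    Added example, not from the thread or any of the tools it uses: the SystemLook listing above showed two copies of kbdclass.sys with the same size but a fresh date on one, which is what an in-place driver patch looks like. This Python script compares a live driver with its ServicePackFiles reference (the same pair the FCopy:: script copies) by SHA-256 as well as size, so a same-size modification is flagged where a size check alone would pass it; the file names and bytes in demo() are constructed stand-ins so it runs offline.

```python
# Added example (not a thread tool): compare a live driver with its
# ServicePackFiles reference by size and SHA-256. Sample bytes are constructed.
import hashlib
import os
import tempfile

def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def compare_driver(live_path: str, reference_path: str) -> dict:
    """Return size/hash facts plus a verdict; 'suspicious' means same length but
    different bytes, the in-place patch that a size-only comparison (like the
    SystemLook listing in the thread) cannot see."""
    # Caveat: the reference copy can be tampered with too; on a real system also
    # verify its Authenticode signature or a vendor-published hash.
    size_live, size_ref = os.path.getsize(live_path), os.path.getsize(reference_path)
    sha_live, sha_ref = sha256_of(live_path), sha256_of(reference_path)
    return {
        "size_live": size_live, "size_ref": size_ref,
        "sha256_live": sha_live, "sha256_ref": sha_ref,
        "same_size": size_live == size_ref,
        "same_hash": sha_live == sha_ref,
        "suspicious": size_live == size_ref and sha_live != sha_ref,
    }

def demo() -> dict:
    # Constructed stand-ins for C:\WINDOWS\system32\drivers\kbdclass.sys and the
    # pristine copy under ServicePackFiles\i386: 8 bytes changed, same length.
    pristine = b"MZ" + b"\x00" * 62 + b"kbdclass pristine driver body" + b"\x00" * 100
    patched = bytearray(pristine)
    patched[80:88] = b"PATCHED!"
    with tempfile.TemporaryDirectory() as d:
        ref = os.path.join(d, "kbdclass.sys.ref")
        live = os.path.join(d, "kbdclass.sys")
        with open(ref, "wb") as f:
            f.write(pristine)
        with open(live, "wb") as f:
            f.write(bytes(patched))
        return compare_driver(live, ref)

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

    On a real XP box you would call compare_driver() with the two paths from the FCopy:: line instead of demo().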
     
  13. amaruskanic

    amaruskanic Private E-2

    Tim,
    ComboFix.txt attached. I will run online scan now and advise you results.
    Many Thanks
     

    Attached Files:

  14. amaruskanic

    amaruskanic Private E-2

    Tim,
    Attached is BitDefender online scan results.

    I have also attached in VirusReport.txt a couple of notifications which popped up while the scan was running (after ComboFix was applied)

    Regards Andrew
     

    Attached Files:

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I see Bitdefender only hit on your keyfinder file. :(

    And these popped up from nowhere:
    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    File::
    c:\windows\system32\drivers\OLD41.tmp
    c:\windows\system32\drivers\OLD3A.tmp
    c:\windows\system32\drivers\OLD14.tmp
    c:\windows\system32\drivers\OLD37.tmp
    c:\windows\system32\drivers\OLD30.tmp
    c:\windows\system32\drivers\OLD25.tmp
    c:\windows\system32\drivers\OLD1E.tmp
    c:\windows\system32\drivers\OLD17.tmp
    c:\windows\system32\drivers\OLD6.tmp
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
  16. amaruskanic

    amaruskanic Private E-2

    Hi Tim,
    An update: I have not had any Windows processes die in the last 24 hours :) but I am still getting new tabs started in FF pointing to random sites.

    Logs attached as requested.

    Many thanks.
    Andrew
     

    Attached Files:

  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing anything in your logs to cause that. I suggest you follow these instructions for Uninstalling Firefox.

    Then after running CCleaner, download and reinstall it. Tell me what happens.
     
  18. amaruskanic

    amaruskanic Private E-2

    Hi Tim,
    Ok I have uninstalled FF, run CCleaner and reinstalled FF.
    FF and IE still have the redirects occurring :cry. And when I say redirects, I mean they both open new tabs, which point to a random site.

    I ran a full scan of the HDD with all the tools, including Symantec which initially detected the infection and all came back clean.

    Where to now?

    Regards Andrew
     
  19. amaruskanic

    amaruskanic Private E-2

    Tim,
    Left computer running for a few hours and came back to find this. (see attached jpg)
    Obviously Symantec still thinks there is an infection.

    Andrew
     

    Attached Files:

  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    From what I can see of what you posted, it is still looking like it doesn't like your keyboard. Why don't you try uninstalling Symantec and installing a different AV software to see what it finds. You can take a pick from any of the suggested programs here:

    How to Protect yourself from malware!
     
  21. amaruskanic

    amaruskanic Private E-2

    Timw,
    I didn't see the point in replacing one AV solution with another. If the replacement AV solution didn't show an issue, then we could have erroneously assumed the problem was fixed when it wasn't.

    What I did was replace KBDCLASS.sys with the version from the SP3 cab. This appears to have resolved the issues. I haven't had any warnings from Symantec about KBDCLASS.SYS, and the firewall has not detected any of these since:

    Attempted Intrusion "HTTPS Tidserv Request 2" against your machine was detected and blocked.
    Intruder: 202.157.171.207(https(443)).
    Risk Level: High.
    Protocol: TCP.


    I still don't trust the machine and won't be doing anything like online banking on it until I get a chance to reformat and reinstall.

    Thanks for your help - it truly was appreciated.
    Andrew
     
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I have recently seen that file in a few other instances as being infected. You may well have solved it with the file replacement, but I would feel better if we checked one more thing:


    • Please download maxlook , saving the file to your desktop.
    • Double click maxlook.exe to run it. Note - you must run it only once!
    • As instructed when the tool runs, restart the computer and logon to the Recovery Console.
    • This will require you to change the boot order in the BIOS so that your first boot option is the CD drive. Then boot with your XP CD in the drive and enter the RC.
    • Execute the following bolded command at the C:\windows> prompt. Refer to the snapshot to see how it will look. Double click the thumbnail to enlarge it.

      batch look.bat

    http://noahdfear.net/WTT/lookXP.gif



    • You will see 1 file copied many times then return to the x:\windows> prompt.
    • Type Exit to restart your computer then logon in normal mode.
    • Click Start >> Run and then type the following in the run box ( note the space before the - sign )

      maxlook -sig
    • It will produce looklog.txt on the desktop and open it.
    • Please attach the log to your next message.
     
  23. amaruskanic

    amaruskanic Private E-2

    Hi Tim,
    Maxlook log attached as requested.

    Regards Andrew
     

    Attached Files:

  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It's clean. If you aren't having any other malware issues, we can do our final cleanup:

    We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.

    * If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    * If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    * If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    * Go to add/remove programs and uninstall HijackThis.
    * Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    * If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    After doing the above, you should work through the below link:

     
