Backdoor.Tidserv!inf How do I get rid of it ?

Post by acantho on Mon Jun 14, 2010 3:29 pm

I've managed to somehow or other get infected with this; there now seem to be two of them! The 2nd one is not too surprising, seeing as one of the things this virus does is download other malware.

It's hidden itself inside a system driver. Norton picked it up but does not remove or quarantine it as it's a system file, and when I follow the help link it takes me here: http://securityresponse.symantec.com/se ... 99&tabid=3

This looks like more of a fix for ME/XP; I'm running Vista Home Premium. I think that if you do a system re-install it will get rid of it, but I'm kind of concerned about doing that as I've only ever done complete re-installs that have reformatted drives. I've got about 200 gigs of data files and progs on this HDD with about 120 gigs free, so you'll hopefully understand why I'm rather nervous about doing a system re-install!
This is what I'm getting from Norton (Unresolved security risks)
(quotes added by me to identify the text within each layer from Norton)
source: "netbt.sys"
activity: "infected file C:\Windows\System32\drivers\netbt.sys
manual removal required"

The second iteration of it has
source: "netbt.sys"
activity: "C:\Windows\winsxs\86x_microsoft-windows-netbt_31bf385ad364e35_6.0.6000.16386_none_5e2e0665fa591691\ntbt.sys
Manual removal required
Automatically run driver C:\Windows\System32\drivers\netbt.sys
no fix attempted"

Other things that this virus does that I can see: it turns off themes in Vista, making the OS look like an older version of Windows. It's easy enough to restart themes, but these should auto-start, so it may have turned off other things I haven't noticed.
Every so often I get two pop-ups, one saying "host process stopped working, Windows will notify you if a solution is found", the other saying "server has stopped working".
Also, if I shut down my comp, when I restart from cold, after I enter my password I get a long wait with the Windows "welcome" word being displayed, then it says "windows log in failed". The next attempt either starts Windows normally or starts it with most of my desktop missing; I then have to restart it again to get my normal desktop back.
I know it's a system file (from the properties of the file); the created, modified & accessed dates are all 2nd Nov 2006, which is around when I bought the comp new.
From reading up a little, this would be classed as a rootkit; whilst some of them are harmless and needed to run progs, e.g. Alcohol 120%, others can operate to copy passwords and login info and send them off to whoever wrote the virus.
Just wondering: if I download these drivers from Microsoft and copy them into the same folders as the infected drivers, can I then just delete the infected drivers? Something is telling me that is too simple and obvious a solution for it to work. I'm pretty shit at this kind of stuff and only learning on here, so don't laugh (too long and hard) at my thought of a solution other than doing a re-install.
If I re-install I'll have to download a myriad of Windows updates as well, seeing as my install disk is from when I bought the comp 3+ years back.

Any advice and help greatly appreciated.
Hopefully I can see an audio-visual media comp technician at work tomorrow; not too sure how up he is on these things, and I value the responses of quite a few of you more.
acantho
Experienced User
Posts: 98
Joined: Sat Apr 10, 2010 6:32 pm


Re: Backdoor.Tidserv!inf How do I get rid of it ?

Post by fashizzlepop on Mon Jun 14, 2010 5:40 pm

Honestly, didn't read much of your post, but it's good you gave that much detail.

I'd suggest running the MalwareBytes malware scanner or a (specially acquired version) of Spyware Doctor's scanner and remover.
Hope that helps.
The glass is neither half-full nor half-empty; it's merely twice as big as it needs to be.
fashizzlepop
Developer
Posts: 2304
Joined: Sat May 24, 2008 1:20 pm


Re: Backdoor.Tidserv!inf How do I get rid of it ?

Post by msbachman on Mon Jun 14, 2010 5:42 pm

See this thread. In short, a recommendation is to try "Malwarebytes". That tool rocks.

http://www.bleepingcomputer.com/forums/topic320777.html


Step through their process and see if it works for you. The name "backdoor.tidserv!inf" means nothing to me; it's a vendor-created name, created arbitrarily. Malware can be and is classified differently per vendor, so the name's not going to help us very much unless someone miraculously has in-depth experience with it.

If the thread doesn't help you, hopefully someone who knows more about malware than I do could assist you.
"I'm going to get into your sister. I'm going to get my hands on your daughter."
~Gatito
msbachman
Contributor
Posts: 685
Joined: Mon Jan 12, 2009 10:22 pm
Location: In the sky lol


Re: Backdoor.Tidserv!inf How do I get rid of it ?

Post by LoGiCaL__ on Mon Jun 14, 2010 6:57 pm

Hey, what's up man. Well, the good news is that you can at least boot the PC. I agree with the previous post: using Malwarebytes is a great idea. However, make sure you do it in safe mode with networking. If it doesn't let you update, go here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix, go about 1/4 to halfway down the page and click on bleepingcomputer.com to download ComboFix. This is the best thing out there.

Just make sure you have nothing else running and just be patient with it. After this is done, download Malwarebytes from cnet.com, install, update, and run in safe mode. Maybe even run it twice just to make sure. After that you should be good. I use ComboFix, Malwarebytes and a command-line scanner at work on our employees' PCs. As long as it boots, these will help you out.

One last thing. Make sure you have your System Restore turned off. Just right-click on My Computer, go to Properties > System Restore and turn it off until all scans are done. Otherwise you run the risk of having it reinstall during the next boot. Also, you may have to update Malwarebytes a couple of times. Sometimes when you update it the first time it goes up to May and you have to update it one more time to get it current. You will see the date version under Update.

Good luck.
LoGiCaL__
Addict
Posts: 1060
Joined: Sun May 30, 2010 12:33 pm


Re: Backdoor.Tidserv!inf How do I get rid of it ?

Post by fashizzlepop on Mon Jun 14, 2010 10:02 pm

I recently got a virus that MalwareBytes didn't catch. That's why I suggested Spyware Doctor too, in case MalwareBytes doesn't work.
The glass is neither half-full nor half-empty; it's merely twice as big as it needs to be.
fashizzlepop
Developer
Posts: 2304
Joined: Sat May 24, 2008 1:20 pm


Re: Backdoor.Tidserv!inf How do I get rid of it ?

Post by LoGiCaL__ on Mon Jun 14, 2010 11:18 pm

Well, that's the thing: I don't think one will ever get rid of all viruses. I use Malwarebytes, AVG, Norton, ComboFix and a command-line scanner. I usually run only three, depending on how bad the computer is. I have found that they all miss viruses and each one gets ones the others don't. My strategy is just to cast a wide net.

With that being said, there definitely are some better than others, and for their own individual reasons. I just have AVG on my work PC because they are too cheap to shell out for a suite. However, I find it is pretty good at real-time protection and spyware/cookies. Finding deeply rooted viruses it's not so good at. That's when Malwarebytes and ComboFix come into play. It's funny how some of the free ones are more useful at ridding the viruses than ones you pay for. Norton was good at intrusion detection, but at the cost of slowing down my PC very much.

It all comes down to your own needs and uses for the computer itself. But yeah, I have seen Malwarebytes miss viruses also, sometimes even catching one that it previously missed. Running it like 2-3 times would produce this result sometimes.
LoGiCaL__
Addict
Posts: 1060
Joined: Sun May 30, 2010 12:33 pm


Re: Backdoor.Tidserv!inf How do I get rid of it ?

Post by Goatboy on Mon Jun 14, 2010 11:32 pm

One tip I've learned that works on a lot of viruses is to boot into a live CD and manually remove a good chunk of the infected files. This cripples the virus enough (in most cases) that Malwarebytes can get it. Any good virus will block removal attempts from within the OS, so using a live CD takes that factor out of the equation.
Assume that everything I say is or could be a lie.
1UHQ15HqBRZFykqx7mKHpYroxanLjJcUk
Goatboy
Expert
Posts: 2752
Joined: Mon Jul 07, 2008 9:35 pm
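An added example (not code from the thread or any poster) of the offline check Goatboy describes: with the Windows volume mounted from a Linux live CD, hash every on-disk copy of the driver Norton flagged and compare them against a known-good hash you supply (a placeholder here). It also reports whether the System32 and WinSxS copies are the same underlying file, since Vista hard-links System32 files into the WinSxS store, which is one way a single bad driver gets reported twice; the sample volume is constructed, reusing the component directory name quoted in the opening post.

```python
import hashlib
import os
import tempfile
from pathlib import Path

DRIVER_NAME = "netbt.sys"  # the driver Norton flagged in the thread
KNOWN_GOOD_SHA256 = "PLACEHOLDER_SHA256_OF_CLEAN_NETBT_SYS"  # placeholder: hash of a clean copy

def sha256_of(path):
    """Hash a file in chunks so large drivers need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def find_driver_copies(win_root, name):
    """Every copy of the driver under System32\\drivers and WinSxS on the mounted
    volume. Read from a live CD these are the real on-disk files, which a
    kernel-mode rootkit inside the running OS could otherwise hide."""
    copies = []
    for sub in ("System32/drivers", "winsxs"):
        base = win_root / sub
        if base.is_dir():
            copies += [p for p in base.rglob("*") if p.name.lower() == name]
    return sorted(copies)

def triage_driver(win_root, name, known_good):
    """Hash each copy, check all against the known-good hash, and note whether
    the copies are one underlying file (Vista hard-links System32 files into
    the WinSxS store, so a single bad file can be reported twice)."""
    copies = find_driver_copies(win_root, name)
    hashes = {str(p.relative_to(win_root)): sha256_of(p) for p in copies}
    return {
        "copies": hashes,
        "all_match_known_good": bool(hashes) and set(hashes.values()) == {known_good},
        "same_file": len(copies) > 1 and len({os.stat(p).st_ino for p in copies}) == 1,
    }

def build_sample_volume():
    """Constructed sample (not a real disk): a tampered driver in the WinSxS
    store hard-linked into System32\\drivers, mirroring the thread's two hits."""
    root = Path(tempfile.mkdtemp())
    sxs = root / "winsxs" / "86x_microsoft-windows-netbt_31bf385ad364e35_6.0.6000.16386_none_5e2e0665fa591691"
    drv = root / "System32" / "drivers"
    for d in (sxs, drv):
        d.mkdir(parents=True)
    (sxs / DRIVER_NAME).write_bytes(b"MZ fake driver image with unexpected trailing bytes")
    os.link(sxs / DRIVER_NAME, drv / DRIVER_NAME)  # System32 copy is the same inode
    return root
```

On a real live-CD session, point `triage_driver` at the mount point of the Windows partition (e.g. the directory containing `System32`) instead of the constructed volume.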


Re: Backdoor.Tidserv!inf How do I get rid of it ?

Post by fashizzlepop on Tue Jun 15, 2010 1:57 am

Goatboy wrote:One tip I've learned that works on a lot of viruses is to boot into a live CD and manually remove a good chunk of the infected files. This cripples the virus enough (in most cases) that Malwarebytes can get it. Any good virus will block removal attempts from within the OS, so using a live CD takes that factor out of the equation.

Another way to use a Linux live CD is to use this tool that usually sits on the desktop. It is called "install" and can solve many of your virus problems. Quite the ingenious tool, if I don't say so myself.
The glass is neither half-full nor half-empty; it's merely twice as big as it needs to be.
fashizzlepop
Developer
Posts: 2304
Joined: Sat May 24, 2008 1:20 pm


Re: Backdoor.Tidserv!inf How do I get rid of it ?

Post by acantho on Tue Jun 15, 2010 3:42 am

Thanks guys !

I had run Malwarebytes before but it didn't pick it up (also ran Ad-Aware; it picked up another minor infection but not this one), but I hadn't run it in safe mode. So I'll try updating it and running it again in safe mode, then try ComboFix and Spyware Doctor. I'll let you know how I get on.

Not so worried about what I can see this virus doing; it's more the potential for it stealing passwords/logins/credit card/bank details, though as I'm really skint at the moment they won't get much, if anything, if they do get them!

-- Tue Jun 15, 2010 12:02 pm --

Spyware Doctor seems to have got it and removed it. Just running another scan with Norton now, and then will re-scan with Spyware Doctor and Malwarebytes, do a system restart and repeat scans and see where I am after that (*crosses fingers lappy will restart OK*).

Not sure how allowed the following is; if it's breaking rules please delete this part of my post and accept my apologies. I got Spyware Doctor with Antivirus, downloaded and ran the scan, but it wouldn't fix anything without buying it/registering it; had a google and found a license and user name for it that works. If anybody wants it then PM me and I'll pass it on.

Thanks for your help and advice again guys, much appreciated.
acantho
Experienced User
Posts: 98
Joined: Sat Apr 10, 2010 6:32 pm


Re: Backdoor.Tidserv!inf How do I get rid of it ?

Post by Goatboy on Tue Jun 15, 2010 7:43 am

Ummm... Yea. The whole point of the live CD is so you can mess with your Windows files from a non-restricted environment where the virus can't block your actions. Then when you're done, Windows has no idea you were there, since it was from a live CD. It's like a doctor removing a tumor as opposed to you trying to do it yourself. Installing Linux would technically fix the virus problem, but it's kind of silly to do that now, isn't it?

ADD: Just got the sarcasm. It's 7:30 in the morning. Give me a break.

And yea, that would count as "piracy" which we're supposed to warn against. Plus, there are so many better AVs that are free that I can't imagine a use for something commercial. At least not on an individual basis.
Assume that everything I say is or could be a lie.
1UHQ15HqBRZFykqx7mKHpYroxanLjJcUk
Goatboy
Expert
Posts: 2752
Joined: Mon Jul 07, 2008 9:35 pm

