Author Topic: Tidserv  (Read 20008 times)

SuperDave

  • Malware Removal Specialist


  • Genius
  • Thanked: 1020
  • Certifications: List
  • Experience: Expert
  • OS: Windows 10
Re: Tidserv
« Reply #30 on: November 17, 2010, 11:58:30 AM »
Quote
Also can I run a live update with "Symantec Endpoint" or will it interfere with all the programs that were installed to help resolve my issues?
Yes. Go ahead and run it. We will be removing those programs now. You may keep SAS and MBAM, if you wish. Update them and run them every so often to keep the bugs out.

Quote
Also I am currently using Mozilla and it is asking me to upgrade, should I?

If I am to upgrade to the latest Mozilla should I delete the old one first?
Mozilla is a safer browser than Internet Explorer. Not sure about Chrome. You can just download the updates and it will install over itself and it will save all your settings.

* Click START then RUN - Vista users press the Windows Key and the R keys together for the Run box.
* Now type Combofix /uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.
*******************************
Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
******************************************
Use the Secunia Software Inspector to check for out of date software.

•Click Start Now
•Check the box next to Enable thorough system inspection.
•Click Start
•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security add-on for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. It also stops certain cookies from being added to your computer when running Mozilla-based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing! ;D

Windows 8 and Windows 10 dual boot with two SSD's

luca

    Topic Starter


    Rookie

    • Experience: Beginner
    • OS: Unknown
    Re: Tidserv
    « Reply #31 on: November 18, 2010, 06:46:09 AM »
    Thanks for all your help!!

    Just wondering, do I keep Symantec Endpoint with all the programs that I downloaded like Malwarebytes, SUPERAntiSpyware, Spybot, SpywareBlaster and HijackThis? Can you run all these programs at the same time?


    Thanks again!!!

    SuperDave
    « Reply #32 on: November 18, 2010, 12:16:50 PM »
    Quote
    Just wondering, do I keep Symantec Endpoint with all the programs that I downloaded like Malwarebytes, SUPERAntiSpyware, Spybot, SpywareBlaster and HijackThis? Can you run all these programs at the same time?
    You can uninstall HiJackThis. We won't need it anymore. You may keep SAS, MBAM and Spybot. Keep them updated and run the scans every so often to keep your computer clean and for peace of mind. SpywareBlaster can be uninstalled but it won't hurt to keep it running.


      luca
      « Reply #33 on: November 19, 2010, 10:04:59 AM »
      Hey SuperDave,

      What about TDSSKiller, should it still be on my system?

      Also will there be any problems when I run Symantec Endpoint at the same time as all these other programs in my system?

      Sorry, just want to make sure because from what I heard, running more than one system will cause your system to crash? Is this true?? The systems conflict with each other??? Remember I'm a rookie. Ha Ha

      Thanks again. :D

      SuperDave
      « Reply #34 on: November 19, 2010, 10:40:54 AM »
      Quote
      What about TDSSKiller, should it still be on my system?
      Ok. Please delete it.

      Quote
      Also will there be any problems when I run Symantec Endpoint at the same time as all these other programs in my system?

      Sorry, just want to make sure because from what I heard, running more than one system will cause your system to crash? Is this true?? The systems conflict with each other??? Remember I'm a rookie. Ha Ha

      No. The only things you should have only one of are your Anti-Virus and your Firewall. I run at least 4 malware programs on my computer with no problem.
      You can try running this tool to check to see what's running at start-up. Also, read the link I mentioned earlier in my closing speech about Slow computer for maintenance you can do to improve performance.
      StartupLite

      Download StartupLite by MalwareBytes to your Desktop.
      Double-click StartupLite.exe to launch the program.
      Ensure the Disable box is checked.
      Click Continue.
      A pop-up message will tell you the unnecessary startup items in your list have been disabled and ask you to restart your computer.
      Restart your computer.

        luca
        « Reply #35 on: November 22, 2010, 03:26:36 PM »
        Do you think with this "Tidserv" virus that any of my passwords have been compromised?? Or was it strictly hijacking web searches and web pages?

        Thanks again for all your help in ridding my computer of this problem!!!

        SuperDave
        « Reply #36 on: November 22, 2010, 05:12:21 PM »
        Tidserv is known as a backdoor trojan but all the scans didn't reveal this infection. However, we did find and fix a rootkit infection.
        We cannot guarantee that your computer is 100% clean.
        While looking over this thread I realized that I had forgotten one important scan. I will also give you some information about rootkits and then the decision will be up to you on your course of action. If you don't use your computer for financial transactions it shouldn't bother you too much.


        I'd like to scan your machine with ESET OnlineScan

        •Hold down Control and click on the following link to open ESET OnlineScan in a new window.
        ESET OnlineScan
        •Click the button.
        •For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
        • Click on to download the ESET Smart Installer. Save it to your desktop.
        • Double click on the icon on your desktop.
        •Check
        •Click the button.
        •Accept any security warnings from your browser.
        •Check
        •Push the Start button.
        •ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
        •When the scan completes, push
        •Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
        •Push the button.
        •Push
        A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
        *****************************************
        It appears your system was infected with a rootkit. A rootkit is a powerful piece of malware that allows hackers full control over your computer for means of sending attacks over the Internet, or using your computer to generate revenue.

        Malware experts have recommended that we make it clear that with the system under control of a hacker, your computer might become impossible to clean 100%.

        Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your antivirus and security tools to prevent detection and removal. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

         What danger is presented by rootkits?
         Rootkits and how to combat them
         r00tkit Analysis: What Is A Rootkit

        If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:
        How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
        What Should I Do If I've Become A Victim Of Identity Theft?
         Identity Theft Victims Guide - What to do
        It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
        When should I re-format? How should I reinstall?
        Help: I Got Hacked. Now What Do I Do?
        Help: I Got Hacked. Now What Do I Do? Part II
        Where to draw the line? When to recommend a format and reinstall?

        Guides for format and reinstall:

        how-to-reformat-and-reinstall-your-operating-system-the-easy-way

        However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
        If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

        Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.
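The hiding technique described in the reply above (APIs patched so that the rootkit's own files and registry keys never show up in listings) is exactly what cross-view anti-rootkit scanners look for: they compare what the normal, possibly hooked, enumeration API returns with what a direct parse of the disk or registry hive contains. The following is an added Python illustration of that comparison, not code from this thread or from any of the tools mentioned in it; the listings and the "hidden_example_*" names are constructed placeholders, and the hook is simulated as a simple filter over the raw listing.

```python
"""Cross-view detection of files and registry keys hidden by API hooking.

A rootkit that hooks enumeration APIs filters its own objects out of the
results. Anti-rootkit scanners compare the "API view" (normal, possibly
hooked interface) with a "raw view" (direct parse of the volume or hive):
present in raw but not API = hidden; present in API but not raw = phantom.
"""
from dataclasses import dataclass, field

# Constructed sample data standing in for a raw on-disk listing; the
# "hidden_example_*" names are placeholders, not real malware artefacts.
RAW_FILES = [
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\Windows\System32\drivers\tcpip.sys",
    r"C:\Windows\System32\drivers\hidden_example_driver.sys",
    r"C:\Windows\System32\kernel32.dll",
]
RAW_SERVICES = [
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Ntfs",
    r"HKLM\SYSTEM\CurrentControlSet\Services\hidden_example_svc",
]
HIDE_MARKER = "hidden_example_"  # what the simulated hook conceals


def hooked_enumerate(raw_view):
    """Simulate a hooked enumeration API: the raw listing minus every entry
    the hook is configured to conceal. This is what any program that calls
    the API (Explorer, regedit, a naive scanner) gets to see."""
    return [e for e in raw_view if HIDE_MARKER not in e.lower()]


@dataclass
class CrossViewResult:
    hidden: list = field(default_factory=list)   # in raw view only
    phantom: list = field(default_factory=list)  # in API view only


def cross_view_diff(api_view, raw_view):
    """Compare two enumerations of one namespace case-insensitively
    (Windows paths and key names are) and report the discrepancies."""
    api = {e.lower(): e for e in api_view}
    raw = {e.lower(): e for e in raw_view}
    return CrossViewResult(
        hidden=sorted(raw[k] for k in raw.keys() - api.keys()),
        phantom=sorted(api[k] for k in api.keys() - raw.keys()),
    )


def scan(raw_files=RAW_FILES, raw_services=RAW_SERVICES):
    """Run the comparison over both namespaces; the API view is produced by
    the simulated hook, so each result should show one hidden object."""
    return {
        "files": cross_view_diff(hooked_enumerate(raw_files), raw_files),
        "services": cross_view_diff(hooked_enumerate(raw_services), raw_services),
    }


if __name__ == "__main__":
    for name, result in scan().items():
        print(f"{name}: hidden={result.hidden} phantom={result.phantom}")
```

A real scanner obtains the raw view by reading the NTFS structures or the hive file itself rather than from a constructed list, which is why running several independent tools, as the thread advises, improves the odds that at least one of them is not blinded by the same hook.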

          luca
          « Reply #37 on: November 23, 2010, 08:47:51 AM »
          The scan ran for about 25 minutes and found no threats (0 threats). The following is the log from ESET:

          ESETSmartInstaller@High as downloader log:
          all ok
          # version=7
          # OnlineScannerApp.exe=1.0.0.1
          # OnlineScanner.ocx=1.0.0.6211
          # api_version=3.0.2
          # EOSSerial=9dd46370711cd64da8d35ff45b4f10f7
          # end=finished
          # remove_checked=false
          # archives_checked=true
          # unwanted_checked=true
          # unsafe_checked=false
          # antistealth_checked=true
          # utc_time=2010-11-23 03:22:10
          # local_time=2010-11-23 10:22:10 (-0500, Eastern Standard Time)
          # country="Canada"
          # lang=1033
          # osver=5.1.2600 NT Service Pack 3
          # compatibility_mode=512 16777215 100 0 1314078 1314078 0 0
          # compatibility_mode=8192 67108863 100 0 0 0 0 0
          # scanned=48118
          # found=0
          # cleaned=0
          # scan_time=2934

          Upon completion ESET asked if I wanted to remove the program when finished and I opted yes, remove it.

          Just to keep you up to speed, the computer is running very well with no problems since you fixed the rootkit issue. I have used the computer in the past (very sparingly) to do banking, but have not done anything in the past 3 months or so. The problems with Tidserv started about a month and a half or so ago, so nothing was done on the computer (financial) while "Tidserv" was detected.


          SuperDave
          « Reply #38 on: November 23, 2010, 04:47:39 PM »
          As I mentioned before, the decision is yours to make. If you don't feel comfortable doing financial transactions or other personal business then you should back up whatever important documents, files and pictures and reformat. My laptop was hit with a rootkit a few days after I purchased it and I still won't conduct financial business on it. Plus, I'm not too happy with Vista. ;D

            luca
            « Reply #39 on: November 24, 2010, 06:26:01 AM »
            I appreciate all your guidance and advice!! I have read a lot of the links you have attached in a previous thread about rootkits and malware. I did a search in the virus and malware database but didn't find "Tidserv Backdoor". Do you have any info on it? Is it high risk, low risk?

            Also in my reading it says that a lot of these rootkit issues are undetectable. Does that mean that a computer can have these issues and never even get a warning that something is wrong? In my case the Symantec Endpoint was constantly giving me a popup warning that "Tidserv" was detected.

            You also directed me to Panda Security website for reading about rootkits and they have a tool called "Panda Anti-Rootkit"  Is this worth running?

            Again thanks for your direction !!!

            SuperDave
            « Reply #40 on: November 24, 2010, 01:26:23 PM »
            Quote
            Do you have any info on it? Is it high risk, low risk?
            You can find some info here.

            Quote
            does that mean that a computer can have these issues and never even get a warning that something is wrong?
            The most difficult thing about rootkits is their ability to hide themselves. That's why we have to run so many tools/scans to find them.

            Quote
            Is this worth running?
            Yes, by all means. Download it and run it. Most major AV companies have their own rootkit scanner.

              luca
              « Reply #41 on: November 25, 2010, 06:28:00 AM »
              Thanks again for all your help! I have read the article from Symantec about Tidserv, very informative. In one of the articles from Symantec it states the following:

              Response
              A removal tool is available to clean infections of Backdoor.Tidserv.

              The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

              1. Disable System Restore (Windows Me/XP).
              2. Update the virus definitions.
              3. Run a full system scan.
              4. Delete any values added to the registry.

              When I went into My Computer and System Restore I noticed my System Restore was already disabled?? Should this be changed back to enable restore?

              When it says delete any values added to the registry, where would I find that info? Will Symantec tell me if there are any values added?

              SuperDave
              « Reply #42 on: November 25, 2010, 01:20:00 PM »
              Quote
              Disable System Restore (Windows Me/XP).
              I would never ask a user to disable their System Restore. An infected Restore Point is better than no Restore Point.

              Quote
              Should this be changed back to enable restore?
              Yes.

              Quote
              When it says delete any values added to the registry, where would i find that info?
              Only an expert should mess around in the registry. You could turn your computer into a doorstop.

                luca
                « Reply #43 on: November 26, 2010, 06:00:54 AM »
                Thanks, I will set my computer to have restore enabled. I don't ever remember disabling it??? Could it have been the "Tidserv" malware doing this??

                  luca
                  « Reply #44 on: November 26, 2010, 06:15:15 AM »
                  Also I was thinking, could it have been EvilFantasy that turned System Restore off while doing one of his processes?? Also he installed something so that when I first turn on my computer I get a black screen for only about 3-5 seconds that has different options on it to help me in case there are issues (I believe this is for if the computer has issues I can debug, start in safe mode, reboot etc.)

                  Thanks again to yourself and EvilFantasy for all your help!!