
are these effects of Backdoor.Tideserv?


10 replies to this topic

#1 typespirit (Members, 5 posts)

Posted 25 November 2008 - 04:40 PM

So yesterday I believe I got infected with Trojan Knowedel, AKA Backdoor.Tideserv.

When I try to click links through search engines, every link seems to direct me to a random site or advertisement site. This seems especially prominent with Google. Is this one of the effects of this virus?
I believe I caught the virus through a downloaded file from Mininova.org (I was downloading last night's One Tree Hill episode). It told me to install this decrypter (bad mistake on my part, I know) and I did, and that's when I think it got infected with Backdoor.Tideserv.

It also does not allow me to go on www.mininova.org for some reason; it says the page cannot be displayed, yet I asked my friends and they said the site is working fine.

I ran a scan on Norton; it detected Backdoor.Tideserv but it was "left alone". I am now running a Malwarebytes full system scan; I read somewhere it could be removed by Malwarebytes so I am testing my luck.

Any help would be appreciated.

#2 Budapest (Bleepin' Cynic, Moderator, 23,573 posts)

Posted 25 November 2008 - 04:52 PM

Post the Malwarebytes log when it's finished scanning.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 typespirit (Topic Starter, Members, 5 posts)

Posted 25 November 2008 - 05:23 PM

Malwarebytes' Anti-Malware 1.30
Database version: 1423
Windows 5.1.2600 Service Pack 2

25/11/2008 4:46:23 PM
mbam-log-2008-11-25 (16-46-18).txt

Scan type: Full Scan (C:\|)
Objects scanned: 203633
Time elapsed: 1 hour(s), 46 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\homeview (Trojan.DNSChanger) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger.H) -> Data: kdejs.exe -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{de72b7b5-3079-444c-9339-0692fe2c2b0d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.181;85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{de72b7b5-3079-444c-9339-0692fe2c2b0d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.181;85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{de72b7b5-3079-444c-9339-0692fe2c2b0d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.181;85.255.112.139 -> No action taken.

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> No action taken.

Files Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\Temp\tempo-13.tmp (Trojan.DNSChanger) -> No action taken.
C:\WINDOWS\Temp\tempo-45B.tmp (Trojan.DNSChanger) -> No action taken.
C:\WINDOWS\Temp\tempo-CF9.tmp (Trojan.DNSChanger) -> No action taken.





Where it says "No action taken", this is before I selected all of them and deleted them. They then asked me to reboot my computer, which I did. The search engine problem seems to be gone; I'm running another Norton scan on the infected folders from before to see if Backdoor.Tideserv is still there. Will update again.
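As an added example, not code from this thread or from Malwarebytes: a small Python parser for the MBAM 1.x log format shown above. It extracts each detection, cross-checks the summary counts against the items actually listed under each heading, and pulls the DNS resolver addresses out of the Trojan.DNSChanger NameServer entries so they can be compared against an allow-list of resolvers the machine is supposed to use. The embedded sample log is constructed from the entries posted above (abridged), and the allow-list address 192.168.1.1 is an assumption standing in for a home router.

```python
"""Parse an MBAM 1.x text log and flag DNS resolvers that are not on an allow-list.
Added example for this thread (not Malwarebytes code); the sample log is
constructed from the entries posted above, abridged to fit."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample, abridged from the log posted above (raw string: backslashes are literal).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.30
Database version: 1423
Windows 5.1.2600 Service Pack 2

Scan type: Full Scan (C:\|)
Objects scanned: 203633

Memory Processes Infected: 0
Registry Keys Infected: 3
Registry Data Items Infected: 5
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\homeview (Trojan.DNSChanger) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger.H) -> Data: kdejs.exe -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{de72b7b5-3079-444c-9339-0692fe2c2b0d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.181;85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{de72b7b5-3079-444c-9339-0692fe2c2b0d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.181;85.255.112.139 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{de72b7b5-3079-444c-9339-0692fe2c2b0d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.181;85.255.112.139 -> No action taken.

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> No action taken.

Files Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\Temp\tempo-13.tmp (Trojan.DNSChanger) -> No action taken.
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<path> (<classification>) -> [<data> -> ]<action>."
ITEM_RE = re.compile(
    r"^(?P<path>.*?) \((?P<classification>[^()]+)\) -> "
    r"(?:(?P<data>.*?) -> )?(?P<action>.*?)\.$"
)

# Assumed allow-list: the resolvers this machine should be using (constructed).
ALLOWED_RESOLVERS = {"192.168.1.1"}


def parse_mbam_log(text):
    """Return (summary_counts, detections) for an MBAM 1.x text log."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None  # a blank line ends a detail section
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m["section"]
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ITEM_RE.match(line)
        if m:  # unrecognised lines inside a section are ignored
            detections.append({"section": section, **m.groupdict()})
    return summary, detections


def summary_matches_items(summary, detections):
    """Cross-check: each summary count should equal the number of items listed under it."""
    per_section = defaultdict(int)
    for d in detections:
        per_section[d["section"]] += 1
    return {sec: count == per_section[sec] for sec, count in summary.items()}


def configured_dns_servers(detections):
    """Collect resolver IPs from every ...\\NameServer registry data item."""
    servers = set()
    for d in detections:
        if not d["path"].upper().endswith("\\NAMESERVER") or not d["data"]:
            continue
        value = d["data"].split("Data:", 1)[-1].strip()
        for token in re.split(r"[;, ]+", value):
            try:
                servers.add(str(ipaddress.ip_address(token)))
            except ValueError:
                pass  # not an IP literal; skip
    return servers


def rogue_dns_servers(servers, allowed):
    """Resolvers that are configured but not on the allow-list, sorted."""
    return sorted(s for s in servers if s not in allowed)


if __name__ == "__main__":
    summary, items = parse_mbam_log(SAMPLE_LOG)
    for sec, ok in summary_matches_items(summary, items).items():
        print(f"{sec}: {summary[sec]} reported, listing {'matches' if ok else 'DOES NOT match'}")
    for s in rogue_dns_servers(configured_dns_servers(items), ALLOWED_RESOLVERS):
        print("DNS resolver not on allow-list:", s)
```

Run it as a script to see the report; to use it on a real log, read the file into `parse_mbam_log` instead of `SAMPLE_LOG` and put your own router or corporate resolvers in `ALLOWED_RESOLVERS`. The NameServer check is the part worth keeping after the scanner has cleaned up: if the resolver addresses are still foreign after a reboot, every lookup the machine makes is still being answered by someone else.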

#4 Budapest (Bleepin' Cynic, Moderator, 23,573 posts)

Posted 25 November 2008 - 05:28 PM

Sometimes it can take more than one scan with Malwarebytes to remove everything. So run it again after you've finished the Norton scan.

#5 typespirit (Topic Starter, Members, 5 posts)

Posted 25 November 2008 - 05:32 PM

Budapest, thanks for replying to my post.

Can you tell from the log I posted if Malwarebytes managed to pick up Backdoor.Tideserv? When I looked at the log it gave me when it completed the scan, I did not see any "Tideserv" names, but I am hoping maybe they found it under a different name? I know this virus was also known as Trojan Knowedel and then Symantec also recognized it as Tideserv after the update. Any help would be appreciated.

#6 Budapest (Bleepin' Cynic, Moderator, 23,573 posts)

Posted 25 November 2008 - 05:48 PM

It's difficult to say as different scanners have different names for this sort of thing. But Rootkit.DNSChanger.H is, I believe, a similar sort of infection. Generally, Malwarebytes should find the tideserv infection if it is present.

#7 typespirit (Topic Starter, Members, 5 posts)

Posted 25 November 2008 - 05:55 PM

I used Norton to scan the affected folders, C:\windows\temp and C:\documents and settings\local settings\temp, and there are still the 2 Tideserv.inf under the filenames tmp24A.tmp and tmp247.tmp. Again Norton "left alone" the threats.

The good news is that the problem of the search engine directing me to random sites is now gone; I think thanks to Malwarebytes.

I am now running another scan with MBAM to see if it can pick up the Tideserv. I found it strange that it failed to pick it up the first time, but like you said, maybe it needs multiple runs to find all the threats.

Do you have any recommendations on what I should do if MBAM fails to pick up the virus?

#8 Budapest (Bleepin' Cynic, Moderator, 23,573 posts)

Posted 25 November 2008 - 06:05 PM

You could try cleaning out your temp files:

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

#9 typespirit (Topic Starter, Members, 5 posts)

Posted 25 November 2008 - 08:56 PM

For some reason my MBAM scans a whole lot slower. Does anyone know what's causing this? The first time when I installed it today it ran very fast and smooth, but this no longer seems to be the case.

#10 boopme (To Insanity and Beyond, Global Moderator, 72,740 posts, NJ USA)

Posted 26 November 2008 - 10:02 PM

Hello, would you please run part 1 of S!Ri's SmitfraudFix and post the results.

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#11 Spondy (Members, 3 posts)

Posted 29 November 2008 - 01:59 PM

I had the same thing. Great advice. I ran MBAM and ATF and they seemed to work for me. Once I get back to work I will see if the pop-ups are gone.
Great advice, and thank you very much for all the links and help.
Stupid viruses!!!!!



