My computer infected with Backdoor.tidserv

Hi bleepingcomputer folk. Yesterday I began to receive alerts from Symantec Antivirus saying I was infected with "Backdoor.tidserv". I ran malwarebytes anti-malware quick scan, it had infected files, cleaned them up.. Then I ran malwarebytes full scan, had 1 infected file and it cleaned it up.... I Then ran symantec antivirus auto-protect. This continually alerted me that I still had an infected file in my temporary internet files, one file that I could not delete, nor that malwarebytes could detect as infected entitled "UAC47FF.tmp"....

I am running another quick scan with malwarebytes and here are the results:

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

7/29/2009 12:48:36 PM
mbam-log-2009-07-29 (12-48-36).txt

Scan type: Quick Scan
Objects scanned: 94560
Time elapsed: 6 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





PLEASE HELP! THANK YOU THANK YOUU!!! I'm just a little girl in college trying to study for my MCAT's and these pop-ups are REALLY distracting!

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rookit User Manual and Release Notes.

• Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
• Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
• A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
• Make sure the following are checked:
  • Running processes
  • Windows Registry
  • Local Hard Drives
• Click Start scan.
• Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
• When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
• Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
  • Files tagged as Removable: No are not marked for removal and cannot be removed.
  • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
  • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
• Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
• A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
• After reboot, a dialog box displays the files you selected for removal and the action taken.
• Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
• When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
• This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.

Important: Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.

• Disconnect from the Internet or physically unplug you Internet cable connection.
• Clean out your temporary files.
• Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
• Temporarily disable your anti-virus and real-time anti-spyware protection.
• After starting the scan, do not use the computer until the scan has completed.
• When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Note: Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernal/SSDT in order to protect your system. SSDT (System Service Descriptor Table) is a table that stores addresses of functions that are used by Windows. Both Legitimate programs and rootkits can hook into and alter this table. You should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

ok, i ran the program, but all the infected files that came back were "removable: yes(but clean up not recommended). Here is the log:


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 7/29/2009 at 13:40:05 PM
User "Valerie" on computer "VALERIEUM"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Documents and Settings\Valerie\Local Settings\Temp\nsmcxrewoa.tmp
Hidden: file C:\WINDOWS\Temp\UAC47ff.tmp
Hidden: file C:\Documents and Settings\Valerie\Local Settings\Temp\E_N4\krnln.fnr
Hidden: file C:\Documents and Settings\Valerie\Local Settings\Temp\E_N4\HtmlView.fne
Hidden: file C:\dell\drivers\R127811\Drivers\w29NCPA.DLL
Hidden: file C:\Documents and Settings\Valerie\Local Settings\Temp\E_N4\eAPI.fne
Hidden: file C:\Documents and Settings\Valerie\Local Settings\Temporary Internet Files\Content.IE5\PNKJNKD8\P;t=R;abr=!webtv;pos=BAR;sz=300x250;tile=1;!c=Companion;!c=LS;!c=LSV;!c=LSL;!c=LSSL;!c=LH;!c=LHL;!c=LB;!c=LBHL;!c=LBTN;!c=SV;!c=S2L2;!c=BL;!c=HL;uri=default[1].htm
Hidden: file C:\Documents and Settings\Valerie\Local Settings\Temporary Internet Files\Content.IE5\P8WYSIEH\iness;adlocation=site_below_header;campaign=;page=category;kw=blinkx;pid=12;sz=728x90,728x91;dclu5=24c3e723ed561fa;source=site;t=1;tile=1;ord=230862591900251[1].03
Hidden: file C:\Documents and Settings\Valerie\Local Settings\Temporary Internet Files\Content.IE5\TZM0B6IS\ness;adlocation=site_below_player;campaign=;page=category;kw=blinkx;pid=12;sz=468x62,300x251;dclu5=24c3e723ed561fa;source=site;t=1;tile=2;ord=230862591900251[1].03
Hidden: file C:\Documents and Settings\Valerie\Local Settings\Temporary Internet Files\Content.IE5\NV4L0G7N\news;adlocation=site_below_player;campaign=;page=category;kw=blinkx;pid=10;sz=468x62,300x251;dclu5=924e6ac76b2ec6b;source=site;t=1;tile=2;ord=4714381409977887[1]
Hidden: file C:\Documents and Settings\Valerie\Local Settings\Temporary Internet Files\Content.IE5\JFCYX16N\ComboFix[1].exe
Hidden: file C:\Documents and Settings\Valerie\Local Settings\Temporary Internet Files\Content.IE5\PNKJNKD8\business;adlocation=site_above_results;campaign=;page=category;kw=blinkx;pid=12;sz=300x250;dclu5=24c3e723ed561fa;source=site;t=1;tile=3;ord=230862591900251[1].03
Hidden: file C:\Documents and Settings\Valerie\Local Settings\Temp\UACa493.tmp
Hidden: file C:\Documents and Settings\Valerie\Application Data\Move Networks\ie_bin\qsp2ie071303000006.dll
Hidden: file C:\Documents and Settings\Valerie\Application Data\Mozilla\Firefox\Profiles\wpx3cut6.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
Info: Starting disk scan of D: (NTFS).
Stopped logging on 7/29/2009 at 14:22:48 PM


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 7/29/2009 at 14:24:32 PM
User "Valerie" on computer "VALERIEUM"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).

Please download TFC by Old Timer and save it to your desktop.
alternate download link

• Save any unsaved work. TFC will close ALL open programs including your browser!
• Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
• Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
• Important! If TFC prompts you to reboot, please do so immediately.

Please download OTM by OldTimer and save to your Desktop.

• Double-click on OTM.exe to launch the program. (If using Windows Vista, be sure to Run As Administrator)
• Copy the file(s)/folder(s) paths listed below - highlight everything in the code box and press CTRL+C or right-click and choose Copy.

:Processes
explorer.exe

:Files
C:\Documents and Settings\Valerie\Local Settings\Temp\nsmcxrewoa.tmp
C:\WINDOWS\Temp\UAC47ff.tmp
C:\Documents and Settings\Valerie\Local Settings\Temp\E_N4\krnln.fnr
C:\Documents and Settings\Valerie\Local Settings\Temp\E_N4\HtmlView.fne
C:\Documents and Settings\Valerie\Local Settings\Temp\E_N4\eAPI.fne
C:\Documents and Settings\Valerie\Local Settings\Temp\UACa493.tmp

:Commands
[emptytemp]
[start explorer]
[Reboot]

• Return to OTM, right-click in the open text box labeled "Paste Instructions for Items to be Moved" (under the yellow bar) and choose Paste.
• Click the red MoveIt! button.
• The list will be processed and the results will be displayed in the right-hand pane.
• Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
• Click Exit when done.
• A log of the results is automatically created and saved to C:\_OTM\MovedFiles \mmddyyyy_hhmmss.log <- the date/time the tool was run.

-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. After the reboot, open Notepad, click File > Open, in the File Name box type *.log and press the Enter key. Navigate to the C:\_OTM\MovedFiles folder, open the newest .log file and copy/paste the contents in your next reply. If not asked, reboot anyway.

Caution: Be careful of what you copy and paste with this tool. OTM is a powerful program, designed to move highly persistent files and folders and is intended by the developer to be used under the guidance and supervision of a trained malware removal expert.

Edited by quietman7, 29 July 2009 - 01:59 PM.

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
File/Folder C:\Documents and Settings\Valerie\Local Settings\Temp\nsmcxrewoa.tmp not found.
File/Folder C:\WINDOWS\Temp\UAC47ff.tmp not found.
File/Folder C:\Documents and Settings\Valerie\Local Settings\Temp\E_N4\krnln.fnr not found.
File/Folder C:\Documents and Settings\Valerie\Local Settings\Temp\E_N4\HtmlView.fne not found.
File/Folder C:\Documents and Settings\Valerie\Local Settings\Temp\E_N4\eAPI.fne not found.
File/Folder C:\Documents and Settings\Valerie\Local Settings\Temp\UACa493.tmp not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Valerie
->Temp folder emptied: 813 bytes
->Temporary Internet Files folder emptied: 1114029 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 664 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1.10 mb


OTM by OldTimer - Version 3.0.0.5 log created on 07292009_150738

Files moved on Reboot...

Registry entries deleted on Reboot...

Looks like TFC found and removed the files without problem as OTM didn't find anything.

How is your computer running now? Are there any more reports/alerts, signs of infection or issues with your browser?

Well, symantec anti-virus keeps on popping up wiht results again, saying they acted on so-and-so file, and that the comp must reboot again to complete remediation tasks.... Then when I reboot, symantec pops up again saying the remediation taks could not be completed... I am running malwarebytes quick scan again and here are the results:


Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

7/29/2009 3:41:50 PM
mbam-log-2009-07-29 (15-41-50).txt

Scan type: Quick Scan
Objects scanned: 92627
Time elapsed: 5 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Also, Everytime I log on to the computer, a warning about dsca.exe keeps popping up. This only just started happening yesterday, when my computer got infected... Any way this can be eliminated? Thanks so much for all the help!

Everytime I log on to the computer, a warning about dsca.exe keeps popping up.

What does the warning say? dsca.exe is related to Dell Support. See here.

symantec anti-virus keeps on popping up wiht results again, saying they acted on so-and-so file

That doesn't provide any information which I can use to help you. Did your anti-virus provide a specific file name associated with this malware threat(s) and if so, where is it located (full file path) at on your system?

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer.