
Question about Virus/Trojan removal


5 replies to this topic

#1 ComputerChallenged1

ComputerChallenged1

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:57 PM

Posted 10 September 2010 - 02:21 PM

Hi all. I currently have my computer in the shop because I kept getting a notice from Norton that it had blocked an attempt on my computer and when I clicked on the link it was Tidserv and Tidserv 2 request. The people at the shop said they removed close to 100 of spyware and said they fixed my problem. When I got it home last night, the same thing keeps happening. It also redirects me to different websites after I click on a link. I explained this to the people who are "fixing" my computer today and even showed them how I can do a basic search such as Yahoo or Google and the box pops up with the attack message. They told me it's just Norton doing its job. :thumbsup: I told them that this is NOT normal activity and would they please check it again. They weren't too pleased with me and I have a feeling they are not going to be able to fix it for me. Should I take it to another shop? I just paid $175.00 and if they can't fix it I'll dispute the charges on my credit card as after reading the boards here it seems fixable. lol Thanks for any advice. I miss my computer.


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,109 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:08:57 PM

Posted 10 September 2010 - 03:04 PM

Hello,

You have a bad rootkit aboard which will require specialized tools to remove. Please follow the instructions in ==>This Guide<==. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.



#3 ComputerChallenged1

ComputerChallenged1
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:57 PM

Posted 10 September 2010 - 03:19 PM

Thanks. When I get my computer back and if I'm still having problems, I'll post what is required. Thanks again.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,069 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:57 PM

Posted 10 September 2010 - 04:00 PM

The identified infection (Backdoor.Tidserv) is related to a nasty variant of the TDSS/TDL3 rootkit.

TDL3 is the third generation of TDSS which uses rootkit technology to hide itself on a system by infecting drivers like atapi.sys, iastor.sys and others. Atapi.sys is a common target for this rootkit because it loads early during the boot process and is difficult to detect. Common symptoms/signs of this infection include:
  • Google search results redirected as TDL3 modifies DNS query results.
  • Infected (patched) files like atapi.sys, iastor.sys and others in the Windows drivers folder.
  • Slowness of the computer and poor performance.
  • Multiple instances of IEXPLORE.exe in Task Manager.
  • Internet Explorer opens on its own.
  • BSODs that occur immediately after splash screen appears.
For more specific analysis and explanation of the infection, please refer to: TDL3: The Rootkit of All Evil?

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised and change all passwords from a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.

Although the infection has been identified and may be removed, your machine has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#5 ComputerChallenged1

ComputerChallenged1
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:57 PM

Posted 11 September 2010 - 04:16 PM

WOW!!! I just changed all my passwords except for one in MSN because I can't easily find how to do that at this moment. I'll call my credit card company and bank as well. So far, there has been no unusual activity on either of those accounts. So basically I should start from scratch?? What happens to the pictures I have on there now, I would assume those are not safe to take off. I bought an external hard drive but I don't want to take the chance of reinfecting my computer or infecting another one as well. We have Turbo Tax on there as well. This sucks but thank goodness for my bleepingcomputer.com and all the help you guys offer otherwise, I'd be even more lost than I already am.

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,069 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:57 PM

Posted 11 September 2010 - 04:31 PM

There are no guarantees or shortcuts when it comes to malware removal, especially when dealing with backdoor Trojans, Botnets, IRCBots or rootkit components that can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Infections will vary and some will cause more harm to your system than others as a result of it having the ability to download more malicious files. Security tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could lose access to your data.

Your decision as to what action to take should be made by reading and asking yourself the questions presented in the "When should I re-format?" and "...Now What Do I Do?" links I previously provided. As I already said, in some instances an infection may have caused so much damage to your system that it cannot be completely cleaned. In some instances an infection may leave so many remnants behind that security tools cannot find them so the system cannot be completely repaired or trusted. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore with a vendor-specific Recovery Disk or Recovery Partition removes everything and is the safest action but I cannot make that decision for you.

Should you decide not to reformat, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful.

Should you decide to reformat and do a clean install or do a factory restore due to malware infection, you can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml ) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge) so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external usb hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk. Again, do not back up any files with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
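As an added example (not code from this thread, from quietman7, or from any BleepingComputer tool), here is a small Python script that applies the backup rules in the post above to a folder before it is burned to CD/DVD: it flags the extensions he lists as unsafe to copy, catches the double-extension disguise he describes (a file Windows shows as `photo.jpg` that is really `photo.jpg.exe`, even with padding spaces before the real extension), and opens `.zip` archives to look for executables inside. The `.cab` and `.rar` formats cannot be opened with the standard library, so the script simply holds them back. The extension sets, the function names and the sample folder built by `build_sample_tree()` are assumptions constructed for this example.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Extensions the post says not to back up (.ini covers autorun-style files).
RISKY_EXTENSIONS = {".exe", ".scr", ".ini", ".htm", ".html", ".php", ".asp", ".xml"}
# Compressed formats the post warns about; only .zip is readable with the standard library.
ARCHIVE_EXTENSIONS = {".zip", ".cab", ".rar"}
# Extensions a home user expects for personal data; used to spot "photo.jpg.exe" disguises.
# Assumption: this list is illustrative, not from the post.
DATA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".doc", ".docx",
                   ".xls", ".xlsx", ".pdf", ".txt", ".mp3", ".avi"}


def classify_name(name):
    """Return a reason to hold a file back from the backup, or None if the name looks safe.

    Suffixes are stripped of whitespace so "report.pdf      .exe" is treated as .pdf + .exe.
    """
    suffixes = [s.strip().lower() for s in Path(name).suffixes]
    if not suffixes:
        return None
    last = suffixes[-1]
    if last in RISKY_EXTENSIONS:
        if len(suffixes) >= 2 and suffixes[-2] in DATA_EXTENSIONS:
            return f"executable disguised as {suffixes[-2]} ({last})"
        return f"risky extension {last}"
    if last in ARCHIVE_EXTENSIONS:
        return f"archive {last}: inspect contents"
    return None


def classify_zip(path):
    """Open a .zip and report any member whose name would itself be held back."""
    try:
        with zipfile.ZipFile(path) as zf:
            bad = [m for m in zf.namelist() if classify_name(m)]
    except zipfile.BadZipFile:
        return "archive .zip: unreadable, hold back"
    return f"archive .zip: contains {', '.join(bad)}" if bad else None


def scan_backup_source(root):
    """Walk root and map each relative path that should NOT be copied to the reason why."""
    root = Path(root)
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = Path(dirpath) / fn
            reason = classify_name(fn)
            if reason and reason.startswith("archive"):
                if path.suffix.lower() == ".zip":
                    reason = classify_zip(path)  # None if every member looks safe
                else:
                    reason = f"archive {path.suffix.lower()}: cannot inspect, hold back"
            if reason:
                findings[str(path.relative_to(root))] = reason
    return findings


def build_sample_tree():
    """Create a constructed sample 'My Documents' folder in a temp dir and return its path.

    The file contents are placeholders (a JPEG header, an 'MZ' prefix), not real programs.
    """
    root = Path(tempfile.mkdtemp(prefix="backup-triage-"))
    (root / "vacation.jpg").write_bytes(b"\xff\xd8\xff")
    (root / "notes.txt").write_text("grocery list")
    (root / "setup.exe").write_bytes(b"MZ")
    (root / "holiday.jpg.exe").write_bytes(b"MZ")      # the disguise the post warns about
    (root / "old.rar").write_bytes(b"Rar!")
    with zipfile.ZipFile(root / "photos.zip", "w") as zf:
        zf.writestr("a.jpg", b"\xff\xd8\xff")
        zf.writestr("b.exe", b"MZ")                     # executable hiding in an archive
    with zipfile.ZipFile(root / "docs.zip", "w") as zf:
        zf.writestr("c.txt", "harmless")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, why in sorted(scan_backup_source(sample).items()):
        print(f"HOLD BACK  {rel:20s}  {why}")
```

Run it as-is to see the four flagged entries from the constructed sample, or point `scan_backup_source()` at the real folder you intend to burn; anything it prints stays off the disc, and everything else still gets scanned with an up-to-date anti-virus before being copied back, as the post advises.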
