Backdoor.Tidserv Removal

Solved/Closed
MullenB74 - Jul 7, 2010 at 09:51 PM
 MullenB74 - Jul 8, 2010 at 08:37 AM
Hello,

My PC seems to be infected w/ Backdoor.Tidserv. I am running Norton Security Suite and every 1/2 hour or so, I am alerted to this threat, which is blocked by Norton. How can I remove this from my system?
Thank you in advance for your help.

MullenB74



1 response

Ambucias (Moderator) - Jul 8, 2010 at 05:51 AM
Hello Mullin

Nice little rootkit you have here!:))

Please follow the instructions hereunder:


Set your cookies to high or block everything in the Internet options.
1. Right-click My Computer > Hardware > Device Manager.
2. In Device Manager, click View > Show hidden devices.
3. In Non-Plug and Play Drivers, disable TDSS.sys or related drivers.
4. Restart the computer.
5. Now run regedit and delete all TDSS-related entries. (If you are not able to delete some entries, right-click and grant yourself full access for the entry.)
6. Temporarily disable System Restore (Windows Me/XP).
7. Update the virus definitions.
8. Reboot the computer in Safe Mode.
9. Run a full system scan and clean/delete all infected file(s).
10. Delete any values added to the registry. (Some may not be present.)
Navigate to and delete the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\"build" = "standart"
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\"serversdown" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\"type" = "popup"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata\"affid" = "39"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata\"asubid" = "v2test7"

Navigate to and delete the following registry subkeys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSServ
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSServ.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSServ.sys
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\version
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\connections
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\injector

11. Exit Registry Editor.

12. Download, install and run Malwarebytes, which you can find on this site:

https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/

Ensure you make an update.

Please request a FULL system scan, which may take from 20 minutes to hours. Do not interfere no matter how long it takes. The creators of Malwarebytes recommend that while the tool is running you go do something else, such as watching a rerun of Gone with the Wind or reading Tolstoy's War and Peace.

If Malwarebytes restarts your system, launch it again to finish the full scan.

When the scan is completed, delete all items found.

Once your computer is clean and working normally, just to be on the safe side:
* Turn off System Restore and wait 30 seconds.
* Turn it back on and create a new restore point.

This way it gets rid of anything bad that might have gotten saved in a restore point and you have a clean restore point to use in the near future if needed.
Do not turn it off until your computer is clean and working normally because you might need to use it if something goes wrong during the clean-up process.
It is better to go back to an infected restore point if something goes wrong than to not be able to undo changes that were damaging.

Please let us know about the results of your cleaning work

Regards



6. Run Norton with Rootkit settings ON.
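To confirm that the registry entries listed in the reply above are gone after cleanup, the following added example (not part of the original thread and not code from any of the tools mentioned) scans the text of a regedit export for those values and subkeys. The function names and sample data are constructed for illustration, and matching ControlSet00N keys as well as CurrentControlSet is an assumption that goes beyond the list in the post.

```python
import re

# Indicators copied from the post above, lower-cased for case-insensitive matching.
HKLM = "hkey_local_machine\\"
TDSS_VALUES = {
    HKLM + r"software\tdss": {"build", "serversdown", "type"},
    HKLM + r"software\microsoft\windows nt\currentversion\tdssdata": {"affid", "asubid"},
}
TDSS_SUBKEYS = [HKLM + p for p in (
    r"system\currentcontrolset\services\tdsserv",
    r"system\currentcontrolset\control\safeboot\minimal\tdsserv.sys",
    r"system\currentcontrolset\control\safeboot\network\tdsserv.sys",
    r"software\tdss\version", r"software\tdss\connections",
    r"software\tdss\disallowed", r"software\tdss\injector",
)]
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")          # [HKEY_...] section header
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=')   # "name"=data line

def normalize(key):
    # Assumption: ControlSet001, ControlSet002, ... are treated like CurrentControlSet.
    return re.sub(r"\\controlset\d{3}(?=\\|$)", lambda m: "\\currentcontrolset", key.lower())

def find_tdss_remnants(reg_text):
    """Return (kind, key, value_name) tuples for every listed indicator still present."""
    findings, current, shown = [], None, None
    for line in map(str.strip, reg_text.splitlines()):
        k = KEY_RE.match(line)
        if k:
            shown = k.group(2)
            current = None if k.group(1) else normalize(shown)  # "[-key]" is a delete directive
            if current and any(current == s or current.startswith(s + "\\") for s in TDSS_SUBKEYS):
                findings.append(("subkey", shown, None))
            continue
        v = VAL_RE.match(line)
        if v and current in TDSS_VALUES and v.group(1).lower() in TDSS_VALUES[current]:
            findings.append(("value", shown, v.group(1)))
    return findings

# Constructed sample of regedit export text (not taken from a real machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\TDSS]
"build"="standart"
"type"="popup"
[HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\connections]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSServ]
"Start"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]'''

if __name__ == "__main__": print(*find_tdss_remnants(SAMPLE_EXPORT), sep="\n")
```

Files saved by regedit in the "Windows Registry Editor Version 5.00" format are UTF-16, so read a real export with `open(path, encoding="utf-16")` before passing its text to `find_tdss_remnants`. An empty result means none of the listed entries appear in that export.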
Dear Ambucias,

Thank you for your kind response. I have solved the rootkit problem through the use of TDSSKiller and ComboFix. I had posted my problem to your site and to another website dedicated to answering computer problems. I was up until 4AM fixing and cleaning, but the seriousness of this infection warranted an immediate action. I will surely recommend your website as a trusted site for fixing PC problems in the future.
Again, thank you for your response and interest in this problem.

Sincerely,

MullenB74