tidserv backdoor rouge virus on netbook

shaun

I have recently had problems connecting to the internet, using backup recovery,
system restore and enabling my Norton anti-virus software. Eventually I got
my Norton Internet Security connected to the internet and managed to download
updates and run a scan in safe mode.
The scan reported the following risks:
gasfkymlijaoaq.dll (Backdoor.Tidserv)
C:\documents and settings\username\desktop\casino.url
C:\recycled\boot.com
C:\windows\system32\dll.dll

Norton's actions were to fix the C drive issues and restart the PC to resolve
the backdoor virus.
Once the PC had restarted, all security issues seemed resolved and healthy.
But when running a full scan again, all risks were reinstated.

What's the best way of removing the tidserv backdoor rouge virus?

regards
shaun
 
From: "shaun" <[email protected]>

| I have recently had problems connecting to the internet, using backup recovery,
| system restore and enabling my Norton anti-virus software. Eventually I got
| my Norton Internet Security connected to the internet and managed to download
| updates and run a scan in safe mode.
| The scan reported the following risks:
| gasfkymlijaoaq.dll (Backdoor.Tidserv)
| C:\documents and settings\username\desktop\casino.url
| C:\recycled\boot.com
| C:\windows\system32\dll.dll

| Norton's actions were to fix the C drive issues and restart the PC to resolve
| the backdoor virus.
| Once the PC had restarted, all security issues seemed resolved and healthy.
| But when running a full scan again, all risks were reinstated.

| What's the best way of removing the tidserv backdoor rouge virus?

| regards
| shaun

It is not a virus. It is a trojan Rootkit.

It is not rouge, it is a "rogue" :-)

Scan with Gmer anti RootKit - http://www.gmer.net/#files

and back it up with Malwarebytes' Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe
 
Thanks David for that information.
What and why am I backing it up with Malwarebytes' Anti-Malware?
regards
shaun
 
hi David

I have just scanned using Gmer anti RootKit and no hidden files have been
identified.
I had previously removed parts of the Personal Antivirus rogue software from
my notebook and am wondering whether this is hiding files.
regards
shaun
 
From: "shaun" <[email protected]>

| hi David

| I have just scanned using Gmer anti RootKit and no hidden files have been
| identified.
| I had previously removed parts of the Personal Antivirus rogue software from
| my notebook and am wondering whether this is hiding files.
| regards
| shaun


Did you run MBAM like I suggested ?
 
Yes I did run MBAM like you suggested, but no hidden files appeared in the report
list. I have run the Norton antivirus scan again and the Tidserv high security
risk has been cleared though, so something good is happening.
All that seems to be remaining now is 4 cookies which are removed after the
Norton scan, but reappear after netbook restart.

(e-mail address removed)/ - not detected
(e-mail address removed)-sys.com/ - not detected
(e-mail address removed)/ - not detected
Orphan cookie cleanup - removed

Are these cookies a serious threat?

regards and many thanks

shaun
 
From: "shaun" <[email protected]>

| Yes I did run MBAM like you suggested, but no hidden files appeared in the report
| list. I have run the Norton antivirus scan again and the Tidserv high security
| risk has been cleared though, so something good is happening.
| All that seems to be remaining now is 4 cookies which are removed after the
| Norton scan, but reappear after netbook restart.

| (e-mail address removed)/ - not detected
| (e-mail address removed)-sys.com/ - not detected
| (e-mail address removed)/ - not detected
| Orphan cookie cleanup - removed

| Are these cookies a serious threat?

| regards and many thanks

| shaun

No. They aren't.
 
http://www.cookiecentral.com/faq/#2.6

: Yes I did run MBAM like you suggested, but no hidden files appeared in the
: report list. I have run the Norton antivirus scan again and the Tidserv high
: security risk has been cleared though, so something good is happening.
: All that seems to be remaining now is 4 cookies which are removed after the
: Norton scan, but reappear after netbook restart.
:
: (e-mail address removed)/ - not detected
: (e-mail address removed)-sys.com/ - not detected
: (e-mail address removed)/ - not detected
: Orphan cookie cleanup - removed
:
: Are these cookies a serious threat?
:
: regards and many thanks
:
: shaun
:
: "David H. Lipman" wrote:
:
: > From: "shaun" <[email protected]>
: >
: > | hi David
: >
: > | I have just scanned using Gmer anti RootKit and no hidden files have been
: > | identified.
: > | I had previously removed parts of the Personal Antivirus rogue software
: > | from my notebook and am wondering whether this is hiding files.
: > | regards
: > | shaun
: >
: >
: > Did you run MBAM like I suggested ?
: >
: > >> and back it up with Malwarebytes' Anti-Malware
: > >> http://www.malwarebytes.org/mbam/program/mbam-setup.exe
: >
: >
: >
: > --
: > Dave
: > http://www.claymania.com/removal-trojan-adware.html
: > Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
: >
: >
: >
 
Don't overlook the possibility that this might be a false alarm. If you can
identify a suspect file, upload this to http://virustotal.com for
verification.

If you do have a rootkit then you need to disinfect from a bootable CD such
as http://www.ubcd4win.com/ as attempting to do so with the rootkit active
may not succeed.

Malwarebytes is probably the best disinfector. Sysinternals' RootkitRevealer
is also useful.

Oh, and let this be a salutary lesson on what happens if you place your
trust in a preinstalled 'forced sale' antivirus to protect your computer.

Avira, AVG, Eset all work well, as do most other reputable products.

The two to avoid are the ones which you find aggressively demanding
registration the moment you turn your new computer on. They got there not
because they are any good, but because the system-builder was paid to put
them there.
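The advice in the last two posts (scan from a trusted view, because a live rootkit hides its files from whatever runs inside the infected OS) is what GMER and RootkitRevealer automate by comparing a live directory listing with a trusted one. This added example is not from the thread or from any of those tools; it shows that cross-view diff in Python over constructed file inventories, and the folder it assumes for gasfkymlijaoaq.dll is not given anywhere in the thread.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    """One file as seen by one view: its path and the SHA-256 of its content."""
    path: str
    sha256: str

def normalise(path: str) -> str:
    """Fold case and separators so the two views compare path-for-path."""
    return path.replace("/", "\\").rstrip("\\").lower()

def sha256_hex(data: bytes) -> str:
    """Digest to quote when submitting a suspect file to VirusTotal."""
    return hashlib.sha256(data).hexdigest()

def cross_view_diff(live, offline):
    """Compare the live (in-OS) view against the trusted offline view.
    Returns (hidden, changed): hidden = paths the offline view has but the
    live view never listed, the classic sign of a file-hiding rootkit;
    changed = paths in both views whose content differs, which a rootkit
    filtering reads can cause. Files that legitimately change between the
    two snapshots (logs, caches) also land in 'changed', so review it."""
    live_map = {normalise(e.path): e.sha256 for e in live}
    offline_map = {normalise(e.path): e.sha256 for e in offline}
    hidden = sorted(p for p in offline_map if p not in live_map)
    changed = sorted(p for p in offline_map
                     if p in live_map and live_map[p] != offline_map[p])
    return hidden, changed

# Constructed sample inventories. The file names come from the thread; the
# folder for gasfkymlijaoaq.dll and every hash are made up for the example.
OFFLINE_VIEW = [
    Entry(r"C:\WINDOWS\system32\kernel32.dll", sha256_hex(b"kernel32")),
    Entry(r"C:\WINDOWS\system32\dll.dll", sha256_hex(b"dll.dll")),
    Entry(r"C:\RECYCLED\boot.com", sha256_hex(b"boot.com")),
    Entry(r"C:\WINDOWS\system32\gasfkymlijaoaq.dll", sha256_hex(b"tdss")),
]
LIVE_VIEW = [  # what a scanner running inside the infected OS gets to see
    Entry(r"c:/windows/system32/kernel32.dll", sha256_hex(b"kernel32")),
    Entry(r"c:/windows/system32/dll.dll", sha256_hex(b"dll.dll")),
    Entry(r"c:/recycled/boot.com", sha256_hex(b"sanitised copy")),
]

def run_sample():
    """Diff the constructed views; the hidden DLL only shows up offline."""
    return cross_view_diff(LIVE_VIEW, OFFLINE_VIEW)

if __name__ == "__main__":
    print(run_sample())
```

A real run would build the offline inventory from the disk mounted under the boot CD and the live one from inside Windows, then hash any path the live view omitted before uploading it for verification.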
 