Hi, I have somehow or other managed to get my machine infected with this Backdoor.Tidserv!inf. It was picked up by Norton, and the page that Norton sent me to is this one: http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2008-111113-1112-99&tabid=3 It has to be manually removed.
Thing is, it is for removal on ME/XP, and when I clicked on the link to the MS knowledge base it then sent me to the one for Vista, but that doesn't tell me how to get rid of it.
I've been having some probs of late, like when trying to log on parts of my desktop would be missing and a restart was required to make them reappear; also sometimes I'd log on as normal but Windows would fail to start and I'd get the "Windows log on failed" message, and the next attempt would let me log on.
Other things that I think this thing was causing: Windows Aero would keep turning itself off, and it was a real pain getting it restarted as the whole themes would be turned off and I'd have to go through various hoops to get it working again.
Every so often I would get a pop-up telling me that Windows server had stopped working. I don't use my comp as a server, so I'm led to believe that this infection was trying to do something here. I would also get the "host processes has stopped working" pop-up every so often as well, and find it difficult to connect to WiFi.
I've only recently (3 months or so ago) installed a new larger hard drive as my old one was failing. I now have quite a lot of programs and files on my comp that I need for work and no way of copying the hard drive at present (need to get a new HDD to clone it via Norton Ghost v15). So I'm worried about any removal and re-installing of system files, which is what it appears I will have to do going by the Norton page for ME/XP that I was getting directed to.
I'm running Windows Vista Home Premium on a Toshiba A100 027, RAM upgraded to 2 gigs (from 1 gig original), and I've now got a 320 gig HDD (original was only 80 gigs) with about 100 gigs of space left. I hope you can understand my nervousness about having to do a re-install.
Any help or advice greatly appreciated.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
I hope this helps.
Good luck!
Hi, thanks for your reply Lorien. I had run Malwarebytes the other day and the output is below; below that is the output from the scan I just ran a few moments ago.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4182
Windows 6.0.6000
Internet Explorer 7.0.6000.17037
09/06/2010 11:18:10
mbam-log-2010-06-09 (11-18-10).txt
Scan type: Quick scan
Objects scanned: 132270
Time elapsed: 11 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Users\My user name here\AppData\Local\Temp\UuU.uUu (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\My user name here\AppData\Local\Temp\XxX.xXx (Malware.Trace) -> Quarantined and deleted successfully.
Most recent scan
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4194
Windows 6.0.6000
Internet Explorer 7.0.6000.17037
13/06/2010 18:39:42
mbam-log-2010-06-13 (18-39-42).txt
Scan type: Quick scan
Objects scanned: 135470
Time elapsed: 12 minute(s), 1 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
This is what I'm getting from Norton (Unresolved security risks)
source: netbt.sys
activity: infected file C:\Windows\System32\drivers\netbt.sys
manual removal required.
It's a system file (from the properties of the file); the created, modified & accessed dates are all 2nd Nov 2006, which is around when I bought the comp new. Just wondering, if I update drivers will that remove/replace it?
Thanks for your advice and help.
Hi acantho1,
Run an SFC scan to repair infected/corrupted system files. Making sure all drivers on your system are up to date will ensure that the system runs smoothly. We recommend that you download the software directly from the manufacturer’s website to ensure the software is safe.
Hi Dena, thanks for your reply.
I tried doing as you said, but it only gets to 61% and then stops. This is the output:
Microsoft Windows [Version 6.0.6000]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Users\My name here >sfc /scannow
Beginning system scan. This process will take some time.
Beginning verification phase of system scan.
Verification 61% complete.
Windows Resource Protection could not perform the requested operation.
I had previously run Spyware Doctor with Antivirus and it picked up the infection and repaired/deleted the file, as I cannot find netbt.sys in the drivers folder now; I also searched the rest of the HDD and Vista can't find that file.
Just worried now that if this file has been deleted, will my computer restart OK if I shut it down?
Also I had a browser open when I ran the command prompt, so going to try it again with the browser closed.
I'll let you know if it works.
Turned off all my AVs and Windows Defender, then ran the command prompt again; it reached 100% then said it could not complete the task!
Tried restarting my computer, had the "welcome" screen up for ages, then got logon failed and something about group policies; restarted and it started up with my desktop missing; restarted again and the desktop etc. was there but the themes service was turned off again,
and then had the pop-up box saying "server has stopped working, Windows is checking for solutions and will notify you if any are found".
Needless to say, I think this virus is still there somewhere; will try running virus software again, full scans, and see how I get on this time.
How would I go about updating all my system drivers ?
I've managed to figure out the command prompt, and the missing files are:
2010-06-16 19:57:04, Info CSI 000000f3 [SR] Cannot repair member file [l:18{9}]"netbt.sys" of Microsoft-Windows-NetBT, Version = 6.0.6000.16386, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2010-06-16 19:59:59, Info CSI 00000118 [SR] Cannot repair member file [l:20{10}]"sscore.dll" of Microsoft-Windows-SMBServer, Version = 6.0.6000.16386, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2010-06-16 20:00:02, Info CSI 0000011a [SR] Cannot repair member file [l:20{10}]"sscore.dll" of Microsoft-Windows-SMBServer, Version = 6.0.6000.16386, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2010-06-16 20:03:46, Info CSI 0000016e [SR] Cannot repair member file [l:18{9}]"netbt.sys" of Microsoft-Windows-NetBT, Version = 6.0.6000.16386, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2010-06-16 20:03:46, Info CSI 00000170 [SR] Cannot repair member file [l:20{10}]"sscore.dll" of Microsoft-Windows-SMBServer, Version = 6.0.6000.16386, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2010-06-16 20:03:47, Info CSI 0000017a [SR] Cannot repair member file [l:20{10}]"sscore.dll" of Microsoft-Windows-SMBServer, Version = 6.0.6000.16386, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
How can I rectify this? Would it be as simple as downloading them from the Microsoft website and putting them in the appropriate place?
I'm rather lost here now!
Thanks in advance for any help or advice you can offer.
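The lines quoted in the post above are what SFC writes to CBS.log for each protected file it could not repair. As an added example (not part of this thread, and not a Microsoft tool), the Python script below pulls those "[SR] Cannot repair member file" entries out of a CBS.log extract, collapses the repeated entries per file, and separates "file is missing" from "hash mismatch". That split is the one a defender wants: a missing protected file just needs a good copy restored, while a hash mismatch means the file on disk no longer matches what the component store signed and should be compared against a known-good copy before it is trusted. The sample log text is built from the six lines in the post plus two constructed "Verify complete" lines so the parser has unrelated entries to skip; the function names are my own.

```python
import re
from collections import OrderedDict
from typing import Dict, List

# Sample CBS.log extract. The six "Cannot repair member file" lines are the
# ones quoted in the post; the two "[SR] Verify complete" lines are
# constructed filler so the parser has unrelated lines to skip.
SAMPLE_CBS_LOG = """\
2010-06-16 19:57:04, Info CSI 000000f3 [SR] Cannot repair member file [l:18{9}]"netbt.sys" of Microsoft-Windows-NetBT, Version = 6.0.6000.16386, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2010-06-16 19:58:31, Info CSI 000000f9 [SR] Verify complete
2010-06-16 19:59:59, Info CSI 00000118 [SR] Cannot repair member file [l:20{10}]"sscore.dll" of Microsoft-Windows-SMBServer, Version = 6.0.6000.16386, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2010-06-16 20:00:02, Info CSI 0000011a [SR] Cannot repair member file [l:20{10}]"sscore.dll" of Microsoft-Windows-SMBServer, Version = 6.0.6000.16386, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2010-06-16 20:03:46, Info CSI 0000016e [SR] Cannot repair member file [l:18{9}]"netbt.sys" of Microsoft-Windows-NetBT, Version = 6.0.6000.16386, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2010-06-16 20:03:46, Info CSI 00000170 [SR] Cannot repair member file [l:20{10}]"sscore.dll" of Microsoft-Windows-SMBServer, Version = 6.0.6000.16386, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2010-06-16 20:03:47, Info CSI 0000017a [SR] Cannot repair member file [l:20{10}]"sscore.dll" of Microsoft-Windows-SMBServer, Version = 6.0.6000.16386, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2010-06-16 20:03:48, Info CSI 0000017b [SR] Verify complete
"""

# One "[SR] Cannot repair member file" line. Real CBS.log pads the space
# between "Info" and "CSI" with many blanks, so \s+ is used throughout.
SR_CANNOT_REPAIR = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), Info\s+CSI\s+(?P<seq>[0-9a-f]+)\s+'
    r'\[SR\] Cannot repair member file \[l:\d+\{\d+\}\]"(?P<file>[^"]+)" '
    r'of (?P<component>[^,]+), Version = (?P<version>[^,]+),.*?'
    r'in the store, (?P<reason>.+?)\s*$'
)


def parse_sr_entries(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per unrepaired-file line; all other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = SR_CANNOT_REPAIR.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def summarize_unrepaired(entries: List[Dict[str, str]]) -> "OrderedDict[str, dict]":
    """Collapse repeated entries to one record per file, in first-seen order."""
    summary: "OrderedDict[str, dict]" = OrderedDict()
    for e in entries:
        rec = summary.setdefault(e["file"], {
            "component": e["component"],
            "version": e["version"],
            "reasons": set(),
            "occurrences": 0,
        })
        rec["reasons"].add(e["reason"])
        rec["occurrences"] += 1
    for rec in summary.values():
        rec["reasons"] = sorted(rec["reasons"])
    return summary


def classify(reason: str) -> str:
    """Map the CSI reason text to a triage category (my own labels)."""
    if reason == "file is missing":
        return "missing"               # no good copy in the store; restore from media/repair install
    if reason == "hash mismatch":
        return "integrity-mismatch"    # present on disk but not what the catalog signed
    return "other"


if __name__ == "__main__":
    for name, rec in summarize_unrepaired(parse_sr_entries(SAMPLE_CBS_LOG)).items():
        cats = ", ".join(classify(r) for r in rec["reasons"])
        print(f"{name:12} {rec['component']:30} x{rec['occurrences']}  {cats}")
```

On a live Vista machine the same lines live in %windir%\Logs\CBS\CBS.log; the usual way to extract just the SFC entries is `findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log`, and the resulting text can be passed to `parse_sr_entries` in place of the sample string. For this sample the summary lists `netbt.sys` twice as "file is missing" and `sscore.dll` four times as "hash mismatch".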
Hi acantho1,
Follow the steps in this thread provided by Marilyn to complete a repair install. Before completing the steps, make sure you back up any data.
Hi Dena,
The netbt.sys driver/file has reappeared (virus free). I am assuming that the SFC that I ran sorted that out, and the sscore.dll was an Adobe Acrobat file; when I opened Acrobat it gave me the option of repairing this file by the program itself, which I did.
My computer seems to be running fine now. I still occasionally get the pop-up saying that "the server has stopped working" and "Host processes has stopped", with Aero occasionally turning itself off. I've restarted a couple of times now and it boots up fine into my desktop; I can live with having to turn on themes and Aero every now and again.
I've re-run AVs a couple of times and anti-malware/spyware progs and they are picking nothing up at all, so it's all looking good.
Can't thank you enough for your help and advice; always nice to know there is someone who can help.
Thinking of upgrading to Windows 7, but first I'm going to clone my HDD using Norton Ghost v15, which I had been meaning to do before the problems started, I always back up my files anyway, but having a "plug & play" cloned HDD is a good idea I think.
Again thank you so much.
I ran the quick scan and, even though I know I have this virus (I have Symantec Endpoint Protection and it detects it every time I start my PC), I got the following:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4261
Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18928
6/30/2010 10:01:10 AM
mbam-log-2010-06-30 (10-01-10).txt
Scan type: Quick scan
Objects scanned: 194743
Time elapsed: 3 minute(s), 55 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
I'm currently running a full scan. I've had this problem since Monday and have worked endlessly on it each day. I don't want to wipe my PC (running Vista Business). I've also run the sfc scan that was mentioned here. No longer sure what to do. The file affected is nsiproxy.sys (I've deleted/replaced it with the backup file, but Symantec Endpoint still said it was infected). I've even worked with Symantec tech support, and they were supposed to go through log files from a scan they ran on the computer and get back to me yesterday; I still haven't heard back from them either. VERY frustrated! Any help would be greatly appreciated. I'll update the post if the full scan of Malwarebytes fixes it, which I'm still hopeful that it will, but not counting on it at this point.
Just finished full scan - it found nothing! :(
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4261
Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18928
6/30/2010 10:50:44 AM
mbam-log-2010-06-30 (10-50-44).txt
Scan type: Full scan (C:\|)
Objects scanned: 359789
Time elapsed: 48 minute(s), 11 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Only going by what I did and have heard: make sure you've updated Malwarebytes and run it again. You could also start up in Safe Mode and run the scan there; that way nonessential drivers and files are not loaded, so you might find it that way.
One other thing: if the file is a system file, then every time you run a backup and then restore from that backup you will reinfect your computer. If you have a save point from before you started getting the problem, then I would tentatively suggest you restore from that point, but make sure you have a backup of any data files (e.g. Word, Excel etc.) before you restore to an earlier point.
Hope that's of some help to you. Not sure if it might be a better idea to start a whole new thread, as the folk who answered me in this thread might not have automatic notification of a reply.
Best of luck to you.