Backdoor.Tidserv.I!inf infection


Yes, when opening msconfig the services tab does have the services (the hide box was not checked), the DHCP Client box was checked, and the status is listed as stopped.

Click Start > Run, type msconfig and press enter.

Click the Services tab. Is there anything listed there? Make sure that Hide Microsoft Services is NOT checked!


Also, the virus seemed to have changed permissions: as I took a look at startup programs (in msconfig) I noticed that there were a couple of HP printer-related items. I attempted to uncheck them and it stated that I needed to be logged on as admin (it did not use to be this way).

Norton scan came up clean.

I will try that, but first, the most recent Norton scan following a complete removal with the Norton tool (performed 2x as per directions from the Norton people), and reinstall/update found the virus again in two C:system volume information\_restore...sys files. Any thoughts?

Try this: click Start > Run, type cmd and press enter.

Type net start dhcp client and press enter.

Let me know what is returned.


The attempt at starting DHCP returned system error 1068: The dependency service or group failed to start.

I will try that, but first, the most recent Norton scan following a complete removal with the Norton tool (performed 2x as per directions from the Norton people), and reinstall/update found the virus again in two C:system volume information\_restore...sys files. Any thoughts?

Hi, Norton found just the copy of the infected file in system restore. This is not a problem, since system restore will be reset anyway when we are all cleaned up. :o

Please click Start > Run, type cmd and press enter.

Type the following line and press enter.

netsh int ip reset resetlog.txt

Now restart your computer and see if the internet works.


Returned the following error:

WARNING: Could not obtain host information from machine: [SYBIL]. Some commands may not be available. Class not registered.

The following command was not found: int reset resetlog.txt

Hi, Norton found just the copy of the infected file in system restore. This is not a problem, since system restore will be reset anyway when we are all cleaned up. :o

Please click Start > Run, type cmd and press enter.

Type the following line and press enter.

netsh int ip reset resetlog.txt

Now restart your computer and see if the internet works.


I think I see the problem here.

OTL

-----

  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the otlDesktopIcon.png icon on your desktop.
  4. Copy and Paste the following code into the customFix.png textbox. Do not include the word "Code"
    /md5start
    afd.sys
    /md5stop
    hklm\system\currentcontrolset\services\afd
  5. Click the NONE button and then Push runscanbutton.png
  6. A report will open. Copy and Paste that report in your next reply.


OTL logfile created on: 10/11/2010 3:46:17 PM - Run 2

OTL by OldTimer - Version 3.2.14.1 Folder = F:\virus logs

Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2180)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 488.00 Mb Available Physical Memory | 48.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 79.00% Paging File free

Paging file location(s): c:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 74.46 Gb Total Space | 54.82 Gb Free Space | 73.63% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

Drive F: | 1.96 Gb Total Space | 0.31 Gb Free Space | 15.99% Space Free | Partition Type: FAT

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: SYBIL

Current User Name: Sybil

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Custom Scans ==========

< MD5 for: AFD.SYS >

[2008/08/14 06:34:26 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=4D43E74F2A1239D53929B82600F1971C -- C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys

[2004/08/04 07:00:00 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=5AC495F4CB807B2B98AD2AD591E6D92E -- C:\i386\afd.sys

[2004/08/04 07:00:00 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=5AC495F4CB807B2B98AD2AD591E6D92E -- C:\WINDOWS\$NtUninstallKB951748_0$\afd.sys

[2004/08/04 06:00:00 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=5AC495F4CB807B2B98AD2AD591E6D92E -- C:\WINDOWS\system32\dllcache\afd.sys

[2004/08/04 06:00:00 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=5AC495F4CB807B2B98AD2AD591E6D92E -- C:\WINDOWS\system32\drivers\afd.sys

[2008/06/20 07:48:03 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=D6EE6014241D034E63C49A50CB2B442A -- C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys

[2008/06/20 06:44:08 | 000,138,368 | ---- | M] (Microsoft Corporation) MD5=D99DDFFB33DEACDCF20717CB520379F6 -- C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\afd.sys

[2008/06/20 07:40:08 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=E3049B90FE06F3F740B7CFDA44995E2C -- C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\afd.sys

< hklm\system\currentcontrolset\services\afd >

"DisplayName" = AFD

"Description" = AFD Networking Support Environment

"Group" = TDI

"ImagePath" = system32\drivers\tsk72D.tmp -- File not found

"Start" = 1

"Type" = 1

"ErrorControl" = 1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd\Parameters]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd\Security]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd\Enum]

< End of report >

I think I see the problem here.

OTL

-----

  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the otlDesktopIcon.png icon on your desktop.
  4. Copy and Paste the following code into the customFix.png textbox. Do not include the word "Code"
    /md5start
    afd.sys
    /md5stop
    hklm\system\currentcontrolset\services\afd
  5. Click the NONE button and then Push runscanbutton.png
  6. A report will open. Copy and Paste that report in your next reply.

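What the helper spotted in the OTL report above is that the AFD service record still carries the right name, group and start type, but its ImagePath points at a .tmp file under system32\drivers that no longer exists, while every copy of the real afd.sys on disk hashes identically. A service whose driver cannot be loaded never starts, and everything that depends on it (here the DHCP Client, hence error 1068) fails with it. The following script is an added example, not part of the thread or of OTL: it parses the custom-scan section of such a report (the AFD lines from this thread are embedded as the sample, trimmed to the copies that matter) and flags an ImagePath that deviates from the expected driver path, a target reported as missing, and a live driver whose hash differs from the dllcache copy. The report text, the key and path constants, and the function names are all this example's own assumptions.

```python
import re

# Constructed sample: the AFD portion of the OTL custom-scan report posted in this
# thread, embedded so the audit runs offline (other afd.sys copies omitted).
OTL_REPORT = r"""
< MD5 for: AFD.SYS >
[2004/08/04 06:00:00 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=5AC495F4CB807B2B98AD2AD591E6D92E -- C:\WINDOWS\system32\dllcache\afd.sys
[2004/08/04 06:00:00 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=5AC495F4CB807B2B98AD2AD591E6D92E -- C:\WINDOWS\system32\drivers\afd.sys
[2008/06/20 06:44:08 | 000,138,368 | ---- | M] (Microsoft Corporation) MD5=D99DDFFB33DEACDCF20717CB520379F6 -- C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\afd.sys
< hklm\system\currentcontrolset\services\afd >
"DisplayName" = AFD
"Group" = TDI
"ImagePath" = system32\drivers\tsk72D.tmp -- File not found
"Start" = 1
"Type" = 1
< End of report >
"""

MD5_LINE = re.compile(r'MD5=([0-9A-Fa-f]{32}) -- (.+)$')
VALUE_LINE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_md5_section(report):
    """Return {path: MD5} for every file OTL hashed in a '< MD5 for: ... >' section."""
    hashes = {}
    for line in report.splitlines():
        m = MD5_LINE.search(line)
        if m:
            hashes[m.group(2).strip()] = m.group(1).upper()
    return hashes


def parse_service_values(report, key):
    """Return {value_name: (data, file_missing)} for the '< key >' registry section."""
    values, in_section = {}, False
    for line in report.splitlines():
        if line.startswith('<') and line.endswith('>'):
            in_section = line.strip('< >').lower() == key.lower()
            continue
        m = VALUE_LINE.match(line) if in_section else None
        if m:
            data, _, tail = m.group(2).partition(' -- ')   # OTL appends "-- File not found"
            values[m.group(1)] = (data.strip(), tail.strip() == 'File not found')
    return values


def normalize_image_path(path):
    """Lower-case an ImagePath and drop the prefixes that all resolve to %SystemRoot%."""
    p = path.strip().lower()
    for prefix in ('\\??\\c:\\windows\\', '\\systemroot\\', 'c:\\windows\\'):
        if p.startswith(prefix):
            return p[len(prefix):]
    return p


def audit_driver_service(report, service_key, expected_image, live_copy, reference_copy):
    """Return a list of findings; an empty list means the service record looks sane."""
    findings = []
    values = parse_service_values(report, service_key)
    image, missing = values.get('ImagePath', ('', False))
    if normalize_image_path(image) != normalize_image_path(expected_image):
        findings.append(f'ImagePath redirected to {image!r}, expected {expected_image!r}')
    if missing:
        findings.append('ImagePath target does not exist on disk; the service cannot start')
    hashes = parse_md5_section(report)
    live, ref = hashes.get(live_copy), hashes.get(reference_copy)
    if live and ref and live != ref:
        findings.append(f'{live_copy} hash {live} differs from {reference_copy} hash {ref}')
    return findings


# Assumed constants for this example (key and paths as they appear in the report).
AFD_KEY = r'hklm\system\currentcontrolset\services\afd'
AFD_EXPECTED = r'\SystemRoot\System32\drivers\afd.sys'
AFD_LIVE = r'C:\WINDOWS\system32\drivers\afd.sys'
AFD_CACHE = r'C:\WINDOWS\system32\dllcache\afd.sys'


def audit_thread_report():
    """Audit the report as posted: two findings (redirected ImagePath, missing target)."""
    return audit_driver_service(OTL_REPORT, AFD_KEY, AFD_EXPECTED, AFD_LIVE, AFD_CACHE)


def audit_repaired_report():
    """Same report with ImagePath restored, the state the registry fix aims for: no findings."""
    repaired = OTL_REPORT.replace('system32\\drivers\\tsk72D.tmp -- File not found',
                                  'system32\\drivers\\afd.sys')
    return audit_driver_service(repaired, AFD_KEY, AFD_EXPECTED, AFD_LIVE, AFD_CACHE)


if __name__ == '__main__':
    for finding in audit_thread_report() or ['no findings']:
        print('-', finding)
```

The hash comparison is deliberately conservative: an unchanged live driver with a hijacked service entry is exactly the pattern here, so the script reports the registry redirect even when every file hash is clean, rather than treating matching hashes as an all-clear.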

Please let me know if your internet works after the following fix. :(

BACKUP THE REGISTRY

---------------------------

Backup Your Registry with ERUNT

  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.

Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

OTL FIX

------------

We need to run an OTL Fix

  1. Please reopen otlDesktopIcon.png on your desktop.
  2. Copy and Paste the following code into the customFix.png textbox. Do not include the word "Code"
    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD]
    "ImagePath"="\\SystemRoot\\System32\\drivers\\afd.sys"


  3. Push runFixbutton.png
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click btnOK.png.
  6. A report will open. Copy and Paste that report in your next reply.


========== REGISTRY ==========

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\\"ImagePath"|"\\SystemRoot\\System32\\drivers\\afd.sys" /E : value set successfully!

OTL by OldTimer - Version 3.2.14.1 log created on 10112010_161803

The only internet connection I can check right now is the PDAnet connection. The same thing is still happening: I select connect to internet and nothing happens. It does not say it can't connect or give an error, it just does nothing. Where I'm at now there is no other wired or wireless connection to try. The PDAnet is working just fine on the other computer...

Please let me know if your internet works after the following fix. :(

BACKUP THE REGISTRY

---------------------------

Backup Your Registry with ERUNT

  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.

Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

OTL FIX

------------

We need to run an OTL Fix

  1. Please reopen otlDesktopIcon.png on your desktop.
  2. Copy and Paste the following code into the customFix.png textbox. Do not include the word "Code"
    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD]
    "ImagePath"="\\SystemRoot\\System32\\drivers\\afd.sys"


  3. Push runFixbutton.png
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click btnOK.png.
  6. A report will open. Copy and Paste that report in your next reply.


Do you think it's O.K. to manually delete those two system volume information\_restore .sys files so that Norton stops picking them up as threats?

========== REGISTRY ==========

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\\"ImagePath"|"\\SystemRoot\\System32\\drivers\\afd.sys" /E : value set successfully!

OTL by OldTimer - Version 3.2.14.1 log created on 10112010_161803

The only internet connection I can check right now is the PDAnet connection. The same thing is still happening: I select connect to internet and nothing happens. It does not say it can't connect or give an error, it just does nothing. Where I'm at now there is no other wired or wireless connection to try. The PDAnet is working just fine on the other computer...


It's taking a really long time... it says processing registry data and the hour glass is showing, but it's been at least 10 minutes.

Please try the following fix:

:reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD]
"ImagePath"=hex(2):"\\SystemRoot\\System32\\drivers\\afd.sys"


Sorry, my bad. Try this instead. Please make sure to back up your registry with ERUNT first!

Please click Start > Run, type notepad and press enter. Copy and paste the following text into Notepad and save it as fixme.reg to your desktop.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD]
"ImagePath"="\\SystemRoot\\System32\\drivers\\afd.sys"

Exit Notepad and double-click on fixme.reg to run it. Allow the information to be merged. You will receive a success message, click OK.

Restart your computer and let me know how things are now.

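The fixme.reg above is plain Windows Registry Editor 5.00 syntax, and the doubled backslashes in it are not a typo: inside a quoted .reg string both the backslash and the double quote are escaped with a backslash, so `\\SystemRoot\\System32\\drivers\\afd.sys` merges as `\SystemRoot\System32\drivers\afd.sys`. The quoted form always writes a REG_SZ; a service ImagePath is usually REG_EXPAND_SZ, which regedit exports as `hex(2):` followed by the UTF-16LE bytes of the string plus a terminating NUL. The script below is an added example, not the thread's own tool or anything from OTL or ERUNT: it builds both forms of the AFD fix and parses them back, so the escaping can be checked before the file is merged. The key and value are those from the thread; the function names and the single-key file layout are this example's own assumptions.

```python
def escape_reg_string(text):
    """Escape a string for a quoted .reg name or REG_SZ value (backslash and quote)."""
    return text.replace('\\', '\\\\').replace('"', '\\"')


def unescape_reg_string(text):
    """Inverse of escape_reg_string: a backslash takes the next character literally."""
    out, i = [], 0
    while i < len(text):
        if text[i] == '\\' and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return ''.join(out)


def hex2_value(text):
    """REG_EXPAND_SZ as regedit exports it: hex(2): then UTF-16LE bytes with a trailing NUL."""
    data = (text + '\0').encode('utf-16-le')
    return 'hex(2):' + ','.join(f'{b:02x}' for b in data)


def build_reg_file(key, values):
    """values maps name -> (type, data); type is 'REG_SZ' or 'REG_EXPAND_SZ'."""
    lines = ['Windows Registry Editor Version 5.00', '', f'[{key}]']
    for name, (kind, data) in values.items():
        quoted = f'"{escape_reg_string(name)}"'
        if kind == 'REG_SZ':
            lines.append(f'{quoted}="{escape_reg_string(data)}"')
        elif kind == 'REG_EXPAND_SZ':
            lines.append(f'{quoted}={hex2_value(data)}')
        else:
            raise ValueError(f'unsupported type {kind}')
    lines.append('')
    return '\n'.join(lines)


def parse_reg_file(text):
    """Parse the subset build_reg_file writes (plus regedit's trailing-backslash line
    continuation for long hex data) into {key: {name: (type, data)}}."""
    result, key, pending = {}, None, ''
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ''
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.endswith('\\') and not line.startswith('['):
            pending = line[:-1]          # hex data continues on the next line
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            result.setdefault(key, {})
            continue
        name, _, value = line.partition('=')   # names with '=' are out of scope here
        name = unescape_reg_string(name.strip()[1:-1])
        if value.startswith('"'):
            result[key][name] = ('REG_SZ', unescape_reg_string(value[1:-1]))
        elif value.startswith('hex(2):'):
            raw_bytes = bytes.fromhex(value[len('hex(2):'):].replace(',', ''))
            result[key][name] = ('REG_EXPAND_SZ', raw_bytes.decode('utf-16-le').rstrip('\0'))
        else:
            raise ValueError(f'unsupported value syntax: {value}')
    return result


# Key and value from the thread's fixme.reg.
AFD_KEY = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD'
AFD_IMAGE = r'\SystemRoot\System32\drivers\afd.sys'


def fixme_reg_as_posted():
    """The REG_SZ form, byte for byte what the thread's fixme.reg contains."""
    return build_reg_file(AFD_KEY, {'ImagePath': ('REG_SZ', AFD_IMAGE)})


def fixme_reg_expand_sz():
    """The same value typed REG_EXPAND_SZ, the type a driver ImagePath usually carries."""
    return build_reg_file(AFD_KEY, {'ImagePath': ('REG_EXPAND_SZ', AFD_IMAGE)})


if __name__ == '__main__':
    print(fixme_reg_as_posted())
    print(parse_reg_file(fixme_reg_expand_sz())[AFD_KEY])
```

Round-tripping a .reg file through parse_reg_file before merging it is a cheap way to catch a missing backslash or an unbalanced quote, which regedit would otherwise either reject or, worse, merge as a wrong path.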

Hey Elise, no worries. I have done as you asked. What were your thoughts about deleting the files Norton found?

Sorry, my bad. Try this instead. Please make sure to back up your registry with ERUNT first!

Please click Start > Run, type notepad and press enter. Copy and paste the following text into Notepad and save it as fixme.reg to your desktop.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD]
"ImagePath"="\\SystemRoot\\System32\\drivers\\afd.sys"

Exit Notepad and double-click on fixme.reg to run it. Allow the information to be merged. You will receive a success message, click OK.

Restart your computer and let me know how things are now.
