Jump to content

Recommended Posts

Hi there

 

Norton Anti-Virus alerted me my computer was infected with backdoor.tidserv.l!inf. It said it had to be removed manually and the first thing to do was to do a full system scan.

 

I did that and it said it then said it had been resolved.

 

I wanted to be sure, so I opened Malwarebytes Anti-Malware and updated it (I already had it installed on my computer from a few years ago when I had a problem). Then performed a full scan. It found the following file: PUP.Optional.OpenCandy, which has now been quarantined. I don't know if that file was connected to the virus.

 

Please can you tell me whether my system is now clean? 

 

Here is the log and many thanks in advance:-

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.12.27.06
 
Windows XP Service Pack 3 x86 FAT32
Internet Explorer 8.0.6001.18702
Flatau :: ACER-AC84C68AD3 [administrator]
 
27/12/2013 19:24:54
mbam-log-2013-12-27 (19-24-54).txt
 
Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 377209
Time elapsed: 2 hour(s), 16 minute(s), 45 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 1
C:\Documents and Settings\Flatau\Local Settings\Temporary Internet Files\Content.IE5\O2B3MVKK\stubinst_pkg_en-uk[1].cab (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
 
(end)
 
Link to post
Share on other sites

Hello Blue Mermaid! My name is Borislav and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.
No, there is no connection between them.

One or more of the identified infections is related to a nasty rootkit component which is difficult to remove. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums from a CLEAN COMPUTER. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, delete the partition, reformat and reinstall the Operating System.

Please read:

Should you decide not to follow this advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, disinfection will require more time and more advanced tools.

Please let us know how you would like to proceed.

Link to post
Share on other sites

Hello Borislav

 

Thank you very much for replying to my question.

 

I am using my brother's notebook right now. He came over to my house to help me with your advice.

 

He changed the password on my router as you suggested (from his notebook).

 

He used the system and recovery discs supplied by Acer to reinstall my system (XP) and we saw that it deleted my personal files and reinstalled Windows from an Acer file.

 

We have a question for you please:-

 

Could the virus infect Windows XP installation files (Acer) used for Windows XP recovery (these Windows files were copied from a single Acer installation file)? My brother thought it unlikely that the virus would be able to recognise an Acer file used for reinstallation of Windows.

 

A full reformat wasn't done by the recovery program. There was no option to do that.

 

However, I did format the D partition, which still had some files in it after the Windows installation.

 

All other files have been deleted from the C drive.

 

Many thanks.

Link to post
Share on other sites

Thanks very much for your last reply.

 

The XP Installation files didn't look like they were being copied from the Acer cd but from an Acer XP installation file on the C drive of the computer. That's why we're concerned and wanted to ask you whether the virus could have been copied onto the computer again?

Link to post
Share on other sites

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Thanks very much for all your help Maniac. It is much appreciated.

 

Thanks also for the link you posted for me.

 

I do like to try and understand the techie stuff and learn from it, so could you explain why the trojan didn't infected the Windows Installation file when it infected the rest of my system please?

 

Many thanks.

 

 

Link to post
Share on other sites

I told my brother what you said and he told me he'd had a look on the internet about what happened when we used the Acer Recovery CD's. He said the following:-

 

"I think what happened is that there is a recovery partition on the hard drive which resets the C: partition and then uses installation files on the recovery partition to install the OS as it came from the factory. So it was re-installed but from a recovery partition on the hard drive.

Link to post
Share on other sites

  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.