Endpoint Protection

  • 1.  Backdoor.Tidserv!inf -Filename UAC43bf.tmp

    Posted Sep 29, 2009 02:35 PM
    Hi,

    I have a backdoor virus file name UAC43bf.tmp.  NAV 10.1 (updated) cannot remove the virus in regular or safe modes.  MBAM (updated) does not even recognize the virus.  I did have a UAC rootkey virus last month which this may be a residual of, but I have not had any problems in the intervening period until today when the virus was detected.  I have attached Hijackthis and sysprot logs.  Please help.

    Thanks.

    Attachment(s): hijackthis.txt (7 KB), SysProtLog.txt (29 KB)


  • 2.  RE: Backdoor.Tidserv!inf -Filename UAC43bf.tmp

    Posted Sep 29, 2009 02:51 PM
    Well, it looks like a UAC rootkit. I would suggest you run IceSword or GMER to find hidden rootkits on your system.
    These UAC rootkits often create UAC...sys and .exe files. Using IceSword, check the services in the registry at
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    and delete any files or entries named UAC... in that location (if your PC is XP).

    Also go to Start - Run - %temp% and delete all the files.
    Same with c:\windows\temp.


  • 3.  RE: Backdoor.Tidserv!inf -Filename UAC43bf.tmp

    Posted Sep 29, 2009 03:13 PM
    I downloaded IceSword.

    Can you be more specific how I can use it to delete the rootkits?


  • 4.  RE: Backdoor.Tidserv!inf -Filename UAC43bf.tmp

    Posted Sep 30, 2009 04:53 AM
    Rootkits are hidden from the user API, so you won't be able to see any of their entries.
    Using IceSword you can browse the registry and drives; it will show you all the user-level and kernel-level files and entries.

    Back up the registry first.
    Open IceSword, go to Registry, then browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services,
    HKEY_CURRENT_USER\Software and
    HKEY_LOCAL_MACHINE\SOFTWARE,
    and then look for anything starting with UAC.
    If it looks suspicious, delete it.
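    The manual check described in replies 2 and 4 (look through the Services key for UAC... entries, then clear the temp folders) can be scripted as a read-only audit. The script below is an added example, not posted in this thread and not part of IceSword or GMER; it assumes an elevated PowerShell session on the affected Windows machine, and the `^UAC` name pattern and `UAC*.tmp` filter are taken from the filenames the thread mentions. It only reports, it does not delete anything.

    ```powershell
    # Added audit script (not from the thread): list services whose name or ImagePath
    # matches the TDSS/Tidserv "UAC..." naming, plus UAC*.tmp files in the temp folders.
    # Read-only. Caveat from reply 4: a live rootkit hides its entries from the user API,
    # so an empty result here is not proof of a clean system; compare with IceSword/GMER.

    $ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $NamePattern = '^UAC'   # constructed pattern for names such as UAC43bf

    $Findings = foreach ($svc in Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue) {
        $props     = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        $imagePath = [string]$props.ImagePath
        $nameHit   = $svc.PSChildName -match $NamePattern
        $pathHit   = $imagePath -match '\\UAC[^\\]*\.(sys|exe|dll)'
        if (-not ($nameHit -or $pathHit)) { continue }

        # Normalise the ImagePath (quotes, arguments, \SystemRoot\, \??\ prefixes) to a file path.
        $expanded = [Environment]::ExpandEnvironmentVariables($imagePath) -replace '^"([^"]+)".*$', '$1'
        $expanded = $expanded -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $expanded = $expanded -replace '^\\\?\?\\', ''

        [pscustomobject]@{
            Service   = $svc.PSChildName
            Start     = $props.Start        # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            ImagePath = $imagePath
            # A registered service whose binary is not visible to the file API is itself
            # suspicious: either the file was already removed or the rootkit is hiding it.
            OnDisk    = if ($expanded) { Test-Path -LiteralPath $expanded } else { $false }
        }
    }

    if ($Findings) { $Findings | Format-Table -AutoSize } else { 'No UAC* service entries visible.' }

    # Report UAC*.tmp files in the two temp folders reply 2 says to clear (no deletion).
    foreach ($dir in @($env:TEMP, (Join-Path $env:SystemRoot 'Temp'))) {
        Get-ChildItem -Path $dir -Filter 'UAC*.tmp' -Force -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime
    }
    ```

    Save the output before cleaning so the service names, ImagePath values and timestamps are available for the submission to Symantec or for comparing against the IceSword/GMER view.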