Remove Backdoor.Tidserv.K

Posted on: February 12th, 2010

Discovered: January 28, 2010
Updated: January 29, 2010 3:47:48 PM
Type: Trojan
Systems Affected: Windows XP, Windows Server 2003, Windows 2000
Recommended Action:
In order to remove Backdoor.Tidserv.K you need to download the ‘No Adware’ remover software. Based on our testing this was the best performing remover of Backdoor.Tidserv.K. Read our full No Adware Review.

If your PC is also running slowly, you may also want to read our Regcure Review. Regcure is proven to improve the performance of your computer.


Technical Details:
This Trojan may arrive as the following file:

%CurrentFolder%\Surprise.exe

When the Trojan is executed, it creates the following mutex so that only one instance of the Trojan exists on the computer:

{CC51461B-E32A-4883-8E97-E0706DC65415}

It then creates a copy of itself in the following location:

%Windir%\system32\spool\prtprocs\[RANDOM NAME ONE].tmp

Next, the Trojan creates the following file:

%Temp%\[RANDOM NAME TWO].tmp

It then registers itself as a service by creating the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM NAME THREE]

The Trojan then deletes the above registry subkey as well as the following files:

* %CurrentFolder%\Surprise.exe

* %Windir%\system32\spool\prtprocs\[RANDOM NAME ONE].tmp

* %Temp%\[RANDOM NAME TWO].tmp

Note: The Trojan then enters a dormant state and will be removed from the computer if the computer is restarted at this time.
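The drop-and-delete sequence above leaves two artifacts a responder can look for on a live host: the mutex name, and any .tmp file parked in the print-processor directory (genuine print processors are DLLs). The following is an added example written for this page, not code from the original writeup or from any vendor. The mutex name and the prtprocs path are taken from the text; the assumption that nothing legitimate leaves .tmp files under prtprocs, and the choice to try both the session-local and Global\ mutex namespaces (the writeup does not say which the sample uses), are the example's own. The sample directory layout is constructed so the scan can be exercised on any platform; the mutex check only runs on Windows.

```python
"""Hunt for the host artifacts described above (added example, not vendor code)."""
import ctypes
import os
import sys
import tempfile
from pathlib import Path

TIDSERV_MUTEX = "{CC51461B-E32A-4883-8E97-E0706DC65415}"  # from the writeup
SYNCHRONIZE = 0x00100000          # smallest access right OpenMutexW accepts
ERROR_ACCESS_DENIED = 5


def default_prtprocs_dir():
    """%Windir%\\system32\\spool\\prtprocs on a Windows host (falls back to C:\\Windows)."""
    windir = os.environ.get("WINDIR", r"C:\Windows")
    return os.path.join(windir, "system32", "spool", "prtprocs")


def find_suspicious_prtprocs(prtprocs_dir):
    """Return the .tmp files under the print-processor directory, relative to it.

    The dropper copies itself to %Windir%\\system32\\spool\\prtprocs\\[RANDOM NAME ONE].tmp.
    Real print processors are DLLs, so any .tmp in this tree is worth a look
    (assumption: nothing legitimate parks .tmp files here).  Case-insensitive,
    because Windows file names are.
    """
    root = Path(prtprocs_dir)
    if not root.is_dir():
        return []
    hits = [p.relative_to(root).as_posix()
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() == ".tmp"]
    return sorted(hits)


def mutex_exists(name=TIDSERV_MUTEX):
    """True if a mutex with this name is open on a Windows host, False if not,
    None on other platforms.

    Opens with SYNCHRONIZE only, so the check never takes ownership.  Both the
    caller's session namespace and Global\\ are tried (assumption: the writeup
    does not say which one the sample uses).
    """
    if sys.platform != "win32":
        return None
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p]
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    for candidate in (name, "Global\\" + name):
        handle = k32.OpenMutexW(SYNCHRONIZE, False, candidate)
        if handle:
            k32.CloseHandle(handle)
            return True
        if ctypes.get_last_error() == ERROR_ACCESS_DENIED:
            return True   # object exists but belongs to another security context
    return False


def sample_scan():
    """Build a constructed prtprocs layout in a temp dir and scan it.

    Sample input only: one genuine-looking DLL, one .tmp at the top level and
    one .tmp in a subdirectory with an upper-case extension.
    """
    base = tempfile.mkdtemp(prefix="prtprocs-sample-")
    Path(base, "w32x86").mkdir()
    Path(base, "w32x86", "winprint.dll").write_bytes(b"MZ")  # legitimate-looking (constructed)
    Path(base, "abc123.tmp").write_bytes(b"MZ")               # would-be dropper copy (constructed)
    Path(base, "w32x86", "def456.TMP").write_bytes(b"MZ")    # second copy (constructed)
    return find_suspicious_prtprocs(base)


if __name__ == "__main__":
    print("sample scan:", sample_scan())
    print("live prtprocs:", find_suspicious_prtprocs(default_prtprocs_dir()))
    print("mutex present:", mutex_exists())
```

Because the dropper deletes its own copies and the service key once it is resident, an empty prtprocs scan does not clear the host; the mutex check and the process behaviour described next are the stronger indicators on a machine that has not been rebooted since infection.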

The Trojan resumes executing when either of the following processes is started:

* spoolsv.exe

* svchost.exe

It also tests the name of any newly started process and executes if the process name contains any of the following strings:

* avant

* browser

* chrome

* explore

* firefox

* netscape

* opera

* safari

The Trojan then monitors Internet access to the following sites:

* abmr.net

* adbureau.net

* adrevolver.com

* aol.com

* aolcdn.com

* ask.com

* atdmt.com

* bing.com

* blinkx.com

* doubleclick.net

* everesttech.net

* fimserve.com

* google

* google-analytics.com

* img.youtube.com

* live.com

* msn.com

* othersonline.com

* powerset.com

* search.aol.com

* search.yahoo.com

* tribalfusion.com

* upload.wikimedia.org

* www.ask.com

* www.bing.com

* www.google.

* yahoo.com

* yieldmanager.com

* yimg.com

It may then download and execute a file from one of the following locations. It may also send information to the following locations:

* https://d45648675.cn

* https://d92378523.cn

* https://91.212.226.62

* http://b11335599.cn

* http://b00882244.cn

* http://m3131313.cn

* http://mfdclk001.org

* https://a57990057.cn

* https://a58990058.cn

* https://212.117.174.178

* http://c36996639.cn

* http://c58446658.cn

* http://m2121212.cn
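Two pieces of the description above translate directly into detection logic: the process-name rule (exact match on the two host processes, substring match on the browser names) and the list of download and reporting hosts. The following is an added example written for this page, not code from the original writeup or from any vendor, and it serves both passages. The trigger strings and the URLs are copied from the text; the proxy-log line format, the log lines themselves and the decision to treat any label under a listed domain as a match are constructed assumptions of the example, not something the page states.

```python
"""Match the activation triggers and the C2 hosts above against logs (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Host processes whose start resumes the trojan, and the substrings it looks for
# in the name of any newly started process (both lists from the writeup).
HOST_PROCESSES = {"spoolsv.exe", "svchost.exe"}
INJECT_TRIGGERS = ("avant", "browser", "chrome", "explore",
                   "firefox", "netscape", "opera", "safari")

# Download / reporting locations from the writeup.
C2_URLS = [
    "https://d45648675.cn", "https://d92378523.cn", "https://91.212.226.62",
    "http://b11335599.cn", "http://b00882244.cn", "http://m3131313.cn",
    "http://mfdclk001.org", "https://a57990057.cn", "https://a58990058.cn",
    "https://212.117.174.178", "http://c36996639.cn", "http://c58446658.cn",
    "http://m2121212.cn",
]


def would_activate_in(process_name):
    """Apply the writeup's rule: exact host-process name, else case-insensitive substring."""
    name = process_name.lower()
    return name in HOST_PROCESSES or any(s in name for s in INJECT_TRIGGERS)


def host_of(destination):
    """Lower-case host from a URL, a host:port pair or a bare host; '' if unparsable."""
    if "://" not in destination:
        destination = "//" + destination        # lets urlsplit treat it as a netloc
    try:
        return (urlsplit(destination).hostname or "").lower()
    except ValueError:
        return ""


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


C2_HOSTS = {host_of(u) for u in C2_URLS}


def matches_c2(host, c2_hosts=C2_HOSTS):
    """True for an exact C2 host, or for any subdomain of a listed domain.

    IP literals match exactly only; domains also match '<label>.<domain>'
    (assumption: an operator may serve from any label under a listed domain).
    """
    host = host.lower()
    if host in c2_hosts:
        return True
    return any(host.endswith("." + c) for c in c2_hosts if not _is_ip(c))


def scan_proxy_log(lines):
    """Return (client, host) for every line whose destination is a C2 host.

    Constructed format: '<timestamp> <client-ip> <method> <url-or-host:port> <status>'.
    Malformed lines are skipped rather than raising.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client, destination = fields[1], fields[3]
        host = host_of(destination)
        if host and matches_c2(host):
            hits.append((client, host))
    return hits


# Constructed sample log (not a real capture): benign and C2 traffic, one bad line.
SAMPLE_LOG = """\
2010-02-12T09:58:01 10.0.0.5 GET http://www.bing.com/search?q=printer 200
2010-02-12T09:58:04 10.0.0.5 CONNECT d45648675.cn:443 200
2010-02-12T09:58:09 10.0.0.7 GET http://mfdclk001.org/ 302
2010-02-12T09:58:15 10.0.0.5 CONNECT 91.212.226.62:443 200
2010-02-12T09:58:20 10.0.0.9 GET http://update.example.org/x 200
garbage line
2010-02-12T09:58:31 10.0.0.7 GET http://cdn.m2121212.cn/payload.bin 200
"""

if __name__ == "__main__":
    for proc in ("iexplore.exe", "explorer.exe", "Firefox.exe", "notepad.exe"):
        print(f"{proc:14} activates: {would_activate_in(proc)}")
    for client, host in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"C2 contact: {client} -> {host}")
```

Note that the substring "explore" matches explorer.exe as well as iexplore.exe, so under the rule as the writeup states it the Windows shell itself is a candidate host process, not only the browsers. The monitored-site list earlier on the page is ordinary advertising and search traffic and is not useful as a network indicator; only the download and reporting hosts are.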

Action Steps:
FREE SCAN: NoAdware can remove Backdoor.Tidserv.K. Click the link below for your free download and scan your PC now.

Please click here for manual removal instructions.