W32.Tidserv
W32.Tidserv is a worm that may represent a security risk for the infected computer. The trojan uses rootkit-specific techniques designed to hide its presence on the system.
Once active, W32.Tidserv blocks access to security websites, causes a "VIMAX" ad that links through a b12.adv.net site to appear on web pages, and redirects search results in Google, Yahoo, MSN and others to unrelated sites. Additionally, W32.Tidserv changes the DNS server options to fixed IPs.
W32.Tidserv spreads by copying itself to all removable drives so that it executes whenever the drive is accessed.
File System Modifications
- The following files were created in the system:
| # | File Name |
|---|-----------|
| 1 | %System%\dll.dll |
| 2 | %Temp%\tmp[RANDOM CHARACTERS].tmp |
Registry Modifications
- The following registry values were created:
HKEY_CLASSES_ROOT\homeview\CLSID\"default" = "{6BF52A52-394A-11D3-B153-00C04F79FAA6}"
HKEY_CLASSES_ROOT\msqpdxvx\"msqpdxaff" = "[RANDOM DWORD VALUE]"
HKEY_CLASSES_ROOT\msqpdxvx\"msqpdxid" = "[RANDOM STRING VALUE]"
HKEY_CLASSES_ROOT\msqpdxvx\"msqpdxinfo" = "[RANDOM STRING VALUE]"
HKEY_CLASSES_ROOT\msqpdxvx\"msqpdxpff" = "[RANDOM DWORD VALUE]"
HKEY_CLASSES_ROOT\msqpdxvx\"msqpdxpos" = "[RANDOM STRING VALUE]"
HKEY_CLASSES_ROOT\msqpdxvx\"msqpdxsrv" = "[RANDOM DWORD VALUE]"
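A way to check a saved registry export for the values listed above, as an added example that is not part of the original write-up or any vendor tool. The function name `scan_reg_export` and the sample export are constructed for illustration; the input is assumed to be the text of a regedit `.reg` export of HKEY_CLASSES_ROOT.

```python
import re

# Indicators from the registry list above. The msqpdxvx values are matched by
# name only, because the write-up gives their data as random.
VALUE_NAMES = {r"hkey_classes_root\msqpdxvx": {
    "msqpdxaff", "msqpdxid", "msqpdxinfo", "msqpdxpff", "msqpdxpos", "msqpdxsrv"}}
DEFAULTS = {r"hkey_classes_root\homeview\clsid":
            "{6BF52A52-394A-11D3-B153-00C04F79FAA6}"}

SECTION = re.compile(r"^\[(.+)\]$")                # [HKEY_...\key\path]
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "name"=data or @=data

def scan_reg_export(text):
    """Return sorted (key, value_name) hits found in decoded .reg export text."""
    hits, key = set(), None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            key = m.group(1).lower()   # registry paths are case-insensitive
            continue
        m = VALUE.match(line)
        if not m or key is None:
            continue
        name, data = m.group(1), m.group(2)
        if name == "@":                # "@" is the key's default value
            want = DEFAULTS.get(key)
            if want and data.strip('"').upper() == want.upper():
                hits.add((key, "(default)"))
        elif name.strip('"').lower() in VALUE_NAMES.get(key, ()):
            hits.add((key, name.strip('"').lower()))
    return sorted(hits)

# Constructed sample export, not captured from a real host.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\homeview\CLSID]
@="{6BF52A52-394A-11D3-B153-00C04F79FAA6}"

[HKEY_CLASSES_ROOT\msqpdxvx]
"msqpdxaff"=dword:0000002a
"msqpdxid"="constructed-id"
[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
'''

if __name__ == "__main__":
    for key, name in scan_reg_export(SAMPLE):
        print(f"indicator present: {key} -> {name}")
```

regedit writes version 5.00 exports as UTF-16, so decode the file before passing its text to the function.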