Norton detecting backdoor.Tidserv threat

[shayla97]

Norton unable to remove theat. I have read and run through the removal process for Windows XP...
SuperAntiSpyware did not detect a threat.
MB.exe did not detect a threat.
Combofix.exe just hung for an hour at the blue screen - when it stated it was starting the scan process, and before changing the clock display...
RootRepeal - log attached.
MGTools - received Error while running processdll.exe to find loaded DLLs
"Application Error" "The application failed to initialize properly (0x0000135). Click OK to terminate application."

[shayla97]

virus is boot.tidserv not backdoor.tidserv.

[chaslang]

Goto the below link and follow the instructions for running TDSSKiller from Kaspersky

• TDSSkiller - How to run

• Be sure to attach your log from TDSSKiller

Now please also download MBRCheck to your desktop.



See the download links under this icon

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  • Done! Press ENTER to exit...
• Or you will see more information like below if a problem is found:
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
• Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

Do you have your Windows XP boot CD? We will need it. You have an infection in your partitions. The one below in red is the infection for sure. And partition # 2 above it it may also be part of the infection..

Code:

Partition Disk #0, Partition #0 
Partition Size 31.35 MB (32,868,864 bytes) 
Partition Starting Offset 32,256 bytes 
Partition Disk #0, Partition #1 
Partition Size 145.88 GB (156,634,007,040 bytes) 
Partition Starting Offset 32,901,120 bytes 
Partition Disk #0, Partition #2 
Partition Size 3.10 GB (3,331,238,400 bytes) 
Partition Starting Offset 156,666,908,160 bytes 
Partition Disk #0, Partition #3 
Partition Size 1.76 MB (1,845,248 bytes) 
Partition Starting Offset 159,998,146,560 bytes

[shayla97]

I ran TDSSKiller - log attached
I ran MBRCheck - log attached
I have have the Dell reinstallation cd for XP Pro..

[chaslang]

Quote:

Originally Posted by shayla97

I have have the Dell reinstallation cd for XP Pro..

Okay. Make sure that you know how to boot your PC from this disk to get into the Recovery Console before continuing with the below. We may not even need it for your problems, but just in case your PC becomes unbootable after the G-Parted fix below, you will need this Win XP CD.


We are going to begin by just removing one of the partitions ( the 1.76 MB one ) and we will see what happens.

Please download: gparted-live-0.11.0-7.iso (114 MB)
Create a bootable CD for GParted. You can use ImgBurn to accomplish this.
If you need help on how to use ImgBurn, please view this guide by dr.m -- Using ImageBurn to Burn an ISO image

Now boot off of the newly created GParted CD.

You should be here...
Press ENTER

By default, do not touch keymap is highlighted. Leave this setting alone and just press ENTER.

Choose your language and press ENTER. English is default [33]

Once again, at this prompt, press ENTER
You will now be taken to the main GUI screen below

According to your logs, the partition that you want to delete is 1.76 MiB (1.76 MB)
Click the trash can icon to delete and then click Apply.
You should now be here confirming your actions:

Now you should be here:

Is boot next to your OS drive? According to your logs, your OS drive is the 145.88 GB sized partition.

If boot is not next to your OS drive under Flags, right-mouse click the OS drive while in Gparted and select Manage Flags

In the menu that pops up, place a checkmark in boot like the picture below:

Now press the Close button to save these changes.
Now double-click the button.
You should receive a small pop up like this:

Choose reboot and then press OK.

Now see if your PC boot up normally. If it does, then skip down to the Once back in Windows... instructions further dow.

If it does not boot normally, then reboot your Windows XP CD and get into the Windows XP Recovery Console CD and execute the following commands pressing ENTER after each:

• fixmbr
• fixboot
• exit

Once back in Windows...
Re-run another scan with MBRCheckand attach its latest log. (How to attach)

[shayla97]

all the latest steps completed
windows booted normally
MBR check log attached.