Norton detecting backdoor.Tidserv threat

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by shayla97, Feb 19, 2012.

  1. shayla97

    shayla97 Private E-2

    Norton unable to remove threat. I have read and run through the removal process for Windows XP...
    SuperAntiSpyware did not detect a threat.
    MB.exe did not detect a threat.
    Combofix.exe just hung for an hour at the blue screen - when it stated it was starting the scan process, and before changing the clock display...
    RootRepeal - log attached.
    MGTools - received Error while running processdll.exe to find loaded DLLs
    "Application Error" "The application failed to initialize properly (0x0000135). Click OK to terminate application."
     


  2. shayla97

    shayla97 Private E-2

    Re: Norton detecting boot.Tidserv threat

    virus is boot.tidserv not backdoor.tidserv.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Go to the below link and follow the instructions for running TDSSKiller from Kaspersky
    • Be sure to attach your log from TDSSKiller
    Now please also download MBRCheck to your desktop.



    See the download links under this icon [​IMG]
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
    Do you have your Windows XP boot CD? We will need it. You have an infection in your partitions. The one below in red is the infection for sure. And partition #2 above it may also be part of the infection.
    Code:
    Partition Disk #0, Partition #0
    Partition Size 31.35 MB (32,868,864 bytes)
    Partition Starting Offset 32,256 bytes
    Partition Disk #0, Partition #1
    Partition Size 145.88 GB (156,634,007,040 bytes)
    Partition Starting Offset 32,901,120 bytes
    Partition Disk #0, Partition #2
    Partition Size 3.10 GB (3,331,238,400 bytes)
    Partition Starting Offset 156,666,908,160 bytes
    Partition Disk #0, Partition #3                      <-- shown in red in the original post
    Partition Size 1.76 MB (1,845,248 bytes)             <-- shown in red
    Partition Starting Offset 159,998,146,560 bytes      <-- shown in red
     
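An added example, not from the thread or from any of the tools it names: it decodes the four primary entries of a raw MBR into the byte sizes and offsets MBRCheck prints, and flags the pattern chaslang points at above (a tiny partition placed after all the real volumes, at the very end of the disk). The sample MBR is constructed from the byte values in the listing; the partition type codes in it are assumed.

```python
import struct

SECTOR = 512             # MBRCheck's byte values are LBA sector numbers * 512
TABLE_OFFSET = 446       # the partition table occupies bytes 446..509 of the MBR
ENTRY_FMT = "<B3xB3xII"  # status, CHS start, type, CHS end, LBA start, sector count

def build_mbr(entries):
    """Constructed sample MBR: entries are (bootable, type, lba_start, lba_count)."""
    mbr = bytearray(512)
    for i, (boot, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i,
                         0x80 if boot else 0x00, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr)

def parse_partition_table(mbr):
    """Decode the four primary entries into the byte sizes/offsets MBRCheck prints."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with a 0x55AA signature")
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        if count == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "offset_bytes": start * SECTOR, "size_bytes": count * SECTOR})
    return parts

def human_size(n):
    """Match MBRCheck's display: '1.76 MB' for 1,845,248 bytes, GB from 1024 MB up."""
    mb = n / (1024 * 1024)
    return f"{mb / 1024:.2f} GB" if mb >= 1024 else f"{mb:.2f} MB"

def suspicious_trailing_partitions(parts, max_bytes=16 * 1024 * 1024):
    """Heuristic for a Tidserv/TDL4-style hidden partition: the entry furthest out
    on the disk is only a few MB and sits after every real volume."""
    if not parts:
        return []
    last = max(parts, key=lambda p: p["offset_bytes"])
    return [last] if last["size_bytes"] <= max_bytes else []

# Constructed from the byte values in the listing above; type codes are assumed.
SAMPLE_MBR = build_mbr([
    (False, 0xDE, 63, 64197),           # 31.35 MB utility partition
    (True,  0x07, 64260, 305925795),    # 145.88 GB OS partition, boot flag set
    (False, 0xDB, 305990055, 6506325),  # 3.10 GB recovery partition
    (False, 0x27, 312496380, 3604),     # 1.76 MB partition at the very end of the disk
])

if __name__ == "__main__":
    table = parse_partition_table(SAMPLE_MBR)
    for p in table:
        print(f"Partition #{p['index']}  {human_size(p['size_bytes'])}  offset {p['offset_bytes']:,} bytes")
    print("flagged:", [p["index"] for p in suspicious_trailing_partitions(table)])
```

Run against a real drive's first sector (read with a disk-imaging tool, not from the live system) it reproduces the MBRCheck numbers and flags partition #3 only.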
  4. shayla97

    shayla97 Private E-2

    I ran TDSSKiller - log attached
    I ran MBRCheck - log attached
    I have the Dell reinstallation CD for XP Pro.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay. Make sure that you know how to boot your PC from this disk to get into the Recovery Console before continuing with the below. We may not even need it for your problems, but just in case your PC becomes unbootable after the G-Parted fix below, you will need this Win XP CD.


    We are going to begin by just removing one of the partitions ( the 1.76 MB one ) and we will see what happens.

    Please download: gparted-live-0.11.0-7.iso (114 MB)
    Create a bootable CD for GParted. You can use ImgBurn to accomplish this.
    If you need help on how to use ImgBurn, please view this guide by dr.m -- Using ImageBurn to Burn an ISO image

    Now boot off of the newly created GParted CD.
    You should be here...
    Press ENTER
    By default, do not touch keymap is highlighted. Leave this setting alone and just press ENTER.
    Choose your language and press ENTER. English is default [33]
    Once again, at this prompt, press ENTER
    You will now be taken to the main GUI screen below
    According to your logs, the partition that you want to delete is 1.76 MiB (1.76 MB)
    Click the trash can icon to delete and then click Apply.
    You should now be here confirming your actions:
    Now you should be here:
    Is boot next to your OS drive? According to your logs, your OS drive is the 145.88 GB sized partition.
    If boot is not next to your OS drive under Flags, right-mouse click the OS drive while in Gparted and select Manage Flags

    In the menu that pops up, place a checkmark in boot like the picture below:
    Now press the Close button to save these changes.
    Now double-click the [​IMG] button.
    You should receive a small pop up like this:
    Choose reboot and then press OK.

    Now see if your PC boots up normally. If it does, then skip down to the Once back in Windows... instructions further down.

    If it does not boot normally, then reboot from your Windows XP CD, get into the Windows XP Recovery Console and execute the following commands, pressing ENTER after each:
    • fixmbr
    • fixboot
    • exit
    Once back in Windows...
    Re-run another scan with MBRCheck and attach its latest log. (How to attach)
     
  6. shayla97

    shayla97 Private E-2

    all the latest steps completed
    windows booted normally
    MBR check log attached.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That looks good. Now let's check the partitions.

    Rerun TDSSkiller and if you see the below two items, Delete them:
    12:13:32.0218 3612 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
    12:13:32.0218 3612 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the new TDSSkiller log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  8. shayla97

    shayla97 Private E-2

    reran TDSSKiller, those items didn't appear.
    log attached.
    reran MGTools, received the processdll.exe error again.
    log attached.

    System seems fine, norton not detecting anything, but cookie trackers.

    Thank you..... Let me know any other steps...
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean now.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
