MajorGeeks Support Forums: Malware Removal
#1  02-19-12, 01:44  shayla97 (Private E-2)
Norton detecting backdoor.Tidserv threat

Norton unable to remove threat. I have read and run through the removal process for Windows XP...
SuperAntiSpyware did not detect a threat.
MB.exe did not detect a threat.
Combofix.exe just hung for an hour at the blue screen - when it stated it was starting the scan process, and before changing the clock display...
RootRepeal - log attached.
MGTools - received Error while running processdll.exe to find loaded DLLs
"Application Error" "The application failed to initialize properly (0x0000135). Click OK to terminate application."
Attached Files
File Type: log SUPERAntiSpyware Scan Log - 02-18-2012 - 22-01-08.log (574 Bytes, 0 views)
File Type: txt RRlog.txt (36.0 KB, 1 views)
File Type: txt mbam-log-2012-02-18 (22-05-43).txt (1.9 KB, 1 views)
File Type: zip MGlogs.zip (111.6 KB, 3 views)
#2  02-19-12, 01:58  shayla97 (Private E-2)
Re: Norton detecting boot.Tidserv threat

The virus is boot.tidserv, not backdoor.tidserv.

#3  02-19-12, 12:09  chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Norton detecting backdoor.Tidserv threat

Go to the below link and follow the instructions for running TDSSKiller from Kaspersky
  • Be sure to attach your log from TDSSKiller
Now please also download MBRCheck to your desktop.
  • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
  • It will show a Black screen with some information that will contain either the below line if no problem is found:
    • Done! Press ENTER to exit...
  • Or you will see more information like below if a problem is found:
    • Found non-standard or infected MBR.
    • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
  • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
  • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
Do you have your Windows XP boot CD? We will need it. You have an infection in your partitions. The one below in red is the infection for sure, and partition #2 above it may also be part of the infection.
Code:
Partition Disk #0, Partition #0 
Partition Size 31.35 MB (32,868,864 bytes) 
Partition Starting Offset 32,256 bytes 
Partition Disk #0, Partition #1 
Partition Size 145.88 GB (156,634,007,040 bytes) 
Partition Starting Offset 32,901,120 bytes 
Partition Disk #0, Partition #2 
Partition Size 3.10 GB (3,331,238,400 bytes) 
Partition Starting Offset 156,666,908,160 bytes 
Partition Disk #0, Partition #3 
Partition Size 1.76 MB (1,845,248 bytes) 
Partition Starting Offset 159,998,146,560 bytes
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."
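As an added defender-side illustration (not code from the thread, MBRCheck or TDSSKiller): parse a raw MBR partition table and apply the heuristic chaslang uses above, namely that a tiny partition sitting at the very end of the disk is suspect. The sample sector is constructed from the byte offsets and sizes in the post; the partition types, the active flag on the last entry and the 16 MiB threshold are assumptions.

```python
import struct
SECTOR = 512
SMALL_PARTITION_BYTES = 16 * 1024 * 1024  # heuristic threshold (assumption)

def parse_mbr(sector0: bytes):
    """Return the non-empty entries of a 512-byte MBR partition table."""
    if len(sector0) != SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):  # 16-byte entries start at offset 446
        status, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", sector0, 446 + 16 * i)
        if count:
            parts.append({"index": i, "active": status == 0x80, "type": ptype,
                          "offset": lba * SECTOR, "size": count * SECTOR})
    return parts

def suspicious_partitions(parts, disk_bytes):
    """Return (index, reasons) for tiny partitions at the end of the disk and for
    an active flag that is not on the largest (OS) partition."""
    os_part = max(parts, key=lambda p: p["size"])
    flagged = []
    for p in parts:
        reasons = []
        end = p["offset"] + p["size"]
        if p["size"] < SMALL_PARTITION_BYTES and disk_bytes - end < SMALL_PARTITION_BYTES:
            reasons.append("tiny partition at end of disk")
        if p["active"] and p is not os_part:
            reasons.append("active flag not on OS partition")
        if reasons:
            flagged.append((p["index"], reasons))
    return flagged

def build_sample_mbr():
    """Constructed MBR with the thread's four partitions (LBA = offset/512, count = size/512);
    types and the active flag on the last entry are assumptions, not from the logs."""
    entries = [  # (status, type, first LBA, sector count)
        (0x00, 0xDE, 63, 64_197),              # 31.35 MB utility partition
        (0x00, 0x07, 64_260, 305_925_795),     # 145.88 GB OS partition
        (0x00, 0x07, 305_990_055, 6_506_325),  # 3.10 GB recovery partition
        (0x80, 0x07, 312_496_380, 3_604),      # 1.76 MB trailing partition
    ]
    mbr = bytearray(SECTOR)
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * i, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":  # disk size assumed ~160 GB, consistent with the offsets above
    for idx, why in suspicious_partitions(parse_mbr(build_sample_mbr()), 160 * 10**9):
        print(f"Partition #{idx}: {'; '.join(why)}")
```

On a real system the same check can be run against the first 512 bytes read from the physical disk instead of the constructed sector.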
#4  02-19-12, 14:21  shayla97 (Private E-2)
Re: Norton detecting backdoor.Tidserv threat

I ran TDSSKiller - log attached
I ran MBRCheck - log attached
I have the Dell reinstallation CD for XP Pro.
Attached Files
File Type: txt MBRCheck_02.19.12_12.15.23.txt (8.8 KB, 3 views)
File Type: txt TDSSKiller.2.7.13.0_19.02.2012_12.10.25_log.txt (87.0 KB, 3 views)
#5  02-19-12, 14:34  chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Norton detecting backdoor.Tidserv threat

Quote (shayla97): I have the Dell reinstallation CD for XP Pro.
Okay. Make sure that you know how to boot your PC from this disk to get into the Recovery Console before continuing with the below. We may not even need it for your problems, but just in case your PC becomes unbootable after the G-Parted fix below, you will need this Win XP CD.


We are going to begin by just removing one of the partitions ( the 1.76 MB one ) and we will see what happens.

Please download: gparted-live-0.11.0-7.iso (114 MB)
Create a bootable CD for GParted. You can use ImgBurn to accomplish this.
If you need help on how to use ImgBurn, please view this guide by dr.m -- Using ImageBurn to Burn an ISO image

Now boot off of the newly created GParted CD.

You should be here...
Press ENTER

By default, do not touch keymap is highlighted. Leave this setting alone and just press ENTER.

Choose your language and press ENTER. English is default [33]

Once again, at this prompt, press ENTER
You will now be taken to the main GUI screen below

According to your logs, the partition that you want to delete is 1.76 MiB (1.76 MB)
Click the trash can icon to delete and then click Apply.
You should now be here confirming your actions:

Now you should be here:

Is boot next to your OS drive? According to your logs, your OS drive is the 145.88 GB sized partition.

If boot is not next to your OS drive under Flags, right-mouse click the OS drive while in Gparted and select Manage Flags

In the menu that pops up, place a checkmark in boot like the picture below:

Now press the Close button to save these changes.
Now double-click the button.
You should receive a small pop up like this:

Choose reboot and then press OK.

Now see if your PC boots up normally. If it does, then skip down to the "Once back in Windows..." instructions further down.

If it does not boot normally, then reboot from your Windows XP CD, get into the Windows XP Recovery Console and execute the following commands, pressing ENTER after each:
  • fixmbr
  • fixboot
  • exit
Once back in Windows...
Re-run another scan with MBRCheck and attach its latest log. (How to attach)

#6  02-19-12, 16:00  shayla97 (Private E-2)
Re: Norton detecting backdoor.Tidserv threat

all the latest steps completed
windows booted normally
MBR check log attached.
Attached Files
File Type: txt MBRCheck_02.19.12_13.55.42.txt (8.6 KB, 3 views)
#7  02-19-12, 16:38  chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Norton detecting backdoor.Tidserv threat

That looks good. Now let's check the partitions.

Rerun TDSSkiller and if you see the below two items, Delete them:
12:13:32.0218 3612 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
12:13:32.0218 3612 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
  • the new TDSSkiller log
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
#8  02-19-12, 23:31  shayla97 (Private E-2)
Re: Norton detecting backdoor.Tidserv threat

reran TDSSKiller, those items didn't appear.
log attached.
reran MGTools, received the processdll.exe error again.
log attached.

System seems fine; Norton is not detecting anything but cookie trackers.

Thank you..... Let me know any other steps...
Attached Files
File Type: txt TDSSKiller.2.7.13.0_19.02.2012_21.21.55_log.txt (44.8 KB, 3 views)
File Type: zip MGlogs.zip (49.9 KB, 4 views)
#9  02-20-12, 21:48  chaslang (MajorGeeks Admin - Master Malware Expert)
Re: Norton detecting backdoor.Tidserv threat

Quote (shayla97): Thank you..... Let me know any other steps...

Your logs are clean now.

If you are not having any other malware problems, it is time to do our final steps:
  1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
  2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
    • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
    • "%userprofile%\Desktop\combofix" /uninstall
      • Notes: The space between the combofix" and the /uninstall, it must be there.
      • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
  3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
  4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
  5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
  6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
  7. Go to add/remove programs and uninstall HijackThis.
  8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
  9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
    • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
  10. After doing the above, you should work through the below link: