Virus help

Hi

After getting the backdoor.tidserv!inf infection, I have attempted to follow the instructions as per the NAV centre. I got stuck on the Recovery Console instructions:
  1. Insert the Windows XP CD-ROM into the CD-ROM drive.
  2. Restart the computer from the CD-ROM drive.
  3. Press R to start the Recovery Console when the "Welcome to Setup" screen appears.
  4. Select the installation that you want to access from the Recovery Console.
  5. Enter the administrator password and press Enter.
  6. Type CD System32
  7. Press Enter
  8. Type Expand %DriveLetter%\i386\advapi32.dl_
  9. Press Enter
  10. Type exit
  11. Press Enter. The computer will now restart automatically

Step 8 is the confusing one for me as I do not know EXACTLY what to type? Subsequently my machine "seems" to be running fine and NAV is not picking up anything, but when I tried to run a defrag and check for disk errors, I received a message saying that the NTFS boot sector is unreadable! I am thinking that this is a result of not completing the Recovery Console step when removing the virus.

Please can someone help me as I have battled for 12 hours now. A month ago fossy710 had a similar problem, but I do not know if that solution will be the same for me.

Look forward to your expert advice

Paul
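Step 8 of the list above is the one the thread never spells out. The following is an added example, not part of the original post and not text from the Symantec write-up: the same Recovery Console session with the placeholder filled in. In the Symantec instruction, %DriveLetter% is the letter of the CD-ROM drive, and advapi32.dl_ is the compressed copy of advapi32.dll in the CD's i386 folder. The letters used here are assumptions (the CD-ROM as D:, the installation being repaired as C:\WINDOWS); the Recovery Console's own `map` command prints the real drive letters on the machine, so run it first rather than trusting the assumption.

```cmd
C:\WINDOWS>map
C:\WINDOWS>cd system32
C:\WINDOWS\system32>expand d:\i386\advapi32.dl_ c:\windows\system32\advapi32.dll
C:\WINDOWS\system32>dir advapi32.dll
C:\WINDOWS\system32>exit
```

Giving the destination explicitly is equivalent to the NAV step, which relies on the current directory being system32. `expand` asks before overwriting the existing advapi32.dll; answer Y. The `dir` afterwards is the check that the file on disk now carries the date and size of the CD copy rather than the one the infection left behind. One caveat: the i386 folder holds the version shipped on that particular CD, so a disc older than the installed service pack puts an older advapi32.dll on the system; where possible use a CD that matches the service pack level of the installation.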

Replies


Re: Virus help

Hang in there for a bit, Collaros. I just want to make sure that I don't make anything worse before I ask you for any scans. I will advise.

Under certain circumstances profanity provides relief denied even to prayer. (Mark Twain)

Re: Virus help

OK

Re: Virus help

collaros:

When you come online again we will require a GMER scan. Please scan ONLY.

http://www.gmer.net/

After it is downloaded to your desktop, right-click on the icon, go to Properties, and click Unblock and Apply.

You will be able to attach the log produced to your next post by using the "add attachments" link below the orange Post button.

Re: Virus help

Hi

I had to do the GMER scan in Safe Mode as it kept hanging in normal mode. I have attached the log file and await your reply. Thanks again.

Re: Virus help

Collaros:

You have a rotscx rootkit infection. Quads will be along later to request a different kind of log to enable him to find all of the files.

It will be a three-part remediation that will require you to follow his directions exactly. It will take a bit of patience, but the repairs where the user followed directions have been successful.

Re: Virus help

Hi guys

Still awaiting a reply?

Re: Virus help

Hi Delphinium

Thanks for the reply. Can you give me an idea of time for Quads? It is 9:10 PM my time.

Re: Virus help

Hi

I am getting there. I am reading the log plus the Norton Security Response page where you got the instructions.

Quads 


Re: Virus help

Hi

Now

1.  Download Combofix to your Desktop: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Don't use it yet.

2. I have Personal Messaged you the script between the lines; look for the yellow envelope at the upper right-hand side. Copy the script.

3.  Open Notepad and paste it into Notepad with the first line being killall::

4. Save the script as "CFScript.txt". CFScript.txt is what you see on your desktop after saving.

5. Disable Norton's Auto-Protect and Firewall.

6.  Drag and drop CFScript.txt on top of Combofix.exe, like when you drop files into the Recycle Bin.

7. Combofix will start. When it is scanning, don't move the mouse cursor inside the box; it can cause freezing.

Quads 


Re: Virus help

OK Quads, I have done as you asked and Personal Messaged you the log. What now?

Thanks again


Re: Virus help

Hi

Now, your Combofix log is attached.

I have no idea what this driver is, good, bad or otherwise:


S1 zpleoafkdv7;zpleoafkdv7.sys;c:\windows\system32\DRIVERS\zpleoafkdv7.sys --> c:\windows\system32\DRIVERS\zpleoafkdv7.sys [?]

Could be a [random].sys; another person who had a driver like that and couldn't get chkdsk to work, or Safe Mode for that matter, was poster Linn11:

http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=66145#M66145 

One problem could be that you have Symantec AV Corp leftovers of ESET.

Now can you update and run Malwarebytes?

Quads

Message Edited by Quads on 09-09-2009 07:27 PM
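The driver entry Quads quotes above is the kind of line a ComboFix log prints for a registered kernel driver: a running/stopped flag and start type, then service name, display name and image path, and a bracketed date and size, or "[?]" when the file could not be read. The Python below is an added example for this thread, not ComboFix's, Norton's or any poster's code. It parses lines in that shape and scores each entry with a few plain heuristics for the "[random].sys" pattern Quads describes: a long consonant run or a high-entropy name mixing letters and digits, a display name that is nothing but the service name, an image file the tool could not read although the service is registered, and an early (boot/system) start type. The sample log is constructed: only the zpleoafkdv7 line comes from the thread, the others are made-up entries shaped like legitimate drivers, and the reading of the R/S prefix and start digit is my understanding of ComboFix's convention, not something the page states.

```python
import math
import re

# Constructed ComboFix-style driver lines for the demonstration. Only the
# zpleoafkdv7 entry is taken from the thread; the other three are made up to
# show how legitimate drivers look to the same heuristic.
SAMPLE_LOG = r"""
S1 zpleoafkdv7;zpleoafkdv7.sys;c:\windows\system32\DRIVERS\zpleoafkdv7.sys --> c:\windows\system32\DRIVERS\zpleoafkdv7.sys [?]
R1 eeCtrl;Symantec Eraser Control driver;c:\program files\common files\symantec shared\eengine\eeCtrl.sys [2009-8-25 371248]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-9-9 38224]
R0 atapi;atapi;c:\windows\system32\drivers\atapi.sys [2004-8-4 96512]
"""

# Assumed ComboFix convention: R = running, S = stopped, digit = start type
# (0 boot, 1 system, 2 auto, 3 demand, 4 disabled).
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"   # service name ; display name ;
    r"(?P<image>.+?)"                        # image path, may contain ' --> path'
    r"\s+\[(?P<tag>[^\]]*)\]$"               # [date size] or [?] if unreadable
)

# Four or more consonants in a row (y not counted) is rare in real driver names.
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}")


def parse_line(line):
    """Return a dict for one driver line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["start"] = int(rec["start"])
    # 'path --> path [?]' means the service is registered but the tool could
    # not stat the file; keep the left-hand path as the image.
    rec["image"] = rec["image"].split(" --> ")[0].strip()
    rec["file_unreadable"] = rec["tag"].strip() == "?"
    return rec


def shannon_entropy(s):
    """Bits per character of the string (0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicion(rec):
    """Return (score, reasons); a score of 3 or more deserves a closer look."""
    name = rec["name"].lower()
    reasons = []
    if CONSONANT_RUN.search(name):
        reasons.append("consonant run of 4+ in service name")
    if (re.search(r"[a-z]", name) and re.search(r"\d", name)
            and len(name) >= 8 and shannon_entropy(name) >= 3.2):
        reasons.append("long high-entropy name mixing letters and digits")
    if rec["display"].lower() in (name, name + ".sys"):
        reasons.append("display name is just the service/file name")
    if rec["file_unreadable"]:
        reasons.append("registered driver whose file could not be read ([?])")
    if rec["start"] <= 1:
        reasons.append("boot/system start type, loads before user-mode AV")
    return len(reasons), reasons


def triage(log_text, threshold=3):
    """Parse every driver line and return the ones scoring at or above threshold."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        score, reasons = suspicion(rec)
        if score >= threshold:
            hits.append({"name": rec["name"], "image": rec["image"],
                         "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['name']} ({hit['image']}) score={hit['score']}")
        for reason in hit["reasons"]:
            print("   -", reason)
```

Run on the constructed log, only zpleoafkdv7 crosses the threshold; eeCtrl trips the consonant-run rule on "ctrl" and the system-start rule but is rescued by its descriptive display name and a readable file, which is why no single rule is used on its own. The "[?]" and random-name combination is the signal worth acting on: a service entry pointing at a file the scanner cannot read is exactly what a rootkit hiding its own driver looks like from user mode.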

Re: Virus help

Hi Quads

It could be ESET leftovers because I was advised to run another AV program to ensure getting rid of the trojans. I installed ESET, ran it, then uninstalled it (all while NAV was disabled). Should I do anything about this? I am currently running the Malwarebytes scan for your further advice and will attach it as soon as it is finished. I must say, however, that yesterday the Malwarebytes scan showed "0" infections. It was only the GMER program that showed rootkit activity.

Also, the Malwarebytes scan is still busy, but NAV has just come up with Auto-Protect "delete threats"! I have attached the text file of the results. Why is Norton picking this up during the Malwarebytes scan?

Thanks

Message Edited by collaros on 09-09-2009 10:27 AM
Message Edited by collaros on 09-09-2009 11:03 AM

Re: Virus help

Hi Quads

The Malwarebytes log as requested.

Re: Virus help

Hi

Good to see an updated Malwarebytes comes back clean. That odd driver does not match anything on searching.

Now Norton is working, and as you scanned with Malwarebytes, Norton Auto-Protect also scans the files. Some of the files are from the System Restore; the others are from the Combofix quarantine, so that's OK.

Quads 


Re: Virus help

Hi Quads

Thanks. Should I run the GMER scan again to see if there is rootkit activity, or is all OK now?

Re: Virus help

No, Combofix was scripted to remove it.

Quads 


Re: Virus help

So, that is it! I am clean! Quads, thanks a lot to you guys.

Re: Virus help

I would say, if everything like Malwarebytes, Norton etc. is working OK, then yeah.

Done

Quads 
