topic Help - Backdoor.Tidserv virus problem, can't boot in Norton 360

Help - Backdoor.Tidserv virus problem, can't boot

BarryS — Mon, 07 Dec 2009 10:13:57 GMT

Help - I have a virus problem.

I have Norton 360 (2009 version) installed, running on Windows XP (SP2, with all updates) on a Dell PC

I was fooled into running an executable (I know, but it had been a long day, and it was well disguised as being from a legitimate source). I did run a Norton scan on the file, it said it was OK. However, when it ran it rebooted the PC.

Obviously I was suspicious so immediately ran a full scan overnight. The scan reported 1 threat and needed to reboot to complete the fix. I let it reboot. The computer failed to boot, with a blue screen and a Stop message (code 7B hex). Safe mode would also not reboot – same blue screen. Selecting “reboot using last safe settings” did boot. I checked the Norton log. The scan found one virus – Backdoor.Tidserv.l!inf, which it claimed to have resolved. However auto-protect also reported finding the same virus a bit later, again claiming to have resolved it. Rebooting again resulted in the same blue screen, this time in all types of boot, including last safe settings. I'm now unable to boot at all.

Any suggestions on how to proceed – I would like to avoid completely reformatting the disc and reinstalling Windows if possible? Is booting from the Norton 360 installation CD likely to allow me to clear this?

(I seem to recall that the product comes with e-mail support, but I can’t find an e-mail address to send this to – the only virus support I can find on the web page is a premium paid service.)

Any suggestions gratefully received.

Re: Help - Backdoor.Tidserv virus problem, can't boot

yogesh_mohan — Mon, 07 Dec 2009 17:18:36 GMT

Hi BarryS,

Welcome to Norton Community!

I would suggest you to restart your computer in Safe Mode and then try running a full system scan with your Norton program. You can also try booting from the Norton Recovery tool and then try running the scan using the Norton Recovery tool mentioned by Tim_Lopez in this thread:

http://community.norton.com/norton/board/message?board.id=Norton_360&message.id=5754

Refer to the removal instructions from the following Symantec Article:

http://www.symantec.com/security_response/writeup.jsp?docid=2008-111113-1112-99&tabid=3

Yogesh

Message Edited by yogesh_mohan on 12-07-2009 10:48 PM

Re: Help - Backdoor.Tidserv virus problem, can't boot

Quads — Mon, 07 Dec 2009 17:57:21 GMT

Yogesh the poster reports "Rebooting again resulted in the same blue screen, this time in all types of boot, including last safe settings. I'm now unable to boot at all."

So No point in stating to "I would suggest you to restart your computer in Safe Mode".

Barry

1. You are at least the 3rd PC with the exact same problem, seeing as you were able to look up in Norton what was taken first time around are you able to say what file(s) or registry entries were taken??

2. Firstly I would suggest getting your personal files off the HD and on to flash drive so your photos etc are OK, See

http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=90371#M90371

Quads

Re: Help - Backdoor.Tidserv virus problem, can't boot

delphinium — Mon, 07 Dec 2009 17:58:38 GMT

If the above instructions are not successful, as they are a year old, and the new generation rootkits are much more complex to remove, you might also be wise to take the problem to a malware removal site such as www.bleepingcomputer.com

They have the tools and the know-how to walk you through the removal.

Re: Help - Backdoor.Tidserv virus problem, can't boot

yogesh_mohan — Mon, 07 Dec 2009 18:20:49 GMT

Thanks for pointing that poster is unable to boot. But still, he/she can try to boot using the Norton Recovery Tool and run a scan. If that corrects the boot problem, surely safe mode can be done afterwards.

Yogesh

Message Edited by yogesh_mohan on 12-07-2009 11:50 PM

Re: Help - Backdoor.Tidserv virus problem, can't boot

BarryS — Mon, 07 Dec 2009 18:25:16 GMT

Thanks all.

As I said, currently unadle to boot - all options lead to blue screen with stop code 7b hex.

I will try producing the rescue disk, and booting from that. If that doesn't help, then I'll try the linux boot disk to get at the files.

Luckily all my photos and music are on a separate usb disk, with a backup on another disk and on my Windows Home Server. My files are backed up on the WHS and also daily and weekly using Genie Backup Manager, so its all recoverable, just potentially very time consuming. As is reinstalling everything. I'd rather be able to boot and copy files, or ideally clear the problem.

I was sort of hoping Norton 360 would deal with this, that being what it's for, though I know viruses are forever changing.

I did not see any information in the log about which files were impacted, just the virus name and that it had been resolved. It's possible there were more details I didn't find - I do find it hard to get at the details in Norton 360. If I can get it back to booting I'll take another look.

Barry

Re: Help - Backdoor.Tidserv virus problem, can't boot

Quads — Mon, 07 Dec 2009 18:28:14 GMT

yogesh_mohan wrote:

Barry wrote:

The computer failed to boot, with a blue screen and a Stop message (code 7B hex). Safe mode would also not reboot – same blue screen. Selecting “reboot using last safe settings” did boot.
Quads,

It seems that the poster was able to boot to "Last Known Good Configuration". So, I think it is possible to boot to Safe Mode from there onwards.

Yogesh

Read the post again,

Not the second time around First thing is to get the personal data of off the HD, You learn that in PC repair when it goes that far. Get personal data

Depends what is being taken by Norton on 3 PC's that report Tidserv (or not) to whether the Norton Recovery Cd will do anything.

Norton may have taken an important OS registry entry or file. Maybe Norton is now detecting TDL3, but is deleting the likes of "atapi.sys" which ummm is not good.

who knows what is happening to peoples PC's at this point.

Quads

Re: Help - Backdoor.Tidserv virus problem, can't boot

Quads — Mon, 07 Dec 2009 19:03:49 GMT

A Report from a person with TDL3 after AV software attempted or succeeded to remove the driver file

"Well ... beside the fact that you don't detect all variants I have access to, cleaning an infection results in a nice BSOD loop on boot ... my guess is because you deleted my (infected) disk driver:"

Stop Code 7b restart loop, Now that's a bugger.

Maybe Norton is doing the same then, Detecting TDL3 as Tidserv, and removing files, to cause this.

Not a good idea.

Just trying to work out what is going on with Norton and the BSOD loop after detection.

Quads

Re: Help - Backdoor.Tidserv virus problem, can't boot

BarryS — Mon, 07 Dec 2009 19:39:16 GMT

Yep, that looks limke the same issue - I'll double check when I get home - but its the same hex error.

I am wondering if Norton 360 has deleted something that is vital, or if this a left over from the virus itself.

Any specific suggestions for getting past this? Do you think I should try a repair from my Windows installation disk (though this is pre SP2)?

Is there somewhere I should "officially" report this, or is this forum as official as required?

Re: Help - Backdoor.Tidserv virus problem, can't boot

Quads — Tue, 08 Dec 2009 09:11:17 GMT

Symantec is looking into this,

Could you please confirm you are getting the same Blue screen (BSOD) Code??

Quads

Re: Help - Backdoor.Tidserv virus problem, can't boot

BarryS — Tue, 08 Dec 2009 17:09:33 GMT

Yes its definitely the same error code (7B) on the BSOD, and the same text. I get it for all boot types, though the value of the first parameter changes depending on whether it is safe mode or normal mode (maybe an address?).

If this is under investigation should I hold off on trying anything for now? I have prepared a Norton recovery disk using the suggested download, and was going to give that a go.

Thanks

Re: Help - Backdoor.Tidserv virus problem, can't boot

Quads — Tue, 08 Dec 2009 17:45:53 GMT

Although Symantec has PMed me said they can't reproduce the problem, also basically asked then if I have any idea what is going on,

To your question, "If this is under investigation should I hold off on trying anything for now? I have prepared a Norton recovery disk using the suggested download, and was going to give that a go."

It's up to you, from this distance I can't get into your PC with my gear to see which file or whatever has been taken, whether it's a problem not when the infected file is atapi.sys but when it's a third party driver that got infected instead, or something else.

Then most people want there PC back.

When you say you have the Norton Recovery disc do you mean the Norton Boot CD for Virus scanning?? I can't see how that will work due to the nature of the problem.

I hope you transfered your personal data off.

Quads

Re: Help - Backdoor.Tidserv virus problem, can't boot

BarryS — Tue, 08 Dec 2009 18:49:27 GMT

Luckily I have other PCs, so I can wait a little while, especially if there is hope of getting it back without a complete reinstall.

I have downloaded the Norton Boot CD for Virus scanning - thought I'd start there in case it is the virus rather than Norton 360 that has done this. I can't quite understand why restore last working settings worked once, but not subsequently.

I have also downloaded UBC4Win and Knoppix in the hope that one or other of these may allow me to boot, get in and copy a load of stuff to an external drive (which I believe will be easier than recovering stuff from my backups). I'll probably try this at the weekend, as it will take a while.

If I can get in, are there there any particular files or information that would help diagnose this?

After that I guess I should try a Windows repair - slightly worried as my Windows XP Home CD is vanilla, as in pre SP1 and SP2 - not sure if that's relevant but may be a nuisance as I think Windows repair is more of a completely reload keeping the registry (I could be wrong here).

After that I guess it's reformat and reinstall (maybe this is the universe telling me it's time to upgarde to Windows 7).

Thanks again

Re: Help - Backdoor.Tidserv virus problem, can't boot

Quads — Tue, 08 Dec 2009 19:12:01 GMT

The reason I found the Knoppix tutorial page for rescuing your personal data is due to the fact I use other software and that webpage telling you how has screenshots you can click to enlarge to help you.

Using the XP CD to repair install, reinstalls Windows and everything to do with windows, but leaves your personal data and programs where they are, When decided to try the CD to repair install on my PC and the only thing I had to reinstall after was the 3rd party audio drivers, so not bad, Norton also stays installed as well as all the history, which should them show what was removed in terms of Files etc. for Tidserv just before the BSOD occured.

There is the SP3 download for XP as a full Service Pack package also.

If you can find the .exe you ran that you think had the rootkit inside, that would be good, for Myself and Norton, I would infect my PC and see if I can cause the same problem.

Quads

Re: Help - Backdoor.Tidserv virus problem, can't boot

delphinium — Tue, 08 Dec 2009 20:44:46 GMT

BarryS:

This thread will provide a link to an uptodate version of XP sp3 through Microsoft. It doesn't seem to say what version it is. The thread also provides information on downloading, and burning, and provides other links. Scroll to the top of the page for Mijcar's post with the link.

http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=90525#M90525

Re: Help - Backdoor.Tidserv virus problem, can't boot

BarryS — Tue, 08 Dec 2009 21:26:20 GMT

Thanks, I'll download the SP3 ISO - I assume this makes a bootable instalation CD, and I can use the key from my original CD.

The Norton recovery tool that was sugested (recovery_nav_x86.iso downloaded from the FTP site suggested by Tim) loaded (very slowly) but would not accept the key from my Norton 360 (2009) or my son's NIS. The about screen says 2008, so it may be I need a newer version. Anybody know if there is a newer one and where it is?

In case it's relevant, the parameters on the Stop code on the BSOD are 0x7BH (0xF7A71524, 0xC0000034, 0, 0) [I've missed out leading zeroes]. If I select safe mode rather than normal, I get the same BSOD, but the first parameter changes to 0xF78BF524.

Re: Help - Backdoor.Tidserv virus problem, can't boot

Quads — Sun, 13 Dec 2009 18:49:17 GMT

The other way as well as a repair install is to use the recovery console with the CD

http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=91307#M91307

have the recovery console copy over "atapi.sys"

Quads

Re: Help - Backdoor.Tidserv virus problem, can't boot

BarryS — Mon, 14 Dec 2009 17:50:12 GMT

Had to go to London on Saturday, but had a go at this on Sunday - only limited success.

Downloaded another Norton Recovery SOS image, but that wanted a PIN not a serial number so gave that up.

Used a Knoppix boot CD and copied lots of data to a USB disk. Between that and my backups I should be well covered (though there's bound to be something somewhere that I'll want in 2 years time :-) )

Then I tried teh Windows installation disk. I was able to get into the recovery console, but didn't really know what to do with it (hadn't seen your post at that point, unfortunately).

Then I went into the Repair Windows option. All seemed to be going well, but some way in to the setup it started reporting that it couldn't copy various files. These were a large number of files of types DL_ and EX_. In each case I was given the choice of Retry, which would just represent the error, or Cancel, which would allow me to skip the file, or Browse which would allow me to see the file it was refusing to copy! I tried using cancel and skipping the files, but once it had asked about 20 or 30 I lost patience; I powered it down in mid installation - on reboot it new it was in the middle of an installation, it resumed but produced the same errors again. At this point I gave up, and powered down again.

It's an original SP2 CD (though not the original installation CD, as Dell don't supply these, it's from another PC that I built, and is an OEM version). I did use the serial number from the Dell installation.

I've no idea what the problem is here. Is this possibly some problem with the C drive partition, or the Windows directory, or file attributes? The disc wasn't anywhere close to full before all this happenned. (OK - it was a long trip the day before, so by late Sunday I admit I may have missed something obvious; for a start I guess I could have checked the disk space via the recover console or Knoppix.)

Any suggestions? I'd still like to avoid a re-install, but I'm starting to resign myself to it.

Is it time to give in, and just completely reinstall XP? If so do I need to do anything special to wipe the disk? Will just the partition with Windows do, or should I do something with the other partitions, especially the hidden diagnostic partitions Dell pre-installs? Do I need to wipe the Master Boot Record, and if so what is the easiest way to do this? Do I need to go as far as Darik's Boot and Nuke, or something similar to completely blat the disk?

If a reformat or reinstall are needed, are there any files such as logs that might be useful to you that I can get via Knoppix?

Thank's for all your help and suggestions so far.

Re: Help - Backdoor.Tidserv virus problem, can't boot

Quads — Tue, 15 Dec 2009 01:06:59 GMT

BarryS wrote:

Then I tried teh Windows installation disk. I was able to get into the recovery console, but didn't really know what to do with it (hadn't seen your post at that point, unfortunately).

Any suggestions? I'd still like to avoid a re-install, but I'm starting to resign myself to it.

How far do you get to with the recovery console??

Quads

Re: Help - Backdoor.Tidserv virus problem, can't boot

BarryS — Wed, 16 Dec 2009 19:04:18 GMT

I didn't originally try much with the recover console. I could try finding and replacing Atapi.sys if you think that worthwhile. However now the issue is that the PC boots up, realises it's part way through a install, and prompts me for the CD again.

I assume I can boot from the CD and redo the repair install. I may have a go at a repair with a different Windows disk, to see if that works.

I really don't understand why so many files failed to install on the repair. I'm a bit worried this might be something to do with the virus, but I guess it's more likely to be some more mundane issue (it is a genuine SP2 installation disk, but it's the OEM version - I don't know if that makes a difference on a repair) .

If the retrying the repair with a different disk doesn't work, I'll delete and recreate the partition, and re-install Windows completely (though it will have to wait to the weekend again)

Thanks