topic Re: Norton 360 and Boot.tidserv nightmare ! in Norton 360

Norton 360 and Boot.tidserv nightmare !

ferrux — Sat, 07 Jan 2012 00:18:30 GMT

Hi there,

I am experiencing a nightmare with this rootkit, I have done tons of tests but cannot get rid of it,

The pc is a HP Desktop Pavilion 1209 with Windows XP Home 1gb ram.

The system boots normally' then after 3,4 minutes tha hard drive starts again to work a lot and comes up with the attached screen contained in this set:
https://picasaweb.google.com/109175126296685887586/MBRBOOTVIRUS?authuser=0&feat=directlink
I choose the option to cure within the combo box and the problem seems fixed, only till next boot actually.

Here is only a small part of all tests that I recall:

>NPE
>NPE boot disk

>karpersky removal tool

>bit defender removal tool
>TDSSKiller

>g-data rescue live cd

>bitdefender rootkit new tool

>bitdefender recue live cd

>karsperky rescue live cd

>combofix

>gmer

>mbr.exe

>hitman pro second opinion

---

Lately I also booted from cd and hit the 'R' and successfully run the commands: 'fixboot' and 'fixmbr'.

---

Also, tried enabling and disabling the Windows restore point function

---

Gparted showes a hidden partition, I deleted that but no luck, still the dreadfull Norton notice.

---

I am quite desperate, Hope someone can help, I would seriously need to avoid the zerofilling of hard disk and reinstalling everything.

Please en-light me :-)

Thank you

Ferrux

Re: Norton 360 and Boot.tidserv nightmare !

ferrux — Sat, 07 Jan 2012 09:56:06 GMT

I forgot to mention that I also run

Malwarebytes and Superantispyware

no luck :-(

The Beast is still alive !

Re: Norton 360 and Boot.tidserv nightmare !

Quads — Sat, 07 Jan 2012 11:48:07 GMT

"Gparted showes a hidden partition, I deleted that but no luck, still the dreadfull Norton notice."

As long as you have the right partition that you removed, you still after have to go into Norton's history and clear the unresolved threats list.

Quads

Re: Norton 360 and Boot.tidserv nightmare !

ferrux — Sat, 07 Jan 2012 13:34:43 GMT

Thank you for email
do you think that could be a false positive ?

Ferrux

Re: Norton 360 and Boot.tidserv nightmare !

ferrux — Sat, 07 Jan 2012 14:13:52 GMT

how can I do that ?

Thank you :-)

Re: Norton 360 and Boot.tidserv nightmare !

arno50 — Sun, 08 Jan 2012 16:29:54 GMT

It is no false message but you can remove it manually.

In my case i had the BootTidserv virus. It made a small extra hidden partition and made it the default boot device.

I used a linux live cd with parted magic and moved the default boot device tag to the windows partition.

Now boot from your windows XP install CD.

Choose R to repair windows.

At the command line use fixmbr to repair your boot record.

Now windows should be save to use.

Use aswmbr and gmer to remove the rest of the rootkit.

After all was working i used parted magic once more to remove the hidden partition with the virus.

Re: Norton 360 and Boot.tidserv nightmare !

Quads — Sun, 08 Jan 2012 20:03:35 GMT

As long as you have the right partition that you removed, you still after have to go into Norton's history and clear the unresolved threats list.

That's because Norton still has the detected listing in the unresolved threats list, due to the fact Norton didn't remove the detection but another program was used instead (Gparted) to do the job.

aswmbr and gmer is not required, expect by people who are trying anything and everything. For MaxSS there are now instructions on how to use Gparted for MaxSS on this forum.

Quads

Re: Norton 360 and Boot.tidserv nightmare !

arno50 — Sun, 08 Jan 2012 20:47:16 GMT

Quads you are probably right in your advise.

In this forum I am classified as a beginner but my first encounter was frodo lives and have learned a lot since then.

There are two reasons why you should use those two tools:

1) fixing the mbr with fixmbr is not always sufficient with a non standard mbr and the threat may still be there.

2) you have to clear up all the mess, if you do not you could get an instable system or wrong information when you get infected a second time.

Re: Norton 360 and Boot.tidserv nightmare !

ferrux — Sun, 08 Jan 2012 21:05:22 GMT

Hi there

cleaning the unresolved threat in the Norton' history the problem seems fixed.

The system seems to work with no more apparent problems, however I am sure some dormient or leftovers are still in the pc, for instance I tried to :

Right click My computer >Hardware>Device Manager

In Device Manager clicked view>Show hidden devices

In Non-plug and play drivers I saw and disabled TDSS.sys driver

Rebooting the pc got crazy, it war continuosly restarting the pc even in safe mode, I have

to reboot with last know good configuration.

I am attachin some screen shots ( it is a zip renamed to txt), sorry there are not in english but are readable, hope so.

Do you recall some possible action from this screens, please do not say reformat :-) since the pc now is usable.

Thank you

best regards.

Ferrux

Re: Norton 360 and Boot.tidserv nightmare !

Quads — Mon, 09 Jan 2012 00:09:15 GMT

"cleaning the unresolved threat in the Norton' history the problem seems fixed."

That is good, nothing else is detected then don't bother looking and screwing around, makes things a deep hole sometimes.

"Right click My computer >Hardware>Device Manager

In Device Manager clicked view>Show hidden devices

In Non-plug and play drivers I saw and disabled TDSS.sys driver"

Don't bother with that as Norton, Malwarebytes Combofix can delete the files for OLD TDL1 and 2 files if they arethe malware versions.

How old, see http://community.norton.com/t5/Norton-Internet-Security-Norton/Seneka-Rootkit-with-TDSServ/td-p/46674

Quads

Re: Norton 360 and Boot.tidserv nightmare !

Quads — Mon, 09 Jan 2012 00:18:43 GMT

Looked at the screenshots, leave it alone, the driver you are looking at is legit, belongs to FixTDSS (Symantec)

Quads

Re: Norton 360 and Boot.tidserv nightmare !

ferrux — Mon, 09 Jan 2012 08:15:28 GMT

Hi Quads

thank you for your email, infact when I tried to deactivate / unable the driver the system got crazy

and was restarting and booting to the infinite :-)

So that driver is the cure from the antivirus ? Is that correct ?

Thank you, very much, indeed .-)

Re: Norton 360 and Boot.tidserv nightmare !

CristianMéfiant — Wed, 22 Feb 2012 12:21:31 GMT

Ran Norton tool, tdsskiller found no threat, updated norton, re-scanned, threat still there. help!

Re: Norton 360 and Boot.tidserv nightmare !

Quads — Wed, 22 Feb 2012 22:33:53 GMT

Norton Tool (FixTDSS) = no detection.

TDSSkiller = no detection.

hmmmm Norton detects MaxSS as Boot.Tidserv, which is actually another partition. Like this thread http://community.norton.com/t5/Norton-Internet-Security-Norton/BOOT-Tidserv/td-p/610864

Quads