Contributor
BarryS
Posts: 12
Registered: ‎12-07-2009

Help - Backdoor.Tidserv virus problem, can't boot

Help - I have a virus problem.

 

I have Norton 360 (2009 version) installed, running on Windows XP (SP2, with all updates) on a Dell PC.

 

I was fooled into running an executable (I know, but it had been a long day, and it was well disguised as being from a legitimate source). I did run a Norton scan on the file; it said it was OK. However, when it ran it rebooted the PC.

 

Obviously I was suspicious so immediately ran a full scan overnight. The scan reported 1 threat and needed to reboot to complete the fix. I let it reboot. The computer failed to boot, with a blue screen and a Stop message (code 7B hex). Safe mode would also not reboot – same blue screen. Selecting “reboot using last safe settings” did boot. I checked the Norton log. The scan found one virus – Backdoor.Tidserv.l!inf, which it claimed to have resolved. However auto-protect also reported finding the same virus a bit later, again claiming to have resolved it. Rebooting again resulted in the same blue screen, this time in all types of boot, including last safe settings. I'm now unable to boot at all.

 

Any suggestions on how to proceed – I would like to avoid completely reformatting the disc and reinstalling Windows if possible? Is booting from the Norton 360 installation CD likely to allow me to clear this?

 

(I seem to recall that the product comes with e-mail support, but I can’t find an e-mail address to send this to – the only virus support I can find on the web page is a premium paid service.)

 

 Any suggestions gratefully received. 

 

 

Volunteer
yogesh_mohan
Posts: 5,302
Registered: ‎07-29-2008

Re: Help - Backdoor.Tidserv virus problem, can't boot


Hi BarryS,

 

Welcome to Norton Community!

 

I would suggest you to restart your computer in Safe Mode and then try running a full system scan with your Norton program. You can also try booting from the Norton Recovery tool and then try running the scan using the Norton Recovery tool mentioned by Tim_Lopez in this thread:

http://community.norton.com/norton/board/message?board.id=Norton_360&message.id=5754

 

Refer to the removal instructions from the following Symantec Article:

http://www.symantec.com/security_response/writeup.jsp?docid=2008-111113-1112-99&tabid=3

 

Yogesh

Message Edited by yogesh_mohan on 12-07-2009 10:48 PM
Bot Obliterator
Quads
Posts: 16,540
Registered: ‎07-21-2008

Re: Help - Backdoor.Tidserv virus problem, can't boot

Yogesh, the poster reports "Rebooting again resulted in the same blue screen, this time in all types of boot, including last safe settings. I'm now unable to boot at all."

So no point in stating "I would suggest you to restart your computer in Safe Mode".

 

Barry

 

1. You are at least the 3rd PC with the exact same problem. Seeing as you were able to look up in Norton what was taken the first time around, are you able to say what file(s) or registry entries were taken?

2. Firstly, I would suggest getting your personal files off the HD and onto a flash drive so your photos etc. are OK. See:

 

http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=90371#M90371

 

Quads 

delphinium
Posts: 9,862
Kudos: 2,965
Solutions: 293
Registered: ‎11-21-2008

Re: Help - Backdoor.Tidserv virus problem, can't boot

If the above instructions are not successful, as they are a year old, and the new generation rootkits are much more complex to remove, you might also be wise to take the problem to a malware removal site such as www.bleepingcomputer.com

 

They have the tools and the know-how to walk you through the removal.

Under certain circumstances profanity provides relief denied even to prayer.
Mark Twain
Volunteer
yogesh_mohan
Posts: 5,302
Registered: ‎07-29-2008

Re: Help - Backdoor.Tidserv virus problem, can't boot

Thanks for pointing out that the poster is unable to boot. But still, he/she can try to boot using the Norton Recovery Tool and run a scan. If that corrects the boot problem, surely safe mode can be done afterwards.

 

Yogesh

Message Edited by yogesh_mohan on 12-07-2009 11:50 PM
Contributor
BarryS
Posts: 12
Registered: ‎12-07-2009

Re: Help - Backdoor.Tidserv virus problem, can't boot

Thanks all.

 

As I said, currently unable to boot - all options lead to blue screen with stop code 7b hex.

I will try producing the rescue disk, and booting from that. If that doesn't help, then I'll try the Linux boot disk to get at the files.

Luckily all my photos and music are on a separate USB disk, with a backup on another disk and on my Windows Home Server. My files are backed up on the WHS and also daily and weekly using Genie Backup Manager, so it's all recoverable, just potentially very time consuming. As is reinstalling everything. I'd rather be able to boot and copy files, or ideally clear the problem.

 

I was sort of hoping Norton 360 would deal with this, that being what it's for, though I know viruses are forever changing.

 

I did not see any information in the log about which files were impacted, just the virus name and that it had been resolved. It's possible there were more details I didn't find - I do find it hard to get at the details in Norton 360. If I can get it back to booting I'll take another look.

 

 

Barry

Bot Obliterator
Quads
Posts: 16,540
Registered: ‎07-21-2008

Re: Help - Backdoor.Tidserv virus problem, can't boot

 


yogesh_mohan wrote:

 


Barry wrote:

 

The computer failed to boot, with a blue screen and a Stop message (code 7B hex). Safe mode would also not reboot – same blue screen. Selecting “reboot using last safe settings” did boot.


Quads,

 

 

It seems that the poster was able to boot to "Last Known Good Configuration". So, I think it is possible to boot to Safe Mode from there onwards.

 

Yogesh


 

 

Read the post again,

 

Not the second time around. First thing is to get the personal data off of the HD. You learn that in PC repair when it goes that far. Get personal data

Depends what is being taken by Norton on 3 PCs that report Tidserv (or not) to whether the Norton Recovery CD will do anything.

Norton may have taken an important OS registry entry or file. Maybe Norton is now detecting TDL3, but is deleting the likes of "atapi.sys" which ummm is not good.

Who knows what is happening to people's PCs at this point.

 

Quads

Bot Obliterator
Quads
Posts: 16,540
Registered: ‎07-21-2008

Re: Help - Backdoor.Tidserv virus problem, can't boot

A report from a person with TDL3 after AV software attempted or succeeded in removing the driver file:

 

 


"Well ... beside the fact that you don't detect all variants I have access to, cleaning an infection results in a nice BSOD loop on boot ... my guess is because you deleted my (infected) disk driver:"

[Attached screenshot: Windows XP Professional-2009-11-30-17-45-23.png]

 

 

Stop code 7B restart loop. Now that's a bugger.

Maybe Norton is doing the same then: detecting TDL3 as Tidserv and removing files, to cause this.

 

Not a good idea.

 

Just trying to work out what is going on with Norton and the BSOD loop after detection. 

 

Quads 

Contributor
BarryS
Posts: 12
Registered: ‎12-07-2009

Re: Help - Backdoor.Tidserv virus problem, can't boot

Yep, that looks like the same issue - I'll double check when I get home - but it's the same hex error.

I am wondering if Norton 360 has deleted something that is vital, or if this is a leftover from the virus itself.

 

Any specific suggestions for getting past this? Do you think I should try a repair from my Windows installation disk (though this is pre SP2)?

 

Is there somewhere I should "officially" report this, or is this forum as official as required?

Bot Obliterator
Quads
Posts: 16,540
Registered: ‎07-21-2008

Re: Help - Backdoor.Tidserv virus problem, can't boot

Hi

 

Symantec is looking into this.

Could you please confirm you are getting the same blue screen (BSOD) code?

 

Quads