Regular Visitor
dfa1963
Posts: 7
Registered: ‎11-18-2010

Backdoor.Tidserv.I!inf

Win 7 Pro 32-bit. NIS 2010 is detecting Backdoor.Tidserv.I!inf in the following files:

C:\Windows\System32\drivers\RPCDD.SYS

&

C:\Windows\winsxs\x86_microsoft-windows-t..niportdisplaydriver_31bf3856ad364e35_6.1.7600.16385_none_d4b17a3e9f928d55\RPCDD.SYS

NIS is unable to resolve the issue automatically and is asking for manual removal of the virus. Can I delete these files manually, or will this cause issues with Windows operation? And if I do delete the files, what do I replace them with? I cannot see a similar file on my Windows installation disk, nor one available for download from the internet.

I'm not very computer savvy, so I hope the above makes sense.

Bot Obliterator
Quads
Posts: 13,250
Registered: ‎07-21-2008

Re: Backdoor.Tidserv.I!inf

Try this, as long as you have NO fake popups appearing on your PC, as they would have to be stopped first as a safety measure for the tools below.

Checking for the TDL Rootkit / Bootkit

TDSSKiller can cure the latest I have. NOTE: the Kaspersky tool removes the known variants of the family, including the bootkit versions; Symantec's tool does not.

Try http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

If the variant is too new, a warning will appear when trying to repair, but it will list the driver involved.

If that doesn't work because it's a new variant of TDL3 or is the TDL4 bootkit, try http://support.kaspersky.com/viruses/solutions?qid=208280684

You will see that an .exe version is available for download. Click on TDSSKiller.exe on the download site.

You could try both as a way to double-check that the main .sys file has been cured / disinfected.


Quads

Symantec Employee
Peter_Linhardt
Posts: 9
Registered: ‎09-16-2008

Re: Backdoor.Tidserv.I!inf

An anti-bootkit version of FixTDSS has been posted since 10/13.

The available version 2.1.1.2 handles all currently known variants.

 

Regular Visitor
dfa1963
Posts: 7
Registered: ‎11-18-2010

Re: Backdoor.Tidserv.I!inf

No joy with the Symantec program, but the Kaspersky one caught it and removed the problem. As an aside, it took the Symantec program 15 hours to scan the whole system (5 HDDs), whereas the Kaspersky program was more focused and executed in under 2 minutes. Guess which one I ran first!!


Thanks for the help.

Bot Obliterator
Quads
Posts: 13,250
Registered: ‎07-21-2008

Re: Backdoor.Tidserv.I!inf

The 2 tools use different techniques; for instance, TDSSKiller doesn't scan the whole drive but is targeted to the area involved.

Now you will probably have to remove the Tidserv.inf entry from within Norton's History, in the Unresolved Threats listing. Also, the file

C:\Windows\winsxs\x86_microsoft-windows-t..niportdisplaydriver_31bf3856ad364e35_6.1.7600.16385_none_d4b17a3e9f928d55\RPCDD.SYS

TDSSKiller probably doesn't scan that location, so if the file in that location is still infected you will have to delete the one there, then make a copy of the now cured / disinfected one

C:\Windows\System32\drivers\RPCDD.SYS

and paste the clean copy into

C:\Windows\winsxs\x86_microsoft-windows-t..niportdisplaydriver_31bf3856ad364e35_6.1.7600.16385_none_d4b17a3e9f928d55\RPCDD.SYS


Quads
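
The "copy the disinfected System32 driver over the WinSxS copy" step above, written out as an added example (editor's code, not posted by Quads or by Symantec/Kaspersky). It hashes both copies before touching anything, checks the System32 copy's Authenticode status, and only overwrites the WinSxS file when the two differ. Assumptions: it is run from an elevated PowerShell prompt on the affected Windows 7 machine, and `$WinSxsDir` is a placeholder you must replace with the full component directory quoted in the thread (the directory name is abbreviated there, so it is not reproduced here).

```powershell
# Added example, not from the thread: verify and, if needed, refresh the WinSxS copy of
# RPCDD.SYS from the disinfected System32 copy.
# ASSUMPTIONS: elevated PowerShell on the affected Windows 7 box; $WinSxsDir below is a
# placeholder for the component directory quoted in the thread.

$System32Copy = 'C:\Windows\System32\drivers\RPCDD.SYS'
$WinSxsDir    = 'C:\Windows\winsxs\<component-directory-quoted-in-the-thread>'  # placeholder
$WinSxsCopy   = Join-Path $WinSxsDir 'RPCDD.SYS'

function Get-Sha256Hex([string]$Path) {
    # Hash via .NET so this also runs on PowerShell 2.0 (Windows 7), which has no Get-FileHash.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

foreach ($f in @($System32Copy, $WinSxsCopy)) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing file: $f" }
}

$sysHash = Get-Sha256Hex $System32Copy
$sxsHash = Get-Sha256Hex $WinSxsCopy
Write-Host "System32 copy : $sysHash"
Write-Host "WinSxS copy   : $sxsHash"

# Sanity check on the copy we are about to trust. Inbox Windows 7 drivers are usually
# catalog-signed rather than embedded-signed, so 'NotSigned' here is not by itself proof of
# tampering; 'HashMismatch', however, means an embedded signature no longer matches the bytes.
$sig = Get-AuthenticodeSignature -FilePath $System32Copy
Write-Host "System32 copy signature status: $($sig.Status)"
if ($sig.Status -eq 'HashMismatch') {
    throw 'System32 copy fails its Authenticode check; do not propagate it.'
}

if ($sysHash -eq $sxsHash) {
    Write-Host 'Both copies are identical; nothing to do.'
    return
}

# Copies differ: keep a backup of the suspect WinSxS file outside WinSxS (your AV may
# quarantine it), take ownership (TrustedInstaller owns WinSxS by default), then overwrite.
$backup = Join-Path $env:TEMP 'RPCDD.SYS.winsxs.bak'
Copy-Item -LiteralPath $WinSxsCopy -Destination $backup -Force
takeown.exe /F $WinSxsCopy | Out-Null
icacls.exe $WinSxsCopy /grant 'Administrators:F' | Out-Null
Copy-Item -LiteralPath $System32Copy -Destination $WinSxsCopy -Force

if ((Get-Sha256Hex $WinSxsCopy) -eq $sysHash) {
    Write-Host "WinSxS copy replaced; previous file saved as $backup"
} else {
    throw 'Copy verification failed; WinSxS copy does not match the System32 copy.'
}
```

Two caveats worth knowing before running it: `sfc /scannow` repairs System32 files from the WinSxS component store, so while the WinSxS copy is still infected SFC cannot help and may even reintroduce the bad file; and the hash comparison only tells you the two copies match, not that either is the pristine Microsoft driver, so keep the TDSSKiller log that reported the cure as your evidence for the System32 copy.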


Symantec Employee
Peter_Linhardt
Posts: 9
Registered: ‎09-16-2008

Re: Backdoor.Tidserv.I!inf

Sorry that the tool failed to find your problem.

FixTDSS fixes a particular class of threats, and there can be variations that use components of other threat families.

We will certainly try to improve the tool as new varieties emerge.

FixTDSS employs a series of detection techniques, of which the last is a volume scan really intended to find older versions of the threat.

This time-consuming scan can be skipped by launching the tool with the command line switch: "-nolegacyscan".

 

Bot Obliterator
Quads
Posts: 13,250
Registered: ‎07-21-2008

Re: Backdoor.Tidserv.I!inf

Hmmm, what about having 2 scan buttons, one of which is Quick (like TDSSKiller does) and just checks specific locations for the rootkit / bootkit: the MBR, System32 and drivers folders. Once it is able to cure or disinfect the files or MBR involved, stopping the conflicts and BSODs, the longer scan can be used to mop up the rest.

This is good for PCs where there is a conflict causing crashes of services or an overall BSOD of the system. Try running a long scan when the PC is really playing up.

Have the tool run a quick scan by default.

I hate the PC restart when first running FixTDSS before the scan. What if, as seen in the past, someone has trouble booting into Windows, runs FixTDSS, which restarts the PC, and now has trouble getting back in?

Whereas TDSSKiller is quick and does not restart the PC first; the scan comes first.

Just ideas


Quads