11-18-2010 11:12 AM - edited 11-18-2010 11:18 AM
Win 7 Pro 32bit. NIS 2010 is detecting Backdoor.Tidserv.I!inf in the following files:
C:\Windows\System32\drivers\RPCDD.SYS
&
C:\Windows\winsxs\x86_microsoft-windows-t..niportd
NIS is unable to resolve the issue automatically and is asking for manual removal of the virus. Can I delete these files manually, or will this cause issues with Windows operation? And if I do delete the files, what do I replace them with? I cannot see a similar file on my Windows installation disk, nor one available for download from the internet.
I'm not very computer savvy so I hope the above makes sense.
11-18-2010 11:23 AM
Try this, as long as you have NO fake popups appearing on your PC, as they would have to be stopped first as a safety measure for the tools below.
Checking for the TDL Rootkit / Bootkit
TDSSkiller can cure the latest I have. NOTE: The Kaspersky tool removes the known variants of the family, including the Bootkit versions; Symantec's tool does not.
Try http://www.symantec.com/content/en/us/global/remov
If the variant is too new a warning will appear when trying to repair, but it will list the driver involved.
If that doesn't work because it's a new variant of TDL3 or is the TDL4 Bootkit try http://support.kaspersky.com/viruses/solutions?qid
You will see that an .exe version is available for download. Click on TDSSkiller.exe on the download site.
You could try both in a way to double check that the main .sys file has been cured / disinfected.
Quads
11-18-2010 03:28 PM - edited 11-18-2010 03:45 PM
An anti-bootkit version of FixTDSS has been posted since 10/13.
The available version 2.1.1.2 handles all currently known variants.
11-19-2010 09:59 AM
No joy with the Symantec prog but kaspersky one caught it and removed the problem. As an aside, it took the Symantec prog 15 hours to scan the whole system (5 HDDs) whereas the kaspersky prog was more focused and executed itself in under 2 mins. Guess which one I ran first!!
Thanks for the help.
11-19-2010 10:56 AM
The 2 tools use different techniques; for instance, TDSSkiller doesn't scan the whole drive but is targeted to the area involved.
Now you will probably have to remove the Tidserv.inf entry from within Norton's History, in the Unresolved Threats listing. Also, the file
C:\Windows\winsxs\x86_microsoft-windows-t..niport
TDSSkiller probably doesn't scan that location, so if the file in that location is still infected you will have to delete that one, then make a copy of the now cured / disinfected one
C:\Windows\System32\drivers\RPCDD.SYS
And paste the clean copy into
C:\Windows\winsxs\x86_microsoft-windows-t..niport
Quads
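The step above (check whether the winsxs copy still differs from the cleaned driver in System32 before replacing it) can be made less error-prone by comparing the two files by hash. The following PowerShell script is an added example, not part of this thread and not from Symantec or Kaspersky; it assumes the winsxs folder name, which the thread shows truncated, is filled in from what NIS reported, and it uses .NET hashing so it also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the thread): hash the driver in System32 and the copy
# under winsxs so you can tell whether the winsxs copy still differs from the
# cleaned RPCDD.SYS before overwriting it.
# $WinSxsCopy is a placeholder: the thread only shows a truncated folder name,
# so paste in the full path NIS reported.

$System32Driver = 'C:\Windows\System32\drivers\RPCDD.SYS'
$WinSxsCopy     = 'C:\Windows\winsxs\<full folder name reported by NIS>\rpcdd.sys'  # placeholder

function Get-Sha256Hex {
    param([string]$Path)
    # .NET SHA-256 rather than Get-FileHash, which is not available on PowerShell 2.0
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
        $sha.Clear()
    }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

foreach ($p in $System32Driver, $WinSxsCopy) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Host "Missing: $p"
    }
}

if ((Test-Path -LiteralPath $System32Driver) -and (Test-Path -LiteralPath $WinSxsCopy)) {
    $a = Get-Sha256Hex $System32Driver
    $b = Get-Sha256Hex $WinSxsCopy
    Write-Host "System32 driver : $a"
    Write-Host "winsxs copy     : $b"
    if ($a -eq $b) {
        Write-Host 'The two copies are identical; nothing to replace.'
    } else {
        Write-Host 'The copies differ. Once TDSSkiller reports the System32 driver cured, the winsxs copy is the one to replace.'
        Write-Host 'Suggested command, from an elevated prompt, once you are sure:'
        Write-Host "  Copy-Item -LiteralPath '$System32Driver' -Destination '$WinSxsCopy' -Force"
    }
}
```

The script only reports; it prints the copy command rather than running it, because files under winsxs are owned by TrustedInstaller and the overwrite needs an elevated prompt (and possibly taking ownership first), which is a deliberate step rather than something a comparison script should do on its own.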
11-19-2010 03:00 PM
Sorry that the tool failed to find your problem.
FixTDSS fixes a particular class of threats and there can be variations that use components of other threat families.
We will certainly try to improve the tool as new varieties emerge.
FixTDSS employs a series of detection techniques of which the last is a volume scan really intended to find older versions of the threat.
This time-consuming scan can be skipped by launching the tool with the command line switch: "-nolegacyscan".
11-19-2010 03:16 PM
Hmmm, what about having 2 scan buttons, one which is Quick (like TDSSkiller does) and just checks specific locations for the Rootkit / Bootkit: MBR, System32 and drivers folders. Once it is able to cure or disinfect the files or MBR involved, stopping the conflicts and BSODs, the longer scan can be used to mop up the rest.
This is good for PCs where there is a conflict causing crashes of services or an overall BSOD of the system. Try running a long scan when the PC is really playing up.
As the tool by default runs a quick scan.
I hate the PC restart when first running FixTDSS before the scan; what if, as seen in the past, someone has trouble booting into Windows, runs FixTDSS, which restarts the PC, and now has trouble getting back in?
Whereas TDSSkiller is quick and does not restart the PC first; the scan is first.
Just Ideas
Quads
