05-15-2010 05:38 AM - edited 05-15-2010 05:39 AM
For the first time in 2 years I had a BSOD this week, twice on startup. Then NIS 2009 started reporting "HTTP Tidserv Request" intrusion attempts. I'm guessing they are linked. Is it definitely a rootkit, and what harm could it be doing?
I am running Vista Home Pro SP2, and ran a full system NIS scan etc., and nothing was found. I've trawled this board and googled a lot, and all references to fixes are very confusing: try this, then don't try this, etc.
What's the latest advice on how to get rid of this? I'm at a loss as to what to do next. Windows is installed on its own partition, and all data is stored on other partitions on my HD. So the last resort could be a format of the C drive and reinstall of Vista, which I really don't want to do unless absolutely necessary.
Any advice on how to remove this is much appreciated!
Many thanks, Ciaran
05-15-2010 05:50 AM - edited 05-15-2010 05:50 AM
What you've got is a nasty rootkit; from the reading I have done on it in this forum, it is best if you go over to the Bleeping Computers forum as soon as possible to get it cleaned up:
Ladies and Gentlemen, we are now ready for take-off. We would like to remind you that smoking and flaming are prohibited on all boards of this forum. We wish you an enjoyable flight with Norton Airlines.
05-15-2010 08:08 AM
Do put the name of the infection in your first post to them so they know what they are dealing with. There may be a bit of a wait as they are busy. They are well-versed in clearing these infections, and worth the wait.
05-15-2010 08:42 AM - edited 05-15-2010 08:43 AM
This message is posted having regard to the following statement which you are kindly requested to read first.
Hi. As you have already found out there is a lot of opinion often contradictory - sometimes even in these forums.
You say you definitely have a rootkit. I don't know. Sometimes a rootkit affects a system driver such that on reboot you get a BSOD. Even if you get past that point, the next reboot will render your system inoperable because the driver is corrupted and can only be restored (99% of the time) by getting a clean copy, i.e. it cannot be cleaned by tools including NIS.
BTW you really ought to be on 2010.
Usually NIS will at least identify the infected file. This does not seem to be the case. You might consider posting a screenshot of the report "HTTP Tidserv Request". What I think you have is an attack and a warning from NIS that your system is being attacked. This signature detects Backdoor.Tidserv communication with control servers.
The Symantec advice is:
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
In your case, I would update to NIS 2010 free and then re-scan.
Now there is a whole raft of tools that you could start applying, but the thing is you have to decide whether to gain further help here or apply and wait for Bleeping. I can tell you that a user infected on 3rd May 2010 and posting on Bleeping has still today, 15th May, had no response. So you can expect a long wait.
05-15-2010 08:59 AM
In most cases, the HTTP Tidserv Request does not identify a rootkit. What has been happening is that the notification indicates that a rootkit is being blocked from accessing the net. Rootkits will download other malware, so often you will end up with other infections if they gain access to the internet.
Norton products are not allowed to remove the infected files because they are usually crucial system files that, if removed improperly, cause a reboot loop.
If Bleeping is too slow, there are other free malware forums that have experience in handling this type of problem. They are probably the preferred forum.
05-15-2010 09:16 AM - edited 05-15-2010 09:29 AM
NIS version reports 22.214.171.124; maybe I have NIS 2010? I can't tell. I purchased NIS 2009 last year and have all the updates. I'll check if I'm on NIS 10, and if not, get an update and scan.
Anyway, the attacks are getting more frequent; screenshot attached. I usually use Firefox; as of 20 minutes ago, when I load it I get a BSOD. One curious thing: if I have Firefox open, the NIS report shows that, or when not in Firefox it's srvhost, and now I have IE open, the NIS report shows that. Any clues there?
I'm guessing it's a rootkit after a bit of googling of tidserv request intrusions, maybe the attack screenshot attached can confirm?
I'm thinking about formatting the C drive and reinstalling. I really don't want to, but my PC is becoming unstable today. All my data is on the D and E partitions. Would a format of the C drive and reinstall of Vista do the trick of removing it? I'm presuming it's buried inside Windows and the data on D and E would be fine?
05-15-2010 09:39 AM
Version 126.96.36.199 is the latest version for NIS 2009. I would not update to a newer version until your computer is cleaned up. Any install on a corrupted computer will result in a corrupted install also.
Success always occurs in private and failure in full view.
05-15-2010 02:10 PM
My point is that what you advised and the screenshot shows is not the rootkit infection itself. It is an attempt, possibly by the infected driver, to connect to 188.8.131.52 to update the patch.
If you want to know more about the rootkit, the loader and the mods to the hard drive, get the document Backdoor.tdss.565 from www.drweb.com.
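The earlier post noticed the same alert being attributed to Firefox, svchost and IE in turn, and the post above reads that as the infected driver, not any one application, making the connection. As an added illustration (not code from this thread or from Norton), here is a small triage script over constructed, simplified alert lines; the line format is an assumption, not the real NIS log format.

```python
from collections import Counter
from datetime import datetime

# Constructed sample alerts in a simplified "timestamp,signature,process,remote" form.
# This is NOT the real NIS log format; the remote addresses are TEST-NET placeholders.
SAMPLE_ALERTS = """\
2010-05-15 09:01:12,HTTP Tidserv Request,svchost.exe,203.0.113.10:80
2010-05-15 09:03:40,HTTP Tidserv Request,firefox.exe,203.0.113.10:80
2010-05-15 09:05:02,HTTP Tidserv Request,svchost.exe,203.0.113.10:80
2010-05-15 09:09:55,HTTP Tidserv Request,iexplore.exe,203.0.113.10:80
2010-05-15 09:10:30,Fake App Attack,firefox.exe,198.51.100.7:80
"""


def parse_alerts(text):
    """Turn the simplified CSV lines into dicts with a parsed timestamp."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sig, proc, remote = line.split(",", 3)
        alerts.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "signature": sig, "process": proc.lower(), "remote": remote})
    return alerts


def triage(alerts, signature="HTTP Tidserv Request"):
    """Summarise one IPS signature: how often, from which processes, to where."""
    hits = [a for a in alerts if a["signature"] == signature]
    by_process = Counter(a["process"] for a in hits)
    remotes = sorted({a["remote"] for a in hits})
    span_min = 0.0
    if len(hits) > 1:
        first = min(a["time"] for a in hits)
        last = max(a["time"] for a in hits)
        span_min = (last - first).total_seconds() / 60
    # The same signature to the same remote from several unrelated processes points
    # at something below the process layer (a patched system driver), not one bad app.
    system_level = len(by_process) >= 2 and len(remotes) == 1
    return {"count": len(hits), "by_process": dict(by_process), "remotes": remotes,
            "span_minutes": round(span_min, 1), "likely_system_level": system_level}


if __name__ == "__main__":
    print(triage(parse_alerts(SAMPLE_ALERTS)))
```

The "likely_system_level" flag is only a hint for where to look next; it does not identify which file is patched.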
05-15-2010 06:32 PM
Not all TDL3 and TDL4's are "Backdoor.tdss.565"; the number keeps going up, like "Backdoor.tdss.2459".
That also means documents relating to TDSS become somewhat out of date.
05-16-2010 03:47 AM
I decided to reformat the C drive/primary partition and reinstall Vista; I read enough about TDL to make me want to play it safe and not risk my PC. It looked like it had infected the disk controller driver, and I don't think anything would clear it as it's such a clever bit of code.
Thanks for the inputs folks, I just wish I knew how it got there though, as it's the first really bad thing that got on my PC after 20 years in IT.