ciaran77

HTTPs Tidserv Request intrusions


For the first time in 2 years I had a BSOD this week, twice on startup. Then NIS 2009 started reporting "HTTP Tidserv Request" intrusion attempts. I'm guessing they are linked. Is it definitely a rootkit and what harm could it be doing?

I am running Vista Home Pro, SP2, and ran a full system NIS scan etc., and nothing was found. I've trawled this board and googled a lot, and all references to fixes are very confusing: try this, then don't try this, etc.

What's the latest advice on how to get rid of this? I'm at a loss as to what to do next. Windows is installed on its own partition; all data is stored on other partitions on my HD. So a last resort could be a format of the C drive and reinstall of Vista, which I really don't want to do unless absolutely necessary.

Any advice on how to remove this is much appreciated!

Many thanks, Ciaran

Yaso_Kuuhl

Re: HTTPs Tidserv Request intrusions


Hi ciaran77,

What you've got is a nasty rootkit; from the reading I have done on it in this forum, it is best if you go over to the Bleeping Computers forum as soon as possible to get it cleaned up:

http://www.bleepingcomputer.com

delphinium

Re: HTTPs Tidserv Request intrusions

Do put the name of the infection in your first post to them so they know what they are dealing with.  There may be a bit of a wait as they are busy.  They are well-versed in clearing these infections, and worth the wait.

cgoldman

Re: HTTPs Tidserv Request intrusions


This message is posted having regard to the following statement which you are kindly requested to read first.
http://community.norton.com/t5/Forum-Feedback/Statement-of-contribution-by-cgoldman/m-p/215993#M5047

Hi. As you have already found out, there is a lot of opinion, often contradictory, sometimes even in these forums.

You say you definitely have a rootkit. I don't know. Sometimes a rootkit affects a system driver such that on reboot you get a BSOD. Even if you get past that point, the next reboot will render your system inoperable because the driver is corrupted and can only be restored (99% of the time) by getting a clean copy, i.e. it cannot be cleaned by tools including NIS.

BTW, you really ought to be on 2010.

Usually NIS will at least identify the infected file. This does not seem to be the case. You might consider posting a screenshot of the report "HTTP Tidserv Request". What I think you have is an attack and a warning from NIS that your system is being attacked. This signature detects Backdoor.Tidserv communication with control servers.

 

The Symantec advice is

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.

 

In your case, I would update to NIS 2010 free and then re-scan.

 

Now there are a whole raft of tools that you could start applying but the thing is you have to decide whether to gain further help here or apply and wait for Bleeping. I can tell you that a user infected on 3rd May 2010 and posting in Bleeping has still today 15th May had no response. So you can expect a long wait.

delphinium

Re: HTTPs Tidserv Request intrusions

In most cases, the HTTP Tidserv request does not identify a rootkit.  What has been happening is that the notification indicates that a rootkit is being blocked from accessing the net.  Rootkits will download other malware, so often, you will end up with other infections if they gain access to the internet.

 

Norton products are not allowed to remove the infected files because they are usually crucial system files, that if removed improperly cause a boot re-boot loop. 

 

If Bleeping is too slow, there are other free malware forums that have experience in handling this type of problem. They are probably the preferred forums.

http://www.geekstogo.com/forum/

http://www.cybertechhelp.com/forums/

http://forums.whatthetech.com/

ciaran77

Re: HTTPs Tidserv Request intrusions


NIS version reports 16.8.0.41; maybe I have NIS 2010? I can't tell. I purchased NIS 2009 last year and have all the updates. I'll check if I'm on NIS 10 and if not get an update and scan.

Anyway, the attacks are getting more frequent, screenshot attached. I usually use Firefox; as of 20 mins ago, when I load it I get a BSOD. One curious thing: if I have Firefox open, the NIS report shows that, or when not in Firefox it's srvhost, and now I have IE open, the NIS report shows that. Any clues there?

I'm guessing it's a rootkit after a bit of googling of Tidserv request intrusions; maybe the attack screenshot attached can confirm?

I'm thinking about formatting the C drive and reinstalling. I really don't want to, but my PC is becoming unstable today. All my data is on the D and E partitions. Would a format of the C drive and reinstall of Vista do the trick of removing it? I'm presuming it's buried inside Windows and data on D and E would be fine?

floplot

Re: HTTPs Tidserv Request intrusions

Hello ciaran77

 

Version 16.8.0.41 is the latest version for NIS 2009. I would not update to a newer version until your computer is cleaned up. Any install on a corrupted computer will result in a corrupted install also.

cgoldman

Re: HTTPs Tidserv Request intrusions



My point is that what you advised and the screen shot shows is not the rootkit infection itself. It is an attempt possibly by the infected driver to connect to 85.12.46.159 to update the patch.

If you want to know more about the rootkit, the loader and the mods to the hard drive, get the document Backdoor.tdss.565 from www.drweb.com.
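Taking the thread's own observations as a detection problem (cgoldman's point that the alert is NIS blocking an outbound connection to 85.12.46.159, and ciaran77's observation that the process named in the alert changes between Firefox, svchost and IE depending on what is open), here is an added triage script. It is example code written for this page, not from the Norton thread, Symantec or Dr.Web. The log lines and their format are constructed for the example and are not NIS's real log format; the destination addresses other than 85.12.46.159 are documentation/placeholder addresses. Its one non-obvious check is the second heuristic: the same blocked destination being reached from several unrelated processes is a hint of code injected into whatever process happens to be running, rather than a single malicious executable.

```python
"""Added example: triage constructed host-IPS log lines for rootkit C2 attempts.
Not the Norton thread's code; the log format below is invented for the example."""
import re
from collections import defaultdict

# Constructed sample lines in an invented format (not NIS's real log format).
# 85.12.46.159 is the address named in the thread; 203.0.113.10 and 10.0.0.5
# are placeholder destinations for benign traffic.
SAMPLE_LOG = """\
2010-05-15 09:12:01 IPS block sig="HTTP Tidserv Request" proc=firefox.exe dst=85.12.46.159:80
2010-05-15 09:12:44 IPS block sig="HTTP Tidserv Request" proc=svchost.exe dst=85.12.46.159:80
2010-05-15 09:15:10 IPS allow sig="-" proc=firefox.exe dst=203.0.113.10:80
2010-05-15 09:20:05 IPS block sig="HTTP Tidserv Request" proc=iexplore.exe dst=85.12.46.159:80
2010-05-15 09:21:30 IPS block sig="HTTP Tidserv Request" proc=svchost.exe dst=85.12.46.159:80
2010-05-15 09:25:00 IPS allow sig="-" proc=outlook.exe dst=10.0.0.5:25
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) IPS (?P<action>\w+) sig="(?P<sig>[^"]*)" '
    r'proc=(?P<proc>\S+) dst=(?P<ip>[\d.]+):(?P<port>\d+)$'
)

# Indicator taken from cgoldman's post in the thread; treated as a known C2 address.
KNOWN_C2 = {"85.12.46.159"}


def parse(log_text):
    """Parse lines matching the invented format; silently skip anything else."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def c2_summary(events):
    """Group blocked events by destination: ip -> (count, sorted distinct processes)."""
    by_dst = defaultdict(list)
    for e in events:
        if e["action"] == "block":
            by_dst[e["ip"]].append(e["proc"])
    return {ip: (len(procs), sorted(set(procs))) for ip, procs in by_dst.items()}


def assess(events, min_procs=2):
    """Return findings: known-indicator hits, and destinations reached from several
    distinct processes (which points at injection into arbitrary processes)."""
    findings = []
    for ip, (count, procs) in c2_summary(events).items():
        if ip in KNOWN_C2:
            findings.append(f"{ip}: matches known indicator ({count} blocked attempts)")
        if len(procs) >= min_procs:
            findings.append(f"{ip}: contacted from {len(procs)} processes {procs}; "
                            "suspect code injected into whichever process is running")
    return findings


if __name__ == "__main__":
    for finding in assess(parse(SAMPLE_LOG)):
        print(finding)
```

Run against the embedded sample it reports two findings for 85.12.46.159: the indicator match and the three distinct processes (firefox.exe, iexplore.exe, svchost.exe) that tried to reach it, which matches the pattern ciaran77 describes. The allowed connections are ignored, so the summary only reflects what the IPS actually blocked.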

 

 

Quads

Re: HTTPs Tidserv Request intrusions

Not all TDL3 and TDL4s are "Backdoor.tdss.565"; the number keeps going up, like "Backdoor.tdss.2459".

That also means documents relating to TDSS become somewhat out of date.

 

Quads 

ciaran77

Re: HTTPs Tidserv Request intrusions

I decided to reformat the C drive/primary partition and reinstall Vista; I read enough about TDL to make me want to play it safe and not risk my PC. It looked like it had infected the disk controller driver, and I don't think anything would clear it, as it's such a clever bit of code.

Thanks for the input, folks. I just wish I knew how it got there though, as it's the first real bad thing that got on my PC after 20 years in IT.