Visitor
kavanb6930
Posts: 6
Registered: 10-19-2008
0

Trojan - Major problems : brastk.exe

This nasty little bugger hijacks your machine and stops you from accessing Norton, McAfee or any spyware scanning websites. It even stops Norton from starting up.

I can't believe there's no mention of it yet on this forum! Or even in Symantec's security alerts!!!!

I got it by clicking 'allow this instance' for access to my pc. I thought it was the site 'Savefile' where I was getting a U2 video from asking so in a moment of weakness I said 'allow this instance' 2-3 times.

It started by rebooting my pc, then on restart of Windows, puts a red X in your active icons with a message saying your computer has been infected! No kidding!!!!!!!

It puts a few files on your pc: brastk.exe and karna.dat in both c:\Windows and c:\windows\system32 and svchost.exe in c:\windows\system32\drivers.

I killed it by rebooting in Safe mode and ran a process I downloaded called Brastkremover.exe that I got from here

After that, I removed all entries for brastk.exe and karna.dat that were still left in the registry and the files that were still left in windows\system32. (My boot drive is a D:\ so maybe the tool didn't fully remove it.)

I then rebooted and it appeared mostly gone (No RED 'X') but I still could not go to Symantec's website but at least Norton started up. I ran a quickscan and it found 'Backdoor.Tidserv'. After that I could get to the website.

I hope this helps someone else.

Super Bot Obliterator
Posts: 4,499
Registered: 05-30-2008
0

Re: Trojan - Major problems : brastk.exe

01. What Norton Product and Version are you using, e.g. N.I.S. 2009?

02. Removal instructions for Backdoor.Tidserv: http://www.symantec.com/security_response/writeup.jsp?docid=2008-091809-0911-99&tabid=3.

03. If there is any indication of another Threat on your computer, please Post the exact Threat Name.

04. Run a Full System Scan in Safe Mode, with Updated Virus Definitions.

05. If none of the Steps have worked, please click on this Web Link: http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html.  Download, install, Update, and Run a Full Scan in Safe Mode.

06. Let us know the Results of the Scans.

Tuesday, March 09, 2010: ThreatCon Changed to Level 2: Elevated - Microsoft Released their March 2010 Patches, which customers are advised to install as soon as possible.  There is also a new, Un-Patched Vulnerability being Exploited In-The-Wild. | Wednesday, February 03, 2010: Microsoft Released a Security Advisory to detail an Un-Patched Vulnerability in Internet Explorer.
Regular Contributor
Tech0utsider
Posts: 1,451
Registered: 07-29-2008
0

Re: Trojan - Major problems : brastk.exe

Download Norton Antibot:

http://www.pcworld.com/downloads/file_download/fid,67195-order,4-page,1-c,antivirussecurity/download...

It should flag the process as malicious and quarantine it.

=\
Regular Contributor
Tech0utsider
Posts: 1,451
Registered: 07-29-2008
0

Re: Trojan - Major problems : brastk.exe


kavanb6930 wrote:

This nasty little bugger hijacks your machine and stops you from accessing Norton, McAfee or any spyware scanning websites. It even stops Norton from starting up.

I can't believe there's no mention of it yet on this forum! Or even in Symantec's security alerts!!!!

I got it by clicking 'allow this instance' for access to my pc. I thought it was the site 'Savefile' where I was getting a U2 video from asking so in a moment of weakness I said 'allow this instance' 2-3 times.

It started by rebooting my pc, then on restart of Windows, puts a red X in your active icons with a message saying your computer has been infected! No kidding!!!!!!!

It puts a few files on your pc: brastk.exe and karna.dat in both c:\Windows and c:\windows\system32 and svchost.exe in c:\windows\system32\drivers.

I killed it by rebooting in Safe mode and ran a process I downloaded called Brastkremover.exe that I got from here

After that, I removed all entries for brastk.exe and karna.dat that were still left in the registry and the files that were still left in windows\system32. (My boot drive is a D:\ so maybe the tool didn't fully remove it.)

I then rebooted and it appeared mostly gone (No RED 'X') but I still could not go to Symantec's website but at least Norton started up. I ran a quickscan and it found 'Backdoor.Tidserv'. After that I could get to the website.

I hope this helps someone else.


Upload those leftover files to Virustotal.com and tell us the results and general consensus of the AV engines.

Also, what version of Norton are you using?

=\
Spyware Scolder
jAW
Posts: 145
Registered: 05-19-2008
0

Re: Trojan - Major problems : brastk.exe

Hi,

Good that you managed to solve the problem and that you share your experience. The brastk is a variant of Trojan.Virantix.C.

jAW

Super Spam Squasher
johna
Posts: 904
Registered: 07-01-2008
0

Re: Trojan - Major problems : brastk.exe

Hi kavanb6930

SONAR should have picked that up if you were using NIS09. Which version are you running?

Thanks

Visitor
kavanb6930
Posts: 6
Registered: 10-19-2008
0

Re: Trojan - Major problems : brastk.exe

Hi. Sorry for the delay.

I'm using NIS 2008. I hadn't as yet updated to NIS2009 but I have been keeping up to date with LiveUpdates.

I'm still getting the svchost trying to connect to the internet but I put a block always on it now.

So I still have remnants.

Regular Contributor
Dieselman743
Posts: 1,909
Registered: 09-11-2008
0

Re: Trojan - Major problems : brastk.exe

Do not block svchost. It's part of Windows and needs to be allowed. Sometimes malware can hide as an svchost but as long as your system is clean then allow it. I have it allowed on my machines but outgoing only.
Real Time Protection = NIS 2009 + NAT
Behavior Analysis = Threatfire
On Demand = MBAM
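
A check for the two things this thread turns on, the files the original poster listed and an svchost.exe running from somewhere other than the Windows system directory, as an added example that is not part of any poster's reply or of Symantec's tooling. It assumes PowerShell 4 or later in an elevated prompt, and it resolves paths against %SystemRoot% rather than C:\ because the original poster's boot drive is D:\.

```powershell
# Added example, not from the thread. File names and folders are the ones the
# original poster reported; everything else here is illustrative.
$sysRoot  = $env:SystemRoot                    # C:\Windows, D:\Windows, ...
$sys32    = Join-Path $sysRoot 'System32'
$findings = @()

# 1. Files reported in the thread, resolved against the real Windows directory.
$reported = @(
    (Join-Path $sysRoot 'brastk.exe'),
    (Join-Path $sysRoot 'karna.dat'),
    (Join-Path $sys32   'brastk.exe'),
    (Join-Path $sys32   'karna.dat'),
    (Join-Path $sys32   'drivers\svchost.exe') # svchost.exe does not belong in drivers
)
foreach ($path in $reported) {
    # -Force includes files marked hidden or system
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        # Hash is left blank if the file is locked and cannot be read
        $hash = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256 `
                     -ErrorAction SilentlyContinue).Hash
        $findings += [pscustomobject]@{
            Kind = 'File'; Path = $item.FullName; Detail = "SHA256 $hash"
        }
    }
}

# 2. Running svchost.exe processes whose image is not in a genuine location.
$genuine = @(
    (Join-Path $sys32   'svchost.exe'),
    (Join-Path $sysRoot 'SysWOW64\svchost.exe') # 32-bit copy on 64-bit Windows
)
foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
    # ExecutablePath is empty when the prompt is not elevated; those are skipped
    if ($p.ExecutablePath -and ($genuine -notcontains $p.ExecutablePath)) {
        $findings += [pscustomobject]@{
            Kind = 'Process'; Path = $p.ExecutablePath; Detail = "PID $($p.ProcessId)"
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { Write-Output 'No reported files or misplaced svchost.exe processes found.' }
```

An empty result only means these specific names and locations are absent; it does not show the machine is clean.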
Super Spam Squasher
johna
Posts: 904
Registered: 07-01-2008
0

Re: Trojan - Major problems : brastk.exe

[ Edited ]

Hi kavanb6930

I advise you to update to NIS09 (for free) through the Norton Update Centre, and let us know if you are still experiencing any problems.

Thanks

Message Edited by johna on 10-20-2008 09:39 PM
Visitor
kavanb6930
Posts: 6
Registered: 10-19-2008
0

Re: Trojan - Major problems : brastk.exe

[ Edited ]

I've uploaded the file to VirusTotal but they already had it. I reanalysed anyway; click below for the results.

http://www.virustotal.com/analisis/2385f3ce72187c12d6769c965016ba85

Symantec says this is the 'very low' risk fakeavalert.

I don't consider a malware that hijacks all my web queries and blocks every virus scan and spyware website a 'very low' risk!!!!!! Symantec needs to get in gear!!!

I just did a chat with them and got some useless guy trying to sell me services to 'clean my pc' with 30 days followup support. I told him 3 times I did not need it and he still tried to sell it to me. Talk about annoying!!!!!

[edit: removed unnecessary word.]


Message Edited by Allen_K on 10-20-2008 04:50 PM