Visitor
crod55
Posts: 7
Registered: 11-27-2008

backdoor.tidserv!inf

I picked up this trojan yesterday and Norton's action was "review and requires manual removal". I am new at this and I do not know how to remove it manually. The location of the trojan is c:\documents and settings\owner\local settings\temp\tdss3671.tmp. My Norton version is 15.0.0.58 and I am using XP 2. Can anyone help me fix this problem? I have tried scanning in safe mode but that did not work.
Rootkit Eradicator
Posts: 5,357
Registered: 05-30-2008

Re: backdoor.tidserv!inf

Removal instructions for Backdoor.Tidserv!inf: http://www.symantec.com/en/uk/security_response/writeup.jsp?docid=2008-111113-1112-99&tabid=3.

You can also Upgrade to N.I.S. 2009, using the Remaining Days of your Norton 2008 Product.

http://www.symantec.com/home_homeoffice/support/special/upgrade2007/vista/select_product.jsp?site=nu...

Upgrading instructions for Norton 2006 Products and Later:

01. Select your Product and Version, from the Web Link (above).

02. Save the Download on your Desktop.

03. Save your Product Key (www.mynortonaccount.com; http://service1.symantec.com/SUPPORT/custserv.nsf/docid/20020610105504925?Open&src=sym).

04. Disconnect from the Internet.

05. Go to Add/Remove.

06. Locate "Norton Internet Security/Norton AntiVirus (Symantec Corporation)" and click on "Remove".

07. Follow the instructions and, when asked to, re-start your computer.

08. Locate to Add/Remove upon start-up.

09. Click on LiveUpdate and "Remove" and any other LiveUpdate.

10. If requested, re-start your computer.

11. Double-click on the Saved N.I.S./N.AV. File on your Desktop.

12. Follow the instructions.

13. Open Norton Internet Security or Norton AntiVirus and "Run [Norton] LiveUpdate" manually.

14. It is now Safe to Connect to the Internet again.

15. If you notice things not running right with N.I.S. 2009/N.AV. 2009, it may be a bug; please Post them here [in the Forum].

16. If you have Other Norton Products, then you can re-install LiveUpdate, or, if you have Used the N.R.T., you can re-install your Other Norton Product(s); if you do not have the Disc, then you can re-download it via the Trialware. Norton SystemWorks users have had a "Patch" Released so that Updates are received through Norton LiveUpdate, i.e. your Norton Internet Security 2009 Product.

17. If you have problems un-installing/installing, then use the Norton Removal Tool.

Visitor
crod55
Posts: 7
Registered: 11-27-2008

Re: backdoor.tidserv!inf

I tried this solution and it did not work; I still have the Trojan. Below is the export from Norton.

Scan Stats:
  Scan Time: 3870 seconds
  Scan Options:
  Scan Targets: C:
  Counts:
   Total items scanned: 356,905
   - Files & Directories: 355,657
   - Registry Entries: 252
   - Processes & Start-up Items: 866
   - Network & Browser Items: 124
   - Other: 5

   Total security risks detected: 1
   Total items resolved: 0
   Total items that require attention: 1

Resolved Threats:


Unresolved Threats:
Backdoor.Tidserv!inf
 Virus ID: 38565
 Type: Anomaly
 Risk: High (High Stealth, High Removal, High Performance, High Privacy) 
 Categories: Virus
 State: Review
 -----------
 1 File
c:\documents and settings\owner\local settings\temp\tdss3671.tmp - Failed

Bot Obliterator
Quads
Posts: 16,453
Registered: 07-21-2008

Re: backdoor.tidserv!inf

Did you try the full scan in Safe Mode?

Quads

Visitor
crod55
Posts: 7
Registered: 11-27-2008

Re: backdoor.tidserv!inf

yes
Visitor
crod55
Posts: 7
Registered: 11-27-2008

Re: backdoor.tidserv!inf

In safe mode the only thing different is that the error message does not show up, but the results are the same: "Review and remove manually".
Regular Contributor
Dieselman743
Posts: 1,909
Registered: 09-11-2008

Re: backdoor.tidserv!inf

Are you now running NAV/NIS 2009?
Real Time Protection = NIS 2009 + NAT
Behavior Analysis = Threatfire
On Demand = MBAM
Bot Obliterator
Quads
Posts: 16,453
Registered: 07-21-2008

Re: backdoor.tidserv!inf

Hi

Try downloading Malwarebytes Anti-Malware, install it, update it and run it in Safe Mode.

If that doesn't work:

Download HijackThis, install it, run it and find these entries in the list:

O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - S-1-5-18 Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'SYSTEM')
O4 - .DEFAULT Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')

Place a tick beside each one and then click Fix.

Using Regedit to delete the entries:

Click Start, Run.

Then type "regedit".

Click OK.

Navigate to and delete the following registry entries (be careful):

HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\"build" = "standart"
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\"serversdown" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\"type" = "popup"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata\"affid" = "39"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata\"asubid" = "v2test7"

Navigate to and delete the following registry subkeys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSServ
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSServ.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSServ.sys
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\version
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\connections
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\injector

Exit the Registry Editor and restart the PC.

Quads
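As an added, read-only audit (example code written for this thread, not Quads' or Symantec's own), the following PowerShell script checks a machine for the registry keys, the HKCU Run entry and the Temp-folder files named in the post above, and reports what it finds without deleting anything. It assumes Windows PowerShell is installed and the session is elevated; the Default User Temp path is taken from the HijackThis lines in the post, and the current user's Temp folder is read from $env:TEMP.

```powershell
# Added example, not part of the thread: a read-only audit for the
# Backdoor.Tidserv registry and file indicators listed in the post above.
# Assumes Windows PowerShell in an elevated session. Reports only; deletes nothing.
$findings = @()

# Registry subkeys the post says the rootkit creates.
$subKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\TDSServ',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSServ.sys',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSServ.sys',
    'HKLM:\SOFTWARE\TDSS',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata'
)
foreach ($k in $subKeys) {
    if (Test-Path -Path $k) { $findings += "Registry key present: $k" }
}

# Named values under those keys (build, serversdown, type, affid, asubid).
$namedValues = @{
    'HKLM:\SOFTWARE\TDSS' = @('build', 'serversdown', 'type');
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata' = @('affid', 'asubid')
}
foreach ($k in $namedValues.Keys) {
    if (-not (Test-Path -Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($n in $namedValues[$k]) {
        if ($null -ne $props.$n) { $findings += "Registry value present: $k\$n = $($props.$n)" }
    }
}

# The HijackThis O4 entry: an HKCU Run value named SVCHOST.EXE that starts a
# copy under system32\drivers. The genuine svchost.exe lives in system32.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['SVCHOST.EXE']) {
    $findings += "HKCU Run entry SVCHOST.EXE -> $($run.'SVCHOST.EXE')"
}

# Files named in the thread: tdss*.tmp in the user's Temp folder and
# iehome.bat in the Default User profile's Temp folder.
$tempDirs = @($env:TEMP, 'C:\Documents and Settings\Default User\Local Settings\Temp')
foreach ($d in $tempDirs) {
    if (-not (Test-Path -Path $d)) { continue }
    Get-ChildItem -Path $d -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'tdss*.tmp' -or $_.Name -eq 'iehome.bat' } |
        ForEach-Object { $findings += "Suspicious file: $($_.FullName)" }
}

if ($findings.Count -eq 0) { 'No Tidserv indicators from the thread were found.' } else { $findings }
```

Because the post says the driver can keep the file "in use" even in Safe Mode, a hit on TDSServ or the SafeBoot entries is the signal that a plain file delete will fail and the vendor removal procedure is needed.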
Rootkit Eradicator
Stu
Posts: 5,210
Registered: 04-08-2008

Re: backdoor.tidserv!inf

It looks like it is in your temp folder. Can't you just clean out this folder manually?
"All that we are is the result of what we have thought"
Bot Obliterator
Quads
Posts: 16,453
Registered: 07-21-2008

Re: backdoor.tidserv!inf


It seems that it uses a Rootkit Driver to run even in Safe Mode, so the file would be "in use" and unable to be deleted.

It can be using "Svchost.exe" to run; that is where the O4 entry above is mentioned.

Quads

Message Edited by Quads on 11-28-2008 06:27 PM