United States
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Norton Internet Security / Norton AntiVirus

Reply
Topic Options
crod55
Visitor
crod55
Posts: 7
Registered: ‎11-27-2008

backdoor.tidserv!inf

Options

‎11-27-2008 04:17 PM

I picked up this trojan yesterday and Nortons action was review and requires manual removal.  I am new at this and I do not know how to remove manually.  The location of the trojan is c:\documents and settings\owner\local settings\temp\tdss3671.tmp.  My Norton version is 15.0.0.58 and I am usind XP 2.  Can any one help me fix this problem.  I have tried scanning in safe mode but that did not work.
Report Inappropriate Content
Message 1 of 86 (58,368 Views)
0 Kudos
Floating_Red
Rootkit Eradicator
Posts: 5,220
Registered: ‎05-30-2008

Re: backdoor.tidserv!inf

Options

‎11-27-2008 04:24 PM

Removal instructions for Backdoor.Tidserv!inf: http://www.symantec.com/en/uk/security_response/writeup.jsp?docid=2008-111113-1112-99&tabid=3.

 

You can also Upgrade to N.I.S. 2009, using the Remaining Days of your Norton 2008 Product.

 

http://www.symantec.com/home_homeoffice/support/special/upgrade2007/vista/select_product.jsp?site=nu...

 

Upgrading instructions for Norton 2006 Products and Later:

01. Select your Product and Version, from the Web Link (above).

02. Save the Download on your Desktop.

03. Save your Product Key (www.mynortonaccount.com; http://service1.symantec.com/SUPPORT/custserv.nsf/docid/20020610105504925?Open&src=sym).

04. Dis-connect from the Internet.

05. Go to Add/Remove.

06. Locate "Norton Internet Security/Norton AntiVirus (Symantec Corporation)" and click on "Remove".

07. Follow the instrctions and, when asked to, re-start your computer.

08. Locate to Add/Remove upon start-up.

09. Click on LiveUpdate and "Remove" and any other LiveUpdate.

10. If requested, re-start your computer.

11. Double-click on the Saved N.I.S./N.AV. File on your Desktop.

12. Follow the instructions.

13. Open Norton Internet Security or Norton AntiVirus and "Run [Norton] LiveUpdate" manually.

14. It is now Safe to Connect to the Internet again.

15. If you notice things not running right with N.I.S. 2009/N.AV. 2009, it may be a bug; please Post them here [in the Forum].

16. If you have Other Norton Products, then you can re-install LiveUpdate, or, if you have Used the N.R.T., you can re-install your Other Norton Product(s); if you do not have the Disc, then you can re-download it via the Trailware. Norton SystemWorks users have had a "Patch" Released so that Updates are received through Norton LiveUpdate, i.e. your Norton Internet Security 2009 Product.

17. If you have problems un-installing/installing, then use the Norton Removal Tool.
Tuesday, May 21, 2013: The Symantec THREATCON was Changed to Level 1: Normal | Tuesday, May 14, 2013: Microsoft "Patch Tuesday" | Sunday, May 05, 2013: Microsoft Internet Explorer 8 Zero-Day Vulnerability (Update Released)
Report Inappropriate Content
Message 2 of 86 (58,226 Views)
crod55
Visitor
crod55
Posts: 7
Registered: ‎11-27-2008

Re: backdoor.tidserv!inf

Options

‎11-27-2008 08:34 PM

I tried this solution and it did not work I still have the Trojan,  Below is the export from Norton.

 

Scan Stats:
  Scan Time: 3870 seconds
  Scan Options:
  Scan Targets: C:
  Counts:
   Total items scanned: 356,905
   - Files & Directories: 355,657
   - Registry Entries: 252
   - Processes & Start-up Items: 866
   - Network & Browser Items: 124
   - Other: 5

   Total security risks detected: 1
   Total items resolved: 0
   Total items that require attention: 1

Resolved Threats:


Unresolved Threats:
Backdoor.Tidserv!inf
 Virus ID: 38565
 Type: Anomaly
 Risk: High (High Stealth, High Removal, High Performance, High Privacy) 
 Categories: Virus
 State: Review
 -----------
 1 File
c:\documents and settings\owner\local settings\temp\tdss3671.tmp - Failed

 

Report Inappropriate Content
Message 3 of 86 (58,208 Views)
0 Kudos
Quads
Bot Obliterator
Quads
Posts: 13,255
Registered: ‎07-21-2008

Re: backdoor.tidserv!inf

Options

‎11-27-2008 08:38 PM

Did you try the full scan in Safe mode??

 

 

Quads 

Report Inappropriate Content
Message 4 of 86 (58,203 Views)
0 Kudos
crod55
Visitor
crod55
Posts: 7
Registered: ‎11-27-2008

Re: backdoor.tidserv!inf

Options

‎11-27-2008 08:55 PM

yes
Report Inappropriate Content
Message 5 of 86 (58,200 Views)
0 Kudos
crod55
Visitor
crod55
Posts: 7
Registered: ‎11-27-2008

Re: backdoor.tidserv!inf

Options

‎11-27-2008 08:57 PM

In safe mode the only thing different is the error message does not show up but the results are the same.  Review and remove manually
Report Inappropriate Content
Message 6 of 86 (58,195 Views)
0 Kudos
Regular Contributor
Dieselman743
Posts: 1,909
Registered: ‎09-11-2008

Re: backdoor.tidserv!inf

Options

‎11-27-2008 08:57 PM

Are you now running NAV/NIS 2009?
Real Time Protection = NIS 2009 + NAT
Behavior Analysis = Threatfire
On Demand = MBAM
Report Inappropriate Content
Message 7 of 86 (58,196 Views)
0 Kudos
Quads
Bot Obliterator
Quads
Posts: 13,255
Registered: ‎07-21-2008

Re: backdoor.tidserv!inf

Options

‎11-27-2008 09:32 PM

Hi 
 
Try Downloading Malwarebytes Antimalware, install, update and run in Safe Mode 
 
If that doesn't work.  
 
Download Hijackthis and install  run and find in the list these entries
 
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - S-1-5-18 Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'SYSTEM')
O4 - .DEFAULT Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
O4 - .DEFAULT User Startup: IEHOME.LNK = C:\Documents and Settings\Default User\Local Settings\Temp\iehome.bat (User 'Default user')
 
Place a Tick besides each on and the click fix.
 
Using Regedit to delete the entries 
 
Click Start ,  Run.
 
Then type "regedit"
 
Click OK.
 
Navigate to and delete the following registry entries: (be careful)
 
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\"build" = "standart" 
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\"serversdown" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\"type" = "popup"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata\"affid" = "39"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata\"asubid" = "v2test7"
 
Navigate to and delete the following registry subkeys:
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSServ
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSServ.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSServ.sys
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\version
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\connections
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\injector
 
Exit the Registry Editor and Restart the PC
 
Quads 
Report Inappropriate Content
Message 8 of 86 (58,192 Views)
Stu Rootkit Eradicator
Rootkit Eradicator
Stu
Posts: 5,210
Registered: ‎04-08-2008

Re: backdoor.tidserv!inf

Options

‎11-27-2008 10:16 PM

It looks like it is in your temp folder. Can't you just clean out this folder manually?
"All that we are is the result of what we have thought"
Report Inappropriate Content
Message 9 of 86 (58,178 Views)
0 Kudos
Quads
Bot Obliterator
Quads
Posts: 13,255
Registered: ‎07-21-2008

Re: backdoor.tidserv!inf

[ Edited ]
Options

‎11-27-2008 10:25 PM - edited ‎11-27-2008 10:27 PM

It seems that it uses a Rootkit Driver to even run in Safe Mode So the file would be "in use" so unable to delete...................................

 

It can be using the "Svchost.exe" to run. that is where the O4 entry above is mentioned.

 

Quads

 

 

Message Edited by Quads on 11-28-2008 06:27 PM
Report Inappropriate Content
Message 10 of 86 (58,177 Views)
0 Kudos

Products

Services

Support

Norton on Facebook
Norton on Twitter
Norton's YouTube Channel
Symantec on Linked In
Norton on Google+