Hello, I have a Dell Latitude D820 that Norton 360 has identified the Backdoor.Tideserv.I!inf virus on and has said that it requires manual removal. I have tried using Norton in safe mode as well and it is still unable to remove it. I have used the suggestions on the Norton website also and turned off system restore and again tried to remove it with no help. I have attempted to do the recommended procedures for posting on the Malwarebytes forum. Malwarebytes does not find any infected files. Ran DDS with no problem. However, when attempting to run GMER, every time shortly after starting the scan two copies of ccSvcHst.exe (one for System and one for the current user) begin taking up 100% of the CPU usage, which prevents the scan from completing (sometimes crashes, once blue screen, sometimes save button does not appear, etc.). These processes can't be stopped (Access is Denied). When trying to run the GMER scan in safe mode, it will scan but due to the screen resolution, the save button cannot be seen, and no amount of resizing or repositioning allows it to be seen. The screen resolution option does not appear to be available in safe mode. When examining the start up programs, there are two that cannot be removed, they are NvCpl and ctfmon. They cannot even be removed in safe mode as it states that I must be logged in as an admin even if logged in as an admin. I have tried to use the Norton Bootable Recovery Tool for Norton 360, but am given an error that Windows failed to start because file (\windows\system32\boot\winload.exe) with status (0xc0000001) was missing or corrupt; after pressing enter it then says file (\Boot\BCD) status (0xc0000001) had an error while trying to read the boot configuration data. After hitting enter again it just attempts to reboot. It tells you to use the repair settings on the Windows install disk. When selecting the R, it then just proceeds to load Windows normally.
We would just wipe the thing and start over except there is a piece of software that was a nightmare to install (due to it being a piece of crap) that has a large amount of important data on it that we need access to, so we are hoping to find a way to recover this. Does anyone have any suggestions? Thanks in advance...
Chuck a few programs at it without really knowing I see
Malwarebytes (MBAM) won't do anything to this as it's not meant to detect this type of infection.
It's TDL3 / TDL4 that is on your PC trying to use the internet to reach a web address (any number of a group); Norton is blocking this happening using Intrusion Prevention.
NOTE: The Kaspersky Tool removes the variant of the family known including the Bootkit versions, Symantec's tool does not.
Try http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe
If the variant is too new a warning will appear when trying to repair, but it will list the driver involved.
If that doesn't work because it's a new variant of TDL3 or is the TDL4 Bootkit try
http://support.kaspersky.com/viruses/solutions?qid=208280684
You will see that an .exe version is available for download.
Quads
In the beginning stages of trying to remove the virus I had used the TDSS Killer and I believe that it found and removed some files. A second search with it found nothing. Recently while trying to use it with the computer booted with an XP admin bootable disk, it would not let the program run because it said it couldn't load the driver and it couldn't initiate the log file.
Well, you have tried using programs, CDs and disks, just anything, when people should not just chuck programs at malware.
It could be that although TDSSkiller cured the driver on reboot, Norton still has the listing in the History - Unresolved Threats list, that Norton keeps there as it has not dealt with the infection itself.
It will stay there until you go into the Unresolved Threats list and clear it.
Quads
Hi quads? There is another issue I think you missed in the op’s question. Why couldn’t the boot tool run?
Tywin7 wrote:
Hi quads? There is another issue I think you missed in the op's question. Why couldn't the boot tool run?
I haven't missed anything. Different issues, exactly (except GMER).
You could always tell the user how to fix both issues with one move, as for a while now I no longer do advanced procedures on this forum, like I used to, as the forum shows its danger.
Quads
The virus is not listed in the unresolved section of Norton. When it finds the virus it says manual removal is required, and then the button says OK, so it seems that by clicking OK it assumes you have dealt with it. The unresolved threats folder is empty. At one point I deleted the file it was saying was affected (after determining it was not a system file), and rebooted, and then rescanned, only to be told that two different files were affected as well as a browser cache. The files affected this time were in the location C:\system volume information\_restore, despite the system restore being turned off as per the Norton directions for removing this virus.
Hello planthead
I would recommend a visit to one of the malware removal sites which I will list. When you register with one of them, please put the name of the infection in the subject of the thread and tell them what you have done so far. They will tell you the proper tools to use and how to fix the problem if it is possible to fix. When Norton says a manual fix is necessary, that means it has to be done by someone who is knowledgeable enough to know how to do it.
Please go to one of these free Forums for help in removing your bad malware or rootkits.
http://www.bleepingcomputer.com
http://www.geekstogo.com/forum/
http://www.cybertechhelp.com/forums/
http://forums.whatthetech.com/
(Thanks to Delph for providing the list of sites)
Bleepingcomputer is good, but they will have the longest wait.
Please come back and let us know which one you have picked and when you hear back from them or they have started to work with you. Thanks.
If you are finding that files are being rebuilt after you have followed Quads' instructions, you may have a new variant. It takes time for the specialized tools to be updated as quickly as the malware changes. I would recommend a visit to one of these free malware removal forums. They have specialists, like Quads, but that kind of removal process is not safe on an open forum like this one.
www.bleepingcomputer.com
http://www.geekstogo.com/forum/
http://www.cybertechhelp.com/forums/
http://forums.whatthetech.com/
Great minds, floplot!
yep
Something fishy here,
When Norton detects something and it has not been removed, with Flags like "Manual Removal is Required" "Get Help" it does stay in the Unresolved Threats list.
I know as others have had this and I many times with infected critical files have had this.
Quads
Yes there seems to be a lot fishy, new problems keep popping up. I am working with someone on the Malwarebytes forum, who has had me run several scans, all of which keep coming up negative. The recent Norton scan also came up negative for the first time, which makes no sense since nothing should have been changed since the last two files in system restore showed up. Thanks for the suggestions though.
Hello planthead
I'm not so sure that the Malwarebyte's Forum is the best place for you to seek help with this problem. I don't think that they deal with too many rootkits any more. I really think that perhaps you would get better help by signing up with one of the sites that I mentioned and so did delpineum. One of them will most likely be able to help you more efficiently. Thanks.
Norton and threats that it is allowed to detect but not remove or delete, due to the file(s) being required by Windows: once detected, the entry is placed in the Unresolved Threats list.
Norton keeps notifying the user of the unresolved threat(s).
Now even if your PC is now clean due to using other tools to remove the infections, that can be any other program, manually or turning off System Restore to delete the restore points and files: because Norton has not removed the detection, the entry is still in the Unresolved Threats list and thus still notifying the user of the threats, causing the thought that the PC is still infected.
It used to be that to fix the problem in older versions of Norton (2009 and older) the QBackup workaround was required to be done to remove the listing.
As you have had other programs remove the infection(s), Norton has the threat in the "unresolved" list (Security History). So when you restart the PC Norton notifies you that you have a threat, even though you have used another program to remove it. The entry has to be removed from the Unresolved list, in the Security History. Norton still can think the threat is still there as you have not had Norton remove it (emptying the unresolved list).
I found that out by testing with a CD/DVD that had malware on it. Norton detected it, I asked it to do nothing, so it was placed in the unresolved list. After a restart Norton notified me that I had a threat on the F:\ drive (DVD) even though the CD/DVD was no longer in the drive, so nothing to detect. Empty drive; I had to remove it from the Norton history for it to no longer notify me.
Workaround
THE FIX:
It is not necessary to erase the complete QBackup folder, nor do you need to boot in safe mode. The QBackup folder (Quarantine Backup) is used by the Norton AntiVirus component to store backup recoveries of repaired and removed threats when you fix/remove threats during the scan. It may also contain information about threats detected and retains the remediated data in your computer itself. It will be automatically recreated by the Norton program when you run a scan next time.
So to FIX this problem: just open NIS2009 history, go to "unresolved security risk", press "Remove*" on the item that failed to remove, wait for the "failed to remove" status; this will update the "*.qbi" file which has the history of the unresolved items. Then go to NIS2009 settings, go to "miscellaneous settings" and disable the Norton Product Tamper Protection under Miscellaneous Settings. Then open your Windows Explorer and go to
"C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\QBackup"
and erase your most recent (updated, newly) "*.QBI" file. The asterisk is a long number such as "{DDAB4332-ED04-4898-9C20-D231FDC4B0C5}.qbi"; it will be a small file, 1-10 KB. Only delete this file. Close Windows Explorer, go to NIS2009, reactivate the Norton Product Tamper Protection under Miscellaneous Settings, and you can enter the HISTORY and you will find it is empty (clear).
Hope this will help to not erase the whole (complete) "QBackup folder".
BEST REGARDS (GREETINGS TO THE CREW)
TUFE (aka JC.WILCOX or SABROSO)
Quads
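As an added illustration of the file-deletion step in the workaround quoted above (this is not code from Quads's or TUFE's post, nor a Norton tool), here is a PowerShell script that locates the newest *.qbi file in the QBackup folder, checks that it is the small 1-10 KB index file the post describes, and asks for confirmation before removing it. The QBackup path is the one quoted in the thread (the XP-era layout; on Vista and Windows 7 the same "All Users\Application Data" tree lives under C:\ProgramData, so adjust the path if yours differs). The manual steps around it still apply: press Remove on the unresolved item in Security History first, disable Product Tamper Protection before running this, and re-enable it afterwards.

```powershell
# Added example (not from the thread): find and remove the newest *.qbi index
# file in Norton's QBackup folder, per the workaround quoted above.
# Prerequisites done by hand in the Norton UI: "Remove" pressed on the
# unresolved item, and Product Tamper Protection switched off.
$QBackup = 'C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\QBackup'

if (-not (Test-Path -LiteralPath $QBackup)) {
    Write-Warning "QBackup folder not found: $QBackup (path differs on Vista/7, see note)"
    return
}

# Newest .qbi by last-write time; the workaround says to delete only this one.
# PSIsContainer filter keeps this working on PowerShell 2.0 (no -File switch).
$newest = Get-ChildItem -LiteralPath $QBackup -Filter '*.qbi' |
          Where-Object { -not $_.PSIsContainer } |
          Sort-Object LastWriteTime -Descending |
          Select-Object -First 1

if (-not $newest) {
    Write-Host 'No *.qbi files present; nothing to do.'
    return
}

# Sanity check from the post: the index file should be small (1-10 KB).
$sizeKB = [math]::Round($newest.Length / 1KB, 1)
Write-Host ("Newest .qbi: {0}  ({1} KB, modified {2})" -f $newest.Name, $sizeKB, $newest.LastWriteTime)

if ($newest.Length -gt 10KB) {
    Write-Warning 'File is larger than expected for a .qbi index; not deleting. Inspect the folder by hand.'
    return
}

# -Confirm prompts before the delete; add -WhatIf to rehearse without touching anything.
Remove-Item -LiteralPath $newest.FullName -Confirm

Write-Host 'Done. Re-enable Norton Product Tamper Protection, then check Security History.'
```

Run it from an elevated PowerShell prompt; Tamper Protection will otherwise block the delete even as an administrator. The size check is deliberately conservative: if the newest file is not the small index file the post describes, the script stops rather than guessing.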
Now for Norton products 2010, 2011 and beyond, Symantec, since being given the suggestion, has created an easier way to remove the entries from the Unresolved list by giving (creating) a "Clear Entries" button to remove the listings, as an easier way to remove the entries where a user has used another program or procedure to remove the infection. Although the QBackup way should still be able to be used.
Quads
Hello, I did actually post a request for assistance at several of the boards that were suggested, and only received a reply from one, but it came in after the person on the Malwarebytes forum began helping me. It was requested that I not try to do too much that wasn't suggested by that person while they were assisting me. I did perform the suggested clear of the unresolved threats which worked, but a rescan again turned up the virus in the following location: C:\system volume information\_restore{46dde8921-1d39-44d2-a9e9-64119261f211}\rp1\a0002187.sys and 1 browser cache. As recommended by the person assisting me on the other forum I am performing an uninstall of Norton using the Norton removal tool and then reinstalling. Any other suggestions? Thanks for the help so far...
Actually I forgot, I cannot perform that task in safe mode as the touchpad/pointer stick have become disabled when in safe mode...grrrrr. Unfortunately I don't have a corded mouse.
Have successfully uninstalled, but is there a way to install Norton 360 without going online?
Hello planthead
You can install N360 offline, but you have to go online to have the product activated and updated. And you will need your product key, which can be found at mynortonaccount.com. You also have to be online to download the program unless you have another computer and use a pen drive to move it over to the other computer.
Norton 360 v4 Standard: www.norton.com/n360s_4
Norton 360 v4 Premier: www.norton.com/n360p_4
Please remember to run live update and to reboot after receiving all updates.
Thanks for the info. I do have another online computer and usb drive, is there a way I can transfer the latest updates the same way? The reason is that the infected computer contains sensitive information, and I can't risk putting it online until I am 100% sure that it is clean.