Hello and Thank You.
Windows XP SP2
Norton AntiVirus 2009
Dell Dimension 5150, P4, 1 GB RAM
I am several hours into troubleshooting now and I think I am stuck. I have spent some time searching the boards for this information, but I have not been successful. If the information turns out to be there and I just didn't find it, I apologize. Last week my brother was "doing something" on my mother's computer when a Norton alert came up alerting him to the presence of something "backdoor" and telling him that the computer needed to restart. When he tried to restart the computer he could only restart in Last Known Good Configuration; Norton asked for another restart, and now the operating system appears to be completely locked out, as no boot options work. Unfortunately, my brother does not remember what, if any, files were reported as infected, or what action was taken.
I created a Norton Bootable Recovery Tool and rolled up the latest definitions, which at that time were Feb. 23. A scan of the whole hard drive found Backdoor.Tidserv!inf lurking in the temp directory of the user's directory in Windows and where Windows stores recovery data. I let the NBRT fix both. I still have the .dat log/undo file, but I can't read it. I am aware of the recent Windows update no-boot issue with just this sort of rootkit, but I am not able to figure out if that update was actually installed on this computer yet. Using a BartPE disk I was able to modify the registry to turn off the Windows recovery option. For kicks I deleted and re-installed atapi.sys from an OEM XP SP2 disk using the file found in sp2.cab. I do not know if any of the other bad-actor driver files were removed from this installation, so I don't know what to restore.
My main issue is that I cannot get the computer to boot. I would like to see if I can recover any logs from Norton while I have the hard drive plugged into another computer. From what I am able to tell, the logs exist as .dat files and are part of the program. Since they were never saved or exported, there are no .evt or .mcf files. Starting mcui32 on the host computer only brings up information on the host installation. I would like to see what Norton did when it found the problem. If I know what it deleted/quarantined, I can maybe restore clean files and get the computer up and running from there.
Thanks,
dbrear
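The post above replaces atapi.sys from the OEM sp2.cab but does not know which other driver files may have been modified or removed. One way to answer that while the drive is attached to another computer is to extract the reference drivers from the OEM cabinet and hash-compare them against the offline installation's drivers directory. The script below is an added example, not code from the original post or from Norton; it assumes the suspect drive is mounted on the host and that the reference copies were extracted beforehand with Windows' own expand.exe (e.g. `expand D:\I386\sp2.cab -F:*.sys C:\ref_drivers`). The directory paths, and the sample files built by `demo()`, are constructed for illustration.

```python
"""Hash-compare drivers on an offline Windows installation against OEM copies.

Added example (not from the original post).  Assumed workflow:
  1. Mount the suspect drive on the host, e.g. as E:.
  2. Extract reference drivers from the OEM CD with expand.exe, e.g.
       expand D:\\I386\\sp2.cab -F:*.sys C:\\ref_drivers
  3. compare_trees(r"C:\\ref_drivers", r"E:\\WINDOWS\\system32\\drivers")

Caveat: drivers legitimately updated by hotfixes since SP2 will also differ
from the SP2 copy, so a 'modified' hit is a candidate to inspect, not proof
of infection.  Hashing the disk offline sidesteps any rootkit hiding that
would apply while the infected OS were running.
"""
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large drivers do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_trees(reference_dir, target_dir, suffix=".sys"):
    """Return {'missing': [...], 'modified': [...], 'unchanged': [...]}.

    Every *.sys in reference_dir is looked up in target_dir; names are
    matched case-insensitively because Windows file names are.
    """
    result = {"missing": [], "modified": [], "unchanged": []}
    target_names = {n.lower(): n for n in os.listdir(target_dir)}
    for name in sorted(os.listdir(reference_dir)):
        if not name.lower().endswith(suffix):
            continue
        ref_path = os.path.join(reference_dir, name)
        tgt_name = target_names.get(name.lower())
        tgt_path = os.path.join(target_dir, tgt_name) if tgt_name else None
        if tgt_path is None or not os.path.isfile(tgt_path):
            result["missing"].append(name)
        elif sha256_of(ref_path) != sha256_of(tgt_path):
            result["modified"].append(name)
        else:
            result["unchanged"].append(name)
    return result


def demo():
    """Constructed sample: a reference tree and a suspect tree where one
    driver has been patched in place and one has been deleted.  The file
    contents are placeholders, not real driver bytes."""
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as sus:
        clean = {
            "atapi.sys": b"MZ placeholder clean atapi",
            "disk.sys": b"MZ placeholder clean disk",
            "ntfs.sys": b"MZ placeholder clean ntfs",
        }
        for name, data in clean.items():
            with open(os.path.join(ref, name), "wb") as f:
                f.write(data)
        # Suspect install: atapi.sys patched, disk.sys missing, ntfs.sys intact
        # (stored with the upper-case name Windows might show).
        with open(os.path.join(sus, "atapi.sys"), "wb") as f:
            f.write(clean["atapi.sys"] + b" <patched>")
        with open(os.path.join(sus, "NTFS.SYS"), "wb") as f:
            f.write(clean["ntfs.sys"])
        return compare_trees(ref, sus)


if __name__ == "__main__":
    report = demo()
    for category, names in report.items():
        print(f"{category}: {', '.join(names) or '-'}")
```

Run it as-is to see the constructed sample, or call `compare_trees()` with the real reference and offline driver paths. Anything listed as `missing` is a candidate to re-extract from sp2.cab the same way atapi.sys was; anything `modified` should be checked against a hotfix list before being overwritten.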