TDSSkiller / TDL4

Quads wrote:

One sample, though, places a randomly named file with a registry key so that when the MBR gets cured on the restart (or after using a CD/DVD to fix it), on startup the MBR gets reinfected again, and again and again. The registry key and/or random file has to be dealt with first, before dealing with the MBR, otherwise you would be going around in circles somewhat.


They never give up, do they?

Just like aftershocks :smileyvery-happy:

Quads

For Peter

FixTDSS did not find or detect the infected MBR (Boot.Tidserv); here is a screenshot, and the 2 logs are attached. I downloaded FixTDSS from Symantec's download page again this morning in case it was updated during my night time.

FixTDSS2.1.2.jpg

Quads

Okay, I'm new here... obviously since this is my first post.

NIS is telling me that I've got Boot.Tidserv on my computer (Windows 7 64)... can't remove it...

Tried FixTDSS and NPE: both said there is "no infection", yet every time the computer boots Norton pops up stating it's still there.

There are NO other signs/symptoms that I'm aware of, but I'm scared to do anything with a password (like online financial work) in case someone somewhere is able to access this information.

What next?

Run TDSSKiller 2.5.0.0. FixTDSS does not detect Tidserv (the newer variants) on my PC.

Quads

THANKS! That worked... I did have to clear the history in Norton to stop it from warning.

Because you used another program to cure TDL4 (Boot.Tidserv) rather than having Norton do the curing, Norton still has the Unresolved Threat listing.

The same listing would still have been there if it was FixTDSS that cured the bootkit instead.

The problems with FixTDSS have been looked into over the last few days.

Quads

There are now other rootkit groups that have found a way to infect x64 systems (like Max++, ZeroAccess).

Quads

Some very interesting, and highly technical, information on Max++ here:

http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/

http://resources.infosecinstitute.com/zeroaccess-malware-part-2-the-kernel-mode-device-driver-stealth-rootkit/

Quads is probably the only one of us that actually understands it. :smileytongue:

We have had Max++ infected users turn up on this forum in the past.

Quads

Hi Guys

The latest version of NPE Beta can detect and cure the MBR infected with TDL4 (TDSS / Boot.Tidserv).

On the NPE download page, further down the page, select the Beta version to download. When downloaded you should have the file NPE-Beta.exe, version 2.0.0.51.

NPE-Beta.jpg

After starting NPE, select Scan for Risks, then choose Include Rootkit Scan and click Restart.

NPE Rootkit scan.jpg

NPE will now restart your computer. On the restart NPE will carry on through the process and run a scan.

After the scan has finished you will see a list of Risks, including False Positives; I have left the False Positives in the screenshot below so users can see them.

TDL4 -1.jpg

The TDL4 / TDSS / Tidserv detection listed above is the first one listed, as PhysicalDrive# (# = the hard drive number: 0, 1, 2, etc.).

Have this selected / ticked to fix, as I have above, and then click FIX.

File Details

TDL4 -2.jpg

After clicking FIX, NPE will notify you that it's about to remove the Risk... which had my eyes open further. Don't worry, it's just a wrong choice of word for this fix; it should be Repair, Cure or Disinfect.

After probably restarting the computer again, NPE will show the Results after the restart.

TDL4 -3.jpg

Once again, don't worry about the wording of Removal or Removed. You can now click DONE.

Quads

The release version of NPE 2.0 is now available at:

http://security.symantec.com/nbrt/npe.aspx?lcid=1033

An update to the fix tool, FixTDSS.exe, has also been posted at:

http://www.symantec.com/security_response/writeup.jsp?docid=2010-090608-3309-99

Both have new anti-Tidserv features.

Thanks, Peter.

Quads

Peter --

I've run the new NPE and got a couple of false positives that I knew must be false, but a user in N360, at my suggestion, has run it and got two (different) flagged files that he fixed, and now some of the PC doesn't work...

Could you have a look?

http://community.norton.com/t5/Norton-360/tech-support-scam-advice/td-p/469426/jump-to/first-unread-message

As you'll see, it was done with eyes open, and given the second report, which seemed to say they were OK, as mine did, I would not have told it to Fix... maybe it needs a little advisory warning there?

I'm waiting to hear what the restore function does in NPE.

There is a warning on the download site about NPE and False Positives.

Quads

Yes -- and I don't know why the user used FIX when the report back from the second stage was apparently benign, but we users do things that try the patience of programmers... they really need to have a team of what my father used to call "idiot boys" around to try the programs out <s>

http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot

Quads

There are now TDL variants out there that NPE can't detect, or who knows what it will do to the detected driver, as it's an unsupported Tidserv.

I tried a TDL3 variant where NPE could find the driver involved, but when I tested with the standalone FixTDSS, which is in NPE, this was the result:

unsupportTDL.jpg

So I'm unsure what NPE, which uses FixTDSS, will do when standalone FixTDSS couldn't.

With the other variant I tried, FixTDSS could detect "redbook.sys" and correctly cure the driver, but when trying it with NPE, NPE didn't list the file after the scan.

So be careful.

Quads

I tried the new TDL modification and it won't infect my system. BUGGER :smileysad: :smileysad: :smileysad:

Quads

It's scared of you, Quads. :smileytongue: