
Having trouble removing Trojan Horse?

Updated: 21 May 2010 | 11 comments
froggie427 (0 votes)

I've been finding DWH**** files on my computer the past few weeks. Altogether I've found about 20 in that whole time. I've gone through the steps I've found in other posts and have hopefully removed these. However, I've now found a file called chcc3tm.exe. It was in my downloads folder and is only about 1 kb in size. Symantec is not letting me delete it from quarantine, and I've tried to delete them straight from my downloads folder (from the bottom up so they wouldn't replicate). Is it really gone now or is there something else I need to do?

Comments

greynolds555, 18 Aug 2008 (0 votes)

Have you tried deleting it from safe mode?

jeffw3030, 30 Sep 2008 (0 votes)

I have this virus now too. Were you able to find a solution? Thx, Jeff

jace5869, 02 Oct 2008 (0 votes)

Here is what I usually do...

I download AutoRuns from http://live.sysinternals.com and I download and install Unlocker (current version).

I reboot in Safe mode and open up AutoRuns, make sure Unlocker is running, and open up a couple instances of Windows Explorer.

Open Task Manager and kill Explorer.exe (helps stabilize the system if any viruses are hooked to it... you will not have a Taskbar!)

Navigate to the root of your drive (i.e. C:\), and navigate to the Windows directory AND the Windows/System32 directory.

Next go to View -> Details, then click on 'Date Modified' so you can sort them... You want to scroll all the way to the bottom and take a look at anything created in the past 2-3 days, or any random files created within seconds/minutes of each other.

Also look for any files like this:

explorer.exe
explorer .exe <-- There is a space

explorer.exe
explorer_.exe <-- There is an underscore

You want to delete the regular named one, and modify the second one to be named correctly... Like so:

explorer.exe <-- Delete
explorer .exe -> Rename -> explorer.exe <-- No space (hard to see I know)

Okay, once you delete any files created within the past 2-3 days (excluding *.txt, *.tmp, and *.inf files -- harmless usually),

you want to go to AutoRuns and refresh to take a look at what loads up with your system... You should notice several "Image Not Found" if your system is suspected to be badly infected. You can right click these and Delete (also uncheck them if they are checked). Go through each of these tabs and clean them up.

You will also want to go through the Start-up entries and look for suspicious looking files loading up out of the Windows, Windows/System32, Documents and Settings, or Temp folders.

Something suspicious would be like:

ffkkeechyyl.dll File Path: C:\Windows\System32

You may also see stuff trying to load up from the Fonts directory -- big no no...

Check that folder out as well and clean as necessary.

This should help you with most infections... Then run your scanners... And remember your online scanners too.

Landplanner, 04 Oct 2008 (0 votes)

On 10/2/2008 I got socked with a very persistent Trojan attack. Symantec 10.1 always grabbed it when it initiated from my computer but could never find where it resided on my system (numerous full scans).

It all started when my computer would boot up, and Windows (XP 5.1 svc pk3) Security Center would report that the firewall was not on. I would restart the firewall, then before very long the Viruscan would pick up various Trojans that were attempting to run [Trojan Horse, Trojan.Adclicker, Trojan.KillAV, Trojan.Fakeavalert, Trojan.Flush.G, Backdoor.Tidserv, and Packed.Generic.188].

I would delete the trojan, run a quick scan, then reboot, always with the same results.

I found that updater was disabled, so I reloaded it and got the latest signatures 10/3/08. The only thing that changed after the new signatures was that the firewall stopped getting disabled.

I then joined Microsoft's SpyNet (Advanced membership) and after Symantec picked up another trojan working from my PC, I kicked on Windows Defender and saw an "Unknown" name, with an unknown alert level requesting permission to act, but there were 16 instances of it. In the detail area this information was displayed:

Resources:
file: C:\WINDOWS\tasks\At28.job
file: C:\WINDOWS\system32\VobF6eWo.exe
taskscheduler: C:\WINDOWS\tasks\At28.job
Category: Not Yet Classified

First I ran a complete scan, but Symantec found nothing. Then I went to the System32 directory and saw that the VobF6eWo.exe file (81KB) had today's date on it. In the task directory were 16 tasks scheduled to run approx every hour. I searched the web for the exe file name, which returned nothing. So I removed the exe file to a quarantine directory, along with all files in the System32 directory with the same date [48r57yS.exe (30KB), 48r57yS.exe.a_a (0KB)], and deleted all the .job task files (I have no standing tasks, so all these were suspicious).

I've rebooted twice and re-run the full scan, and things now seem to be clean.

jace5869, 04 Oct 2008 (0 votes)

Landplanner please follow the below instructions, I believe you may have a new type of rootkit.

 

  1. Open up Device Manager
  2. Click 'View' and select 'Show Hidden Devices'
  3. Expand the 'Non-Plug and Play' Drivers category
  4. Right-click and 'Disable' clbdriver, tdsserv, and/or seneka.sys
  5. Restart machine
  6. After restart, go back to Device Manager and Right-Click 'Uninstall' the above drivers
  7. Navigate to 'C:\Windows\System32\Drivers' folder and delete these files if they exist (They will be hidden, so show hidden files).
  8. Navigate to System32 directory and Sort By Date and remove any recently modified traces of files that resemble clb*.*, td*.*, and seneka*.* or any suspicious looking *.exe's/*.dll's modified in the past 24 hours.
  9. Run full updated antivirus scan
  10. If needed go to nanoscan.com and run online scanner
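
The manual checks in jace5869's two posts (lookalike names such as "explorer .exe", files modified in the last few days, AutoRuns entries with "Image Not Found" or loading from Fonts/Temp, the clb*/td*/seneka* driver names) and the pattern Landplanner found (sixteen At*.job tasks all running one executable in System32) can be run as a review script over a directory listing instead of by eye. The following is an added example written for this page, not code from the thread or from Symantec. The listing, AutoRuns entries, task list and timestamps are constructed; the odd file names are the ones quoted in the thread, and the Fonts-folder image name is hypothetical. It only reports findings and deletes nothing, so the "delete the recent files" step stays a human decision.

```python
# Added example, not code from the thread or from Symantec: offline triage
# helpers for the manual checks described in the posts above. All listings,
# paths and timestamps are constructed sample data.
from datetime import datetime, timedelta
from fnmatch import fnmatch
import os

# Binaries that malware commonly imitates with a near-identical file name.
KNOWN_SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}
# Extensions the post treats as usually harmless when recently modified.
USUALLY_HARMLESS = {".txt", ".tmp", ".inf"}
# Name patterns from the rootkit removal steps.
ROOTKIT_PATTERNS = ("clb*.*", "td*.*", "seneka*.*")
# Locations a legitimate autorun entry almost never loads its image from.
RISKY_LOAD_DIRS = (r"\windows\fonts", r"\windows\temp", r"\local settings\temp")


def canonical_name(filename):
    """Strip spaces, underscores and hyphens from the stem: 'explorer .exe' -> 'explorer.exe'."""
    stem, ext = os.path.splitext(filename.lower())
    return "".join(ch for ch in stem if ch not in " _-") + ext


def find_lookalikes(listing):
    """Names that collapse to a known system binary but are not spelled exactly like it."""
    return sorted(name for name, _ in listing
                  if canonical_name(name) in KNOWN_SYSTEM_BINARIES
                  and name.lower() not in KNOWN_SYSTEM_BINARIES)


def recently_modified(listing, now, days=3):
    """Files modified inside the window, skipping the extensions the post treats as noise."""
    cutoff = now - timedelta(days=days)
    return sorted(name for name, mtime in listing
                  if mtime >= cutoff
                  and os.path.splitext(name.lower())[1] not in USUALLY_HARMLESS)


def rootkit_name_matches(listing, now, hours=24):
    """Recent files matching clb*/td*/seneka*; recency matters, 'td*.*' alone also hits old tdi.sys."""
    cutoff = now - timedelta(hours=hours)
    return sorted(name for name, mtime in listing
                  if mtime >= cutoff
                  and any(fnmatch(name.lower(), p) for p in ROOTKIT_PATTERNS))


def suspicious_autoruns(entries):
    """Autorun entries whose image is missing or loads from the Fonts or Temp folders."""
    flagged = []
    for entry, image_path in entries:
        path = image_path.lower()
        if path == "image not found" or any(d in path for d in RISKY_LOAD_DIRS):
            flagged.append(entry)
    return sorted(flagged)


def task_clusters(tasks, min_count=2):
    """Group scheduled tasks by the image they run; many jobs for one exe is a persistence pattern."""
    by_image = {}
    for job, image in tasks:
        by_image.setdefault(image.lower(), []).append(job)
    return {image: sorted(jobs) for image, jobs in by_image.items() if len(jobs) >= min_count}


# Constructed sample data standing in for a System32 listing, AutoRuns output
# and the Tasks folder on the day of the posts above.
NOW = datetime(2008, 10, 4, 12, 0)
OLD = datetime(2008, 4, 14, 0, 0)               # a normal install-time timestamp
SYSTEM32_LISTING = [
    ("kernel32.dll", OLD),
    ("tdi.sys", OLD),                           # matches td*.* but is old
    ("explorer .exe", NOW - timedelta(hours=2)),
    ("explorer_.exe", NOW - timedelta(hours=2)),
    ("VobF6eWo.exe", NOW - timedelta(hours=5)),
    ("48r57yS.exe", NOW - timedelta(hours=5)),
    ("tdsserv.sys", NOW - timedelta(hours=6)),
    ("setuplog.txt", NOW - timedelta(hours=1)),  # recent but a harmless extension
]
AUTORUN_ENTRIES = [
    ("Logon: Userinit", "Image Not Found"),
    ("Run: ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("Run: fontloader", r"C:\WINDOWS\Fonts\fontldr.exe"),   # hypothetical image name
]
TASKS = [(f"At{i}.job", r"C:\WINDOWS\system32\VobF6eWo.exe") for i in range(13, 29)]
TASKS.append(("Backup.job", r"C:\Program Files\Backup\backup.exe"))


def triage(listing=SYSTEM32_LISTING, autoruns=AUTORUN_ENTRIES, tasks=TASKS, now=NOW):
    """Run every check and return the findings for review (nothing is deleted)."""
    return {
        "lookalikes": find_lookalikes(listing),
        "recent": recently_modified(listing, now),
        "rootkit_names": rootkit_name_matches(listing, now),
        "autoruns": suspicious_autoruns(autoruns),
        "task_clusters": task_clusters(tasks),
    }


if __name__ == "__main__":
    for check, result in triage().items():
        print(f"{check}: {result}")
```

On a real machine the listing would come from `os.scandir` over System32 and the Tasks folder, and the AutoRuns pairs from an AutoRuns CSV export; the checks themselves are unchanged. The recency filter is what keeps the `td*.*` pattern from flagging legitimate old drivers, which is why the rootkit check takes a window rather than matching names alone.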

rontl, 05 Nov 2008 (0 votes)

Are you out of your MIND?  THIS is how symantec tells me I should fix the problem of my anti-virus software mistaking itself for a virus?  What kind of customer service is THAT?  I've found fixes that seem quite easy to implement, if I were running v11, which I'm not.  And frankly, if my AV software can't tell the difference between itself and a virus, I'm not sure I want to throw good money after bad to buy the newer version.  Isn't there any other way to fix this?  I'm running 10.2 in Vista.

richyoung87@hotmail.com, 17 Jun 2009 (0 votes)

Reoccurring Trojan Horse In Endpoint

I'm new at this and need HELP!! I have a Trojan file that's found in my Endpoint xfer file. When I run full scan it doesn't detect it, so I can't do the removal procedures with REGEDIT / Win.ini / sys.ini... The file starts with 4a277xxx.tmp and runs every 15 seconds. I changed my actions to delete on first action, but it defaults to quarantine. It's been doing this for a long time.

How do I get rid of it and/or stop it?

Thanks

ian@weyer.co.za, 05 Aug 2009 (0 votes)

BACKDOOR.TIDSERV

I have a machine infected with the backdoor.tidserv virus/trojan. Norton picks it up, but is unable to remove it. I have tried some of the suggestions mentioned here, without any success.

None of the other machines on my network are infected.

Any suggestions?

Paul Mapacpac, 05 Aug 2009 (0 votes)

Re

Hi froggie and richyoung! I suggest you download and run the Loadpoint Diagnostic Tool from Symantec and attach the logs here.

Peterpan, 06 Aug 2009 (1 vote)

Check the startup from msconfig

Check the startup from msconfig, disable unnecessary startup items, delete files in the temp folder, then reboot.

:-)

Senrats, 19 Oct 2009 (0 votes)

Solution from Symantec...

Document ID: 2007111911135548

Solution:
This problem is fixed in Maintenance Patch 2 of Symantec Endpoint Protection Maintenance Release 4 (11.0.4202.75). You can apply this patch over Symantec Endpoint Protection MR4 or MR4 MP1.

Please refer to the product Download page to obtain the update:
http://www.symantec.com/business/support/downloads.jsp?pid=54619

If you are unable to migrate up at this time, here are workarounds that should alleviate the issue. These are listed in order of preference.

  1. Disable rescanning of quarantine upon receipt of new virus definitions.
  2. Ensure no process or services (such as Windows Indexing Service for example) can access/monitor our files.
  3. Ensure that the %TEMP% folder is not open during the receipt of virus definitions and scanning of the quarantine.
  4. Restart in safe mode, deleting DWH files in the temporary folder, cleaning the quarantine folder.

"Trust, but verify."