Endpoint Protection


How to fix Backdoor.Tidserv!inf

Migration User, Sep 24, 2010 12:34 PM

  • 1.  How to fix Backdoor.Tidserv!inf

    Posted Feb 03, 2010 04:30 AM

    Hi,

    I am using Symantec AntiVirus and it has detected "Backdoor.Tidserv!inf" and is unable to fix it. I have had this problem for the last month. The system is scanned on a daily basis and I always get the same Backdoor.Tidserv!inf pop-up saying it is unable to fix it.

    -----------------------------------------------------
    Risk: Backdoor.Tidserv!inf

    Action: Left alone

    File: atapi.sys

    File location: C:\WINNT\system32\drivers\
    -----------------------------------------------------


    How to fix this issue?

    Thanks

     

    -----------------------------------------------------------------------------------------

    It might be worth mentioning here that last month I had a lot of problems with malware and Google links; links were redirecting to different sites and I tried different malware removers but had no luck, so finally I fixed that issue after following these steps:

     

    1- Download TDSSKILLER from following link

    http://support.kaspersky.com/viruses...?qid=208280684

    2- Unzip the folder and put both the exe and txt files on the desktop, not in any folder.

    3- Click Start > Run and copy/paste the following bold command into Run box and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -v

    4- It will take a few seconds to scan the necessary files and might ask you to reboot your system in case it finds any error.

     

    After that everything was okay. No problem at all. But now I just have this one problem.

     

    ----------------------------------------------------------------------------



  • 2.  RE: How to fix Backdoor.Tidserv!inf

    Posted Feb 03, 2010 10:29 AM


  • 3.  RE: How to fix Backdoor.Tidserv!inf

    Posted Feb 15, 2010 08:55 PM
     Hello - I also am receiving messages from Antivirus 10.1.4.4000 that it is finding Backdoor.Tidserv!inf but the action is Left Alone (Action Taken: clean failed: quarantine failed: Access Denied).  I followed the removal instructions found on this forum along with the final step to expand adapi32.dl_ - restarted my system and the same warning is popping up.  I am using XP Pro.  Any other suggestions on how to remove it?  Thanks much.


  • 4.  RE: How to fix Backdoor.Tidserv!inf

    Posted Feb 15, 2010 10:14 PM
    This is the TDL/TDSS rootkit, not sure which version but I'm 100% sure that's it. Use Hitman Pro to clean it; currently it's the only program that detects AND removes all versions, including the latest 3.25 version that got released today.
    http://www.wilderssecurity.com/showthread.php?t=265202 


  • 5.  RE: How to fix Backdoor.Tidserv!inf

    Posted Feb 16, 2010 01:50 AM
    Hitman Pro didn't remove it either - it recognizes a Rootkit in iaStor.sys and tries to rid my system of it but whenever I start my computer I get a Symantec AntiVirus Notification:

    Scan type:  Auto-Protect Scan
    Event:  Risk Found!
    Risk: Backdoor.Tidserv!inf
    File:  C:\WINDOWS\system32\drivers\iaStor.sys
    Location:  C:\WINDOWS\system32\drivers
    Computer:  TABLET
    User:  TABLET\Owner
    Action taken:  Clean failed : Quarantine failed : Access denied
    Date found: Monday, February 15, 2010  10:48:24 PM

    Any more tips?  Thanks in advance.


  • 6.  RE: How to fix Backdoor.Tidserv!inf

    Posted Feb 16, 2010 12:07 PM
    Disable SEP on-access when you do a Hitman scan and removal, it needs to have full access to file and SEP is most likely blocking it. 


  • 7.  RE: How to fix Backdoor.Tidserv!inf

    Posted Feb 16, 2010 08:18 PM
    Thanks much Dimitri!  That did the trick - really appreciate your help - hope some good Karma comes your way!  D.


  • 8.  RE: How to fix Backdoor.Tidserv!inf

    Posted Feb 16, 2010 10:18 PM
    Not me, I have nothing to do with Hitman, just a happy user who's passing the info along. :-) Glad I could help!


  • 9.  RE: How to fix Backdoor.Tidserv!inf

    Posted Feb 18, 2010 06:02 PM
    Try to use Process Explorer. I think you must also terminate the running application. I don't know the exact application of the said virus because I've never encountered it, yet.
    The track of the virus must be under the Explorer.exe folder. Then try to delete it manually.


  • 10.  RE: How to fix Backdoor.Tidserv!inf

    Posted Feb 18, 2010 08:53 PM
    Thanks for the tip - I am running Process Explorer but all processes running under explorer.exe look OK from what I can see.  Don't see any processes that use the A0000037.sys file. 

    One strange thing that just happened is when I opened a new tab on Firefox to check my Gmail -- I typed www in the address field to bring up recent entries and then cursored down the list and selected www.gmail.com -- as soon as I clicked on www.gmail.com to open it, Symantec popped up again with a notification of the same virus and file name A0000037.sys.  So I'm not sure if it is tied to Firefox or if it was just a coincidence that caused an event for Symantec to detect.  

    Don't know where to go from here...


  • 11.  RE: How to fix Backdoor.Tidserv!inf

    Posted Feb 18, 2010 08:54 PM
    Darn - after it appeared that Hitman had successfully cleaned it, I just received another notification from Symantec today that it detected Backdoor.Tidserv!inf

    in file: A0000037.sys

    at location: C:\System Volume Information\_restore{736B8453-93FE-477D-9F4C-E9DBA07C5B6E}\RP1\

    action: Left Alone

    So it looks like the virus may have moved to the restore area?

    Any other tips would be appreciated on how to get rid of this bugger!  Thanks, D.


  • 12.  RE: How to fix Backdoor.Tidserv!inf

    Posted Feb 18, 2010 10:02 PM
    First of all, disable System Restore, reboot and run a Hitman scan once more and see what it finds. It looks like it's loading via Firefox in the form of an add-on. I suggest you disable any Firefox add-ons and retry the scan once more.
     


  • 13.  RE: How to fix Backdoor.Tidserv!inf

    Posted Mar 11, 2010 09:25 PM
    dimitri:  Where can I get the Hitman to get rid of the Backdoor.Tidserv!inf in my PC?  I tried the Symantec suggested method of using Windows Recovery Console method, but it couldn't find the nvgts.sy_ file inside the folder of i386 of the recoverable XP CD that came with the PC to replace the infected nvgts.sys file under the folder System32\drivers when I typed "expand d:\i386\nvgts.sy_" (d is the location of the recoverable XP CD) .  Please advise.
    Thanks a lot


  • 14.  RE: How to fix Backdoor.Tidserv!inf

    Posted Mar 11, 2010 11:31 PM


  • 15.  RE: How to fix Backdoor.Tidserv!inf

    Posted May 30, 2010 08:33 AM

    Help, please! My computer has been infected by Backdoor.Tidserv!inf for several weeks now and it is giving me a lot of trouble. I have Windows Vista and it crashes now whenever I try to start it in normal mode, so I can only start Windows in safe mode. I guess it is Backdoor.Tidserv!inf that makes Windows crash. Another thing is that most of the programs I try to install in safe mode do not work because it says that the InstallShield wizard is not available in safe mode. I have tried Hitman; it detects the files infected by Backdoor.Tidserv, but cannot fix them.

    I really need your help,

    Thx


  • 16.  RE: How to fix Backdoor.Tidserv!inf

    Posted Jun 24, 2010 11:30 PM
    OK, so I also have the Backdoor.Tidserv!inf virus on my computer. I tried following the Symantec removal instructions shown on the website and that got me nowhere. I have since tried to use the latest version of Hitman Pro without any results either:
    - Norton has detected the Backdoor.Tidserv!inf virus on my computer but is unable to remove it
    - disabled System Restore and Norton AntiVirus and then ran Hitman Pro V3.5, but Hitman does not detect the Backdoor.Tidserv!inf and therefore does not delete anything

    Does anyone know a reason for this? any help would be much appreciated


  • 17.  RE: How to fix Backdoor.Tidserv!inf

    Posted Jun 25, 2010 11:20 AM

    Try running the Norton Power Eraser Tool to remove this threat.

    Note that the Norton Power Eraser uses aggressive methods to detect these threats, there is a risk that it can select some legitimate programs for removal. You should use this tool very carefully, and only after you have exhausted other options.

    http://security.symantec.com/nbrt/npe.asp?lcid=1033&origin=default

    Let us know the outcome.

    Thanks,
    Thomas






  • 18.  RE: How to fix Backdoor.Tidserv!inf

    Posted Jun 27, 2010 09:37 PM

    Norton Power Eraser was also unable to detect the Backdoor.Tidserv!inf and so did not remove it. Any ideas why a full system scan would show the virus but neither Norton Power Eraser nor Hitman Pro could detect it?
    thanks for the help either way


  • 19.  RE: How to fix Backdoor.Tidserv!inf

    Posted Jun 30, 2010 01:38 PM
    I started having this same problem about 2 days ago -- Norton 360 detected this backdoor.tidserv thing and told me to manually remove it.   The instructions on how to do so were basically to turn off system restore and run a full scan.   No result.  Lather, rinse, repeat.

    An on-line help support was less than useful.   The technician ran the Power Eraser, which deleted two of my paid-for applications despite my objection.   He claimed there was no alternative, since those were infected with something.    The entire process took a couple of hours.   

    The following morning, the machine starts up but then presents a black screen.   It will boot into safe mode, but that's as far as it goes.   Now what????

    I would probably have been better off leaving it alone and am less than happy about Norton's tech support right now.


  • 20.  RE: How to fix Backdoor.Tidserv!inf

    Posted Jun 30, 2010 04:53 PM
    From the Security Response writeup on this threat: "Backdoor.Tidserv!inf is a detection for system files infected by Backdoor.Tidserv."  (emphasis mine)

    What this is really saying is: this is an informational detection letting you know that a Windows system file has been modified.  Its removal by an antivirus product would render the system unusable.  On the Backdoor.Tidserv!inf removal instruction page, step #1 is to replace the files identified as being infected via Windows Recovery Console (XP).  Why this doesn't work for some XP disks, I don't know.  It's possible that recovery disks that come with some systems for whatever reason don't allow it.  I would consult with Microsoft documentation for issues related to system file recovery.

    (Since System Restore is a protected area of the computer, antivirus programs can alert you to an infected file there, but can't do anything about it.  One of the steps in the removal process for most threats is to disable System Restore... this is to flush out restore points that might hold infected files.)

    As far as big picture goes, unfortunately, any machine that's had a backdoor infection (or an infection with backdoor capabilities) cannot be trusted to be 100% secure again. 

    Title: 'Backdoors and What They Mean to You'
    Document ID: 2008120313315548
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008120313315548

    sandra


  • 21.  RE: How to fix Backdoor.Tidserv!inf

    Posted Jul 02, 2010 12:28 AM
    We spent about three days trying to find a good removal solution to no avail.  ("How are your tids today?")  The quickest solution is probably to have a good backup of your data files and re-install the operating system.  We ultimately moved from Win XP Pro to Win 7 on one box and ordered a new machine for the second box.  Our technician said that Win 7 should not be susceptible to the problem.

    We talked to half a dozen people in India on our service contract and to engineers in Oregon until all of us were probably equally tired of the matter.  We keep almost everything on a server that has a daily backup, and only two workstations (Win XP Pro) had the problem.  None of the Win 7 workstations had the problem.

    At the time of the infection, one of the programs that appeared to be loading before we pulled the power plug was called something like "NoSym".  I wonder what that stood for . . . .

    In our attempts to remove the malware, we found numerous suspicious files that were removed and the IP address in Russia that was identified was partially blocked, but it came back with a slightly different number.  The browsers on the affected machines were redirected to worldcup sweepstakes websites and surprise, surprise, computer antivirus and registry protection companies.

    Please post any  solutions that are faster than using a disk re-format or recovery that removes all application programs.  Thanks.


  • 22.  RE: How to fix Backdoor.Tidserv!inf

    Posted Jul 02, 2010 10:07 AM

    @ lwmosher, Try using the Symantec Endpoint Recovery Tool to remove this threat. For more information see - https://www-secure.symantec.com/connect/forums/w32downadupb-infection#comment-4164991

    Keep us updated on your progress.

    Best,
    Thomas


  • 23.  RE: How to fix Backdoor.Tidserv!inf

    Posted Jul 03, 2010 02:00 PM
    I have been trying to clean a machine infected with Backdoor.Tidserv!inf using the SEP Recovery Tool, but sadly it couldn't.
    I am going to try some of the other solutions suggested on the thread.


  • 24.  RE: How to fix Backdoor.Tidserv!inf

    Posted Jul 03, 2010 10:02 PM
    We tried this on both infected machines more than once without success under the directions of the people at Symantec.  No luck.  The problem is apparently that the malware is in windows/system32 and is difficult to remove without disrupting the operating system.


  • 25.  RE: How to fix Backdoor.Tidserv!inf

    Posted Jul 20, 2010 06:21 PM
    I paid $99.99 to Norton for premium remote service to fix this virus.  We started last week and it came back.  We are now on day 2 of Norton remotely accessing my computer to diagnose and fix the problem.  They have invested at least ten hours so far in trying to resolve the issue.  We are still in process, however.  We'll see what happens and I will keep you posted.


  • 26.  RE: How to fix Backdoor.Tidserv!inf

    Posted Jul 21, 2010 10:37 AM
    From the document, emphasis mine:

    Title: 'Backdoors and What They Mean to You'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008120313315548

    ------

    Backdoors are a particular method for malicious code to affect your computer.  Malware with backdoors can permit unauthorized users to perform actions on your system that you may not wish.  In short, if your computer has hosted malware with a backdoor component, the computer's security integrity has been compromised as there is no means for confirming if the backdoor has been actively used but the potential is present.

    Removing the malware from your system is an excellent first step and is only a short-term means for addressing the situation.  Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system.

    Some effects possible using a backdoor include:
    • new users/groups added
    • additional programs loaded
    • new shares established
    • permissions altered/increased
    • data altered
    • core operating system functions could be altered
     
    There are only a few ways to return a compromised system to a confident security configuration.  These include:
    • Reimaging the system
    • Restoring the entire system using a full system backup from before the backdoor infection
    • Reformatting and reinstalling the system

    Installing a new version of the operating system over the compromised operating system is not a good solution as files may have been altered that could affect the new system.  Even copying business critical information from a compromised system is a risk as that data may have been altered in some manner by use of the backdoor.


  • 27.  RE: How to fix Backdoor.Tidserv!inf

    Posted Sep 24, 2010 12:34 PM

    What is SEP? And how do you disable it?



  • 28.  RE: How to fix Backdoor.Tidserv!inf

    Posted Sep 24, 2010 12:37 PM

    Please start a new thread with your questions.

     

    Thanks,

    Thomas



  • 29.  RE: How to fix Backdoor.Tidserv!inf

    Posted Oct 05, 2010 01:22 PM

    I pull out the drive and hook it up to another machine and run a virus scan on c:\windows\system32\drivers. Let SEP tell me what file is corrupt. Delete it and copy over a new one from another machine. Works every time. Just make sure System Restore is disabled.



  • 30.  RE: How to fix Backdoor.Tidserv!inf

    Posted Oct 13, 2010 07:54 PM

    How big a risk is this virus?

    Also, you said, "Even copying business critical information from a compromised system is a risk as that data may have been altered in some manner by use of the backdoor."  I have copied, I believe, all my important data from this hard drive.  What kind of files can't I trust?

    If I format the hard drive, should I then be secure?

    I have already placed a fraud alert with one of my financial institutions.



  • 31.  RE: How to fix Backdoor.Tidserv!inf

    Posted Dec 05, 2010 01:25 PM

    Hi,

    I'm Graig from Haiti, my problem is:

    I run Symantec AntiVirus; every time I try to scan my PC it detects a virus called Backdoor.Tidserv!inf that infects my system files like c\windows\system32\drives\atapi.sys.

    I tried everything I could to get rid of it, so that's hopeless, and the worst is that every time I try to do something that requires some resources, like a full scan or installing software, my PC automatically gets shut down. Even when I try to format the PC to get a new Windows installation the virus refuses by shutting down the computer. It seems the virus has total control of what I am doing on my laptop.



  • 32.  RE: How to fix Backdoor.Tidserv!inf

    Posted Dec 05, 2010 04:15 PM

    The atapi.sys file is a critical Windows system file, so it is always locked and cannot be cleaned, even in safe mode, for this reason.

    What you have to do is pull the hard drive, connect it to another system and replace atapi.sys with a known good one.



  • 33.  RE: How to fix Backdoor.Tidserv!inf

    Posted Dec 15, 2010 09:46 PM

    graig,

    Symantec has a recovery tool that should be effective against most varieties of tidserv.

    http://www.symantec.com/security_response/writeup.jsp?docid=2010-090608-3309-99

    In most cases, the original driver file can be restored because the malware itself presents an uninfected image to the operating system.

    The fact that your anti-virus can detect the infection suggests that this "clean" image is not available. The repair tool may fail to fix the file. (Even if the tool fails, the malware will be temporarily disabled until the next reboot so you might be able to manually replace the infected driver during this interval.)

    If you are not able to repair the driver using the tool, use the procedure described lower down on the same page under "Manually restoring infected drivers" using your Windows distribution medium.

    If you're really ready to reformat your drive, you should be able to configure your BIOS to boot directly from your Windows distribution medium. Malware cannot prevent this operation.
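    An added example, not code from the thread or from Symantec, for the offline check that posts 29, 32 and 33 describe (pull the drive, scan it from a clean machine, replace the infected driver with a known-good copy). It assumes the suspect disk is mounted on a clean machine as E:, a reference copy of the drivers from a clean machine with the same Windows version and service pack sits in C:\ref\drivers, and PowerShell 4 or later is available; the paths and the driver list are placeholders to adjust.

```powershell
# Added example (not from the thread or Symantec): compare drivers on an
# offline-mounted suspect disk against known-good copies and optionally swap
# the bad ones, as posts 29, 32 and 33 describe. Offline on purpose: post 33
# notes the rootkit hands the running OS a clean-looking image of the file.
# Assumptions: suspect disk mounted as E:, reference drivers from a clean
# machine with the same Windows version/service pack in C:\ref\drivers,
# PowerShell 4+ (Get-FileHash).
param(
    [string]$SuspectDir   = 'E:\Windows\system32\drivers',
    [string]$ReferenceDir = 'C:\ref\drivers',
    # drivers named as infected in this thread; add whatever SEP flags
    [string[]]$Names      = @('atapi.sys', 'iaStor.sys', 'nvgts.sys', 'afd.sys'),
    [switch]$Repair
)

function Get-DriverVerdict {
    param([string]$Suspect, [string]$Reference)
    $sHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $Suspect).Hash
    $rHash = if (Test-Path -LiteralPath $Reference) {
        (Get-FileHash -Algorithm SHA256 -LiteralPath $Reference).Hash
    }
    $sig = Get-AuthenticodeSignature -FilePath $Suspect
    # Caveat: XP-era Microsoft drivers are catalog-signed, and the catalogs live
    # on the suspect disk, so NotSigned here is NOT proof of infection. The
    # reference hash is the reliable signal; a Valid embedded signature is a
    # bonus (it means the file on disk was not patched).
    $verdict = 'unknown: no reference copy'
    if ($sig.Status -eq 'Valid') { $verdict = 'embedded signature valid' }
    if ($rHash) {
        $verdict = if ($sHash -eq $rHash) { 'matches reference' } else { 'DIFFERS FROM REFERENCE' }
    }
    [pscustomobject]@{
        Driver    = Split-Path -Leaf $Suspect
        SizeBytes = (Get-Item -LiteralPath $Suspect).Length
        Sha256    = $sHash
        Signature = $sig.Status
        Verdict   = $verdict
        Infected  = ($verdict -eq 'DIFFERS FROM REFERENCE')
    }
}

function Repair-Driver {
    # Keep the bad file for analysis, then drop in the known-good copy.
    param([string]$Suspect, [string]$Reference)
    $backup = "$Suspect.infected"
    Move-Item -LiteralPath $Suspect -Destination $backup -Force
    Copy-Item -LiteralPath $Reference -Destination $Suspect
    "replaced $Suspect (original kept as $backup)"
}

$report = foreach ($name in $Names) {
    $suspect = Join-Path $SuspectDir $name
    if (-not (Test-Path -LiteralPath $suspect)) { continue }  # not every build ships every driver
    Get-DriverVerdict -Suspect $suspect -Reference (Join-Path $ReferenceDir $name)
}
$report | Format-Table Driver, SizeBytes, Signature, Verdict -AutoSize

if ($Repair) {
    foreach ($r in ($report | Where-Object Infected)) {
        Repair-Driver -Suspect (Join-Path $SuspectDir $r.Driver) `
                      -Reference (Join-Path $ReferenceDir $r.Driver)
    }
}
```

    Run it from an elevated prompt on the clean machine, and use -Repair only for a file where the hash mismatch and the SEP detection point at the same driver.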



  • 34.  RE: How to fix Backdoor.Tidserv!inf

    Posted Feb 11, 2011 08:48 AM

    Why are we discussing possible fixes here?  When Norton identifies a threat like this, why isn't there a link to the INSTRUCTIONS THAT WORK?

    People who create these problems--viruses, etc.--need to be lined up and...well, it's what is done to traitors.



  • 35.  RE: How to fix Backdoor.Tidserv!inf

    Posted Feb 11, 2011 09:05 AM

    There is:

    http://www.symantec.com/security_response/writeup.jsp?docid=2008-111113-1112-99&tabid=3



  • 36.  RE: How to fix Backdoor.Tidserv!inf

    Posted Jul 13, 2011 10:03 PM

    Buster, whose post is just a couple above this one, is wrong. The instructions he gives don't work. I suspect, even as an employee, he does not know what he's talking about.

    Does anyone know, if you back up everything and only copy data and program files, other than operating system files, to another machine, whether those transferred files are safe?



  • 37.  RE: How to fix Backdoor.Tidserv!inf

    Posted Jul 14, 2011 01:16 AM

    This is an infection hiding in the System Volume Information..

    Turn-off system restore.

    run a disk-cleanup and remove all the system volume information folders..

    Right click c drive.

    Properties, disk cleanup.

    Look for the options where you see , remove old system restore points.

    then run the cleanup.

    go to msconfig and check if there are any suspicious entries in the startup.

    go to hklm-sw-microsoft-windows-currentversion-run and check if there are any unwanted entries.

    Also in hklm-sw-microsoft-windows-currentversion-run and check if there are any unwanted entries

    and delete them.

    remove all the temporary files from %temp%, temp, prefetch, you can open these folders by

    start-> run -> prefetch      or   %temp%     or     temp

    Reboot the machine in safe mode with networking and run a full scan (in safe mode, right click the drive letter and click scan for viruses).

     

    Good Luck!



  • 38.  RE: How to fix Backdoor.Tidserv!inf

    Posted Jul 14, 2011 01:37 AM

    In the last few steps about the hklm and so on.. there is a typo...

    Please open registry editor.

    Go to hkey local machine and hkey current user     .............. and remaining information is as given above...



  • 39.  RE: How to fix Backdoor.Tidserv!inf

    Posted Jul 14, 2011 01:16 PM

    Does anyone know, if you back up everything and only copy data and program files, other than operating system files, to another machine, whether those transferred files are safe?

    In all honesty, you can't really know. The tool buster mentioned may allow you to clean the detection, but ultimately, you can't know what else may have been changed that you can't detect. Please see the following.

    Backdoors and What They Mean to You
    http://www.symantec.com/docs/TECH91216

    Help: I Got Hacked. Now What Do I Do?
    http://technet.microsoft.com/en-us/library/cc512587.aspx

    The pertinent bit to take away from the bottom of the Microsoft link:

    The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications). Alternatively, you could of course work on your resume instead, but I don’t want to see you doing that.

    sandra



  • 40.  RE: How to fix Backdoor.Tidserv!inf

    Posted Dec 09, 2011 01:25 PM
    I used "momar"'s suggestion below and it worked for me. I had to remove the "-v" from the cmd line.

    1- Download TDSSKILLER from following link http://support.kaspersky.com/viruses...?qid=208280684
    2- unzip the folder and put both the exe and txt files on the desktop, not in any folder.
    3- Click Start > Run and copy/paste the following bold command into the Run box and hit Enter. "%userprofile%\Desktop\TDSSKiller.exe" -v
    4- It will take a few seconds to scan the necessary files and might ask you to reboot your system in case it finds any error.


  • 41.  RE: How to fix Backdoor.Tidserv!inf

    Posted Dec 09, 2011 01:28 PM
    I'm sorry for the typos. Also, you must go to the main web page and drill down to the tool.


  • 42.  RE: How to fix Backdoor.Tidserv!inf

    Posted Dec 12, 2011 03:31 AM

    The TDSS/Alureon rootkit (and its variants) is very dangerous malware, hooking system processes (to acquire higher privileges), injecting code and registering itself as a driver / changing system drivers, for example atapi.sys or afd.sys. Newer versions modify the MBR (Master Boot Record) of the primary hard disk to ensure the malware is loaded first. Newer versions also bring their own filesystem with them, which is unreadable for any OS.

    Every version is able to hide itself and other malware from being detected/removed!

    Every virus scan engine based on definition scans is unable to clean this infection!

    Machines infected by TDL/TDSS/Alureon/Tidserv have to be cleaned manually by a trained malware removal specialist because it is necessary to replace the infected driver files and perhaps repair the MBR.

    If possible: the most secure answer to TDSS is to back up files and completely erase the HD for a reinstall, because of the backdoor functionalities of this malware!

    Regards,

    Marius



  • 43.  RE: How to fix Backdoor.Tidserv!inf

    Posted Dec 13, 2011 01:06 PM

    So practically there's no way of removing this threat other than formatting the computer? Seems to me like a victory for the bad guys. I just got infected with malware, but my SEP managed to remove it with a restart, but now it says that it's removed "partially". What's that supposed to mean?



  • 44.  RE: How to fix Backdoor.Tidserv!inf

    Posted Dec 13, 2011 05:21 PM

    You can remove the threat. You cannot know the extent to which damage was done to the operating system. That is the nature of a backdoor. (See link above in my post from 14 July.)

    Sometimes a restart is needed to remove the detected file.

    What Does "Risk was partially removed" Mean?
    http://www.symantec.com/docs/TECH94475

    BTW, that's an old SAV icon in the top left corner. Which version of SEP are you using, and what is this screen you're displaying?

    sandra



  • 45.  RE: How to fix Backdoor.Tidserv!inf

    Posted Dec 14, 2011 01:29 AM

    It IS possible to remove the created files on your hard disk and the changes made to the registry. But due to the fact that this malware brings backdoor functions with it, you can't ever be sure that there were no changes made to your system which allow attackers to further manipulate the machine (for example by getting remote access...) or mine sensitive data...

    So, if a risky machine is infected (for example, a client that handles personal data or classified information), the best answer will ever be: format c!

    See your screenshot - TDL4 registered itself as a driver service!

    Have a look at this (explains what rootkits are): http://en.wikipedia.org/wiki/Rootkit

     

    Regards,

    Marius
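    An added example, not code from the thread or from Symantec, covering the manual checks posts 37 and 38 walk through (the Run and RunOnce keys under HKLM and HKCU, the msconfig-style Startup folders) together with the driver-service registration post 45 points out in the screenshot. It assumes PowerShell 3 or later, run elevated on the suspect machine; the function names are my own, and the output is a list to compare against a clean machine rather than a verdict.

```powershell
# Added example (not from the thread or Symantec): live-machine autostart triage
# for the places posts 37 and 38 say to check by hand (HKLM and HKCU
# ...\CurrentVersion\Run and RunOnce, the msconfig-style Startup folders) plus
# the driver-service registration post 45 points out. Assumptions: PowerShell 3+,
# run elevated on the suspect machine. Output is a review list to compare against
# a clean machine, not a verdict; see the signature caveat in Get-SignatureHint.

function Resolve-CommandPath {
    # First executable in a Run-key command line, e.g.
    #   "C:\Program Files\x\a.exe" /q  ->  C:\Program Files\x\a.exe
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    $exe = ($cmd -split '\s+')[0]
    $close = $cmd.IndexOf('"', 1)
    if ($cmd.StartsWith('"') -and $close -gt 1) { $exe = $cmd.Substring(1, $close - 1) }
    if (-not [IO.Path]::IsPathRooted($exe)) {            # bare name such as rundll32.exe
        $found = Get-Command $exe -ErrorAction SilentlyContinue
        if ($found) { $exe = $found.Definition }
    }
    return $exe
}

function Get-SignatureHint {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'MissingFile' }
    # Caveat: catalog-signed Microsoft files report NotSigned on PowerShell builds
    # that do not consult catalogs (pre-Windows 8), so NotSigned means "compare
    # with a clean machine", not "infected".
    return (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
}

function New-Entry {
    param($Source, $Name, $Target, $Signature, [bool]$Review)
    [pscustomobject]@{ Source = $Source; Name = $Name; Target = $Target
                       Signature = $Signature; Review = $Review }
}

function Get-RunKeyEntries {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # PSPath etc.: provider noise
            $target = Resolve-CommandPath ([string]$p.Value)
            $sig = Get-SignatureHint $target
            New-Entry $key $p.Name $target $sig ($sig -ne 'Valid')
        }
    }
}

function Get-StartupFolderEntries {
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if (-not $dir) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue) {
            $sig = Get-SignatureHint $f.FullName        # .lnk files always land in the review list
            New-Entry $dir $f.Name $f.FullName $sig ($sig -ne 'Valid')
        }
    }
}

function Get-DriverServiceEntries {
    $driverDir = Join-Path $env:SystemRoot 'System32\drivers'
    foreach ($d in Get-CimInstance Win32_SystemDriver) {
        if (-not $d.PathName) { continue }
        # PathName comes in several spellings: \SystemRoot\..., \??\C:\..., system32\...
        $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
        $sig = Get-SignatureHint $path
        $outside = -not $path.StartsWith($driverDir, 'OrdinalIgnoreCase')
        New-Entry 'Win32_SystemDriver' $d.Name $path $sig ($sig -ne 'Valid' -or $outside)
    }
}

$all = @(Get-RunKeyEntries) + @(Get-StartupFolderEntries) + @(Get-DriverServiceEntries)
$all | Where-Object Review | Sort-Object Source, Name |
    Format-Table Source, Name, Target, Signature -AutoSize -Wrap
```

    Save the same output from a known-clean machine of the same build and diff the two lists; a driver service whose binary lives outside System32\drivers, or a Run entry whose target is missing, is what to look at first.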