Endpoint Protection

  • 1.  Infected with Rootkit.Win32.TDSS.tdl4 (tidserv)

    Posted Sep 17, 2010 10:18 PM

    Using SEP 11.0.6005.562 which gives numerous warnings about HTTP Tidserv requests for internet access.

    Getting numerous browser re-directs & pop-ups (ad pages) symptomatic of this rootkit.

    Downloaded the Symantec FixTDSS.exe removal tool but after execution I just get an infinite re-boot loop until I boot to last known good configuration and then the rootkit is still there (the FixTDSS tool just stalls after the reboot). 

    Also tried the Kaspersky TDSSKiller tool which identifies the Rootkit.Win32.TDSS.tdl4 object in the Master Boot Record, but again is not able to remove it as billed.

    Would be very grateful if anyone has had any success in repairing this rootkit infection. Otherwise I guess it's reformat and re-install Windows XP.


    Many thanks!



  • 2.  RE: Infected with Rootkit.Win32.TDSS.tdl4 (tidserv)

    Posted Sep 18, 2010 12:17 AM

    Try a scan in safe mode. If that does not help, boot from the Symantec recovery CD and perform a scan.

    How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions



  • 3.  RE: Infected with Rootkit.Win32.TDSS.tdl4 (tidserv)

    Posted Sep 18, 2010 02:10 AM

    Look at your risk logs in SEP. Does it show any detections? Could you export the risk logs and post them?

    Also, please tell me what features of SEP you have.

    Also, disable auto-play and system restore.

    Run the SEP support tool with loadpoint analysis selected, save the logs, and post them here...



  • 4.  RE: Infected with Rootkit.Win32.TDSS.tdl4 (tidserv)

    Posted Sep 18, 2010 01:04 PM

    Boot the machine with BartPE or similar PE disk and replace the infected file (atapi.sys?) with a known good one.



  • 5.  RE: Infected with Rootkit.Win32.TDSS.tdl4 (tidserv)

    Posted Sep 19, 2010 05:01 AM

    Dear Surridgn,

    It is easy to fix this. As it is in the MBR, a format might not fix the problem.

    If you use Windows XP, get your Windows XP installation disk, boot from it, start the Recovery Console and fix the Master Boot Sector (MBR). Instructions here (in the middle of the article): http://support.microsoft.com/kb/314058

    If you use Windows Vista or Windows 7, use your Vista/7 installation disk, boot from it, start Computer Repair (tools), open Command Prompt and use the bootrec option. Instructions here: http://support.microsoft.com/kb/927392

    Use Hitman Pro (free program) http://www.surfright.nl/en/hitmanpro to perform scan and fix whatever files might be patched.



  • 6.  RE: Infected with Rootkit.Win32.TDSS.tdl4 (tidserv)

    Posted Sep 23, 2010 11:27 AM

    One of my users managed to get the tdl4 variant. SEP detected but could not clean it. Kaspersky detected it but could not clean it.

    Hitman Pro seems to have worked. http://www.surfright.nl/en/hitmanpro




  • 7.  RE: Infected with Rootkit.Win32.TDSS.tdl4 (tidserv)

    Posted Sep 23, 2010 01:51 PM

    Hitman Pro kills it every time



  • 8.  RE: Infected with Rootkit.Win32.TDSS.tdl4 (tidserv)

    Posted Dec 03, 2010 01:06 AM

    I've seen earlier variants of the Alureon/Tidserv/TDSS, but just ran across TDL4 for the first time today. TDL3 & TDL4 variants infect the master boot record (thus, when you boot your PE disk, the system drive is not seen). I understand that it can even defeat driver signing policy and successfully infects 64-bit versions of Vista and Win 7 as well. Reading this thread I'd have to say Hitman Pro looks like a winner, and comes in 32 and 64-bit flavors. I always use ComboFix when rootkit activity is suspected, but I wouldn't want to try it on a 64-bit OS. I have not seen a rootkit yet that ComboFix couldn't break, and it made fast work of TDL4 on an XP Pro machine. Updating the McAfee AV and performing a full scan successfully cleaned the remnants.
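    Posts 5 and 8 above both point at the master boot record as the place this rootkit lives, and post 5's fix is to rewrite that sector. The following is an added example, not code from this thread or from any of the tools named in it, of a baseline check a responder can run on the first sector of a drive: it parses the 512-byte MBR, verifies the 0x55AA boot signature, compares the boot-code region against a known-good SHA-256 and sanity-checks the partition table. The sample sectors, the baseline hash and the partition layout are constructed here for the demo; on a live Windows host the sector would be read from `\\.\PhysicalDrive0` with administrative rights, and the baseline taken from a clean image of the same machine.

```python
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446      # boot code occupies bytes 0..445
PART_ENTRY_LEN = 16          # four 16-byte entries follow, then the signature
ENTRY_FMT = "<B3xB3xII"      # status, CHS start (skip), type, CHS end (skip), LBA start, sector count

def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into boot-code hash, partition entries and signature check."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFFSET + i * PART_ENTRY_LEN)
        parts.append({"active": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
            "partitions": parts,
            "signature_ok": sector[510:] == b"\x55\xaa"}

def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return the findings a responder would act on; an empty list means nothing suspicious."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from known-good baseline")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    if any(p["active"] and p["type"] == 0 for p in info["partitions"]):
        findings.append("active flag set on an empty partition entry")
    return findings

def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Constructed test helper: assemble a sector from boot code and (active, type, lba, count) tuples."""
    code = boot_code.ljust(PART_TABLE_OFFSET, b"\x00")
    table = b"".join(struct.pack(ENTRY_FMT, 0x80 if a else 0, t, s, n) for a, t, s, n in entries)
    return code + table.ljust(4 * PART_ENTRY_LEN, b"\x00") + b"\x55\xaa"

# Constructed samples: a "clean" sector used as the baseline, and one whose boot code was altered.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", [(True, 0x07, 63, 20_000_000)])
BASELINE = hashlib.sha256(CLEAN_MBR[:PART_TABLE_OFFSET]).hexdigest()
TAMPERED_MBR = build_mbr(b"\xfa\x33\xc0\xe9\x00\x02", [(True, 0x07, 63, 20_000_000)])

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))        # []
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))  # boot code differs from baseline
```

    A hash mismatch alone does not say what the new boot code does, only that the sector is no longer the one you baselined, which is exactly the condition that warrants the fixmbr / bootrec repair and a follow-up scan described earlier in the thread.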



  • 9.  RE: Infected with Rootkit.Win32.TDSS.tdl4 (tidserv)

    Posted Apr 24, 2011 10:28 PM

    My brother's computer got infected with this rootkit. First it was detected by Avast, which only gives you the alert to quarantine or delete, but many attempts never deleted it. Ran ComboFix and it never picked it up... I did try Hitman Pro and it found many bad infections... looks like Hitman Pro did the trick on this particular instance...