Symantec Protection Suites

  • 1.  Backdoor.Tidserv not being removed by FIXTIDSS.exe

    Posted Jan 09, 2011 07:50 PM

    I have spent much of the last two days trying to fix a computer for a neighbor which has a search engine redirection issue that, for all the world, looks like Backdoor.Tidserv. I have tried to follow the instructions that are in the Symantec threat database, including downloading and scanning with the file FixTDSS.EXE.

    The process does not find an infection; however, I am unable to boot the XP installation disc to run the repair console.  The infection has disabled the ability of the CDROM/DVDROM drivers to show the existence of files on the CDROM.  USB port devices are similarly affected.

    Since the neighbor does not use a printer, I have worked around their problem by disabling the print spooler service.  This appears to interrupt the threat's loading pattern.  They are satisfied, but I am not.  It is an older computer, and they are going to replace it when they are able.

    Has this threat evolved beyond last known behavior?  Are there other variants that I should be aware of?

    Any additional information, comments, or experience anyone can share will be appreciated.

    Thanks

    Nathan Manning

    Nashville, TN



  • 2.  RE: Backdoor.Tidserv not being removed by FIXTIDSS.exe



  • 3.  RE: Backdoor.Tidserv not being removed by FIXTIDSS.exe

    Posted Jan 10, 2011 09:32 AM

    Thank you. Yes.

    These are the articles I had already read and attempted to follow.  This is where I downloaded the removal tool that failed to work on this infection.

    Nathan



  • 4.  RE: Backdoor.Tidserv not being removed by FIXTIDSS.exe

    Posted Jan 10, 2011 12:09 PM

    Nathan,

     

    What AV product is your neighbor running? Are they keeping their definitions up to date?

    Is their system fully patched, and all software products updated with the security fixes?

    Make sure they are educated on safe surfing practices.

    You can try running the Norton Power Eraser on the system. This is a good tool to remove threats that traditional virus scanning cannot always detect.

    Note: There is a risk that it can select some legitimate programs for removal. You should use this tool very carefully, and only after you have exhausted other options.

    http://security.symantec.com/nbrt/npe.asp?lcid=1033&origin=default

     

    I would recommend this user install the Norton Safe Web lite product from Symantec.

    Safe Web Lite provides a safer search experience by warning you of dangerous Web sites right in your search results, and the product is free.

    https://safeweb.norton.com/lite

     

    Good luck,

    Thomas



  • 5.  RE: Backdoor.Tidserv not being removed by FIXTIDSS.exe

    Posted Jan 10, 2011 12:48 PM

    Hi Thomas,

    As soon as I removed many of the extraneous programs the infection had installed, so that the computer would stop crawling, I downloaded and installed the Norton Security Suite that is available free to COMCAST customers, which my neighbor and I both are.  I immediately updated the signatures and ran a comprehensive scan which found nothing.  I assumed that the threat had been removed by the removal of the spyware and other bogus software, and the internet add-ins that I had disabled.  However, the Google search redirection persisted in IE 8.

    At that point, I switched the default browser to Chrome, which the user had already installed, checked to see if the behavior continued, and went home (it worked for me??).  I knew I still had a problem, and that is when I began the search for information that led to the articles cited above.

    When I returned the next day the neighbor reported that Chrome had begun to exhibit redirection, and sure enough it had.  I felt confident that the TDSS removal tool would do the job.  So I ran it. It found nothing.  I found that I could not load it from the memory stick I had prepared, or from the floppy I had created, so I had to download it directly to the infected computer from Symantec. (I didn't check the signature, but I was sure I was on your site.)

    When the removal tool failed to find and destroy the infection, I tried to boot from the XP PRO CD and found that the DVD reader driver had been compromised and would not allow this, so I could not run the Repair Console to use fixmbr or to replace the compromised drivers.

    So what do you really think is going on?  Have I misidentified this as Backdoor.Tidserv?  Could it be something else?  It's definitely some kind of rootkit that acts a lot like it.

    Thanks,

     

    Nathan 



  • 6.  RE: Backdoor.Tidserv not being removed by FIXTIDSS.exe

    Posted Jan 10, 2011 12:58 PM

    This could be a new variant. Have you tried going into Safe-mode and running a full scan? If that fails to detect the threat then run the Power Eraser tool and see if anything gets detected.

     

    Here is a good article on Rootkits - Rootkit -- An Intruder Living in your Kernel

    https://www-secure.symantec.com/connect/articles/rootkit-intruder-living-your-kernel



  • 7.  RE: Backdoor.Tidserv not being removed by FIXTIDSS.exe

    Posted Jan 10, 2011 01:38 PM

    Hi Thomas, 

    Yes, that is why I wanted to get to your attention - besides my own discomfort in not beating it.

    Unfortunately, the neighbor was a $30 fix customer ( I am on a fixed income and have put up flyers in my apt complex to make extra money).  I said $30 before I realized what I was actually dealing with. Was pretty sure it was an IE BHO or add-in :( 

    The neighbor does not print, and doesn't use the CD, and is now considering a new computer. This is an old 1GHz, 512MB PC133 Dell.  They are satisfied as long as killing the spooler keeps working.  I don't know if that leaves this machine an active bot or not.

    I have been semi-retired and these rootkits are new to me - I am disgusted that anyone would do this nasty crap.

    Thanks for the link to the article and I will ask them if I can bring their computer to my apt for a day.  Everything else I have done - I did sitting in their home.  If they say yes I will try Power Eraser.  Where do I get it? Is it installed with N360/Sec Suite?

    Thanks,

    Nathan



  • 8.  RE: Backdoor.Tidserv not being removed by FIXTIDSS.exe
    Best Answer

    Posted Jan 10, 2011 01:47 PM

    Power Eraser is free and can be downloaded from here -

    http://security.symantec.com/nbrt/npe.asp?lcid=1033&origin=default

     

    You can also try running our SEP support tool. There is an option to run the Load Point Analysis Tool. This tool generates a detailed report of the programs loaded on your system. It is helpful in listing common load points where threats can live.

     

    Support Tool with Power Eraser Tool included –

    http://www.symantec.com/business/support/index?page=content&id=TECH105414&locale=en_US

    How to use the Load Point Analysis within the Symantec Support Tool to help locate suspicious files http://www.symantec.com/business/support/index?page=content&id=TECH141402

     

    Good luck, and keep us posted on your progress.

    Thomas


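    The load point listing described in the reply above can be approximated by hand. The script below is an added example for this page, not the thread's or Symantec's Load Point Analysis tool, and it assumes PowerShell 2.0 or later (not present on Windows XP by default), an elevated session, and a hypothetical $Whitelist of image paths you have already checked. It reads the Run keys, the Winlogon values, the two spooler keys (print processors and port monitors, included only because the thread's workaround of stopping the spooler suggests the loader was hosted by spoolsv.exe), and the service and driver list from WMI, then flags any entry whose image file is missing on disk or sits outside the system directories. One caveat matters more than the script: an active kernel rootkit can filter what the registry and file system APIs return, so an empty report, or finding no TDSS-named files or keys, from the infected machine is not evidence that it is clean. Run the listing from a clean boot medium, or compare it with an offline view of the registry hives, before trusting it.

```powershell
# Added example (not from the thread or from Symantec's tool): list common
# Windows autostart load points and flag entries whose image is missing on
# disk or lives outside the usual system directories. Run in an elevated
# PowerShell. Assumes PowerShell 2.0+ and a hypothetical $Whitelist.

$Whitelist = @()   # hypothetical: image paths already verified, e.g. 'C:\WINDOWS\system32\spoolsv.exe'

# Registry keys whose values name DLLs or EXEs loaded at boot or logon. The two
# spooler keys are included because the thread's spooler workaround suggests
# the loader was hosted by spoolsv.exe; this is an assumption, not a finding.
$RegistryLoadPoints = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Print Processors',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
)

function Get-RegistryLoadPointEntries {
    foreach ($key in $RegistryLoadPoints) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        # Values stored directly on the key (Run entries, Winlogon Shell/Userinit)
        $item = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }                                # provider metadata
            if ([string]$prop.Value -notmatch '\.(exe|dll|sys)\b') { continue }   # not an image reference
            New-Object PSObject -Property @{ Source = $key; Name = $prop.Name; Value = [string]$prop.Value }
        }
        # Subkeys carrying a 'Driver' value (print processors and port monitors)
        foreach ($sub in Get-ChildItem -LiteralPath $key -ErrorAction SilentlyContinue) {
            $driver = (Get-ItemProperty -LiteralPath $sub.PSPath).Driver
            if ($driver) {
                New-Object PSObject -Property @{ Source = $sub.Name; Name = 'Driver'; Value = [string]$driver }
            }
        }
    }
}

function Get-ServiceLoadPointEntries {
    # Services and kernel drivers as reported by WMI. A running driver whose
    # image file cannot be found on disk is a classic rootkit tell.
    foreach ($svc in Get-WmiObject -Class Win32_Service) {
        if ($svc.PathName) {
            New-Object PSObject -Property @{ Source = 'Service:' + $svc.Name; Name = $svc.State; Value = [string]$svc.PathName }
        }
    }
    foreach ($drv in Get-WmiObject -Class Win32_SystemDriver) {
        if ($drv.PathName) {
            New-Object PSObject -Property @{ Source = 'Driver:' + $drv.Name; Name = $drv.State; Value = [string]$drv.PathName }
        }
    }
}

function Resolve-ImagePath([string]$Value) {
    # Normalise the ways an image path appears: quoted, with arguments,
    # \SystemRoot- or \??\-prefixed, %SystemRoot%, relative, or a bare file name.
    $v = $Value.Trim().Trim('"')
    if ($v -match '^(.*?\.(exe|dll|sys))') { $v = $matches[1] }
    $v = $v -replace '^\\SystemRoot', $env:SystemRoot
    $v = $v -replace '^%SystemRoot%', $env:SystemRoot
    $v = $v -replace '^\\\?\?\\', ''
    if ($v -notmatch '\\') {
        # Bare file name: spooler DLLs live in system32 or spool\prtprocs\w32x86
        foreach ($dir in @("$env:SystemRoot\system32", "$env:SystemRoot\system32\spool\prtprocs\w32x86")) {
            $candidate = Join-Path $dir $v
            if (Test-Path -LiteralPath $candidate) { return $candidate }
        }
        return (Join-Path "$env:SystemRoot\system32" $v)
    }
    if ($v -notmatch '^[A-Za-z]:\\') { $v = Join-Path $env:SystemRoot $v }   # relative to %SystemRoot%
    return $v
}

function Get-SuspiciousLoadPoints {
    $entries = @(Get-RegistryLoadPointEntries) + @(Get-ServiceLoadPointEntries)
    foreach ($e in $entries) {
        $image = Resolve-ImagePath $e.Value
        if ($Whitelist -contains $image) { continue }
        $flags = @()
        if (-not (Test-Path -LiteralPath $image)) { $flags += 'MissingOnDisk' }
        if ($image -notlike "$env:SystemRoot\*" -and $image -notlike "$env:ProgramFiles\*") { $flags += 'OutsideSystemDirs' }
        if ($flags.Count -gt 0) {
            New-Object PSObject -Property @{ Source = $e.Source; Name = $e.Name; Image = $image; Flags = ($flags -join ',') }
        }
    }
}

Get-SuspiciousLoadPoints | Sort-Object Source | Format-Table -AutoSize Source, Name, Image, Flags
```

    Entries flagged OutsideSystemDirs are often legitimate third-party software, so review them rather than deleting on sight; MissingOnDisk on a running driver or a print processor is the one worth chasing first, and it is also exactly the case a rootkit will try to hide from you when you run this on the live system.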

  • 9.  RE: Backdoor.Tidserv not being removed by FIXTIDSS.exe

    Posted Jan 10, 2011 11:26 PM

    Thomas, 

    I appreciate your prompt responses and interest.  I spoke with my client/neighbor this afternoon, but they are "satisfied" with my workaround, and are not interested in having me diagnose their system further.

    I am not comfortable with unsolved computer problems, because these are finite machines in a finite universe, right?

    This was an eye-opening foray into helping people with their computer issues for $ again.  I will read what you recommended and keep my eyes open.  Most problems are not like this.

    I appreciate what you guys do.  Keep me posted if you find more evidence of this possible variant. BTW - I found NO TDSS or W???? whatever files or entries in the registry.  Does that mean anything?

    Nathan