Posted on 2009-04-16
Last Modified: 2013-11-22
I recently installed Symantec Endpoint and all seemed to be running fine. One of my clients detected Backdoor.Tidserv!inf, but Endpoint will only log it and I want to get rid of it. I went to the client machine and turned on Quarantine first and then delete if first fails. Any suggestions?
Question by: marquisrh
    LVL 15

    Expert Comment


    Try to do a full scan in Safe Mode

    A Symantec Certified Specialist @ your service
    LVL 47

    Accepted Solution

    Either MalwareBytes or Combofix will remove TDSS variants. You need to rename the file before saving to your desktop.

    Download Malwarebytes' Anti-Malware to your desktop,

    Please download ComboFix by sUBs:

    You must download it to and run it from your Desktop
    Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    Double click combofix.exe & follow the prompts.
    When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
    Re-enable all the programs that were disabled during the running of ComboFix.

    Do not mouse-click combofix's window while it is running. That may cause it to stall.
    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Author Comment

    I just got done running the computer in safe mode. Before I started I went in to make sure that it was set up to quarantine and then delete the file. It still logged only.
    LVL 47

    Expert Comment

    If you can't access MBAM and Combofix links, use the link and instruction from this thread -->

    Author Closing Comment

    I used the Malwarebytes link you gave me and it got rid of Backdoor.Tidserv!inf. I still have a tracking cookie which keeps coming back. Endpoint deletes this file when it finds it, which is just about every scan.
    LVL 47

    Expert Comment

    Glad to know it got rid of it.
