GeeMoon (United States of America)

asked on

Infected by Boot.tidserv

I have a Windows 7 Home Premium ACER Aspire laptop that a client dropped on me. It appears to be infected with the boot.tidserv.exe file according to the existing Norton Internet Security 2013. NIS states that it is unable to remove it. The desktop has changed to black and all the menu options for applications, etc. are gone. A File Restore (trial software waiting for activation) window appears, telling me that there are multiple issues with the hard drive. I can open 'My Computer' only to discover that there is nothing to open, as if it had been wiped, yet I am booting to something.

I was able to boot to 'safe mode - networking' and gain access to the internet. I ran Norton Power Eraser and Malwarebytes. All boot errors have disappeared along with the 'File Restore' application. I ran NIS again, to discover that the Boot.tidserv.exe file is still present. I also still suffer the damage of no access to my original desktop, applications or, more importantly, file access; the C:\ drive contains important business data.

Through web research, I discovered a fixtdss.exe fix from Symantec. This is supposed to resolve Boot.tidserv, derived from the Backdoor.tidserv file. I have not executed this as of yet. I don't want to bury myself in fixes w/o understanding the ramifications of my actions.

I fear the above will make matters worse or clean the infection and leave me with all the damage.

Here is the question:
How do I clean this infection and get myself back to the original desktop with full access to the drive containing all applications/data? Could I attempt a Windows 'System Restore' without adding to the problem, if I were successful in wiping boot.tidserv?

I will also add:

I discovered that this infection is apparently hiding the C:\ drive globally. I was able to download to the Downloads folder and realised (aside from the fact that there was an actual Downloads folder) that there were other files in the folder. I right-clicked the Downloads folder and saw that it was being hidden.

I also have the ability to see some past 'System Restore' backups. A lot of times, due to Symantec suggestions while attempting to clean, they want you to disable 'System Restore'. I fear losing the potential to get back to a past correct desktop.

Martin Liss

Maybe you can get help at Antionline.
GeeMoon (ASKER)

Thank you all, for your valuable responses

Here's the status:

I posted the question to Experts Exchange (EE). I waited some time to discover EE was under maintenance - down. So, I had no answers to work from. I was under the gun and had to act. I was successful in removing the apparent spyware pop-ups, but still suffered no access to the drive or applications. Norton AV, not NIS 2013 (as I originally stated in my question), still states that I am infected with boot.tidserv.exe.

I contacted Norton support and paid 99.99. One word - 'Nightmare' - hours/hours on hold.
While I waited for Norton, I was able to review/act on the EE responses.

I executed, as per Russell, TDSSKiller/unhide. TDSSKiller did not find anything, validating that I probably took care of it in my previous attempts. The unhide program worked like a charm.

Lionelmm got me thinking about boot options. Yes, Lionelmm, I checked the Symantec web site and they have a boot utility called Norton Bootable Recovery Tool. It states to only use it if you are unable to boot or unable to install Norton AV. I checked with Norton, who verified the above statement.

Anyway, performing the NPE and running Malwarebytes seemed to have gotten me to a good place. Running unhide opened the doors to the missing items and brought me back from the dead. I performed a Norton AV update and reran the scan. I believe I am in the clear.

Thank you
Sounds good! Make sure your router settings have not been touched as well. This variant likes to do that.
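The symptom described in the question (the C:\ contents appearing wiped because the rogue set the Hidden attribute on files and folders) and the unhide step from the asker's follow-up can be inventoried and reversed with a small script. This is an added example, not code from the thread or from the unhide tool: a PowerShell script (hypothetical name Unhide-Profile.ps1) that lists Hidden items under the user's Desktop, Documents, Downloads and both Start Menu folders, skips junctions and the desktop.ini/thumbs.db files that are hidden by design, and clears only the Hidden and System bits when run with -Fix. The folder locations are assumed for a Windows 7 profile.

```powershell
# Unhide-Profile.ps1 (added example, hypothetical name; not from the thread)
# Lists user files/folders carrying the Hidden attribute and, with -Fix,
# clears only the Hidden and System bits, leaving other attributes intact.
# Run once without -Fix to review the list, then again with -Fix.
param(
    [switch]$Fix
)

# Assumed Windows 7 profile locations; adjust if the profile differs.
$roots = @(
    "$env:USERPROFILE\Desktop",
    "$env:USERPROFILE\Documents",
    "$env:USERPROFILE\Downloads",
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:ProgramData\Microsoft\Windows\Start Menu"
)

# Files that are Hidden+System by design inside these folders; never touch them.
$byDesign = @('desktop.ini', 'thumbs.db')
$hiddenBit  = [int][IO.FileAttributes]::Hidden
$reparseBit = [int][IO.FileAttributes]::ReparsePoint

function Get-HiddenItems {
    param([string]$Path)
    foreach ($item in Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue) {
        # Windows 7 profiles contain self-referencing junctions; do not descend into them.
        if (([int]$item.Attributes -band $reparseBit) -ne 0) { continue }
        if ((([int]$item.Attributes -band $hiddenBit) -ne 0) -and
            ($byDesign -notcontains $item.Name.ToLower())) {
            $item
        }
        if ($item.PSIsContainer) { Get-HiddenItems -Path $item.FullName }
    }
}

$found = @(foreach ($r in $roots) {
    if (Test-Path -LiteralPath $r) { Get-HiddenItems -Path $r }
})

"Hidden items found: $($found.Count)"
$found | Select-Object FullName, Attributes | Format-Table -AutoSize

if ($Fix) {
    $mask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
    foreach ($f in $found) {
        # Clear only the Hidden and System bits (AND with the inverted mask).
        $f.Attributes = [IO.FileAttributes]([int]$f.Attributes -band (-bnot $mask))
        "Unhid: $($f.FullName)"
    }
}
```

Run it from an elevated PowerShell prompt so the all-users Start Menu folder under ProgramData can be written; the first pass without -Fix shows exactly what a second pass with -Fix will change.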