atf3doc
boot.tidsrv removal
I am working on an Acer desktop, and I loaded a 90-day trial of Norton Internet Security, which flashed a "Threats detected" window and said the computer was infected with boot.tidsrv and that removal had failed. I downloaded and ran Norton Power Eraser and still received the same threat notification. I ran the Norton Bootable Recovery Tool, still with no removal. I reloaded from the recovery partition to factory defaults. Even after that I am still getting that "Threats detected" window. In the Actions dropdown there is no fix option. If I choose Rescan, the window turns from red to green and says all threats are resolved, but then the window appears again.
How can I get rid of this nuisance?
ASKER
aadih, TDSSKiller came up with nothing; I also ran RogueKiller by Tigzy... nothing.
Run ComboFix: < http://www.bleepingcomputer.com/download/combofix/ > with much caution and care.
If you are still having problems eliminating the virus, I suggest a clean install of Windows after backing up your data.
That is always the best solution for a hard to remove virus.
Hope this helps!
ASKER
TG-TIS
By clean install do you mean other than recovering to factory defaults from the recovery partition?
No. "Clean" in my suggestion means the following:
1. Backing up all data
2. Booting from the Windows install DVD
3. Deleting all partitions
4. Creating a new Windows partition
5. Installing Windows in that partition
6. Running Windows Update to patch the system
7. Reinstalling your antivirus
8. Restoring your data after the install has completed
9. Installing any other apps you had before
That is a clean install. Hope this clarifies the process.
ASKER
I was afraid of that. I'm going to do a DoD wipe and then reload. Thanks
Caution, however: if it's a rootkit infection, the reinstall may not solve the problem.
I recommend removing it first.
Please look at the following page (maybe the solution therein will help):
< http://www.bleepingcomputer.com/forums/t/430255/infected-with-boottidserv-tdss-rootkit-virus/ >
Hi aadih, I read that posting and it is not a clean install. I suggested performing a clean install using the steps I outlined above. Those steps were not suggested or performed in the posting you mentioned.
A clean install will eliminate the problem. The author should also scan his/her data files before copying them back to the PC.
If you disagree, please provide the details why.
I neither agree nor disagree, as I don't know.
I am only cautioning (which can be ignored) that some rootkits are known to survive OS re-installations or disk formatting. Whether this infection is a virus or rootkit, I don't know.
So, if with some 'searching' and trying, it could be removed, it'd be worth the time spent.
Regards.
I have never seen any rootkit or virus survive a clean install unless the data restored after the install was infected, as I already mentioned.
The antivirus and anti-spyware apps can be used to scan the author's data before he/she restores it. That is always a great suggestion.
[If interested:] Please read the Wikipedia or many other articles on rootkits. Rootkit survival doesn't depend on the (saved) data. As I said, not all rootkits have this property, but some do.
ASKER
I did a DoD wipe, writing 0's to all sectors of the hard drive seven times. Then I did a clean install of Windows, and that rascally boot.tidsrv seems to be gone. Either the boot sector was not replaced when recovering from the recovery partition, or the recovery partition was infected. At any rate, the malware is gone! Thanks to all for your help.
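The asker's guess in the post above, that the factory restore reinstalled Windows without rewriting the first sector of the disk, is something you can check directly rather than infer from a scanner's verdict. The following is an added example, not code from this thread or from any of the tools mentioned in it: it parses a 512-byte MBR, flags a few things that would look wrong on a stock Windows disk, and diffs two captures (for instance one taken before and one after a restore) to show whether the bootstrap code, the partition table, or both changed. The disk size, the partition layout and both sample sectors are constructed for illustration. The "Windows error strings" check is a heuristic: stock Microsoft MBR code carries the messages "Invalid partition table" and "Missing operating system", so their absence only means the code is not the stock one (a third-party boot manager would also trip it). The 2048-sector unallocated-tail threshold is an assumption.

```python
"""Added example: parse, sanity-check and diff MBR sectors. Sample data below is constructed."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

SECTOR = 512
PT_OFFSET = 446                      # four 16-byte partition entries follow the bootstrap area
# Heuristic: strings present in the stock Microsoft MBR bootstrap code.
WINDOWS_MBR_STRINGS = (b"Invalid partition table", b"Missing operating system")
PART_TYPES = {0x05: "extended", 0x07: "NTFS", 0x0C: "FAT32 LBA", 0x0F: "extended LBA",
              0x27: "hidden NTFS (OEM/Windows RE recovery)", 0xEE: "GPT protective"}


@dataclass(frozen=True)
class Partition:
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    sectors: int

    @property
    def end_lba(self) -> int:        # exclusive
        return self.start_lba + self.sectors


@dataclass
class MBR:
    bootcode: bytes                  # bytes 0..439: the code the BIOS jumps to
    disk_signature: int              # bytes 440..443
    partitions: List[Partition]
    signature_ok: bool               # bytes 510..511 == 55 AA

    def bootcode_sha256(self) -> str:
        return hashlib.sha256(self.bootcode).hexdigest()


def parse_mbr(raw: bytes) -> MBR:
    if len(raw) < SECTOR:
        raise ValueError("an MBR is one 512-byte sector")
    parts = []
    for i in range(4):
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) start-LBA(4) size(4)
        status, ptype, start, size = struct.unpack_from("<B3xB3xII", raw, PT_OFFSET + 16 * i)
        if ptype != 0:
            parts.append(Partition(i, status == 0x80, ptype, start, size))
    disk_sig = struct.unpack_from("<I", raw, 440)[0]
    return MBR(raw[:440], disk_sig, parts, raw[510:512] == b"\x55\xAA")


def check_mbr(mbr: MBR, disk_sectors: Optional[int] = None, max_tail_sectors: int = 2048) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked off."""
    findings = []
    if not mbr.signature_ok:
        findings.append("missing 55 AA boot signature")
    if not any(s in mbr.bootcode for s in WINDOWS_MBR_STRINGS):
        findings.append("Windows MBR error strings absent from bootstrap code")
    active = sum(1 for p in mbr.partitions if p.bootable)
    if active != 1:
        findings.append(f"{active} active partitions (expected exactly 1)")
    ordered = sorted(mbr.partitions, key=lambda p: p.start_lba)
    for a, b in zip(ordered, ordered[1:]):
        if a.end_lba > b.start_lba:
            findings.append(f"partition {a.index} overlaps partition {b.index}")
    if disk_sectors is not None and ordered:
        tail = disk_sectors - ordered[-1].end_lba
        if tail > max_tail_sectors:  # assumption: > ~1 MiB of free space after the last partition is worth a look
            findings.append(f"{tail} unallocated sectors after last partition")
    return findings


def compare_mbrs(before: MBR, after: MBR) -> Dict[str, bool]:
    """Which parts of the sector changed between two captures (e.g. before/after a factory restore)."""
    return {"bootcode_changed": before.bootcode != after.bootcode,
            "partition_table_changed": before.partitions != after.partitions,
            "disk_signature_changed": before.disk_signature != after.disk_signature}


def read_device_mbr(path: str = r"\\.\PhysicalDrive0") -> MBR:
    """Read the live MBR. Needs Administrator on Windows; use e.g. /dev/sda as root on Linux."""
    with open(path, "rb") as f:
        return parse_mbr(f.read(SECTOR))


def build_mbr(bootcode: bytes, entries, disk_signature: int = 0x1234ABCD) -> bytes:
    """Assemble a synthetic MBR sector (constructed test data, not a real disk image)."""
    raw = bytearray(bootcode.ljust(440, b"\x00")[:440]) + struct.pack("<IH", disk_signature, 0)
    for bootable, ptype, start, size in entries:
        raw += struct.pack("<B3sB3sII", 0x80 if bootable else 0, b"\xFF" * 3, ptype, b"\xFF" * 3, start, size)
    raw += b"\x00" * (510 - len(raw)) + b"\x55\xAA"
    return bytes(raw)


DISK_SECTORS = 976_773_168                                   # constructed 500 GB disk
LAYOUT = [(False, 0x27, 2_048, 41_943_040),                  # OEM recovery partition, 20 GiB
          (True, 0x07, 41_945_088, 934_827_056)]             # Windows C:, active
# Constructed bootstrap code that looks like a stock sector (carries the Microsoft error strings) ...
SAMPLE_CLEAN = build_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 300
                         + b"Invalid partition table\x00Missing operating system\x00", LAYOUT)
# ... and one whose code was swapped out while the partition table was left untouched.
SAMPLE_TAMPERED = build_mbr(b"\xEA\x05\x00\xC0\x07" + b"\x31\xC0" * 200, LAYOUT)

if __name__ == "__main__":
    clean, tampered = parse_mbr(SAMPLE_CLEAN), parse_mbr(SAMPLE_TAMPERED)
    for name, m in (("clean", clean), ("tampered", tampered)):
        print(name, m.bootcode_sha256()[:16], check_mbr(m, DISK_SECTORS) or "no findings")
        for p in m.partitions:
            flag = "*" if p.bootable else " "
            print(f"  #{p.index} {flag} {PART_TYPES.get(p.type_id, hex(p.type_id)):40} LBA {p.start_lba}-{p.end_lba - 1}")
    print(compare_mbrs(clean, tampered))
```

To use it on a real machine, call read_device_mbr() from an elevated prompt, or dump the first 512 bytes of the disk with a bootable tool and feed the file to parse_mbr(). Comparing the bootcode hash of a capture taken after a reinstall with one taken before is the quickest way to confirm the reinstall actually replaced the boot code, not just the partitions, which is exactly the distinction a recovery-partition restore can blur.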
Hi atf3doc, when performing a clean install on a PC that has been infected, I always delete all partitions on all drives in the PC, including the recovery partition. I realize that may cause a problem if you ever want to restore anything, but I've seen viruses infect the recovery partition as well. If this is the case in your situation, I suggest performing that same operation after deleting the recovery partition too.
Have I answered your question completely?
ASKER
Yes, thanks
Here is a comprehensive list of items I would check based on your situation.
Hope it helps!
1. Install Process Explorer to find out what runs at startup
http://technet.microsoft.com/en-us/sysinternals/bb896653
2. If you haven't already checked for viruses, update your virus definitions and run a Full Scan, deleting all viruses and spyware detected
3. If you don’t have any Anti Virus installed, here are a few free ones to try:
http://www.avg.com
http://www.avast.com/en-us/index
http://windows.microsoft.com/en-us/windows/security-essentials-download
http://www.bitdefender.com/solutions/free.html
4. If spyware is found, download and run these free anti spyware apps
AdwCleaner
http://www.bleepingcomputer.com/download/adwcleaner/
Kaspersky TDSSKiller
http://www.bleepingcomputer.com/download/tdsskiller/
ESET online scanner
http://www.eset.com/us/online-scanner/
Malwarebytes Anti-Rootkit
http://www.bleepingcomputer.com/download/malwarebytes-anti-rootkit/
www.malwarebytes.org
www.superantispyware.com
www.hitmanpro.com
If you are using Google Chrome and have the Conduit Search engine and want to get rid of it, here is how to do it.
1. Run this process to clean up hidden adware
http://www.wikihow.com/Get-Rid-of-Conduit-Search-on-Google-Chrome
2. Make sure it is completely removed
http://malwaretips.com/blogs/remove-conduit-search-virus/
Check System Logs:
Go to All programs, Administrative Tools, Event Viewer. Check the System and Application sections for errors that may be causing your problems.
Check for corrupt system files:
Open an elevated command prompt and run this to check for corrupted system files.
sfc /scannow
Run a Disk Cleanup
Start, All Programs, Accessories, System Tools, Disk Cleanup.
Include Temporary Internet Files and Temp files
Check for Disk Errors
Run Error Checking: Start, Computer, right click on C:\, Tools, Error Checking.
Select "Automatically fix file system errors" and click start
Check for all programs that start at Boot using Msconfig
Start, Run, type MSCONFIG, on the startup tab, review the programs listed. Uncheck anything that should not run on startup
Defrag all hard drives
Click My Computer, right click the C drive, click Tools, Disk Defragmenter, Click Analyze to check the amount of fragmentation or Defrag to run the process. You repeat this per drive.
General Maintenance to keep your PC up to date
1. Run Windows Update and select all Microsoft updates and security patches
2. Update your PC's system BIOS
3. Update your drivers: motherboard chipset, network adapter, video, audio & printers
4. Start Adobe Reader, click Help and then click Check for Updates to get the latest security and application updates.
5. Go to Control Panel, Java, Advanced tab, click Check for Updates to get the latest security and application updates.
6. If you get a BSOD and want to verify whether it's related to bad RAM chips, download Memtest and make a bootable CD from the ISO. Boot it and run at least one complete set of tests to check your memory for faults.
http://www.memtest.org/#downiso