atf3doc asked:

boot.tidsrv removal

I am working on an Acer desktop, and I loaded a 90-day trial of Norton Internet Security which flashed a "Threats detected" window and said the computer was infected with boot.tidsrv and that removal had failed. I downloaded and ran Norton Power Eraser and still received the same threat notification. I ran the Norton™ Bootable Recovery Tool, still to no removal. I reloaded from the recovery partition to factory defaults. Even after that I still am getting that "Threats detected" window. In the Actions dropdown there is no Fix option. If I choose Rescan, the window turns from red to green and says all threats resolved. But then the window will appear again.
How can I get rid of this nuisance?
Tony Giangreco:

It sounds like that PC is infected and possibly a virus made changes to Windows or apps running on it.

Here is a comprehensive list of items I would check based on your situation.

Hope it helps!

1. Install Process Explorer to find out what runs at startup
http://technet.microsoft.com/en-us/sysinternals/bb896653

2. If you haven't already checked for viruses, update your virus definitions and run a Full Scan, deleting all viruses and spyware detected

3. If you don't have any antivirus installed, here are a few free ones to try:
http://www.avg.com
http://www.avast.com/en-us/index
http://windows.microsoft.com/en-us/windows/security-essentials-download
http://www.bitdefender.com/solutions/free.html

4. If spyware is found, download and run these free anti-spyware apps:
AdwCleaner
http://www.bleepingcomputer.com/download/adwcleaner/

Kaspersky TDSSKiller
http://www.bleepingcomputer.com/download/tdsskiller/

ESET online scanner
http://www.eset.com/us/online-scanner/

Malwarebytes Anti-Rootkit
http://www.bleepingcomputer.com/download/malwarebytes-anti-rootkit/

www.malwarebytes.org
www.superantispyware.com
www.hitmanpro.com

If you are using Google Chrome and have the Conduit Search engine and want to get rid of it, here is how to do it.

1. Run this process to clean up hidden adware
http://www.wikihow.com/Get-Rid-of-Conduit-Search-on-Google-Chrome

2. Make sure it is completely removed
http://malwaretips.com/blogs/remove-conduit-search-virus/

Check System Logs:
Go to All programs, Administrative Tools, Event Viewer. Check the System and Application sections for errors that may be causing your problems.

Check for corrupt system files:
Open an elevated command prompt and run this to check for corrupted system files.
sfc /scannow

Run a Disk Cleanup
Start, All Programs, Accessories, System Tools, Disk Cleanup.
Include Temporary Internet Files and Temp files

Check for Disk Errors
Run Error Checking: Start, Computer, right click on C:\, Tools, Error Checking.
Select "Automatically fix file system errors" and click start

Check for all programs that start at boot using Msconfig
Start, Run, type MSCONFIG, and on the Startup tab review the programs listed. Uncheck anything that should not run on startup.

Defrag all hard drives
Click My Computer, right click the C drive, click Tools, Disk Defragmenter, Click Analyze to check the amount of fragmentation or Defrag to run the process. You repeat this per drive.

General maintenance to keep your PC up to date
1. Run Windows Update and select all Microsoft updates and security patches

2. Update your PC's system BIOS

3. Update your drivers: Motherboard Chipset, Network Adaptor, Video, Audio & Printers

4. Start Adobe reader, click Help and then click Check for updates to get the latest security and application updates.

5. Go to Control Panel, Java, advanced tab, click Check for Updates to get the latest security and application updates.

6. If you get a BSOD and want to verify if it's related to bad RAM chips, download Memtest and make a bootable CD from the ISO. Boot it and run at least one complete set of tests to check your memory for faults.
http://www.memtest.org/#downiso
SOLUTION (aadih): [members-only content not shown]
atf3doc (ASKER):
aadih, TDSSKiller came up with nothing; I also ran RogueKiller by Tigzy... nothing.
Run ComboFix: http://www.bleepingcomputer.com/download/combofix/ with much caution and care.
SOLUTION (Mohammed Hamada): [members-only content not shown]
If you are still having problems eliminating the virus, I suggest a clean install of Windows after backing up your data.

That is always the best solution for a hard to remove virus.

Hope this helps!
atf3doc (ASKER):
TG-TIS
By clean install do you mean other than recovering to factory defaults from the recovery partition?
No, "clean" in my suggestion means the following:

1. Backing up all data
2. Booting with the Windows install DVD
3. Deleting all partitions
4. Creating a new Windows partition
5. Installing Windows in that partition
6. Running Windows Update to patch the system
7. Reinstalling your antivirus
8. Restoring your data after the install has completed
9. Installing any other apps you had before

That is a clean install. Hope this clarifies the process.
atf3doc (ASKER):
I was afraid of that. I'm going to do a DoD wipe and then reload. Thanks
ASKER CERTIFIED SOLUTION: [members-only content not shown]
Caution, however, if it's a rootkit infection, the reinstall may not solve the problem.

Recommend removing it first.

Please look at the following page (maybe the solution therein may help):

http://www.bleepingcomputer.com/forums/t/430255/infected-with-boottidserv-tdss-rootkit-virus/
Hi aadih, I read that posting and it is not a clean install. I suggested performing a clean install using the steps I outlined above. These steps were not suggested or performed in the posting you mentioned.

A clean install will eliminate the problem. The author should also scan his data files before he/she copies them back to the PC.

If you disagree, please provide the details why.
I neither agree nor disagree, as I don't know.

I am only cautioning (which can be ignored) that some rootkits are known to survive OS re-installations or disk formatting. Whether this infection is a virus or rootkit, I don't know.

So, if with some 'searching' and trying, it could be removed, it'd be worth the time spent.

Regards.
I have never seen any rootkit or virus survive a clean install unless the data they restored after the install was infected as I already mentioned.

The antivirus and anti-spyware apps can be used to scan the author's data before he/she restores it. That is always a great suggestion.
[If interested:] Please read the Wikipedia or many other articles on rootkits. Rootkit survival doesn't depend on the (saved) data. As I said, not all rootkits have this property, but some do.
atf3doc (ASKER):
I did a DoD wipe writing 0's to all sectors of the hard drive seven times. Then I did a clean install of Windows and that rascally boot.tidsrv seems to be gone. Either the boot sector was not replaced when recovering from the recovery partition or the recovery partition was infected. At any rate the malware is gone! Thanks to all for your help.
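The asker's conclusion above is that the factory restore rewrote the Windows partition but left the boot sector (sector 0, the MBR) untouched. As an added example that is not from this thread, this Python script parses a 512-byte MBR and reports whether the boot code, the partition table or the 0x55AA signature differ from a known-good copy saved earlier; the two sample MBRs are constructed inline, and the device path mentioned in the comments is an assumption about where a live copy would come from.

```python
import hashlib
import struct

# MBR layout: 446 bytes of boot code | 4 x 16-byte partition entries | 0x55AA
SECTOR, PT_OFFSET, SIG_OFFSET = 512, 446, 510

def parse_mbr(sector: bytes) -> dict:
    """Boot-code hash, used partition entries and signature status of one MBR."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        e = sector[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        if e[4] == 0:          # partition type 0 marks an unused entry
            continue
        lba, count = struct.unpack_from("<II", e, 8)   # start LBA, sector count
        parts.append({"index": i, "bootable": e[0] == 0x80,
                      "type": e[4], "lba": lba, "sectors": count})
    return {"signature_ok": sector[SIG_OFFSET:] == b"\x55\xaa",
            "boot_code_sha256": hashlib.sha256(sector[:PT_OFFSET]).hexdigest(),
            "partitions": parts}

def mbr_diff(baseline: bytes, current: bytes) -> list:
    """What differs between a known-good MBR and the one read now."""
    # On a live Windows system `current` would be the first 512 bytes of the raw
    # disk (assumed path: \\.\PhysicalDrive0, readable only as administrator).
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("boot code changed while partition table may look normal")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    if not c["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    return findings

def make_mbr(boot_code: bytes, entries: list) -> bytes:
    """Build a constructed MBR for the demo: boot code, entries, signature."""
    sector = bytearray(boot_code.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET])
    for boot_flag, ptype, lba, count in entries:   # CHS fields left zeroed
        sector += bytes([boot_flag, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", lba, count)
    sector += b"\x00" * (16 * (4 - len(entries))) + b"\x55\xaa"
    return bytes(sector)

# Constructed sample: a recovery partition (type 0x27) plus a bootable Windows
# partition (type 0x07); the second MBR keeps the same table but different boot
# code, which is exactly what a partition-level factory restore does not fix.
LAYOUT = [(0x00, 0x27, 2048, 30_000_000), (0x80, 0x07, 30_002_048, 900_000_000)]
CLEAN_MBR = make_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" * 10, LAYOUT)
TAMPERED_MBR = make_mbr(b"\xeb\x58\x90" * 20, LAYOUT)
```

Saving `CLEAN_MBR`-style baselines right after a trusted install gives you something to compare against after an incident, which a rescan by the installed antivirus alone does not.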
Hi atf3doc, when performing a clean install on a PC that has been infected, I always delete all partitions on all drives in the PC, including the recovery partition. I realize that may cause a problem if you ever want to restore anything, but I've seen viruses infect the recovery partition also. If this is the case in your situation, I suggest performing that same operation after deleting the recovery partition also.

Have I answered your question completely?
atf3doc (ASKER):
Yes, thanks