Solved

boot.tidsrv removal

Posted on 2014-04-14
Last Modified: 2014-04-19
I am working on an Acer desktop, and I loaded a 90-day trial of Norton Internet Security which flashed a "Threats detected" window and said the computer was infected with boot.tidsrv and that removal had failed. I downloaded and ran Norton Power Eraser and still received the same threat notification. I ran the Norton™ Bootable Recovery Tool, still to no removal. I reloaded from the recovery partition to factory defaults. Even after that I am still getting that "Threats detected" window. In the Actions dropdown there is no Fix option. If I choose Rescan, the window turns from red to green and says all threats resolved. But then the window will appear again.
How can I get rid of this nuisance?
Question by:atf3doc
18 Comments
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 39999130
It sounds like that PC is infected and possibly a virus made changes to Windows or apps running on it.

Here is a comprehensive list of items I would check based on your situation.

Hope it helps!

1. Install Process Explorer to find out what runs at startup
http://technet.microsoft.com/en-us/sysinternals/bb896653

2. If you haven't already checked for viruses, update your virus definitions and run a Full Scan, deleting all viruses and spyware detected

3. If you don't have any antivirus installed, here are a few free ones to try:
http://www.avg.com
http://www.avast.com/en-us/index
http://windows.microsoft.com/en-us/windows/security-essentials-download
http://www.bitdefender.com/solutions/free.html

4. If spyware is found, download and run these free anti-spyware apps
AdwCleaner
http://www.bleepingcomputer.com/download/adwcleaner/

Kaspersky TDSSKiller
http://www.bleepingcomputer.com/download/tdsskiller/

ESET online scanner
http://www.eset.com/us/online-scanner/

Malwarebytes Anti-Rootkit
http://www.bleepingcomputer.com/download/malwarebytes-anti-rootkit/

www.malwarebytes.org
www.superantispyware.com
www.hitmanpro.com

If you are using Google Chrome and have Conduit Search and want to get rid of it, here is how to do it.

1. Run this process to clean up hidden adware
http://www.wikihow.com/Get-Rid-of-Conduit-Search-on-Google-Chrome

2. Make sure it is completely removed
http://malwaretips.com/blogs/remove-conduit-search-virus/

Check System Logs:
Go to All programs, Administrative Tools, Event Viewer. Check the System and Application sections for errors that may be causing your problems.

Check for corrupt system files:
Open an elevated command prompt and run this to check for corrupted system files.
sfc /scannow

Run a Disk Cleanup
Start, All Programs, Accessories, System Tools, Disk Cleanup.
Include Temporary Internet Files and Temp files

Check for Disk Errors
Run Error Checking: Start, Computer, right click on C:\, Tools, Error Checking.
Select "Automatically fix file system errors" and click Start

Check for all programs that start at boot using Msconfig
Start, Run, type MSCONFIG, and on the Startup tab review the programs listed. Uncheck anything that should not run at startup

Defrag all hard drives
Click My Computer, right click the C drive, click Tools, Disk Defragmenter, then click Analyze to check the amount of fragmentation or Defrag to run the process. Repeat this per drive.

General maintenance to keep your PC up to date
1. Run Windows Update and select all Microsoft updates and security patches

2. Update your PC's system BIOS

3. Update your drivers: motherboard chipset, network adapter, video, audio & printers

4. Start Adobe reader, click Help and then click Check for updates to get the latest security and application updates.

5. Go to Control Panel, Java, advanced tab, click Check for Updates to get the latest security and application updates.

6. If you get a BSOD and want to verify if it's related to bad RAM chips, download Memtest and make a bootable CD from the ISO. Boot it and run at least one complete set of tests to check your memory for faults
http://www.memtest.org/#downiso
0
 
LVL 24

Assisted Solution

by:aadih
aadih earned 100 total points
ID: 39999147
0
 

Author Comment

by:atf3doc
ID: 39999284
aadih, TDSSKiller came up with nothing; I also ran RogueKiller by Tigzy... nothing
0
 
LVL 24

Expert Comment

by:aadih
ID: 39999292
Run ComboFix: < http://www.bleepingcomputer.com/download/combofix/ > with much caution and care.
0
 
LVL 23

Assisted Solution

by:Mohammed Hamada
Mohammed Hamada earned 50 total points
ID: 40002404
I think this is one tough virus to remove. Not sure if ComboFix would fix it, but you could try and prepare a live CD from Kaspersky and scan your PC by booting into it.

http://support.kaspersky.com/4162

After you download the ISO file, burn it to a CD and reboot your PC from that CD, then run a full scan and make sure you try to disinfect the infected files and delete the ones that cannot be disinfected.
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40002418
If you are still having problems eliminating the virus, I suggest a clean install of Windows after backing up your data.

That is always the best solution for a hard to remove virus.

Hope this helps!
0
 

Author Comment

by:atf3doc
ID: 40003633
TG-TIS
By clean install do you mean other than recovering to factory defaults from the recovery partition?
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40003688
No, "Clean" in my suggestion means the following:

1. Backing up all data
2. Booting with the Windows Install DVD
3. Deleting all partitions
4. Creating a new Windows partition
5. Installing Windows in that partition
6. Running Windows Update to patch the system
7. Reinstalling your antivirus
8. Restoring your data back after the install has completed.
9. Installing any other apps you had before.

That is a Clean Install. Hope this clarifies the process.
0
 

Author Comment

by:atf3doc
ID: 40003926
I was afraid of that. I'm going to do a DoD wipe and then reload. Thanks
0
 
LVL 25

Accepted Solution

by:Tony Giangreco
Tony Giangreco earned 350 total points
ID: 40003928
Yes, I agree, that is the very best solution. Glad I could help!!!
0
 
LVL 24

Expert Comment

by:aadih
ID: 40003969
Caution, however, if it's a rootkit infection, the reinstall may not solve the problem.

Recommend removing it first.

Please look at the following page (maybe the solution therein may help):

< http://www.bleepingcomputer.com/forums/t/430255/infected-with-boottidserv-tdss-rootkit-virus/ >
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40003986
Hi aadih, I read that posting and it is not a clean install. I suggested performing a Clean Install using the steps I outlined above. These steps were not suggested or performed in the posting you mentioned.

A Clean Install will eliminate the problem. The Author should also scan his data files before he/she copies them back to the PC.

If you disagree, please provide the details why.
0
 
LVL 24

Expert Comment

by:aadih
ID: 40004023
I neither agree nor disagree, as I don't know.

I am only cautioning (which can be ignored) that some rootkits are known to survive OS re-installations or disk formatting. Whether this infection is a virus or rootkit, I don't know.

So, if with some 'searching' and trying, it could be removed, it'd be worth the time spent.

Regards.
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40004033
I have never seen any rootkit or virus survive a clean install unless the data they restored after the install was infected as I already mentioned.

The antivirus and anti-spyware apps can be used to scan the author's data before he/she restores it. That is always a great suggestion.
0
 
LVL 24

Expert Comment

by:aadih
ID: 40004043
[If interested:] Please read the Wikipedia or many other articles on rootkits. The rootkit's survival doesn't depend on the (saved) data. As I said, not all rootkits have this property, but some do.
0
 

Author Comment

by:atf3doc
ID: 40009959
I did a DoD wipe writing 0's to all sectors of the hard drive seven times. Then I did a clean install of Windows, and that rascally boot.tidsrv seems to be gone. Either the boot sector was not replaced when recovering from the recovery partition, or the recovery partition was infected. At any rate the malware is gone! Thanks to all for your help.
0
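aadih's caution that some rootkits survive a reinstall and the author's closing observation that the boot sector may not have been replaced by the recovery-partition restore describe the same mechanism: a bootkit lives in the bootstrap code of sector 0, which a restore of the Windows partition does not rewrite. The following is an added example, mine and not a tool from anyone in this thread: it parses a 512-byte legacy MBR and reports whether the boot signature is intact, whether the bootstrap code still matches a known-good baseline hash, and which partition is active. The two MBR images and the baseline hash are constructed inline; `read_mbr_from_device` shows the standard Windows physical-drive path for a real check but is not called when the script runs.

```python
"""Parse a legacy 512-byte MBR and compare its bootstrap code with a baseline.

Added example, not a tool from the thread. The MBR images below are
constructed inline; the baseline hash is derived from the constructed
"clean" image rather than from any real system.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: bootstrap code, the part a bootkit replaces
PART_TABLE_OFF = 446           # four 16-byte partition entries follow the code
PART_ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors
BOOT_SIG = b"\x55\xaa"         # bytes 510..511 must hold this signature


def parse_mbr(mbr: bytes) -> dict:
    """Return signature state, SHA-256 of the bootstrap code, and the used partition entries."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for index in range(4):
        offset = PART_TABLE_OFF + 16 * index
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, mbr, offset)
        if ptype == 0:        # empty slot
            continue
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "signature_ok": mbr[510:512] == BOOT_SIG,
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    return findings


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from bootstrap bytes and (status, type, lba_start, sectors) tuples."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(PART_ENTRY_FMT, *entry) for entry in partitions)
    table = table.ljust(64, b"\x00")
    return code + table + BOOT_SIG


def read_mbr_from_device(path=r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a raw device (needs administrator rights on Windows)."""
    with open(path, "rb") as device:
        return device.read(SECTOR_SIZE)


# Constructed sample data: a stub bootstrap, an active Windows system
# partition and a hidden OEM recovery partition (type 0x27).
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"   # constructed stub, not a real loader
SAMPLE_PARTITIONS = [
    (0x80, 0x07, 2048, 204800),     # active NTFS system partition
    (0x00, 0x27, 206848, 30720),    # OEM recovery partition
]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, SAMPLE_PARTITIONS)
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()

# Same partition table, different bootstrap bytes: the situation the author
# describes, where a recovery restore rewrites the Windows partition but
# leaves sector 0 untouched. The replacement bytes are constructed filler.
TAMPERED_MBR = build_mbr(b"\xeb\x3c\x90" + b"\x90" * 16, SAMPLE_PARTITIONS)


if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        findings = check_mbr(image, BASELINE_SHA256)
        print(name, "->", findings or "OK")
```

The baseline hash is only meaningful if it was taken from a known-clean state, for example right after the clean install the thread settles on, and stored off the machine; comparing against the current contents of the same disk proves nothing. On a GPT/UEFI system the equivalent check is the EFI system partition's boot loader files rather than sector 0.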
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40010234
Hi atf3doc, when performing a clean install on a PC that has been infected, I always delete all partitions on all drives in the PC, including the recovery partition. I realize that may cause a problem if you ever want to restore anything, but I've seen viruses infect the recovery partition also. If this is the case in your situation, I suggest performing that same operation after deleting the recovery partition also.

Have I answered your question completely?
0
 

Author Comment

by:atf3doc
ID: 40010288
Yes, thanks
0
