• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 328

boot.tidsrv removal

I am working on an Acer desktop, and I loaded a 90-day trial of Norton Internet Security which flashed a "Threats detected" window and said the computer was infected with boot.tidsrv and that removal had failed. I downloaded and ran Norton Power Eraser and still received the same threat notification. I ran the Norton™ Bootable Recovery Tool, still to no removal. I reloaded from the recovery partition to factory defaults. Even after that I am still getting that "threats detected" window. In the Actions dropdown there is no fix option. If I choose rescan, the window turns from red to green and says all threats resolved. But then the window will appear again.
How can I get rid of this nuisance?
Asked by atf3doc
3 Solutions
 
Tony Giangreco commented:
It sounds like that PC is infected and possibly a virus made changes to Windows or apps running on it.

Here is a comprehensive list of items I would check based on your situation.

Hope it helps!

1. Install Process Explorer to find out what runs at startup
http://technet.microsoft.com/en-us/sysinternals/bb896653

2. If you haven't already checked for viruses, update your virus definitions and run a Full Scan, deleting all viruses and spyware detected

3. If you don't have any antivirus installed, here are a few free ones to try:
http://www.avg.com
http://www.avast.com/en-us/index
http://windows.microsoft.com/en-us/windows/security-essentials-download
http://www.bitdefender.com/solutions/free.html

4. If spyware is found, download and run these free anti-spyware apps
AdwCleaner
http://www.bleepingcomputer.com/download/adwcleaner/

Kaspersky TDSSKiller
http://www.bleepingcomputer.com/download/tdsskiller/

ESET online scanner
http://www.eset.com/us/online-scanner/

Malwarebytes Anti-Rootkit
http://www.bleepingcomputer.com/download/malwarebytes-anti-rootkit/

www.malwarebytes.org
www.superantispyware.com
www.hitmanpro.com

If you are using Google Chrome and have the Conduit Search End and want to get rid of it, here is how to do it.

1. Run this process to cleanup hidden adware
http://www.wikihow.com/Get-Rid-of-Conduit-Search-on-Google-Chrome

2. Make sure it is completely removed
http://malwaretips.com/blogs/remove-conduit-search-virus/

Check System Logs:
Go to All programs, Administrative Tools, Event Viewer. Check the System and Application sections for errors that may be causing your problems.

Check for corrupt system files:
Open an elevated command prompt and run this to check for corrupted system files.
sfc /scannow

Run a Disk Cleanup
Start, All Programs, Accessories, System Tools, Disk Cleanup.
Include Temporary Internet Files and Temp files

Check for Disk Errors
Run Error Checking: Start, Computer, right-click on C:\, Tools, Error Checking.
Select "Automatically fix file system errors" and click start

Check for all programs that start at Boot using Msconfig
Start, Run, type MSCONFIG, on the startup tab, review the programs listed. Uncheck anything that should not run on startup

Defrag all hard drives
Click My Computer, right click the C drive, click Tools, Disk Defragmenter, Click Analyze to check the amount of fragmentation or Defrag to run the process. You repeat this per drive.

General Maintenance to keep your PC up to date
1. Run Windows Update and select all Microsoft updates and security patches

2. Update your PC's system BIOS

3. Update your drivers: Motherboard Chipset, Network Adaptor, Video, Audio & Printers

4. Start Adobe reader, click Help and then click Check for updates to get the latest security and application updates.

5. Go to Control Panel, Java, advanced tab, click Check for Updates to get the latest security and application updates.

6. If you get a BSOD and want to verify if it's related to bad RAM chips, download Memtest and make a bootable CD from the ISO. Boot it and run at least one complete set of tests to check your memory for faults
http://www.memtest.org/#downiso
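The "what runs at startup", "check system logs" and boot-sector angles of the checklist above can be done from one elevated PowerShell session. The script below is an added example written for this page; it is not code from the thread or from any of the tools named in it. It assumes PowerShell 3 or later, that disk 0 is the boot disk, and that `$KnownGoodMbrHash` is a placeholder you replace with the SHA-256 of sector 0 read from a known-clean machine of the same model.

```powershell
# Added example (not from the thread): startup, event-log and boot-sector triage.
# Run from an elevated prompt. Assumptions: PowerShell 3+, disk 0 is the boot disk,
# $KnownGoodMbrHash is a placeholder for a hash taken from a known-clean machine.
$KnownGoodMbrHash = 'PLACEHOLDER-SHA256-OF-CLEAN-SECTOR0'

function Get-AutostartEntries {
    # Registry Run/RunOnce keys: machine, 32-bit view on 64-bit Windows, and current user
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    # Per-user and all-users Startup folders
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName }
        }
    }
    # Auto-start services whose binary lives outside the Windows directory
    $sysRoot = [regex]::Escape($env:SystemRoot)
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -notmatch $sysRoot } |
        ForEach-Object { [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName } }
}

function Get-ExecutablePath([string]$Command) {
    # Pull the program path out of a command line: quoted first, then up to ".exe",
    # then the first token; expand %SystemRoot%-style variables afterwards
    if     ($Command -match '^\s*"([^"]+)"')  { $exe = $Matches[1] }
    elseif ($Command -match '^\s*(.+?\.exe)') { $exe = $Matches[1] }
    elseif ($Command -match '^\s*(\S+)')      { $exe = $Matches[1] }
    else   { return $null }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Test-AutostartSignatures {
    # Authenticode status for every autostart binary; anything other than 'Valid' deserves a look
    foreach ($entry in Get-AutostartEntries) {
        $exe = Get-ExecutablePath $entry.Command
        $status = 'MissingFile'
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $status = (Get-AuthenticodeSignature -FilePath $exe).Status
        }
        [pscustomobject]@{ Source = $entry.Source; Name = $entry.Name; Path = $exe; Signature = $status }
    }
}

function Get-MbrSummary([int]$DiskNumber = 0) {
    # Read sector 0 of the physical disk (needs elevation), check the 0x55AA boot signature
    # and hash the sector for comparison with the baseline. On a GPT disk this is the protective MBR.
    $stream = New-Object System.IO.FileStream -ArgumentList "\\.\PhysicalDrive$DiskNumber", 'Open', 'Read', 'ReadWrite'
    try {
        $sector = New-Object byte[] 512
        $read = $stream.Read($sector, 0, 512)
    } finally {
        $stream.Dispose()
    }
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = ([BitConverter]::ToString($sha.ComputeHash($sector))).Replace('-', '')
    [pscustomobject]@{
        Disk             = $DiskNumber
        BytesRead        = $read
        HasBootSignature = ($sector[510] -eq 0x55 -and $sector[511] -eq 0xAA)
        Sha256           = $hash
        MatchesBaseline  = ($hash -eq $KnownGoodMbrHash)
    }
}

function Get-RecentErrors([int]$Count = 20) {
    # The Event Viewer step above: newest Error-level entries from the System and Application logs
    Get-WinEvent -FilterHashtable @{ LogName = 'System', 'Application'; Level = 2 } -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, ProviderName, Id, Message
}

# Usage: unsigned or invalid autostarts first, then the boot sector, then recent errors
Test-AutostartSignatures | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
Get-MbrSummary -DiskNumber 0
Get-RecentErrors -Count 10 | Format-Table -AutoSize -Wrap
```

One caveat on the boot-sector check: a bootkit that filters disk I/O can hand the running operating system a clean copy of sector 0, so a baseline match from inside Windows is weak evidence. Reading the sector from offline boot media, as the live-CD advice later in this thread does, is the stronger check.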
 
atf3doc (Author) commented:
aadih, TDSSKiller came up with nothing; I also ran RogueKiller by Tigzy... nothing

aadih commented:
Run ComboFix: http://www.bleepingcomputer.com/download/combofix/ with much caution and care.

Mohammed Hamada (Senior IT Consultant) commented:
I think this is one tough virus to remove. Not sure if ComboFix would fix it! But you could try and prepare a live CD from Kaspersky and scan your PC by booting into it.

http://support.kaspersky.com/4162

After you download the ISO file, burn it to a CD and reboot your PC from that CD, then run a full scan. Make sure you try to disinfect the infected files and delete the ones that cannot be disinfected.

Tony Giangreco commented:
If you are still having problems eliminating the virus, I suggest a clean install of Windows after backing up your data.

That is always the best solution for a hard to remove virus.

Hope this helps!

atf3doc (Author) commented:
TG-TIS
By clean install do you mean other than recovering to factory defaults from the recovery partition?

Tony Giangreco commented:
No. "Clean" in my suggestion means the following:

1. Backing up all data
2. Booting with the Windows Install DVD
3. Deleting all partitions
4. Creating a new Windows partition
5. Installing Windows in that partition
6. Running Windows Update to patch the system
7. Reinstalling your antivirus
8. Restoring your data back after the install has completed.
9. Installing any other apps you had before.

That is a Clean Install. Hope this clarifies the process.
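Steps 3, 4 and 8 of the clean install above are the ones where a mistake is expensive (wiping the wrong disk, or copying infected files back onto the fresh system). The script below is an added example written for this page, not code from the thread or from any product it mentions. It assumes disk 0 is the system disk and is roughly 500 GB, that the backup sits on a USB drive at `E:\Backup`, that the machine boots BIOS/MBR (a 2013-era desktop), that the Storage cmdlets are available (Windows 8 or later, or WinPE with the PowerShell and StorageWMI optional components), and that Windows Defender is present on the reinstalled system.

```powershell
# Added example (not from the thread): steps 3-5 and 8 of the clean install,
# scripted so the wrong disk cannot be wiped by accident.
# Assumptions: disk 0 is the ~500 GB system disk, backup is on a USB drive at E:\Backup,
# BIOS/MBR boot, Storage cmdlets available, Windows Defender present after reinstall.
$TargetDiskNumber = 0
$ExpectedSizeGB   = 500
$BackupPath       = 'E:\Backup'
$ScriptPath       = "$env:TEMP\clean-install.txt"

function Confirm-TargetDisk {
    # Refuse to continue unless the disk matches the expected size and is not the USB backup drive
    $disk   = Get-Disk -Number $TargetDiskNumber
    $sizeGB = [math]::Round($disk.Size / 1GB)
    if ([math]::Abs($sizeGB - $ExpectedSizeGB) -gt 10) {
        throw "Disk $TargetDiskNumber is $sizeGB GB, expected about $ExpectedSizeGB GB; refusing to continue"
    }
    if ($disk.BusType -eq 'USB') {
        throw "Disk $TargetDiskNumber is a USB device; refusing to continue"
    }
    return $disk
}

function New-DiskpartScript {
    # Steps 3 and 4: delete every partition (the recovery partition included) and create one
    # NTFS system partition for Setup. 'clean' only discards the partition table; 'clean all'
    # overwrites every sector with zeros, which is the kind of wipe described later in this thread.
@"
select disk $TargetDiskNumber
clean
create partition primary
format fs=ntfs quick label="Windows"
active
assign letter=C
exit
"@ | Set-Content -Path $ScriptPath -Encoding ASCII
    return $ScriptPath
}

function Invoke-CleanPartitioning {
    $disk = Confirm-TargetDisk
    Write-Host "Wiping $($disk.FriendlyName) (disk $TargetDiskNumber)"
    diskpart /s (New-DiskpartScript)
    if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }
    # Step 5 is Setup itself: reboot from the install DVD and pick the new partition
}

function Restore-BackupAfterScan {
    # Step 8, with the advice to scan the data before copying it back: run a Defender
    # custom scan over the backup and stop if anything under it is flagged
    Start-MpScan -ScanType CustomScan -ScanPath $BackupPath
    $hits = Get-MpThreatDetection | Where-Object { $_.Resources -like "*$BackupPath*" }
    if ($hits) {
        throw "Defender flagged $(@($hits).Count) item(s) under $BackupPath; clean them before restoring"
    }
    Copy-Item -Path "$BackupPath\*" -Destination "$env:USERPROFILE\Restored" -Recurse -Force
}

# Usage: Invoke-CleanPartitioning before Setup (from WinPE), Restore-BackupAfterScan after it
```

`Invoke-CleanPartitioning` is meant for a WinPE that carries the PowerShell optional components; on plain install media the text that `New-DiskpartScript` writes can be typed into `diskpart` at the Shift+F10 prompt line by line. `Restore-BackupAfterScan` runs on the reinstalled system once Windows Update and the antivirus are in place (steps 6 and 7).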

atf3doc (Author) commented:
I was afraid of that. I'm going to do a DoD wipe and then reload. Thanks

Tony Giangreco commented:
Yes, I agree, that is the very best solution. Glad I could help!!!

aadih commented:
Caution, however, if it's a rootkit infection, the reinstall may not solve the problem.

Recommend removing it first.

Please look at the following page (maybe the solution therein may help):

http://www.bleepingcomputer.com/forums/t/430255/infected-with-boottidserv-tdss-rootkit-virus/

Tony Giangreco commented:
Hi aadih, I read that posting and it is not a clean install. I suggested performing a Clean Install using the steps I outlined above. These steps were not suggested or performed in the posting you mentioned.

A Clean Install will eliminate the problem. The author should also scan his/her data files before copying them back to the PC.

If you disagree, please provide the details why.

aadih commented:
I neither agree nor disagree, as I don't know.

I am only cautioning (which can be ignored) that some rootkits are known to survive OS re-installations or disk formatting. Whether this infection is a virus or rootkit, I don't know.

So, if with some 'searching' and trying, it could be removed, it'd be worth the time spent.

Regards.

Tony Giangreco commented:
I have never seen any rootkit or virus survive a clean install unless the data they restored after the install was infected as I already mentioned.

The antivirus and anti-spyware apps can be used to scan the author's data before he/she restores it. That is always a great suggestion.

aadih commented:
[If interested:] Please read the Wikipedia or many other articles on rootkits. The rootkit survival doesn't depend on the (saved) data. As I said, not all rootkits have this property but some do.

atf3doc (Author) commented:
I did a DoD wipe, writing 0's to all sectors of the hard drive seven times. Then I did a clean install of Windows and that rascally boot.tidsrv seems to be gone. Either the boot sector was not replaced when recovering from the recovery partition or the recovery partition was infected. At any rate the malware is gone! Thanks to all for your help.

Tony Giangreco commented:
Hi atf3doc, when performing a clean install on a PC that has been infected, I always delete all partitions on all drives in the PC, including the recovery partition. I realize that may cause a problem if you ever want to restore anything, but I've seen viruses infect the recovery partition also. If this is the case in your situation, I suggest performing that same operation after deleting the recovery partition also.

Have I answered your question completely?

atf3doc (Author) commented:
Yes, thanks