BOOT.Tidserv

OK, here is my issue. The other day (last week) my son came to me with a computer issue. It had multiple pop-ups saying that the hard drive and RAM had failed. I installed Norton IS (it was not on his computer; I had let it lapse by accident) and ran a check. It found 10 threats and was able to clean 9 of them. The one it could not clean was Boot.Tidserv.

I then asked friends for help and have used Norton's tips for getting rid of this. I have used HouseCall (found and cleaned 4 threats Norton didn't see), Kaspersky (found nothing), and Norton's Power Eraser and the rescue tool.

To this date Norton still says that I have this Boot.Tidserv threat on my computer. The only choices I have are Get Help, Rescan or Exclude. What am I supposed to do with this?

Any help is GREATLY appreciated.

DClark015

Replies

Re: BOOT.Tidserv

1. Sounds like you had a variant of the Fake HDD family, like http://www.bleepingcomputer.com/virus-removal/remove-system-fix

2. Boot.Tidserv is the detection for the TDL/TDSS boot sector, although there are now a couple of other groups that use the boot sector technique, like maybe Carberp.

Try TDSSKiller; download it by clicking on the .exe link, as it can be updated quicker than the .zip version.

If it is detected, afterwards you will still have to clear Norton's unresolved threats list.

Quads

Re: BOOT.Tidserv

Thanks Quads... I think I've got it removed now; however, I can't find out how to get to the unresolved threats list. I am using 32-bit Vista. Are you able to help me find this?

Thanks in advance

Re: BOOT.Tidserv

Norton's History, then the Unresolved list from the drop-down menu.

Quads

Re: BOOT.Tidserv

Thanks for the help... I've done everything listed in the link multiple times; however, Norton still shows the Boot.Tidserv threat whenever I run it. This DOES NOT show on any other virus program that I have used. Any other tips, or do I have to either ignore it or fdisk my computer? :(

Re: BOOT.Tidserv

Did you clear the unresolved threats list?

Did TDSSKiller (newest version) find anything?

Quads

Re: BOOT.Tidserv

I did, and it still shows up after the next restart. With TDSSKiller, I assume it's the newest version out there; I got it from the site you recommended.

Re: BOOT.Tidserv

The up-to-date page is http://support.kaspersky.com/faq/?qid=208280684

See where it says "Execute the file TDSSKiller.exe". Click on the TDSSKiller.exe.

Quads

Re: BOOT.Tidserv

Tried again with the same results...

What I am doing is going into Safe Mode and running RKill (I have tried all of the links multiple times). Most of the time I get a Microsoft Windows message saying that iexplore.exe has stopped working, and then a Windows system alert (bottom-right shield with a red X) saying that Windows security is not turned on. I have ignored these in case it is the virus.

Then I get the RKill log to pop up in Notepad, and there are no processes listed under "terminated by RKill".

Then I try TDSSKiller. If I run it with the standard options (Services and drivers, and Boot sectors), it scans but finds nothing. If I add the additional options (Verify driver digital signatures and Detect TDLFS file system), I get the below threats found. They are all marked as Skip, and when I Google them I believe they are not an actual threat, so I didn't want to delete them.

All are unsigned files:

Service: Giveio
Service: PxHelp20
Service: speedfan
Service: USBAAPL

All are also listed as "Suspicious object, medium risk".

Thank you so much for the help with this.

Re: BOOT.Tidserv

It appears that Norton is now also detecting the MaxSS (SST.a, SST.b) partition as Boot.Tidserv, which is a little confusing.

For Vista and Windows 7, type diskmgmt.msc (Disk Management) in the search box.

How many drives do you have listed? All the info, please.

Quads


Re: BOOT.Tidserv

It shows 3 disks (at the top under Volume): one not named, one is C and the other is D. It won't allow me to attach a screenshot because it's not a txt, log, or lue file. If you have an email I can send it to, I would be happy to forward the jpg. Not sure what other information it is that you need.

Re: BOOT.Tidserv

For some reason it won't let me edit my post... I was able to PM the picture to you on these forums.

Re: BOOT.Tidserv

It does appear that you are infected with MaxSS (SST.a, SST.b).

Volume                        Capacity     Notes
unallocated/unknown (blank)   3 MB         MaxSS (SST) TDSS mod partition, generally a partition between 1 and 15 MB. BAD!!
HP (C:)                       291.83 GB    The working partition with Windows installed. DO NOT REMOVE
Recovery (D:)                 6.26 GB      Volume name says it all; it's the built-in Recovery Partition for this PC. DO NOT REMOVE

The blank 3 MB partition has to be removed via a partition manager, like on this thread http://community.norton.com/t5/Tech-Outpost/Rootkit-Boot-SST-b-is-NOT-coming-off-PLEASE-help/m-p/588858/highlight/true#M4588

If you don't know what you are doing at all, try to find someone who really does, as you don't want to delete the wrong (good) partitions; otherwise, on exiting the boot CD and booting from the hard drive, you will or could go nowhere: no Windows.

I will post on the other thread how to do it using 2 other boot CDs, with borrowed screenshots; it may take a while.

Quads

Re: BOOT.Tidserv

Oh, by the way, it's not 3 disks (drives); it's actually 1 hard drive with now 3 partitions, when it should have only 2 partitions.

Here is a cropped screenshot of the 1 hard drive with 3 partitions.

Quads

Re: BOOT.Tidserv

Thanks again for the GREAT help... I will try to get with my neighbor to see if he can help me with this step of the process. The one other question I have is: would fdisking the drive fix the issue as well?

Re: BOOT.Tidserv

Fdisking the drive does not help, as you would reformat the partition you are in (more than likely HP (C:)), and then when you clean-install Windows and everything else, including Norton again, Norton will, once updated, again detect the 3 MB partition.

As seen in another user's comment:

" A Norton technician advised me to wipe the hard drive and reinstall the OS. I did this, and after reinstalling Norton a full scan revealed Boot.Tidserv still infecting the PC. Norton directed me to try NPE and FixTDSS again, which were ineffective. I am also running the full version of MBAM and a full scan does not register the infection. I have also tried Kaspersky's tdsskiller which also does not register the infection.

I am not experiencing any overt symptoms but Norton scans continue to show it as an infection. I understand that Boot.Tidserv can survive OS reinstalls and I have been unable to resolve it with any of my usual tools"

I have the screenshots for using GParted step by step, using the example of a 1 MB MaxSS partition; I just have to place them in order and figure out what to type, simply put.

Quads

Re: BOOT.Tidserv

OK, that answers my question... I guess I'll wait till you have the time to post what/how I can do this myself. I will also check the link you provided as help. Is this something that a tech can do remotely, or does it have to be in person?

Re: BOOT.Tidserv

Well, one other question: the computer itself seems to run OK, although I have not used it for anything special at this time. If I just ignore the warning, will it cause any major issues in the future? Or is that 3 MB partition the virus hiding, waiting until I stop trying to kill it to come back?

Again thank you for the help.

Accepted Solution
Re: BOOT.Tidserv

Re: BOOT.Tidserv

Sorry it's taken me so long to reply. I will be looking at the other thread over the next couple of days. It's been a busy work week, and Xmas is this weekend. I will update and let you know if it worked or if I screwed the pooch :)

Thanks again and Merry Christmas

Re: BOOT.Tidserv

Don't worry, slow and steady is better. And oh, the earthquakes screwed my pooch, not me infecting it.

Quads

Re: BOOT.Tidserv

Hi, I have the same problem too... I have tried many things, but that BOOT.Tidserv still pops up in Norton. Can any expert help, please? Thanks

Re: BOOT.Tidserv

OK, I found a way to do it... Run diskmgmt.msc. Locate the drive that is less than 15 MB. Right-click on it and select Delete. You don't need to do any partitioning ~_~! After deleting that drive (make sure that drive is just a few MB large), that pop-up message from Norton regarding Boot.Tidserv will change to "Problem Been Fixed"!!!

Re: BOOT.Tidserv

NOTE:

My instructions with pics, to use a partition manager, are much safer for the system and user, as has been found out: just deleting a partition that may be in use means a possible BSOD from the forceful hit. Secondly, if the flag is not set correctly, then afterwards no partition will load, causing a bigger hole.

Modify my instructions at your own risk, but then please don't complain, as you modified what I did as a step-by-step guide.

Quads

Re: BOOT.Tidserv

icic. Thanks 

Re: BOOT.Tidserv

Before you delete that partition, please make sure that it is not the active or boot partition. If it is the active or boot partition, remove the active/boot flag from it and make the system drive (the drive on which the OS is installed) the active or boot partition...
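The two checks the posts above describe (find the blank partition of roughly 1 to 15 MB that should not be on the disk, and confirm the active flag sits on the Windows partition before that blank one is deleted) can be made explicit by reading the MBR partition table directly instead of eyeballing Disk Management. The following is an added example written for this page, not code posted by anyone in the thread. It parses a raw 512-byte MBR, lists the entries, and applies both checks. The sample MBR is constructed to mirror the layout Quads listed (3 MB blank, 291.83 GB HP (C:), 6.26 GB Recovery (D:)); the active flag being on the 3 MB partition, and the largest partition being the Windows one, are assumptions made for the example, not facts the thread states.

```python
"""Parse an MBR partition table and flag a tiny extra partition of the kind
described in this thread (a blank partition of roughly 1-15 MB on a disk that
should only carry the Windows and Recovery partitions).

Added example, not code from the thread. Standard MBR layout: four 16-byte
partition entries at offset 446, 0x55AA signature at offset 510.
"""
import struct
from dataclasses import dataclass

SECTOR = 512
MAX_SUSPICIOUS_MB = 15        # thread: "generally a partition between 1 and 15MB"


@dataclass
class Partition:
    index: int        # 1-based slot in the MBR table
    active: bool      # status byte 0x80 = bootable/active flag
    ptype: int        # partition type byte (0x07 = NTFS/exFAT/HPFS)
    lba_start: int
    sectors: int

    @property
    def size_mb(self) -> float:
        return self.sectors * SECTOR / (1024 * 1024)


def parse_mbr(mbr: bytes) -> list[Partition]:
    """Return the non-empty entries of a 512-byte MBR; raise on a bad sector."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (bad length or missing 0x55AA signature)")
    parts = []
    for i in range(4):
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA(4) count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue              # empty slot
        parts.append(Partition(i + 1, status == 0x80, ptype, lba, count))
    return parts


def triage(parts: list[Partition]) -> dict:
    """Apply the thread's two checks.

    1. Any partition of <= 15 MB is the likely MaxSS/SST remnant.
    2. The active flag must be on the Windows partition (assumed here to be
       the largest one) before the small partition is deleted; otherwise the
       machine may not boot afterwards.
    """
    suspicious = [p for p in parts if p.size_mb <= MAX_SUSPICIOUS_MB]
    active = [p for p in parts if p.active]
    largest = max(parts, key=lambda p: p.sectors) if parts else None
    flag_on_suspicious = any(p.active for p in suspicious)
    return {
        "suspicious": [p.index for p in suspicious],
        "active": [p.index for p in active],
        "flag_must_move_to": largest.index if (largest and flag_on_suspicious) else None,
        "safe_to_delete": bool(suspicious) and not flag_on_suspicious,
    }


def make_entry(active: bool, ptype: int, lba: int, count: int) -> bytes:
    """Build one 16-byte MBR entry with zeroed CHS fields (LBA is what matters)."""
    return struct.pack("<B3xB3xII", 0x80 if active else 0x00, ptype, lba, count)


# Constructed sample MBR (no boot code) mirroring the thread's disk layout.
# The active flag on the 3 MB entry is an assumption for the example.
SAMPLE_MBR = (
    bytes(446)
    + make_entry(True, 0x07, 63, 6144)                  # 3 MB blank partition
    + make_entry(False, 0x07, 6207, 612011868)          # ~291.83 GB HP (C:)
    + make_entry(False, 0x07, 612018075, 13128172)      # ~6.26 GB Recovery (D:)
    + bytes(16)                                         # empty fourth slot
    + b"\x55\xaa"
)


def read_physical_mbr(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a real disk. Needs Administrator on Windows
    (or root with e.g. /dev/sda on Linux). Not called by default."""
    with open(path, "rb", buffering=0) as f:
        return f.read(SECTOR)


if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(f"#{p.index} type=0x{p.ptype:02x} start={p.lba_start} "
              f"size={p.size_mb:.2f} MB active={p.active}")
    print(triage(parts))
```

The result for the sample says partition 1 is suspicious, partition 1 holds the active flag, the flag must move to partition 2 first, and deletion is not yet safe; once the flag is on the C: partition, `safe_to_delete` becomes true. To check a real disk, pass `read_physical_mbr()` to `parse_mbr` from an elevated prompt; the script only reads, it never writes the table.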

Re: BOOT.Tidserv

My instructions say so about the flag; or maybe people are not reading the instructions properly.

Quads

Re: BOOT.Tidserv

Looks like the listed correction may have fixed my issue. I no longer have the third partition, and when I start the computer the warning does not come up any longer (although I had to remove it from the unresolved list after the first boot-up).

Thank you very much. Now I can get this moved back to where my son can continue using it, and my wife will no longer complain about it :)

Again Quads THANK YOU for all the help!!!!

Re: BOOT.Tidserv

No Problem.

Quads

Re: BOOT.Tidserv

Hey Quads... I want to thank you too. I had a very similar issue and was able to work my way through it due to your excellent instructions. I appreciate it a lot! Thanks!
