Boot.tidserv.b- A *NASTY* virus!

Hello, my friend's laptop has been infected with Boot.tidserv.b and it is probably the worst virus I have ever seen, and that is saying a lot. I work in a PC shop as a computer engineer so obviously I deal with PCs that have nasty infections all the time. This virus has COMPLETELY bricked my friend's Seagate Momentus; MBR reset fails, low level format fails, format fails, wiping fails, DBAN fails, SpinRite fails, Active@ KillDisk fails and obviously installing Windows XP fails (big huge BSOD every time). This is by far the most malignant and relentless virus I have EVER seen. I docked the hard drive externally using my SATA X-Dock built into my CM 690 II case and it copied itself directly to 0x80 on the C:\ MBR sector, even with NIS 2011 (all definitions updated) on 'aggressive settings' on all variables including pre-boot protection. It nearly bricked my SSD. Thankfully I was able to re-image my SSD and run NIS 2011, which after a couple of tries removed it completely (Thank goodness!). Here is the link to the Symantec writeup, which I think is absolutely erroneous in its statements of being a "low threat" and "easy to remove": http://www.symantec.com/security_response/writeup.jsp?docid=2011-011801-4700-99 This rootkit is exceptionally, extraordinarily hard to remove and is hugely, stupendously destructive! I would like a second opinion: would I have to buy in a new hard drive and a new copy of Windows for my friend (license key and disc have been lost) or is there an obscure way to fix this MBR error?

Many regards; Cameron (Cametron)

Replies

Re: Boot.tidserv.b- A *NASTY* virus!

Hi. If you are able to log in to the infected PC you need to run TDSSKiller (the Backdoor.Tidserv cleaning utility from Kaspersky Lab); here is a direct link: kaspersky.com. This tool is constantly updated (depending on fresh samples of this rootkit); the last update was yesterday around 13:00 PM EET (+3 GMT). It is fast and easy to use. Just read the instructions here: http://support.kaspersky.com/viruses/solutions?qid=208280684 [edit: Please do not link to direct downloads per the Participation Guidelines and Terms of Service.]

Re: Boot.tidserv.b- A *NASTY* virus!

Hello Cametron

Welcome to the Norton Community Forum

I would recommend a visit to one of the malware removal sites and register with them and put the name of the malware in the title of thread.

Please go to one of these free Forums for help in removing your bad malware or rootkits.


http://www.bleepingcomputer.com

http://www.geekstogo.com/forum/

http://www.cybertechhelp.com/forums/

http://forums.whatthetech.com/

(Thanks to Delph for providing the list of sites)

Please let us know which one you pick to register with and how you made out. Thanks.

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit NS with BackUp 22.11.2.7 Core 213 I E 11

Re: Boot.tidserv.b- A *NASTY* virus!

You're right. I think TDSSKiller can defeat Tidserv by itself, but if the PC is heavily infected by other (previously undetected) malware then the backdoor may be resurrected, because there is a lot of other malware that downloads Tidserv onto compromised systems.

Try Kaspersky 911 virus removal service:  http://kaspersky-911.ru/?&lang=2 - it's free. (Just my 2 cents :) )


Re: Boot.tidserv.b- A *NASTY* virus!

Boot.tidserv is not a virus, it is a TDL bootkit.  If it has downloaded other infections, it may be difficult to get the necessary scans and tools to run.  Also when the MBR is affected care must be taken if it is an OEM version with additional necessary files included.

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: Boot.tidserv.b- A *NASTY* virus!

Thanks for the replies, guys. However, I have just managed to zero the drive using Acronis Drive Cleanser, but the virus still remains at 0x80 :( BSOD when reinstalling Windows.

The XP installation launches, loads the appropriate drivers and kernels then when it tries to "start windows NT" I get this Bluescreen of death.


Re: Boot.tidserv.b- A *NASTY* virus!

You have already reformatted the Hard Drive and done a standard 0 pass wipe, so TDSSKiller won't work any more?? As there is no Windows.

If so, You need to DOD the whole Hard Drive, so as to wipe everything.

Reformatting the Hard Drive doesn't work, as I have said in the past, to people who just love to say Reformat.

Quads


Re: Boot.tidserv.b- A *NASTY* virus!

Strange. Try booting from a clean CD (even from NBRT), then open a command line and type fixmbr \Device\HardDisk0; it will completely overwrite your current (infected) MBR with the default Microsoft MBR.


Re: Boot.tidserv.b- A *NASTY* virus!

Not strange, it's happened in the past, where reformatting and standard wiping with 0's doesn't work.

Quads


Re: Boot.tidserv.b- A *NASTY* virus!

See if you can find an old version of Norton Ghost. One of its tools on the CD is GDISK, which has a DoD wipe option. Cleaning the drive with that option could take days, so be prepared. If you still have the boot virus after the DoD wipe completes, throw away the drive.

Sidebar - don't know if old Ghost versions will work on a SSD drive?


Re: Boot.tidserv.b- A *NASTY* virus!

Do not post such solutions. A boot virus (aka bootkit) hosts its startup code in the MBR sectors, so if the user can boot from clean media and repair the infected MBR then the trojan code should be broken. There are also many tools which can handle a bootkit infection (e.g. TDSSKiller from Kaspersky Lab).

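The point made above, that a bootkit keeps its startup code in the MBR and that a repair such as the fixmbr suggested earlier replaces that code, can be checked directly from clean boot media. The Python below is an added example, not code from this thread, Norton or Kaspersky: it parses sector 0 of a suspect disk, hashes the 440-byte boot code against a known-good reference (assumed to come from a trusted machine's MBR or a vendor recovery image) and sanity-checks the partition table; all sample bytes are constructed.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # bootstrap code; bytes 440..445 hold disk signature + padding
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, partition entries and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, num_sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "num_sectors": num_sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}


def check_mbr(sector: bytes, known_good_boot_code_sha256: str) -> list:
    """Return findings as strings; an empty list means nothing looked wrong."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature: not a valid MBR")
    if mbr["boot_code_sha256"] != known_good_boot_code_sha256:
        findings.append("boot code differs from known-good reference: "
                        "possible bootkit or non-standard loader")
    active = 0
    for i, p in enumerate(mbr["partitions"]):
        if p["status"] not in (0x00, 0x80):      # 0x80 marks the bootable entry
            findings.append(f"entry {i}: invalid status byte 0x{p['status']:02x}")
        active += p["status"] == 0x80
        if p["type"] != 0 and p["num_sectors"] == 0:
            findings.append(f"entry {i}: typed partition with zero length")
    if active > 1:
        findings.append(f"{active} active partitions; a valid MBR has at most one")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a one-partition MBR around the given 440-byte boot code (test data)."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    return (boot_code + b"\x12\x34\x56\x78" + b"\x00\x00"   # disk signature, padding
            + entry + b"\x00" * 48 + BOOT_SIGNATURE)


# Constructed samples: a "clean" MBR, whose boot-code hash stands in for a
# reference taken from a trusted machine, and a copy whose first 16 bytes of
# boot code were overwritten while the partition table was left intact.
CLEAN_MBR = build_sample_mbr((bytes(range(256)) * 2)[:BOOT_CODE_LEN])
KNOWN_GOOD_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
PATCHED_MBR = b"\x00" * 16 + CLEAN_MBR[16:]

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("patched", PATCHED_MBR)):
        print(name, check_mbr(image, KNOWN_GOOD_SHA256) or ["no findings"])
```

On a real case the sector would be read from the raw device while booted from clean media, since the infected loader can hide its own changes once it is running.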

Re: Boot.tidserv.b- A *NASTY* virus!

Seeing as the user has reformatted again and again, plus wiped with 0's, plus it sounds like they now can't install Windows from CD/DVD, just DOD'ing is the better option due to what has previously been done, and now there is no Windows.

Programs like TDSSKiller actually need Windows to be installed on the Hard Drive and able to load first before you can use TDSSKiller.

It's not a Boot virus, as it's not a Virus.

Quads


Re: Boot.tidserv.b- A *NASTY* virus!

would I have to buy in a new hard drive and a new copy of windows  for my friend (License key and disc has been lost) or is there an obscure way to fix this MBR error?

________________________________________________________________________________

Since the drive was wiped, were the partitions left in the same place?  How was XP installed without the disc and licence?  What brand of laptop is this and how old?  Was the licence key removed from the bottom of the machine?  I can see an issue developing where older HPs won't run without their own drivers, and the licence key being tied to an OEM installation.

It may come down to ordering a new drive and system disc from the manufacturer in order to get the machine running again as it should.

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: Boot.tidserv.b- A *NASTY* virus!

Yes, you're right. I use the term virus generally to identify all malware. But this problem is not likely the malware infection; it's more likely hardware or BIOS problems. Also he may need additional software from the hardware manufacturer. "If you are trying to install the Windows XP from scratch on the laptop, please BE SURE that you put the Hard Drive on "Compatibility" mode in BIOS, which was defaulted to "AHCI" (Compatibility is also known as IDE). Otherwise, you will experience the "blue screen" issue. To change that setting, you need to do the following:
1. Press F2 when booting up the computer
2. Select 'Config', then 'Serial ATA (SATA)'
3. Change controller option to 'Compatibility' / 'IDE'"

From http://en.kioskea.net/forum/affich-118712-blue-screen-while-trying-to-install-xp


Re: Boot.tidserv.b- A *NASTY* virus!

Hahahahaha, I have come across Malware that can survive reformat after reformat after reformat............ and wipe with 0's.

I know Boot.tidserv.b (TDL4) and previous TDLs infected my system with countless Malware including Rootkits, Bootkits and viruses like Ramnit and Virut.

So I know of Malware that can survive what this user has tried. Boot.tidserv.b does not interfere with the BIOS.

Quads


Re: Boot.tidserv.b- A *NASTY* virus!

Hi

If you can't get XP itself installed, I think it's time you got professionals there; I do not know if Bleeping and others can help (they could have before the format, I guess).

Trying to sort out a problem which you know not much about can cause more problems.

Midou

Re: Boot.tidserv.b- A *NASTY* virus!

:P

Okay, can the user post the actual BSOD code when he is trying to install a fresh copy of Windows XP?


Re: Boot.tidserv.b- A *NASTY* virus!

See if the manufacturer of your SSD drive has a low-level format utility in a bootable DOS version. Some do and some don't. Appears Samsung and Intel have one. This should reinitialize the SSD to "factory new" state.

Of course, you have to perform the download and creation of the bootable media on another PC.

Here's a link to a discussion on the topic: http://forums.overclockers.co.uk/showthread.php?p=14378855

Warning - If you use a low-level format utility from any source other than your SSD manufacturer, you do so at your own peril.


Update - I just checked out the Samsung web site. Appears a firmware update will cause their SSD drives to be totally reinitialized. Might be a way to "kill two birds with one stone."


Re: Boot.tidserv.b- A *NASTY* virus!

I managed to DOD 3-pass my friend's hard drive and install Ubuntu, as Windows XP wasn't installing at all. Sorry for the missing error code; I took a photo and attempted to attach it, however I didn't realise it hadn't attached, as I had come off the forums directly afterwards.  Ubuntu seems to have not been touched at all in any way by the virus, and Ubuntu does what the user wants it to do, so I'll leave it with a nice install of Ubuntu for the time being :P As for my machine, NIS 2011 stopped it in its tracks so I am fine :) Sorry for not being as clear as I should have been, and I am extraordinarily grateful for the time and effort taken out of everyone's day to help me. This rootkit was horrid and hopefully I'll never see it again :P

Many regards; Cameron.


Re: Boot.tidserv.b- A *NASTY* virus!

The bootkit is not that bad now, as there are now tools created that are able to disinfect / cure the MBR back to its pre-infection state, including OEM MBRs, without needing to reformat or wipe.

But the Unresolved threats list in Norton's History has to be cleared afterwards otherwise the user will keep being notified of the detected threat even though it has been removed.

Quads


Re: Boot.tidserv.b- A *NASTY* virus!

Spent the last 27 days dealing with this virus on Windows 7 64 bit.  I paid for the additional Norton support and 27 days later it came down to a new install of the OS.  After 27 days and over 30 hours their solution was a reinstall?  Norton has the reputation of being the best and I was very disappointed.  So after a complete reinstall the virus was still there.  The tech abruptly said I would need to "take it into a local repair shop and have them fix it," and "thank you for using Norton, goodbye."

I'll try to get some of the money back but in the fine print it says no refunds.

I can get the same quality of coverage from a cheaper vendor.  If I've got to DOD wipe the drives anyhow I may as well switch now.


Re: Boot.tidserv.b- A *NASTY* virus!

Hi SamAllison:

Unfortunately, due to constant updating of the malware versions, any one of us can become infected at any time.  It is the price we pay for internet access.  It is also unfortunate that support was unable to remove the rootkit.  There are people who do very little else but study malware and volunteer on the free malware removal forums.

They assist many users with the same infection.  I recommend any one of these.

www.bleepingcomputer.com

http://www.geekstogo.com/forum/

http://www.cybertechhelp.com/forums/

http://forums.whatthetech.com/

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: Boot.tidserv.b- A *NASTY* virus!

TDSSKiller keeps being updated.

Secondly, the Symantec techs probably are not allowed to suggest the likes of TDSSKiller; FixTDSSkiller (by Symantec) may not be up to date.

Thirdly, reinstalling Windows won't work in removing the Bootkit, nor will reformatting.   Even if another way is used to disinfect / cure / repair TDL3 and above, Norton has to have its Unresolved threats list cleared, otherwise Norton will keep notifying the user or Tech that a threat has to be removed, making the user think they are still infected when in fact they are not.

I had to notify the Bleeping Computer Malware crew from the top down of this fact with Norton Products, as the helper(s) were thinking the user's PC was still infected after the user came back saying "Norton still detects the infection" after using TDSSKiller and other tools.

http://www.bleepingcomputer.com/forums/topic379465.html/page__st__15

Quads


Re: Boot.tidserv.b- A *NASTY* virus!

My dad appears to have this same virus. I have a couple (or few) questions that hopefully can be answered before I drive to see him:

It appears this virus may reside on an external drive that came from his last computer, which was replaced due to some sort of virus we were unable to remove. We kept the drive for the important files on it.

I believe we narrowed down its location to the external drive, since Norton doesn't find it when the drive is off, but almost immediately when you turn it on.

1) If the virus resides in the MBR (I assume Master Boot Record) is he still at risk even though it's an external drive? I assume the file is only accessed during bootup, no?

2) Is it safe to transfer the important files (albeit one by one if necessary) on to another drive and be assured we aren't taking the virus too?

3) Is there a log file for Norton that lists all "threats" and their location?

Thanks... I think that's it for now :)


Re: Boot.tidserv.b- A *NASTY* virus!

Hello swholden

I would recommend a visit to one of the free malware removal sites that have been mentioned before, or to follow Quads' advice. Thanks.

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit NS with BackUp 22.11.2.7 Core 213 I E 11

Re: Boot.tidserv.b- A *NASTY* virus!

He may have run the TDSS file, I'm not sure. I'll find out.

What about the fact that the virus resides on the external HDD... is this still a "major" issue? Or minor?

Oddly, depending on how Norton finds/reports the virus, the threat level is either high or low.


Re: Boot.tidserv.b- A *NASTY* virus!

swholden:

This infection is not a virus.  It's a TDL3/TDL4 rootkit.  Unless Norton is advising you of its position, it might or might not be in the MBR.  It can infect critical Windows system files, which is why Norton is not allowed to remove it.  Since rootkits download other malware, we don't have enough information to know what else could be on the hard drive, or whether it is safe to remove files from it.  The malware removal forums will give you the best advice.

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: Boot.tidserv.b- A *NASTY* virus!

Boot.xxxxxxx, as the detection for a piece of malware, equals an infection in the Boot Sector / MBR (or should be); that is what the Boot in the detection name is for. If the user downloads, or the installer is downloaded by drive-by etc., and Norton detects the .exe, then it should be detected as Backdoor.Tidserv; Norton then knows it is allowed to delete.

If a file is detected as Backdoor.Tidserv!inf, Norton should not be deleting, as this should mean it's detected an infected legitimate critical Windows file.

Some Boot.xxxxx detections:

Boot.Bootlock

Boot.Chan, Boot.DelPar, Boot.Mebratix, Boot.Mebroot, Boot.Smitnyl, Boot.Stonedbootkit, Boot.Tidserv, Boot.Tidserv.B, Boot.666.A, Boot.Abra1881, Boot.Adde.a, Boot.Adde.b, Boot.Altx.2900, Boot.Altx.2900 (2), Boot.Aragon, Boot.Babec.c, Boot.Babec.c (2), Boot.BootDr204, Boot.BootEXE.382, Boot.Brain, Boot.caca.391, Boot.Caper.1248, Boot.Chinese, Boot.DAN.WMA.423, Boot.Deadface, Boot.Deflo.6600, Boot.DelAutoex, Boot.Dragon1.b, Boot.Ebo.mp, Boot.Eight, Boot.**bleep**en, Boot.Falcon, Boot.Flame, Boot.FormatFD, Boot.Gomaboot.a, Boot.Gomaboot.b, Boot.Hide-and-Seek, Boot.HideMBR, Boot.Hitler, Boot.Hive, Boot.Hoppity, Boot.Incubus.a, Boot.Kfpro.c, Boot.Killer, Boot.Kilroy, Boot.Lamerman.c, Boot.Malmo, Boot.Mebratix.B, Boot.Megast.907, Boot.Megast.907 (2), Boot.Mia.9000, Boot.Oroch.3982, Boot.Pinquin.915, Boot.Pow.b, Boot.Qwerty, Boot.Rainbow, Boot.Ramones, Boot.School1180, Boot.School1180 (2), Boot.Sierra.a, Boot.Stoned.family, Boot.Stoned.March6, Boot.Tchechen.3420, Boot.Tequila.f, Boot.Tron, Boot.Tumen, Boot.Volga.family, Boot.Voodoo.3666, Boot.Xexyl, Boot.XOR

Quads


Re: Boot.tidserv.b- A *NASTY* virus!

How to avoid getting infected by TDSS class rootkits.

Has anyone ever heard of this old saying, "An ounce of prevention is worth a pound of cure?"

Below is per Microsoft, and I have posted the link to the entire article. I have also highlighted the most important points.

I would also strongly recommend disabling Java's cache, since I had a TDSS bad guy loaded there on a PC that I luckily caught before rebooting and was able to easily remove. BTW - I was running as an ADMIN on an XP box when this occurred. I learned my lesson and now never connect to the Internet with ADMIN privileges.

Prevention

Take the following steps to help prevent infection on your computer:
  • Enable a firewall on your computer.
  • Get the latest computer updates for all your installed software.
  • Use up-to-date antivirus software.
  • Limit user privileges on the computer.
  • Use caution when opening attachments and accepting file transfers.
  • Use caution when clicking on links to webpages.
  • Avoid downloading pirated software.
  • Protect yourself against social engineering attacks.
  • Use strong passwords.

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWinNT%2fAlureon.L


Re: Boot.tidserv.b- A *NASTY* virus!

Thanks for your help all.

After confirming the threat resided on the external HDD, I was able to clear this threat using the removal tool in this post!

Thanks again!


Re: Boot.tidserv.b- A *NASTY* virus!

Hello swholden

Thanks for coming back and giving us an update. I'm glad you were able to get your computer cleaned up.  Could you please indicate which removal tool you used? Thanks.

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit NS with BackUp 22.11.2.7 Core 213 I E 11

Re: Boot.tidserv.b- A *NASTY* virus!

Hi,

I used: kaspersky.com as indicated earlier in this post (about the 3rd post, I think).

I noticed that it seemed to only scan the drive that the file was executed on. At least it seemed that way, since it didn't find a threat right away.

I copied the file over to the drive(s) I suspected had the threat, and it found it almost immediately.

[edit: Please do not post direct links per the Participation Guidelines and Terms of Service.]