
boot.tidserv


26 replies to this topic

#1 geo_stroi


Posted 14 February 2011 - 08:27 AM

Norton Internet Security keeps showing a message window saying that it can't remove boot.tidserv, which is very annoying. I performed all the steps they recommend but... the same result: zero. I hope you will help me to get rid of this malware.



#2 JSntgRvr


Posted 14 February 2011 - 10:11 AM

Hi, welcome!

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 geo_stroi


Posted 15 February 2011 - 07:17 AM

OK, this is the report.

#4 JSntgRvr


Posted 15 February 2011 - 10:49 AM

You have two hard drives. One has Windows XP as the operating System. What is the use of the second drive? Is there a dual boot system installed?



#5 geo_stroi


Posted 15 February 2011 - 12:32 PM

I have two drives:
D: is the system drive, C: is the drive with all my data (music, movies, etc)

#6 JSntgRvr


Posted 15 February 2011 - 12:39 PM

Run MBRCheck.exe once again.

You will be presented with the following dialog:

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Enter Y and press Enter.

The following dialog will be presented:

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:


Enter 2 and press Enter

The following dialog will be presented:

Enter the physical disk number to fix (0-99, -1 to cancel):


Enter 0 and press Enter (Meaning zero)

The following dialog will be presented:

Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive:


Enter 1 and press Enter

The following dialog will be presented:

Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue:


Type YES and press Enter (you must type the full word, YES). You will be informed if it successfully wrote a new MBR code!

And last the following dialog will be presented:

Done! Press ENTER to exit...


Press Enter. A report will be produced on the desktop. Post that report in your next reply.



#7 geo_stroi


Posted 17 February 2011 - 09:10 AM

OK, THIS IS THE NEW REPORT

#8 JSntgRvr


Posted 17 February 2011 - 09:51 AM

Has the detection of the boot.tidserv disappeared?

Let's scan the system.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If any of these applications will not uninstall, it is first recommended to uninstall it with AppRemover by Opswat. http://www.appremover.com/supported-applications. Do not use AppRemover on Norton

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt".
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

Edited by JSntgRvr, 17 February 2011 - 09:55 AM.



#9 geo_stroi


Posted 17 February 2011 - 10:34 AM

Here is ComboFix.txt

#10 geo_stroi


Posted 17 February 2011 - 10:40 AM

Unfortunately, the detection alert of the boot.tidserv didn't disappear.

#11 JSntgRvr


Posted 17 February 2011 - 12:08 PM

Run MBRCheck.exe once again.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

Please download Malwarebytes' Anti-Malware from Here. Never download Malwarebytes' Anti-Malware from other sources.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



#12 geo_stroi


Posted 17 February 2011 - 01:21 PM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5785

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

17.02.2011 20:12:00
mbam-log-2011-02-17 (20-12-00).txt

Scan type: Quick scan
Objects scanned: 146639
Time elapsed: 1 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 JSntgRvr


Posted 17 February 2011 - 01:44 PM

Let's use the Recovery Console.

At startup select the Recovery Console and follow the prompts to reach the Command prompt. At the prompt type the following and press Enter:

fixmbr \Device\HardDisk0

Use the right syntax and confirm the writing of the boot sector, then type Exit and press Enter to restart the computer.

To confirm, run MBRCheck.exe in Normal Mode once again

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

Edited by JSntgRvr, 17 February 2011 - 01:44 PM.



#14 geo_stroi


Posted 17 February 2011 - 03:41 PM

same problem

#15 JSntgRvr


Posted 17 February 2011 - 05:07 PM

Let's take a look at the Master Boot Record. See if you can follow these instructions:

Download MBRFix from here.

Save and extract its contents to the USB drive.

Boot the computer with the Reatogo CD and insert the USB drive. There are three files in the MBRFix folder. From these, only copy the MBRFix.exe to the root directory of the Local Drive, (C:\).

When saved, the MBRFix.exe should appear as C:\MBRFix.exe.

Bring the computer to a Command Prompt (Click on the Start button, then on Run. Type CMD and click OK).

At the prompt type the following and press Enter after each line:

C:
cd C:\
MbrFix /drive 0 savembr MBRDUMP.txt


The last command is as follows:

MbrFix[Space]/drive[Space]0[Space]savembr[Space]MBRDUMP.txt (Meaning, leave a space when typing the command where indicated)

The drive is Drive zero (Drive 0)

This will create a file in the C:\ folder labeled MBRDUMP.txt. Copy this file to the USB and attach it to a reply.

Edited by JSntgRvr, 17 February 2011 - 05:08 PM.
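
An added example, not part of the original thread and not code from MBRFix or MBRCheck: one way to review a raw 512-byte MBR dump such as the MBRDUMP.txt saved above, by checking the boot signature, listing the partition entries and hashing the boot code area for comparison against a dump taken from a known-good disk. It assumes the classic MBR layout (440 bytes of boot code, partition table at offset 446, signature at offset 510); the helper names and the sample sectors are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bootstrap code area in the classic MBR layout
PART_TABLE_OFF = 446         # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"      # boot signature at offset 510


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into the fields worth reviewing."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"slot": i, "active": status == 0x80,
                          "type": ptype, "lba_start": lba_start,
                          "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_id": struct.unpack_from("<I", sector, 440)[0],
        "partitions": parts,
    }


def boot_code_changed(dump: bytes, baseline: bytes) -> bool:
    """True when the bootstrap code differs from a trusted baseline dump."""
    key = "boot_code_sha256"
    return parse_mbr(dump)[key] != parse_mbr(baseline)[key]


def make_sample(boot_fill: int) -> bytes:
    """Constructed test sector: filler boot code, one active NTFS partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 1_000_000)
    return (bytes([boot_fill]) * BOOT_CODE_LEN + struct.pack("<IH", 0x1234ABCD, 0)
            + entry + bytes(48) + SIGNATURE)


if __name__ == "__main__":
    baseline, suspect = make_sample(0x90), make_sample(0xCC)
    print(parse_mbr(suspect))
    print("boot code differs from baseline:", boot_code_changed(suspect, baseline))
```

A valid signature and an intact partition table say nothing about the boot code itself, which is why the hash comparison is the useful check after a restore. A dump read from an offline boot environment, as in the post above, avoids relying on disk reads served by the installed system.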
