Symantec found Boot.Tidserv

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by TonyPTY, Nov 11, 2011.

  1. TonyPTY

    TonyPTY Private E-2

    Hello, since this morning my Symantec scan shows

    Scan type: Manual Scan
    Event: Risk Found!
    Risk: Boot.Tidserv
    File: Master Boot Record for Physical drive number 0
    Location: Boot Record
    Computer: HOME
    User: HOMEUSER
    Action taken: Clean failed : Quarantine failed
    Date found: Friday, November 11, 2011 3:37:20 PM


    So far I tried running MBRCheck, Kaspersky TDSSKiller 2.6.18.0, Symantec FixTDSS and Malwarebytes 1.51.2.1300...none of the mentioned show a risk.

    Additionally, I ran a fixmbr through Windows repair.

    Do I have a new strain of TIDSERV that other products don't recognize yet?
    Or is SYMANTEC going crazy?

    My last Symantec scan with no alerts was on 11-6-2011

    Thanks,
    Tony
     

  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, TonyPTY! :)

    According to your logs the MBR is clean, and it should be since you have already done fixmbr. However, let's give this program, which is supposed to detect and resolve boot.tidserv if present, a try.

    Please download FixTDSS by Symantec to your desktop.
    • Double-click it to run.
    • Follow the prompts.
    • Let me know if this one detects boot.tidserv on your system.

    If you would like me to check for other malware, read and follow this: READ & RUN ME FIRST Malware Removal Guide
     
  3. TonyPTY

    TonyPTY Private E-2

    Just ran update in Malwarebytes, Search and Destroy and SuperantiSpyware....no files infected found. :crybaby
     
  4. thisisu

    thisisu Malware Consultant

    Did FixTDSS detect anything?

    Are you actually having any problems? Normally if you have boot.tidserv, you would be getting redirected while on the internet.
     
  5. thisisu

    thisisu Malware Consultant

    What you might also want to try is rerunning TDSSKiller but using the "Change Parameters" function and putting a checkmark in "Detect TDLFS File system". Leave the other checkbox unchecked. Then scan.

    Did it find a TDLFS File system?
     
  6. TonyPTY

    TonyPTY Private E-2

    Symantec TDSS Fix Tool 2.1.3 says Backdoor.Tidserv has not been found on your computer.

    Kaspersky TDSSKiller using Detect TDLFS File system says it found one warning. It's asking whether to skip, copy or delete?

    I attached the log
     

  7. thisisu

    thisisu Malware Consultant

    Rerun TDSSKiller using the same parameters as before, but this time when it finds TDSS File System, let TDSSKiller delete it.
    Attach this log when you are finished. Then let me know if your Symantec still reports boot.tidserv.
     
  8. TonyPTY

    TonyPTY Private E-2

    Done, file deleted...however Symantec keeps showing

    Scan type: Manual Scan
    Event: Risk Found!
    Risk: Boot.Tidserv
    File: Master Boot Record for Physical drive number 0
    Location: Boot Record
    Computer: HOME
    User: HOMEUSER
    Action taken: Clean failed : Quarantine failed
    Date found: Saturday, November 12, 2011 1:28:31 PM

    Should I restart PC?
     

  9. thisisu

    thisisu Malware Consultant

    You can; typically TDSSKiller does not need to reboot in order to remove the TDLFS. It reports that it is gone now.

    What problems are you having? I know you said your other scans were clean too. Are you getting redirected in browsers or anything like that? Describe the problems you are having other than Symantec reporting there is an infected MBR.

    If you are having problems I would recommend going through the READ and RUN ME FIRST thread so we can check for any leftovers that malwarebytes/SAS may be missing.
     
  10. TonyPTY

    TonyPTY Private E-2

    Not having any issues...apart from Symantec Reporting the warning.

    Just nervous about going into my email and other password entry sites :(
     
  11. thisisu

    thisisu Malware Consultant

    I have conferred with chaslang about this and we are thinking it could be a false detection by Symantec. The MBR (symantec calls it "boot.tidserv") may have indeed been infected at first and that was detected by Norton. However, since you repaired it on your own, without Norton's assistance by using the fixmbr command from the Recovery Console -- Norton's security history cache is probably still (now falsely) reporting that there is still a problem since Norton was unable to resolve this issue for you on its own.

    I do not know which version of Norton you have, but this link should help you clear Norton's Security History >> http://community.norton.com/t5/Nort...r-Out-Security-History-Entries-vs/td-p/269575
     
    Last edited: Nov 12, 2011
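The diagnosis above hinges on being able to tell whether the MBR on disk has actually changed, independently of what a scanner's history cache says. The following is an added example, not code from this thread or from any of the Symantec or Kaspersky tools mentioned; it parses a raw 512-byte MBR image, checks the 0x55AA boot signature and partition table, and compares a SHA-256 of the 446-byte boot code against a baseline recorded from a known-clean state. The MBR bytes and the baseline hash are constructed for the example (no real boot code or hashes are used); in practice the sector would be read from a saved dump of physical drive 0 made while the system was known to be clean.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: bootstrap code (what a bootkit overwrites)
PARTITION_TABLE_OFFSET = 446  # 4 entries x 16 bytes
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
ENTRY_FORMAT = "<B3sB3sII"    # status, CHS start, type, CHS end, start LBA, sector count


def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Construct a 512-byte MBR image for testing (constructed sample, not a real dump)."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    table = b""
    for status, ptype, start_lba, size in partitions:
        table += struct.pack(ENTRY_FORMAT, status, b"\x00\x00\x00", ptype,
                             b"\x00\x00\x00", start_lba, size)
    table = table.ljust(64, b"\x00")
    return code + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Decode the fixed MBR layout into something a human can compare."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs1, ptype, _chs2, start, size = struct.unpack_from(ENTRY_FORMAT, sector, off)
        if ptype != 0:  # type 0x00 means an unused slot
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "start_lba": start, "sectors": size})
    return {
        "boot_signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": entries,
    }


def check_mbr(sector: bytes, known_good_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the recorded baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["boot_signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != known_good_sha256:
        # A changed bootstrap area with an intact partition table is the classic bootkit shape.
        findings.append("boot code differs from recorded baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected 1)")
    return findings


# --- constructed sample data (hypothetical, not taken from any real disk) ---
CLEAN_BOOT_CODE = bytes.fromhex("fa33c08ed0bc007c8bf45007501ffbfcbf0006b90001f2a5ea1d060000")
SAMPLE_PARTITIONS = [
    (0x80, 0x07, 2048, 204800),      # bootable NTFS system partition
    (0x00, 0x07, 206848, 1000000),   # second NTFS partition
]
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, SAMPLE_PARTITIONS)
# Baseline recorded when the machine was known to be clean.
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
# Same partition table, different bootstrap code: what a re-scan should flag.
MODIFIED_MBR = build_sample_mbr(b"\xeb\x58\x90" + CLEAN_BOOT_CODE, SAMPLE_PARTITIONS)


def main():
    for name, image in (("clean", CLEAN_MBR), ("modified", MODIFIED_MBR)):
        findings = check_mbr(image, BASELINE_SHA256)
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")


if __name__ == "__main__":
    main()
```

Running this with a dump taken after fixmbr against a baseline recorded beforehand gives a direct answer to the question in this thread: if the boot code hash matches the clean baseline, a scanner still reporting the MBR as infected is reporting from its own history rather than from the disk.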
  12. thisisu

    thisisu Malware Consultant

    Whoops! Did not see that you ran FixTDSS prior to making this thread :)
     