
W32.Tidserv.G

What is W32.Tidserv.G?

How does it affect your PC?

How to remove W32.Tidserv.G manually?

What is W32.Tidserv.G?

W32.Tidserv.G is also known as W32/TDSS.BU [F-Secure]. It can block website access from the compromised computer by simulating a DHCP server, and it propagates by copying itself to removable media drives.

Characteristics of the virus

W32.Tidserv.G is a worm that spreads by copying itself to removable drives. It may also simulate a fake DHCP server and download potentially malicious files onto the compromised computer.

How does it affect your PC?

Downloads additional files and redirects DNS queries: the fake DHCP server it simulates can hand out a malicious DNS server address, so name lookups from the compromised computer are answered by the attacker's server and website access is blocked or redirected.

How to remove W32.Tidserv.G manually?

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP)
Temporarily turn off System Restore before cleaning. System Restore keeps copies of files so they can be restored if they become damaged; if a virus, worm, or Trojan infects the computer, System Restore may have backed up the malicious files and can bring them back after they have been removed.

2. Update the virus definitions
There are two ways to obtain the most recent virus definitions:

  • Running LiveUpdate

This is the easiest way to obtain virus definitions.
If you use Norton AntiVirus 2006, Symantec AntiVirus Corporate Edition 10.0, or newer products, LiveUpdate definitions are updated daily. These products include newer technology.

If you use Norton AntiVirus 2005, Symantec AntiVirus Corporate Edition 9.0, or earlier products, LiveUpdate definitions are updated weekly. The exception is major outbreaks, when definitions are updated more often.

  • Downloading the definitions using the Intelligent Updater

The Intelligent Updater virus definitions are posted daily. You should download the definitions from the Symantec Security Response Web site and manually install them.

3. Run a full system scan

  • Start your Symantec antivirus program and make sure that it is configured to scan all files. For Norton AntiVirus consumer products, read the document: How to configure Norton AntiVirus to scan all files.
  • Run a full system scan.
  • If any files are detected, follow the instructions displayed by your antivirus program.

Important: If you are unable to start your Symantec antivirus product or the product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document, How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.  After the files are deleted, restart the computer in Normal mode and proceed with the next section.

 4. Delete any values added to the registry.

Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.

   a. Click Start > Run.
   b. Type regedit
   c. Click OK.

Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

d. Navigate to and delete the following registry subkeys and values:

   • HKEY_LOCAL_MACHINE\SOFTWARE\gaopdx
   • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys
   • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GAOPDXSERV.SYS
   • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\"PendingFileRenameOperations" = "[RANDOM HEXADECIMAL CHARACTERS]"
   • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSISERVER\0000\Control\"ActiveService" = "MSIServer"
   • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\"PendingFileRenameOperations" = "[RANDOM HEXADECIMAL CHARACTERS]"
   • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSISERVER\0000\Control\"ActiveService" = "MSIServer"

Note: CurrentControlSet is a link to one of the numbered control sets (ControlSet001 on most systems), so the CurrentControlSet and ControlSet001 entries above usually refer to the same data. PendingFileRenameOperations is also used by legitimate installers to rename or delete files at the next reboot, so inspect its contents and remove only the entries that reference the threat's files rather than the value as a whole.

5. Exit the Registry Editor.

Note: If the risk creates or modifies registry subkeys or entries under HKEY_CURRENT_USER, it is possible that it created them for every user on the compromised computer. To ensure that all registry subkeys or entries are removed or restored, log on using each user account and check for any HKEY_CURRENT_USER items listed above.

Note: Removing the threat may not automatically clear the malicious DNS settings that its fake DHCP server pushed to the computer. Check the DNS server addresses configured on each network adapter and the DHCP server that issued the lease (for example with ipconfig /all), and reset them if they do not match your network's legitimate servers; otherwise re-infection could be possible.
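The following script is an added example for the registry step above and for this note; it is not a Symantec tool and is not part of the original write-up. It parses the text of ipconfig /all, flags any DHCP server or DNS server that is not on an allow-list, and, when run on Windows, reports which of the registry indicators listed in step 4 are still present, including the individual PendingFileRenameOperations entries so they can be reviewed before anything is deleted. The allow-list addresses, the sample ipconfig output and the function names are assumptions made for the example.

```python
"""Post-removal check for W32.Tidserv.G (added example, not Symantec's tool).

The worm simulates a DHCP server that can hand out a malicious DNS server,
so after cleanup the adapter settings must be verified by hand. This script
parses `ipconfig /all` output and flags unexpected DHCP/DNS servers, and on
Windows reports the registry indicators named in the write-up.
"""
import re
import subprocess
import sys

# Assumptions for the example: the network's legitimate DHCP and DNS servers.
EXPECTED_DHCP_SERVERS = {"192.168.1.1"}
EXPECTED_DNS_SERVERS = {"192.168.1.1", "192.168.1.2"}

# Registry subkeys the write-up lists for this threat (under HKLM).
TIDSERV_KEYS = [
    r"SOFTWARE\gaopdx",
    r"SYSTEM\CurrentControlSet\Services\gaopdxserv.sys",
    r"SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GAOPDXSERV.SYS",
]

# Constructed sample of `ipconfig /all` output: the lease came from an
# unexpected host on the LAN, which also pushed a foreign DNS server first.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WORKSTATION1

Ethernet adapter Local Area Connection:

   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.57
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.23
   DNS Servers . . . . . . . . . . . : 203.0.113.9
                                       192.168.1.1
"""

ADAPTER_LINE = re.compile(r"^(\S.*):\s*$")          # "Ethernet adapter X:"
KEY_LINE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 -]*?)[ .]*:\s*(.*)$")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")   # IPv6 entries are ignored


def parse_ipconfig(text):
    """Return {adapter: {"dhcp_server": [...], "dns_servers": [...]}}."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        m = ADAPTER_LINE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {"dhcp_server": [], "dns_servers": []}
            last_key = None
            continue
        if current is None:
            continue
        m = KEY_LINE.match(line)
        if m:
            last_key, value = m.group(1).strip().lower(), m.group(2)
        elif line.strip() and last_key:
            value = line          # continuation line of a multi-valued entry
        else:
            last_key = None
            continue
        ips = IPV4.findall(value)
        if last_key == "dhcp server":
            adapters[current]["dhcp_server"].extend(ips)
        elif last_key == "dns servers":
            adapters[current]["dns_servers"].extend(ips)
    return adapters


def find_rogue_settings(adapters, expected_dhcp, expected_dns):
    """List (adapter, problem, address) for servers outside the allow-lists."""
    findings = []
    for name, cfg in adapters.items():
        for ip in cfg["dhcp_server"]:
            if ip not in expected_dhcp:
                findings.append((name, "unexpected DHCP server", ip))
        for ip in cfg["dns_servers"]:
            if ip not in expected_dns:
                findings.append((name, "unexpected DNS server", ip))
    return findings


def registry_indicators():
    """Return Tidserv registry indicators still present (Windows only)."""
    if sys.platform != "win32":
        return []
    import winreg
    present = []
    for path in TIDSERV_KEYS:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path))
            present.append(path)
        except OSError:
            pass
    # PendingFileRenameOperations is a normal Windows mechanism used by
    # installers, so list its entries for review instead of deleting blindly.
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                             r"SYSTEM\CurrentControlSet\Control\Session Manager")
        ops, _ = winreg.QueryValueEx(key, "PendingFileRenameOperations")
        present.extend("PendingFileRenameOperations: " + op for op in ops if op)
    except OSError:
        pass
    return present


if __name__ == "__main__":
    if sys.platform == "win32":
        text = subprocess.run(["ipconfig", "/all"], capture_output=True,
                              text=True, errors="replace").stdout
    else:
        text = SAMPLE_IPCONFIG   # offline demonstration on other platforms
    for adapter, problem, ip in find_rogue_settings(
            parse_ipconfig(text), EXPECTED_DHCP_SERVERS, EXPECTED_DNS_SERVERS):
        print(f"{adapter}: {problem} {ip}")
    for item in registry_indicators():
        print("registry indicator still present:", item)
```

Run it on the cleaned machine as an administrator; any line it prints means the adapter is still using a server you did not configure, or a registry indicator from step 4 survived, and the settings should be corrected before the machine is returned to the network.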

Additional Windows ME/XP removal considerations
