A couple of days ago my computer began just shutting down... namely when I plugged in my USB drive. Then it simply stopped being able to boot up into Windows; it would get as far as the loading screen, the mouse/KB would flicker, then it would quit.
I ran Spybot and determined I have TDSS.RTK... I have been doing MUCH reading and have done many things at this point, but nothing seems to work.
I will try and detail the process here as best I can, but I'm at work and not supposed to be doing this.
My computer at this point will ONLY start in safe mode.
After running Spybot, I "removed" the virus, and it still wouldn't work. So I began looking through devices. I've removed "LEGACY_TDSSServ" entries from the registry, except for some entries that can't be removed and I can't give myself permission to remove. "tdssserv.sys", the entries seem to be empty.
I've uninstalled the device from the hidden devices area of the device manager, I've run malwarebytes (yes it loaded) and a2, which has removed a lot of stuff but fails to fix the problem.
I have a new HD, that was unpartitioned, I unplugged my old HD (I thought it had died) and plugged the new one in. I popped in MiniPE so I could prepare the drive.
As it was loading, I got a warning stating that my boot sector would be modified. I allowed it (stupidly) as I thought it was part of MiniPE... Windows begins to install on the new drive, gets as far as "Installing Devices" and halfway through that process quits... so I've also corrupted/infected a new hard drive and can't install Windows on it.
I'm going to try and format the new drive when I get home and see if I get anywhere with that, but if this virus is on any of my other 4 hard drives (it must have been, to somehow modify the boot sector on a totally new drive), plugging them in will infect me again, but there are 720GB of data on those drives that I need to save before I could format them.
I had posted this problem on another forum; below I have quoted my posts on that board detailing what I've done. It has been cut down, so as to include only information relevant to the problem... I had originally suspected bad hardware so that was also a part of the discussion... I now know it's not bad hardware.
I can't install Windows on a new drive, with the old one removed... I've also tried with my other 4 HDs all disconnected as well.
When using a live CD (a PE environment such as MiniPE and similar) the same thing happens: it gets to the loading screen and then conks out, just after my keyboard and mouse flicker (lights) after being loaded.
I suspect USB, just before this started it would just shut down when I inserted my USB flash drive.
scanning with spybot turns up win32.tdss.... which apparently is a rootkit or uses such technologies....so I removed it with that, and this gets me thinking now too.
When I installed the new unpartitioned HD, I got a warning when booting up that the MBR will be modified, continue? This was when loading MiniPE, as it was the first thing I popped in with the new HD, so I could set it up.
I figured it was MiniPE doing something to the boot track so I allowed it.
If this is an effect of the rootkit, how was it able to modify the boot track on a totally new drive... this happened when loading MiniPE, and with an HD with no partitions...
would a format /mbr fix it perhaps?
spybot seems to have removed it and my computer will now start in regular mode.
I did also uninstall a bunch of stuff, so my big concern here right now is, can I fix the brand new HD I have, so that windows will install on it, and since I will be formatting this one, how can I make sure I've cleaned it all off of this one?
obviously it was able to linger behind somehow when I removed this drive entirely, and plugged in the new one, so I'm really lost there...... but I gotta nail this and find a good but lightweight AVS to go with spybot.
spoke too soon..... it was running then shut down and had the same symptoms again.
There are registry entries for Legacy.TDSS that I can't delete because it won't let me, and it's referencing TDSSserv.sys, which I can't find, and I have all hidden files and system files visible too.
Going through device manager, showing hidden devices and looking under non-plug and play devices yielded results... I "uninstalled" the device driver for this thing, and am now running Malwarebytes.
I also went through the registry and deleted the LEGACY_TDSSSERV entires by granting myself permissions to do so (the device changes permissions so you can't delete it)
I will see what happens after this.
I tried Malwarebytes and it worked a bit, but now detects nothing after "fixing it" and I'm still having problems.
tried using recovery console to no avail.
If it's on my flash drive, how the hell do I get it off of there?? Same with my other drives, because obviously it was somehow on one of those when I installed this new drive... this new drive was installed with no partitions, and using a live CD, and it still crapped out... then I popped in the Windows CD, and it craps out during the device installation.
so I can easily format the new drive, redo the partitions, and leave my other drives disconnected, but if it does work after that, I need to reconnect my other drives without infecting the new one......
This would leave me a 40GB drive for data backup, and over 720GB of data to backup in order to be able to format my 4 other hard drives.
I've disabled the service through the recovery console, used Spybot and Malwarebytes to remove it, deleted the registry entries, fixed the boot record and boot sector, and still the bloody thing is loading somehow.
I haven't formatted this drive yet, as I don't want to end up with absolutely no access to the internet, if it ends up infecting a new install from the old drives.
At least this way I can use safe mode and have the internet available... something has to remove this and be able to leave me using this install so it can clean it from ALL my drives.
POSTED BY NITEMARE
Try the rootkit tool, and/or the rescue system. My usual procedure is to run AntiVir after turning heuristics on high, then run Malwarebytes Anti-Malware, and that usually cleans it all up.
So the rootkit removal tool tells me it can't run because it isn't configured properly... same error each time, even with new downloads.
a2 found other stuff (Reflexive/PopCap games/Insaniquarium are viruses??) but nothing for TDSS...
So that's it up to this point, I think.
Please help, I need to get rid of this...
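The post describes two of the classic traces this family leaves: a LEGACY_* key under the Enum\Root registry branch whose permissions have been changed so it cannot be deleted, and a service entry pointing at a driver file (tdssserv.sys) that is not visible on disk. The script below is an added example for checking a Windows box for exactly those symptoms; it is not code from the original post or from any of the tools mentioned. It assumes a modern PowerShell with the built-in registry provider, reads only (it changes nothing), and the registry paths it walks are the standard `HKLM\SYSTEM\CurrentControlSet\Enum\Root` and `HKLM\SYSTEM\CurrentControlSet\Services` branches. Run it from an elevated prompt so the ACL reads succeed.

```powershell
# Added example (not from the original post): report LEGACY_* non-PnP driver
# entries whose service binary is missing on disk or whose registry key carries
# explicit Deny ACEs, the two symptoms described in the post above.
# Read-only: it prints findings and removes nothing.

$enumRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-DriverPath {
    # Normalise the ImagePath forms seen for drivers:
    #   system32\drivers\x.sys, \SystemRoot\system32\drivers\x.sys, \??\C:\...\x.sys
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$findings = foreach ($key in Get-ChildItem -Path $enumRoot -ErrorAction SilentlyContinue) {
    if ($key.PSChildName -notlike 'LEGACY_*') { continue }

    $svcName = $key.PSChildName -replace '^LEGACY_', ''
    $svcKey  = Join-Path $services $svcName

    # Does the matching Services\<name> entry exist, and is its binary on disk?
    $imagePath = $null
    $binaryPresent = $false
    if (Test-Path $svcKey) {
        $imagePath = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
        $resolved  = Resolve-DriverPath $imagePath
        if ($resolved) { $binaryPresent = Test-Path -LiteralPath $resolved }
    }

    # Has something planted Deny entries on the LEGACY_ key (the "can't delete" symptom)?
    $denyAces = @()
    try {
        $denyAces = (Get-Acl -Path $key.PSPath).Access |
            Where-Object { $_.AccessControlType -eq 'Deny' }
    } catch { $denyAces = @('<ACL unreadable>') }

    if (-not $binaryPresent -or $denyAces.Count -gt 0) {
        [pscustomobject]@{
            LegacyKey     = $key.PSChildName
            ServiceKey    = if (Test-Path $svcKey) { $svcKey } else { '<missing>' }
            ImagePath     = $imagePath
            BinaryOnDisk  = $binaryPresent
            DenyAceCount  = $denyAces.Count
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No LEGACY_* entries with a missing binary or Deny ACEs found.'
}
```

A hit on this list is a lead, not a verdict: plenty of legitimate legacy drivers leave a LEGACY_* key behind after uninstall, so compare the service name and ImagePath against what is actually installed before treating it as the rootkit's. Because a kernel-mode rootkit can hide its own files and keys from a running system, the authoritative check is still an offline scan (boot from clean rescue media, as suggested in the reply quoted above) rather than anything run from inside the infected install.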