
tdsskiller/stuck at stop 0x8e loop


3 replies to this topic

#1 npires

Posted 21 October 2010 - 03:53 AM

Hi. Just to try to help the other guy with a similar problem in another topic. Yesterday I had the same problem described by someone else. While cleaning a customer computer, I used Kaspersky TDSSKiller to clean a TDL4-infected MBR. After that the symptoms were the same as reported by the other guy (computer BSOD after some seconds with a stop 0x8e, could boot fine in safe mode, but any changes with msconfig were lost after reboot, and in my case, while the computer said it was generating a memory.dmp, no new dump was found.) Spent the afternoon disabling services & drivers with msdart, and was getting nowhere. Tried bootrec Fixmbr/fixboot, slaved the HDD to another machine and ran Kaspersky AV on it and nothing was found.
Almost at the point of giving up and starting to rebuild the machine from scratch, I started to think for a minute and realized that the problems started after TDSSKiller repaired/rebuilt the MBR. So, I used TestDisk to write a new MBR, ran Windows Startup Repair, and then the machine was booting and running fine in 5 minutes again. My conclusion (may be wrong, I wish I had saved the TDSSKiller MBR before generating a new one with TestDisk): there is something wrong with the way TDSSKiller fixes the MBR.
Just my 2 cents

Nelson

Edited by Orange Blossom, 21 October 2010 - 03:56 PM.
Move to AV forum. ~ OB
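
For readers who, like the poster above, want a copy of the MBR to compare before and after a repair tool rewrites it, here is an added example (not part of the original post, and not TDSSKiller or TestDisk code). It splits a saved 512-byte copy of sector 0 into boot code, disk signature and partition table and reports which regions differ between two copies; the sample sectors and the `make_sample` helper are constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512
REGIONS = {                       # classic MBR layout, byte offsets in sector 0
    "boot_code": slice(0, 440),
    "disk_signature": slice(440, 444),
    "partition_table": slice(446, 510),
    "boot_signature": slice(510, 512),
}

def parse_mbr(sector: bytes) -> dict:
    """Split one saved 512-byte MBR sector into its regions."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):                              # four 16-byte entries
        entry = sector[446 + 16 * i: 462 + 16 * i]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:                           # type 0 = unused slot
            parts.append({"slot": i, "active": entry[0] == 0x80,
                          "type": entry[4], "lba_start": lba_start,
                          "sectors": count})
    return {
        "valid_signature": sector[REGIONS["boot_signature"]] == b"\x55\xaa",
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "boot_code_sha256": hashlib.sha256(sector[REGIONS["boot_code"]]).hexdigest(),
        "partitions": parts,
    }

def changed_regions(before: bytes, after: bytes) -> list:
    """Name the MBR regions that differ between two saved copies."""
    return [name for name, r in REGIONS.items() if before[r] != after[r]]

def make_sample(boot_fill: int) -> bytes:
    """Constructed sector: one active type-0x07 partition at LBA 2048."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    return (bytes([boot_fill]) * 440 + struct.pack("<I", 0x1234ABCD) + b"\0\0"
            + entry + bytes(48) + b"\x55\xaa")

if __name__ == "__main__":
    before, after = make_sample(0x90), make_sample(0xFA)
    print(parse_mbr(before))
    print("changed:", changed_regions(before, after))
```

If only `boot_code` is reported as changed, the partition table and disk signature survived the rewrite intact, which narrows where to look when the system still will not boot.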



#2 iMouse


Posted 28 October 2010 - 05:31 PM

You get an EPIC WIN for this post. I had the same issue with a box infected with Rootkit.Win32.TDSS.tdl4 which threw the same 0x0000008E error after TDSSkiller removed it from the MBR. I followed almost the same steps you did, thinking it was a hooked or damaged driver. Nothing...

No luck with fixmbr or fixboot either.

TestDisk wrote to the MBR in Safe Mode and the system was rebooted into Windows Vista Startup Repair from a Windows Vista disc. Fixed the box right away. Interesting how fixboot or fixmbr did not repair/rewrite the MBR to the extent that TestDisk did. Makes me wonder how effective TestDisk would be with Torpig/Mebroot/Anserin-infected boxes where the MBR has been hijacked as well.

I also noticed that it created some fake services with random file names pointing to files I removed from the /Users/username/AppData/Local/Temp directory. Opening a command prompt as an administrator and running 'sc delete servicename' junked the registry entries pointing to the rogue services.

Thanks Again!

#3 quietman7


Posted 28 October 2010 - 07:24 PM

...there is something wrong with the way tdsskiller fixes the mbr.

TDSSKiller does the job in most cases but occasionally something goes awry during the disinfection process. While fixing the Master Boot Record (MBR) is generally safe, there is always a small risk of damaging the operating system so that it will not boot up or the partitions may become corrupted which will then require advanced tools to repair.

TestDisk is a free data recovery utility primarily designed for advanced users to help recover lost partitions and/or make non-booting disks bootable again. When attempting to remove malware which infects the Master Boot Record (MBR), the computer may become unbootable due to a corrupted MBR and TestDisk can be used to fix or rebuild it.


The above information is intended for others reading this thread who have advanced knowledge of operating systems, file systems and using tools like TestDisk. For the novice user, TestDisk can collect detailed information about a corrupted drive which can then be sent to a technician for analysis and further assistance.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 DaChew


Posted 28 October 2010 - 08:32 PM

It seems both posters used a Windows repair disk immediately after letting TestDisk write a new MBR, I am wondering if TestDisk was even necessary?
Chewy

No. Try not. Do... or do not. There is no try.
