
Boot.Tidserv.B on Win7 64bit


2 replies to this topic

#1 MajBoothroyd

Posted 08 February 2011 - 11:18 AM

Hi there. On approximately December 21st earlier this year my computer got infected with a boot sector virus. I've waited on this issue, utilizing a backup PC, because at the time nothing could even diagnose it and also I wanted to enjoy my holidays without something awful like this looming over me.

So here goes. On the day of the event I was downloading what I thought would be some tool for helping me create human interface type macros, eg, move the mouse here click there and type in blah. I did not get this from a reputable site by any stretch of the imagination. I was foolishly looking for something for free that did this for me. Upon locating what I wanted I downloaded it and started to install it. Immediately Norton IS 2010 kicked in and said 'no'. When I looked up the reason it gave it turned out to be another of those generic names Norton hands out to suspected viruses based upon its heuristics. In other words, the file was labeled a virus because Norton had never seen it before and didn't trust the site it came from. I thought I was smarter than Norton and was tired of such labeling so I told it to ignore the file and allow me to run it.

After that I got a UAC popup from Windows asking me if I wanted to give this thing permission to run on my computer. Unfortunately this is pretty typical of installers and I rationalized my stupid decision by convincing myself that I could beat any such infection by simply following rules we've all learned for reacting to virus infections when they happen. Instantly the computer was thrust into a Blue Screen. It lacked all the typical bits of data of a blue screen as well, but said something akin to "The System has become dangerously unstable". I'm pretty sure I heard the drives spin down as well. So I did the one thing you should never do after getting a virus, I hit reboot.

Please don't beat up on me about this, I've already done plenty of it since then and I know how daft it was.

After initial reboot my system got as far as the main login screen before I regained my wits. I did not login but instead forced another reboot to safe mode. Within there I attempted to do a system scan with Norton, which at that time did not find any infections at all. I believe I then attempted to run a MalwareBytes scan which errored out before completing. I then restarted into Safe Mode one last time and ran one more Virus Scan in hopes of turning up something to no avail. I then rebooted the system hoping for the best. Upon logging in I received a Stop Error.

I cannot be precise on the first stop error because I only received this particular one once. It was most likely IRQL_NOT_LESS_OR_EQUAL or DRIVER_IRQL_NOT_LESS_OR_EQUAL. What I can say for sure is I researched the error that day and all relevant articles stated a service driver or process was attempting to gain higher permissions than it should have. What I understood this to mean is it was trying to jump itself to a higher security level (access level) than either the process which called it and/or the kernel itself. (If what I just described does not jive with the errors listed then please go by the description, and my apologies. I can recall what I read about the error but cannot find my notes on the exact error code.)

As I mentioned that was the first and last time I saw that error code. After that I restarted in safe mode once more and did a system restore to three days prior to the incident. I believe I attempted one last virus scan at this point. All virus scans at this time resulted in nothing. No detections. From this point forward all subsequent reboots resulted in a SYSTEM_SERVICE_EXCEPTION error code.
0x0000003B (0x00000000C0000005, 0xFFFFF800030D880C, 0xFFFFF8800A273D80, 00000000000000000)
That should be character for character the exact code.

At this point everything stops working. When I tried to load up Safe Mode I got that Stop Error, when it restarted windows didn't even get to logon before giving that error. Rinse and repeat, the system was a big blue brick. After this the only way to get any information off the computer was through boot disks. I tried the Win 7 Recovery tool and told it to attempt to diagnose and fix OS errors. Each time it returned an "Error Unknown" response.
Signature 4 = 21200944
Signature 5 = AutoFailover
Signature 6 = 4
Signature 7 = 0xA
LocaleID = 1033
In case any of that is relevant.

Finally I took to the internet and forums. By this point all my research has confirmed my worst fear, that I have a boot sector virus, however virus scanners did not confirm this. I used a Norton Bootable Recovery Disk to do a scan one last time before packing it in for Christmas. It turned up nothing. As of yesterday I burned a new recovery disk with current virus defs and sure enough it finds something right away: Trojan.Gen & Boot.Tidserv.B. Norton was unable to fix the latter but (supposedly) removed Trojan.Gen successfully. After this I read on the forums what kind of steps are preferred one takes prior to posting along with posting guidelines. I read about the AVG boot disk, downloaded it, ran it. AVG apparently looks at the partitions themselves but not the boot sector nor unpartitioned space, which Tidserv is notorious for using as I understand it. AVG did not turn up any boot virus nor Tidserv in its scans however it found nine others where Norton did not.

Under /mnt/sda2/Users/MajBoothroyd/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/ the following was identified.

/22/76b61fd6-632d83a9_1297128311.arl:/vmain.class Trojan horse Exploit_c.KNA
/22/76b61fd6-632d83a9_1297128311.arl Trojan horse Exploit_c.KNA
/48/472eb3f0-3a760436_1297128311.arl:/vmain.class Trojan horse Exploit_c.KNA
/53/66f20c75-7d6c6516_1297128311.arl::/vmain.class Trojan horse Exploit_c.KNA
/48/472eb3f0-3a760436_1297128311.arl Trojan horse Exploit_c.KNA
/53/66f20c75-7d6c6516_1297128311.arl Trojan horse Exploit_c.KNA

- - - - - - - - - - - - - - - - -

It also found
/mnt/sda2/Users/MajBoothroyd/Downloads/Games/Chaoslauncher_zip_1297128311.arl:/APMAlert.bwl Trojan horse Downloader.Generic10.BVKI
/mnt/sda2/Users/MajBoothroyd/Downloads/Games/Chaoslauncher_zip_1297128311.arl Trojan horse Downloader.Generic10.BVK
It should be noted that ChaosLauncher is an extremely old, nay antiquated, application built years ago to force the original StarCraft game into a window. This was in part due to the lack of support for windowed mode with that old game but also to remedy major color corruption and screen resolution errors when running this game on current systems. For example the game doesn't know how to handle widescreen aspect ratios. ChaosLauncher has been known to turn up false positives, some AVs have cleared it. I had successfully and safely used this program since summer of 2010 for nostalgia purposes. In other words, it is my belief that this particular file can be ignored for this issue.

It should be noted that the files AVG found were renamed based upon advice in what I read. Also I noticed there were two I dunno mounts or partitions? That AVG was listing. I realize AVG runs on Linux, of which I have limited experience with, but what was peculiar to me is upon scanning both it appeared to be the same files and same drive. Should I be concerned?



So here's my question:
#1. Is it possible to return this computer to full functionality without significant loss of data?
#2. If it's not possible, is there risk in connecting the drive as a secondary (non-boot) drive to another system for file retrieval? (Yes the other system will have fully updated protections as well.)
#3. Assuming a fix is not possible, how does one go about returning the infected drive to a usable condition again? I recall years ago the use of something like format c: /u in order to destroy boot sector corruptions caused by Win98. I also recall specifically unpartitioning everything, formatting, then repartitioning and reformatting as a method of "cleaning" drives. Does any of this work?


Help me Obi-Wan, you're my only hope. :-\

Edited by MajBoothroyd, 08 February 2011 - 11:28 AM.



#2 ATGUNWAT

Posted 08 February 2011 - 02:28 PM

I can not give you any official advice here, but I suppose I can tell you about the experience I had with TDL4, which may be what you have.

The only thing that could detect it (at that time) was Kaspersky TDSSKiller.exe
I wasn't even going to try to clean it, but I had to save a clients data before wiping the drive.
It infected the machine I mounted the drive to immediately when I attempted to retrieve the data.
I ended up saving the data to an external usb hdd, and cleaning the data from a PE rescue disk, (on a usb flash drive) then overwriting the entire hard drive before reinstalling and moving the client data back to that drive.
(I didn't even trust my flash drive after that) It was the worst infection I have ever had to deal with.
(except maybe that Rustock thing, but that was 3 years ago, and no good tools around at that time)

Anyway...

If you try to retrieve the data from within windows, do yourself a favor, disable autorun of removable media, and maybe even temporarily stop the plug-n-play service, BEFORE connecting the device.

No reason 2 of us should look like this. :crazy:

ATGUNWAT B)

Edited by ATGUNWAT, 08 February 2011 - 02:34 PM.
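The precaution in the reply above (disable autorun before attaching a suspect drive to a clean machine) can be applied and verified with the documented Windows policy values rather than by hand. The script below is an added example written for this thread; it is not from either poster. The registry paths and value names (NoDriveTypeAutoRun, DisableAutoplay) are the standard Windows ones; everything else about the recovery host is assumed. Run it from an elevated PowerShell on the clean recovery machine before plugging in the infected disk.

```powershell
# Added example (not from the thread): harden a recovery host before attaching a
# suspect drive. Registry locations below are the documented Windows policy values.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autoplayKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'

function Disable-AutorunForRecovery {
    # NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type (removable, fixed, network, CD)
    if (-not (Test-Path $explorerPolicy)) { New-Item -Path $explorerPolicy -Force | Out-Null }
    Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

    # DisableAutoplay = 1 suppresses the AutoPlay prompt for the current user
    if (-not (Test-Path $autoplayKey)) { New-Item -Path $autoplayKey -Force | Out-Null }
    Set-ItemProperty -Path $autoplayKey -Name 'DisableAutoplay' -Value 1 -Type DWord
}

function Test-AutorunDisabled {
    # Read both values back; a missing value returns $null and fails the check
    $policy   = (Get-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $autoplay = (Get-ItemProperty -Path $autoplayKey -Name 'DisableAutoplay' -ErrorAction SilentlyContinue).DisableAutoplay
    return (($policy -eq 0xFF) -and ($autoplay -eq 1))
}

Disable-AutorunForRecovery

if (Test-AutorunDisabled) {
    Write-Host 'AutoRun and AutoPlay are disabled; restart Explorer (or log off and on) before attaching the suspect drive.'
} else {
    Write-Warning 'Hardening did not apply; do not attach the drive yet.'
}

# Report the Plug and Play service state for reference. The reply suggests stopping it,
# but on Windows 7 and later this service normally cannot be stopped, so only show its status.
Get-Service -Name PlugPlay | Select-Object Name, Status
```

NoDriveTypeAutoRun is read by Explorer at start, so the change takes effect after Explorer is restarted or the user logs off and on. Disabling autorun only covers the autorun.inf path; the reply's broader point stands that an infected disk should be handled from a rescue environment rather than a normally booted Windows session where possible.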


#3 MajBoothroyd (Topic Starter)

Posted 08 February 2011 - 03:49 PM

Well that's a step in the right direction. I keep spare drives around just for this very purpose. This way I don't risk damage to another system I'm already invested in. (Whether it be pure clutter from needing a fresh install or virus risk.) Anywho, sounds like sound advice. I typically throw in a drive with a fully updated OS Anti-Virus and Firewall then disconnect the net and dive into retrieval, but I hadn't considered disabling those services. If possible, I would like to disable the preview pane on the left of windows explorer as well (specifically the service that generates that). So as to eliminate yet one more avenue of continuing the infection.

For the moment I won't connect the infected drive at all. But the data on there is far too difficult and expensive to reconstitute. Between life work and play, I'm just not able to keep up with backing up data as often as I should. It takes time and I just wanna do my thing and go to sleep before my day rushes by without me.

Thanks for the reply. :)

Edited by MajBoothroyd, 08 February 2011 - 03:49 PM.
