Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Infected with TDSS.exe and most likely a ton of other stuff. (BSOD @ Normal Win7 Login)

  • Please log in to reply
2 replies to this topic

#1 Infi


  • Members
  • 3 posts
  • Local time:09:08 PM

Posted 13 February 2011 - 06:47 AM

OS: Windows 7 Ultimate 64 Bit, Main Desktop PC for College with quite a lot of precious data.

Okay so, around about 3:30 PM GMT on Wednesday, I was browsing around on the TF2 Steam Forums using Google Chrome. After opening up an image linked by the forums I suddenly get a ton of "Anti Virus" program popups that I've never even heard of before. One of them I'm sure of being AntiMalware Doctor and possibly security suite. (Many popped up.) What doesn't help is that I never got to close my 3 browsers: Google Chrome, Safari and Mozilla Firefox to save the Histories/Multiple open Tabs/Sessions. I don't know if any of these tabs in the three browsers were redirected to a virus holding site, as it would have been hard to notice.

After these popups appeared, I was flung into a paniced state, I was about to ctrl + alt + delete to kill off the processes but before I could do this, the whole PC just locked up. With no choice availble, and knowing restarting would make things a hundred times worse, I still had to do it with no other option, waiting for a bit I got to the normal Windows 7 logon screens, hoping it wouldn't be as bad as I initially thought. Obviously I was too optimistic, logging on in normal mode works for as long as between the times of 30 seconds to instantlly BSODing with an error message involving: iastorv.sys. Things like "Page not equal" and such.

To post this currently, I'm on a latptop with Internet Access.
Infected PC Wise: I've been able to login using Safe Mode with Command Prompt using a different account, launching Explorer (not Internet Explorer) and then using this to manually backup individual files. I know these backups might become infected, but the problem I have is that I've yet to make a backup in quite a while, meaning I'd like to avoid losing any data if possible. Especially with the (hopefully) partially stored browser sessions if I can restore them. Additionally I cannot use any software like XMLDriveImage since this program/service cannot/doesn't operate within Safe Mode.

I use a setup of hard drives:
C: A single SSD disc with 6.58 GB free of 119GB capacity, which was in use/where Windows 7 is installed, when the infection happened.
D: A setup of 4 Hard drives in RAID 0+1, 1.24TB is free of 1.81TB
O: Empty External drive with 931 GB capacity which I'm using to manually backup files via copy and paste. (Can't think of a better method.) However this backup is FAR from reasurring, obviously the largest problem being the backups becoming infected, and secondly I cannot copy 600GB+ worth of data via Copy and Paste. Especially when dealing with files that are in use with Windows, like TMP, and system files etc.

I don't have any anti-virus installed, not that it's a plus, but at least it will prevent any conflicts between programs if I recieve help trying to solve this I guess.
What I've tried so far: Before coming to realize this would not be a quick fix at all, I searched around and tried burning TDSSKiller.exe to a disc, then running it. The good/bad news is, it picked up an entry. However trying to run other programs like RKill and Malware AntiBtyes (MBAM) instantly BSODs my PC with the same error message as the initial problem. As I said, I have no anti-virus currently running, so I'm kind of getting stuck with what to do next.

If I could get someone to help me with this, and to "hold my hand" through the guides so to speak, you wouldn't know how grateful I'd be. I've experienced mild viruses on old computers before, but never one which could cause a BSOD and damage like this. I also have approaching deadlines for assignments in the next few weeks, so trying to get my PC back to normal, as soon as possible is really important for me at the moment.

I really don't want to have to resort to losing data or even worse, reformating due to the lack of a backup, I know it's my fault, but I really don't want to perform any risky procedures which could kill off my data. Hence why I'm asking the pros.

Edited by Infi, 13 February 2011 - 10:30 AM.

BC AdBot (Login to Remove)


#2 Infi

  • Topic Starter

  • Members
  • 3 posts
  • Local time:09:08 PM

Posted 16 February 2011 - 08:34 AM

So not to be rude or anything, but how can I find out if I'm still infected? I've done most of the work myself it seems, not being able to get any help from either TechSupportGuy or these forums, which is kind of diapointing.

I've used TDSSKiller to remove the tdl4 infection, along with using it in cmd prompt mode to remove the TDSS file system from my Hard Disk. I've been able to get into normal mode and my normal account now. I've run MBAM, Super Anti Spyware and Avira anti Virus all together and removed quite a lot of infections from both normal files, system files like registary entries and such. However these programs aren't fully updated with no Internet access. I need to start using my PC again and I'm considering trying my luck with reconnecting my Internet cable because this is taking so long. I've installed Comodo Firewall, but I can't install BitDefender Total Security Suite without an active internet connection.

Please can someone tell me the best way to find out if I've got any more infections and if it's safe to recconnect to the Internet and begin using my computer as normal again.

Edited by Infi, 16 February 2011 - 08:39 AM.

#3 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,769 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:08 PM

Posted 16 February 2011 - 10:12 AM

Please post the complete results of your TDSSkiller scan for review.

After running TDSSkiller, a log file named TDSSKiller_version_date_time_log.txt will have been created and saved to the root directory (usually Local Disk C:). Open that file in notepad, then copy and paste the contents in your next reply.

If you encounter any problems updating Malwarebytes through the program's interface (preferable method or cannot use the Internet or download any files to the infected machine, then try manually downloading the latest database definitions from one of the following locations (they may not be the most current):Download mbam-rules from another computer (family member, friend, library, etc), save to a USB stick or CD, transfer the file to the infected machine and double-click on it to install the update. If you cannot copy files to your usb drive, make sure it is not "Write Protected". Some flash drives have a switch on the side or on the back as shown here which could have accidentally been moved to write protect.

Then perform a Quick Scan in normal mode and check all items found for removal. Don't forgot to reboot afterwards. Failure to reboot normally will prevent Malwarebytes' from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

You can also manually download the definitions for SuperAntispyware from here, save them to the same USB stick and transfer to the infected machine. Just double-click on SASDEFINITIONS.EXE to install the update, then perform a new scan.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users