
RloaderB or BOO.Tdss virus has disabled computer


14 replies to this topic

#1 rstocum

Posted 10 October 2011 - 09:54 AM

A couple of years ago, a gentleman named Schrauber helped very much to clear a virus from the same home computer I am currently having trouble with. I hope my computer can be saved this time as well. I am running Windows XP Professional - service pack 2.
This virus arrived with a malware attack about a month ago. I have cleaned out several malware attempts on my computer in the last year, so I was confident about fighting it. Perhaps I was overconfident.
My computer was still not behaving right after using Malwarebytes to clean out the malware. I got several site redirects when trying to use the internet, and the computer would not shut down when I tried to shut down normally.
I downloaded two free antivirus programs from the internet at work and took them home to load on my home computer. These programs are Avira, and Avast! Avira did not take care of the problem. Avast! was doing a great job, but when I clicked the button to remove the viruses it had detected, the computer locked up right after Avast! warned that the virus was reacting to the attempt to erase.
I restarted the computer using the Recovery Module and erased the first file Avast! said was infected. The second file was said to not be found. I assumed (hoped) that Avast! had been successful in erasing it. I restarted the computer and got a blue screen of death (sort of).
Avast! identified the virus as the RloaderB virus. Avira had told me the virus was BOO.Tdss.
Avast! said the infection was in the following places:
MBR:\\.\Physical Drive 0
C:\Windows\System32\Drivers\acpi.sys – this is the file I deleted using the Recovery Module.
C:\Windows\System32\Drivers\c_7265240.nls
The blue screen of death said the following:
A problem has been detected. Windows has been shut down to prevent damage to your computer. Run CHKDSK /F to verify whether there is any damage to your hard drive.
Technical information: STOP: 0x0000007B (0xBA4C7524, 0xC0000034, 0x00000000, 0x00000000)
I ran CHKDSK /F from the command prompt in Safe Mode. It said my hard drive is OK. I got the same blue screen of death when I rebooted after that.
I can try to reinstall Windows XP, or upgrade to Vista. Why don’t I think this is a good idea? I cannot currently boot up to Windows at all. Can anyone help with this one?

Richard Stocum

Edited by hamluis, 10 October 2011 - 12:01 PM.
Moved from XP to Am I Infected.



#2 Broni

Posted 10 October 2011 - 05:20 PM

You don't need to boot to Windows to reinstall. You boot from the Windows CD/DVD.
If you would still rather clean your computer, I can report this topic to the appropriate malware helpers.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 rstocum

Posted 11 October 2011 - 08:27 AM

Please, do report it to the proper people. I would prefer to clean before reinstalling. My concern is that the virus is still there, and will reassert itself during the reinstall.

Thank You

#4 Broni

Posted 11 October 2011 - 08:31 AM

Done.
Hold on there.



#5 Allen

Posted 11 October 2011 - 08:46 AM

Sounds like something that happened to my computer once, except there was no BSOD and it wouldn't even get past the loading bar.
Hey everyone I'm Allen I am a young web developer/designer/programmer I also help people with computer issues including hardware problems, malware/viruses infections and software conflicts. I am a kind and easy to get along with person so if you need help feel free to ask.

#6 JSntgRvr

Posted 11 October 2011 - 11:10 AM

Hi,

Let's give it a try.

We will need to view the system status from an external environment. You will need a USB drive and a CD to burn. There will be several steps to follow.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Also Download Query.exe to the USB drive. In your working computer, navigate to the USB drive and click on the Query.exe. A folder and a file, query.sh, will be extracted.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • In some computers you need to tap F12 and choose to boot from the CD; in others it is the Esc key. Please consult your computer's documentation.
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Then type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    Winlogon.exe

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    volsnap.sys

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    explorer.exe

  • Press Enter
  • After it has completed the search enter the next file to be searched
  • Type the following:

    acpi.sys

  • Press Enter
  • After it has completed the search enter the next file to be searched
  • Type the following:

    Userinit.exe

  • Press Enter
  • After the search is completed type Exit and press Enter.
  • After it has finished a report will be located in the USB drive as filefind.txt
  • While still in the Open Terminal, type bash query.sh
  • Press Enter
  • After it has finished a report will be located in the USB drive as RegReport.txt
  • Then type dd if=/dev/sda of=mbr.bin bs=512 count=1


    Leave a space between the following statements:

    dd is the executable application used to create the backup
    if=/dev/sda is the device the backup is created from - the hard drive when only one HDD exists
    of=mbr.bin is the backup file to create - note the lack of a path - it will be created in the directory currently open in the Terminal
    bs=512 is the number of bytes in the backup
    count=1 says to backup just 1 sector


    It is extremely important that the if and of statements are correctly entered.

  • Press Enter
  • After it has finished a report will be located in the USB drive as mbr.bin
  • Plug the USB back into the clean computer, zip the mbr.bin, and except for the mbr.bin zipped file, post the contents of the report.txt, filefind.txt and RegReport.txt in your next reply. The mbr.bin zipped file must be attached to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
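As an added example (not part of the thread and not code from any tool mentioned in it), a small Python script that inspects a 512-byte mbr.bin like the one the dd step above saves: it checks the 0x55AA boot signature, lists the partition table, hashes the 446-byte boot-code region, and diffs that region against a known-good MBR taken from a clean machine. The two sample sectors are constructed inline so it runs offline; the partition layout and boot bytes are illustrative, not a real Windows MBR.

```python
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446      # 446 bytes of boot code, then 4 x 16-byte partition entries
SIGNATURE_OFFSET = 510       # last two bytes of the sector must be 0x55 0xAA
ENTRY_FMT = "<B3xB3xII"      # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
# Partition type bytes common on an XP-era disk; anything else is shown as hex.
PART_TYPES = {0x00: "empty", 0x05: "extended", 0x07: "NTFS/HPFS",
              0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x0F: "extended LBA"}

# Constructed boot-code regions (not real Windows MBR code) so the script runs offline.
CLEAN_BOOT = b"constructed clean boot code".ljust(64, b"\x90")
TAMPERED_BOOT = b"constructed altered boot code".ljust(64, b"\x90")


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed 512-byte MBR: given boot code, one bootable NTFS partition at LBA 63."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFFSET, 0x80, 0x07, 63, 156296322)
    sector[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Parse one sector as a classic MBR: signature check, boot-code hash, partition entries."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes (dd bs=512 count=1), got {len(sector)}")
    boot_code = sector[:PART_TABLE_OFFSET]
    parts = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, f"0x{ptype:02X}"),
                      "lba_start": lba_start, "sectors": count})
    return {"signature_ok": sector[SIGNATURE_OFFSET:] == b"\x55\xaa",
            "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
            "partitions": parts}


def compare_boot_code(sector: bytes, reference: bytes) -> dict:
    """Diff only the boot-code region; partition tables legitimately differ between machines."""
    diffs = [i for i in range(PART_TABLE_OFFSET) if sector[i] != reference[i]]
    return {"differing_bytes": len(diffs), "first_offset": diffs[0] if diffs else None}


if __name__ == "__main__":
    # With a real backup: suspect = open("mbr.bin", "rb").read()
    suspect, reference = build_sample_mbr(TAMPERED_BOOT), build_sample_mbr(CLEAN_BOOT)
    info = parse_mbr(suspect)
    print("signature ok:", info["signature_ok"], " boot code sha256:", info["boot_code_sha256"])
    for p in info["partitions"]:
        if p["type"]:
            print(f"  entry {p['index']}: {p['type_name']} start={p['lba_start']} "
                  f"sectors={p['sectors']} bootable={p['bootable']}")
    print("boot code vs reference:", compare_boot_code(suspect, reference))
```

A non-zero difference count against a clean reference, or a boot-code hash that does not match the known-good copy, is what a helper would look for in the zipped mbr.bin before deciding to rewrite the MBR code.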


#7 rstocum

Posted 13 October 2011 - 12:40 PM

Thank You,

I will get a writable CD this afternoon, and start following these instructions.

#8 JSntgRvr

Posted 13 October 2011 - 01:03 PM

:thumbup2:



#9 rstocum

Posted 17 October 2011 - 08:36 AM

Attached are the reports specified. At first the USB port did not appear, but after I went out of the file folder and went back in, it did appear as sdb1. Please let me know what I can do next.

Thank You

Attached Files



#10 JSntgRvr

Posted 17 October 2011 - 11:22 AM

  • Download NTBR_CD by noahdfear.
  • Extract its contents to the desktop.
  • Once extracted, open the NTBR_CD folder and click on the BurnItCD application.
  • Insert a blank CD when prompted. The .iso image will be burned to the CD.
  • Boot the computer with the CD you just burned and follow the prompts.
  • Press Enter for English.
  • At the menu type 1 to select MBRWORK then hit Enter

    This screen will show the hard drive configuration.
  • Type 5 to Install standard MBR code then hit Enter
  • Type 1 to select Standard then hit Enter
  • Type Y then hit Enter to confirm
  • Type E then hit Enter to exit
  • Back at the menu, type 6 to Quit.
  • Press Ctrl+Alt+Del to restart the machine.
  • Eject the CD upon restart and boot normally.

If able to boot, run Combofix as follows:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If any of these applications will not uninstall, it is first recommended to uninstall it with AppRemover by Opswat. http://www.appremover.com/supported-applications. Do not use AppRemover on Norton

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt".
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.



#11 rstocum

Posted 26 October 2011 - 08:14 AM

I was not able to boot using the above CD and instructions. Is there another option? Can I copy combofix and run it from my C: drive using the command prompt? Can I use the xPUD boot option to copy combofix and run it?

#12 JSntgRvr

Posted 26 October 2011 - 11:06 AM

Please download ARCDC from Artellos.com.
  • Double click ARCDC.exe
  • Follow the dialog until you see 6 options. Please pick: Windows Professional SP2 & SP3
  • You will be prompted with a Terms of Use by Microsoft, please accept.
  • You will see a few dos screens flash by, this is normal.
  • Next you will be able to choose to add extra files. Select the Default Files.
  • The last window will allow you to burn the disk using BurnCDCC

Your ISO is located on your desktop.

Once you have burned the CD, boot the ailing computer with it and reach the Recovery Console prompt. At the prompt type the following and press Enter:

Fixmbr

Confirm the writing of the MBR, then type Exit and press Enter to restart the computer. Let it start normally.


If able to boot normally, run Combofix as suggested. Combofix must be run while in Windows.



#13 rstocum

Posted 28 October 2011 - 07:37 AM

This one didn't work either. The attempt to boot ended in the same blue screen of death. There was no Recovery Console prompt.

#14 JSntgRvr

Posted 28 October 2011 - 09:07 AM

The main issue is that the Master boot record is infected.

  • Download xPUDtestdisk.exe and save it to the USB device on a clean computer.
  • In the working computer, double click xPUDtestdisk.exe to extract the contents in your USB device
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer with the xPUD CD
  • Follow the prompts
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type testdisk/testdisk_static
  • Press Enter
The first screen will present log options - press Enter to continue.


TestDisk will scan the system and show drive information.
If more than 1 drive, select the correct drive, make sure [Proceed] is selected then press Enter to continue.


Select [Intel] partition and press Enter to continue.


Select [MBR Code] and press Enter to continue.


Type Y when prompted to write a new mbr code to the first sector, then confirm at the next screen by typing Y again.


Press Q repeatedly until TestDisk exits then reboot.

If able to boot in Normal Mode, run Combofix as suggested.



#15 JSntgRvr

Posted 10 November 2011 - 05:32 PM

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks
