Infected with System Restore, TDSS - now comp won't reboot!


  • This topic is locked
53 replies to this topic

#1 veritasargent (Members, 32 posts)

Posted 17 November 2011 - 05:58 PM

Hello,

Somehow I became infected with the System Restore malware, and the TDSS rootkit. Before posting on here, I went through the preparation guide and the self-help guides. I removed the System Restore thing with no problems, using RKill and Malwarebytes. Still frustrated with the Google redirect problem, I downloaded TDSSkiller and ran it. The scan was successful, and it seemed to find the issue. Once it was complete and I chose to reboot the system, the real headache started. The computer will not reboot. There is some sort of blue screen error message while trying to start up, but it disappears too fast to read it. The startup repair tool did not work, and I have tried multiple system restores that all failed as well. So now I am stuck with a computer that will not start. (Obviously I am using a friend's comp at the moment). It wouldn't be the end of the world if I have to reinstall Windows from scratch, but I will lose some pics and files that I'd prefer to keep.

I run Windows 7, by the way, and I do not have any kind of reboot disc.

Help please! Many thanks for your assistance!
To see a world in a grain of sand... -William Blake


#2 Elise (Malware Study Hall Admin, 61,597 posts)

Posted 18 November 2011 - 03:20 AM

Hello, first of all let's have a look at the BSOD code.

We Need to Diagnose Your BlueScreen
  • When you boot your machine, press F8 to list the startup options, exactly as you would if you were trying to enter Safe Mode.
  • Select "Disable Automatic Restart on System Failure", as shown here: [image not preserved]
  • When your system BSODs, write down the STOP error code, as well as any written-out error message, and post them back here. The STOP error will always appear, but the message may not. You are looking for this: [image not preserved]
Please post me the error(s).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

Malware analyst @ Emsisoft


#3 veritasargent (Topic Starter)

Posted 18 November 2011 - 05:50 PM

Thank you for your quick response!

There was nothing in the top part of the BSOD. In the bottom:

Technical Information:

***STOP: 0x0000007B (0xFFFFF880009A9928, 0xFFFFFFFFC000000D, 0x0000000000000000, 0x0000000000000000)

Nothing else on the screen other than the standard text.

Edited by veritasargent, 18 November 2011 - 05:51 PM.


#4 Elise (Malware Study Hall Admin)

Posted 19 November 2011 - 02:33 AM

When the advanced boot menu comes up, do you see the option Repair Windows? If so, does it load the Recovery Environment when you access it?
If it loads, do a Startup Repair and let me know if that resolves the issue.

regards, Elise




#5 veritasargent (Topic Starter)

Posted 19 November 2011 - 10:31 AM

I think I've already tried this, but when I go home (at work now) I will try it again and let you know.

#6 Elise (Malware Study Hall Admin)

Posted 19 November 2011 - 11:45 AM

Okay, if the startup repair doesn't work, please let me know if you can enter the command prompt.

regards, Elise




#7 veritasargent (Topic Starter)

Posted 19 November 2011 - 02:31 PM

Okay, I selected Repair Your Computer, and it loaded the System Recovery Options menu fine. Chose Startup Repair, it "cannot repair this computer automatically".

Under 'Problem Details' it lists:

Problem signature:
Problem Event Name: StartupRepairOffline
Problem Signature 01: 6.1.7600.16385
Problem Signature 02: 6.1.7600.16385
Problem Signature 03: unknown
Problem Signature 04: 21200572
Problem Signature 05: AutoFailover
Problem Signature 06: 6
Problem Signature 07: NoRootCause
OS Version: 6.1.7600.2.0.0.256.1
Locale ID: 1033



I can access the command prompt.

#8 Elise (Malware Study Hall Admin)

Posted 19 November 2011 - 02:46 PM

Do you remember what TDSSkiller removed? If not, at the command prompt, type notepad and press enter.
Click File > Open, and navigate to c:\tdsskiller<timestamp>.txt

Look at the end of the log and give me the name and infected object.

regards, Elise




#9 veritasargent (Topic Starter)

Posted 19 November 2011 - 02:53 PM

Let's see...

===================
Scan finished
===================
Detected object count: 1
Actual detected object count: 1
\Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - will be cured on reboot
\Device\Harddisk0\DR0 - ok
\Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - user select action: Cure
Deinitialize success



Is this what you needed?

#10 Elise (Malware Study Hall Admin)

Posted 19 November 2011 - 03:20 PM

Yes, that is it! :)
At the command prompt, type the following lines and press enter after each one of them:

c:

bootrec /fixmbr


Now restart your computer and let me know if it loads normally now.

regards, Elise


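Some background on what the two commands above actually touch, followed by an added example that is not part of this thread and is not code from Elise, BleepingComputer or TDSSKiller. STOP 0x0000007B is INACCESSIBLE_BOOT_DEVICE; its second parameter, 0xC000000D, is STATUS_INVALID_PARAMETER. The TDSSKiller log shows the cure was applied to \Device\Harddisk0\DR0, i.e. the raw physical disk, which is where the MBR lives. bootrec /fixmbr, per Microsoft's documentation, rewrites only the boot-code portion of the MBR and deliberately leaves the partition table alone, so if a bootkit cure left the partition table or the active flag in a bad state, /fixmbr reports success and changes nothing that matters. The script below reads a 512-byte MBR sector and reports the checks a practitioner would want before and after /fixmbr: the 0x55AA boot signature, a non-zero boot-code area, exactly one active partition, sane status bytes, expected partition types, no entry starting at LBA 0, and no overlapping entries. The two sample sectors are constructed for the example (a typical Windows 7 layout and a damaged variant); the partition-type table is a small illustrative assumption, not an authoritative list.

```python
"""Sanity-check a 512-byte MBR sector (boot signature, boot code, partition
table). Added example; the sample sectors below are constructed, not taken
from the disk discussed in the thread."""
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"

# Assumption: a small, non-exhaustive set of partition type IDs you expect on
# a Windows 7 BIOS/MBR disk. Anything else is flagged for a human to review.
EXPECTED_TYPES = {
    0x05: "extended (CHS)",
    0x07: "NTFS / exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)",
    0x27: "hidden NTFS (Windows RE)",
}


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition entry; LBA fields are little-endian."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry
    )
    return {
        "status": status,
        "active": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
        "empty": ptype == 0 and sectors == 0,
    }


def check_mbr(sector: bytes) -> dict:
    """Return the parsed partitions plus a list of findings (healthy == none)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    findings = []

    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    # bootrec /fixmbr rewrites only this region; the table below is left alone.
    if not any(sector[:PART_TABLE_OFFSET]):
        findings.append("boot code area is all zeros")

    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        parts.append(parse_partition_entry(sector[off:off + PART_ENTRY_SIZE]))

    active = [i for i, p in enumerate(parts) if p["active"]]
    if not active:
        findings.append("no active partition")
    elif len(active) > 1:
        findings.append(f"multiple active partitions: {active}")

    used = []
    for i, p in enumerate(parts):
        if p["empty"]:
            continue
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{p['status']:02x}")
        if p["lba_start"] == 0:
            findings.append(f"entry {i}: starts at LBA 0 (overlaps the MBR)")
        if p["type"] not in EXPECTED_TYPES:
            findings.append(f"entry {i}: unexpected partition type 0x{p['type']:02x}")
        used.append((p["lba_start"], p["lba_start"] + p["sectors"], i))
    used.sort()
    for (_s1, e1, i1), (s2, _e2, i2) in zip(used, used[1:]):
        if s2 < e1:
            findings.append(f"entries {i1} and {i2} overlap")

    return {"partitions": parts, "findings": findings, "healthy": not findings}


def build_mbr(boot_code: bytes, entries, signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Assemble a test sector from (status, type, lba_start, sectors) tuples."""
    table = b"".join(
        struct.pack("<B3sB3sII", st, b"\0\0\0", ty, b"\0\0\0", lba, n)
        for st, ty, lba, n in entries
    ).ljust(4 * PART_ENTRY_SIZE, b"\0")
    return boot_code.ljust(PART_TABLE_OFFSET, b"\0") + table + signature


def read_mbr(path: str) -> bytes:
    # First sector of a raw disk image, or (as Administrator on Windows) of a
    # physical disk opened by its device path such as \\.\PhysicalDrive0.
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


# Constructed: typical Windows 7 layout, a 100 MB active System Reserved
# partition at LBA 2048 followed by the OS volume. The boot-code bytes are the
# opening instructions of the stock Windows MBR (xor ax,ax / mov ss,ax /
# mov sp,7C00h), enough to make the boot-code area non-zero.
GOOD_MBR = build_mbr(
    b"\x33\xc0\x8e\xd0\xbc\x00\x7c",
    [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 104654848)],
)

# Constructed damage: active flag cleared on every entry and the 0x55AA
# signature gone, a state that /fixmbr alone will not repair.
BAD_MBR = build_mbr(
    b"\x33\xc0\x8e\xd0\xbc\x00\x7c",
    [(0x00, 0x07, 2048, 204800), (0x00, 0x07, 206848, 104654848)],
    signature=b"\0\0",
)

if __name__ == "__main__":
    for name, sec in (("good", GOOD_MBR), ("bad", BAD_MBR)):
        result = check_mbr(sec)
        print(name, "healthy" if result["healthy"] else result["findings"])
```

Run it against an image taken from the affected disk (dd, or a forensic imager) rather than the live disk where possible; reading the first sector does not alter anything, but working from an image keeps the evidence intact. A clean report from this script does not mean the machine will boot, since the VBR and the BCD are outside its scope, but a dirty report tells you that /fixmbr's "completed successfully" was not the whole story.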


#11 veritasargent (Topic Starter)

Posted 19 November 2011 - 03:24 PM

Nope. Same blue screen error and startup repair still doesn't fix it.

#12 Elise (Malware Study Hall Admin)

Posted 19 November 2011 - 04:25 PM

Did the bootrec /fixmbr give a success/completed message?

regards, Elise




#13 veritasargent (Topic Starter)

Posted 19 November 2011 - 04:57 PM

Yes, it says the operation completed successfully.

#14 Elise (Malware Study Hall Admin)

Posted 20 November 2011 - 03:18 AM

At the command prompt type the following:

c:

chkdsk /r


Note: chkdsk may take a long time to complete.

When done, see if your computer reboots normally.

regards, Elise




#15 veritasargent (Topic Starter)

Posted 20 November 2011 - 05:50 PM

Let's see. Upon trying this command, it responds:


The type of the file system is NTFS.
Cannot lock the current drive.

Chkdsk cannot run because the volume is in use by another process. Chkdsk may run if this volume is dismounted first. ALL OPENED HANDLES TO THIS VOLUME WOULD THEN BE INVALID. Would you like to force a dismount on this volume? (Y/N)



Shall I?