
Windows 7 won't boot after tdss removal


  • This topic is locked
17 replies to this topic

#1 karatekim39

karatekim39

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:34 AM

Posted 27 December 2011 - 08:48 PM

Hi all,

New to community and I am having an issue with a Windows 7 laptop. The laptop was infected with Antispyware 2012 so I followed the instructions via this link http://www.bleepingcomputer.com/virus-removal/remove-win-7-antispyware-2012

Which also led me to run the TDSS removal http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller and it did find Rootkit.Boot.SST.b and I selected to "cure" on restart; however, when I performed the restart I see the Windows 7 splash screen for a few seconds, a quick flash of a BSOD, then I loop through the reboot sequence. I have tried the standard fixes in that I have run the repair and I have tried to restore to a previous point, and I am still unable to get the laptop booting.

Could I get some assistance to help me resolve this issue? Prior to running the TDSS I was at least booting even though it was infected with the Antispyware 2012. I have attached the TDSS log and a log of the FRST results.

Thanks,

Edited by hamluis, 27 December 2011 - 09:11 PM.
Moved from Win 7 to Am I Infected.




#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:34 AM

Posted 27 December 2011 - 11:15 PM

:welcome:

Let's give it a try. You will need a USB (Flash) pendrive.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 karatekim39


Posted 28 December 2011 - 01:00 PM

Thanks for the reply, I have attached the requested file. I also wanted to add that I did try and perform a bootrec /fixmbr, which came back quickly and successful; however, upon reboot it still fails with a BSOD. I am also unable to boot into Safe Mode at this time either.

What next?

#4 JSntgRvr


Posted 28 December 2011 - 02:01 PM

FRST is unable to see the OS. I will run a command to remove the hidden attributes in your files and folders caused by the infection, then CHKDSK on C:. The fix should take a while. (an hour or so)

Download the enclosed file.

Save it in the USB drive and insert it in the ailing computer.

Run FRST as you did before. This time around click on the fix button and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

After finished, click on the Scan button and post the new (FRST.txt) log.



#5 karatekim39


Posted 28 December 2011 - 02:14 PM

Thanks,

Edited by karatekim39, 28 December 2011 - 02:26 PM.


#6 karatekim39


Posted 28 December 2011 - 09:12 PM

I started the steps mentioned above, however the FRST "fix" has been running for 4 hours? Not sure if I should let it go or stop and restart? Please advise.

Thanks,

#7 karatekim39


Posted 28 December 2011 - 10:01 PM

Well I checked the fixlog and it looked to be stuck on the checkdisk, so I closed the frst "fix". I have attached the log, it was too big as a single file so I split it.

#8 karatekim39


Posted 28 December 2011 - 10:08 PM

Second file... it won't let me upload the total file because of the limit, so I had to cut it down...

Here is the result of the chkdsk




========= CHKDSK C: /r =========

The type of the file system is NTFS.

Chkdsk cannot run because the volume is in use by another
process. Chkdsk may run if this volume is dismounted first.
ALL OPENED HANDLES TO THIS VOLUME WOULD THEN BE INVALID.
Would you like to force a dismount on this volume? (Y/N)

#9 JSntgRvr


Posted 29 December 2011 - 12:36 AM

We can go back to CHKDSK later. Let's take a look at the Boot Configuration.

Download the enclosed file.

Save it in the USB drive, overwriting the previous one, and insert it in the ailing computer.

Run FRST as you did before. This time around click on the fix button and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

After finished, click on the Scan button and post the new (FRST.txt) log also.



#10 karatekim39


Posted 29 December 2011 - 06:34 AM

Attached are the files generated by FRST fix and scan.




#11 JSntgRvr


Posted 29 December 2011 - 11:24 AM

Let's try this fix:

Download the enclosed file.

Save it in the USB drive, overwriting the previous one, and insert it in the ailing computer.

Run FRST as you did before. This time around click on the fix button and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Attempt to boot in Normal Mode. If able to do so, run Combofix as follows:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If any of these applications will not uninstall, it is first recommended to uninstall it with AppRemover by Opswat. http://www.appremover.com/supported-applications. Do not use AppRemover on Norton

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.



#12 karatekim39


Posted 29 December 2011 - 12:19 PM

After running the fix I was able to boot normally to the desktop, then I downloaded and ran ComboFix. I have attached the files here, and it looks pretty good on my end!! I will be rebooting and testing, but please let me know if the logs give you any other details of something I may need to complete.

Again thanks very much for your help!!! :clapping:




#13 JSntgRvr


Posted 29 December 2011 - 01:04 PM

Update and launch Malwarebytes.

  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Let's try ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista or Windows 7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • First please Disable any Antivirus you have active, as shown in This topic.
  • Note: Don't forget to re-enable it after the scan.
  • Next hold down Control then click on the following link to open a new window to ESET Online Scanner.
  • Select the option YES, I accept the Terms of Use then click on Start.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.

  • All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    Scan for potentially unwanted applications
    Scan for potentially unsafe applications
    Enable Anti-Stealth Technology

  • Now click on Start.
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on Finish.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Edited by JSntgRvr, 29 December 2011 - 01:04 PM.



#14 karatekim39


Posted 29 December 2011 - 02:51 PM

Files requested attached.




#15 JSntgRvr


Posted 30 December 2011 - 02:04 AM

Clear the Java cache.

How is the computer doing?





