
Rootkit virus (tidserv?)


  • This topic is locked
33 replies to this topic

#1 George7426 (Members, 71 posts)

Posted 01 January 2012 - 01:53 PM

Have following issue

Dell Dimension E510, WinXP Media Center
System drives: 2x 160GB, Mirrored (Raid1)

Hard removed both drives and scanned them as slaves on a clean computer running Norton Internet Security. Found Boot.Tidserv and removed it. A full scan of the drive found four other items, which were removed. On reinstalling, had a problem with HAL.DLL. Used the Dell Win CD to boot to Recovery and reinstalled HAL.DLL to the System32 folder. Successfully booted to the Safe Mode desktop. After some system activity, it indicated a new hardware installation and requested a restart. Thinking it might be tied to the Raid1 drivers, the system was restarted and stopped at BSOD Stop 7B. System is now not bootable.


#2 gringo_pr, Bleepin Gringo (Malware Response Team, 136,772 posts, Puerto Rico)

Posted 01 January 2012 - 02:02 PM

Hello George


When did the computer become unbootable??

let me know any tools you have run before this happened.


I want you to press f10 at start-up and let me know what you see


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 George7426, Topic Starter (Members, 71 posts)

Posted 01 January 2012 - 02:12 PM

Gr, hang on a minute

#4 gringo_pr, Bleepin Gringo (Malware Response Team, 136,772 posts, Puerto Rico)

Posted 01 January 2012 - 02:12 PM

:thumbup2:

#5 George7426, Topic Starter (Members, 71 posts)

Posted 01 January 2012 - 02:17 PM

F10 just reboots the system. F2 is Setup and F12 is the Boot Menu.

#6 George7426, Topic Starter (Members, 71 posts)

Posted 01 January 2012 - 02:20 PM

The machine was unbootable; it would freeze at the Raid screen after POST. I removed the HDs and the CMOS battery, and pushed the "ON" button for 30 sec to clear. After reinstalling the CMOS battery and checking the CMOS settings I was able to boot to Safe Mode. From there, my description above applies.

#7 gringo_pr, Bleepin Gringo (Malware Response Team, 136,772 posts, Puerto Rico)

Posted 01 January 2012 - 02:47 PM

ok run these in safe mode and let me have the reports


DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK

Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply


#8 George7426, Topic Starter (Members, 71 posts)

Posted 01 January 2012 - 03:07 PM

As indicated, I was stuck on BSOD 7B trying to boot. I had removed one of the mirrored HDs to copy off some data; Norton cleaned the Boot.tidserv, which had returned after my previous removal. After putting the HD back in the computer, it booted to a "Hal.DLL missing or corrupt" message. So, I went to the Win CD and restored Hal.DLL to the system32 folder. Now, reboot shows that the file NTFS.sys in the system32\drivers folder is missing or corrupt, and recommends repairing from the Win CD. Shall I try this?

#9 gringo_pr, Bleepin Gringo (Malware Response Team, 136,772 posts, Puerto Rico)

Posted 01 January 2012 - 03:45 PM

Burn recovery console cd

  • Download recovery_console_cd.zip file to your drive and extract it to its own folder (c:\recoverycd for example).
  • Download floppy disk setup package xp Pro for your operating system (XP Pro) and save it to the folder you extracted the zip to.
  • Rename the floppy disk setup package to Bootdisk.exe.
  • Insert a blank cd into your burner.
  • Double-click the RecoveryCD.bat file and follow the prompts to burn a cd that will allow you to boot to the recovery console.

Boot into recovery console

  • insert the cd that we made into cd player
  • restart the computer
  • screen will say "Windows set up" just wait
  • at the welcome screen press "R"
  • type 1 to enter c:\windows
  • type in the following and press enter
  • fixmbr

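The steps above end with fixmbr, which rewrites the boot code in the first sector of the disk, the same sector an MBR bootkit such as Boot.Tidserv modifies. As an added example that is not part of this thread and not code from any tool mentioned in it, the Python below parses a raw 512-byte MBR, validates the 0x55AA signature and the four partition entries, and compares a SHA-256 of the boot code (bytes 0 to 439) against a baseline recorded after a known-good repair. Keeping such a baseline is one way to notice when the boot code has been rewritten again, which is what the poster saw when Boot.Tidserv returned after an earlier cleanup. The sample sector, its disk signature value and the partition layout are constructed here for illustration; nothing is read from a real disk.

```python
"""Sanity checks on a raw 512-byte MBR sector (added example, not from the thread).

The sample sectors below are constructed test data, not images of a real disk.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439: the boot code that fixmbr rewrites
PART_TABLE_OFF = 446          # four 16-byte partition entries at 446..509
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Return boot-code hash, disk signature and non-empty partition entries; raise on malformed input."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature at offset 510")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # empty slot
        entries.append({"index": i, "status": status, "active": status == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": entries,
    }


def check_mbr(sector: bytes, baseline_boot_hash: str) -> list:
    """Return a list of findings; an empty list means the sector passed every check."""
    try:
        info = parse_mbr(sector)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from the recorded baseline (rewritten since fixmbr?)")
    if sum(1 for p in info["partitions"] if p["active"]) > 1:
        findings.append("more than one partition flagged active")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
    # Partition ranges must not overlap each other.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"])
                   for p in info["partitions"])
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"entries {i1} and {i2} overlap")
    return findings


def build_sector(boot_code: bytes, partitions) -> bytes:
    """Assemble a constructed MBR from boot code and (status, type, lba_start, sectors) tuples."""
    assert len(boot_code) == BOOT_CODE_LEN
    table = b"".join(struct.pack("<B3xB3xII", *entry) for entry in partitions)
    table = table.ljust(64, b"\x00")
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"  # constructed disk signature value
    return boot_code + disk_sig + table + BOOT_SIGNATURE


# Constructed "known good" sector: placeholder boot code plus one active NTFS (type 0x07) partition
# sized like the 160 GB drives in the thread.
CLEAN_BOOT_CODE = bytes(range(256)) + bytes(range(BOOT_CODE_LEN - 256))
CLEAN_MBR = build_sector(CLEAN_BOOT_CODE, [(0x80, 0x07, 63, 312_500_000)])
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]  # record this right after the repair

# Same partition table, but the start of the boot code replaced, as a rewritten MBR would show.
TAMPERED_MBR = build_sector(b"\x90" * 16 + CLEAN_BOOT_CODE[16:], [(0x80, 0x07, 63, 312_500_000)])

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE_HASH))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_HASH))
```

To use this against a real machine, read the first 512 bytes of the physical disk right after the repair (on Windows, opening the device `\\.\PhysicalDrive0` in binary mode requires administrator rights), store the returned `boot_code_sha256`, and re-run `check_mbr` on later reads; a non-empty findings list is the cue to investigate before trusting the next boot. The hash covers only bytes 0 to 439 because the disk signature and partition table that follow may legitimately change when disks or partitions are added.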

#10 George7426, Topic Starter (Members, 71 posts)

Posted 01 January 2012 - 04:39 PM

Had to call an audible. The BootDisk created did not see the Raid1 drives. It could be that the Dell WinXP Setup CD has some critical Raid drivers.

In any event, I used the Dell WinXP Setup CD to do the same thing. Started the recovery console and ran Fixmbr; the message indicated the new MBR was written successfully.

#11 George7426, Topic Starter (Members, 71 posts)

Posted 01 January 2012 - 04:51 PM

GR, restarted to see if I could get to Safe Boot, and got the previously described BSOD Stop 0x7B

#12 gringo_pr, Bleepin Gringo (Malware Response Team, 136,772 posts, Puerto Rico)

Posted 01 January 2012 - 04:55 PM

Hello

When booting into the Safe Mode menu, have you tried the last known configuration that worked?




gringo

#13 George7426, Topic Starter (Members, 71 posts)

Posted 01 January 2012 - 04:59 PM

yes, screen just goes black

#14 George7426, Topic Starter (Members, 71 posts)

Posted 01 January 2012 - 05:01 PM

For what it's worth, here is a thread that seemed to address this issue:

http://www.geekstogo.com/forum/topic/290240-blue-screen/

#15 gringo_pr, Bleepin Gringo (Malware Response Team, 136,772 posts, Puerto Rico)

Posted 01 January 2012 - 05:19 PM

Hello


They did what I told you to do and that was to fix the MBR


you didn't answer my question about what tools you used to cause the computer not to boot


gringo



