Rootkit virus (tidserv?)


  • This topic is locked
33 replies to this topic

#16 George7426

George7426
  • Topic Starter

  • Members
  • 71 posts

Posted 01 January 2012 - 05:22 PM

I was like that when I got it. It would POST, get to the built in Intel RAID screen and hang.


User got fooled into clicking on a popup that said her computer had viruses and needed to be scanned. I have put in a call to find out more details.


#17 George7426

Posted 01 January 2012 - 05:26 PM

Just a reminder, when I had the drives off the computer to check for access to data, my clean computer AV software picked up the Boot.Tidserv as soon as I plugged the infected HD into the USB (using a Drivewire universal HD adapter). Norton "removed" the infection but did not list the affected file name.

#18 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 01 January 2012 - 05:27 PM

Hello


Find out what they did right before it would not boot.


Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Remove the USB drive and CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert it back in your working computer and navigate to report.txt

    Please note - all text entries are case sensitive
Copy and paste the report.txt for my review
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#19 George7426

Posted 01 January 2012 - 06:06 PM

About 10 days ago, she opened an email attachment from her daughter's email (which she later learned had been compromised) which said it was providing info about some Adobe software. After opening the attachment, a popup appeared indicating System Fix needed to be run on her machine. She clicked on it, and let it run. It found 13 viruses and indicated it cleaned 6 of them, but that she would have to pay for the upgraded version of System Fix in order to remove the remaining infections. Unfortunately she followed the link and tried to purchase the upgrade using her credit card. Fortunately, they did not accept her brand of credit card so the purchase was not accepted (unfortunately, they now have her credit card info). Now she was very suspicious and determined to just power down the computer. The next time it was booted, it hung on the Intel RAID Config screen. And that is how I found it when she brought it to me.

Followed the described procedures. Got to the Welcome to xPUD screen, but the system locks up, so I can't select File or move the mouse, and there is no keyboard response.

#20 gringo_pr

Posted 01 January 2012 - 06:19 PM

Greetings

I need you to make a bootable usb and to make a screenshot for me - follow the instructions below to do this

How to create a bootable Puppy USB Drive

  • Download and save a copy of the latest Puppy ISO file
  • Download and save a copy of Unetbootin for Windows.
  • Insert an empty formatted USB drive into a USB port on the computer that's being used to create the bootable USB.
  • Launch Unetbootin ....
  • Ensure that Disk Image is selected.
  • Using the browse button ... browse to and select the Puppy ISO file.
  • Ensure that Type: is set to USB Drive and that the Drive: letter corresponds to the USB drive.
  • Click OK
Unetbootin will now copy the Puppy files to the USB and make it a bootable device.

Next

You need to change the boot order of the computer to boot from a USB drive ....

  • Read HERE for instructions how to do this.

Now boot into Puppylinux

when you get to the desktop Click on each of the drive items found in the bottom left corner to mount them (when mounted they will have a red cross next to them)

Next - Launch GParted which is found at Menu > System > GParted partition manager,
Click to select All Drives then click Okay
I need you to take a screenshot of the window that opens up - to do this follow these instructions

To take a screenshot in Puppy ....

With the GParted window open ...

  • Click menu > Graphic > mtPaint-snapshot screen capture
  • A small window will open ....

    • Click Capture Now
    • Click OK
  • The mtPaint program will open ....
    • Click File > Save
    • Double click on ../
    • Double click on mnt/
    • Double click on sdb1/
    • Set File Format to JPEG
    • Enter screenshot1 into the text box
    • Click OK

This will save a file screenshot1.jpeg into the USB drive, paste or attach this to your next post

Next

  • Click menu > shutdown > power off computer
  • If prompted to save the session click on No

Puppy will now close down.

Remove the USB drive and save it (we will use it again), boot back into Windows and send me the screen capture.

gringo

#21 George7426

Posted 01 January 2012 - 07:34 PM

Sorry, took a while, took a couple of tries (operator error).

See attached: screenshot1.jpg (153.31 KB)

#22 gringo_pr

Posted 01 January 2012 - 08:09 PM

hello


Boot back into GParted and right click on the partition that is called "mirrored C drive" and select Manage Flags.
Check the boot flag option.
Click Close, and GParted will add the boot flag.
Remove the USB drive, then click menu > shutdown > reboot computer to boot the computer back into Windows.


let me know what happens during the boot


gringo

#23 George7426

Posted 01 January 2012 - 08:20 PM

Steps followed; rebooted and selected Safe Mode. BSOD Stop 0x7B.

#24 gringo_pr

Posted 02 January 2012 - 12:39 PM

Hello


Boot back into GParted and set the boot flag on the Dell Utility partition and see if it will boot.


gringo

#25 George7426

Posted 02 January 2012 - 12:52 PM

Done, rebooted to Safe Mode, same BSOD 7B.

This morning I also did a rebuild of the boot.ini; it has not made any difference.

#26 gringo_pr

Posted 02 January 2012 - 01:17 PM

Hello


OK George, move the boot flag back to the mirrored system partition.

Once it is back on the mirrored partition, use the Dell CD and run the fixmbr command again.


gringo

#27 George7426

Posted 02 January 2012 - 01:52 PM

Done. Reset the boot flag, booted to the Recovery Console (Dell Windows CD) and ran fixmbr. No action took place; it just returned to the C: prompt.

Gr, I have copied User Data from this HDD to an external drive. With the BSOD 7B error I am getting, does it make more sense to rebuild the system from the Dell Recovery Partition?

#28 George7426

Posted 02 January 2012 - 02:00 PM

Forgot to add: rebooted to Safe Mode but got the same BSOD 7B.

#29 gringo_pr

Posted 02 January 2012 - 02:38 PM

Hello

does it make more sense to rebuild the system from the Dell Recovery Partition?

At this time I believe it would be the quickest, but there is one thing you need to do.

In GParted there is a hidden partition that is 14 MB in size. This is the malware partition, and you need to right click on it and select Delete.

If you don't do this, then once you get everything up and running your AV will find it and report it.


gringo
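The two things gringo has George check in GParted, which entry carries the active (boot) flag and whether a small extra partition has appeared, both live in the 64-byte partition table at the end of sector 0, so they can be checked offline from any live system that can read the raw disk. The script below is an added example written for this page, not a tool from the thread or from BleepingComputer: it parses the four primary MBR entries, reports the boot flag, flags any entry small enough to be a bootkit's hidden partition rather than a real volume, and shows what GParted's "boot" flag change actually writes. It runs against a constructed sample MBR; the partition types, sizes and the 32 MB threshold are assumptions for the sample, not values taken from George's screenshot, which the page does not reproduce.

```python
"""Inspect, and optionally re-flag, the partition table in a raw MBR sector.

Added example for this page; not from the forum thread. Reads sector 0 of a
device or image (read_mbr) or a constructed sample (sample_mbr) and reports
what GParted shows graphically: the active flag and suspiciously small entries.
"""
import struct
from dataclasses import dataclass

SECTOR = 512
TABLE_OFFSET = 446                       # four 16-byte entries at 446..509, 0x55AA at 510
ENTRY_FMT = "<B3sB3sII"                  # status, CHS start, type, CHS end, LBA start, count
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 16
BOOT_FLAG = 0x80


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def size_mb(self) -> float:
        return self.sectors * SECTOR / (1024 * 1024)


def parse_mbr(sector: bytes) -> list:
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + i * ENTRY_SIZE)
        if ptype == 0 and count == 0:
            continue                     # unused slot
        parts.append(Partition(i, status == BOOT_FLAG, ptype, lba, count))
    return parts


def suspicious_partitions(parts, max_mb: float = 32.0) -> list:
    """Entries too small to be a real volume: candidates for a bootkit's hidden partition.
    The 32 MB cut-off is an assumption for this example, not a published figure."""
    return [p for p in parts if p.size_mb <= max_mb]


def set_boot_flag(sector: bytes, index: int) -> bytes:
    """Copy of the MBR with only entry `index` active: the byte GParted's 'boot' flag toggles.
    Nothing is written to disk; the caller decides whether to write the result back."""
    buf = bytearray(sector)
    for i in range(4):
        buf[TABLE_OFFSET + i * ENTRY_SIZE] = BOOT_FLAG if i == index else 0x00
    return bytes(buf)


def read_mbr(path: str) -> bytes:
    """Read sector 0 from a block device or image, e.g. read_mbr('/dev/sda') under a live CD."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


def _entry(bootable: bool, ptype: int, lba: int, count: int) -> bytes:
    chs = b"\xfe\xff\xff"                # CHS fields are ignored by modern loaders; LBA rules
    return struct.pack(ENTRY_FMT, BOOT_FLAG if bootable else 0, chs, ptype, chs, lba, count)


def sample_mbr() -> bytes:
    """Constructed sample (not the thread's disk): a vendor utility partition, the Windows
    volume with no active flag, and a 14 MB partition like the one the thread describes.
    Type ids and sizes are assumptions made up for the example."""
    table = (
        _entry(False, 0xDE, 63, 102400)              # 102400 * 512 B = 50 MiB utility partition
        + _entry(False, 0x07, 204800, 200_000_000)   # ~95 GiB NTFS system volume, not active
        + _entry(False, 0x27, 200_204_800, 28672)    # 28672 * 512 B = 14 MiB hidden partition
        + bytes(ENTRY_SIZE)                          # empty fourth slot
    )
    return bytes(TABLE_OFFSET) + table + b"\x55\xaa"


def report(sector: bytes) -> str:
    parts = parse_mbr(sector)
    lines = [f"#{p.index} {'*' if p.bootable else ' '} type=0x{p.type_id:02x} "
             f"lba={p.lba_start} size={p.size_mb:.1f} MiB" for p in parts]
    for p in suspicious_partitions(parts):
        lines.append(f"suspicious: entry #{p.index} is only {p.size_mb:.1f} MiB")
    if not any(p.bootable for p in parts):
        lines.append("no partition carries the active (boot) flag")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    mbr = read_mbr(sys.argv[1]) if len(sys.argv) > 1 else sample_mbr()
    print(report(mbr))
```

Two caveats a practitioner would want. First, the partition table is only half of sector 0: TDSS-family bootkits also replace the 446 bytes of boot code in front of it, and that boot code is what the Recovery Console's fixmbr rewrites, while the partition table, where the hidden partition and the active flag live, is left alone by fixmbr. That is consistent with what happens in this thread: fixmbr reports nothing and the fix is to delete the partition in GParted. Second, the script only understands the classic MBR scheme; a disk that is GPT-partitioned has a protective MBR with a single 0xEE entry and must be read differently.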

#30 George7426

Posted 02 January 2012 - 03:00 PM

Any tips/tricks on getting to the Dell Restore Partition? The prescribed procedure, Ctrl-F11, is not working.