Home Security 2012 virus, ran various things, after TDSS Killer - will not boot


  • This topic is locked
36 replies to this topic

#1 halfthyme

halfthyme

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:04:55 AM

Posted 10 January 2012 - 01:23 PM

Hello! I'm having a hell of a time with my laptop right now... Two days ago I caught that rogue malware Home Security 2012 virus. Today I downloaded Malwarebytes, the reg fix and TDSS Killer from a clean computer to combat it. Everything went fine after Malwarebytes (deleted 12 infected files) and I thought my computer was clean until I did a Google check and found that I was being redirected. I then downloaded TDSS Killer, renamed it and ran it. One threat was found and I hit "cure" and then rebooted as it suggested to complete the clean. Now it just won't reboot at all. I have tried rebooting in safe mode and going to last known configuration, but neither works. It goes to the Win 7 page, briefly flashes a BSOD and then suggests I run diagnostics to see if the problem can be fixed (it can't).

I'm not really sure what to do at this point. Any help would be much appreciated! I just don't want to fiddle with it and accidentally make it worse somehow.

I'm running Win 7 64x Professional on a Sony Vaio NW laptop.


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,237 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:55 AM

Posted 16 January 2012 - 10:50 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Not sure if this will restore your boot system but try it.


PLEASE NOTE: Most authorities say that a PC with a polymorphic file infector can never again be trusted and should be reformatted. You should seriously consider reformatting and reinstalling Windows.

That said, if you wish we can attempt disinfection but you are cautioned that theoretically you can never be sure cleaning is 100% complete.

Read all these directions before proceeding.

When you have the .ISO file downloaded, you need to create a bootable disk or flash drive with it, using a clean PC to do that. The .ISO file is a disk image. It should NOT be burned as a regular file. You need a program like BurnAware Free or ImgBurn that can burn an .ISO image. I think a CD is best as there is no way anything can write on it after it is made, but the USB may be more convenient and easier.

Be sure to read these:
Download Kaspersky Rescue Disk 10
How to record Kaspersky Rescue Disk 10 to an USB device and boot my computer from it?
How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?


Summarizing:
  • Go to a clean PC.
  • Download the .iso image file.
  • Create a CD (or flash drive if you prefer).
  • At the infected PC: put the disk in the drive and reboot.

Follow the directions here, but you will find some differences.

Familiarize yourself with How to create a report file in Kaspersky Rescue Disk 10?

Print the following directions:

Boot from Kaspersky Rescue Disk 10:
Restart your computer and put the disk in the drive while booting.
Press any key. A loading wizard will start (you will see the menu to select the required language). If you do not press any key in 10 seconds, the computer boots from hard drive automatically.
Select the required interface language using the arrow-keys on your keyboard.
Press the Enter key on the keyboard.
In the start up wizard window that opens, select the Kaspersky Rescue Disk. Graphic Mode
Click Enter.
Click 'A' to accept the agreement.
Select operating system from dropdown menu (select Windows whatever)
Select Objects to scan: check Disk boot sectors, Hidden startup objects, C:
Click My Update Center and update if any available
Back to other tab and click Start Object Scan.
(It took 3 hours to scan my 47G)
When scan has completed save a report:

On the upper part of the Kaspersky Rescue Disk window, click on the Report link.
On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button.
On the upper right hand corner of the Detailed report window, click on the Save button.
After clicking Detailed Report and 'SAVE', a browse window opens.
Double-click on the \
Click 'disks'.
All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt.
Click on the Save button.
The report has been saved to the file.

Remove the disk from the drive (or disconnect USB) and reboot normally.

Post the content of the file for my review.
Let me know what problem persists.

#3 halfthyme


Posted 16 January 2012 - 11:52 AM

Kaspersky can't update... Hopefully that won't affect too much?

#4 halfthyme


Posted 16 January 2012 - 12:56 PM

The scan malfunctioned...

#5 nasdaq


Posted 16 January 2012 - 02:13 PM

Please visit the Windows 7 forum. Start a new topic and see what the experts there have to suggest.

http://www.bleepingcomputer.com/forums/forum167.html

#6 halfthyme


Posted 16 January 2012 - 04:06 PM

Originally posted here: http://www.bleepingcomputer.com/forums/topic437350.html/
I was told to re-post here

Hello! I'm having a hell of a time with my laptop right now... Two days ago I caught that rogue malware Home Security 2012 virus. Today I downloaded Malwarebytes, the reg fix and TDSS Killer from a clean computer to combat it. Everything went fine after Malwarebytes (deleted 12 infected files) and I thought my computer was clean until I did a Google check and found that I was being redirected. I then downloaded TDSS Killer, renamed it and ran it. One threat was found and I hit "cure" and then rebooted as it suggested to complete the clean. Now it just won't reboot at all. I have tried rebooting in safe mode and going to last known configuration, but neither works. It goes to the Win 7 page, briefly flashes a BSOD and then suggests I run diagnostics to see if the problem can be fixed (it can't).

I'm not really sure what to do at this point. Any help would be much appreciated! I just don't want to fiddle with it and accidentally make it worse somehow.

I'm running Win 7 64x Professional on a Sony Vaio NW160J laptop.


UPDATE: I made a boot disk of Kaspersky Rescue Disk (as suggested) but it malfunctions when I attempt to update it. It also malfunctions while I run it, so it never actually does anything.

UPDATE 2: I babysat Kaspersky and saw it just randomly end at 14%. The whole program keeps going, but the scan just ends without any notice

Any help would be so helpful! It's been a week now and I'm worried my computer is toast!

Edited by halfthyme, 16 January 2012 - 04:44 PM.


#7 hamluis

hamluis

    Moderator


  • Moderator
  • 55,748 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:04:55 AM

Posted 17 January 2012 - 11:06 AM

Topic has been added to Unbootable Computers list, please be patient...help is on the way :).

Louis

#8 halfthyme


Posted 17 January 2012 - 06:02 PM

Thank you!!

#9 jfruch1

jfruch1

  • Members
  • 103 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Hernando County, FL
  • Local time:04:55 AM

Posted 17 January 2012 - 06:37 PM

While your problem appears to be more extensive than mine was, I got rid of the same virus two weeks ago and started having a number of malfunctions afterwards. Booting problems and then other hardware. I decided to use the Recovery disks I made when the computer was new and go back to out of the box condition. It worked. Everything is running fine now.

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,112 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:12:55 PM

Posted 20 January 2012 - 02:24 AM

Hi, I have merged the two topics, to keep things more ordered. :)

Let's first have a look at the MBR of the drive.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
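
What a reviewer can check in the mbr.bin dump produced by the dd command above, as an added example that is not part of the original post or of any tool named in this thread: it parses the classic 512-byte MBR layout, flags structural anomalies, and hashes the boot-code area for comparison with a baseline. The function names, the constructed sample sector and the `known_good_sha256` baseline (a hash taken from a clean machine with the same Windows version) are assumptions.

```python
import hashlib
import struct
import sys

SECTOR = 512
BOOT_CODE_LEN = 440      # bootstrap code; bytes 440-445 hold the disk signature + 2 reserved
PART_TABLE_OFFSET = 446  # four 16-byte partition entries, then the 0x55AA signature

def parse_mbr(raw: bytes) -> dict:
    """Parse a one-sector MBR dump such as the mbr.bin written by the dd command."""
    if len(raw) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(raw)}")
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFFSET + 16 * slot
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", raw[off:off + 16])
        if ptype:  # type 0x00 marks an unused slot
            partitions.append({"slot": slot, "status": status, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"signature_ok": raw[510:512] == b"\x55\xaa",
            "disk_signature": raw[440:444].hex(),
            "boot_code_sha256": hashlib.sha256(raw[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}

def findings(mbr: dict, known_good_sha256=None) -> list:
    """Return structural anomalies; known_good_sha256 is an optional baseline (assumption)."""
    notes = []
    if not mbr["signature_ok"]:
        notes.append("missing 0x55AA boot signature")
    for p in mbr["partitions"]:
        if p["status"] not in (0x00, 0x80):
            notes.append(f"slot {p['slot']}: invalid status byte 0x{p['status']:02x}")
    active = sum(p["status"] == 0x80 for p in mbr["partitions"])
    if active != 1:
        notes.append(f"{active} active partitions, expected 1")
    if known_good_sha256 and mbr["boot_code_sha256"] != known_good_sha256:
        notes.append("boot code differs from known-good baseline")
    return notes

def build_sample() -> bytes:
    """Constructed sector, not a real disk: filler boot code and one active NTFS entry."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return (b"\x90" * BOOT_CODE_LEN + bytes.fromhex("deadbeef0000")
            + entry + bytes(48) + b"\x55\xaa")

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(parse_mbr(raw), findings(parse_mbr(raw)) or "no structural anomalies", sep="\n")
```

Run it with the path to mbr.bin as the only argument; with no argument it parses the constructed sample.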


#11 halfthyme


Posted 20 January 2012 - 10:31 AM

Here you are!

Attached Files

  • Attached File  mbr.zip   596bytes   1 downloads


#12 Elise


Posted 20 January 2012 - 12:05 PM

Please start your computer and tap the F10 key until the Edit Boot Menu screen comes up. Let me know what is between the brackets ([..... ]).

regards, Elise


#13 halfthyme


Posted 20 January 2012 - 12:37 PM

/DETECTHAL /MINIT RDIMAGEOFFSET=8192 RDIMAGELENGTH=3161088 RDPATH=multi(0)disk(0)rdisk(0)partition(1)\SOURCES\vrc.wim

it doesn't end with a bracket, if that matters any

#14 Elise


Posted 20 January 2012 - 01:10 PM

Please delete this part: /MINIT

Press enter and see if you can reboot successfully.

regards, Elise


#15 halfthyme


Posted 20 January 2012 - 01:28 PM

Oh... Not really! It goes to the error recovery screen. Should I attempt Windows recovery?



