
Can't boot up due to TDSS, no access to 2nd computer



#1 AkariK


Posted 03 July 2012 - 11:14 PM

I'm on a tablet right now, so I can't really copy/paste anything specific.

I've currently got the TDSS virus (Windows 7 ultimate, x64) and cannot boot into Windows, so all the available tools are unavailable to me until I can at least get this figured out. I know it's TDSS because I got it 3 months ago, but was able to fix it (and now I know I definitely should have used more antivirus). The symptoms are crashing on reboot due to corrupt system file (rdyboost.sys or something like that, but I know that's not the problem), and my hard drives randomly getting repartitioned.

The main problem is that I forgot what I need to do to the boot record to just get the machine booting up so I can go get the Kaspersky tools and recovery disc for future incidents. I do have a Windows 7 CD, and this is what I did so far from the recovery console:

- delete old bcd file and build a new one using bootrec /rebuildbcd
- rebooting failed, so I repeated that, booted into console again, and ran sfc /scannow, which said there was a system repair pending and could do nothing
- rebooting failed again, so I again repeated those steps and ran sfc again with the offbootdir flag. This time it said Windows Resource Protection found corrupt files but was unable to repair them

This is where I'm stuck. I can't find any other info that has help at the recovery console level, and I'd really like to avoid a reformat, especially knowing that TDSS survives reformats because it sits in the master boot record.

Thanks in advance.


edit: OK, I found out that the partitions on my boot drive had been set to inactive, so I set the main one to active using diskpart. After doing the and a few startup repairs, I got my drive letters back, but bootrec /scanos still shows 0 installations even after I rebuild the MBR. Startup repair ran 3 times and ultimately said that it was simply unable to solve the problem. SFC is still failing with the same unable to replace corrupt files error. Hmm... I tried using Win7's custom install to check partitions, and this time I don't seem to have that mysterious 7mb partition I had last time I had TDSS. I'm not sure why rebuilding the MBR is failing...

edit 2: I really wish I remembered how I got past this before. The rdyboost.sys file is completely stopping me from booting, regardless of mbr. Initially the error was 0xc0000221, and then I renamed the file and now I get 0xc000000f, but still on rdyboost.

edit 3: Damn. I randomly decided to try System Restore, despite the fact that I had not rebooted in 10 days and also that I didn't even have a point. I had been messing with Windows Update which is constantly failing on some .net framework updates, so I had uninstalled 4.0 in an attempt to reinstall. Windows was gracious enough to create a restore point for me right before the first uninstall, and loading that worked. Whew. Running TDSSkiller after that found 1 infection, which I deleted. Time to go nuts on antivirus scanning.

Edited by Orange Blossom, 04 July 2012 - 08:56 AM.
Moved to log forum. ~ OB
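The partition-table conditions mentioned in the post above (no partition marked active, an unexpected small partition) can be read directly from the first disk sector. The following is an added example, not part of the original thread: it assumes a classic MBR-partitioned disk with 512-byte sectors, the sample sector is constructed, and `SMALL_MIB` is a hypothetical review threshold.

```python
import struct

SECTOR = 512          # assumed sector size
SMALL_MIB = 100       # hypothetical review threshold, not a standard value

def parse_mbr(sector: bytes):
    """Return (signature_ok, entries) from a raw 512-byte MBR sector."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    entries = []
    for slot in range(4):                      # table starts at offset 446
        raw = sector[446 + 16 * slot: 462 + 16 * slot]
        # status, (CHS start skipped), type, (CHS end skipped), LBA start, sectors
        status, ptype, lba, count = struct.unpack("<B3xB3xII", raw)
        if ptype == 0 and count == 0:
            continue                           # unused slot
        entries.append({"slot": slot + 1, "status": status, "type": ptype,
                        "lba": lba, "mib": count * SECTOR / 2**20})
    return sector[510:512] == b"\x55\xaa", entries

def review(sector: bytes):
    """List conditions worth a closer look before trusting the disk layout."""
    sig_ok, entries = parse_mbr(sector)
    findings = []
    if not sig_ok:
        findings.append("boot signature 55AA missing")
    active = [e["slot"] for e in entries if e["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    for e in entries:
        if e["status"] not in (0x00, 0x80):
            findings.append(f"slot {e['slot']}: invalid status 0x{e['status']:02x}")
        if e["mib"] < SMALL_MIB:
            findings.append(f"slot {e['slot']}: small partition, {e['mib']:.0f} MiB")
    return findings

def build_sample():
    """Constructed sector: nothing active, plus a 7 MiB third partition."""
    table = b"".join(struct.pack("<B3xB3xII", st, ty, lba, n) for st, ty, lba, n in [
        (0x00, 0x07, 2048, 204800),            # 100 MiB system partition
        (0x00, 0x07, 206848, 209715200),       # 100 GiB Windows partition
        (0x00, 0x07, 209922048, 14336),        # 7 MiB partition
        (0x00, 0x00, 0, 0)])                   # empty slot
    return bytes(446) + table + b"\x55\xaa"

if __name__ == "__main__":
    for line in review(build_sample()):
        print(line)
```

A finding here is only a prompt to compare the table against the layout the disk is known to have; the parser does not inspect the boot code in the first 446 bytes.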




#2 hamluis


Posted 04 July 2012 - 07:33 AM

Added to Unbootable Due To Malware List, here...someone will try to assist you soon.

Louis

#3 JSntgRvr


Posted 04 July 2012 - 08:42 AM

Hi and welcome.

You will need a USB Flash drive.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#4 JSntgRvr


Posted 21 September 2012 - 07:46 PM

Due to the lack of feedback this Topic is closed. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!





