
Snowballing problems after TDSSKiller


  • This topic is locked
42 replies to this topic

#1 J Moldy
  • Members
  • 54 posts

Posted 05 August 2012 - 02:40 AM

Well, I definitely got infected with something. I got problems when running in normal mode, getting blue screens caused by ATAPORT.SYS. Followed this. Used TDSSKiller, picked to restore to defaults. Got "Invalid partition table". Followed this next, and now it's saying there aren't any bootable devices.

Starting it up indicates that Windows 7 isn't even installed. Swapping the partitions says that BOOTMGR is missing. At this point, I'm about to just get my files off of the laptop and re-install Windows. How do I salvage it?


#2 noknojon
  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 05 August 2012 - 03:11 AM

Hi -
TDSSKiller is a tool specifically designed to help you remove malware belonging to the family Rootkit.Win32.TDSS.
Blue screens are not always a sign of a rootkit infection; rather they are a hardware or driver issue that requires updates or replacements.
This may give a better look at your actual problems, and what is causing them -
Please download BlueScreenView (in zip file) to your Desktop
  • Extract (right-click > Extract all) the contents of bluescreenview.zip.
  • Double-click on the extracted folder.
  • Double-click on the BlueScreenView.exe file to run the program. (No installation is required.)
  • When scanning is done (usually complete by the time the interface appears), go to:
  • Edit > Select All
  • File > Save Selected Items, and save the report to your Desktop as BSOD.txt.
  • Close the BlueScreenView window.
  • Open BSOD.txt using Notepad and go to:
  • Edit > Select All
  • Edit > Copy, and then paste the entire contents of the text file into your next reply.

Thank You

#3 J Moldy
  • Topic Starter
  • Members
  • 54 posts

Posted 05 August 2012 - 03:29 AM

Uh, at this point, I cannot boot up at all, and even starting it up with the Windows 7 disk indicates that there is no OS installed.

#4 noknojon
  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 05 August 2012 - 03:43 AM

If you can, read this - Troubleshooting Windows 7 Failure to Boot
Failing all this, your idea to reinstall is about all that is left. Saving anything without a bootable system is very hard.

You could wait a while as I try to find someone to assist you to create a Linux bootable CD, and this may save your existing data.
How much data do you / would you like to save - heaps, or just a few bits?

#5 J Moldy
  • Topic Starter
  • Members
  • 54 posts

Posted 05 August 2012 - 03:53 AM

Um, mostly, I want to save a few programs, most of my images and my messenger histories, other personal documents, so a fair deal.

#6 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,320 posts
  • Gender:Female
  • Location:Romania

Posted 05 August 2012 - 04:20 AM

Let's have a look at your disk's boot sector, as most likely things are messed up there.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the Master Boot Record of your drive and see if it is infected.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 J Moldy
  • Topic Starter
  • Members
  • 54 posts

Posted 05 August 2012 - 05:03 AM

Will do as soon as a USB is found. Or bought.

#8 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,320 posts
  • Gender:Female
  • Location:Romania

Posted 05 August 2012 - 05:32 AM

If you don't have one, you can execute the command from your Windows drive (on Windows 7 usually sda2; just look for the partition with the Windows and Users folders on it).

You will need to adapt the command to:

dd if=/dev/sda of=mbr.txt bs=512 count=1


After it is created, click the second tab on the left and open Firefox. Navigate to this topic and attach the created mbr.txt file.

regards, Elise



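The mbr.bin (or mbr.txt) written by the dd commands in posts #6 and #8 is a raw 512-byte sector, which is what Elise would then read by hand. As an added example, not code from this thread or from any tool it mentions, here is a small Python checker for such a dump that flags what an analyst looks at first: the 55 AA boot signature, the status bytes (the field the standard MBR boot code rejects with "Invalid partition table", the error seen in post #1), the number of active partitions, and overlapping entries. The two embedded partition layouts are constructed samples; the 305412 MB size is borrowed from the repair details quoted later in this thread.

```python
import struct

def build_entry(status: int, ptype: int, start_lba: int, sectors: int) -> bytes:
    """One 16-byte partition table entry (legacy CHS fields left zero)."""
    return struct.pack("<B3xB3xII", status, ptype, start_lba, sectors)

def make_mbr(entries: list, boot_code: bytes = b"") -> bytes:
    """Assemble a 512-byte MBR: 446 bytes boot code, 64-byte table, 55 AA."""
    table = b"".join(entries).ljust(64, b"\x00")
    return boot_code[:446].ljust(446, b"\x00") + table + b"\x55\xaa"

def parse_mbr(mbr: bytes) -> dict:
    """Parse a 512-byte MBR dump and list the defects an analyst checks first."""
    if len(mbr) != 512:
        raise ValueError(f"expected 512 bytes, got {len(mbr)}")
    # Boot signature: bytes 510-511 must be 55 AA (reads as 0xAA55 little-endian).
    sig_ok = struct.unpack_from("<H", mbr, 510)[0] == 0xAA55
    warnings = [] if sig_ok else ["missing 55 AA boot signature"]
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype == 0:
            continue  # empty slot
        if status not in (0x00, 0x80):
            warnings.append(f"entry {i}: bad status byte 0x{status:02x}")
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "start_lba": start, "sectors": count, "end_lba": start + count})
    active = sum(p["active"] for p in parts)
    if active != 1:
        warnings.append(f"{active} active partitions (expected exactly 1)")
    # Overlapping entries point to a damaged or tampered table.
    ordered = sorted(parts, key=lambda p: p["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if b["start_lba"] < a["end_lba"]:
            warnings.append(f"entries {a['index']} and {b['index']} overlap")
    return {"signature_ok": sig_ok, "partitions": parts, "warnings": warnings}

# Constructed sample layout: a 100 MB NTFS "System Reserved" partition followed by a
# C: partition of 305412 MB (the size quoted in this thread); 1 MB = 2048 sectors.
HEALTHY = make_mbr([build_entry(0x80, 0x07, 2048, 204800),
                    build_entry(0x00, 0x07, 206848, 305412 * 2048)])
# Same layout with a corrupt status byte in the second entry. The standard MBR boot
# code only accepts 0x00 or 0x80 here and reports "Invalid partition table" otherwise.
CORRUPT = make_mbr([build_entry(0x80, 0x07, 2048, 204800),
                    build_entry(0x01, 0x07, 206848, 305412 * 2048)])
if __name__ == "__main__":
    import sys  # usage: python mbr_check.py mbr.bin (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else CORRUPT
    print("\n".join(parse_mbr(data)["warnings"] or ["no problems found"]))
```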

#9 J Moldy
  • Topic Starter
  • Members
  • 54 posts

Posted 07 August 2012 - 01:40 PM

Well I finally got it working.

I burned the CD and got a USB flash drive. However, choosing to boot from the CD still says BOOTMGR is missing, press ctrl+alt+del to restart.

#10 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,320 posts
  • Gender:Female
  • Location:Romania

Posted 07 August 2012 - 02:56 PM

Does the CD spin/light up before the error shows? Were you able to boot using xPUD before you had the USB drive?

regards, Elise




#11 J Moldy
  • Topic Starter
  • Members
  • 54 posts

Posted 07 August 2012 - 07:15 PM

The CD does indeed spin, and if the USB is in the port at the time it tells me to remove it and restart (as it did before it got damaged).

However, I was not able to boot up before using xPUD.

#12 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,320 posts
  • Gender:Female
  • Location:Romania

Posted 08 August 2012 - 01:58 AM

Do you remember having problems with the CD drive before (or is it old)?

regards, Elise




#13 J Moldy
  • Topic Starter
  • Members
  • 54 posts

Posted 08 August 2012 - 03:31 AM

Have not had problems with the CD drive before now.
However, this is also now failing to recognize the Windows 7 install disk.

#14 J Moldy
  • Topic Starter
  • Members
  • 54 posts

Posted 08 August 2012 - 03:58 AM

Burning it onto a new disk has fixed the problem.

I then noticed that there was no sdb1 at all, so I went to see if it had gotten disabled here and went to start up the Windows prompt, and put in the Windows install CD, and it says it found problems with the startup.
Repair details:
The following startup options will be added:
Name: Windows 7 Home Premium (recovered)
Path: Windows
Windows Device: Partition=C: (305412 MB)

Name: Windows Recovery Environment (recovered)
Path: Recover/b3328e78-ceb9-11e0-89c3-a0f587d52f3d\Winre.wim
Windows Device: Partition=C: (305412 MB)

Should I continue with this?

#15 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,320 posts
  • Gender:Female
  • Location:Romania

Posted 08 August 2012 - 05:15 AM

Yes, doing a startup repair can never hurt. Let me know if it resolves the problem.

regards, Elise



