
System only restarts in Safe Mode after rootkit removal


16 replies to this topic

#1 adam654321 (Members, 29 posts)

Posted 18 February 2013 - 03:32 AM

My ISP had been blocking my internet connection because they claimed I had a "bot" on one of my systems. After much dealing with them they instructed me to try running tools to remove ZeroAccess. I ran the tool that can be found here:

http://www.mcafee.com/us/downloads/free-tools/rootkitremover.aspx

It found TDSS something and told me to reboot my system.

After rebooting, my system flashes the blue screen with white writing and then reboots again, asking me if I want to start in safe mode.

The system starts normally in safe mode.

System restore does not seem to run in safe mode.

A pop-up instructs me to run safe mode manually with a command, but it still does not work.


Edited by hamluis, 18 February 2013 - 12:06 PM.
Moved from Vista to Am I Infected - Hamluis.




#2 Elise (Bleepin' Blonde; Malware Study Hall Admin; 61,441 posts; Location: Romania)

Posted 18 February 2013 - 01:09 PM

Hello, let's first see if we can find a BSOD code here.

We Need to Diagnose Your BlueScreen
  • When you boot your machine, press F8 to list the startup options, exactly as you would if you were trying to enter Safe Mode
  • Select "Disable Automatic Restart on System Failure", as shown here: (screenshot: advancedoptions.png)
  • When your system BSODs, write down the STOP error code, as well as any written-out error message, and post it back here. The STOP error will always appear, but the message may not. You are looking for this: (screenshot: bsod_c.jpg)
  • Please post me the error(s).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

Malware analyst @ Emsisoft


#3 adam654321 (Topic Starter)

Posted 18 February 2013 - 02:08 PM

I have attached a picture of my BSOD.


Edited by adam654321, 18 February 2013 - 02:09 PM.


#4 Elise (Malware Study Hall Admin)

Posted 18 February 2013 - 02:15 PM

Let's start with having a look at your computer's MBR.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2... usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1
  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.
  • This will allow me to have a look at the Master Boot Record of your drive and see if it is infected.

regards, Elise




#5 adam654321 (Topic Starter)

Posted 18 February 2013 - 02:40 PM

Here it is.

Attached file: mbr.zip (557 bytes, 2 downloads)


#6 Elise (Malware Study Hall Admin)

Posted 18 February 2013 - 03:03 PM

It doesn't look like the MBR was fixed correctly.

Could you tell me what version of Windows you have (I suspect Vista or 7)?

regards, Elise




#7 adam654321 (Topic Starter)

Posted 18 February 2013 - 03:03 PM

Vista



#8 Elise (Malware Study Hall Admin)

Posted 18 February 2013 - 03:10 PM

Right click the following download link and select "save link/target as": xPUD_MBRfix
Save the file to your USB drive.
  • Boot the ailing computer to xPUD
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Double click on xPUD_MBRfix to execute the script
  • When asked "what boot code do you want to write?" type i for Vista boot code and press enter.
  • When asked "to which one do you want to write a new mbr?" type sda and press enter.
  • Type y and press enter to confirm your choices.
  • Press enter to close the window.
  • Upon finishing, its actions will produce a report (mlog.txt)
  • Post that report in your next reply
  • When done let me know if you can boot successfully in Windows now.

regards, Elise




#9 adam654321 (Topic Starter)

Posted 18 February 2013 - 03:17 PM

I still can't boot Windows normally.

Mon Feb 18 14:13:54 UTC 2013

User has chosen Windows Vista boot code
User has chosen drive sda
Backing up mbr to backup_sda.bin

Boot code structure before fix
/dev/sda has an x86 boot sector,
it is an unknown boot record

Boot code structure after repairing
/dev/sda has an x86 boot sector,
it is a Microsoft Vista master boot record, like the one this
program creates with the switch -i on a hard disk device.
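The dd step in post #4 produces a raw 512-byte sector, and the repair log above reports a "before" and "after" state of its boot code. The following script is an added example (not a tool from the thread, BleepingComputer or xPUD) showing what a defender can check in such a dump offline: the 0x55AA signature, partition-table sanity (one active entry, no overlaps), a boot-code hash against a baseline, and whether a repair changed only the boot code while preserving the disk signature and partition table (the backup_sda.bin written by the script versus the repaired sector). The sample sectors, partition layout and "clean" boot-code bytes are constructed placeholders, not real Microsoft boot code; the baseline-hash comparison assumes you hold a dump from a clean machine with the same Windows version.

```python
"""Structural checks on a 512-byte MBR dump such as mbr.bin from
`dd if=/dev/sda of=mbr.bin bs=512 count=1` (added example, not the thread's own tool)."""
import hashlib
import struct
from typing import Dict, List, Optional

MBR_SIZE = 512
BOOT_CODE_LEN = 440    # bytes 0-439: executable boot code (what a bootkit replaces and a repair rewrites)
DISK_SIG_OFF = 440     # bytes 440-445: Windows disk signature plus two reserved bytes
PART_TABLE_OFF = 446   # bytes 446-509: four 16-byte partition entries
SIGNATURE_OFF = 510    # bytes 510-511: 0x55 0xAA
PART_ENTRY = "<B3xB3xII"   # boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(mbr: bytes) -> Dict:
    """Split the dump into its fields; raises on anything that is not exactly one sector."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        boot_flag, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:   # type 0 marks an unused slot
            partitions.append({"index": i, "active": boot_flag == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": mbr[SIGNATURE_OFF:] == b"\x55\xAA",
        "disk_signature": mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "active_count": sum(1 for p in partitions if p["active"]),
    }


def check_mbr(mbr: bytes, known_good_code_hash: Optional[str] = None) -> List[str]:
    """Return findings; an empty list means nothing looks wrong at the structural level.
    The hash comparison needs a baseline from a clean machine with the same Windows
    version (assumption: you have such a dump)."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["active_count"] > 1:
        findings.append("more than one active partition")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    if any(s2 < e1 for (_, e1), (s2, _) in zip(spans, spans[1:])):
        findings.append("overlapping partition entries")
    if known_good_code_hash and info["boot_code_sha256"] != known_good_code_hash:
        findings.append("boot code differs from known-good baseline")
    return findings


def compare_fix(before: bytes, after: bytes) -> Dict[str, bool]:
    """A legitimate repair (backup_sda.bin versus the repaired sector) rewrites the boot
    code and leaves the disk signature and the partition table untouched."""
    return {
        "boot_code_changed": before[:BOOT_CODE_LEN] != after[:BOOT_CODE_LEN],
        "disk_signature_preserved": before[DISK_SIG_OFF:PART_TABLE_OFF] == after[DISK_SIG_OFF:PART_TABLE_OFF],
        "partition_table_preserved": before[PART_TABLE_OFF:SIGNATURE_OFF] == after[PART_TABLE_OFF:SIGNATURE_OFF],
    }


def build_sample_mbr(boot_code: bytes, partitions, disk_sig: bytes = b"\x11\x22\x33\x44") -> bytes:
    """Construct a synthetic sector for testing; this is not an image of a real disk."""
    mbr = bytearray(MBR_SIZE)
    mbr[:BOOT_CODE_LEN] = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4] = disk_sig
    for i, (active, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(PART_ENTRY, mbr, PART_TABLE_OFF + 16 * i, 0x80 if active else 0, ptype, lba_start, sectors)
    mbr[SIGNATURE_OFF:] = b"\x55\xAA"
    return bytes(mbr)


# Constructed sample data: a three-partition layout in the spirit of the thread's sda1/sda2/sda3
SAMPLE_PARTS = [(True, 0x07, 2048, 2_000_000), (False, 0x07, 2_002_048, 300_000_000), (False, 0x07, 302_002_048, 20_000_000)]
CLEAN_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 433   # placeholder bytes, NOT real Microsoft boot code
TAMPERED_CODE = b"\xEB\xFE" + b"\x00" * 438                    # placeholder standing in for replaced boot code
CLEAN_MBR = build_sample_mbr(CLEAN_CODE, SAMPLE_PARTS)
TAMPERED_MBR = build_sample_mbr(TAMPERED_CODE, SAMPLE_PARTS)
BASELINE_HASH = hashlib.sha256(CLEAN_CODE).hexdigest()

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else TAMPERED_MBR
    print(parse_mbr(data))
    print("findings:", check_mbr(data, BASELINE_HASH))
```

Run it as `python mbr_check.py mbr.bin` on the unzipped dump; without an argument it exercises the constructed tampered sample. Only the first 440 bytes are hashed, so a repair that writes fresh boot code and a disk whose partition table merely differs from the baseline machine are told apart: the partition table is judged on its own consistency, and only the code region is compared against the baseline.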


#10 Elise (Malware Study Hall Admin)

Posted 18 February 2013 - 03:26 PM

Please boot in xPUD and click on the Files tab (left panel).
Double click on mnt, you should then see in the right panel sda1, sda2 and sda3. Please tell me what folders you see in the root of each of these partitions.

Also, how far does your computer boot now, does Safe Mode still work, and has the BSOD for normal mode changed?

regards, Elise




#11 adam654321 (Topic Starter)

Posted 19 February 2013 - 01:31 AM

The BSOD seems the same. I still cannot boot Windows normally. Safe Mode boots fine.

I don't quite know what you mean by in the root of each of these partitions.

In sda1:
$RECYCLE.BIN
Boot
INOV8LOG
MFGSTAT
preboot
recovery
swwork
System Volume Information
tvtos
windows
AUTORUN.INF
bootmgr
BOOTSECT.BAK
LenovoSDrive.exe
recov.wim
sdrive.ico
winre.wim

In sda2:
$Recycle.bin
A
B
C
Documents and Settings
DRIVERS
Intel
mfg
MSOCache
N360_BACKUP
PerfLogs
Program Files
ProgramData
RRbackups
SWShare
SWTools
System Volume Information
Users
Windows
autoexec.bat
config.sys
EasyCapture.log
FaceProv.log
hiberfil.sys
pagefile.sys
sysiclog.txt
veriface.log
and then there are 9 folders with alphanumeric names enclosed in "{}"

In sda3:
$RECYCLE.BIN
FactoryRecovery
swtools
System Volume Information
AUTORUN.INF
LenovoQDrive.exe
qdrive.ico



#12 Elise (Malware Study Hall Admin)

Posted 19 February 2013 - 02:42 AM

That looks good. Can you start the computer and tap F10 until the "Edit Boot Menu" screen comes up? Let me know what is listed between the brackets ([..... ])

regards, Elise




#13 adam654321 (Topic Starter)

Posted 19 February 2013 - 03:03 AM

[ /NOEXECUTE=OPTIN /MININT ]



#14 Elise (Malware Study Hall Admin)

Posted 19 February 2013 - 03:17 AM

In safe mode do the following:

Click Start > Programs > Accessories, right-click on Command Prompt and select "run as administrator"

Type the following at the prompt and press enter:

bcdedit /set {default} winpe no

When done restart the computer and let me know if normal mode works now.


regards, Elise


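The /MININT shown in the boot menu in post #13 is how the BCD `winpe` option appears in the loader's option string; a full Windows installation whose default entry carries it boots in WinPE mode, which in this thread produced a BSOD in normal mode while Safe Mode still worked. The script below is an added example (not from the thread or BleepingComputer) that parses text in the layout `bcdedit /enum` prints, finds the Boot Manager's default entry, and reports it only if that entry has `winpe` set, since recovery-environment entries legitimately carry the flag. The sample output is constructed, with a made-up GUID for the recovery entry, and is not captured from the poster's machine; the script only reads, and the fix command it suggests is the one used in post #14, to be run from an elevated prompt.

```python
"""Flag a BCD default OS entry that carries the WinPE flag (added example; parses text
in the layout `bcdedit /enum` prints, on a constructed sample rather than a real machine)."""
import re
from typing import Dict, List, Optional

# Constructed sample: the default entry has winpe Yes, which is what shows up as /MININT in the boot options.
SAMPLE_BCDEDIT_OUTPUT = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\\Device\\HarddiskVolume1
description             Windows Boot Manager
default                 {current}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows Vista
osdevice                partition=C:
systemroot              \\Windows
nx                      OptIn
winpe                   Yes

Windows Boot Loader
-------------------
identifier              {00000000-1111-2222-3333-444444444444}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows Recovery Environment (constructed entry)
winpe                   Yes
"""

# Same sample after the default entry's flag has been cleared (what `bcdedit /set {default} winpe no` achieves).
FIXED_SAMPLE = re.sub(r"winpe\s+Yes", "winpe                   No", SAMPLE_BCDEDIT_OUTPUT, count=1)

PROPERTY_LINE = re.compile(r"^(\S+)\s{2,}(.+)$")   # "key<two or more spaces>value"


def parse_bcdedit(text: str) -> List[Dict[str, str]]:
    """Turn bcdedit's block-per-entry text into a list of dicts keyed by property name."""
    entries: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) == {"-"}:
            continue                                   # blank line or the dashed underline
        m = PROPERTY_LINE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
        else:
            current = {"_type": stripped}              # a heading such as "Windows Boot Loader"
            entries.append(current)
    return entries


def winpe_entries(entries: List[Dict[str, str]]) -> List[str]:
    """Identifiers of every loader entry with winpe set (recovery environments legitimately have it)."""
    return [e["identifier"] for e in entries
            if e.get("_type") == "Windows Boot Loader" and e.get("winpe", "No").lower() == "yes"]


def default_entry_in_winpe_mode(entries: List[Dict[str, str]]) -> Optional[str]:
    """Return the default OS entry's identifier if it is flagged winpe (a full Windows
    install set to boot in WinPE mode, the misconfiguration in this thread), else None."""
    managers = [e for e in entries if e.get("_type") == "Windows Boot Manager"]
    default_id = managers[0].get("default") if managers else None
    return default_id if default_id in winpe_entries(entries) else None


def suggested_fix(identifier: str) -> str:
    """The command to clear the flag from an elevated prompt, as used in the thread."""
    return f"bcdedit /set {identifier} winpe no"


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BCDEDIT_OUTPUT
    bad = default_entry_in_winpe_mode(parse_bcdedit(text))
    print("default entry in WinPE mode:", bad, "->", suggested_fix(bad) if bad else "nothing to do")
```

On a Windows machine run it as `bcdedit /enum | python bcd_winpe_check.py` from an elevated prompt (bcdedit needs administrator rights to read the store); with no piped input it evaluates the constructed sample. Keying the check on the Boot Manager's `default` entry rather than on every `winpe Yes` line is what keeps the recovery entry from being reported as a problem.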


#15 adam654321 (Topic Starter)

Posted 19 February 2013 - 03:25 AM

IT BOOTS NORMALLY NOW! THANK YOU!





