
tdsskiller registry restoration (operating system won't boot!)


  • This topic is locked
36 replies to this topic

#1 wotak

wotak

  • Members
  • 21 posts
  • Gender:Male
  • Local time:06:52 AM

Posted 27 December 2013 - 04:25 AM

TDSSKiller deleted files and the operating system won't boot.
When I try to start Windows it shows a blue screen: "Stop: c000021a {Fatal System Error} .... 0x0000135 0x000000.."
I restored the files afd.sys, ANIO.SYS, ANIWZCSdS.exe, browser.dll, WsmSvc.dll, advapi32.dll through Ubuntu, but Windows still doesn't start.
I think Windows doesn't start because the files were deleted together with the registry (do you agree with me?).
But I'm not sure whether it is possible to restore the registry.
I have object.ini files in Quarantine (that is the registry, as I understand it?). What is the simplest way to restore the registry?

I am using Windows XP Mini at this time and I can connect to my Windows XP registry database, but I understand the registry framework.

-Example
I restored the browser.dll file.
I created the KEY Browser in HKLM\SYSTEM\ControlSet001\services\
and the next step is to create the registry entries from object.ini. In this step I don't know the [Type] format: REG_BINARY, REG_DWORD, REG_EXPAND_SZ, REG_MULTI_SZ or REG_SZ.

If I have the data in the registry entries ControlSet001\services\Browser, what is afterwards entered into ControlSet001\control\safeboot\Network\Browser, HKLM\SYSTEM\ControlSet002\services\Browser and HKLM\SYSTEM\ControlSet002\control\safeboot\Network\Browser?

[InfectedObject]
Type: Service
Name: Browser
Type: n/a (0x20)
Start: Auto (0x2)
ImagePath: %SystemRoot%\system32\svchost.exe -k netsvcs

 

Is it possible to restore the registry from the TDSSKiller backup files? (If possible, how is this done?)

I am using Windows XP, Service Pack 3.
Attaching the scan log to the message.
I'm sorry for my writing, I hope you understand me (bad English).
I look forward to a response.



Edited by hamluis, 27 December 2013 - 08:42 AM.
Moved from XP to Am I Infected - Hamluis.



#2 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,085 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:04:52 AM

Posted 27 December 2013 - 07:33 AM

Hi,

 

I'm interested to know why you ran TDSSKiller, and why you deleted those items. Yes, the missing registry services are what are causing the blue screen. It is not merely enough just to restore the files. It is possible to restore from the TDSSKiller backups, but not outside of normal Windows as far as I know. You would have to completely rebuild those keys since booting into Windows is not an option, and instructing someone to do this would be very difficult.

 

xXToffeeXx~


Edited by xXToffeeXx, 27 December 2013 - 10:15 AM.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 JohnC_21

JohnC_21

  • Members
  • 24,301 posts
  • Gender:Male
  • Local time:11:52 PM

Posted 27 December 2013 - 09:01 AM

You can try using the DEMO of ERD for XP to partially restore the Registry. The program does not do a full registry restore, only the system hive. This link will walk you through the steps. the CD and do a system restore. Good luck.

 

http://www.raymond.cc/blog/restore-unbootable-windows-system-using-offline-system-restore/


Edited by JohnC_21, 27 December 2013 - 09:05 AM.


#4 wotak

wotak
  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male
  • Local time:06:52 AM

Posted 27 December 2013 - 09:10 AM

Hi xXToffeeXx, thanks for your reply.

 

I ran TDSSKiller to check if I have a rootkit. I deleted the files because the program told me they were viruses.

I am now trying to restore the registry entries. But Windows still will not boot.

 

My registry key

Name - Type - Data

DisplayName - REG_SZ - WinRM

ObjectName - REG_SZ - Service

Type - REG_DWORD - 0x00000003 (3)

Start - REG_DWORD - 0x00000020 (32)

ImagePath - REG_EXPAND_SZ - %SystemRoot%\system32\svchost.exe -k WINRM

 

See photo http://foto.terpe.lt/inkelti/20131227/i34_a.jpg

 

And... TDSSKiller deleted the registry entries in HKLM\SYSTEM\ControlSet001\ and HKLM\SYSTEM\ControlSet002. I don't know why; I write the same registry entries in ControlSet002.

 

Registry backup from TDSSKiller

[InfectedObject]
Type: Service
Name: WinRM
Type: n/a (0x20)
Start: Demand (0x3)
ImagePath: %SystemRoot%\system32\svchost.exe -k WINRM

 

Excerpt from the TDSSKiller log

08:46:13.0156 2028  E:\WINDOWS\system32\WsmSvc.dll - copied to quarantine
08:46:13.0171 2028  HKLM\SYSTEM\ControlSet001\services\WinRM - will be deleted on reboot
08:46:13.0171 2028  HKLM\SYSTEM\ControlSet002\services\WinRM - will be deleted on reboot


Edited by wotak, 28 December 2013 - 04:38 AM.


#5 hamluis

hamluis

    Moderator


  • Moderator
  • 56,119 posts
  • Gender:Male
  • Location:Killeen, TX
  • Local time:10:52 PM

Posted 27 December 2013 - 09:58 AM

I deleted your topic posted in the MRL forum and moved original topic to Am I Infected, where I believe it belongs.  No DDS logs or new info were on the posted topic in MRL.

 

Louis


Edited by hamluis, 27 December 2013 - 10:01 AM.


#6 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,085 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:04:52 AM

Posted 27 December 2013 - 10:18 AM

Okay, thanks Louis.

 

@wotak: Try the instructions that JohnC_21 posted, and if they don't work then I guess I can walk you through adding the services in order to attempt to get it booting.

 

xXToffeeXx~




#7 wotak

wotak
  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male
  • Local time:06:52 AM

Posted 28 December 2013 - 04:54 AM

I read about MSDaRT (restoring an unbootable Windows system using Offline System Restore), but it only works if you have a Windows backup, and I did not have the backup. If I had a backup I would use the Windows command [last known good configuration].
 

 

I guess I can walk you through adding the services in order to attempt to get it booting.

 

 

I did not understand what you have in mind. I simply need to restore the registry entries that TDSSKiller deleted.

Attaching the TDSSKiller backup files to the message.

 

http://speedy.sh/dygZ4/TDSSKiller-Quarantine.rar


Edited by wotak, 28 December 2013 - 04:54 AM.


#8 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,085 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:04:52 AM

Posted 28 December 2013 - 07:10 AM

Hi,

 

I believe the TDSSKiller backups only work in bootable Windows.

 

The services that TDSSKiller removed, I will try and walk you through to re-add them. First to see if it possible this way:

 

Boot into Mini XP, and click the Hiren menu icon in the tray -> Registry -> Registry Editor PE. When asked to, set the remote Windows directory (to E:\Windows) and press OK. Click OK on each window to select the related registry hive. Expand HKEY_LOCAL_MACHINE and the hives will automatically load with the _REMOTE_ prefix. Navigate to _REMOTE_SYSTEM -> ControlSet001 -> Services.

 

Post back here if you can get to that point, if you have any trouble then make a note of it and explain it best you can.

 

xXToffeeXx~


Edited by xXToffeeXx, 28 December 2013 - 03:07 PM.



#9 wotak

wotak
  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male
  • Local time:06:52 AM

Posted 28 December 2013 - 07:29 AM

Hi xXToffeeXx,

 

In post #4 I wrote about my attempt to restore the registry. I have tried to restore the registry through Registry Editor PE.

Registry Editor PE works well; I can connect to my Win XP registry database. Read my post #4: I tried to restore the registry but it doesn't work.

This way is possible; what do I do next?



#10 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,085 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:04:52 AM

Posted 28 December 2013 - 04:32 PM

Hi wotak,
 
It doesn't work like that, you need to add all sorts of information about all of those deleted services and not just one.
 
So you managed to get to services, correct?
 
xXToffeeXx~

Edited by xXToffeeXx, 28 December 2013 - 05:43 PM.



#11 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,085 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:04:52 AM

Posted 28 December 2013 - 05:45 PM

Hi,

I'm just talking with another member of the team to figure out what is best to do. If you saw the above post before it was edited, do not follow it. Thank you

xXToffeeXx~



#12 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,085 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:04:52 AM

Posted 29 December 2013 - 04:37 AM

Hi wotak,

Sorry about the delay. I would like to know the following if you please:
What version of Windows is this (I.e. home edition, pro if you know this)?
Also, do you have a Windows installation CD, or can borrow one?

xXToffeeXx~



#13 wotak

wotak
  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male
  • Local time:06:52 AM

Posted 29 December 2013 - 05:56 AM

Hi wotak,
 
It doesn't work like that, you need to add all sorts of information about all of those deleted services and not just one.
 
So you managed to get to services, correct?
 
xXToffeeXx~

Hi,

 

I know this; I need to restore all the deleted registry entries so that Windows boots. Yes, I managed with Registry Editor PE.

I found an interesting thing: object.ini has very little information about the registry.

 

In Registry Editor PE I found the SYSTEM registry of Windows XP Mini and _REMOTE_SYSTEM (my registry).

In the SYSTEM registry I found one entry that I need, and I looked at its structure. Registry name: Wmi.

The structure is very different: the SYSTEM registry of Windows XP Mini [Wmi] has more information than object.ini.

Look:

 

My registry entry from object.ini looks like this:

 

[HKEY_LOCAL_MACHINE\_REMOTE_SYSTEM\ControlSet001\Services\Wmi]
"DisplayName"="Wmi"
"ObjectName"="Service"
"Start"=dword:00000003
"Type"=dword:00000020
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,57,00,49,00,4e,00,52,00,4d,00,00,00

 

The registry entry I found:

 

[HKEY_LOCAL_MACHINE\_REMOTE_SYSTEM\ControlSet001\Services\Wmi]
"Displayname"="Windows Management Instrumentation Driver Extensions"
"ObjectName"="LocalSystem"
"Start"=dword:00000003
"Type"=dword:00000020
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="Provides systems management information to and from drivers."
"ErrorControl"=dword:00000001
 
[HKEY_LOCAL_MACHINE\_REMOTE_SYSTEM\ControlSet001\Services\Wmi\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,\
  00
"ServiceMain"="WdmWmiServiceMain"
 
[HKEY_LOCAL_MACHINE\_REMOTE_SYSTEM\ControlSet001\Services\Wmi\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

 

What I did with the registry, I am attaching the information to the post.

http://www.speedyshare.com/gv2Rd/registrai.txt

 

 

Hi wotak,

Sorry about the delay. I would like to know the following if you please:
What version of Windows is this (I.e. home edition, pro if you know this)?
Also, do you have a Windows installation CD, or can borrow one?

xXToffeeXx~

 

Microsoft Windows XP Professional  (Build 2600)

I have windows installation CD.

 


Edited by wotak, 29 December 2013 - 05:58 AM.
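As an added illustration (not code from the thread, from Kaspersky or from BleepingComputer), the following Python turns a TDSSKiller object.ini entry like the ones quoted in posts #1, #4 and #13 into a .reg fragment for the service key and decodes the hex(2) ImagePath strings so two entries can be compared by eye; the sample block and the function names are my own.

```python
import re

# Constructed sample in TDSSKiller's [InfectedObject] layout (mirrors the thread's WinRM entry).
SAMPLE_OBJECT_INI = """[InfectedObject]
Type: Service
Name: WinRM
Type: n/a (0x20)
Start: Demand (0x3)
ImagePath: %SystemRoot%\\system32\\svchost.exe -k WINRM
"""

def parse_object_ini(text):
    """Pick name, service type, start value and ImagePath out of one block.
    The first 'Type:' line is the object class; the second carries the numeric
    service type in parentheses, which is what the registry value needs."""
    fields, types = {}, []
    for line in text.splitlines():
        if line.startswith("[") or ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key.lower() == "type":
            types.append(value)
        else:
            fields[key.lower()] = value
    num = lambda s: int(re.search(r"0x([0-9a-fA-F]+)", s).group(1), 16)
    return {"name": fields["name"], "type": num(types[-1]),
            "start": num(fields["start"]), "imagepath": fields["imagepath"]}

def reg_expand_sz(value):
    """Encode text as .reg files store REG_EXPAND_SZ: hex(2) of the UTF-16LE
    bytes followed by a two-byte NUL terminator."""
    data = value.encode("utf-16-le") + b"\x00\x00"
    return "hex(2):" + ",".join("%02x" % b for b in data)

def decode_hex_value(hexstr):
    """Reverse: drop the hex(2) tag, '\\' line continuations and whitespace."""
    body = re.sub(r"[\\\s]", "", hexstr.split(":", 1)[1])
    raw = bytes(int(b, 16) for b in body.split(",") if b)
    return raw.decode("utf-16-le").rstrip("\x00")

def object_ini_to_reg(text, control_set="ControlSet001"):
    """Render a .reg fragment for the service key. Only values object.ini holds are
    emitted; DisplayName, ObjectName, ErrorControl and the Parameters and Security
    subkeys still have to be copied from a reference XP system."""
    svc = parse_object_ini(text)
    key = "HKEY_LOCAL_MACHINE\\SYSTEM\\%s\\Services\\%s" % (control_set, svc["name"])
    return "\n".join(["Windows Registry Editor Version 5.00", "", "[%s]" % key,
                      '"Type"=dword:%08x' % svc["type"],
                      '"Start"=dword:%08x' % svc["start"],
                      '"ImagePath"=%s' % reg_expand_sz(svc["imagepath"])]) + "\n"
```

Running decode_hex_value over the two hex(2) strings in post #13 shows the object.ini-derived Wmi key pointing svchost at the WINRM group while the reference key uses netsvcs, which is the kind of mismatch that keeps a rebuilt hive from booting.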


#14 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,085 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:04:52 AM

Posted 29 December 2013 - 06:17 AM

Hi wotak, 

 

Yes, the system hive (not to be confused with the remote_system hive) is the registry for the disk. You tried to create the values, but you didn't do it completely correctly or create all of them, hence why it will not boot I believe. There is also far more to some of these services than just the service key just to let you know. 

 

Well, as long as that disk is the pro version then I would suggest doing a repair install. This should repair any missing files and registry entries, and will avoid us having to completely restore those keys. See how to do this here.

 

If you are not comfortable doing this, then tell me, and I will provide other instructions.

 

xXToffeeXx~




#15 wotak

wotak
  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male
  • Local time:06:52 AM

Posted 29 December 2013 - 06:21 AM

I got a tip from another forum to do a scan with Farbar Recovery Scan Tool (a good tool). Look at the scan log, it should help.
Frst log: http://www40.zippyshare.com/v/77025648/file.html





