BSoD on loading windows | After removing Boot.Tidserv

Discussion in 'Software' started by Caru93, Nov 2, 2011.

  1. Caru93

    Caru93 Private E-2

    Hopefully I'm posting this in the correct area. If not, please move it to where it is most appropriate.
    (I'm posting it here as the virus is seemingly cured, but it caused another software-related issue.)

    Recently my computer became infected with the Boot.Tidserv rootkit (or bootkit, whatever you want to call it). It caused no real issues on loading my Windows Vista (64-bit) OS. However, the known issues it DID cause were a redirection of Google links and a more and more frequent BSoD while my computer was idle. (Note: this is not my current issue.)

    As the BSoD became more and more frequent (it began happening maybe once every few days, then once a day, then multiple times in a day at random), it became more of a bother and definitely needed to be fixed soon. This morning, I did more research on how I could actually fix it and came upon multiple solutions, of which I used FixTDSS.exe, as was recommended not only by the Norton community but also by multiple other replies on threads related to the Boot.Tidserv infection in multiple other forums. I did try TDSSKiller.exe; however, it showed no results.

    After running FixTDSS.exe, it showed that the infection lay within my MBR, and I proceeded to cure the issue (I cannot remember the exact wording of the program, but I basically just continued through the prompts). I was asked to fix my MBR, which I did. Upon restarting my computer, I now cannot load Normal Mode in Windows Vista, as it will BSoD directly before the Windows login screen comes up. It shows the GUI boot screen, my screen goes black for a moment (it always did this), then you can see the mouse load for just a moment. This is where the BSoD occurs.

    I get the error code 0x1000007E.

    I can boot into Safe Mode (with networking/cmd) and it loads perfectly fine; however, Normal Mode does not. I've since made multiple attempts to rewrite my MBR. I used MBRChecker.exe, which was recommended on other sites, and "successfully" rewrote my MBR. But I'm currently at a standstill, as it still goes straight into the BSoD as it did before.

    What else can I attempt to do? Simple Google searches have stopped providing me with possible solutions. I can get any information off my system if needed with whatever programs. And, as far as I can tell, through scanning countless times with FixTDSS.exe again, NBRT, along with TDSSKiller.exe (which never showed any infections to begin with - but that may have been due to still having protected system files hidden; they are being shown now and it picks up nothing), the infection has been disposed of. So, that shouldn't be the issue. I cannot think of any more solutions myself and, as I said, I cannot find any more information on what may be causing this to begin with.

    I do have this computer dual-booted with Ubuntu; however, that has never caused any problems so far, and I can still load into it perfectly fine.

    I'm mainly trying to fix this problem without having to reinstall my entire Vista OS. The "repair" disk I have has no cmd option with the DOS commands and ONLY has options to completely reinstall the OS. Through past experience, this also rewrites my Ubuntu partition without any real warning - it completely wipes the disk.

    So, with all that said... What now?
     
  2. sach2

    sach2 Major Geek Extraordinaire

    If you get any Windows screens then your MBR isn't the current problem. You get something like the flying Windows screen that says "Windows is loading" or something similar before the black screen - correct?

    From Safe Mode try going to Start and typing msconfig in the Search box. In the window that opens go to the Startup tab and select Disable All and hit Apply/OK. Then restart and try Normal mode to see if any difference.
     
  3. Caru93

    Caru93 Private E-2


    Yeah. The GUI boot screen I'm talking about has a loading bar (not a progress bar) and under it has "Microsoft Corporation."

    It's the basic loading screen you should get after the BIOS (or for me, after GRUB, since I have a dual-booted computer).

    I'll attempt your suggestion and see if it works. I'll post back asap.
    (Although I don't think it will, since I don't even get the screen that asks me for my account password to actually log in to startup. That's where the BSoD appears.)

    EDIT:


    Yeah, as I had assumed I still get the BSoD in the same place. Disabling all startup programs had no effect on the BSoD.
     
  4. sach2

    sach2 Major Geek Extraordinaire

    Ok, you can re-enable the startup items.

    Then try the Services tab. Check the box at the bottom for "Hide all Microsoft Services"; the list will repopulate. Then Disable All for what is left in the list. See if there is any change in Normal Mode.
     
  5. Caru93

    Caru93 Private E-2


    I noticed something peculiar when I went to re-enable the startup programs... They were already re-enabled when I went back into msconfig. Is this at all normal?
     
  6. Caru93

    Caru93 Private E-2



    And a similar problem happens when I try services as well. They're already re-enabled.

    I attempted to delete my administrator password in an attempt to bypass the login screen altogether, but I just noticed that I'm having to re-type my password each time I log in, too.

    I'm shutting down normally with the Windows shutdown. I don't understand why these settings aren't saving. I click Apply and OK in msconfig, as well.
     
  7. sach2

    sach2 Major Geek Extraordinaire

    I'm not sure if it is a Vista setting since I went from XP directly to Win7.

    When you start msconfig, does it ask for administrative permission? Try typing msconfig in the Search box and waiting for msconfig.exe to appear at the top of the list, then right-click msconfig.exe and choose Run as Administrator. See if the settings stick.
     
  8. Caru93

    Caru93 Private E-2

    In neither case do the settings stick when using administrator privileges.
     
  9. sach2

    sach2 Major Geek Extraordinaire

    I'm really not sure why msconfig changes would revert.

    Let's see if someone else has a different idea. I was just trying to rule out a driver being the cause. I'm not sure how FixTDSS.exe would affect a driver, but the timing of the BSOD would be right around the time drivers are loaded.
     
  10. Caru93

    Caru93 Private E-2

    I'm very confused about it as well. It seems like nothing setting-wise I change stays once I power out of Safe Mode. The only things that stay are new/edited files.

    Should I, perhaps, find another 64-bit Vista install CD and try to re-install that with my drivers CD? (The CD only works once actually loaded into Windows. I'm about to attempt to update all drivers this way in Safe Mode shortly.) I don't want to use the installation CD I have currently as, if I remember correctly, it overwrote the Ubuntu partition as well.

    I'm currently trying to pull all information off of my Windows partition through Ubuntu and saving it there, along with the more important personal files on an external drive.

    I'll wait a bit and try any suggestions if anyone else has any, but it's seeming like this is one of the only options.

    After the GUI boot, and before or during the screen that loads up to prompt the user for their password, what process or processes are in action here? Could I attempt to rewrite the core files/drivers through Safe Mode/Ubuntu (if I'm unable to make changes because of the file being in use - Ubuntu wouldn't be using them) without causing other problems?
     
  11. sach2

    sach2 Major Geek Extraordinaire

    I wouldn't go overboard on reinstalling drivers until you get other opinions.

    Do you have any USB devices attached? If so, try to boot with no USB devices. I see USB and video drivers associated with the 7E error. You could try uninstalling your video drivers in Device Manager, but wait until the morning to see if you get other responses. I don't want to steer you wrong, as I haven't really given the problem much thought or looked for a more definitive answer.
     
  12. sikvik

    sikvik Corporal Karma

    Welcome to MGs, Caru93. :)
    A rootkit normally brings friends along.
    I'd recommend going through the Read and Run Me.
    Start a new thread in Malware Removal.
    Post the requested logs. You don't seem to have a choice, so do it in safe mode.
    My two cents.

    Cheers..
     
  13. Caru93

    Caru93 Private E-2

    At the time of attempting to load Windows the multiple times that I have, there have been anywhere from no USB devices to quite a few (mouse, thumb drive, etc.). So I'd largely imagine it would have nothing to do with USB devices being attached, unfortunately. (If only things could be that simple :( )

    I'll play around with the USB drivers and video drivers in Device Manager and see if anything comes of it. Now that I think about it, my computer does have an issue with one of the USB hubs constantly connecting and disconnecting. I know which ones they are, so I may be able to disable them in Device Manager. I'll post if anything comes of it, though.
     
  14. Caru93

    Caru93 Private E-2

    The thing is that I'm about 99% sure that I've disinfected the computer of the malware already. Before I had used FixTDSS.exe I had run multiple other virus scans (AVG, Trend Micro, Avast, MBAM, etc.). They all either found nothing, tracking cookies, or 1 rootkit (which were all identified as "unknown" name-wise but located in the same place). While running Norton Bootable Recovery Tool (NBRT), it only located the one virus: Boot.Tidserv, which it was unable to resolve that way. FixTDSS.exe, however, was able to solve it by apparently re-writing the MBR that the rootkit (AKA bootkit) was located in.

    I've continued to run scans in Safe Mode; however, they've found nothing so far, so I don't really think my issue is malware-related anymore, but rather an issue caused by file corruption or an otherwise broken or missing file/driver after the infection had been resolved.
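    The posts above describe FixTDSS reporting the infection "within my MBR" and rewriting it, and MBRChecker later "successfully" rewriting it again. The Python below is an added example, not code from the thread, from FixTDSS or from MBRCheck: it parses a 512-byte MBR the way an MBR-checking tool does. The first sector is laid out as 446 bytes of bootstrap code, four 16-byte partition entries and the 0x55AA boot signature; the code verifies the signature, decodes the partition entries, hashes the bootstrap code against an allowlist of SHA-256 values, and flags an odd number of active partitions or overlapping entries. An MBR bootkit typically replaces only the bootstrap code and leaves the partition table intact so the OS still boots, which is what the simulated "patched" image in the main block shows. The sample image, its dual-boot partition layout (NTFS plus two Linux entries, loosely modelled on the poster's setup) and the allowlist are all constructed here; on a real machine you would feed it the first sector of the disk, for example a copy taken from the Ubuntu side with `dd if=/dev/sda bs=512 count=1 of=mbr.bin`, and populate the allowlist from an MBR you have reason to trust.

```python
"""Inspect a 512-byte MBR image: signature, partition table, bootstrap hash.

Added example for the Boot.Tidserv thread; not code from FixTDSS, MBRCheck
or the poster. Sample data and the allowlist are constructed inline.
"""
import hashlib
import struct

BOOTSTRAP_LEN = 446          # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(sector):
    """Return the bootstrap-code hash and the non-empty partition entries."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes, got %d" % len(sector))
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFF + slot * PART_ENTRY_LEN
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack(
            "<B3xB3xII", sector[off:off + PART_ENTRY_LEN])
        if ptype == 0:
            continue  # empty slot
        partitions.append({"slot": slot, "active": status == 0x80,
                           "type": ptype, "lba_start": lba_start,
                           "sectors": count})
    return {"bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
            "partitions": partitions}


def check_mbr(sector, known_good_hashes):
    """Return a list of findings; an empty list means nothing looked wrong."""
    info = parse_mbr(sector)
    findings = []
    if info["bootstrap_sha256"] not in known_good_hashes:
        findings.append("bootstrap code hash %s... is not in the allowlist"
                        % info["bootstrap_sha256"][:16])
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d"
                        % len(active))
    parts = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(parts, parts[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append("partition slots %d and %d overlap"
                            % (a["slot"], b["slot"]))
    return findings


def _entry(active, ptype, lba_start, sectors):
    """Build one partition entry (CHS fields left zero; LBA is what matters)."""
    return struct.pack("<B3xB3xII", 0x80 if active else 0x00,
                       ptype, lba_start, sectors)


def build_sample_mbr(bootstrap=b"\xfa\x33\xc0\x8e\xd0", entries=None):
    """Constructed sample image: stand-in bootstrap bytes plus a dual-boot table."""
    if entries is None:
        entries = [
            _entry(True, 0x07, 2048, 200_000_000),          # Windows (NTFS), active
            _entry(False, 0x83, 200_002_048, 100_000_000),  # Ubuntu root
            _entry(False, 0x82, 300_002_048, 8_000_000),    # Linux swap
        ]
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")
    table = b"".join(entries).ljust(64, b"\x00")
    return code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    clean = build_sample_mbr()
    # Allowlist seeded from the image we trust (here: the constructed one).
    allowlist = {parse_mbr(clean)["bootstrap_sha256"]}
    print("clean image:", check_mbr(clean, allowlist) or "no findings")
    # Simulate a bootkit that patched the bootstrap code but left the table alone.
    patched = b"\xeb\x20" + clean[2:]
    print("patched image:", check_mbr(patched, allowlist))
    print("partition table unchanged:",
          parse_mbr(patched)["partitions"] == parse_mbr(clean)["partitions"])
```

    Comparing a hash against a reference is what turns a hex dump into a check, but the reference has to come from an MBR you trust (a fresh install's, or the bootloader you know is installed), because a bootkit's bootstrap code hashes just as cleanly as a legitimate one. The overlap and active-count checks catch a table that has been edited by hand or by a broken repair; they say nothing about code hidden in unpartitioned space, which this sector alone cannot reveal.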
     
  15. Caru93

    Caru93 Private E-2

    Also, one bit of information I can't add to the original post:

    The BSoD isn't recording anything in its dump logs for these errors. I've tried to use BlueScreenViewer to find out the issue; however, the only BSoD errors recorded were the ones from before the removal, all of which were triggered by different files (there were a few that were the same, but mainly all sources).

    Is there any way I can force the recording of this? Or could I manually record the BSoD error and its parameters and use that in any way?
     
  16. sikvik

    sikvik Corporal Karma

    I'll still advise you to go through the Read And Run and post the logs. Won't hurt. :)
    If I may quote you:
    Rootkits should be cleaned out as soon as possible; they tend to get a solid hook on the system.
    Never used FixTDSS, so no comments. Does it save a log?
    As for MBRCheck, it does seem to get confused with some OEM systems. But at least you are booting to Safe Mode.

    Post the R&R logs in Malware Removal.
    Cheers..
     
  17. Caru93

    Caru93 Private E-2

    Well, I've mainly solved my issue, albeit not quite the way I really wanted.

    I ended up pulling a large portion of my personal data off of my Windows partition and laid it on my Ubuntu partition; from there I transferred it to a USB drive (luckily I have a 32 GB flash drive).

    I went ahead and formatted the C:\ drive and reinstalled Vista. As far as I can tell, along with all other programs at this point, there is no infection still on my computer. I feel confident in that much. Reinstalling Vista wrote the MBR over GRUB (Ubuntu's boot manager). I think that's where I got the notion of it overwriting Ubuntu as well. But it obviously didn't, as I'm still missing the amount of disk space I allocated for it.

    So my Ubuntu is still there, and I'll have to go use an Ubuntu Live CD and rewrite my GRUB back on, and that in itself should pretty much recover the whole Ubuntu partition and make it usable again without reinstalling it.

    So while I have to go back and reinstall a few programs (and not install a few others ;p), I suffered minimal data loss in the end. Just quite a bit of lost time.

    Thank you, you two - and anyone else who took the time to read this.
     
