Vista won't boot after deleting file with TDSSkiller

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by bobmarley753, Apr 24, 2012.

  1. bobmarley753

    bobmarley753 Private E-2

    Long story short:

    Windows Vista x64

    Ran TDSSKiller in response to "winrscmde has stopped working" pop-ups, which resulted in one malicious and one suspicious file found. Following the advice of a website, I selected "clean" for the malicious one and "delete" for the suspicious one (which seems so stupid now that I think about it).

    Upon restarting, I got an invalid partition error

    Tried windows recovery, which did not work

    Tried /fixmbr and /fixboot which resulted in getting rid of the invalid partition error, but it still hangs at the same spot during boot

    Not sure how to proceed from here, or even how I can track down the TDSSkiller log to try and find what was deleted.

    Thanks for any help.
     
  2. thisisu

    thisisu Malware Consultant

    Welcome to Major Geeks, bobmarley753 :)

    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)


    __

    Which spot exactly?
     
  3. bobmarley753

    bobmarley753 Private E-2

    I see the Motherboard splash screen
    Then a screen full of numbers (like a big matrix)
    Then "verifying DMI pool data........................"

    Now this is where it used to say "invalid partition error," but after I ran /fixmbr and/fixboot it now just flashes a cursor at this point indefinitely

    Output from the scan tool attached, thanks again for your help :)
     

  4. thisisu

    thisisu Malware Consultant

    No obvious sign that this was caused by malware but give this a try. You will have higher chance of success of all the commands completing successfully if you use the Vista DVD (if you have one). If not, continue anyways with the built in System Recovery Options.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (How to attach)

    Now attempt to boot normally.
     

  5. bobmarley753

    bobmarley753 Private E-2

    Good Morning,

    Ran the script, and the result is attached. I did notice that the bootsect command didn't work, which seems odd:
    Thanks again!
     

  6. thisisu

    thisisu Malware Consultant

    Hello :)
    Is the computer still hanging up on the flashing underscore?

    Yes I added this one in there in case you had the Vista DVD handy.

    P.S. - You did take the correct actions using TDSSKiller. It just had some difficulties. Now this is malware related.

    __

    Have you tried using System Recovery Options -> Startup Repair yet?
    If not, try this twice in a row now.

    Let me know the results
     
  7. bobmarley753

    bobmarley753 Private E-2

    Yep. Same story.

    All actions were in fact performed by booting to the Vista cd and using the command prompt :confused

    Yes. This was actually the first thing I tried (and I ran it again last night). Each time it runs for only a few seconds and says something like "no problems were found" (which I find highly humorous). I checked the "more detail" option and saw where it listed out all of the checks it was performing, and they all passed. Apparently it is not checking the files that were quarantined/deleted by TDSSkiller. I could make a record of what it is checking for when I get home if that would help?

    Thanks.
     
  8. thisisu

    thisisu Malware Consultant

    Actually I believe it's only the Windows Vista Recovery Console CDs that have it, not the full install DVD. I will double-check soon.

    By the way, make sure you do not have any type of USB storage device inserted into the system when you are trying to boot. For example, sometimes this flashing underscore is caused by users having their iPod plugged in when they are trying to boot (and the system hangs because it is trying to boot from it).

    Whenever you get a chance can you attach a new scan of FRST?
     
    Last edited: Apr 25, 2012
  9. bobmarley753

    bobmarley753 Private E-2

    Ahh, that would make sense then.

    I'll do it first thing when I get home from work in about 3 hrs.
     
  10. bobmarley753

    bobmarley753 Private E-2

    Log attached.
     

  11. thisisu

    thisisu Malware Consultant

    Nothing wrong according to this log.

    Did you read my edited post about potential USB devices? This includes your STORE'N'GO USB device.
     
  12. bobmarley753

    bobmarley753 Private E-2

    Yea, saw the updated post. I restarted after I did the scan just now while loading the log from my thumb drive onto my laptop.

    Something just occurred to me...I'm using an external CD drive to load the Vista CD (internal one is dead). Maybe this is an issue. I'll try unplugging it and restarting.
     
  13. bobmarley753

    bobmarley753 Private E-2

    Unfortunately no change when nothing (except keyboard and mouse) hooked up.

    Incidentally I have my BIOS set up to boot from the HDD first, and the 2nd and 3rd priority disabled, to make sure that it wasn't looking for something else to boot from. No change.
     
  14. thisisu

    thisisu Malware Consultant

    Can you boot off the Vista DVD again and try this command while in System Recovery Options -> Command Prompt:

    • bootrec /rebuildbcd

    Then press ENTER and let me know what text appears.

    Afterwards, attempt to reboot normally into Windows.
     
  15. bobmarley753

    bobmarley753 Private E-2

    Here is the result:

    I find this odd, since you have to select your Windows installation when the Vista DVD starts, and it finds it fine there...?
     
  16. thisisu

    thisisu Malware Consultant

    This is normal. Have you tried rebooting?
     
  17. bobmarley753

    bobmarley753 Private E-2

    Well I'm glad these things are normal :)

    Unfortunately no change to boot process.
     
  18. thisisu

    thisisu Malware Consultant

    You have your Windows Vista DVD right? If so, do you know how to browse the DVD from a clean computer?

    • Try to use Windows Explorer to explore the contents of the DVD
    • You should see 5 folders in the root of the DVD:
      • boot
      • efi
      • sources
      • support
      • upgrade
    • Open the boot folder
    • Inside is bootsect.exe
    • Copy bootsect.exe to your flash drive, in the same place FRST64.exe is.

    Let me know if you were able to do this or not.
     
  19. bobmarley753

    bobmarley753 Private E-2

    Done. Shall we try and run the command from earlier?
     
  20. thisisu

    thisisu Malware Consultant

    Well since it is on your flash drive which is the letter F: according to your logs, try this command:
    • f:\bootsect /nt60 c: /mbr

    This assumes that bootsect.exe is on the root of your flash drive.
     
  21. bobmarley753

    bobmarley753 Private E-2

    Hmm. Got the response that "bootsect" is not recognized as an internal or external command, operable program, or batch file. It is in the root folder in the flash drive.
     
  22. bobmarley753

    bobmarley753 Private E-2

    Checked the drive letter with the notepad trick again...it is labeled as "E" now. Will retry with E.
     
  23. thisisu

    thisisu Malware Consultant

    Ok ;)
    Yeah you always have to double-check because they can change :(
     
  24. bobmarley753

    bobmarley753 Private E-2

    Unfortunately, no change in boot.
     
  25. thisisu

    thisisu Malware Consultant

    Hello,

    Here is what I would like you to try next.

    Create this bootable CD: GParted

    Create a bootable CD for GParted. You can use ImgBurn to accomplish this.
    If you need help on how to use ImgBurn, please view this guide by dr.m -- Using ImageBurn to Burn an ISO image

    Now boot off of the newly created GParted CD.
    You should be here...
    Press ENTER
    By default, do not touch keymap is highlighted. Leave this setting alone and just press ENTER.
    Choose your language and press ENTER. English is default [33]
    Once again, at this prompt, press ENTER
    You will now be taken to the main GUI screen below. However, DO NOT DELETE anything. Ignore the instructions in the screenshot below. All I want you to do is tell me what is listed for you. A picture would be even better.
     
  26. bobmarley753

    bobmarley753 Private E-2

    I'm actually running Ubuntu right now backing up my personal files. I seem to recall reading that GParted was installed with that.

    I'll see if I can get that picture for you.
     
  27. bobmarley753

    bobmarley753 Private E-2

    Picture attached.
     

  28. thisisu

    thisisu Malware Consultant

    • Highlight the 465.76 GiB partition.
    • Click Partition in the top menu
    • From the drop down menu, select Check
    • Now click the Apply checkmark button.
    • "Are you sure?" - Apply
    • Let me know if operation was completed successfully or not.

    If it was successful, click Close and try to restart the computer normally.
     
  29. bobmarley753

    bobmarley753 Private E-2

    Most of the options in the Partition menu are greyed out...including "check." The only ones that are available are unmount, manage flags, and information. Perhaps because I was copying files in that session of Ubuntu? I seem to remember the check feature being active when I ran Gparted directly from cd yesterday (didn't run it or make any changes though). I'll give that a try.
     
  30. bobmarley753

    bobmarley753 Private E-2

    Running GParted from CD let me perform the check, which was completed successfully, I don't think any errors were found.

    Same behavior upon restart.

    Thanks again for all of your help. I saw the comments from the guy on the Kaspersky site, hopefully those will provide some insight (though they don't mean much to me).

    I've got to head back to work in 5 hours so I'll check back in the morning before I head out.
     
  31. bobmarley753

    bobmarley753 Private E-2

    Let's see if I can get a handle on where we are right now.

    Following the other thread:
    I looked into trying to get ERD Commander, but it looks like MSDART and the associated recovery tools are not available for download (at least, not one that I could find).

    I downloaded a bootable cd for MiniTool Partition Wizard, I wonder if this will work. If I understand correctly, I'm looking for a tool that will show a "hidden" first partition (sda1 perhaps) that GParted didn't.

    As to the second suggestion about writing the ldrm file to the MBR...I am clueless in that area :)

    Am I on the right track?

    Thanks again!
     
  32. thisisu

    thisisu Malware Consultant

    Yes you are on the right track. You can try creating that bootable CD and see if it finds sda1. It should be 0 kilobytes and type 0 and it will be at the start of the partition table (sda1)

    It is recommended to toggle Active/boot twice in ERD Commander or a similar tool that at least can find the sda1 malware partition. You want to make sure that your OS partition is set to active/boot. Which according to GParted, it is.

    This process should silently delete the 0KB partition that is screwing up the boot process.

    I will try to find a malware sample of this, pretty fascinating variant of Pihar. :p
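
The 0 KB, type-0 slot described above, and why rewriting the partition table drops it, as an added Python example that is not from this thread or from any of the tools named in it. The MBR bytes are constructed, and the anomaly checks and the "partition tool rewrite" model are assumptions about how a typical partitioning tool behaves, not a description of the malware itself.

```python
"""Parse a classic (non-GPT) MBR partition table and flag anomalous slots."""
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # the four 16-byte slots start here
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"
# status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) sectors(4)
ENTRY_FMT = "<B3xB3xII"


def parse_partition_table(mbr: bytes) -> list:
    """Return the four slots as dicts; LBA fields are little-endian per the MBR format."""
    if len(mbr) != SECTOR_SIZE or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR sector (bad length or missing 55AA signature)")
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + i * ENTRY_SIZE)
        entries.append({"slot": i + 1, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def find_anomalies(entries: list) -> list:
    """Heuristic checks (assumptions for this example): a type-0 slot should be all zeros,
    only one slot may be active, and the status byte is only ever 0x00 or 0x80."""
    findings = []
    active = [e["slot"] for e in entries if e["status"] == 0x80]
    if len(active) > 1:
        findings.append(f"more than one active slot: {active}")
    for e in entries:
        all_zero = e["status"] == 0 and e["lba_start"] == 0 and e["sectors"] == 0
        if e["type"] == 0 and not all_zero:
            findings.append(f"slot {e['slot']}: type 0 but non-zero fields "
                            f"(start={e['lba_start']}, sectors={e['sectors']})")
        if e["status"] not in (0x00, 0x80):
            findings.append(f"slot {e['slot']}: invalid status byte {e['status']:#04x}")
    return findings


def rewrite_table(mbr: bytes, active_slot: int) -> bytes:
    """Model of a partitioning tool applying an Active-flag change: it re-emits only the
    partitions it recognises (type != 0, size > 0), so a phantom slot is silently dropped.
    CHS fields are zeroed in this model; active_slot refers to the original slot number."""
    kept = [e for e in parse_partition_table(mbr) if e["type"] != 0 and e["sectors"] > 0]
    table = bytearray(64)
    for i, e in enumerate(kept):
        status = 0x80 if e["slot"] == active_slot else 0x00
        struct.pack_into(ENTRY_FMT, table, i * ENTRY_SIZE,
                         status, e["type"], e["lba_start"], e["sectors"])
    return mbr[:TABLE_OFFSET] + bytes(table) + BOOT_SIGNATURE


def build_sample_mbr() -> bytes:
    """Constructed sample: a 0-sector, type-0 slot 1 with a non-zero start, then the OS partition."""
    table = bytearray(64)
    struct.pack_into(ENTRY_FMT, table, 0, 0x00, 0x00, 63, 0)                    # phantom slot
    struct.pack_into(ENTRY_FMT, table, ENTRY_SIZE, 0x80, 0x07, 2048, 976_771_072)  # active NTFS
    return bytes(TABLE_OFFSET) + bytes(table) + BOOT_SIGNATURE
```

Running `find_anomalies(parse_partition_table(build_sample_mbr()))` reports the phantom slot, and after `rewrite_table(..., active_slot=2)` the table parses clean with the OS partition in slot 1 and active.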
     
  33. bobmarley753

    bobmarley753 Private E-2

    In GParted there was an option to "manage flags." So I'm looking for something similar to this to toggle my main partition from active to not and back again (twice). But this will only work if the partition tool finds the sda1 partition?

    I will give it a shot with Partition Wizard when I get home, but in the case it doesn't find it either, do you have any recommendations of how I can get ERD Commander?

    Thanks
     
  34. thisisu

    thisisu Malware Consultant

    In theory yes, you could even try toggling the Boot flag when you're in GParted. Even though it does not see the sda1 malware partition, it may still silently delete it. This is also why I want to get a sample of this so I can test what will work versus it and what won't.

    As far as I know, this is paid software in the $150 range.
     
  35. bobmarley753

    bobmarley753 Private E-2

    I'll give it a shot when I get home from work :)
     
  36. bobmarley753

    bobmarley753 Private E-2

    SUCCESS!!!:-D:-D:-D

    So here's what happened with Partition Wizard:

    It did not show the hidden partition, so I selected the main one and toggled it

    Inactive - Apply
    Active - Apply
    Inactive - Apply
    Active - Apply

    I then observed two things which I thought were odd:

    The option to set it as the boot drive was there, so I selected it. It responded that a "windows" folder could not be found. A quick inspection of the drive with the tool of course showed the windows folder to be there in the root of the drive.

    Also, the option to view/edit the boot.ini file was there, so I tried that. The response was that there was no boot.ini to be found.

    I thought both of those things were bad signs, but I guess that just shows you how much I know!

    So the restart was successful booting into windows! My next priority should be to verify that the virus has indeed been cleared, though I will not take any steps on my own this time for fear of a repeat of what happened on Monday :)

    Thanks again, I couldn't have gotten this far without your help:)
     
  37. thisisu

    thisisu Malware Consultant

    I'm glad to hear that worked :)

    Thank you for the descriptions too as I am sure others will appreciate it.

    By the way, can you zip and upload the files in your TDSS_Quarantine folder as an attachment here for further analysis?

    Let me know how the system is performing as well before we proceed.
     
  38. bobmarley753

    bobmarley753 Private E-2

    Seems to be performing fine...Recall I did a system restore from two weeks prior to try and fix it, so it's pretty much my computer from two weeks ago. Did a scan with my regular virus protection software (McAfee) which came up clean.

    File Attached.
     

  39. thisisu

    thisisu Malware Consultant

    I'd like to make sure it is gone too.
    Scan only with TDSSKiller version 2.7.33.0 (update!).
    Skip any threats found for now. Attach the updated log when finished.
     
  40. bobmarley753

    bobmarley753 Private E-2

    No threats found:cool
     

  41. thisisu

    thisisu Malware Consultant

    Good :)

    Since you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. You can delete the c:\FRST folder if present.
    9. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    10. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work through the below link:
    Be safe :)
     
  42. bobmarley753

    bobmarley753 Private E-2

    thisisu,

    Just wanted to thank you one more time for all of the help you gave me in getting my computer back up and running. I would have certainly ended up having to reinstall windows on a new drive without your help.

    Is there any way I can make a donation to you as a thank you for your time and effort?

    Thanks,

    Mark
     
  43. thisisu

    thisisu Malware Consultant

    Hi Mark,

    You are very welcome.
    We do not accept donations but we would appreciate if you would tell your friends about MajorGeeks / like us on Facebook. You could also "Thank" my posts :p

    Surf safely!
     