Help with Boot.Tidserv

Please attach the following logs:
TDSSKiller log
C:\MGLogs.zip

 

Ok, one of the TDSSKiller logs embedded in the MGLogs.zip shows you had a TDS infection so let's make sure it did cure it.

Please also download MBRCheck to your desktop

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  
  • Done! Press ENTER to exit...
  
  
• Or you will see more information like below if a problem is found:
  
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  
  
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
• Attach this log to your next message.

Then tell me what malware issues you are still having, if any.

 

What is this drive ( you have 3 listed ):
931 GB \\.\PhysicalDrive2 Unknown MBR code

 

Can you attach the Norton log so I can see what it is complaining about?

 

Both physical drive 0 and 1 are fine. I am assuming that drive 2 is your external storage drive?

What malware issues are you having?

 

What are you wanting to upload? Both your drives have the proper MBR's. As I asked, what malware issues are you having?

Sorry, you were posting as was I.

Re-run TDSKiller and attach the new log.

 

No, run it in normal mode. And tell me exactly what Norton is saying now. Is it complaining about each hard drive's MBR?

 

Yes, TDSSKiller is reporting drive 0 as infected. Let's re-run MBRCheck and see if it did cure it.

 

Still giving the same report.

* Run MBRCheck.exe
* Wait until you see the following lines:
o Enter 'Y' and hit ENTER for more options, or 'N' to exit:
o Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.
Enter your choice:

* Please push the 'Y' key and then press Enter
* When the program asks you to Enter your choice: enter 2 to Restore the MBR and press the Enter key
* Now the program will ask you to "Enter the physical disk number to fix (0-99, -1 to cancel):"
o Enter 2 and press the Enter key.
* The program will show Available MBR codes as below

* You need to select your version of Windows from the list. For example, enter 0 or 1 for XP or enter 3 for Vista.....etc. and then press Enter.
* The program will prompt for confirmation. Type 'YES' and hit Enter.
* Left click on the title bar (where program name and path is written). From menu chose Edit -> Select All
* You will see all the text in the window get highlighted.
* Hit the Enter key on your keyboard to copy all of the text into the clipboard.
* Paste that text into Notepad, save it to your desktop as MBRfix.txt
* Restart your PC.
* Attach the MBRfix.txt file to your next message..

Now please re-run MBRCheck.exe and attach that log also.

 

Do you have your Vista install disc?

 

I am confused as one log reports your C drive as physical drive 1 and the other log reports it as physical drive 2.

Let's try doing this:

First boot into the bios and change the boot order to make the cd drive the first boot device. Insert the disc and reboot.
For fixing the boot issues:
To run the Bootrec.exe tool, you must start Windows RE. To do this, follow these steps:

1. Put the Windows Vista installation disc in the disc drive, and then start the computer.
2. Press a key when you are prompted.
3. Select a language, a time, a currency, a keyboard or an input method, and then click Next.
4. Click Repair your computer.
5. Click the operating system that you want to repair, and then click Next.
6. In the System Recovery Options dialog box, click Command Prompt.
7. Type Bootrec.exe /fixmbr, and then press ENTER. Note the space after exe and /

Remove the disc and reboot. Then re-run MBRCheck and attach the new log.

 

Let's try it one more time:

* Run MBRCheck.exe
* Wait until you see the following lines:
o Enter 'Y' and hit ENTER for more options, or 'N' to exit:
o Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.
Enter your choice:

* Please push the 'Y' key and then press Enter
* When the program asks you to Enter your choice: enter 2 to Restore the MBR and press the Enter key
* Now the program will ask you to "Enter the physical disk number to fix (0-99, -1 to cancel):"
o Enter 1 and press the Enter key.
* The program will show Available MBR codes as below

* You need to select your version of Windows from the list. For example, enter 0 or 1 for XP or enter 3 for Vista.....etc. and then press Enter.
* The program will prompt for confirmation. Type 'YES' and hit Enter.
* Left click on the title bar (where program name and path is written). From menu chose Edit -> Select All
* You will see all the text in the window get highlighted.
* Hit the Enter key on your keyboard to copy all of the text into the clipboard.
* Paste that text into Notepad, save it to your desktop as MBRfix.txt
* Restart your PC.
* Attach the MBRfix.txt file to your next message..

Now please re-run MBRCheck.exe and attach that log also.

 

You entered 2 as your choice and I wanted you to enter 1 as the choice. Please try it again and select physical drive 1.

 

Back when I had you go into the Recovery Environmnent, did you select your C: drive ( the disc that is 931 GB)?

 

You don't have a 1gig drive. You have what I suspect is a 1T drive, an 80gig drive and a 500gig drive. Your C: drive ( and your E: drive ) is the 1T drive ( 931gig's).

 

So which did you choose when you were in the Recovery Environment?

 

Did you choose the 1T drive when in the Recovery Environment???

 

And at the command prompt you typed:
Bootrec.exe /fixmbr ? with the space?

 

I am stumped. I have asked the other malware fighters for some input on this issue. Hopefully we will come up with a solution for you. The fixmbr should have worked. What manufacturer is this system? Dell? HP? Other?

 

Frankly, I don't know why the MBR repair is not working. Hang in there and we will try to figure this out. I have asked Chaslang to look at this issue with me and hopefully he will have some input.

 

Please don't think I have forgotten about you. We are still trying to figure out what is wrong.

 

Let's do this as a final try. I want you to unplug the other two drives (shut down the computer first). Pull the power plug on both drives except the 931gb drive. Do not replug them in until I tell you to.

Then with only the C: drive ( 931gb ) plugged in, boot into the Recovery Environment again and enter the command prompt and again type in:
Bootrec.exe /fixmbr

Hit enter and when done remove the disc and reboot to Windows. Now re-run MBRCheck as well as the C:\MGtools\GetLogs.bat file and attach the new logs.

If this doesn't work, we may be stuck with having to do a complete reformat and clean install.