Solved

how can I remove the BOO/TDss.M boot sector virus from a hard disk drive set as a slave?

Posted on 2011-09-04
Last Modified: 2013-11-22
Hello Everyone,

Tonight, I connected an infected hard disk drive (HDD) which had malware to a good working pc and set it as a slave. Upon running Avira Antiviral, 11 infections were found on the HDD set as a slave. This antivirus program was able to quarantine 8 of the 11. It also found code of the BOO/TDss.M boot sector virus on the secondary HDD. Avira also indicated the boot sector was not written, thus leading me to think this virus is still embedded on the HDD. Naturally, this explains why the pc kept restarting itself when this HDD was set to be the primary HDD. When it kept restarting itself, I could not access the desktop of either Safe Mode or Normal Mode.

At any rate, is there a way I can possibly rewrite the boot sector area, which I think is the Master Boot Record (MBR), from this good working pc with the infected HDD set as Slave? It seems like there are some command line parameters which can be used from the XP bootable installation CD. I believe the area is Recovery Console, but I am not sure on any of this.

Any help resolving this issue will be deeply appreciated. Also, I have uploaded a log of the scan results from Avira as well for analysis and review. Hopefully, that will be helpful as well with respect to coming up with the proper solution.

Thank you.

George
         
Attached: AVSCAN-20110904-023610-9A3836C0.LOG

Question by: GMartin
7 Comments
 
Assisted Solution

by: OxygenITSolutions
OxygenITSolutions earned 150 total points
ID: 36480094
 
Accepted Solution

by: bloodygonzo
bloodygonzo earned 200 total points
ID: 36480232
If you are able to boot up to the drive try this: http://support.kaspersky.com/faq/?qid=208280684

If not then remove your good hdd and boot to a windows cd. Go into the recovery console and from the command line type fixmbr press enter then type fixboot and press enter. Try to boot the pc again and run the tdss killer tool above.
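As an added example (not part of any answer above), this Python script parses a 512-byte MBR and compares a copy taken before a repair with one taken afterwards, so you can confirm that fixmbr replaced the bootstrap code while leaving the partition table and 0x55AA signature intact. The sample sectors are constructed placeholders, not real boot code; read_mbr is a hypothetical helper for a raw disk image you have captured yourself.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: bootstrap code, the part fixmbr rewrites
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, partition entries and signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0x00 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }

def compare_mbr(before: bytes, after: bytes) -> dict:
    """Report what a repair changed: boot code should differ, partition table should not."""
    b, a = parse_mbr(before), parse_mbr(after)
    return {
        "boot_code_changed": b["boot_code_sha256"] != a["boot_code_sha256"],
        "partition_table_preserved": before[PART_TABLE_OFF:510] == after[PART_TABLE_OFF:510],
        "signature_ok": a["signature_ok"],
    }

def read_mbr(path: str) -> bytes:
    """Hypothetical helper: read the first sector of a raw disk image (e.g. captured with dd)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)

def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a 512-byte MBR from boot code and up to four 16-byte partition entries."""
    table = b"".join(entries).ljust(64, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + BOOT_SIGNATURE

# Constructed sample data (not real boot code): one bootable NTFS (0x07) partition at LBA 63.
NTFS_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1_000_000)
SAMPLE_BEFORE = build_mbr(b"\xcc" * BOOT_CODE_LEN, [NTFS_ENTRY])   # placeholder for tampered boot code
SAMPLE_AFTER = build_mbr(b"\x90" * BOOT_CODE_LEN, [NTFS_ENTRY])    # placeholder for rewritten boot code
```

Run compare_mbr on sectors captured before and after fixmbr; if partition_table_preserved comes back False, the repair touched more than the boot code and the partition layout should be checked before booting.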
Assisted Solution

by: phototropic
phototropic earned 150 total points
ID: 36480239
I have had success in similar situations with the following procedure:

1. Download TDSSKiller.exe to a flashdrive; (http://support.kaspersky.com/faq/?qid=208280684)
2. Boot to Recovery Console from an XP CD; (http://support.microsoft.com/kb/314058)
3. Exit RC and reboot;

You will have trouble removing tdss rootkit from a slaved drive - the process needs to be running in order for it to be quarantined and deleted.


Expert Comment

by: phototropic
ID: 36480244
Sorry, the above post leaves out the vital third step:

2b.  Navigate to the tdsskiller.exe file and run it;

Damn this wireless keyboard!!!

Author Comment

by: GMartin
ID: 36480547
Hi

I am not sure if this virus affects video card drivers, but each time I boot to the XP CD, the video starts messing up. It does the same thing when booting to utility CDs if the HDD is set to be a primary bootable HDD. I will try again though. I was hoping to be able to solve this completely with the HDD set as a slave.

George

Author Comment

by: GMartin
ID: 36480670
Hello and Good Morning Everyone,

Before I begin discussing the mechanics of what fixed this issue, I want to sincerely thank everyone for their shared input. WOW! I did learn so much from the input shared in addition to the resourceful links. At this point, I will move along and start discussing the actual steps which resolved the issue just in case someone else has a similar concern.

First, I disconnected the infected HDD and hooked it up to a good running pc using my IDE/SATA to USB converter cable. Before this hookup, I totally removed the jumper on the infected HDD which was set to Master. I preferred the hookup this way to avoid opening up the case of the good working pc. Once the good working pc was powered up, I did notice within My Computer a drive letter now for the infected pc which was now a slave HDD. Then, I installed and ran Avira AntiVir which found 11 infected objects. I was able to remove 8 of these 11. While this is a great utility, it was still unable to remove the boot sector virus on the infected HDD. So, I still had this issue to deal with.

The next step involved totally disconnecting the infected HDD from the good working pc and putting it back into the original pc. Then, I set the BIOS first boot device to be CDROM while having the XP installation CD in the CDROM. Luckily, I did not experience the messed up video this time. Apparently, Avira removed the infected objects responsible for this symptom. At any rate, I entered into the Recovery Console by pressing R when I saw it on the screen. At that point, I typed fixmbr > enter > fixboot > enter and restarted the pc. To my pleasant surprise, when I selected Normal Mode this time, the pc went straight to the desktop without restarting itself. And, all of my applications and end user files were fine as well. For good measure though, I still went ahead and ran TDSSKiller which did not find any infection.

In closing, this story has a happy ending thanks to you wonderful guys : - ) Thanks so much once again for helping me through this. I could not have done any of this without everyone's help.

Thank you

George
LVL 23

Expert Comment

by: phototropic
ID: 36481108
Glad to hear that your problem is resolved.

Thanks for the points and grade.