Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.
Course Of The Month
Become a Premium Member and unlock a new, free course in leading technologies each month.
Solved
how can I remove the BOO/TDss.M boot sector virus from a hard disk drive set as a slave?
Posted on 2011-09-04
Hello Everyone,
Tonight, I connected an infected hard disk drive (HDD) which had malware to a good working pc and set it as a slave. Upon running Avira Antiviral, 11 infections were found on the HDD set as a slave. This antivirus program was able to quarantine 8 of the 11. It also found code of the BOO/TDss.M boot sector virus on the secondary HDD. Avira also indicated the boot sector was not written, thus, leading me to think this virus is still embedded on the HDD. Naturally, this explains why the pc kept restarting itself when this HDD was set to be the primary HDD. When it kept restarting itself, I could not access the desktop of either, Safe Mode or Normal Mode.
At any rate, is there a way I can possibly rewrite the boot sector area, which I think is the Master Boot Record (MBR) from this good working pc with the infected HDD set as Slave? It seems like there are some command line parameters which can be used from the XP bootable installation CD. I believe the area is Recovery Console, but, I am not sure on any of this.
Any help resolving this issue will be deeply appreciated. Also, I have uploaded a log of the scan results from Avira as well for analysis and review. Hopefully, that will be helpful as well with respect to coming up with the proper solution.
Thank you.
George
AVSCAN-20110904-023610-9A3836C0.LOG
Tonight, I connected an infected hard disk drive (HDD) which had malware to a good working pc and set it as a slave. Upon running Avira Antiviral, 11 infections were found on the HDD set as a slave. This antivirus program was able to quarantine 8 of the 11. It also found code of the BOO/TDss.M boot sector virus on the secondary HDD. Avira also indicated the boot sector was not written, thus, leading me to think this virus is still embedded on the HDD. Naturally, this explains why the pc kept restarting itself when this HDD was set to be the primary HDD. When it kept restarting itself, I could not access the desktop of either, Safe Mode or Normal Mode.
At any rate, is there a way I can possibly rewrite the boot sector area, which I think is the Master Boot Record (MBR) from this good working pc with the infected HDD set as Slave? It seems like there are some command line parameters which can be used from the XP bootable installation CD. I believe the area is Recovery Console, but, I am not sure on any of this.
Any help resolving this issue will be deeply appreciated. Also, I have uploaded a log of the scan results from Avira as well for analysis and review. Hopefully, that will be helpful as well with respect to coming up with the proper solution.
Thank you.
George
AVSCAN-20110904-023610-9A3836C0.LOG
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
3-
2
- +1
7 Comments
If you are able to boot up to the drive try this: http://support.kaspersky.com/faq/?qid=208280684
If not then remove your good hdd and boot to a windows cd. Go into the recovery console and from the command line type fixmbr press enter then type fixboot and press enter. Try to boot the pc again and run the tdss killer tool above.
If not then remove your good hdd and boot to a windows cd. Go into the recovery console and from the command line type fixmbr press enter then type fixboot and press enter. Try to boot the pc again and run the tdss killer tool above.
I have had success in similar situations with the following proceedure:
1. Download TDSKiller.exe to a flashdrive; (http://support.kaspersky.com/faq/?qid=208280684)
2. Boot to Recovery Console from an XP CD; (http://support.microsoft.com/kb/314058)
3. Exit RC and reboot;
You will have trouble removing tdss rootkit from a slaved drive - the process needs to be running in order for it to be quarantined and deleted.
1. Download TDSKiller.exe to a flashdrive; (http://support.kaspersky.com/faq/?qid=208280684)
2. Boot to Recovery Console from an XP CD; (http://support.microsoft.com/kb/314058)
3. Exit RC and reboot;
You will have trouble removing tdss rootkit from a slaved drive - the process needs to be running in order for it to be quarantined and deleted.
Sorry, the above post leaves out the vital third step:
2b. Navigate to the tdsskiller.exe file and run it;
Damn this wireless keyboard!!!
2b. Navigate to the tdsskiller.exe file and run it;
Damn this wireless keyboard!!!
Active 1 day ago
Hi
I am not sure if this virus effects video card drivers, but, each time I boot to the XP CD, the video starts messing up. It does the same thing when booting to utility CD's if the HDD is set to be a primary bootable HDD. I will try again thought. I was hope to be able to solve this completely with the HDD set as a slave.
George
I am not sure if this virus effects video card drivers, but, each time I boot to the XP CD, the video starts messing up. It does the same thing when booting to utility CD's if the HDD is set to be a primary bootable HDD. I will try again thought. I was hope to be able to solve this completely with the HDD set as a slave.
George
Active 1 day ago
Hello adn Good Morning Everyone,
Before I begin discussing the mechanics of what fixed this issue, I want to sincerely thank everyone for their shared input. WOW! I did learn so much from the input shared in addition to the resourceful links. At this point, I will move along and start discussing the actual steps which resolved the issue just in case someone else has a similiar concern.
First, I disonnected the infected HDD and hooked it up to a good running pc using my IDE/SATA to USB converter cable. Before this hookup, I totally removed the jumper on the infected HDD which was set to Master. I preferred the hookup this way to avoid opening up the case of the good working pc. Once the good working pc was powered up, I did notice within My Computer a drive letter now for the infected pc which was now a slave HDD. Then, I installed and ran Avira AntiVir which found 11 infected objects. I was able to remove 8 of these 11. While this is a great utility, it was still unable to remove the boot sector virus on the infected HDD. So, I still had this issue to deal with.
The next step involved totally disconnecting the infected HDD from the good working pc and putting it back into the original pc. Then, I set the BIOS first boot device to be CDROM while having the XP installation CD in the CDROM. Luckly, I did not experience the messed up video this time. Apparently, Avira removed the infected objects responsible for this symptom. At any rate, I entered into the Recovery Console by pressing R when I saw it on the screen. At that point, I typed fixmbr > enter>fixboot>enter and restarted the pc. To my pleasant surprise, when I selected Normal Mode this time, the pc went straight to the desktop without restarting itself. And, all of my applications and end user files were fine as well. For good measures though, I still went ahead and ran TDSSKiller which did not find any infection.
In closing, this story has a happy ending thanks you wonderful guys : - ) Thanks so much once again for helping me through this. I could not have done any of this without everyone's help.
Thank you
George
Before I begin discussing the mechanics of what fixed this issue, I want to sincerely thank everyone for their shared input. WOW! I did learn so much from the input shared in addition to the resourceful links. At this point, I will move along and start discussing the actual steps which resolved the issue just in case someone else has a similiar concern.
First, I disonnected the infected HDD and hooked it up to a good running pc using my IDE/SATA to USB converter cable. Before this hookup, I totally removed the jumper on the infected HDD which was set to Master. I preferred the hookup this way to avoid opening up the case of the good working pc. Once the good working pc was powered up, I did notice within My Computer a drive letter now for the infected pc which was now a slave HDD. Then, I installed and ran Avira AntiVir which found 11 infected objects. I was able to remove 8 of these 11. While this is a great utility, it was still unable to remove the boot sector virus on the infected HDD. So, I still had this issue to deal with.
The next step involved totally disconnecting the infected HDD from the good working pc and putting it back into the original pc. Then, I set the BIOS first boot device to be CDROM while having the XP installation CD in the CDROM. Luckly, I did not experience the messed up video this time. Apparently, Avira removed the infected objects responsible for this symptom. At any rate, I entered into the Recovery Console by pressing R when I saw it on the screen. At that point, I typed fixmbr > enter>fixboot>enter and restarted the pc. To my pleasant surprise, when I selected Normal Mode this time, the pc went straight to the desktop without restarting itself. And, all of my applications and end user files were fine as well. For good measures though, I still went ahead and ran TDSSKiller which did not find any infection.
In closing, this story has a happy ending thanks you wonderful guys : - ) Thanks so much once again for helping me through this. I could not have done any of this without everyone's help.
Thank you
George
Featured Post
We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
These are on the increase and getting more common these days. Users who use the Google search engine may complain of having their search redirected to unwanted sites, regardless of what browser is used.
This happens when the system is infected with…
Have you ever tried to find someone you know on Facebook and searched to find more than one result with the same picture?
Perhaps someone you know has told you that they have a 'facebook stalker' or someone who is 'posing as them' online and ta…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
- Anti-Virus Apps
- Ransomware
- The Email Laundry
- Email Servers
- Cybersecurity
- Microsoft Access, *malware
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email
Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month6 days, 10 hours left to enroll
636 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.