Join Director of Product Management Todd OBoyle on April 26th as he covers the key elements of a phishing protection program. Whether you’re an old hat at phishing education or considering starting a program -- we'll discuss critical components that should be in any program.
how can I remove the BOO/TDss.M boot sector virus from a hard disk drive set as a slave?
Hello Everyone,
Tonight, I connected an infected hard disk drive (HDD) which had malware to a good working pc and set it as a slave. Upon running Avira Antiviral, 11 infections were found on the HDD set as a slave. This antivirus program was able to quarantine 8 of the 11. It also found code of the BOO/TDss.M boot sector virus on the secondary HDD. Avira also indicated the boot sector was not written, thus, leading me to think this virus is still embedded on the HDD. Naturally, this explains why the pc kept restarting itself when this HDD was set to be the primary HDD. When it kept restarting itself, I could not access the desktop of either, Safe Mode or Normal Mode.
At any rate, is there a way I can possibly rewrite the boot sector area, which I think is the Master Boot Record (MBR) from this good working pc with the infected HDD set as Slave? It seems like there are some command line parameters which can be used from the XP bootable installation CD. I believe the area is Recovery Console, but, I am not sure on any of this.
Any help resolving this issue will be deeply appreciated. Also, I have uploaded a log of the scan results from Avira as well for analysis and review. Hopefully, that will be helpful as well with respect to coming up with the proper solution.
Thank you.
George
AVSCAN-20110904-023610-9A3836C0.LOG
Tonight, I connected an infected hard disk drive (HDD) which had malware to a good working pc and set it as a slave. Upon running Avira Antiviral, 11 infections were found on the HDD set as a slave. This antivirus program was able to quarantine 8 of the 11. It also found code of the BOO/TDss.M boot sector virus on the secondary HDD. Avira also indicated the boot sector was not written, thus, leading me to think this virus is still embedded on the HDD. Naturally, this explains why the pc kept restarting itself when this HDD was set to be the primary HDD. When it kept restarting itself, I could not access the desktop of either, Safe Mode or Normal Mode.
At any rate, is there a way I can possibly rewrite the boot sector area, which I think is the Master Boot Record (MBR) from this good working pc with the infected HDD set as Slave? It seems like there are some command line parameters which can be used from the XP bootable installation CD. I believe the area is Recovery Console, but, I am not sure on any of this.
Any help resolving this issue will be deeply appreciated. Also, I have uploaded a log of the scan results from Avira as well for analysis and review. Hopefully, that will be helpful as well with respect to coming up with the proper solution.
Thank you.
George
AVSCAN-20110904-023610-9A3836C0.LOG
Asked:
3-
2
- +1
3 Solutions
If you are able to boot up to the drive try this: http://support.kaspersky.com/faq/?qid=208280684
If not then remove your good hdd and boot to a windows cd. Go into the recovery console and from the command line type fixmbr press enter then type fixboot and press enter. Try to boot the pc again and run the tdss killer tool above.
If not then remove your good hdd and boot to a windows cd. Go into the recovery console and from the command line type fixmbr press enter then type fixboot and press enter. Try to boot the pc again and run the tdss killer tool above.
I have had success in similar situations with the following proceedure:
1. Download TDSKiller.exe to a flashdrive; (http://support.kaspersky.com/faq/?qid=208280684)
2. Boot to Recovery Console from an XP CD; (http://support.microsoft.com/kb/314058)
3. Exit RC and reboot;
You will have trouble removing tdss rootkit from a slaved drive - the process needs to be running in order for it to be quarantined and deleted.
1. Download TDSKiller.exe to a flashdrive; (http://support.kaspersky.com/faq/?qid=208280684)
2. Boot to Recovery Console from an XP CD; (http://support.microsoft.com/kb/314058)
3. Exit RC and reboot;
You will have trouble removing tdss rootkit from a slaved drive - the process needs to be running in order for it to be quarantined and deleted.
Sorry, the above post leaves out the vital third step:
2b. Navigate to the tdsskiller.exe file and run it;
Damn this wireless keyboard!!!
2b. Navigate to the tdsskiller.exe file and run it;
Damn this wireless keyboard!!!
Hi
I am not sure if this virus effects video card drivers, but, each time I boot to the XP CD, the video starts messing up. It does the same thing when booting to utility CD's if the HDD is set to be a primary bootable HDD. I will try again thought. I was hope to be able to solve this completely with the HDD set as a slave.
George
I am not sure if this virus effects video card drivers, but, each time I boot to the XP CD, the video starts messing up. It does the same thing when booting to utility CD's if the HDD is set to be a primary bootable HDD. I will try again thought. I was hope to be able to solve this completely with the HDD set as a slave.
George
Hello adn Good Morning Everyone,
Before I begin discussing the mechanics of what fixed this issue, I want to sincerely thank everyone for their shared input. WOW! I did learn so much from the input shared in addition to the resourceful links. At this point, I will move along and start discussing the actual steps which resolved the issue just in case someone else has a similiar concern.
First, I disonnected the infected HDD and hooked it up to a good running pc using my IDE/SATA to USB converter cable. Before this hookup, I totally removed the jumper on the infected HDD which was set to Master. I preferred the hookup this way to avoid opening up the case of the good working pc. Once the good working pc was powered up, I did notice within My Computer a drive letter now for the infected pc which was now a slave HDD. Then, I installed and ran Avira AntiVir which found 11 infected objects. I was able to remove 8 of these 11. While this is a great utility, it was still unable to remove the boot sector virus on the infected HDD. So, I still had this issue to deal with.
The next step involved totally disconnecting the infected HDD from the good working pc and putting it back into the original pc. Then, I set the BIOS first boot device to be CDROM while having the XP installation CD in the CDROM. Luckly, I did not experience the messed up video this time. Apparently, Avira removed the infected objects responsible for this symptom. At any rate, I entered into the Recovery Console by pressing R when I saw it on the screen. At that point, I typed fixmbr > enter>fixboot>enter and restarted the pc. To my pleasant surprise, when I selected Normal Mode this time, the pc went straight to the desktop without restarting itself. And, all of my applications and end user files were fine as well. For good measures though, I still went ahead and ran TDSSKiller which did not find any infection.
In closing, this story has a happy ending thanks you wonderful guys : - ) Thanks so much once again for helping me through this. I could not have done any of this without everyone's help.
Thank you
George
Before I begin discussing the mechanics of what fixed this issue, I want to sincerely thank everyone for their shared input. WOW! I did learn so much from the input shared in addition to the resourceful links. At this point, I will move along and start discussing the actual steps which resolved the issue just in case someone else has a similiar concern.
First, I disonnected the infected HDD and hooked it up to a good running pc using my IDE/SATA to USB converter cable. Before this hookup, I totally removed the jumper on the infected HDD which was set to Master. I preferred the hookup this way to avoid opening up the case of the good working pc. Once the good working pc was powered up, I did notice within My Computer a drive letter now for the infected pc which was now a slave HDD. Then, I installed and ran Avira AntiVir which found 11 infected objects. I was able to remove 8 of these 11. While this is a great utility, it was still unable to remove the boot sector virus on the infected HDD. So, I still had this issue to deal with.
The next step involved totally disconnecting the infected HDD from the good working pc and putting it back into the original pc. Then, I set the BIOS first boot device to be CDROM while having the XP installation CD in the CDROM. Luckly, I did not experience the messed up video this time. Apparently, Avira removed the infected objects responsible for this symptom. At any rate, I entered into the Recovery Console by pressing R when I saw it on the screen. At that point, I typed fixmbr > enter>fixboot>enter and restarted the pc. To my pleasant surprise, when I selected Normal Mode this time, the pc went straight to the desktop without restarting itself. And, all of my applications and end user files were fine as well. For good measures though, I still went ahead and ran TDSSKiller which did not find any infection.
In closing, this story has a happy ending thanks you wonderful guys : - ) Thanks so much once again for helping me through this. I could not have done any of this without everyone's help.
Thank you
George
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Join & Write a Comment Already a member? Login.
Featured Post
Join Director of Product Management Todd OBoyle on April 26th as he covers the key elements of a phishing protection program. Whether you’re an old hat at phishing education or considering starting a program -- we'll discuss critical components that should be in any program.
Tackle projects and never again get stuck behind a technical roadblock.
Join Now
Does this help?