Solved

How can I remove the BOO/TDss.M boot sector virus from a hard disk drive set as a slave?

Posted on 2011-09-04
Last Modified: 2013-11-22
Hello Everyone,

Tonight, I connected an infected hard disk drive (HDD) which had malware to a good working PC and set it as a slave. Upon running Avira AntiVir, 11 infections were found on the HDD set as a slave. This antivirus program was able to quarantine 8 of the 11. It also found code of the BOO/TDss.M boot sector virus on the secondary HDD. Avira also indicated the boot sector was not written, thus leading me to think this virus is still embedded on the HDD. Naturally, this explains why the PC kept restarting itself when this HDD was set to be the primary HDD. When it kept restarting itself, I could not access the desktop in either Safe Mode or Normal Mode.

At any rate, is there a way I can possibly rewrite the boot sector area, which I think is the Master Boot Record (MBR), from this good working PC with the infected HDD set as slave? It seems like there are some command-line parameters which can be used from the XP bootable installation CD. I believe the area is the Recovery Console, but I am not sure on any of this.

Any help resolving this issue will be deeply appreciated. Also, I have uploaded a log of the scan results from Avira as well for analysis and review. Hopefully, that will be helpful as well with respect to coming up with the proper solution.

Thank you.

George
AVSCAN-20110904-023610-9A3836C0.LOG
Question by:GMartin
7 Comments
LVL 7

Assisted Solution

by:OxygenITSolutions
OxygenITSolutions earned 150 total points
ID: 36480094
LVL 4

Accepted Solution

by:bloodygonzo
bloodygonzo earned 200 total points
ID: 36480232
If you are able to boot up to the drive try this: http://support.kaspersky.com/faq/?qid=208280684

If not, then remove your good HDD and boot to a Windows CD. Go into the Recovery Console and from the command line type fixmbr, press Enter, then type fixboot and press Enter. Try to boot the PC again and run the TDSS Killer tool above.
LVL 23

Assisted Solution

by:phototropic
phototropic earned 150 total points
ID: 36480239
I have had success in similar situations with the following procedure:

1. Download TDSSKiller.exe to a flash drive; (http://support.kaspersky.com/faq/?qid=208280684)
2. Boot to Recovery Console from an XP CD; (http://support.microsoft.com/kb/314058)
3. Exit RC and reboot;

You will have trouble removing the TDSS rootkit from a slaved drive - the process needs to be running in order for it to be quarantined and deleted.

LVL 23

Expert Comment

by:phototropic
ID: 36480244
Sorry, the above post leaves out the vital third step:

2b. Navigate to the tdsskiller.exe file and run it;

Damn this wireless keyboard!!!

Author Comment

by:GMartin
ID: 36480547
Hi

I am not sure if this virus affects video card drivers, but each time I boot to the XP CD, the video starts messing up. It does the same thing when booting to utility CDs if the HDD is set to be the primary bootable HDD. I will try again though. I was hoping to be able to solve this completely with the HDD set as a slave.

George

Author Comment

by:GMartin
ID: 36480670
Hello and Good Morning Everyone,

Before I begin discussing the mechanics of what fixed this issue, I want to sincerely thank everyone for their shared input. WOW! I did learn so much from the input shared in addition to the resourceful links. At this point, I will move along and start discussing the actual steps which resolved the issue, just in case someone else has a similar concern.

First, I disconnected the infected HDD and hooked it up to a good running PC using my IDE/SATA to USB converter cable. Before this hookup, I totally removed the jumper on the infected HDD which was set to Master. I preferred the hookup this way to avoid opening up the case of the good working PC. Once the good working PC was powered up, I did notice within My Computer a drive letter now for the infected disk, which was now a slave HDD. Then, I installed and ran Avira AntiVir, which found 11 infected objects. I was able to remove 8 of these 11. While this is a great utility, it was still unable to remove the boot sector virus on the infected HDD. So, I still had this issue to deal with.

The next step involved totally disconnecting the infected HDD from the good working PC and putting it back into the original PC. Then, I set the BIOS first boot device to be CDROM while having the XP installation CD in the CDROM. Luckily, I did not experience the messed up video this time. Apparently, Avira removed the infected objects responsible for this symptom. At any rate, I entered the Recovery Console by pressing R when I saw it on the screen. At that point, I typed fixmbr > Enter > fixboot > Enter and restarted the PC. To my pleasant surprise, when I selected Normal Mode this time, the PC went straight to the desktop without restarting itself. And all of my applications and end user files were fine as well. For good measure though, I still went ahead and ran TDSSKiller, which did not find any infection.

In closing, this story has a happy ending thanks to you wonderful guys : - ) Thanks so much once again for helping me through this. I could not have done any of this without everyone's help.

Thank you

George
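As an added illustration (not code from this thread, from Avira, or from TDSSKiller), the script below parses a 512-byte MBR and compares its bootstrap code against a known-good copy, which is how a defender would check whether the boot code has been rewritten while the partition table (the part that keeps the data reachable) is unchanged. All MBR bytes here are constructed sample data; on a real machine the first sector would come from an image taken of the suspect drive.

```python
"""Parse a 512-byte MBR and compare it with a trusted baseline.
All sample sectors below are constructed for illustration."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446      # bootstrap code (+ disk signature) before the partition table
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xAA"   # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into a boot-code hash, the used partition entries and the signature check."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, (skip CHS start), type, (skip CHS end), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts,
            "valid_signature": sector[SECTOR - 2:] == BOOT_SIG}


def compare_mbr(suspect: bytes, baseline: bytes) -> dict:
    """Report separately whether boot code or partition table differ from the baseline."""
    a, b = parse_mbr(suspect), parse_mbr(baseline)
    return {"boot_code_changed": a["boot_code_sha256"] != b["boot_code_sha256"],
            "partition_table_changed": a["partitions"] != b["partitions"],
            "signature_ok": a["valid_signature"]}


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: given boot code, one bootable NTFS (0x07) partition at LBA 63, 0x55AA."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 63, 1_000_000)
    return code + entry + b"\x00" * (PART_ENTRY_LEN * 3) + BOOT_SIG


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")  # stand-in for vendor boot code
    tampered = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 40)       # same table, altered boot code
    print(compare_mbr(tampered, clean))  # boot_code_changed True, partition_table_changed False
```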
LVL 23

Expert Comment

by:phototropic
ID: 36481108
Glad to hear that your problem is resolved.

Thanks for the points and grade.