We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
Solved
how can I remove the BOO/TDss.M boot sector virus from a hard disk drive set as a slave?
Posted on 2011-09-04
Hello Everyone,
Tonight, I connected an infected hard disk drive (HDD) which had malware to a good working pc and set it as a slave. Upon running Avira Antiviral, 11 infections were found on the HDD set as a slave. This antivirus program was able to quarantine 8 of the 11. It also found code of the BOO/TDss.M boot sector virus on the secondary HDD. Avira also indicated the boot sector was not written, thus, leading me to think this virus is still embedded on the HDD. Naturally, this explains why the pc kept restarting itself when this HDD was set to be the primary HDD. When it kept restarting itself, I could not access the desktop of either, Safe Mode or Normal Mode.
At any rate, is there a way I can possibly rewrite the boot sector area, which I think is the Master Boot Record (MBR) from this good working pc with the infected HDD set as Slave? It seems like there are some command line parameters which can be used from the XP bootable installation CD. I believe the area is Recovery Console, but, I am not sure on any of this.
Any help resolving this issue will be deeply appreciated. Also, I have uploaded a log of the scan results from Avira as well for analysis and review. Hopefully, that will be helpful as well with respect to coming up with the proper solution.
Thank you.
George
AVSCAN-20110904-023610-9A3836C0.LOG
Tonight, I connected an infected hard disk drive (HDD) which had malware to a good working pc and set it as a slave. Upon running Avira Antiviral, 11 infections were found on the HDD set as a slave. This antivirus program was able to quarantine 8 of the 11. It also found code of the BOO/TDss.M boot sector virus on the secondary HDD. Avira also indicated the boot sector was not written, thus, leading me to think this virus is still embedded on the HDD. Naturally, this explains why the pc kept restarting itself when this HDD was set to be the primary HDD. When it kept restarting itself, I could not access the desktop of either, Safe Mode or Normal Mode.
At any rate, is there a way I can possibly rewrite the boot sector area, which I think is the Master Boot Record (MBR) from this good working pc with the infected HDD set as Slave? It seems like there are some command line parameters which can be used from the XP bootable installation CD. I believe the area is Recovery Console, but, I am not sure on any of this.
Any help resolving this issue will be deeply appreciated. Also, I have uploaded a log of the scan results from Avira as well for analysis and review. Hopefully, that will be helpful as well with respect to coming up with the proper solution.
Thank you.
George
AVSCAN-20110904-023610-9A3836C0.LOG
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
3-
2
- +1
7 Comments
If you are able to boot up to the drive try this: http://support.kaspersky.com/faq/?qid=208280684
If not then remove your good hdd and boot to a windows cd. Go into the recovery console and from the command line type fixmbr press enter then type fixboot and press enter. Try to boot the pc again and run the tdss killer tool above.
If not then remove your good hdd and boot to a windows cd. Go into the recovery console and from the command line type fixmbr press enter then type fixboot and press enter. Try to boot the pc again and run the tdss killer tool above.
I have had success in similar situations with the following proceedure:
1. Download TDSKiller.exe to a flashdrive; (http://support.kaspersky.com/faq/?qid=208280684)
2. Boot to Recovery Console from an XP CD; (http://support.microsoft.com/kb/314058)
3. Exit RC and reboot;
You will have trouble removing tdss rootkit from a slaved drive - the process needs to be running in order for it to be quarantined and deleted.
1. Download TDSKiller.exe to a flashdrive; (http://support.kaspersky.com/faq/?qid=208280684)
2. Boot to Recovery Console from an XP CD; (http://support.microsoft.com/kb/314058)
3. Exit RC and reboot;
You will have trouble removing tdss rootkit from a slaved drive - the process needs to be running in order for it to be quarantined and deleted.
Sorry, the above post leaves out the vital third step:
2b. Navigate to the tdsskiller.exe file and run it;
Damn this wireless keyboard!!!
2b. Navigate to the tdsskiller.exe file and run it;
Damn this wireless keyboard!!!
Active 4 days ago
Hi
I am not sure if this virus effects video card drivers, but, each time I boot to the XP CD, the video starts messing up. It does the same thing when booting to utility CD's if the HDD is set to be a primary bootable HDD. I will try again thought. I was hope to be able to solve this completely with the HDD set as a slave.
George
I am not sure if this virus effects video card drivers, but, each time I boot to the XP CD, the video starts messing up. It does the same thing when booting to utility CD's if the HDD is set to be a primary bootable HDD. I will try again thought. I was hope to be able to solve this completely with the HDD set as a slave.
George
Active 4 days ago
Hello adn Good Morning Everyone,
Before I begin discussing the mechanics of what fixed this issue, I want to sincerely thank everyone for their shared input. WOW! I did learn so much from the input shared in addition to the resourceful links. At this point, I will move along and start discussing the actual steps which resolved the issue just in case someone else has a similiar concern.
First, I disonnected the infected HDD and hooked it up to a good running pc using my IDE/SATA to USB converter cable. Before this hookup, I totally removed the jumper on the infected HDD which was set to Master. I preferred the hookup this way to avoid opening up the case of the good working pc. Once the good working pc was powered up, I did notice within My Computer a drive letter now for the infected pc which was now a slave HDD. Then, I installed and ran Avira AntiVir which found 11 infected objects. I was able to remove 8 of these 11. While this is a great utility, it was still unable to remove the boot sector virus on the infected HDD. So, I still had this issue to deal with.
The next step involved totally disconnecting the infected HDD from the good working pc and putting it back into the original pc. Then, I set the BIOS first boot device to be CDROM while having the XP installation CD in the CDROM. Luckly, I did not experience the messed up video this time. Apparently, Avira removed the infected objects responsible for this symptom. At any rate, I entered into the Recovery Console by pressing R when I saw it on the screen. At that point, I typed fixmbr > enter>fixboot>enter and restarted the pc. To my pleasant surprise, when I selected Normal Mode this time, the pc went straight to the desktop without restarting itself. And, all of my applications and end user files were fine as well. For good measures though, I still went ahead and ran TDSSKiller which did not find any infection.
In closing, this story has a happy ending thanks you wonderful guys : - ) Thanks so much once again for helping me through this. I could not have done any of this without everyone's help.
Thank you
George
Before I begin discussing the mechanics of what fixed this issue, I want to sincerely thank everyone for their shared input. WOW! I did learn so much from the input shared in addition to the resourceful links. At this point, I will move along and start discussing the actual steps which resolved the issue just in case someone else has a similiar concern.
First, I disonnected the infected HDD and hooked it up to a good running pc using my IDE/SATA to USB converter cable. Before this hookup, I totally removed the jumper on the infected HDD which was set to Master. I preferred the hookup this way to avoid opening up the case of the good working pc. Once the good working pc was powered up, I did notice within My Computer a drive letter now for the infected pc which was now a slave HDD. Then, I installed and ran Avira AntiVir which found 11 infected objects. I was able to remove 8 of these 11. While this is a great utility, it was still unable to remove the boot sector virus on the infected HDD. So, I still had this issue to deal with.
The next step involved totally disconnecting the infected HDD from the good working pc and putting it back into the original pc. Then, I set the BIOS first boot device to be CDROM while having the XP installation CD in the CDROM. Luckly, I did not experience the messed up video this time. Apparently, Avira removed the infected objects responsible for this symptom. At any rate, I entered into the Recovery Console by pressing R when I saw it on the screen. At that point, I typed fixmbr > enter>fixboot>enter and restarted the pc. To my pleasant surprise, when I selected Normal Mode this time, the pc went straight to the desktop without restarting itself. And, all of my applications and end user files were fine as well. For good measures though, I still went ahead and ran TDSSKiller which did not find any infection.
In closing, this story has a happy ending thanks you wonderful guys : - ) Thanks so much once again for helping me through this. I could not have done any of this without everyone's help.
Thank you
George
Featured Post
WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
PREFACE
The purpose of this guide is to provide information to successfully add specific IIS 7.0 role services for the Symantec Endpoint Protection Manager (SEPM) to function properly when installed on Windows 2008.
AUDIENCE
Information Technol…
I recently had to create a utility which aim is to update McAfee's Virusscan and that had to be launched from a command line.
I thought I’d share my experience with you.
Why is it useful to be able to update an Antivirus from the command line?…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
- Anti-Virus Apps
- Ransomware
- The Email Laundry
- Email Servers
- Cybersecurity
- Microsoft Access, *malware
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email
Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Suggested Courses
Course of the Month7 days, 15 hours left to enroll
715 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.