Infected with unknown virus/malware...DDS not working. :(

Hi,

Are you now able to boot up your system into Windows?

When you boot up your system, do you have an option for the Recovery Console?

Hang on a bit, I am looking at what to do next.
 
Hi,

I wasn't able to boot into Windows. The recovery console was available but I got the blue screen when I tried it. I also tried to use the last known good configuration but I got a screen filled with error messages. Most of the error messages involved a hidden partition.
 
Correction. I do not get the blue screen with the recovery console. It asks me which Windows installation would I like to log onto.

I do get the blue screen when I try to use the last known good configuration.
 
You're going to have to use another computer to download one more file to your USB drive.


  • Download tdl_fix.sh and save it to the xPUD flash drive.
  • Boot into xPUD then click the File tab.
  • Press File
  • Expand mnt
  • Click on the folder under mnt that represents your USB drive (sdb1 ?)
  • You should see the tdl_fix.sh file in the main window.
  • Select Tool from the Menu
  • Choose Open Terminal
  • Type bash tdl_fix.sh then press Enter.
  • Read the warning then type y and press Enter to continue.
  • Type sda then press Enter when prompted.
  • You will be shown a list of partitions to choose marking active.
  • Type 2 then press Enter.
  • If you are presented with a warning about no bootloader files, type n then press Enter to choose another. If this happens, type 2 to select partition 2 then press Enter.
  • When you receive no warning about bootloader files but are presented with another view of the partition structure and asked if it looks correct, type y then press Enter.
  • The script will complete and prompt you to reboot the computer.
  • Close the Terminal window and restart back into Windows.
  • Post the contents of the tdl_fix.txt file that was created on your flash drive and let me know how the computer is behaving.

Note - in the event there is a problem booting the computer normally after running the script, run the tdl_fix.sh script again using the following command.

bash tdl_fix.sh -restore

Make sure to leave a space to either side of tdl_fix.sh in the command.
This will prompt you to use the file tdl_mbr_sda.bin on drive sda.
OK the procedure, then restart when complete.
This is a backup of the original MBR and will restore it to its current state.
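For readers following the steps above, here is an added example (not the tdl_fix.sh script itself, whose source is not on this page) showing what "marking a partition active" means at the byte level: it parses the four 16-byte partition entries of a 512-byte MBR, prints them in the fdisk layout seen in the logs, and flips the 0x80 boot flag so that exactly one partition is active. The sample MBR is constructed from the partition values in the tdl_fix.txt log (boot code zeroed); it never touches a real disk.

```python
import struct

SECTOR = 512
ACTIVE = 0x80
# Partition type ids from the thread's fdisk output (constructed lookup, not exhaustive)
TYPE_NAMES = {0x07: "HPFS/NTFS", 0x17: "Hidden HPFS/NTFS", 0xde: "Unknown", 0xdb: "Unknown"}

def build_entry(active, type_id, start_lba, n_sectors):
    """Pack one 16-byte MBR partition entry; CHS fields are left zero (constructed sample)."""
    flag = ACTIVE if active else 0x00
    return struct.pack("<B3sB3sII", flag, b"\0\0\0", type_id, b"\0\0\0", start_lba, n_sectors)

def parse_mbr(mbr):
    """Return the populated partition entries of a 512-byte MBR; raise if the 0x55AA signature is missing."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        raw = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        flag, _, type_id, _, start, count = struct.unpack("<B3sB3sII", raw)
        if type_id == 0 and count == 0:
            continue  # empty slot
        parts.append({"number": i + 1, "active": flag == ACTIVE, "type": type_id,
                      "start": start, "end": start + count - 1, "sectors": count})
    return parts

def set_active(mbr, number):
    """Return a copy of mbr with exactly partition `number` (1-4) flagged bootable."""
    parts = parse_mbr(mbr)  # validates the signature before anything is changed
    if number not in {p["number"] for p in parts}:
        raise ValueError(f"partition {number} is empty")
    out = bytearray(mbr)
    for i in range(4):
        out[446 + 16 * i] = ACTIVE if i + 1 == number else 0x00  # only one boot flag set
    return bytes(out)

def fdisk_view(parts):
    """Render entries in the 'Device Boot Start End Blocks Id System' layout from the log."""
    lines = ["Device Boot Start End Blocks Id System"]
    for p in parts:
        blocks = f"{p['sectors'] // 2}{'+' if p['sectors'] % 2 else ''}"
        lines.append(f"/dev/sda{p['number']} {'*' if p['active'] else ' '} {p['start']} {p['end']} "
                     f"{blocks} {p['type']:x} {TYPE_NAMES.get(p['type'], 'Unknown')}")
    return "\n".join(lines)

# Constructed sample MBR reproducing the layout from the tdl_fix.txt log: partition 2 active.
SAMPLE_MBR = (b"\0" * 446 + build_entry(False, 0xde, 63, 96327) + build_entry(True, 0x07, 96390, 182562660)
    + build_entry(False, 0xdb, 182675115, 9735390) + build_entry(False, 0x17, 192410505, 16049) + b"\x55\xaa")
```

Running `print(fdisk_view(parse_mbr(SAMPLE_MBR)))` reproduces the four-line table from the log, with the `*` on /dev/sda2.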
 
I finished this procedure (bash tdl_fix.sh and bash tdl_fix.sh -restore) but still received the blue screen when I tried to reboot into Windows normally.

I don't know if you need this or not, but here's the "Technical Information" that the blue screen gives me:

*** STOP: 0x0000007B (0xBA4CB524, 0xC0000034, 0x00000000, 0x00000000)


Also, here are the results from tdl_fix.txt and tdl_restore.txt that were saved to my USB drive:

tdl_fix.txt:
2012-02-17-01:21:42

The following drives were found
sda
sdb
User has chosen drive sda
backing up mbr to tdl_mbr_sda.bin


Disk /dev/sda: 98.5 GB, 98522403840 bytes
255 heads, 63 sectors/track, 11978 cylinders, total 192426570 sectors
Units = sectors of 1 * 512 = 512 bytes

Device Boot Start End Blocks Id System
/dev/sda1 63 96389 48163+ de Unknown
/dev/sda2 * 96390 182659049 91281330 7 HPFS/NTFS
/dev/sda3 182675115 192410504 4867695 db Unknown
/dev/sda4 192410505 192426553 8024+ 17 Hidden HPFS/NTFS

Model: ATA TOSHIBA MK1032GS (scsi)
Disk /dev/sda: 98.5GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 32.3kB 49.4MB 49.3MB primary fat16
2 49.4MB 93.5GB 93.5GB primary ntfs boot
3 93.5GB 98.5GB 4985MB primary fat32
4 98.5GB 98.5GB 8217kB primary ntfs hidden


User has chosen to make partition 2 active

Model: ATA TOSHIBA MK1032GS (scsi)
Disk /dev/sda: 98.5GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 32.3kB 49.4MB 49.3MB primary fat16
2 49.4MB 93.5GB 93.5GB primary ntfs boot
3 93.5GB 98.5GB 4985MB primary fat32
4 98.5GB 98.5GB 8217kB primary ntfs hidden


User has accepted changes


tdl_restore.txt:
2012-02-17-01:27:11

The following backups were found
1 tdl_mbr_sda.bin
User selected 1
Restoring device sda mbr with tdl_mbr_sda.bin
tdl_mbr_sda.bin has been written to drive sda
 
We're going to use xPUD to see if we can find any System Restore Points.



Download http://noahdfear.net/downloads/rst.sh to the USB drive
  • Boot the Sick computer with the USB drive again
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see rst.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh
  • Press Enter
  • After it has finished a report will be located at sdb1 named enum.log
  • Plug that USB back into the clean computer and open it

Please note: If you have an ethernet connection you can access the internet by way of xPUD (Firefox). You can perform all these steps on your sick computer. When you download, the download will reside in the Download folder. It can be found under the File tab also. You can similarly access our thread by way of this OS too, so you can send the logs that way.

Please also note - all text entries are case sensitive

Copy and paste the enum.log for my review
 
Josh,

You may have chosen the incorrect partition to set active to boot from. Open up your USB drive, delete the dumpit file and follow the procedure to get me a new dumpit file so we can select the correct partition to set active to boot from.

Just hang on with the xPud system restore instructions for now, we can do that later if need be

  1. xPUD

    We will need a USB stick and access to an uninfected machine.

    We need to prepare the USB stick. It is not absolutely essential that it is formatted, but it may help if it is:
    • Insert your USB drive into the uninfected machine.
    • Click on Start > My Computer > right click your USB drive > choose Format > Quick format.

    Next
    • Download both http://sourceforge.net/projects/une...stom/unetbootin-xpud-windows-387.exe/download and http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of the uninfected machine.
    • Make sure you have the formatted USB stick in the uninfected system.
    • Double click on the unetbootin-xpud-windows-387.exe that you just downloaded.
    • Press Run and then OK.
    • Select the DiskImage option then click the browse button located on the right side of the textbox field.
    • Browse to and select the xpud-0.9.2.iso file you downloaded.
    • Verify the correct drive letter is selected for your USB device then click OK.
    • It will install a little bootable OS on your USB device
    • After it has completed do not choose to reboot the clean computer, simply close the installer.

    Next
    • Take the USB to the infected computer and boot with it.
    • The computer must be set to boot from the USB (as soon as BIOS is loaded tap F12 and choose to boot from the USB drive).
    • A Welcome to xPUD screen will appear.
    • Press File.
    • Expand mnt.
    • sda1,2...usually corresponds to your HDD.
    • sdb1 is likely your USB drive.
    • Click on the folder that represents your USB drive (sdb1 ?).
    • Confirm that you see dumpit that you downloaded there.
    • Double click on dumpit.
    • Once completed, a file called mbr.zip will be saved to the USB drive.
    • Take the USB drive back to the uninfected system and attach the mbr.zip in your next reply.


    If you encounter any difficulties just let me know.
 
Hi,

I just went through procedure again like you asked.

I've attached the new mbr.zip file. Just let me know where I need to go from here. Thanks for your help.
 
You want to set Partition 2 as active and not any other one


  • Download tdl_fix.sh and save it to the xPUD flash drive.
  • Boot into xPUD then click the File tab.
  • Press File
  • Expand mnt
  • Click on the folder under mnt that represents your USB drive (sdb1 ?)
  • You should see the tdl_fix.sh file in the main window.
  • Select Tool from the Menu
  • Choose Open Terminal
  • Type bash tdl_fix.sh then press Enter.
  • Read the warning then type y and press Enter to continue.
  • Type sda then press Enter when prompted.
  • You will be shown a list of partitions to choose marking active.
  • Type 2 then press Enter.
  • If you are presented with a warning about no bootloader files, type n then press Enter to choose another. If this happens, type 2 to select partition 2 then press Enter.
  • When you receive no warning about bootloader files but are presented with another view of the partition structure and asked if it looks correct, type y then press Enter.
  • The script will complete and prompt you to reboot the computer.
  • Close the Terminal window and restart back into Windows.
  • Post the contents of the tdl_fix.txt file that was created on your flash drive and let me know how the computer is behaving.

Note - in the event there is a problem booting the computer normally after running the script, run the tdl_fix.sh script again using the following command.

bash tdl_fix.sh -restore

Make sure to leave a space to either side of tdl_fix.sh in the command.
This will prompt you to use the file tdl_mbr_sda.bin on drive sda.
OK the procedure, then restart when complete.
This is a backup of the original MBR and will restore it to its current state.
 
I followed the directions exactly. I still received a blue screen when I tried to reboot into Windows normally.

Here are the new tdl_fix.txt and tdl_restore.txt reports:

tdl_fix.txt
2012-02-17-21:37:37

The following drives were found
sda
sdb
User has chosen drive sda
backing up mbr to tdl_mbr_sda.bin


Disk /dev/sda: 98.5 GB, 98522403840 bytes
255 heads, 63 sectors/track, 11978 cylinders, total 192426570 sectors
Units = sectors of 1 * 512 = 512 bytes

Device Boot Start End Blocks Id System
/dev/sda1 63 96389 48163+ de Unknown
/dev/sda2 * 96390 182659049 91281330 7 HPFS/NTFS
/dev/sda3 182675115 192410504 4867695 db Unknown
/dev/sda4 192410505 192426553 8024+ 17 Hidden HPFS/NTFS

Model: ATA TOSHIBA MK1032GS (scsi)
Disk /dev/sda: 98.5GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 32.3kB 49.4MB 49.3MB primary fat16
2 49.4MB 93.5GB 93.5GB primary ntfs boot
3 93.5GB 98.5GB 4985MB primary fat32
4 98.5GB 98.5GB 8217kB primary ntfs hidden


User has chosen to make partition 2 active

Model: ATA TOSHIBA MK1032GS (scsi)
Disk /dev/sda: 98.5GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 32.3kB 49.4MB 49.3MB primary fat16
2 49.4MB 93.5GB 93.5GB primary ntfs boot
3 93.5GB 98.5GB 4985MB primary fat32
4 98.5GB 98.5GB 8217kB primary ntfs hidden


User has accepted changes


tdl_restore.txt
2012-02-17-21:41:34

The following backups were found
1 tdl_mbr_sda.bin
User selected 1
Restoring device sda mbr with tdl_mbr_sda.bin
tdl_mbr_sda.bin has been written to drive sda
 
You should not have used the backup to restore; just set Partition 2 as active, reboot a couple of times and see if it takes.

If not, then follow the instructions in my previous post to get me the System Restore log using xPUD.
 
I used the backup to restore because the instructions that you copied and pasted for me told me to do that if Windows did not start normally.

I've gone back through the tdl_fix.sh procedure again several times now without using the restore option and I am still getting the same blue screen when trying to boot into Windows.

I do notice when I select partition 2 that a message pops up saying the hidden partition becomes inactive.

You asked me to go back to the system restore procedure if the above did not work. I don't have a clean computer to download the file again right now. I had deleted the original rst.sh file from my usb drive because we went away from that course of action a few steps ago.

The xPUD instructions said I can connect to the internet with Firefox if I have an Ethernet connection. I do have an Ethernet connection. However, the internet setup screen does not allow me to type my full pass key. It only allows for a certain amount of characters and my password has more than it allows.

I really need my computer back soon. I could at least access and use Windows before we tried ComboFix. It has been dead in the water since then.

Is there a way that other helpers could let me know exactly what is going on? I need detailed feedback and explanations on everything that is happening. I have seen that other virus removal forum sites have blue screen specialists that take over once the removal process gets to that point. I would even be willing to use a pay site right now.

Thanks for your help. Let me know what I can do from here.
 
Sorry for your frustration; with the severity of infections going around, you're not alone in your situation. Remember what I said about how serious the infections you have are. At this point a format and fresh reinstall of Windows would guarantee that the infection is gone and everything else will run normally, but like you stated you do not have the CD. A good option may be to look around on eBay or Amazon; with the new operating systems out now you may be able to pick up a copy of Windows XP fairly reasonably.

Why don't you post here? All of us forums work together and I will give them a heads up that you're posting, and let's see if they can get you up and running. Be sure to use JoshProto22 so that we can find you.

http://forums.whatthetech.com/index.php?showforum=119


After they get you going, post back here and let's take another look.
 
Go ahead and post at WTT, but if you can do the System Restore thing using xPUD we may be able to get you back up and running.
 
Thanks for the recommendation. I just posted at WTT. I posted under the virus and malware removal section, but now I see that your link had me going to the Windows section. Hopefully this will be OK. Let me know if I should have posted in the Windows area instead.
 
Yep, I moved your post to the Windows forum and sent a PM to one of the helpers that you posted; just hang in and someone will be with you as soon as they can.
 