
Help removing the backdoor.tdss.aru trojan

phantomphantom

FPCH Member
Joined
Jan 13, 2009
PC Experience
Some Experience
Update - I saved the iso and burnt it as test.iso to a cd (does it matter what it's called as it didn't supply a default?)

Turned off computer with cd in and let it boot. It was definitely accessing the cd on bootup and it went straight through to windows fine.

Did a scan with Avira and it found the Boo Sinowal again on Masterboot sector HD1

Was I doing something wrong? Or is there anything else to try?

Thanks for ya continued help. Appreciate it.

Jim




That is correct. Just exit the window where it asks you to put a cd in the drive using the exit button (do not just close the window.) I would simply save it to my desktop.

There is, however one issue.
This is a boot sector repair tool. So once you have burned the ISO you should shut down the pc, put the cd you created into the drive and reboot and follow any directions you may receive. ( I have never seen this tool in action so I have no idea what, if anything , it may ask you to do.)

If that does not work you may have to adjust the boot sequence in your bios. Unfortunately Avira seems to give little by way of instruction on the site.

Before you concern yourself with the bios, however, first see if the program works when you reboot and if not then try it again after a normal reboot and while you are in windows.
 
W

Wolfeymole

Did you go into the bios and change the first boot option to the CDROM first?

At the same time pop the disk in and make sure you save the changes in the bios by pressing usually F10.
 

phantomphantom

FPCH Member
Joined
Jan 13, 2009
PC Experience
Some Experience
Hi Wolfeymole,

Yes I checked again that the Bios was set to boot to cd drive first and it was...

Again it booted up fine from cd straight through to windows.

Should it have written a new boot sector or something?



 

BeeCeeBee

FPCH Long Term Member
Joined
Oct 9, 2008
Well phantom I thought I knew what was wrong but you have already discounted that.

Since I do not know what directions there are for that tool I am going to suggest one more thing.

Try to run the program from the disc while you are in windows. There is a chance that it may need to start from windows and then may direct you to do a restart. That is a guess, pure and simple but it cannot hurt to try.
 

phantomphantom

FPCH Member
Joined
Jan 13, 2009
PC Experience
Some Experience
If I double click on that Iso file it opens up similar to a .rar or .zip file.

In it is a folder called CVS

and once that folder is open it contains the following files:

Template (size 0)
Root (size 55k)
Repository (size 47k)
Entries.Old (size 0)
Entries.Extra.Old (size 0)
Entries.Extra (size 65)
Entries (size 140)


Do you think it's a case of extracting these files and putting them on another cd and giving that a go?



 

RandyL

Administrator
Joined
Jan 22, 2003
Location
USA, Nebraska
PC Experience
Very Experienced
OK Let's try this again. I just tested this and it worked fine for me.

Double click the exe file. Choose to Run.
It will bring up the option to burn to CD and show your optical drive.
Click Burn.
Let it finish.

The disk will now have the folder and files that you listed.

Insert the CD and reboot your computer.
At bootup it will display the text showing what it is doing.
It will not boot into Windows at any time.

It took 14 seconds to finish and show that there was no problem on mine.

If it does not do that then you have not properly set your BIOS to boot from the CD drive first or have not saved the changes.
 

phantomphantom

FPCH Member
Joined
Jan 13, 2009
PC Experience
Some Experience
Ok - I see where I was going wrong - I had burnt the cd as data rather than an image (1st time I've done that - I realise what an iso is now....)

It ran - and detected the boo.sinowal.A but didn't repair it or delete it.

?
 

phantomphantom

FPCH Member
Joined
Jan 13, 2009
PC Experience
Some Experience
It ran a few lines - that said it had found the virus, deleted 0 files and then just went back to the command prompt.



The only option it gave me was right at the beginning to choose English or German language


what exactly did it do?

Did it ask you anything after it scanned?
 

phantomphantom

FPCH Member
Joined
Jan 13, 2009
PC Experience
Some Experience
I haven't got it here - so I'd have to continue tomorrow...

What's the next kind of steps?
 

RandyL

Administrator
Joined
Jan 22, 2003
Location
USA, Nebraska
PC Experience
Very Experienced
Just to add to my post. When the program ends DO NOT power off the computer to quit the program. Remove the disk and use Ctrl-Alt-Delete to restart.
 

RandyL

Administrator
Joined
Jan 22, 2003
Location
USA, Nebraska
PC Experience
Very Experienced
Just a thought here. Exactly where was the file located when it was found?

During or after the scan was a file path listed as to where the infection was located?

The reason I ask is that I have seen Trojans being picked up by scanners that were in the System Restore files. If so then turning System Restore off and turning it back on will purge those files. Be informed though that you will lose all your previous restore points.

Not knowing Avira's AntiVir antivirus program all that well I also wonder if it's scanning its own quarantined files and picking it up on the scans from there.

Let us know what directory the infection was found in please.
 

phantomphantom

FPCH Member
Joined
Jan 13, 2009
PC Experience
Some Experience
Hi,

The Avira isn't that descriptive and I've checked the quarantine and it hasn't moved it to there.

Avira Report:

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[DETECTION] Contains code of the BOO/Sinowal.A boot sector virus
[NOTE] The boot sector was not written!

I ran that bootrepair tool again and it just says:
Virus: The MBR contains a signature of the virus 'Boo/Sinowal.A'

Is there another way to check exactly where it is?

>Be informed though that you will lose all your previous restore points.

What will I lose if this method is followed?

I've now got my windows cd to hand btw

Thanks for your continued help with this one :)


 
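Phantom asks above whether there is another way to check exactly where the infection is. An MBR bootkit such as BOO/Sinowal.A lives in the first 512 bytes of the disk, so one defender-side check is to read that sector, verify its layout and compare its boot code against a known-good copy. The script below is an added example written for this thread, not Avira's tool or anything posted by the members; the sample MBR it builds is constructed inline and the baseline hash is whatever you recorded from a clean machine.

```python
# Added example: parse a 512-byte MBR and compare its boot code (the region an
# MBR bootkit rewrites) against a known-good baseline hash. The sample MBR
# below is constructed for illustration; on a real system you would read the
# first 512 bytes of the physical disk with the disk offline (e.g. from a
# rescue CD) and keep the baseline hash from a machine known to be clean.
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 440      # bytes 0..439: boot code
PART_TABLE_OFF = 446    # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"  # bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Return boot-signature validity, boot-code hash and partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": mbr[510:512] == BOOT_SIG,
            "bootcode_sha256": hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest(),
            "partitions": parts}


def check_against_baseline(mbr: bytes, baseline_sha256: str) -> list:
    """List the findings a defender cares about: bad signature, changed code."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootcode_sha256"] != baseline_sha256:
        findings.append("boot code differs from known-good baseline")
    return findings


def make_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed sample: given boot code, one bootable NTFS partition, 0x55AA."""
    body = bootcode.ljust(BOOTCODE_LEN, b"\x00") + b"\x00" * 6  # disk sig + pad
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 409600)
    return body + entry + b"\x00" * 48 + BOOT_SIG
```

A detection like Avira's "The MBR contains a signature of the virus" is a pattern match on the same 440-byte region; comparing against your own baseline catches any change there, known signature or not.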
W

Wolfeymole

I think at this stage Phantom your best bet is to format the hard drive and do a brand new install of the operating system.

Seeing as this virus seems only to affect the MBR then you should be able to back up your personal stuff safely.

Would you be happy to go down this road?
 

phantomphantom

FPCH Member
Joined
Jan 13, 2009
PC Experience
Some Experience
Just wondered if there is anything else to try - as I write music for a living so have loads of music progs on my system and it takes ages to install them and tweak them for my system.




 
W

Wolfeymole

This is no easy fix Phantom so I suggest you gather all your music .exe's into a folder and burn them to a cd or dvd depending on the size. The same goes for your music, personal stuff etc.

As long as that virus is parked in your MBR you're gonna have trouble and the only way to eradicate it is to format the hard drive completely.
 

Plastic Nev

Deceased - sadly missed
Joined
Oct 19, 2008
Location
Lancashire
Hi Phantom, I know where you are, I am also a musician using stuff like Sibelius, Finale, and other programs, I also have masses of files, so to burn to disk as Wolfey suggested would be a bit of a marathon exercise. I suggest you could buy an external hard drive, and transfer everything musical to that. All programs and other stuff should go straight over and be available to transfer back once the reformat has been done.
I would not recommend a full back up of the system using a program such as Acronis True Image, as that would likely take the virus with it.
I am afraid it would have to be done folder and program at a time.
 

Tootech

FPCH Member
Joined
Oct 16, 2008
In post 35 the Avira program references HDD0 and HDD1.

That appears to mean you have two hard drives connected, and the problem is with HDD1.

Since it has not been mentioned before, can you let us know how many drives you have and if you have Operating Systems installed on both of them.
 