phantomphantom (Author) Posted January 15, 2009
Interesting vid and writings on the Sinowal virus: YouTube - Warning Serious Internet Explorer Torpig Mebroot Sinowal Virus / Phishing scam

RandyL Posted January 15, 2009
OK, let's try this again. I just tested this and it worked fine for me. Double click the exe file. Choose to Run. It will bring up the option to burn to CD and show your optical drive. Click Burn. Let it finish. The disk will now have the folder and files that you listed. Insert the CD and reboot your computer. At bootup it will display the text showing what it is doing. It will not boot into Windows at any time. It took 14 seconds to finish and show that there was no problem on mine. If it does not do that then you have not properly set your BIOS to boot from the CD drive first or have not saved the changes.

phantomphantom (Author) Posted January 15, 2009
Ok - I see where I was going wrong - I had burnt the CD as data rather than an image (1st time I've done that - I realise what an ISO is now....) It ran - and detected the boo.sinowal.A but didn't repair it or delete it. ?

DirtyPolo Posted January 15, 2009
What exactly did it do? Did it ask you anything after it scanned?

phantomphantom (Author) Posted January 15, 2009
It ran a few lines - that said it had found the virus, deleted 0 files and then just went back to the command prompt. The only option it gave me was right at the beginning to choose English or German lang.
> What exactly did it do? Did it ask you anything after it scanned?

DirtyPolo Posted January 16, 2009
Okay, do you have your original Windows XP installation disk?

phantomphantom (Author) Posted January 16, 2009
I haven't got it here - so I'd have to continue tomorrow... What's the next kind of steps?

RandyL Posted January 16, 2009
Just to add to my post. When the program ends DO NOT power off the computer to quit the program. Remove the disk and use Ctrl-Alt-Delete to restart.

RandyL Posted January 17, 2009
Just a thought here. Exactly where was the file located when it was found? During or after the scan was a file path listed as to where the infection was located? The reason I ask is that I have seen Trojans being picked up by scanners that were in the System Restore files. If so then turning System Restore off and turning it back on will purge those files. Be informed though that you will lose all your previous restore points. Not knowing Avira's AntiVir antivirus program all that well I also wonder if it's scanning its own quarantined files and picking it up on the scans from there. Let us know what directory the infection was found in please.

phantomphantom (Author) Posted January 17, 2009
Hi, The Avira isn't that descriptive and I've checked the quarantine and it hasn't moved it to there.
Avira Report:
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[DETECTION] Contains code of the BOO/Sinowal.A boot sector virus
[NOTE] The boot sector was not written!
I ran that bootrepair tool again and it just says:
Virus: The MBR contains a signature of the virus 'Boo/Sinowal.A'
Is there another way to check exactly where it is?
> Be informed though that you will lose all your previous restore points.
What will I lose if this method is followed? I've now got my Windows CD to hand btw. Thanks for your continued help with this one :)
> Just a thought here. Exactly where was the file located when it was found? During or after the scan was a file path listed as to where the infection was located? The reason I ask is that I have seen Trojans being picked up by scanners that were in the System Restore files. If so then turning System Restore off and turning it back on will purge those files. Be informed though that you will lose all your previous restore points. Not knowing Avira's AntiVir antivirus program all that well I also wonder if it's scanning its own quarantined files and picking it up on the scans from there. Let us know what directory the infection was found in please.

Guest Wolfeymole Posted January 17, 2009
I think at this stage Phantom your best bet is to format the hard drive and do a brand new install of the operating system. Seeing as this virus seems only to affect the MBR then you should be able to back up your personal stuff safely. Would you be happy to go down this road?

phantomphantom (Author) Posted January 17, 2009
Just wondered if there is anything else to try - as I write music for a living so have loads of music progs on my system and it takes ages to install them and tweak them for my system.
> I think at this stage Phantom your best bet is to format the hard drive and do a brand new install of the operating system. Seeing as this virus seems only to affect the MBR then you should be able to back up your personal stuff safely. Would you be happy to go down this road?

Guest Wolfeymole Posted January 17, 2009
This is no easy fix Phantom so I suggest you gather all your music .exe's into a folder and burn them to a CD or DVD depending on the size. The same goes for your music, personal stuff etc. As long as that virus is parked in your MBR you're gonna have trouble and the only way to eradicate it is to format the hard drive completely.

Plastic Nev Posted January 17, 2009
Hi Phantom, I know where you are, I am also a musician using stuff like Sibelius, Finale, and other programs, I also have masses of files, so to burn to disk as Wolfey suggested would be a bit of a marathon exercise. I suggest you could buy an external hard drive, and transfer everything musical to that. All programs and other stuff should go straight over and be available to transfer back once the reformat has been done. I would not recommend a full back up of the system using a program such as Acronis True Image, as that would likely take the virus with it. I am afraid it would have to be done folder and program at a time.

Tootech Posted January 17, 2009
In post 35 the Avira program references HDD0 and HDD1. That appears to mean you have two hard drives connected, and the problem is with HDD1. Since it has not been mentioned before, can you let us know how many drives you have and if you have Operating Systems installed on both of them.

phantomphantom (Author) Posted January 17, 2009
I have two drives C: and E: Windows XP is installed on C:
> In post 35 the Avira program references HDD0 and HDD1. That appears to mean you have two hard drives connected, and the problem is with HDD1. Since it has not been mentioned before, can you let us know how many drives you have and if you have Operating Systems installed on both of them.

phantomphantom (Author) Posted January 17, 2009
I had a problem last year when I tried to update my Windows/install 4OD (Channel 4 s/w) and it completely crashed and wouldn't boot up. So I bought a new hard drive and did a clean install of Windows on there. Which is now C: I've just left a message with my brother as he helped sort it - I have a vague memory that Windows was on this E: drive originally. And it was deleted afterwards. I'm checking if that was the case though. Is there a simple way to check? E: is where the majority of all my data is stored.
> What is on the E: drive?

BeeCeeBee Posted January 17, 2009
Simply go to Windows Explorer and see if it still lists system files. Or right click on the drive in My Computer and select Explore.

Guest Wolfeymole Posted January 17, 2009
Well Windows is installed on both drives as there is a Master Boot Record showing on both drives. Because it's not a primary boot drive and will not show as a dual boot you can get your stuff off E: and then format it. Can you tell us what you mean by this please.
> I had a problem last year when I tried to update my Windows/install 4OD (Channel 4 s/w)

phantomphantom (Author) Posted January 17, 2009
Ok kool. That's a bit better than having to install Windows and all my programs again. :) I just need to buy a large external drive so I can copy all my data across. Is there any risk / or how can I stop any virus being copied across to the external drive? I read you can stop Windows autorunning it or something? Even if it's not running from Windows from that drive does the Sinowal trojan still work/continue to be active?
> Well Windows is installed on both drives as there is a Master Boot Record showing on both drives. Because it's not a primary boot drive and will not show as a dual boot you can get your stuff off E: and then format it. Can you tell us what you mean by this please.

Guest Wolfeymole Posted January 17, 2009
The virus is lodged in a MBR of an operating system that is not running Phantom. Make 2 folders, one for executable files and one for your stuff then move them to either C: or an external drive. Then format E: to get shut of the virus once and for all.

phantomphantom (Author) Posted January 17, 2009
Fantastic, I'll give that a go once I've got a drive - thanks for all your help! Really appreciate it. :) You've all been really helpful and prompt (and patient with a newbie). Will defo be donating once I'm on a clean computer! Cheers, Jim
> The virus is lodged in a MBR of an operating system that is not running Phantom. Make 2 folders, one for executable files and one for your stuff then move them to either C: or an external drive. Then format E: to get shut of the virus once and for all.

Guest Wolfeymole Posted January 17, 2009
Ok Jim. Please let us know how you go on and it is our pleasure to help you. :)

mrboss_x Posted January 23, 2009
Boo/Sinowal.A: try Dr.Web CureIt, it works 100% for me to remove the damn Boo/Sinowal.A virus. Hope it useful to u asked