Win7/vista machine flasshing cursor fix?

[ThanatosOfOne]

I have had 6 machines brought in since Friday that will not boot, only give a flashing cursor in the top left corner. It acts for the world like an MBR issue. All the standard MBR fixes (startup repair, bootrec, bootsect, EasyBCD, MS DaRT, etc) do absolutely nothing. Bootrec /ScanOS actually cannot find an installed copy of windows.

It appears to be a variant of the TDSS/Alureon rootkit/bootkit.

The only "fix" that I have found is to ghost the drive to an image, load it up on another drive, run the startup repair, then ghost back to the old drive. This works, but seems like a ton of extra time to deal with this.

I can only guess that maybe there is still more code hidden in the MBR that points it to maybe some super secret hidden partition and then back to the MBR. There has got to be an easier way to fix this BS, and I hope that one of you guys could maybe point me to a quick fix.

 

[arrow_runner]

I've had to put a copy of bootmgr on the root of several drives this year and run the bootrec commands after that. It works but the loading screen changes so I'm sure it's more of a 'workaround' than a '100% repair' but it's sufficient and works just the same.

 

[ThanatosOfOne]

Bootmgr is on the root of C: on the one that is on my desk currently, so that fix won't work for the current batch of crap that I have.

 

[arrow_runner]

Make sure it's a good copy. I also forgot that I had to open diskpart and tell it that the C: 'volume' should be the active 'volume'. Hope that helps

 

[ThanatosOfOne]

Good copy, and I have made sure it's active, even set it active with other tools. Normally that would fix it, but this appears to be something weird and new.

 

[shamrin]

It appears to be a variant of the TDSS/Alureon rootkit/bootkit.

Try slaving the drive and running TDSSkiller from Kaspersky. I've got one here and that seems to be the only thing that finds it. Unfortunately, that machine has come back to me with a re-infection after a 4 days. This may be a user issue but it's occurred to me that there could be something deep in the MBR.

 

[ThanatosOfOne]

TDSS killer says they are clean. I believe it as well. Thanks for the input though.

 

[ThanatosOfOne]

If anyone cares, it was a hidden partition that my version of TDSSkiller couldn't find, Updated it and and it found and killed the hidden partition, at which point the standard startup reapair could fix it. You must click "change parameters" and make sure the "detect TDLFS file system" box is checked.

 

[cypress]

Very nice thank you for that information! ^

 

[WDHIII]

Anyone know why 'detect TDLFS file system' is not checked by default? What is the harm in looking for it everytime I run TDSSKiller?

Thanks Wil