BleepingComputer.com: Malware Activity: TDSS Rootkit infection


Malware Activity: TDSS Rootkit infection
Rootkit infection redirecting search, Windows 7 shutdown/restart errors

#1 anotherTDSSvictim
  • Group: Members
  • Posts: 5
  • Joined: 26-January 12

Posted 26 January 2012 - 01:19 AM

My laptop has got infected with the TDSS rootkit. The Google and Bing searches get redirected to random sites. Windows 7 does not shut down/restart correctly. Also, the Windows 7 Startup Repair does not work. After Startup Repair fails, the system sometimes restarts automatically, or I have to choose a previous restore point. I suspect the virus came in while downloading a C/C++ compiler, Cygwin. Also, it suddenly changed all my files and folders on C: to "Hidden". Although I could unhide all of those, the other problems still persist. I have run the AVG antivirus software; however, it has changed some of my local temp files, which is further giving shutdown problems. I have attached the DDS logs. The operating system is Windows 7 Professional 64-bit, so I have not run GMER.

Please help.


This post has been edited by hamluis: 26 January 2012 - 12:19 PM
Reason for edit: Moved from Win 7 to Malware Removal Logs.


#2 CatByte
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Location: Canada

Posted 26 January 2012 - 08:45 PM

Hi,

Did you previously find the link and run unhide.exe yet? If not, please run it:

Please download Unhide.exe to your desktop:
  • Double-click on the Unhide.exe icon on your desktop and allow the program to run.
  • This program will remove the hidden attributes from all the files on your system.
  • Note: If you had purposely hidden any files, then you will need to hide them again after this tool has run.




NEXT



  • Please download aswMBR.exe and save it to your desktop.

  • Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)

  • When asked if you want to download Avast's virus definitions please select Yes.

  • Click Scan

    • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.

    • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

The help you receive here is free. If you wish to show your appreciation, then you may [image link].
Microsoft MVP - 2010, 2011

#3 anotherTDSSvictim
  • Group: Members
  • Posts: 5
  • Joined: 26-January 12

Posted 26 January 2012 - 11:59 PM

Hello CatByte,

I had previously used the Windows folder options to unhide all files and folders, and it seems to have worked OK. So I have not executed Unhide.exe.

I have attached the files you have mentioned.

Also, I noticed that my NetBeans is not working (all other s/w seem OK). Also, when I uninstalled Java and restarted my laptop, it worked fine and did not go into Startup Repair, unlike before. However, I had to do a system restore, and so Java is installed. I think the virus got in through the Cygwin software while I was trying to execute a C++ compiler.

I am now also facing the problem of not being able to uninstall or reinstall NetBeans, and it isn't working as well. It gives the error org.netbeans.installer.utils.exceptions.UninstallationExceptions: Cannot get the installation files list. More information in the log file 20120126234034

The searches (Google and Bing) still get redirected.

Thank you for all your help.


This post has been edited by anotherTDSSvictim: 27 January 2012 - 12:01 AM


#4 CatByte
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Location: Canada

Posted 27 January 2012 - 12:03 AM

Hi,

Please execute unhide.exe, as this infection can sometimes move necessary files to the temp folder, which are removed when the temp is emptied.

Please run junction.exe while I am looking through the logs.

Let's see if permissions have been changed on NetBeans.

  • Please download Junction.zip and save it to your desktop.
  • Unzip it and put junction.exe in the Windows directory (C:\WINDOWS).
  • Now go to Start > Run to open a run box > Copy and paste the following command in the open run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt


  • A command window will open and the system will be scanned.
  • Wait until a log file opens.
  • Copy and paste or attach the content of it in your next reply

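For readers who want to see what the junction scan above is looking for, here is a PowerShell check added as an illustration; it is not part of CatByte's instructions and not the Sysinternals junction tool. It walks a drive without descending into reparse points and lists every directory junction or symbolic link together with its target, so a program folder that has been silently redirected to a temp location stands out. The function name Find-ReparsePoints and the default root C:\ are assumptions.

```powershell
# Added example (not from the thread): enumerate junctions and directory
# symbolic links below $Root and report where each one points.
function Find-ReparsePoints {
    param([string]$Root = 'C:\')   # assumed default, scan the system drive

    $stack = New-Object System.Collections.Stack
    $stack.Push($Root)

    while ($stack.Count -gt 0) {
        $dir = $stack.Pop()
        try {
            # -Force includes hidden directories, which matters here because
            # the infection in this thread set the Hidden attribute on everything.
            $children = Get-ChildItem -LiteralPath $dir -Directory -Force -ErrorAction Stop
        } catch {
            continue   # access denied or similar: skip this directory
        }
        foreach ($d in $children) {
            if ($d.Attributes -band [IO.FileAttributes]::ReparsePoint) {
                # Report the reparse point, but do not descend into it: following
                # junctions is how a scan ends up in a loop or scanning C:\ twice.
                [PSCustomObject]@{
                    Path   = $d.FullName
                    Type   = $d.LinkType            # Junction or SymbolicLink
                    Target = ($d.Target -join ';')  # string[] on PS 5.1, string on PS 7
                }
            } else {
                $stack.Push($d.FullName)   # real directory: keep walking
            }
        }
    }
}

# Run from an elevated prompt; review any entry whose Target is under a
# Temp folder or otherwise outside the program's normal install path.
Find-ReparsePoints -Root 'C:\' | Sort-Object Path | Format-Table -AutoSize
```

Windows itself ships a number of junctions (for example the legacy "Documents and Settings" and "Application Data" compatibility links under C:\ and C:\Users), so expect some entries on a clean system and compare against them rather than treating every hit as malicious.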

#5 anotherTDSSvictim
  • Group: Members
  • Posts: 5
  • Joined: 26-January 12

Posted 27 January 2012 - 01:02 PM

Hi,

I had to uninstall the JDKs, as my computer had problems in shutdown/restart while the JDK was installed. Without it, it seems to shut down/restart properly.

I have executed unhide.exe. When I try to execute junction, the command prompt opens for a split second and disappears. However, if I only run cmd, the command prompt opens up and stays visible.

This post has been edited by anotherTDSSvictim: 27 January 2012 - 01:32 PM


#6 CatByte
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Location: Canada

Posted 27 January 2012 - 03:16 PM

Did you save junction.exe to C:\Windows?


Please run the following:

Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here

  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------

  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------


NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

#7 anotherTDSSvictim
  • Group: Members
  • Posts: 5
  • Joined: 26-January 12

Posted 29 January 2012 - 12:04 AM

Hi CatByte,

Is there a chance my system may crash after executing ComboFix? If so, is there any safer way to remove the rootkit infection?

#8 CatByte
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Location: Canada

Posted 29 January 2012 - 09:03 AM

Yes, there is a chance; however, this is the safest way I know.

#9 anotherTDSSvictim
  • Group: Members
  • Posts: 5
  • Joined: 26-January 12

Posted 04 February 2012 - 02:44 AM

Hello CatByte,

I did not run ComboFix; I have reformatted my machine now. Thank you for all your help.

#10 CatByte
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Location: Canada

Posted 04 February 2012 - 08:42 AM

OK,

Thanks for letting me know.

Hope everything is OK now.

#11 CatByte
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Location: Canada

Posted 04 February 2012 - 08:42 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.