Win32.TDSS.RTK


This topic is locked
6 replies to this topic

#1 BigJohnny

Posted 25 August 2009 - 08:51 AM

I apologize if this is the wrong place but I'm in such a desperate spot I really need help to fix this problem.

A couple of days ago my computer began just shutting down.... namely when I plugged in my USB drive, then it simply stopped being able to boot up into Windows, it would get as far as the loading screen, the mouse/KB would flicker, then it would quit.

I ran Spybot and determined I have TDSS.RTK... I have been doing MUCH reading and have done many things at this point, but nothing seems to work.

I will try and detail the processes here as best I can but I'm at work and not supposed to be doing this.

My computer at this point will ONLY start in safe mode.

After running Spybot, I "removed" the virus, and it still wouldn't work. So I began looking through devices, I've removed "LEGACY_TDSSServ" entries from the registry, except for some entries that can't be removed and I can't give myself permission to remove. "tdssserv.sys", the entries seem to be empty.

I've uninstalled the device from the hidden devices area of the device manager, I've run malwarebytes (yes it loaded) and a2, which has removed a lot of stuff but fails to fix the problem.

I have a new HD, that was unpartitioned, I unplugged my old HD (I thought it had died) and plugged the new one in. I popped in MiniPE so I could prepare the drive.
As it was loading, I got a warning stating that my bootsector would be modified, I allowed it (stupidly) as I thought it was part of MiniPE.... Windows begins to install on the new drive, gets as far as "Installing Devices" and halfway through that process quits.... so I've also corrupted/infected a new hard drive and can't install Windows on it.

I'm going to try and format the new drive when I get home and see if I get anywhere with that, but if this virus is on any of my other 4 hard drives (it must have been to somehow modify the boot sector on a totally new drive) plugging them in will infect me again, but there are 720GB of data on those drives that I need to save before I could format them.


I had posted this problem on another forum, below I have quoted my posts on that board detailing what I've done. It has been cut down, so as to include only information relevant to the problem... I had originally suspected bad hardware so that was also a part of the discussion.... I now know it's not bad hardware.

I can't install Windows on a new drive, with the old one removed...... I've also tried with my other 4 HDs all disconnected as well.

When using a live CD (a PE environment such as MiniPE and similar) the same thing happens, it gets to the loading screen and then conks out, just after my keyboard and mouse flicker (lights) after being loaded.

I suspect USB, just before this started it would just shut down when I inserted my USB flash drive.


Scanning with Spybot turns up win32.tdss.... which apparently is a rootkit or uses such technologies....so I removed it with that, and this gets me thinking now too.

When I installed the new unpartitioned HD, I got a warning when booting up that the MBR will be modified, continue? This was when loading MiniPE as it was the first thing I popped in with the new HD, so I could set it up.

I figured it was MiniPE doing something to the boot track so I allowed it.

If this is an effect of the rootkit, how was it able to modify the boot track on a totally new drive....this happened when loading MiniPE, and with an HD with no partitions......

Would a format /mbr fix it perhaps?


Spybot seems to have removed it and my computer will now start in regular mode.

I did also uninstall a bunch of stuff, so my big concern here right now is, can I fix the brand new HD I have, so that windows will install on it, and since I will be formatting this one, how can I make sure I've cleaned it all off of this one?

Obviously it was able to linger behind somehow when I removed this drive entirely, and plugged in the new one, so I'm really lost there...... but I gotta nail this and find a good but lightweight AVS to go with Spybot.


Spoke too soon..... it was running then shut down and had the same symptoms again.

There are registry entries for Legacy.TDSS that I can't delete cause it won't let me, and it's referencing TDSSserv.sys that I can't find, and I have all hidden files and system files visible too.


Going through device manager, showing hidden devices and looking under non-plug and play devices yielded results... I "uninstalled" the device driver for this thing, and am now running Malwarebytes.

I also went through the registry and deleted the LEGACY_TDSSSERV entries by granting myself permissions to do so (the device changes permissions so you can't delete it).

I will see what happens after this.


I tried Malwarebytes and it worked a bit but now detects nothing after "fixing it" and I'm still having problems.
Tried using recovery console to no avail.


If it's on my flash drive how the hell do I get it off of there?? Same with my other drives, cause obviously it was somehow on one of those when I installed this new drive.... this new drive was installed with no partitions, and using a live CD, and it still crapped out... then I popped in the Windows CD, and it craps out during the device installation.

So I can easily format the new drive, redo the partitions, and leave my other drives disconnected, but if it does work after that, I need to reconnect my other drives without infecting the new one......

This would leave me a 40GB drive for data backup, and over 720GB of data to backup in order to be able to format my 4 other hard drives.

I've disabled the service through the recovery console, used Spybot and Malwarebytes to remove it, deleted the registry entries, fixed the boot record and boot sector, still the bloody thing is loading somehow.

I haven't formatted this drive yet, as I don't want to end up with absolutely no access to the internet, if it ends up infecting a new install from the old drives.

At least this way I can use safe mode and have the internet available....something has to remove this and be able to leave me using this install so it can clean it from ALL my drives.


POSTED BY NITEMARE
http://www.avira.com/en/support/support_downloads.html

Try the rootkit tool, and/or the rescue system. My usual procedure is to run AntiVir after turning heuristics on high, then run Malwarebytes Anti-Malware, and that usually cleans it all up.


So the rootkit removal tool tells me it can't run because it isn't configured properly.....same error each time, even new downloads.

a2 found other stuff (reflexive/popcap games/insaniquarium are viruses??) but nothing for tdss....


So that's it up to this point I think.

Please help, I need to get rid of this...


#2 BigJohnny

Posted 25 August 2009 - 11:51 AM

Did I put this in the wrong place?? I can't even find it manually in these forums. (HijackThis forum)

#3 garmanma

Posted 25 August 2009 - 01:51 PM

There is a new variant of the rootkit out that needs to be handled in a special way.
Please read and follow these instructions.


Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

The HJT team is very busy and it will take awhile to get to your post.
Please be patient and good luck.
Mark

#4 BigJohnny

Posted 25 August 2009 - 04:25 PM

Thanks I will get on those right now. And I wanted to apologize for posting in the wrong area, I ended up finding a bunch of threads in there relating to what I have, but I was at work and had limited time to go through the board and find the appropriate place, I realized after that was for logs.

btw, why can't I find this topic through the forum..... I've looked through 7 pages and didn't see this topic anywhere.

#5 BigJohnny

Posted 25 August 2009 - 04:32 PM

OK... I've run into a hitch, scr files are set up as screen saver files. I'm currently stuck running in only safe mode, and the file basically has no association, so when I try to open it, Windows wants to know what program should open the file.

I need to setup an association but don't know which program should be running it.

Got it to run.... had to use cmd.

Edited by BigJohnny, 25 August 2009 - 05:42 PM.


#6 BigJohnny

Posted 25 August 2009 - 08:05 PM

That stuff is done.

I'm beginning to think this has gotten into my BIOS or something.

On my new HD, I popped in a win98 boot disk, and ran fdisk, dropped the partition, and left it at that.
There were no other drives connected to my computer at this time, it was simply one new HD and a windows 98 boot cd, that had not previously been used.

Upon deleting the partition I had created earlier, I immediately received a warning saying that the boot sector is about to be modified. This time I did not allow it.

So at this point the new HD should have no partition, and henceforth, no data on it, Including the previously half finished windows install that quit every time it tried to install devices.

I rebooted the computer, and instead of being asked to boot from CD like it always does, it booted directly to the unfinished Windows install, and continued it, crashing once again after getting halfway through "Installing Devices" (it ALWAYS happens just after my mouse and keyboard flash/flicker while being loaded).

So on a drive with no apparent partitions, the previous Windows install was able to continue.

Explain that?! I hadn't re-created the partitions at this point, so this shouldn't have happened.

Also of note is the fact that with ALL of my HD's disconnected, attempting to run MiniPE again results in the same thing, it gets to its loading/splash screen and then quits.

So how bad is this?? Am I going to ever be able to get Windows installed and running again??? Will the 720GB of stuff I have on my other hard drives be able to be saved? Those drives are storage only and have no active Windows installs on them.... no installs period.

#7 Orange Blossom

Posted 25 August 2009 - 08:25 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/252452/win32tdssrtk-new-variant/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom