Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

TDSS Smoked me!


  • This topic is locked This topic is locked
5 replies to this topic

#1 whatevers

whatevers

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:07 AM

Posted 03 September 2009 - 05:21 PM

I have been fiddling around with this infection for two weeks, reading forums, downloading programs, running countless scans, and I STILL can't even locate this malware. So far, it has denied my access to Spybot SD, Hijackthis, and Malwarebytes. It also seems to have revoked my administration privledges for files that the rootkit has "blacklisted".
I have even renamed Malwarebytes as suggested here, and it will open up and update, but as soon as I run a scan it gets shut down and blocked. Obviously, Spyware Doctor won't detect it either. I am looking at a brick wall and desperately need my computer back! HELP!

BC AdBot (Login to Remove)

 


#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:07 PM

Posted 06 September 2009 - 06:51 PM

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 whatevers

whatevers
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:07 AM

Posted 07 September 2009 - 06:22 PM

Okay, when I first open it up I get an error message about not being able to open a picture of some sort. I was only able to scan the Drivers, Processes, and Stealth objects. Everything else forces the program to not respond. After I left it work out the not responding issue on its own, it gave me an error message of 0x0e95ffff, and now it won't locate the file path from the desktop.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/07 19:29
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: dump_diskdump.sys
Image Path: C:\Windows\System32\Drivers\dump_diskdump.sys
Address: 0x8C612000 Size: 40960 File Visible: No Signed: -
Status: -

Name: dump_nvstor32.sys
Image Path: C:\Windows\System32\Drivers\dump_nvstor32.sys
Address: 0x8FC05000 Size: 118784 File Visible: No Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\Windows\system32\Drivers\mchInjDrv.sys
Address: 0xA4114000 Size: 2560 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xA419E000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\Windows\win32k.sys:1
Address: 0x8FC52000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\Windows\win32k.sys:2
Address: 0x8FC57000 Size: 61440 File Visible: No Signed: -
Status: -

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1244 Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: kbiwkmnvmpshri.dll]
Process: svchost.exe (PID: 824) Address: 0x10000000 Size: 57344

==EOF==

#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:07 PM

Posted 07 September 2009 - 06:24 PM

I think it's time to head on over to the HijackThis forum for a closer look.

Preparation Guide for use before posting a HijackThis Log

Go straight to Step 6. If you cannot get DDS to run just post the RootRepeal log.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#5 whatevers

whatevers
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:07 AM

Posted 08 September 2009 - 01:08 PM

Ok, will do. Thanks for the help.

#6 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,801 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:08:07 AM

Posted 08 September 2009 - 09:49 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/256207/rootkittdss-malware-infection/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users