
Yup - Another TDSS Rootkit Problem


This topic is locked. 46 replies to this topic.

#1 BickBC (Members, 28 posts)

Posted 28 April 2010 - 01:12 AM

Hi, I've had this problem for probably a few weeks now. At first, Google redirected links to various sites, but that has since stopped. I have scanned my computer using Shaw Secure (F-Secure), Malwarebytes, Hitman Pro, SpyBot & MSE (only installed to scan, I've uninstalled it). They found a few random things and removed them, but the problem is still there.

Shaw Secure detects it in serial.sys and some other .sys files in the drivers folder but cannot clean it (it'll come back anyways). Once in a while, a random link will open up in Firefox (like once a day). I've done some scans so hopefully it's a good start.

Attached are HJT and OTL logs.



Edited by BickBC, 28 April 2010 - 01:15 AM.



#2 Blind Faith (Malware Response Team, 4,101 posts)

Posted 02 May 2010 - 03:53 PM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle
Can you hear it? It's all around!

Do you remember?
If you do, then
can you forgive?



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 BickBC (Topic Starter, Members, 28 posts)

Posted 03 May 2010 - 12:27 AM

Alright. I already made logs yesterday, but I redid the DDS one as I didn't disable my internet (just in case). Here they are.




#4 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 05 May 2010 - 05:37 PM

Hello, BickBC.

OK, the GMER log is clean, so it's either a FP, or GMER didn't see it. Let's take a deeper look.



Step 1
  1. Please download MBR.EXE by GMER. Save the file in your root directory. (C:\)
  2. Open Notepad and copy and paste the text in the codebox below (excluding the word Code) into Notepad.
    CODE
    @echo off
    cd\
    mbr.exe -t
    start mbr.log
  3. Next, select File --> Save As, change file type to All Files (*.*), and save it as fixme.bat in your c:\ folder.
  4. Open your c:\folder and double-click on fixme.bat. A logfile will open (C:\mbr.log). Please paste the contents in your next reply.



Step 2

You must first verify that you can logon to the Windows Recovery Console.
To do so, you must have the Recovery Console installed or use the Windows XP installation cd.

How to install and use the Windows XP Recovery Console


Next, please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Console.
Execute the following command at the x:\windows> prompt (the x represents your operating system drive letter, usually C):

batch look.bat




You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.
Please run maxlook.exe again now. Note - you must run it only once!
It will produce looklog.txt on the desktop and open it.
Please post the results here.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#5 BickBC (Topic Starter, Members, 28 posts)

Posted 05 May 2010 - 11:37 PM

I do not have the Windows XP installation CD. What can I do? This wasn't originally my computer.

Edit: My antivirus has stopped detecting it for around a week now, is it possible it's "self-destructed" or something? The file it usually detected as infected hasn't been modified since April 24 (it would usually be modified whenever the computer was on). My mouse still freezes sometimes and makes the plug in/out noise, something that has been happening since then.

Edited by BickBC, 05 May 2010 - 11:43 PM.


#6 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 06 May 2010 - 05:18 PM

Hello, BickBC.
Please click on the following link to go to Microsoft's website.
http://support.microsoft.com/kb/310994

At that page, scroll down and click on the appropriate download for your version of Windows XP (Home or Professional) and the service pack level that you have installed. When you click on the link to download the file, make sure you save it directly to your desktop. If you are using Windows XP Service Pack 3 (SP3), then select the Service Pack 2 download. If you are using Windows XP Media Center, then you should select the Windows XP Pro Service Pack 2 download. If you are unsure what version of Windows you have and what Service Pack is installed, you can follow these instructions to gain that information.
  1. Click on the Start button.
  2. Click on the Run option.
  3. Type sysdm.cpl and then hit OK.
  4. A screen will appear showing information about your Windows installation. Under the System category you should see your Windows version and the installed service pack. Write this down and proceed to download the correct version as above.

Once the Microsoft file has finished downloading, you should drag it on top of the ComboFix icon and let your mouse button go. This is shown in the following image.
[Image in the original post: the downloaded file being dragged onto the ComboFix icon]

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Windows Recovery Console has finished installing, ComboFix will open a prompt stating that it was installed and asking if you would like to proceed with scanning your computer; please select NO to cancel the scan.

With that, please run both steps above.

etavares




#7 BickBC (Topic Starter, Members, 28 posts)

Posted 06 May 2010 - 06:35 PM

So I must download SP2 and not the one that my computer currently has?

#8 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 06 May 2010 - 06:42 PM

Yes...you have Windows XP SP3, but the recovery console for SP2 works for SP3. So, download and use the one for SP2.




#9 BickBC (Topic Starter, Members, 28 posts)

Posted 07 May 2010 - 12:46 AM

I ran maxlook, rebooted and I didn't expect the selection screen to be so quick so I didn't have a chance to select the Recovery Console - it just went straight into XP. I rebooted again and this time I was aware, but it wouldn't let me select the console. Should I open maxlook again and try again or would that mess something up?

#10 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 08 May 2010 - 08:09 AM

Hi...please don't run MaxLook again. Unfortunately the recovery console is critical to seeing the rootkit, since GMER didn't see it.

What happened to not let you select the recovery console? E.g. it was there, but it was too fast the second time, or it was there, but you couldn't select to boot there?





#11 BickBC (Topic Starter, Members, 28 posts)

Posted 08 May 2010 - 12:44 PM

It was there but I couldn't select it.

#12 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 08 May 2010 - 03:02 PM

Are you on a wired or wireless keyboard? If a wireless keyboard, it's quite possible that the drivers aren't loading. Please let me know. If you had the XP CD, we'd just use that, but since you don't, if we can't get into the recovery console the next step is a very large download I'd like to avoid unless we have to.




#13 BickBC (Topic Starter, Members, 28 posts)

Posted 08 May 2010 - 09:12 PM

It's wired. What would happen if I opened maxlook again?

#14 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 09 May 2010 - 07:14 AM

Hello, BickBC.
Without doing the step in the recovery console, maxlook is useless. We also can't replace the corrupted file easily without it. Let's create a bootable CD. After you have successfully burned the OTLPE ISO to disc you will need to transfer the disc to the CD drive of your sick computer and boot from it.
  • Insert the CD-ROM into the CD-ROM drive, and then restart the computer.
  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-Rom drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
    • Your PC should now boot from your CD.
    • Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  • Please be patient as "Windows" loads...you'll think it's locked up, but it's not. Go get a water or a coffee.
  • Your system should now display a REATOGO-X-PE desktop.
  • Double click on the icon on your desktop.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
    • Copy and Paste the following code into the textbox. Do not include the word "code".

      Please note: Double click the Firefox Icon on the desktop to connect to this thread if you have a Wired connection otherwise you can use a flash drive and copy this script into a txt file from a clean computer to transfer to this computer.

      CODE
      netsvcs
      msconfig
      safebootminimal
      safebootnetwork
      activex
      drivers32
      %ALLUSERSPROFILE%\Application Data\*.
      %ALLUSERSPROFILE%\Application Data\*.exe /s
      %APPDATA%\*.
      %APPDATA%\*.exe /s
      %SYSTEMDRIVE%\*.exe
      /md5start
      userinit.exe
      winlogon.exe
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      serial.sys
      nvstor32.sys
      nvrd32.sys
      ahcix86s.sys
      symmpi.sys
      adp3132.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
    • Push
    • When finished, the file will be saved in drive C:\OTL.txt
    • Please copy and paste the contents of the C:\OTL.txt file in your next reply.
    • Copy this file to your USB drive if you do not have an internet connection.
etavares

Edited by etavares, 09 May 2010 - 07:14 AM.


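The /md5start ... /md5stop section of the OTL script in the post above asks the tool, while booted from the OTLPE CD, to hash a fixed list of system drivers (serial.sys among them, the file the original poster's AV flagged) so the helper can compare them with known-good copies; a kernel rootkit that patches a driver in place can hide the change from tools run on the infected Windows, but not from a hash taken offline. The Python below is an added example, not OTL's code and not from the thread: it parses that section of the script and checks each listed driver against a known-good MD5 baseline. The script fragment, the driver contents and the baseline are constructed for the demo; a real baseline would have to come from a clean install of the same Windows version and service pack.

```python
import hashlib
import os
import tempfile
# Constructed fragment of the OTL script posted in the thread; only the md5 block is used.
OTL_SCRIPT = """drivers32
/md5start
atapi.sys
serial.sys
iaStor.sys
/md5stop
"""

def parse_md5_targets(script):
    """Return the file names listed between /md5start and /md5stop."""
    names, inside = [], False
    for line in (raw.strip() for raw in script.splitlines()):
        if line.lower() in ("/md5start", "/md5stop"):
            inside = line.lower() == "/md5start"
        elif inside and line:
            names.append(line)
    return names

def check_drivers(drivers_dir, targets, baseline):
    """Hash each target in drivers_dir and compare with a known-good baseline
    ({lowercase name: md5}). Returns {name: 'ok'|'MODIFIED'|'missing'|'no-baseline'}."""
    report = {}
    for name in targets:
        path = os.path.join(drivers_dir, name)
        if not os.path.isfile(path):
            report[name] = "missing"        # driver not present on this install
            continue
        with open(path, "rb") as f:
            digest = hashlib.md5(f.read()).hexdigest()
        known = baseline.get(name.lower())
        if known is None:
            report[name] = "no-baseline"    # nothing trustworthy to compare against
        else:
            report[name] = "ok" if digest == known.lower() else "MODIFIED"
    return report

def demo():
    # Constructed drivers folder: clean atapi.sys, tampered serial.sys, no iaStor.sys.
    clean_atapi = b"constructed clean atapi.sys bytes"
    clean_serial = b"constructed clean serial.sys bytes"
    baseline = {"atapi.sys": hashlib.md5(clean_atapi).hexdigest(),
                "serial.sys": hashlib.md5(clean_serial).hexdigest()}
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "atapi.sys"), "wb") as f:
            f.write(clean_atapi)
        with open(os.path.join(d, "serial.sys"), "wb") as f:
            f.write(clean_serial + b" + appended patch")  # stands in for an infected driver
        return check_drivers(d, parse_md5_targets(OTL_SCRIPT), baseline)

if __name__ == "__main__":
    print(demo())
```

Run against a real drivers folder mounted from a clean boot, any driver reported as MODIFIED is the one to replace from a trusted source, which is what the recovery-console step in the thread is working toward.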


#15 BickBC (Topic Starter, Members, 28 posts)

Posted 10 May 2010 - 03:08 PM

Alright well I think my post was deleted, but anyways I'm trying to download the .iso again since it wouldn't finish downloading yesterday after numerous attempts. Can I use ImgBurn to burn the .iso? Also, why do I need the bootable CD to use OTL?

Couldn't I open maxlook and try to see if it lets me select the recovery console again?

Edited by BickBC, 10 May 2010 - 03:09 PM.




