tdsskiller wrecked my computer


  • Please log in to reply
5 replies to this topic

#1 E3E3


Posted 09 October 2010 - 01:30 AM

For a while now, my comp has needed to have the DHCP started manually, and recently I've needed to start other services like Themes and Audio manually too. So yesterday I googled it and read that TDSSKiller should fix my problem. It found 2 threats. It recommended to skip the 2nd one and cure the first one. After restarting, all services worked fine. But after like 2 hours it got a blue screen. I opened it a 2nd time and same thing. Worked fine until it'd been on for a few hours. Then the third time I tried to start up my PC the loading screen showed up and almost right after it appears it blue screens. I've tried opening it since and it always goes to the bluescreen. I have a log from the TDSSKiller that I've gotten access to with Higgins boot disk. The file that was "cured" was cdrom.sys and I can find out what the skipped file was. I'm using Windows XP Media Center and I really don't want to have to recover my comp. Thanks for any help!


#2 quietman7


Posted 09 October 2010 - 08:51 AM

Blame the malware infection, not the tool used to remove it.

TDSS, TDL3/TDL4 (Backdoor.Tidserv) are the third and fourth generations of TDSS, which uses rootkit technology to hide itself on a system by infecting system files/drivers like atapi.sys, which is a common target because it loads early during the boot process and is difficult to detect. Newer variants, however, can target a number of other legitimate drivers in the Windows drivers folder. Common symptoms/signs of this infection include:
  • Google search results redirected as TDL3 modifies DNS query results.
  • Infected (patched/forged) files in the Windows drivers folder.
  • Slowness of the computer and poor performance.
  • Multiple instances of IEXPLORE.exe in Task Manager.
  • Internet Explorer opens on its own.
  • BSODs that occur immediately after splash screen appears.
For more specific analysis and explanation of the infection, please refer to: TDL3: The Rootkit of All Evil?

Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by backdoor Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data, which is sent back to the hacker.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


Edited by quietman7, 09 October 2010 - 08:56 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
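One of the symptoms listed above, patched or forged files in the Windows drivers folder, can be checked for from the defender's side. The following PowerShell is an added example, not part of the thread or of TDSSKiller; it assumes Windows PowerShell 3 or later, an elevated session, and (because a kernel rootkit can hide or spoof what the live system reports) ideally a run from offline boot media against the mounted system volume, passing that volume's drivers path in -DriversPath.

```powershell
# Added example: report .sys files in the drivers folder whose Authenticode
# signature is missing or no longer matches the file contents.
# Assumptions: Windows PowerShell 3+, run as Administrator; when run from
# boot media, point -DriversPath at the mounted volume (e.g. D:\Windows\System32\drivers).
function Get-SuspectDrivers {
    param(
        [string]$DriversPath = (Join-Path $env:SystemRoot 'System32\drivers')
    )
    Get-ChildItem -Path $DriversPath -Filter '*.sys' -File |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Name      = $_.Name
                Status    = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
                Signer    = $sig.SignerCertificate.Subject  # $null when unsigned
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                LastWrite = $_.LastWriteTimeUtc
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

# HashMismatch on a Microsoft-named driver (atapi.sys, cdrom.sys, ...) is the
# strongest signal: the file still carries a Microsoft signature but its bytes
# no longer match it, which is what an in-place driver patch looks like.
# NotSigned alone is weaker: on Windows 7 and earlier many legitimate drivers
# are signed only through a catalog (.cat) file, which this cmdlet does not
# consult there, so compare such files against a known-good copy before acting.
Get-SuspectDrivers | Sort-Object Status, Name | Format-Table -AutoSize
```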

#3 E3E3


Posted 12 October 2010 - 06:01 PM

My computer got bluescreens only AFTER I ran TDSSKiller, so I doubt it was because it was compromised. And even if it was, I can't reformat it because the computer came with Windows and I have no Windows CD. I've already backed up everything, so how can I reformat it without a Windows CD?

#4 quietman7


Posted 12 October 2010 - 08:20 PM

Crashes (BSOD), unexpected shutdowns, sudden freezing, random restarting, and booting problems could be symptomatic of a variety of things to include hardware/software issues, overheating caused by a failed processor fan, bad memory (RAM), failing or underpowered power supply, CPU overheating, motherboard, video card, faulty or unsigned device drivers, CMOS battery going bad, BIOS and firmware problems, dirty hardware components, programs hanging or unresponsive in the background, and sometimes malware. Rootkits in particular can trigger a BSOD, various stop error messages and crashes before or during disinfection. TDSS uses rootkit technology.

If you're using an IBM, Sony, HP, Compaq, Toshiba, Gateway or Dell machine, you may not have an original CD. By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. Also be sure to read Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead. If you lost or misplaced your recovery disks, again you can contact and advise the manufacturer. In many cases they will send replacements as part of their support.

Edited by quietman7, 12 October 2010 - 08:21 PM.


#5 E3E3


Posted 16 October 2010 - 09:12 PM

I have the install disc, but it goes to a blue screen when I try to use it. Any suggestions?

#6 quietman7


Posted 18 October 2010 - 10:03 AM

If you need assistance with reformatting or partitioning, you can start a new topic in the Operating Systems subforum.

When Windows detects a problem from which it cannot recover, it displays Stop Error Messages which contain specific information that can help diagnose and resolve the problem detected by the Windows kernel. An error message can be related to a broad number of problems such as driver conflicts, hardware issues, read/write errors, and software malfunctions and malware. In Windows XP, the default setting is for the computer to reboot automatically when a fatal error or crash occurs. You may not see the error code because the computer reboots too fast.

An easier alternative is to turn off the automatic reboot feature so you can actually see the error code/STOP Message when it happens - this is also known as the Blue Screen Of Death (BSOD). To change the recovery settings and disable the Automatic Restart on System Failure in Windows XP, go to Start > Run, type: sysdm.cpl and click OK to open System Properties.

Alternatively you can just press WINKEY + Pause/Break keys to bring up System Properties.
  • Go to the Advanced tab and under "Startup and Recovery", click on the "Settings" button and go to "System failure".
  • Make sure "Write an event to the system log" is checked and that "Automatically restart" is unchecked.
  • Click "OK" and reboot manually for the changes to take effect.
This can also be done in the Windows Advanced Options Menu as shown here by pressing the F8 key repeatedly like you would do for entering safe mode.

-- Vista users can refer to these instructions: How To Disable the Automatic Restart on System Failure in Windows Vista.
-- Windows 7 users can refer to these instructions: How To Disable the Automatic Restart on System Failure in Windows 7.

Doing this won't cure your problem but instead of crashing and restarting you will get a blue diagnostic screen with an error code and other information to include file(s) that may be involved which will allow you to better trace your problem. Write down the full error code and the names of any files/drivers listed, then provide that information in your new thread to help determine the cause. Without that specific information, helpers would only be guessing rather than troubleshooting.

Edited by quietman7, 18 October 2010 - 10:04 AM.

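The "Startup and Recovery" steps above write two registry values, and once automatic restart is off the Stop code is also kept in the System event log. The following PowerShell is an added example, not part of the thread; it assumes an elevated session and Windows PowerShell 3 or later, and the event source names for the bugcheck entry are assumed from memory rather than taken from the post.

```powershell
# Added example: registry equivalent of the System Properties > Startup and
# Recovery > System failure settings, plus retrieval of recorded Stop codes.
# Assumptions: run as Administrator, Windows PowerShell 3+.
$crash = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Get-CrashControl {
    $p = Get-ItemProperty -Path $crash
    [pscustomobject]@{
        AutoReboot = $p.AutoReboot   # 1 = restart silently after a Stop error
        LogEvent   = $p.LogEvent     # 1 = write the bugcheck to the System log
    }
}

function Disable-AutoRestartOnFailure {
    # Weak (default) setting: AutoReboot=1, so the box reboots before anyone can
    # read the Stop code. Corrected: AutoReboot=0 (stay on the blue screen) and
    # LogEvent=1 (keep a record even if nobody is at the console).
    Set-ItemProperty -Path $crash -Name AutoReboot -Value 0 -Type DWord
    Set-ItemProperty -Path $crash -Name LogEvent   -Value 1 -Type DWord
    Get-CrashControl
}

function Get-RecentBugChecks {
    param([int]$Newest = 5)
    # With LogEvent=1 each crash leaves an Event ID 1001 entry whose message
    # carries the Stop code, its parameters and the dump path. Assumed source
    # names: "BugCheck" on Vista and later, "Save Dump" on Windows XP.
    foreach ($src in 'BugCheck', 'Save Dump') {
        Get-EventLog -LogName System -Source $src -Newest $Newest -ErrorAction SilentlyContinue |
            Select-Object TimeGenerated, Source, EventID, Message
    }
}

'Before:'; Get-CrashControl
'After:';  Disable-AutoRestartOnFailure
'Recorded Stop errors:'; Get-RecentBugChecks | Format-List
```

The Message field of each 1001 entry holds the same Stop code and file names the post asks you to write down from the blue screen, so it can be quoted in a new thread without having to catch the crash live.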
