TDSS infection


14 replies to this topic

#1 mysticduck

mysticduck

  • Members
  • 35 posts
  • OFFLINE
  • Gender:Male
  • Location:Southern Oregon
  • Local time:10:21 AM

Posted 12 January 2011 - 06:32 PM

So I've got a computer that won't boot. When I take the HD and put it into another computer I own, Bitdefender says there is an infection named "Rootkit.MBR.TDSS.A" (boot image.) BD denies access to the file but won't remove it. I've run the Dr. Web and Avira live cd's to no effect. Running MBAM on it now, but I'm pretty sure it won't fix it. I could fix the stupid thing if it would boot. Trying to avoid a full wipe/rebuild of the MBR. Any suggestions/ideas?
Stultorum infinitus est numerus


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:21 PM

Posted 12 January 2011 - 07:46 PM

Hello and welcome. I moved this to the Am I Infected forum, as you did not post the required logs for this one and your topic will get passed.

We need to run this on that drive also.
Post this and your MBAM log and tell me how it is.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 mysticduck


Posted 12 January 2011 - 07:56 PM

Thanks for the help. You said

We need to run this on that drive also.

Not sure what "this" is. MBAM failed to find anything, running a BD scan now, found 1 item so far, fingers crossed.

Am I correct in assuming that since MBAM found 0 infections you don't really need to see the log?

Edited by mysticduck, 12 January 2011 - 07:58 PM.


#4 boopme


Posted 12 January 2011 - 08:06 PM

Sorry, MBAM = MalwareBytes

and I forgot this...

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

Edited by boopme, 12 January 2011 - 08:07 PM.


#5 mysticduck


Posted 12 January 2011 - 08:42 PM

Sorry, miscommunication. Knew what MBAM was. It didn't find anything. TDSSKiller won't scan anything but C:, and since this drive won't boot it is currently set as I:. Any other ideas?

#6 boopme


Posted 12 January 2011 - 09:20 PM

Do you have an install disk? Is this XP?

#7 mysticduck


Posted 12 January 2011 - 09:35 PM

I run a computer shop so I've got all sorts of stuff. XP, BSODs with a 0x0000007b, hence it being hooked up to a different machine ATM.

#8 boopme


Posted 12 January 2011 - 09:40 PM

I will ask someone to look here that starts these non-booters. Though I am sure they won't reply today.

#9 mysticduck


Posted 13 January 2011 - 12:30 PM

As an update, Bitdefender found 5 bugs, none of them being the MBR.TDSS infection.

#10 boopme


Posted 13 January 2011 - 03:15 PM

So is this machine booted, as you can run Bitdefender?
What was found?

#11 mysticduck


Posted 13 January 2011 - 03:23 PM

The drive itself will not boot in any machine. I have it hooked to an eSATA port on a backup machine I have. The backup machine has Bitdefender, so I scanned the infected drive with it for the heck of it, and since BD detects the rootkit when I plug the drive in. If I can't get it figured out soon I'm just gonna wipe it, rebuild the MBR and start over.

#12 boopme


Posted 13 January 2011 - 03:30 PM

OK, I just wanted to check. In all honesty, if you have the disks, why not just nuke and repave? In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action. Then you will not have to fret about missing anything.

#13 mysticduck


Posted 13 January 2011 - 03:37 PM

Been seeing this infection pop up more and more and was hoping to find a way to just fix it. In this case I know it's just the MBR that is infected, so was hoping for an easier fix than a format. If anyone has any more ideas that would be great, if not no skin off my teeth. Thanks for your help boopme.

#14 boopme


Posted 13 January 2011 - 03:43 PM

Ok, then hold on for that other person to reply. You're welcome.

#15 mysticduck


Posted 13 January 2011 - 07:30 PM

Got the infection removed. Ended up booting to the XP CD, running a recovery console and using "fixmbr" to replace the infected MBR with a new one. Got it up and running now, gonna run TDSSKiller and MBAM and go from there. Thanks again.
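The thread ends with fixmbr rewriting the infected MBR. What that does, and why the offline scan from the backup machine could see the infection in the first place, is easier to follow with the sector's layout in hand. A classic MBR is one 512-byte sector: 440 bytes of bootstrap code, a 4-byte disk signature, 2 reserved bytes, a 64-byte partition table and the 0x55AA boot signature. An MBR rootkit such as TDSS overwrites the bootstrap region; fixmbr rewrites that same region and leaves the partition table alone, which is why the disk's partitions survive the repair. The script below is an added example (not code from the thread, from BleepingComputer or from either poster) that parses a raw sector, hashes the bootstrap code and reports which region differs from a known-good copy. It assumes the sector was already read from a machine that was not booted from the suspect drive, as mysticduck did; the MBR bytes and the disk signature in it are constructed for illustration, not taken from any real disk.

```python
"""Split a 512-byte MBR into its fields and flag a changed bootstrap region.

Added example for this thread, not from BleepingComputer or either poster.
All MBR bytes and signatures below are constructed for illustration.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 440        # bytes 0..439: bootstrap code (what fixmbr rewrites)
DISK_SIG_OFF = 440         # 4-byte Windows disk signature
PART_TABLE_OFF = 446       # four 16-byte partition entries, bytes 446..509
BOOT_SIG_OFF = 510         # 0x55AA boot signature, bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte sector into its MBR fields."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0:  # partition type 0 means the entry is unused
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap_sha256": hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "partition_table": mbr[PART_TABLE_OFF:BOOT_SIG_OFF],
        "valid_boot_signature": mbr[BOOT_SIG_OFF:] == b"\x55\xaa",
    }


def compare_mbrs(reference: bytes, suspect: bytes) -> dict:
    """Report which regions differ between a known-good MBR and a suspect one."""
    ref, sus = parse_mbr(reference), parse_mbr(suspect)
    return {
        "bootstrap_changed": ref["bootstrap_sha256"] != sus["bootstrap_sha256"],
        "partition_table_changed": ref["partition_table"] != sus["partition_table"],
        "boot_signature_ok": sus["valid_boot_signature"],
    }


def build_sample_mbr(bootstrap_fill: int) -> bytes:
    """Constructed toy MBR: filler bootstrap code and one active NTFS partition."""
    bootstrap = bytes([bootstrap_fill]) * BOOTSTRAP_LEN
    disk_sig = struct.pack("<I", 0x1234ABCD)           # constructed disk signature
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0])      # active, type 0x07 (NTFS), CHS zeroed
    entry += struct.pack("<II", 2048, 204800)          # LBA start, sector count
    table = entry + b"\x00" * 48                       # three unused entries
    return bootstrap + disk_sig + b"\x00\x00" + table + b"\x55\xaa"


# Constructed scenario: CLEAN_MBR stands in for a known-good sector (e.g. the
# one fixmbr writes); INFECTED_MBR has its bootstrap region replaced while the
# disk signature, partition table and boot signature are left intact.
CLEAN_MBR = build_sample_mbr(0x90)
INFECTED_MBR = bytes([0xEB]) * BOOTSTRAP_LEN + CLEAN_MBR[BOOTSTRAP_LEN:]


def triage() -> dict:
    """Compare the constructed suspect sector against the constructed clean one."""
    return compare_mbrs(CLEAN_MBR, INFECTED_MBR)


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
    print("partitions still present:", parse_mbr(INFECTED_MBR)["partitions"])
```

On a real case the reference hash comes from a known-good MBR of the same OS, and the sector is read from a second host or a live CD, since an active MBR rootkit can hide its own sector from tools running on the infected system. A result of "bootstrap changed, partition table unchanged" is exactly the situation fixmbr addresses; a changed partition table calls for a backup before any repair.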
