Tidserv B


  • This topic is locked
46 replies to this topic

#1 dantilley

  • Members
  • 29 posts

Posted 20 January 2011 - 11:01 AM

^^^ boopme, thanks for the reply but I can't boot my computer, even in Safe Mode.

I am now actually using my computer though with an Ubuntu LiveCD - first I've heard of this kind of thing and it actually works surprisingly well! I really need my Windows 7 64 Bit back though. Can I run anything in this Ubuntu LiveCD environment which might help?

Edit: To answer your other question, no it isn't on a network, it is a home PC.

Edited by dantilley, 20 January 2011 - 11:02 AM.


#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 20 January 2011 - 11:25 AM

Hello, I had to split you off here into a separate topic. This one needs different attention. I have asked someone who handles this type to look here.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 20 January 2011 - 08:18 PM

Hello and welcome to Bleeping Computer

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.



To start, please reply to this thread so I know you're there.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#4 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 20 January 2011 - 08:38 PM

Hello, I moved this to the Virus, Trojan, Spyware, and Malware Removal Logs forum where it will stay.
Thanks for grabbing this etavares...

#5 dantilley

  • Topic Starter
  • Members
  • 29 posts

Posted 20 January 2011 - 08:42 PM

Hi etavares - thank you for the reply. Yes I'm still here, and many thanks in advance for your help.

FYI I'm now at work and the infected computer is at home. I don't have another working computer at home so it would be a case of checking this site while at work and then trying things out from home. The only other way I can get online from home (that I'm aware of) is if I run my PC using a LiveCD, as I was doing last night with the Ubuntu CDROM.

#6 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 21 January 2011 - 03:57 PM

Ok, please bear with me a bit. I'm used to the xPud Linux environment, but we'll do this in Ubuntu instead of having you create a new bootable disc.

First, I need to know how many hard drives you have on that system. Just one, or more than one? It will change the commands we need to run to back up and analyze your MBR.

I will also warn you that Tidserv.B is a backdoor rootkit that overwrites the Master Boot Record (MBR). We can restore the MBR once we back it up and confirm it's infected.

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please let me know the number of hard drives on that computer.




#7 dantilley

  • Topic Starter
  • Members
  • 29 posts

Posted 21 January 2011 - 08:22 PM

Hi etavares,

Thanks for the advice. I've never done any online banking (or similar) on this PC; in fact I can safely say I've never bought anything online using it either, so no credit card details will ever have been entered on it. I'm willing to have a go at cleaning it anyway.

To answer your initial question, I have one hard drive, one partition on this PC.

#8 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 22 January 2011 - 10:14 AM

That does make it easier in regards to the setup. Ok, let's proceed. We will need a USB flash drive for this. You'll probably also want to print these instructions.

From your WORKING computer:
  • Download Test Disk for Ubuntu from your clean computer.
  • Save it directly to the USB flash drive.
  • Run Utestdisk.exe from the flash drive. It will create a testdisk folder on the flash drive. Please confirm that is there. This is the program that will look at your MBR for us.
  • Please download OpenTerminalHere.exe from your clean computer.
  • Please also save it directly to the flash drive and run it from there. Two files will then appear on the flash drive. This makes running commands a bit easier in Ubuntu.

If either of the above doesn't go as expected, please let me know.

From the INFECTED computer:
  • Boot the sick computer into Ubuntu from the CD.
  • Once it's booted, insert the USB flash drive.
  • Open the file system and navigate to the flash drive and double-click install-right-click.sh to run it. A terminal window will quickly open and close.
  • Next, navigate to the testdisk folder on your flash drive. Right-click in the background (e.g. not on file) and select Scripts -> Open Terminal Here.
  • At the prompt type sudo testdisk/testdisk_static and press Enter (all lowercase, please). The testdisk window will open.
  • The TestDisk command window will open
  • Choose Create and press Enter
  • TestDisk will now detect all local hard drives
  • Use the arrow (up and down) keys to highlight the disk called /dev/sda if it represents your primary hard drive and press Enter
  • If you're not sure then note everything you see and post it for my review
  • Select Intel (even if you have an AMD processor) and press Enter
  • Select Advanced and press Enter
  • Select [Boot] and press Enter
  • Select [Dump] and press Enter
  • Select [Quit] to exit
  • A log will be created in the root of the usb device
  • Next, navigate back to the flash drive in the main directory of it (e.g. not in testdisk). Right-click on the background and select Scripts -> Open Terminal Here.
  • At the prompt type sudo dd if=/dev/sda of=mbr.bin bs=512 count=1 exactly as shown and press Enter. You should now have mbr.bin on your flash drive. Make sure to double-check for errors when you type it in.

Please plug that flash drive into the working computer and copy/paste the contents of the testdisk log here. Please also attach MBR.bin to your reply. If that doesn't work (e.g. if BIN files are banned), please ZIP it then attach it.



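The steps above produce two artifacts: a TestDisk dump of the boot sector and an `mbr.bin` image written by `dd if=/dev/sda of=mbr.bin bs=512 count=1`. The following script is an added example (not code from the thread, TestDisk, or BleepingComputer) showing what an analyst checks in such an image: that the 512 bytes end in the `55 AA` boot signature, what the four partition-table entries say, and, given a known-good copy of the same MBR, whether the bootstrap code has been replaced while the partition table was left intact, which is the pattern an MBR-overwriting rootkit such as the Tidserv family described above leaves behind. The file names `mbr.bin` and `mbr-known-good.bin` and the embedded sample images are assumptions constructed for the demo; the "clean" and "tampered" boot-code bytes are synthetic stand-ins, not real Windows or malware code.

```python
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445 hold the bootstrap code
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow
PARTITION_ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR image into boot code, partition entries and signature check."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entry = mbr[off:off + PARTITION_ENTRY_SIZE]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", entry)
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,          # 0x07 = NTFS/exFAT, the usual Windows 7 type
            "lba_start": lba_start,
            "sectors": sectors,
        })
    boot_code = mbr[:BOOT_CODE_SIZE]
    return {
        "boot_code": boot_code,
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[510:512] == MBR_SIGNATURE,
    }


def compare_mbr(current: bytes, known_good: bytes) -> dict:
    """Report which region differs between the live MBR and a trusted backup."""
    cur, ref = parse_mbr(current), parse_mbr(known_good)
    return {
        "signature_ok": cur["signature_ok"],
        "boot_code_changed": cur["boot_code"] != ref["boot_code"],
        "partition_table_changed": cur["partitions"] != ref["partitions"],
    }


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic single-partition MBR image (sample data, not a real disk)."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")
    # One bootable type-0x07 partition at LBA 2048 spanning 1,000,000 sectors; CHS fields zeroed.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 1_000_000)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return code + table + MBR_SIGNATURE


# Constructed stand-ins for the bootstrap area; neither is real boot code.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"
TAMPERED_BOOT_CODE = b"\xeb\x3e\x90\x00\x00\x00\x00"


def main(argv):
    if len(argv) == 3:
        # usage: python mbr_check.py mbr.bin mbr-known-good.bin   (file names assumed)
        with open(argv[1], "rb") as f:
            current = f.read(SECTOR_SIZE)
        with open(argv[2], "rb") as f:
            known_good = f.read(SECTOR_SIZE)
    else:
        current = build_sample_mbr(TAMPERED_BOOT_CODE)
        known_good = build_sample_mbr(CLEAN_BOOT_CODE)
    info = parse_mbr(current)
    print("signature ok :", info["signature_ok"])
    print("boot code    :", info["boot_code_sha256"])
    for p in info["partitions"]:
        print(f"partition {p['index']}: bootable={p['bootable']} type=0x{p['type']:02x} "
              f"start={p['lba_start']} sectors={p['sectors']}")
    verdict = compare_mbr(current, known_good)
    print("boot code changed      :", verdict["boot_code_changed"])
    print("partition table changed:", verdict["partition_table_changed"])


if __name__ == "__main__":
    main(sys.argv)
```

With the sample data the script reports a changed boot code and an unchanged partition table. An unchanged partition table is why the system still finds its volumes and the disk looks normal from inside the OS; only a comparison of the raw boot code against a trusted copy, or against a backup taken before the infection, reveals the overwrite, which is the purpose of the `dd` backup requested above.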

#9 dantilley

  • Topic Starter
  • Members
  • 29 posts

Posted 22 January 2011 - 12:05 PM

Hi,

OK great, thank you very much for your help, I'll do all this on Monday, which is the earliest opportunity I will have to gain access to a clean computer. So I'll paste the contents of the log file here some time on Monday evening.

#10 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 22 January 2011 - 12:37 PM

Sounds good. You can post directly from Ubuntu at home if you want.




#11 dantilley

  • Topic Starter
  • Members
  • 29 posts

Posted 24 January 2011 - 08:49 AM

Hi,

OK, no joy I'm afraid. I did all the steps on my clean computer at work, now at home on the sick computer (I'm on it now, posting from Ubuntu LiveCD), when I try to run install-right-click.sh it just opens in a text editor. Right clicking on it doesn't seem to present any options other than opening it in OpenOffice, open with text editor, cut/copy, etc. Is this supposed to be an executable file or similar? Doesn't seem to be recognised as such anyway.

Any ideas?

#12 dantilley

  • Topic Starter
  • Members
  • 29 posts

Posted 24 January 2011 - 09:01 AM

Managed to run it actually - I had to copy the install-right-click.sh file onto my desktop first (still within Ubuntu LiveCD environment) and then ran it from there. I'm navigating back in the Flash drive now and ready to take the next steps. Right-clicked already and seen that the Scripts option is now in the right-click menu.

Any issue with having to copy the file to the desktop first, do you think?

Edited by dantilley, 24 January 2011 - 09:02 AM.


#13 dantilley

  • Topic Starter
  • Members
  • 29 posts

Posted 24 January 2011 - 09:10 AM

OK, nope, this time I definitely am stuck. I get this when typing sudo testdisk/testdisk_static:

sudo: testdisk/testdisk_static: command not found

Should I have run the exes (UTestDisk.exe and OpenTerminalHere.exe) on the infected computer rather than the clean computer?

Any other ideas / solutions?

#14 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 24 January 2011 - 04:40 PM

No, from the clean computer...it just extracts the necessary files to the flash drive. Odd that it's handling the USB differently. Try copying the testdisk folder to the Ubuntu computer, open that folder, right-click in the background to open a terminal window and try the sudo command in there.




#15 dantilley

  • Topic Starter
  • Members
  • 29 posts

Posted 24 January 2011 - 07:02 PM

Nope, still no joy. By the way, I had to go into the properties and tick the following for the install-right-click.sh file in order to get it to work: "Allow executing file as program". Whenever I tried to tick this on the USB drive it didn't allow it, but it worked when copied onto the desktop. However, the terminal window commands still don't work. Should I do anything similar on the other file permissions? I tried it already with the testdisk_static file by the way and it makes no difference (tried it both ticked and un-ticked, neither works).

This is what I see when I try to run the sudo testdisk/testdisk_static command from a folder on my desktop called USB:

Posted Image

Edited by dantilley, 24 January 2011 - 07:03 PM.




