Fix for Boot.Tisderve.B and/or IE redirection


  • This topic is locked
25 replies to this topic

#1 Seedtart

Posted 05 February 2011 - 02:58 AM

Sequence of events:

The first appearance of a virus came via an Internet Explorer redirection from a selection from a Google search. This kept recurring.
The second thing that appeared was a security virus alert which showed a window with a virus alert, and then it asked me if I wanted to fix it and then finally to buy software. I kept cancelling, and the final result was that I could not execute any program because it told me that it had a virus.
I tried many virus programs: Avast, McAfee and finally Norton, which seemed to remove the virus alert, but the redirection remains.
After a number of scans I finally ended up doing a Norton scan with their boot disc, and this found one Trojan which it fixed and a second Trojan called Boot.Tisderve.B which Norton could not repair. Any Norton scan in normal mode or safe mode does not detect this virus. It can only be found by booting from a recovery disc.
The internet redirection is still occurring. I do not know whether it is the Boot.Tisderve.B which causes it or something else. Norton's web support site has suggested I use your site for help.
I also had trouble running your GMER software, as this crashed my machine and gave me a blue screen with an error (damage to my machine??) and shut down.
Attached files: Attach.txt (13.58 KB), DDS.txt (14.13 KB)


#2 Baabiouz (Finnish Malware Fighter)

Posted 05 February 2011 - 05:14 AM

Hello! My name is Baabiouz and I'll be glad to help you! :thumbup2:
Let's start with ComboFix; it should solve most of the problems in this case.

Install Recovery Console and Run ComboFix

Download ComboFix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • [screenshot: Recovery Console installation prompt]
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [screenshot: Recovery Console installed message]
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

#3 Seedtart

Posted 05 February 2011 - 05:22 PM

Thanks Baabiouz,

Ran ComboFix and loaded the recovery console, and while running it came up with the message "Rootkit - TDL3 is detected". My machine was restarted and ComboFix continued and went through a number of scans, completed I think about 50, and then it crashed the machine with a blue screen and a page of text with a message which I could not read quickly enough. Then the machine restarted. I have since run IE and Google searches and linked to them OK. It appears that the problem has been fixed, but I will continue to monitor if there are any issues.

I HIGHLY APPRECIATE THE PROMPT RESPONSE AND HOPEFULLY A PERMANENT FIX YOU PROVIDED. I WILL RECOMMEND YOUR SITE AS MUCH AS I CAN.

THANK YOU VERY MUCH!!!!!

#4 Baabiouz

Posted 06 February 2011 - 04:52 AM

Hello

It's not sure that your computer is clean yet. Please check if you can find Combofix log C:\Combofix.txt and post it back here :)

#5 Seedtart

Posted 06 February 2011 - 03:43 PM

I could not find the file you suggested. My computer crashed (blue screen) and did not complete ComboFix properly.

What next?
Thanks

#6 Baabiouz

Posted 06 February 2011 - 03:54 PM

Hello

You can try to run it again. Let's also have Malwarebytes' Anti-Malware:

Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware here and save to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
    Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.


#7 Seedtart

Posted 07 February 2011 - 02:50 PM

Hi Baabiouz,

Thanks again for your help. Ran ComboFix again and got to complete Stage 50 and crashed, blue screen, and restarted with a serious error message. Then ran the Malwarebytes software as you suggested and I have attached the log file. I again ran ComboFix with the same result. I have also attached a screen dump of the error produced after it restarted itself after the blue screen. I hope this all helps. Please let me know what is next.
Thanks
Seedtart

#8 Baabiouz

Posted 08 February 2011 - 03:11 AM

Hello

Can you attach the mini020811.dmp file? (You can see the path in the error screen.bmp.)

#9 Seedtart

Posted 08 February 2011 - 04:46 AM

Baabiouz,
I cannot find the file in the path in the error .bmp, but found it in C:\Windows\Minidump. There seemed to be at least four of these files. I have tried to attach the file and got the following message: "Error: You aren't permitted to upload this kind of file".
Seedtart

#10 Baabiouz

Posted 08 February 2011 - 04:48 AM

You can upload files to, for example, rapidshare.de and post the link here.

#11 Seedtart

Posted 08 February 2011 - 05:00 AM

I hope this works


http://rapidshare.com/files/446815322/Mini020811-01.dmp

#12 Baabiouz

Posted 08 February 2011 - 07:26 AM

Hello

Catchme crashes in ComboFix. It's not possible to run ComboFix without GMER, so please post a fresh DDS log back here :)

#13 Seedtart

Posted 09 February 2011 - 02:46 AM

Hello,

I ran DDS and have attached the log file.
I ran GMER and I got a blue screen and the message BAD_POOL_HEADER, and I have the dmp file link below.

http://rapidshare.com/files/446970995/Mini020911-02.dmp

Seedtart

Attached file: DDS.txt (12.38 KB)
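The helper asked for the minidump files from C:\Windows\Minidump to see what drove the crashes, and the last one reported here is BAD_POOL_HEADER. As an added example, not part of this thread and not code from ComboFix, GMER or any other tool mentioned in it, the following Python script reads the fixed DUMP_HEADER at the front of a Windows kernel dump and reports the bugcheck code and its four parameters, which is the first thing an analyst pulls from such a file before opening it in a debugger. The field offsets are those of the DUMP_HEADER structure for 32-bit ("PAGEDUMP") and 64-bit ("PAGEDU64") dumps; the sample header returned by build_sample_header is constructed for offline testing and is not the file uploaded in this thread, and the bugcheck name table is only a small subset of the real list.

```python
import os
import struct

# Bugcheck codes: 0x19 is the BAD_POOL_HEADER reported in this thread; the
# others are common codes, included so the helper is useful on other dumps.
BUGCHECK_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x19: "BAD_POOL_HEADER",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0xC2: "BAD_POOL_CALLER",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}

# Field offsets in the kernel DUMP_HEADER. The bugcheck fields follow four
# pointer-sized fields (DirectoryTableBase, PfnDataBase, PsLoadedModuleList,
# PsActiveProcessHead), so they sit 0x10 bytes later in the 64-bit layout.
LAYOUTS = {
    b"PAGEDUMP": {"bits": 32, "machine": 0x20, "code": 0x28, "params": 0x2C, "pfmt": "<4I"},
    b"PAGEDU64": {"bits": 64, "machine": 0x30, "code": 0x38, "params": 0x40, "pfmt": "<4Q"},
}
HEADER_BYTES_NEEDED = 0x60  # enough to cover the 64-bit bugcheck parameters


def is_kernel_dump(data: bytes) -> bool:
    """True if the bytes start with a kernel dump signature (user-mode MDMP files do not)."""
    return data[:8] in LAYOUTS


def parse_dump_header(data: bytes) -> dict:
    """Return version, machine type and bugcheck code/parameters from the header bytes."""
    if len(data) < HEADER_BYTES_NEEDED:
        raise ValueError("need at least 0x60 bytes of the dump file")
    layout = LAYOUTS.get(data[:8])
    if layout is None:
        raise ValueError("not a Windows kernel dump (signature %r)" % data[:8])
    major, minor = struct.unpack_from("<II", data, 0x08)       # MajorVersion, MinorVersion (build)
    machine, ncpu = struct.unpack_from("<II", data, layout["machine"])
    code = struct.unpack_from("<I", data, layout["code"])[0]
    params = struct.unpack_from(layout["pfmt"], data, layout["params"])
    return {
        "bits": layout["bits"],
        "major_version": major,
        "build": minor,
        "machine_type": machine,
        "processors": ncpu,
        "bugcheck_code": code,
        "bugcheck_name": BUGCHECK_NAMES.get(code, "UNKNOWN_0x%X" % code),
        "bugcheck_params": params,
    }


def summarize(hdr: dict) -> str:
    """One line in the style of the blue-screen text: name, code and the four parameters."""
    params = ", ".join("0x%X" % p for p in hdr["bugcheck_params"])
    return "%s (0x%08X), params %s, build %d, %d-bit" % (
        hdr["bugcheck_name"], hdr["bugcheck_code"], params, hdr["build"], hdr["bits"])


def scan_minidump_dir(path: str) -> list:
    """Summarize every *.dmp in a directory (e.g. C:\\Windows\\Minidump), skipping non-dumps."""
    results = []
    for name in sorted(os.listdir(path)):
        if not name.lower().endswith(".dmp"):
            continue
        with open(os.path.join(path, name), "rb") as f:
            head = f.read(HEADER_BYTES_NEEDED)
        if len(head) < HEADER_BYTES_NEEDED or not is_kernel_dump(head):
            results.append((name, "not a kernel dump"))
            continue
        results.append((name, summarize(parse_dump_header(head))))
    return results


def build_sample_header(code: int, params: tuple, bits: int = 32) -> bytes:
    """Constructed test input, not a real dump: a header with only the fields above filled in."""
    sig = b"PAGEDUMP" if bits == 32 else b"PAGEDU64"
    layout = LAYOUTS[sig]
    buf = bytearray(b"PAGE" * (HEADER_BYTES_NEEDED // 4))  # real headers pad unused bytes with "PAGE"
    buf[0:8] = sig
    struct.pack_into("<II", buf, 0x08, 0xF, 2600)  # free build, build 2600 (XP era, constructed)
    struct.pack_into("<II", buf, layout["machine"], 0x14C if bits == 32 else 0x8664, 1)
    struct.pack_into("<I", buf, layout["code"], code)
    struct.pack_into(layout["pfmt"], buf, layout["params"], *params)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1 and os.path.isdir(sys.argv[1]):
        for name, info in scan_minidump_dir(sys.argv[1]):
            print(name, ":", info)
    else:
        # Constructed BAD_POOL_HEADER sample; the parameter values are made up.
        sample = build_sample_header(0x19, (0x20, 0x8A1B2C38, 0x8A1B2C40, 0x0A080000))
        print(summarize(parse_dump_header(sample)))
```

Run it as `python dumphdr.py C:\Windows\Minidump` on the machine (or on a copy of the folder) to get one line per file; only the first 0x60 bytes of each file are read, so it is safe to point at large full dumps as well. The code and parameters are the same values WinDbg prints in its "Bugcheck Analysis" banner, and for BAD_POOL_HEADER the first parameter identifies the kind of pool corruption, which is the clue the helper needs to tie the crash to the driver catchme/GMER was probing.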

#14 Baabiouz

Posted 09 February 2011 - 03:12 AM

Hello

Let's run OTL first and then use its fix to remove the baddies.

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open; copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

#15 Seedtart

Posted 09 February 2011 - 03:38 AM

Ran programs as requested.
http://rapidshare.com/files/446975092/OTL.Txt
http://rapidshare.com/files/446975067/Extras.Txt

Seedtart
