Register a free account to unlock additional features at BleepingComputer.com
TDSS Rootkit


  • This topic is locked
29 replies to this topic

#1 Bdod


  • Members
  • 19 posts

Posted 26 April 2011 - 06:45 PM

Hi! I am new to this forum and, looking through it, I wish I had found it much earlier! I am currently struggling with a rootkit problem that I would really appreciate any help with.

Here's my situation so far:

Last week, I got a TDSS rootkit, and started getting the regular symptoms of computer slowdown and Google redirects. After that, I scanned with AVG and MalwareBytes, and they found some trojans that were supposedly removed. However, the Google redirects persisted. I downloaded TDSSKiller from Kaspersky, and renamed it, but it wouldn't run.

As a result, I downloaded and ran Combofix (I wish I hadn't! I wish I saw the rules on your forum first!); however, after nearing the end of the scan, Combofix popped up with an error message that told me to uninstall AVG first. I had disabled it, but I guess it needed it uninstalled. So I uninstalled it with CCleaner, and then rebooted my computer.

At that point, a BSOD flashed and then a Windows Error screen started up and said there was an error booting my computer. It asked me if I wanted to start the Windows Recovery, and I did. However, that didn't help and I tried system restore, which didn't help either.

I haven't tried anything since then, and I would greatly appreciate any help you could give me. If anything, I would like to get some of my personal documents and files off the computer first before I have to reformat it, if it comes to that. However, right now I can't even get into windows.

Thank you so much for any help you can give me, and I'll be subscribing to this thread so I will be able to reply quickly.

Best Regards,

Ben

#2 teacup61


    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 26 April 2011 - 08:39 PM

Hi Ben,


Don't you worry at all. At the very least you'll be able to get everything you need from the drive, but there's also a good chance we can get you up and running normally again, without losing anything. :thumbup2:

Can you please tell me if you've tried to boot into Safe Mode? I see you said you booted into recovery, but that's different. Also, was there any message at all with the error? You said a BSOD flashed....did you happen to see the error message there?

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 Bdod

  • Topic Starter

  • Members
  • 19 posts

Posted 26 April 2011 - 09:13 PM

Hi Tea,

Thanks very much for the fast reply!

I tried to boot into Safe Mode and it doesn't work either. The BSOD flashes too quickly for me to see the error message. It only appears for half a second and disappears.

Thanks again!

Best Regards,

Ben

#4 teacup61


    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 26 April 2011 - 09:32 PM

One last question, then I'll get something together for you. :) You said you tried System Restore, but it didn't help......did it restore and there was no change? Or did it refuse to restore altogether?

#5 Bdod

  • Topic Starter

  • Members
  • 19 posts

Posted 26 April 2011 - 09:35 PM

I think it refused to restore. There was no indication that a restore occurred, although I selected a System Restore point from a week ago.

Basically, nothing happened and I would restart and the same BSOD came up.

#6 Bdod

  • Topic Starter

  • Members
  • 19 posts

Posted 28 April 2011 - 10:56 PM

Hi! Wanted to give you an update as to some of the things I've tried to get it to start booting over the past two days.

First, I tried using the Kaspersky Rescue Disk 10 loaded on a USB. Ran some scans from it, but no luck in detecting anything.

Then, I went into the System Recovery Tools and went into the command prompt. I typed:

bootsect.exe /FixMbr

This was carried out successfully, and then I restarted. However the blue screen persisted after this too.

I'm completely stumped and would really appreciate any assistance you could give.

Thanks so much, and hope to hear from you soon!

Best,

Ben

#7 Bdod

  • Topic Starter

  • Members
  • 19 posts

Posted 29 April 2011 - 03:15 PM

Hi Tea,

I ran xPUD on my computer after trying to fix the MBR (probably should have done this prior....), but I saved a copy of the mbr.bin on a USB drive and have attached it to this email.

Hope this helps, and looking forward/really hoping to hear back from you soon.

Thanks!

Attached Files

  • Attached File  mbr.zip   577 bytes   1 download
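Before anyone touches the disk, an MBR dump like the attached mbr.bin is usually the first thing a helper reads. The following Python script is an added example, not part of this thread or of xPUD: it parses the 512-byte sector, checks the 0x55AA boot signature and the sanity of the four partition entries, and hashes the boot-code region so it can be compared against a known-good copy (for instance a dump taken before the infection). The sample sectors it works on are constructed inside the script; they are not the poster's dump.

```python
import hashlib
import struct

SECTOR = 512  # an MBR is the first 512-byte sector of the disk


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw MBR dump into boot-code hash, partition entries and signature."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    parts = []
    for i in range(4):                      # four 16-byte entries at offset 446
        off = 446 + 16 * i
        entry = mbr[off:off + 16]
        if not any(entry):                  # all-zero entry: unused slot
            continue
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        parts.append({"index": i, "bootable": entry[0] == 0x80,
                      "type": entry[4], "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": mbr[510:] == b"\x55\xaa",
            "boot_code_sha256": hashlib.sha256(mbr[:446]).hexdigest(),
            "partitions": parts}


def find_anomalies(info: dict, disk_sectors: int, baseline_sha256: str = None) -> list:
    """Return findings worth a closer look; an empty list means nothing stood out."""
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    bootable = sum(p["bootable"] for p in info["partitions"])
    if bootable != 1:
        findings.append(f"{bootable} partitions marked bootable, expected 1")
    for p in info["partitions"]:
        if p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append(f"partition {p['index']} extends past end of disk")
    if baseline_sha256 and info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from the known-good baseline")
    return findings


def build_sample_mbr(boot_code: bytes, entries: list) -> bytes:
    """Constructed test data, not a real disk: entries are (bootable, type, lba, sectors)."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba, count) in enumerate(entries):
        off = 446 + 16 * i
        sector[off], sector[off + 4] = (0x80 if bootable else 0x00), ptype
        struct.pack_into("<II", sector, off + 8, lba, count)
    sector[510:] = b"\x55\xaa"
    return bytes(sector)
```

On a real dump, read the 512 bytes from mbr.bin with `open(path, "rb").read()` and pass the disk's sector count (from the rescue environment) as `disk_sectors`; a boot-code hash that differs from a pre-infection copy is the strongest single hint that the sector was rewritten.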


#8 Bdod

  • Topic Starter

  • Members
  • 19 posts

Posted 29 April 2011 - 07:59 PM

Hello,

Was wondering if this thread was still being watched? It's been 72 hours with no response, so I'm just wondering.

Thanks!

Best,
Ben

#9 Bdod

  • Topic Starter

  • Members
  • 19 posts

Posted 30 April 2011 - 06:17 PM

Bump!

#10 Bdod

  • Topic Starter

  • Members
  • 19 posts

Posted 01 May 2011 - 01:36 PM

Double bump.

My laptop is dying...someone please help me save it! =(

#11 Bdod

  • Topic Starter

  • Members
  • 19 posts

Posted 01 May 2011 - 01:46 PM

Oh sorry, I just noticed the thing about bumping topics. I apologize and won't bump anymore.

#12 teacup61


    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 01 May 2011 - 02:21 PM

Are you done now so we can move on? :)

#13 Bdod

  • Topic Starter

  • Members
  • 19 posts

Posted 01 May 2011 - 03:01 PM

Ahh, yes please. Sorry about the bumps. =/ I haven't done anything since the last posts.

Thanks! =)

#14 teacup61


    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 01 May 2011 - 05:42 PM

Is this an XP? If it is, we'll see about getting a restore point first. I need some logs so I can see what's wrong....don't get rid of xPUD!

#15 Bdod

  • Topic Starter

  • Members
  • 19 posts

Posted 01 May 2011 - 10:10 PM

I'm using Windows 7 right now. I still have xPUD. Which logs would you like to see?
