
Rootkit.TDSS.TDL4 Infected MBR how do i remove it ?

26 replies to this topic

#1 MooMooCakes (Members, 16 posts)

Posted 01 May 2011 - 06:06 AM

Hello,

Yesterday my computer was compromised by a fake antivirus. It replaced my background with a blue screen, disabled Task Manager and turned off my real-time shields for Avast. When I removed the fake AV I could not run Avast properly, as I could not turn the shields back on for some reason, so I downloaded a new antivirus which I know is also good. Anyway, I thought I was rid of it, then noticed my browser was being redirected when I made a search on Google. After some research on a google.com forum I downloaded a piece of software called Hitman Pro 3.5 which detected it as a TDL3 variant (this was before I realized to use the AVG rootkit scan). Malwarebytes and TDSSKiller didn't pick it up. It's probably ill advised, but I downloaded the GMER and DDS tools and saved their logs, if they're still needed, since I know it's definitely in the MBR. The main thing is: how do I repair the MBR?


#2 MooMooCakes (Topic Starter, Members, 16 posts)

Posted 01 May 2011 - 08:16 AM

Just like to note I don't have the Windows XP recovery disk, lost it.. I find it ridiculous that Microsoft don't offer one for download.

#3 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 01 May 2011 - 10:28 AM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

Please post DDS.txt, Attach.txt and your GMER log for me.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#4 MooMooCakes (Topic Starter, Members, 16 posts)

Posted 01 May 2011 - 01:12 PM

OK, there are all the files. Sorry for the late reply.

Attached Files



#5 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 01 May 2011 - 03:57 PM

MooMooCakes:

P2P - I see you have P2P software (uTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to malware infections. Please see this post for more information. I recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs. If you choose to keep these applications, please do not use them until our fixes at BC are complete.

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - ComboFix will not run until AVG is uninstalled. This is because AVG falsely detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first. You may do this through Control Panel > Add/Remove Programs or you can use this tool for a more complete removal:

Download AppRemover from here saving it to your desktop.
  • Double click to run AppRemover
  • Follow the prompts to remove AVG
  • Reboot
Once you've removed AVG with this tool please continue with these instructions
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • ComboFix log



#6 MooMooCakes (Topic Starter, Members, 16 posts)

Posted 01 May 2011 - 06:23 PM

Here's the log

Attached Files



#7 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 01 May 2011 - 06:31 PM

MooMooCakes:

Please run this next:

Download aswMBR.exe ( 511KB ) to your desktop.
  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply.
Please include the following in your next post:
  • aswMBR log



#8 MooMooCakes (Topic Starter, Members, 16 posts)

Posted 01 May 2011 - 06:33 PM

Before ComboFix rebooted the PC and did its thing, it told me to take a note of c:\windows\system32\drivers\sptd.sys, just to inform you.

#9 MooMooCakes (Topic Starter, Members, 16 posts)

Posted 01 May 2011 - 06:36 PM

Here's the log

Attached Files



#10 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 01 May 2011 - 06:36 PM

OK, we may have cross posted - look up in case you missed my last instructions.



#11 MooMooCakes (Topic Starter, Members, 16 posts)

Posted 01 May 2011 - 06:44 PM

I don't mean to sound idiotic, but I'm not clear what instructions I have not followed correctly.

#12 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 01 May 2011 - 06:46 PM

Hi,

Run aswMBR again. If the "Fix" option is available, do this:

  • Click the FIX button,
  • There is a slight pause after clicking the 'Fix' button.
  • Wait for the tool to report 'Infection fixed successfully', now reboot the machine.
  • Rebooting the machine prematurely, before seeing this line will result in an incomplete fix.

    Note: After the 'Infection fixed successfully' message appears, the machine may become unresponsive. You may have to do a hard boot of your machine. That may be a side effect from the fix. All will be well after the reboot.
  • Save the log as before and post in your next reply.

If the Fix button is not available, let me know and we will go a different route.



#13 MooMooCakes (Topic Starter, Members, 16 posts)

Posted 01 May 2011 - 06:51 PM

Fix button is unavailable

#14 MooMooCakes (Topic Starter, Members, 16 posts)

Posted 01 May 2011 - 07:01 PM

Friends told me the computer crashed when logging into the profile at "loading personal settings". Not sure if he's messed it up; he went on about using fixmbr or something like that at bootup. Can it still be repaired with that in mind, or does this make the situation more icky? I did tell him to leave it be... sorry if this causes any inconvenience.

#15 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 01 May 2011 - 07:02 PM

MooMooCakes:

OK - Just to clarify, you didn't do anything wrong. We were both posting at the same time and I was afraid you missed my instructions.

Your PC is infected with a rootkit, one that is attached to the Master Boot Record (MBR) of your hard disk. We usually have a good amount of success when it comes to fixing the MBR, but the MBR is a delicate area and there is a possibility of data loss and/or complete PC failure if the disinfection process does not work. Please back up any important data before proceeding.

Please also understand that some PCs have their own proprietary MBR that offer you the ability to boot directly into a Factory Restore Utility. Fixing this proprietary MBR can cause you to lose the ability to boot into the Factory Restore Utility.

Please look over these instructions before you begin and let me know in advance if you have any questions or concerns.

Open Notepad and copy/paste the text in the quotebox below into it:

@echo off
rem save a copy of the current MBR of the first disk to MBR_backup.dat before any repair is attempted
MBR.exe -c 0 1 MBR_backup.dat

Save this as dump.bat. Choose "Save type as - All Files".
Double click on dump.bat & allow it to run. Two files should be placed on your desktop; add the MBR_backup.dat as an attachment to your next post BEFORE you continue with the rest of the instructions.

Once you've posted that file, continue with these instructions:

Earlier on ComboFix installed the Recovery Console. We're going to use that now. Please print and read the instructions and ask any questions you have before you start:

Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"
(you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the windows XP bootup)

When you get to the Recovery Console screen that lists your Windows installations, take note of the number that references your operating system.
If it's '1', type 1 and press Enter

It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter.


Next type FIXMBR


If it asks if you're sure you want to write a new MBR, answer 'Y'

Then type EXIT to reboot the machine.

Let me know once you've successfully completed these steps.

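The post above has the user dump the MBR to MBR_backup.dat before FIXMBR rewrites it. As an added example (not code from this thread, nor from mbr.exe, aswMBR or ComboFix), here is a small Python parser for such a 512-byte dump: it checks the layout and 0x55AA boot signature, decodes the partition table, hashes the bootstrap-code region a bootkit would replace, and compares that region against a second dump. The sample MBR and its tampered copy are constructed in the script; the function names are the example's own.

```python
"""Inspect a 512-byte MBR dump such as the MBR_backup.dat produced above.

Added example for this thread; not code from the tools the thread names.
The sample MBR below is constructed for the demo.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440         # bytes 0-439: bootstrap code, the region a bootkit replaces
DISK_SIG_OFFSET = 440       # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFFSET = 446     # four 16-byte partition entries
SIGNATURE = b"\x55\xAA"     # bytes 510-511


def parse_partition(entry):
    """Decode one 16-byte partition entry (LBA fields are little-endian)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def is_valid_mbr(data):
    """Basic sanity check: right size and boot signature present."""
    return len(data) == MBR_SIZE and data[510:512] == SIGNATURE


def parse_mbr(data):
    """Return disk signature, used partition entries and a boot-code hash."""
    if not is_valid_mbr(data):
        raise ValueError("not a 512-byte MBR with a 0x55AA signature")
    entries = [data[PART_TABLE_OFFSET + 16 * i: PART_TABLE_OFFSET + 16 * (i + 1)]
               for i in range(4)]
    parts = [parse_partition(e) for e in entries]
    return {
        "disk_signature": struct.unpack("<I", data[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4])[0],
        "partitions": [p for p in parts if p["type"] != 0],   # drop empty entries
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
    }


def boot_code_matches(dump, reference):
    """True when both dumps carry identical bootstrap code.

    A mismatch alone is not proof of infection: OEM machines ship their own
    MBR (the factory-restore case the thread warns about), so the reference
    should come from the same machine, e.g. a dump taken right after FIXMBR.
    """
    return dump[:BOOT_CODE_LEN] == reference[:BOOT_CODE_LEN]


def build_sample_mbr():
    """Constructed demo MBR: short stub boot code, one bootable NTFS partition."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C])  # stack setup prologue
    boot_code += b"\x90" * (BOOT_CODE_LEN - len(boot_code))        # pad with NOPs
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"          # constructed signature
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", 63, 1_000_000)             # bootable, type 0x07
    return boot_code + disk_sig + entry + b"\x00" * 48 + SIGNATURE


def tamper_boot_code(mbr):
    """Constructed 'modified' variant: same partition table, altered boot code."""
    changed = bytearray(mbr)
    changed[0:3] = b"\x00\x00\x00"       # arbitrary change inside the boot-code region
    return bytes(changed)


if __name__ == "__main__":
    clean = build_sample_mbr()
    info = parse_mbr(clean)
    print("disk signature: %08X" % info["disk_signature"])
    for p in info["partitions"]:
        print("partition type=%02X bootable=%s lba=%d sectors=%d"
              % (p["type"], p["bootable"], p["lba_start"], p["sectors"]))
    print("boot code sha256:", info["boot_code_sha256"])
    print("tampered copy matches clean:",
          boot_code_matches(tamper_boot_code(clean), clean))
```

To use it on a real dump, read MBR_backup.dat in binary mode and pass the bytes to parse_mbr; a second dump taken after FIXMBR gives the reference for boot_code_matches. The partition table is reported separately from the boot-code hash on purpose: a bootkit that only replaces the bootstrap code leaves the table intact, which is exactly the comparison a responder wants to see.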




