
Problems removing AV Security 2012 and TDSS


  • This topic is locked
54 replies to this topic

#1 wapiti23fads (Members)

Posted 01 December 2011 - 11:56 PM

On the infected laptop, I'm running Windows XP SP3. A couple of months ago, I noticed that my firewall had been turned off. My Trend Micro AV subscription had recently expired so I renewed and loaded the new definitions. Soon thereafter, while streaming audio over Google Chrome, a window popped up saying that the machine did not have enough memory and shut down. Every time I tried to restart, I got a blue screen with an XLDR ATA error. So I ran all of the disk diagnostics and everything came back clean. I did not have the XP disk so I brought the laptop to a friend who works in IT. He booted from a disk, gave me a new profile, renamed the old one "infected" and made a third one named "root." He also loaded Symantec AV. He ran some removal programs (not sure which) and apparently removed some infections. But he did not run the full gamut of tests because we ran out of time.

I took the machine home and it seemed fine at first, but very soon I started getting the AV Security 2012 pop-up. Symantec would not update and my browser got hijacked, among other symptoms. I followed the removal guide, but looking back I don't think TDSSKiller worked properly. I got through the rest of the guide and MBAM removed a lot of stuff. When I run Trend Micro, MBAM or SAS now, they don't detect an infection. But I'm still having problems with the browser doing strange things like closing by itself. The mouse pad flickers and clicks on things just by hovering, and some programs won't run. I revisited the TDSS removal guide and reloaded TDSSKiller but it will not run. I ran DDS but could not get a log. It ran for about 15 minutes, slowly adding hash marks across the screen, and finally froze the computer. GMER won't load properly either because, it says, "Cannot create a stable subkey under a volatile parent key."

Please help . . .

#2 HelpBot (Bleepin' Binary Bot)

Posted 07 December 2011 - 12:00 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/430336 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 wapiti23fads (Topic Starter)

Posted 08 December 2011 - 03:00 PM

The machine is running Windows XP, Home Edition, Version 2002, Service Pack 3. It does not say 64-bit so I think it is 32-bit. I still can't get a DDS or GMER log as described in the original post. In addition, Trend Micro takes several minutes to load. That is, it shows up in the tray immediately but just says "starting protection." Other programs start up immediately on start-up or on command, so it looks like Trend Micro may be compromised too.
Thanks!

#4 oneof4 (Malware Response Team)

Posted 08 December 2011 - 05:10 PM

Hi,

Welcome to Bleeping Computer. My name is oneof4 and I will be helping you with your log.
Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Watch Topic box to the right of your topic title and selecting Immediate Notification.


Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

I will return with your first instructions ASAP.


Thanks

Best Regards,
oneof4.


#5 wapiti23fads (Topic Starter)

Posted 08 December 2011 - 05:15 PM

Great, thank you.

#6 oneof4 (Malware Response Team)

Posted 09 December 2011 - 10:13 PM

Just to let you know, I've not forgotten about you. I'm waiting on my fix to be approved by a Malware Removal Team Coach; as soon as it is, I'll post it for you.

Best Regards,
oneof4.


#7 oneof4 (Malware Response Team)

Posted 10 December 2011 - 08:57 AM

Hello wapiti23fads, and welcome to the Virus/Trojan/Spyware/Malware Removal forum.

I am oneof4, and I am here to help you!

  • I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received and do not proceed if you need clarification.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.
  • At the top right-center of the topic you will see a button called Watch Topic. If you click on this, another page will open. Please choose Immediate Notification and then click Proceed; you will be advised when we respond to your topic, which facilitates the cleaning of your machine.
  • If after 5 days you have not replied to this topic, I will assume it has been abandoned, and I will close it.
  • I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

Now, let's get started:

Boot your computer into Safe Mode by tapping the F8 key repeatedly during the boot up process. A menu will come up with various start-up options, choose Safe Mode.

Now, attempt to run TDSSKiller from within Safe Mode, and Copy & Paste the log into your next reply.

Best Regards,
oneof4.


#8 wapiti23fads (Topic Starter)

Posted 10 December 2011 - 03:13 PM

I booted into safe mode and logged in to my usual profile. If I double click TDSSKiller or right click on it and choose "Run As..." current user, nothing happens. If I choose "Run As" any other user, I get the error message: "This service cannot be started in Safe Mode."
The result was the same when logged in as Administrator.

#9 oneof4 (Malware Response Team)

Posted 11 December 2011 - 08:36 AM

Hey, :)

What we may have here is an infected MBR (Master Boot Record).

I trust that you have a second "clean" computer, that we can use for the procedure that follows?

==========

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer

  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB drive and the CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1, sda2, ... usually correspond to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the Master Boot Record of your drive and see if it is infected.

Best Regards,
oneof4.


#10 wapiti23fads (Topic Starter)

Posted 11 December 2011 - 01:21 PM

I succeeded on the second try. MBR is attached. The first time, I did not get the Welcome screen but instead got the following message:


[ 6.190787] sd 2:0:0:0: [sdb] Assuming drive cache: write through
[ 6.193178] sd 2:0:0:0: [sdb] Assuming drive cache: write through
[ 6.197779] sd 2:0:0:0: [sdb] Assuming drive cache: write through
giving up.
xinit: No such file or directory (errno 2): unable to connect to X server
xinit: No such process (errno 3): Server error.
xauth: (argv):1: bad display name “(none):0” in “remove” command
sh: no job control in this shell
sh-4.0#

Attached file: mbr.zip (534 bytes)


#11 oneof4 (Malware Response Team)

Posted 12 December 2011 - 06:43 PM

Hey :)

Just to let you know, I'm working on the steps necessary to get your computer working again. I've submitted the fix to my MRT coach for approval, and will post it for you sometime tomorrow.

Best Regards,
oneof4.


#12 wapiti23fads (Topic Starter)

Posted 12 December 2011 - 10:31 PM

Thanks for the update.

#13 oneof4 (Malware Response Team)

Posted 14 December 2011 - 07:42 AM

Hey wapiti23fads :)

One day later than promised...sorry.

==========

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you opt for attempting to clean the computer, please follow the next set of instructions.

==========

  • Download tdl_fix.sh and save it to the xPUD flash drive.
  • Boot into xPUD then click the File tab.
  • Press File
  • Expand mnt
  • Click on the folder under mnt that represents your USB drive (sdb1 ?)
  • You should see the tdl_fix.sh file in the main window.
  • Select Tool from the Menu
  • Choose Open Terminal
  • Type bash tdl_fix.sh then press Enter.
  • Read the warning then type y and press Enter to continue.
  • Type sda then press Enter when prompted.
  • You will be shown a list of partitions to choose marking active.
  • Type 2 then press Enter.
  • If you are presented with a warning about no bootloader files, type n then press Enter to choose another. If this happens, type 3 to select partition 3 then press Enter.
  • When you receive no warning about bootloader files but are presented with another view of the partition structure and asked if it looks correct, type y then press Enter.
  • The script will complete and prompt you to reboot the computer.
  • Close the Terminal window and restart back into Windows.
  • Post the contents of the tdl_fix.txt file that was created on your flash drive and let me know how the computer is behaving.

Best Regards,
oneof4.
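
An added example, not part of the thread and not the tdl_fix.sh script: a small Python parser for the 512-byte mbr.bin that the dd command in post #9 produces, to be run on the clean computer. It lists the partition table, shows which entry is marked active (the property tdl_fix.sh repairs in post #13) and flags the signs a reviewer would want to look at: more or fewer than one active partition, an active partition of an unexpected type, a tiny active partition, or an active partition sitting after all the others. The expected type set, the 16 MB threshold and the sample disk layout are my own assumptions, not anything the thread states.

```python
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446          # the four 16-byte entries live at bytes 446..509
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511 of every valid MBR

# Partition types a defender would expect to see marked active on a Windows XP disk.
# Not exhaustive: anything outside this set is only flagged for a human to look at.
EXPECTED_BOOTABLE_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x0E: "FAT16 LBA"}


def parse_mbr(data: bytes) -> list[dict]:
    """Parse the four primary partition entries from a 512-byte MBR dump such as mbr.bin."""
    if len(data) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(data)}")
    if data[-2:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: this is not a valid MBR dump")
    entries = []
    for i in range(4):
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", data, PART_TABLE_OFFSET + i * ENTRY_SIZE)
        entries.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors,
                        "size_mb": sectors * SECTOR // (1024 * 1024)})
    return entries


def triage(entries: list[dict]) -> list[str]:
    """Heuristic checks for a partition-table bootkit. Findings are hints for review, not verdicts."""
    findings = []
    active = [e for e in entries if e["active"]]
    used = [e for e in entries if e["sectors"]]
    if len(active) != 1:
        findings.append(f"{len(active)} partitions marked active (expected exactly 1)")
    for e in active:
        if e["type"] not in EXPECTED_BOOTABLE_TYPES:
            findings.append(f"active partition {e['index']} has unexpected type 0x{e['type']:02X}")
        if e["size_mb"] < 16:
            findings.append(f"active partition {e['index']} is only {e['size_mb']} MB")
        others = [o for o in used if o is not e]
        if others and all(e["lba_start"] >= o["lba_start"] + o["sectors"] for o in others):
            findings.append(f"active partition {e['index']} sits after every other partition")
    return findings


def build_mbr(parts) -> bytes:
    """Assemble a 512-byte MBR from (active, type, lba_start, sectors) tuples. Constructed data only."""
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if a else 0, t, s, n) for a, t, s, n in parts)
    return bytes(PART_TABLE_OFFSET) + table.ljust(4 * ENTRY_SIZE, b"\x00") + BOOT_SIGNATURE


# Constructed sample modelled on the thread: a vendor utility partition, the Windows partition,
# a restore partition, and a rogue 8 MB partition added in free space at the end of the disk
# and marked active, so the MBR boot code hands control to it instead of to Windows.
SUSPECT_MBR = build_mbr([(False, 0x12, 63, 16065), (False, 0x07, 16128, 100_000_000),
                         (False, 0x07, 100_016_128, 10_000_000), (True, 0x17, 110_016_128, 16384)])
# The same disk with the Windows partition active and the rogue entry removed.
CLEAN_MBR = build_mbr([(False, 0x12, 63, 16065), (True, 0x07, 16128, 100_000_000),
                       (False, 0x07, 100_016_128, 10_000_000)])
```

On a real dump, call `triage(parse_mbr(open("mbr.bin", "rb").read()))` and treat each finding as a reason to look closer, not as proof of infection, since vendor utility and restore partitions legitimately use uncommon types.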


#14 wapiti23fads (Topic Starter)

Posted 16 December 2011 - 10:44 AM

Can you tell me which backdoor trojan was identified?

I have taken the precautionary measures and I don't mind doing a reformat/reinstall. But I bought the machine refurbished and it did not come with a disk.

#15 oneof4 (Malware Response Team)

Posted 16 December 2011 - 01:11 PM

Hey :)

Can you tell me which backdoor trojan was identified?

It's the latest and greatest version of TDL4, referred to as TDL4/MaxSS Partition Rootkit.

I have taken the precautionary measures and I don't mind doing a reformat/reinstall. But I bought the machine refurbished and it did not come with a disk.

That's ok, we can clean this infection. The only issue is if you use this computer for banking, or other financial transactions, you could "possibly" still be at risk, even after cleaning.

I noticed that the machine has a partition that's dedicated to either utility, or restore, but since this was a refurb, it may or may not allow us to use that for a reformat/reinstall.

If you want to proceed with the cleaning, please perform the fix procedure I gave in the previous post, and we'll move forward from there.

Best Regards,
oneof4.
