
Infected with .tidserv (TDSS) and All Folders Hidden


This topic is locked. 25 replies to this topic.

#1 hanchij

Posted 28 December 2011 - 09:24 PM

My dad called me this week, telling me he is having computer problems. What I found out was that it was a critical issue. A .tidserv rootkit was discovered. After doing some research, I went to Kaspersky.com and downloaded and ran the TDSSKiller. After that, I ran both Spy Doctor and Malwarebytes to remove the various infections (I believe there were over 600)! However, the same issue is there, and that issue is simply that all my dad's files are "missing." There is nothing on the desktop, nothing in My Documents, nothing in My Pictures, etc... I changed the settings so that all Hidden files would be shown, and lo and behold all his files are there. However, I know that there are still viruses and infections on the computer, and I don't believe the rootkit was properly removed? Also, those files should NOT be hidden, plus the computer is running very slowly with random pop-ups on occasion. I need HELP please!

I followed every step on the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help" site. I tried to run the DDS script, but after a few minutes, the black screen just freezes, and the entire computer locks up. I tried it three times and each time the computer froze. So I just moved on to the next step. Attached is the log file, however, for the GMER.

Whatever you can do to help will be GREATLY appreciated. FYI, my dad cannot locate his computer startup disk, so if a reformat is needed, I'm afraid he wouldn't be able to get much out of it without the recovery CD that came with the computer. His computer runs on Windows XP.

Thanks!


#2 hanchij (Topic Starter)

Posted 28 December 2011 - 09:30 PM

Whoops, here's the attachment for the GMER log. Attached file: ark.txt (305.05 KB)

#3 HelpBot (Bots)

Posted 03 January 2012 - 12:05 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/435059 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 hanchij (Topic Starter)

Posted 04 January 2012 - 12:09 AM

To Whom It May Concern:

Detailed description is above in the first message on this thread. Prior to running into this website, I had run TDSSKiller from Kaspersky along with a few free Antispyware and Antimalware software. The GMER log is attached on the second message on this thread since I forgot the attachment at the beginning. I still cannot get the DDS log to work. The computer looks like it's running it perfectly fine, and then it just stops and everything is frozen. My dad is running Windows XP. The original Windows CD as mentioned earlier cannot be located unfortunately.

Thanks!

#5 ratman (Malware Response Team, Scotland)

Posted 04 January 2012 - 09:00 AM

Hello hanchij,

My name's ratman. I'll be helping resolve your computer issues.

Logs take a while to analyze, so please be patient while I study your GMER log.

regards, ratman

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM.


#6 ratman

Posted 04 January 2012 - 03:47 PM

Hello hanchij,

I'd like you to try running DDS in Safe Mode.

Reboot your computer in Safe Mode:
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe Mode.
  • Log in with your usual account.

Now run DDS

Please copy/paste contents of DDS.txt in your next reply and attach the Attach.txt log to the reply.
regards, ratman


#7 hanchij (Topic Starter)

Posted 04 January 2012 - 08:03 PM

Dear ratman,

I have tried as you suggested to no avail. I tried six different times, and each time the computer would freeze. The verbiage when I run the DDS file says it should take no more than 3 minutes. Each time I waited approximately 10-15 minutes (and I believe the computer would freeze around the 2 minute mark). I have tried downloading and running both DDS.scr and DDS.pif. I ran them on Safe Mode, Safe Mode with Networking, and Normal Mode, and each time I got the same result. Not sure what else to do at this point. Please advise.

Regards,
hanchij

#8 ratman

Posted 05 January 2012 - 07:32 AM

Hello hanchij,

We need to create an OTL Report
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

====================================================================================


I'd like you to run a scan with aswMBR
Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

====================================================================================

In your next reply, please copy/paste the contents of the following:
  • OTL.txt
  • Extra.txt
  • aswMBR Log

regards, ratman


#9 hanchij (Topic Starter)

Posted 05 January 2012 - 06:55 PM

Dear ratman,

Attached are the following files as requested: OTL.txt, Extras.txt, and aswMBR.txt.

Regards,
hanchij


#10 ratman

Posted 06 January 2012 - 12:02 PM

Hi hanchij,


You mentioned earlier about getting pop ups. Can you tell me what they say?

To make your files visible again, I'd like you to run Unhide.exe.

Please download Unhide.exe to your desktop.

Double click on desktop icon and click Run

Let program complete (may take several minutes) and then reboot your machine.

=================================================================

Next:

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot not reproduced)

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

In your next reply, please copy/paste the contents of the following:
  • C:\Combofix.txt

regards, ratman


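The Unhide.exe step above reverses the one visible symptom in this thread: the infection set the Hidden attribute on the user's files, so they vanished from Explorer until "Show hidden files" was turned on. The script below is an added example, written for this page and not BleepingComputer's Unhide tool, that does the equivalent attribute repair by hand on a Windows XP profile tree. It walks the profile root, clears only the Hidden bit on items the malware is likely to have touched, and leaves alone anything flagged System plus the files and folders Windows hides by design. Assumptions: PowerShell 2.0 is installed (a separate download on XP), the profile root is C:\Documents and Settings, the script file is named Unhide-UserFiles.ps1, and the skip lists below are adequate for the machine in question.

```powershell
# Added example (not Unhide.exe): clear the Hidden attribute an infection set on user
# files, without touching files Windows hides on purpose. Preview with -WhatIf first.
param(
    [string]$Root = "$env:SystemDrive\Documents and Settings",  # XP profile root (assumed)
    [switch]$WhatIf
)

# File names that are hidden by design (assumed list); never clear these.
$keepHiddenNames = @('desktop.ini', 'ntuser.dat', 'ntuser.dat.log', 'ntuser.ini', 'thumbs.db')
# Profile folders whose contents are legitimately hidden (assumed list); skip them and
# everything below them.
$keepHiddenDirs  = @('Local Settings', 'Application Data', 'NetHood', 'PrintHood',
                     'SendTo', 'Recent', 'Templates', 'Cookies')

$hidden   = [IO.FileAttributes]::Hidden
$system   = [IO.FileAttributes]::System
$restored = 0
$skipped  = 0

# -Force is required so that hidden items are enumerated at all.
$items = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
         Where-Object { ($_.Attributes -band $hidden) -ne 0 }

foreach ($item in $items) {
    $underKeepDir = $false
    foreach ($d in $keepHiddenDirs) {
        if ($item.Name -eq $d -or $item.FullName -like "*\$d\*") { $underKeepDir = $true; break }
    }

    # Protected OS items, by-design hidden names and by-design hidden folders stay hidden.
    if ((($item.Attributes -band $system) -ne 0) -or
        ($keepHiddenNames -contains $item.Name) -or $underKeepDir) {
        $skipped++
        continue
    }

    if ($WhatIf) {
        Write-Host "Would unhide: $($item.FullName)"
    } else {
        # Clear only the Hidden bit; ReadOnly, Archive and the rest stay as they were.
        $item.Attributes = [IO.FileAttributes](([int]$item.Attributes) -band (-bnot [int]$hidden))
    }
    $restored++
}

Write-Host "Unhidden: $restored   Skipped (system or hidden by design): $skipped"
```

Run it as "powershell -ExecutionPolicy Bypass -File Unhide-UserFiles.ps1 -WhatIf" first and read the preview; rerun without -WhatIf once it lists only the files you expect. It changes attributes and nothing else, it makes no attempt at the other repairs Unhide.exe performs, and it does nothing about the rootkit still being chased in this thread; restoring visibility is cosmetic until the infection itself is gone.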
#11 hanchij (Topic Starter)

Posted 06 January 2012 - 11:31 PM

Dear ratman,

The Unhide program worked beautifully!! Thank you for that. All of my dad's files can now be seen without having to Show Hidden Files. That is great progress and a little relief.

Unfortunately, however, the ComboFix program worked the same as the DDS program. It was working (by the sound of the computer running through files), and after about 10 minutes, the computer froze. I ran it two more times (once in Safe Mode), and each time the computer froze. The last time I ran it, I let it run for over 2 hours just to see if the computer would respond, but nothing. :( What else can be done? (Side note: it did install the Windows Recovery perfectly fine).

As far as popups, I haven't seen any popups this past week on his computer. The popups I was seeing were in regards to some HP media software and some other unused software. Prior to posting to this forum, I had gone into Control Panel and removed both software programs altogether because it wasn't needed, and since then there have been no more popups.

I hope there is another virus scanner or antimalware program that would help. I'm sure these programs (DDS and ComboFix) that aren't working are as frustrating to you as they are to me. Thanks for your assistance as always!

Regards,
hanchij

Edited by hanchij, 06 January 2012 - 11:32 PM.


#12 ratman

Posted 07 January 2012 - 09:03 AM

Hi hanchij,

I'd like you to try running ComboFix in a different way.

Go to Start and select Run... Type in combofix /nombr and let me know if ComboFix will execute and run through all steps properly.

Please copy log in next reply.
regards, ratman


#13 hanchij (Topic Starter)

Posted 07 January 2012 - 04:58 PM

Dear ratman,

No luck! I tried typing in combofix /nombr into the Run command. I get an error saying, "Windows cannot find 'combofix'. Make sure you typed the name correctly and try again." I have not deleted or uninstalled ComboFix since I downloaded it yesterday per your recommendation. So I'm not sure why it's not wanting to run. I tried typing in the name several different ways and possibilities with no luck. I also tried double-clicking the ComboFix icon again, and the same issue of the program running and then freezing occurs. I did some research on ComboFix, and it doesn't appear it's working at all on the computer. What I get (after the System Restore is created) is a blue screen that says something to the effect of "Scanning for affected files. This typically doesn't take more than 10 minutes. However, scan times for badly affected may easily double." Then it sounds like the computer is scanning for files as it would with any other antispyware/malware software, but I don't even see the next part which is "ComboFix has changed your clock settings" and "Completed Stage_#". So the program isn't even running at all for whatever reason.

Any other ideas would be greatly appreciated. Thanks for your time.

Regards,
hanchij

#14 ratman

Posted 07 January 2012 - 07:56 PM

Hi hanchij,

Sorry, I didn't give the correct syntax, please try this:

Go to Start and select Run... Type in "C:\Documents and Settings\Administrator\Desktop\combofix" /nombr

and let me know if ComboFix will execute and run through all steps properly.

Please copy log in next reply, thanks.
regards, ratman


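The corrected syntax above works because the Run box resolves a bare program name against the system directories, the PATH variable and the App Paths registry key, not against the Desktop, which is why "combofix /nombr" produced "Windows cannot find 'combofix'" while the quoted full path ran. The snippet below is an added example, not part of ratman's instructions, that performs the same launch but resolves the logged-in user's Desktop instead of assuming the Administrator profile, checks that the file is actually there, passes the /nombr switch (which skips the MBR-check stage that was hanging this machine), waits for ComboFix to exit, and reports whether the log was written. Assumptions: ComboFix.exe was saved to the Desktop under its default name, PowerShell 2.0 is installed, and the log lands at C:\ComboFix.txt as ratman's post states.

```powershell
# Added example (not from the thread): launch ComboFix with /nombr by full path,
# resolving the current user's Desktop rather than hard-coding a profile name.
$desktop = [Environment]::GetFolderPath('Desktop')
$exe     = Join-Path $desktop 'ComboFix.exe'   # default download name (assumed)

if (-not (Test-Path -LiteralPath $exe)) {
    throw "ComboFix.exe not found on the Desktop ($desktop); save it there first."
}

# Start-Process quotes the path for us; the Run box needed the quotes typed by hand
# because "Documents and Settings" contains spaces.
$proc = Start-Process -FilePath $exe -ArgumentList '/nombr' -PassThru
$proc.WaitForExit()

# ComboFix writes its report to the root of the system drive (per ratman's post).
$log = Join-Path $env:SystemDrive 'ComboFix.txt'
if (Test-Path -LiteralPath $log) {
    Write-Host "ComboFix finished; log written to $log"
} else {
    Write-Host "ComboFix exited (code $($proc.ExitCode)) but no log was found at $log"
}
```

Run it from an elevated PowerShell window with "powershell -ExecutionPolicy Bypass -File Run-ComboFix.ps1" (file name is an assumption). If the hard-coded path in ratman's post fails on another machine, the most likely reason is that the logged-in account is not named Administrator, which this version avoids.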
#15 hanchij (Topic Starter)

Posted 08 January 2012 - 10:41 AM

Dear ratman,

Thanks a bunch for the new syntax. ComboFix worked great! Here is the log report.

Regards,
hanchij

Attached file: log.txt (16.4 KB)