Malware Activity: TDSS Rootkit infection


  • This topic is locked
10 replies to this topic

#1 anotherTDSSvictim

anotherTDSSvictim

  • Members
  • 5 posts

Posted 26 January 2012 - 01:19 AM

My laptop has been infected with the TDSS rootkit. Google and Bing searches get redirected to random sites. Windows 7 does not shut down/restart correctly. Also, the Windows 7 Startup Repair does not work. After Startup Repair fails, the system sometimes restarts automatically, or I have to choose a previous restore point. I suspect the virus came in while I was downloading a C/C++ compiler (Cygwin). Also, it suddenly changed all my files and folders on C: to "Hidden". Although I could unhide all of those, the other problems still persist. I have run the AVG antivirus software; however, it has changed some of my local temp files, which is causing further shutdown problems. I have attached the DDS logs. The operating system is Windows 7 Professional 64-bit, so I have not run GMER.

Please help.


Edited by hamluis, 26 January 2012 - 12:19 PM.
Moved from Win 7 to Malware Removal Logs.



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 26 January 2012 - 08:45 PM

Hi

Did you previously find the link and run Unhide.exe? If not, please run it:

Please download Unhide.exe to your desktop:
  • Double-click on the Unhide.exe icon on your desktop and allow the program to run.
  • This program will remove the hidden attributes from all the files on your system.
  • Note: If you had purposely hidden any files, then you will need to hide them again after this tool has run.



NEXT



  • Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click Scan

  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 anotherTDSSvictim

anotherTDSSvictim
  • Topic Starter

  • Members
  • 5 posts

Posted 26 January 2012 - 11:59 PM

Hello CatByte,

I had previously used the Windows folder options to unhide all files and folders, and it seems to have worked OK. So I have not executed Unhide.exe.

I have attached the files you have mentioned.

Also, I noticed that my NetBeans is not working (all other software seems OK). Also, when I uninstalled Java and restarted my laptop, it worked fine and did not go into Startup Repair as it did before. However, I had to do a system restore, and so Java is installed again. I think the virus got in through the Cygwin software while I was trying to run a C++ compiler.

I am now also facing the problem of not being able to uninstall or reinstall NetBeans, and it isn't working either. It gives the error: org.netbeans.installer.utils.exceptions.UninstallationExceptions: Cannot get the installation files list. More information in the log file 20120126234034

The searches (Google and Bing) still get redirected.

Thank you for all your help.


Edited by anotherTDSSvictim, 27 January 2012 - 12:01 AM.


#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 27 January 2012 - 12:03 AM

hi,

Please execute Unhide.exe, as this infection can sometimes move necessary files to the temp folder, where they are removed when the temp folder is emptied.

Please run junction.exe while I am looking through the logs;

let's see if permissions have been changed on NetBeans.

  • Please download Junction.zip and save it to your desktop.
  • Unzip it and put junction.exe in the Windows directory (C:\WINDOWS).
  • Now go to Start > Run to open a run box > Copy and paste the following command in the open run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

  • A command window will open and the system will be scanned.
  • Wait until a log file opens.
  • Copy and paste or attach the content of it in your next reply

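As an added illustration, and not code from the thread or from the Unhide.exe and junction.exe tools recommended above, the PowerShell below approximates the same two checks from a defender's side: it lists junctions and symbolic links under a volume (what `junction -s c:\` reports) and counts files or folders carrying the Hidden attribute without the System attribute (the "everything on C: turned Hidden" symptom). It assumes an elevated PowerShell 5.1 or later prompt; $Root, $MaxDepth and the -Unhide switch are names chosen for this example.

```powershell
# Added triage example (not from the thread or its tools). Report-only by default;
# -Unhide clears the Hidden attribute only on items the sweep reported.
param(
    [string]$Root = 'C:\',      # volume or folder to scan (assumed default)
    [int]$MaxDepth = 4,         # limit recursion so the sweep stays quick
    [switch]$Unhide             # opt in to clearing Hidden on reported items
)

# 1. Reparse points (junctions / symbolic links), the equivalent of "junction -s c:\".
#    An unexpected junction inside Program Files or a user profile deserves a look;
#    the Target property shows where the link actually points.
$links = Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $MaxDepth -Force `
             -ErrorAction SilentlyContinue |
         Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint }

"Reparse points under ${Root}: $(@($links).Count)"
foreach ($l in $links) {
    [PSCustomObject]@{
        Kind   = $l.LinkType                  # 'Junction' or 'SymbolicLink'
        Path   = $l.FullName
        Target = ($l.Target -join ';')        # string[] on 5.1, string on 7.x
    }
}

# 2. Hidden-attribute sweep. Hidden+System items (desktop.ini, NTUSER.DAT, etc.)
#    are normal, so only Hidden items *without* System are counted; a large number
#    of those in ordinary document folders matches the symptom described in the thread.
$hidden = Get-ChildItem -LiteralPath $Root -Recurse -Depth $MaxDepth -Force `
              -ErrorAction SilentlyContinue |
          Where-Object {
              ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
              -not ($_.Attributes -band [IO.FileAttributes]::System)
          }

"Hidden (non-System) items under ${Root}: $(@($hidden).Count)"
$hidden | Group-Object { Split-Path $_.FullName -Parent } |
    Sort-Object Count -Descending | Select-Object -First 10 Count, Name

if ($Unhide) {
    foreach ($h in $hidden) {
        # Toggle only the Hidden bit; every other attribute is left unchanged.
        $h.Attributes = $h.Attributes -bxor [IO.FileAttributes]::Hidden
    }
    "Cleared Hidden on $(@($hidden).Count) item(s)."
}
```

Run it first without -Unhide and read the per-folder counts; the top entries tell you whether the Hidden attribute was applied across whole user folders or only to the usual system housekeeping files.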


#5 anotherTDSSvictim

anotherTDSSvictim
  • Topic Starter

  • Members
  • 5 posts

Posted 27 January 2012 - 01:02 PM

Hi,

I had to uninstall the JDKs, as my computer had problems shutting down/restarting while the JDK was installed. Without it, it seems to shut down/restart properly.

I have executed Unhide.exe. When I try to execute junction, the command prompt opens for a split second and disappears. However, if I only run cmd, the command prompt opens up and stays visible.

Edited by anotherTDSSvictim, 27 January 2012 - 01:32 PM.


#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 27 January 2012 - 03:16 PM

Did you save junction to c:\windows?


Please run the following:

Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.



#7 anotherTDSSvictim

anotherTDSSvictim
  • Topic Starter

  • Members
  • 5 posts

Posted 29 January 2012 - 12:04 AM

Hi Catbyte,

Is there a chance my system may crash after executing ComboFix? If so, is there any safer way to remove the rootkit infection?

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 29 January 2012 - 09:03 AM

Yes, there is a chance; however, this is the safest way I know.



#9 anotherTDSSvictim

anotherTDSSvictim
  • Topic Starter

  • Members
  • 5 posts

Posted 04 February 2012 - 02:44 AM

Hello CatByte,

I did not run ComboFix; I have reformatted my machine now. Thank you for all your help.

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 04 February 2012 - 08:42 AM

OK,

thanks for letting me know.

Hope everything is OK now.



#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 04 February 2012 - 08:42 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
