
TDSSKiller won't execute during SMART HDD removal


10 replies to this topic

#1 stcarl


Posted 02 April 2012 - 12:47 AM

Running XP on infected PC. Followed the steps for removal of SMART HDD operating in safe mode with networking. Everything was fine until we tried to run the tdsskiller. It will not execute. We have downloaded it to the desktop, renamed it multiple times using both .exe and .com, downloaded the file onto another computer and loaded the files onto a jump drive. Then we tried to copy and paste those files into the infected computer but still the tdss file won't go. We tried skipping this step and downloading malwarebytes but that was terminated by the infection.

We read your steps involving the defogger software but it said to reboot and if we do that then we are back to where we started. All the steps until then have emphasized that we shouldn't reboot until the infection is cleaned.

Not sure how to send information about the computer in question because it acts as if everything is gone. We are unable to access our files and programs.

Any suggestions? Thanks in advance.



#2 narenxp

  • BC Advisor

Posted 02 April 2012 - 10:28 AM

Please reboot the PC into safe mode with networking



Download

http://www.bleepingcomputer.com/download/anti-virus/unhide

Run the UNHIDE tool

Download

http://www.techspot.com/downloads/4716-malwarebytes-anti-malware.html

Install, update and run a full scan

Click on SHOW results. Select all infections and remove them

Reboot the PC and scan MBAM once in regular mode until you get a clean log


FIXTDSS

Launch it. It may ask for a restart; reboot the PC

On reboot let me know what it finds

Download

TDSSkiller

Launch it. Click on change parameters - Select TDLFS file system

Click on "Scan". Please post the LOG report (log file should be in your C drive)

Follow the steps as instructed

good luck

Edited by narenxp, 02 April 2012 - 04:17 PM.


#3 stcarl

  • Topic Starter

Posted 02 April 2012 - 11:51 AM

Thanks for your suggestions. We have a few questions, though. Also we are in safe mode with networking now.

1. We can't see our documents, etc. to back up. Is there a way to do this? I think this is going to be a problem creating a restore point also.

2. After launching FIXTDSS, if it asks for reboot, do we reboot into safe mode with networking again?

3. Are you saying that after launching FIXTDSS, we should be able to launch TDSSKILLER? Right now, we would not be able to change any parameters because we can't even get the welcome screen up.

4. Again, after running TDSSKILLER (Do we need to rename this file like before?), do we reboot into safe mode with networking to unhide files?

5. Each time we reboot, do we need to run RKILL? It seems to us that each reboot loses the benefit of the original RKILL run. Our understanding was to stay in safe mode until the infection was cleaned up. Is this a misunderstanding?

Thanks, Terry

#4 engineeredwithlayton


Posted 02 April 2012 - 12:45 PM

> Running XP on infected PC. Followed the steps for removal of SMART HDD operating in safe mode with networking. Everything was fine until we tried to run the tdsskiller. It will not execute. We have downloaded it to the desktop, renamed it multiple times using both .exe and .com, downloaded the file onto another computer and loaded the files onto a jump drive. Then we tried to copy and paste those files into the infected computer but still the tdss file won't go. We tried skipping this step and downloading malwarebytes but that was terminated by the infection.


Hello

I am having the same problem (as above) and as I am seeing across this and other boards with the instructions and tdsskiller. I am running Win 7 (64 bit). I have tried renaming tdsskiller with no luck. When running in safe mode (after rkill step) I would only get a spinning circle for a few moments. Tried to skip step to Mbytes and it installs, fails, gives some "runtime error '5'". After getting stuck with your guide I found (from another guide) where to find the active virus (chain of letters and numbers.exe) and change the extension to .com. I can now boot into regular windows mode without all the popups and start of S.M.A.R.T. HDD. Now when running tdsskiller (renamed as per instructions) I now get a spinning circle then the user account control "do you want to allow..." windows notification. I say yes...then the spinning circle...then nothing happens.

I think it should be noted that we are instructed in several places to "run as administrator" in Win Vista/7. This choice is unavailable when the tdsskiller is renamed a .com file. You will only get this when it is a .exe file. I would also like to ask why someone said "64-bit may be the issue". It appears from the tdsskiller site that this tool is for both 32 and 64 bit systems.

I have now been able to run MS security essentials. It did find "VirTool:Win32/Obfuscator.QD" which it quarantined and "Trojan:Win32/FakeSysdef" which was removed. Tried to now go back to start of the instructions and still hanging up at the tdsskiller step. Malwarebytes is still also not starting or installing correctly.

I would like to note. I had Malwarebytes (paid version) as my security software and it did not stop this infection. I am not quite sure why if it did allow this virus through it can now remove it.

I would also like to note that I got infected from installing "Handbrake.fr" version 0.9.6 (MS Vista/7 version, 64 bit) from http://handbrake.fr/downloads.php. Immediately after download, install and reboot the S.M.A.R.T. HDD issues started.

My wife told me "just pay the $" and after several hours of poor Dell tech support I was tempted to do such...but it didn't seem right. Thanks for all the help so far, and in advance for your assistance.

Edit 1: Sorry...will start over with Narenxp instructions also and provide feedback.

Edit 2: Feedback on Narenxp instructions in this thread - System restore and backup are not supported in safe mode (according to my infected machine). Rebooting to "non safe mode" to attempt prior to proceeding.

Edited by engineeredwithlayton, 02 April 2012 - 01:49 PM.


#5 Bill_L


Posted 02 April 2012 - 04:03 PM

I also ran my antivirus scanner, which did NOT however identify this malware as a virus or shut it down. However, once I regained control of my computer, I activated Task Manager and shut down the process I could not identify (Bsy05V4MFLu7iT.exe). This shut down the malware.

A File Search on Bsy05 led to some very recently installed files, which I deleted. I also deleted everything associated with Bsy05V4MFLu7iT in my Registry Editor.

My computer now seems under control, and I can see my files although several icons are still missing from my desktop. The fact that using Task Manager to kill Bsy05V4MFLu7iT.exe shut down the malware suggests however that this is a good solution.

I also reported this incident as Internet crime to the FBI (http://www.ic3.gov/default.aspx) because, as far as I know, it is a felony to install a virus on another person's computer. I pointed out very specifically that the program kept me from accessing my control panel, Task Manager, and most of my file system.

Edited by Grinler, 02 April 2012 - 04:26 PM.


#6 narenxp

  • BC Advisor

Posted 02 April 2012 - 04:14 PM

@engineeredwithlayton

Start a new topic

Thanks

@stcarl

Run the UNHIDE tool first and then run malwarebytes

Ignore system restore

Run fixtdss and it should automatically reboot you to normal mode

Do not run fixtdss before removing infections with malwarebytes

good luck

Edited by narenxp, 02 April 2012 - 04:16 PM.


#7 engineeredwithlayton


Posted 02 April 2012 - 05:10 PM

> @engineeredwithlayton
>
> Start a new topic
>
> Thanks


Sorry Narenxp. I come from forums that want (and even require you) to keep similar topics in the same threads. Some moderators will delete or move your thread if you are too lazy to do a search and find solutions and just start numerous new threads of the same topic. I was not trying to hijack another user's questions. I only was trying to keep from creating duplicate threads. I can see why in this type of forum / help situation this could get confusing.

Please refer to my new thread as necessary. I have also included response from Malwarebytes since this was my anti-virus program (pro paid version). They have provided a suggestion for resolution of the virus not using the tdsskiller program that seems to be the hangup of many users...instead using something they call Chameleon. I was going to try their suggestion after your follow-up suggestion above. Perhaps I should be a guinea pig and go straight for the Malwarebytes solution to see if this would work better than messiness with tdsskiller. Any requests? I have about an hour (till the backup finishes) and will check back prior to proceeding.

http://www.bleepingcomputer.com/forums/topic448601.html

#8 stcarl

  • Topic Starter

Posted 02 April 2012 - 11:46 PM

Narenxp:

Following your 8:28am post, we got to this step 'Reboot the PC and scan MBAM once in regular mode until you get a clean log' and started the full scan. My question is, did you mean to keep running a new scan until it is clean or did you mean, run the scan only once and then clean whatever it finds?

At that point, do I run FIXTDSS? This is where I am a bit confused. I am already in normal mode but your post of 2:14 pm said to run FIXTDSS after running MBAM in safe mode with networking. Does it matter if it is run in normal or safe mode?

What happens if we run FIXTDSS and there is residual infection? Your post said to run it after infections were gone. It seems that every time we run MBAM, there are more infections.

After running FIXTDSS, should I follow with TDSSKiller or not? One post says to and the other doesn't mention it.

Thanks, Terry

#9 narenxp

  • BC Advisor

Posted 02 April 2012 - 11:54 PM

> Following your 8:28am post, we got to this step 'Reboot the PC and scan MBAM once in regular mode until you get a clean log' and started the full scan. My question is, did you mean to keep running a new scan until it is clean or did you mean, run the scan only once and then clean whatever it finds?

Run until you get a clean log. If an infection reoccurs on every scan let me know

> At that point, do I run FIXTDSS? This is where I am a bit confused. I am already in normal mode but your post of 2:14 pm said to run FIXTDSS after running MBAM in safe mode with networking. Does it matter if it is run in normal or safe mode?

When you launch fixtdss, it will ask for a reboot which will take you to normal mode. You cannot work on the PC in normal mode due to rogue pop ups. So I asked you to run mbam once in safe mode with networking to remove infections and then launch FIXTDSS

> After running FIXTDSS, should I follow with TDSSKiller or not? One post says to and the other doesn't mention it.

Yes, run TDSSkiller after fixtdss

good luck

#10 stcarl

  • Topic Starter

Posted 03 April 2012 - 10:35 PM

Thank you so much for your help. The computer appears to be fine.

After running FIXTDSS, one infection was found: mbr detected. We repaired it and that was successful.

Then we ran TDSSKiller and it found nothing. We have a log that you asked for but we weren't sure if we could post it to this forum. The rules seem to say otherwise. If you would like it, let me know where to send it.

Thanks again.

#11 narenxp

  • BC Advisor

Posted 05 April 2012 - 04:48 AM

Yes please post the log

Download

ESET online scanner


Install it

Click on START, it should download the virus definitions
When scan gets completed, click on LIST of found threats

Export the list to desktop, copy the contents of the text file in your reply


Download

mini toolbox

Checkmark following boxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size

Click Go and post the result.



