BOO/TDSS.M

Post by fairydraik on Thu 05 May 2011, 6:32 am

Hello.

I sincerely apologize for my long absence (and subsequent removal) from the GPA, but that's not why I'm here.

My computer has been infected with what my mom and I believe to be the new TDSS variant. The title of the topic is the name of the infection Avira found before everything went to hell.

Currently, my mom is doing everything she can to get rid of it, but nothing seems to work. None of the TDSS rootkits we found mentioned in removal guides seem to be found in the registry. It is acting like a fake AV and when the computer is connected to the internet will pop up IE windows. It also tried to add an add-on to Firefox, but I told it no.

On a subsequent restart, it seems to have killed my mouse driver; Mom is doing everything the old-fashioned way with the keyboard. Currently, we're only using the computer in Safe Mode. We think it's reinfecting through one of my portable hard drives. We can't use Avira, and the virus is blocking MBAM. Right now, I'm on my mom's Vista, but the infected computer is the one whose specs are on my profile.

Can you help us get rid of the virus?

Thanks,
Miri

Edit: I forgot to mention, we currently have the computer disconnected from the internet to prevent the virus from spreading. Should we reconnect and run the fixes from that computer, or should we do the burn-it-to-a-CD thing from this one?

fairydraik
Rookie Surfer
Posts : 194
Joined : 2009-11-01
Operating System : Windows XP

Re: BOO/TDSS.M

Post by Belahzur on Thu 05 May 2011, 9:17 am

Hello.
Reconnect it to the net, we may need internet access.

Please download aswMBR from here

  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.

  • Once the scan finishes click Save log to save the log to your Desktop
  • Copy and paste the contents of aswMBR.txt back here for review


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Manager | Tech Officer
Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: BOO/TDSS.M

Post by fairydraik on Thu 05 May 2011, 10:05 am

My computer appears to be taking forever to start up; I replugged the mouse into a different USB, mom says that on XP that resets the driver. Checking to see if it works... Nope. Mouse doesn't work still. It'll take a little bit to tab around and stuff, so please be patient with me~ I'm not used to doing things with just the keyboard.

Edit: Now that I'm actually in my computer, it took a few minutes but my mouse appears to be working. However, my computer came up with no UI, just two windows, the fake antivirus and a "Personalised Settings: Setting up personalized settings for: Google Search Provider." It was after opening Task Manager and attempting to end the XP Anti-Virus program that my mouse moves, but it doesn't seem to have ended. Attempting to end.... YES~ It ended and Windows' UI is coming up normally, the settings window went away with the XP anti-virus warning, most likely it was trying to simulate the virus attack it was telling me was happening. Awww, poor thing, it WAS the virus. I'm wise to your little games, you hacker. Was trying to play keep-up with the infected processes in Task Manager to no avail, booting Firefox (attempting) so I can access your fixes.

Crap. Virus gave me a message saying Firefox was infected. And it's still running. GRAHHHH. Avira popped up with a message saying that it's in my recycle bin now?!?! Okay, trying IE. It seems to have made IE my default browser, too.

Huh. Trying to open IE and somehow Mozilla is now actually running, IE came up too. Seeing if I can get past the "Mozilla is running in safe mode" and actually into the net with Mozilla, as IE doesn't appear to be doing any..... IE just went away, the virus told me it was infected. Okay, let's see if it'll let Mozilla run.... Hm. IE popped back up, with a fake alert saying that Yahoo was infected. *eyeroll* Anyway, Mozilla appears to be working. I apologize for the running commentary; being on two comps at once offers a unique opportunity to describe things as they happen; I hope it's useful to you.


Re: BOO/TDSS.M

Post by fairydraik on Thu 05 May 2011, 10:24 am

Okay, it's not letting me download the tool. It'll come up with the "Save/Run" window, I click Save File, but nothing happens. It appears to be working for a while, then stops. The name of the website still appears down at the bottom in the bar where it shows loading progress, but nothing else. If I roll over a link, that little thing goes away, replaced by the ubiquitous "Done". Any suggestions?


Re: BOO/TDSS.M

Post by Belahzur on Sat 07 May 2011, 7:40 am

Can you download it via another machine and transfer it via USB? If not, we'll go to boot disc.



Re: BOO/TDSS.M

Post by fairydraik on Sun 08 May 2011, 1:10 am

Hmmm.... I'd have to find my USB drive. Would the virus be transferable via that USB, though, if I needed to use it again? I don't want to infect my mom's computer.

Also, I'm sorry I didn't get this message when you posted it, I was up all last night with the stomach crud... blech.


Re: BOO/TDSS.M

Post by Belahzur on Sun 08 May 2011, 1:28 am

No worries.

Normally TDL doesn't spread via autorun worms; I very rarely see it use that method.



Re: BOO/TDSS.M

Post by fairydraik on Sun 08 May 2011, 1:30 am

Okay. Let me go search for it, but first, I want to try downloading one more time; my computer seems to be in better shape than last time I booted it up (mouse works from the get-go, virus letting IE run, etc.)

Edit: No, virus won't even let me go to the GeekPolice website. It'll start to load, then redirect me to "About:Blank" which says that the webpage is infected. Hunting down a flash drive now; if I can't find it, we may have to burn a CD.

Edit2: Found the flash drive, about to transfer to the other computer.


Re: BOO/TDSS.M

Post by fairydraik on Sun 08 May 2011, 1:46 am

Aaaaalright. Every time I try to open it, it says, "Windows cannot access device, path, or file. You may not have appropriate permissions to access this file." I am running as administrator. When I moved the program to the desktop, it still told me the same thing. I ended all of the active virus processes via Task Manager (which didn't come up normally; it went to a selection screen like my old school laptop, I clicked 'Task Manager', had to do that twice, and the username was bizarre, "logged on as (random numbers/letters)/Miranda (my last name)") and tried again, still got the same message, but as I ended the processes, Avira was able to get through and told me about all kinds of infected files that it was finding, even a garbage .dll file in the system folder.

I hope that helps you somewhat.


Re: BOO/TDSS.M

Post by Belahzur on Sun 08 May 2011, 1:47 am

Ah ok, try this instead, I wanna see if it runs.


  1. Download Win32kDiag from any of the following locations and save it to your Desktop.

    • Download Win32kDiag (Win32kDiag.exe) - #1
    • Download Win32kDiag (Win32kDiag.exe) - #2
    • Download Win32kDiag (Win32kDiag.exe) - #3

  2. Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  3. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  4. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.



Re: BOO/TDSS.M

Post by fairydraik on Sun 08 May 2011, 1:52 am

Nope, still getting the same error. Could it have something to do with me using a non-admin account on Vista to download it?


Re: BOO/TDSS.M

Post by Belahzur on Sun 08 May 2011, 1:54 am

Possibly, but I know of an infection that throws up that error.

We are going to be using a Windows Recovery Environment to help disinfect the system.

Download the OTLPE Standard REATOGO Windows Recovery Environment.

  • Place a blank CD-R disc in to your CD burning drive.
  • Download OTLPEStd.exe and double-click on it to burn to a CD using ISO Burner.
  • Reboot your system using the boot CD you just created.

    Note: If you do not know how to set your computer to boot from CD, follow the steps here.

  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes.
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes.
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK.
  • OTL should now start. Change the following settings:
  • Change Drivers to Non-Microsoft.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\_OTL\MovedFiles
  • Copy this file to your USB drive if you do not have an internet connection on this system.
  • Please post the contents of the OTL.txt file in your reply.



Re: BOO/TDSS.M

Post by fairydraik on Sun 08 May 2011, 2:01 am

.....wow. Vista says it's gonna take half an hour to download that file.

I'm a little worried about this... I've never done anything like booting a computer from CD before.

Edit: Alright, it's downloaded. Time to burn the CD and get this to work....

Last edited by fairydraik on Sun 08 May 2011, 2:14 am; edited 1 time in total


Re: BOO/TDSS.M

Post by Belahzur on Sun 08 May 2011, 2:07 am

It's not a hard thing to do, it's just gonna be easier for both of us this way. Rather than fight through whatever blocks the malware has placed, bypass the whole system and boot a CD; that way the malware can't boot, as the CD doesn't need the HDD.



Re: BOO/TDSS.M

Post by fairydraik on Sun 08 May 2011, 2:22 am

Alright, makes sense. How long should it take for the CD to burn? OTLPEStd is at "0% extracting" right now, doesn't seem to be doing anything.


Re: BOO/TDSS.M

Post by Belahzur on Sun 08 May 2011, 2:24 am

It can depend on the hard drive of the machine you're using to burn it.

I burnt OTLPE for me a few weeks back; took me about 1hr total I'd say, but I'm using a 2.5GHz processor so it's quicker than most.



Re: BOO/TDSS.M

Post by fairydraik on Sun 08 May 2011, 2:25 am

Mmkay. So it's normal if it doesn't seem to be doing anything at all?


Re: BOO/TDSS.M

Post by Belahzur on Sun 08 May 2011, 2:27 am

Yes, give it a while; it may take some time to extract and burn if you're on a somewhat middle-ground machine.



Re: BOO/TDSS.M

Post by fairydraik on Sun 08 May 2011, 3:29 am

It's been around an hour and hasn't even made it to 1%. Should I be worried?

(Sorry if I sound a bit paranoid, I'm just... well... paranoid. Maybe it's 'cause I'm still sick...)

Edit: Avira was evidently running a scan, so I turned it off; it was probably interfering with the process....

Edit2: When checking to see if it was still responding, according to the Task Manager, I found that Windows Defender was running in the background. I ended that as well.


Re: BOO/TDSS.M

Post by fairydraik on Sun 08 May 2011, 5:26 am

After about three hours, it was still at 0%, so I turned it off. When I did so, Windows told me something about it not installing correctly, but I didn't want to mess with it. What now?


Re: BOO/TDSS.M

Post by Belahzur on Tue 10 May 2011, 6:51 am

Fair enough then, let's see if we can cut through the malware.

Please download Ice Sword from HERE

  1. Download the zip to your desktop and extract it.
  2. Open the Ice Sword folder and then launch IceSword.exe.
  3. Now, in the tool list on the left-hand side, hit the Process button at the top of the list.
  4. Just above the list, there is a log button; press that and save the log to your Desktop.
  5. Next, hit Startup in the left-side list.
  6. Press the log button again.
  7. Post the two logs in your next reply.



Re: BOO/TDSS.M

Post by fairydraik on Wed 11 May 2011, 8:03 am

oooookay. I got a BSoD when I tried to turn my computer on, I think we need to try the boot disk again.

Edit: No, it's going to let me get in this time. Let's try the IceSword..... if it doesn't work, I can try re-downloading OTLPE.

Edit2: On a hunch, I started aswMBR before the computer fully loaded up, and it's RUNNING. I clicked Scan and it's currently working.


Re: BOO/TDSS.M

Post by fairydraik on Wed 11 May 2011, 9:28 am

Here's the text from the scan. I noticed that one of the items ("IRP_MJ_CREATE") is the same or similar to the one that caused my comp to BSoD.

    aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
    Run date: 2011-05-10 18:06:27
    -----------------------------
    18:06:27.468 OS Version: Windows 5.1.2600 Service Pack 3
    18:06:27.468 Number of processors: 1 586 0x403
    18:06:27.546 ComputerName: D94LZ971 UserName:
    18:06:50.703 Initialize success
    18:07:06.343 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
    18:07:06.859 Disk 0 Vendor: ST380013 8.12 Size: 76293MB BusType: 3
    18:07:06.859 Disk 0 MBR read error 0
    18:07:06.859 Disk 0 MBR scan
    18:07:06.875 Disk 0 unknown MBR code
    18:07:06.875 MBR BIOS signature not found 0
    18:07:06.875 Disk 0 scanning sectors +156232125
    18:07:06.875 Disk 0 scanning C:\WINDOWS\system32\drivers
    18:09:10.156 Service scanning
    18:09:22.546 Disk 0 trace - called modules:
    18:09:22.546 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89d52730]<<
    18:09:22.578 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a724ab8]
    18:09:22.578 3 CLASSPNP.SYS[b8168fd7] -> nt!IofCallDriver -> [0x89cd8de0]
    18:09:22.578 \Driver\iaStor[0x89d93d78] -> IRP_MJ_CREATE -> 0x89d52730
    18:09:23.093 Scan finished successfully
    18:11:16.265 Disk 0 MBR has been saved successfully to "I:\MBR.dat"
    18:11:16.343 The log file has been saved successfully to "I:\aswMBR.txt"


Re: BOO/TDSS.M

Post by Belahzur on Wed 11 May 2011, 10:22 am

Yep, TDL4.

Do you have the XP disc? In case we need it, the fix for this can be dangerous.


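Belahzur's "TDL4" call rests on two things in the aswMBR log posted above: the MBR scan came back "unknown MBR code", and the disk-stack trace shows the iaStor IRP_MJ_CREATE dispatch pointing at an address aswMBR could only label >>UNKNOWN<<. As an added example (not from the thread, and not aswMBR's own code), this Python checker parses that log format and correlates the two indicators; the "clean" log it is compared against is constructed, and the line format it assumes is the one visible in the quoted log.

```python
import re

# The decisive lines of the aswMBR log quoted in this thread (trimmed).
THREAD_LOG = r"""
18:07:06.859 Disk 0 MBR scan
18:07:06.875 Disk 0 unknown MBR code
18:07:06.875 MBR BIOS signature not found 0
18:09:22.546 Disk 0 trace - called modules:
18:09:22.546 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89d52730]<<
18:09:22.578 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a724ab8]
18:09:22.578 \Driver\iaStor[0x89d93d78] -> IRP_MJ_CREATE -> 0x89d52730
18:09:23.093 Scan finished successfully
"""

# Constructed clean counterpart (not from the thread): recognised boot code
# and a disk stack in which aswMBR could name every module.
CLEAN_LOG = r"""
18:07:06.859 Disk 0 MBR scan
18:07:06.875 Disk 0 Windows XP default MBR code
18:09:22.546 Disk 0 trace - called modules:
18:09:22.546 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys
18:09:22.578 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a724ab8]
18:09:23.093 Scan finished successfully
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
IRP_RE = re.compile(r"(IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)")


def parse(log):
    """Return (timestamp, message) pairs for each well-formed log line."""
    entries = []
    for line in log.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def analyse(log):
    """List MBR-rootkit indicators: an unrecognised MBR, and any IRP dispatch
    in the disk-stack trace that lands on an address aswMBR marked UNKNOWN
    (code that is not a loaded, named driver)."""
    entries = parse(log)
    unknown = set()  # addresses the tool could not attribute to a module
    for _ts, msg in entries:
        m = UNKNOWN_RE.search(msg)
        if m:
            unknown.add(m.group(1).lower())
    findings = []
    for _ts, msg in entries:
        if "unknown MBR code" in msg:
            findings.append("MBR boot code is not a recognised OS loader")
        elif "MBR BIOS signature not found" in msg:
            findings.append("aswMBR could not find the MBR BIOS signature")
        m = IRP_RE.search(msg)
        if m and m.group(2).lower() in unknown:
            findings.append(f"{m.group(1)} hooked to unidentified code at {m.group(2)}")
    return findings
```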

Re: BOO/TDSS.M

Post by fairydraik on Wed 11 May 2011, 10:24 am

Ummmm.... I don't think so, I'd have to ask my mom and dad, and I do have Recovery Console installed.

Okay, Mom says I'd have to ask Dad, but like I said, I do have Recovery Console, if that helps any.
