TDSSKiller not running, rootkit, fixed mbr.
jarodss
post 16.11.2011 02:05
Post #1
Newbie
Group: Members
Posts: 3
Joined: 16.11.2011

There is a new strand of rootkit going around. I can use combofix and malwarebytes to remove most of it, but the rootkit remains. I know I have the problem when I cannot run tdsskiller. If I pull the drive I can remove it with microsoft security essentials, and it removes it but messes up the boot record. I used to be able to just do a fixmbr and fixboot and it would be fine, but this does not work on it anymore. In the past I was able to use resource tuner and change the Exe and remove all the tdss and kaspersky information in the application, and it would run and resolve the issue. However resource tuner no longer works with TDSSKiller, HELP!!!!!
richbuff
post 16.11.2011 04:27
Post #2
Oldtimer
Group: Moderators
Posts: 48812
Joined: 14.06.2007

Welcome. Let's take a peek at some logs. Four, for starters.

Please post the first two preliminary logs. Instructions are located in the first Important topic.

Also, please attach the other two logs:

3: Attach a Combofix log, please review these instructions carefully before downloading Combofix, and follow these instructions carefully after downloading Combofix.

Before downloading and Saving combofix to Desktop, please rename combofix to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (right click the K icon and click pause protection > Choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the Combofix file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.

Download Combofix here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

--------------------
The instructions posted here are for the original poster Only. If you have same or other issue, please see the first Important read me topic, and then open a New Topic for yourself.

And 4: Scan with Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php Update it first, scan and attach its log, but Please Don't remove anything yet, until the log is reviewed.


--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.
jarodss
post 16.11.2011 19:59
Post #3
Newbie
Group: Members
Posts: 3
Joined: 16.11.2011

I figured it out, just for your guys' reference and everyone else who runs into this (I do IT support and I have seen this now on about 20 machines and had to reload them from scratch). This virus creates a mysterious 8MB partition. If you slave this drive to another machine, remove the virus and then delete that partition, all you have to do is make the correct partition active and then do your fixmbr and fixboot, and it will work like a charm again.

edit: del quote.

This post has been edited by richbuff: 17.11.2011 06:09
zstray
post 18.11.2011 00:01
Post #4
Newbie
Group: Members
Posts: 3
Joined: 17.11.2011

I have confirmed the above post. I work in a repair shop and this was new to me. On this PC it created a 9MB partition at the end of the drive. I removed the partition, which caused antivirus to detect Alureon. I then made the main partition active, put the drive back in the customer's PC, booted into the recovery console and ran fixmbr and fixboot c:

All is well.
zstray
post 18.11.2011 00:29
Post #5
Newbie
Group: Members
Posts: 3
Joined: 17.11.2011

I also want to add that this variant will not allow Combofix to finish its run. It will get to the screen where it says it's scanning but goes inactive. It is still using the same website get-answers-fast to do its redirecting, so it seems to be basically the same thing that has been going around, just installed in a new way.
zstray
post 18.11.2011 01:00
Post #6
Newbie
Group: Members
Posts: 3
Joined: 17.11.2011

Also this was on a Windows XP machine. Have not seen this variant on Vista/7.
jarodss
post 18.11.2011 23:13
Post #7
Newbie
Group: Members
Posts: 3
Joined: 16.11.2011

QUOTE(zstray @ 17.11.2011 15:00)
Also this was on a Windows XP machine. Have not seen this variant on Vista/7.

Confirming this variant is on Windows Vista and 7 as well. Same procedure works; the only difference is the commands are bootrec /fixmbr and bootrec /fixboot.
thisisu
post 20.11.2011 12:04
Post #8
Member
Group: Members
Posts: 10
Joined: 20.11.2011

Confirming this as well.

First one I saw was 8.5MB.

The rest have been ~1.5MB
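The pattern described in posts #3, #4, #7 and #8 (an extra partition of a few MB at the end of the drive, the real system partition no longer marked active, and fixmbr/fixboot or bootrec only helping once the layout is corrected) can be checked before anything is deleted by reading the first sector of the slaved drive or of an image of it. The following is an added example, not code from this thread, from Kaspersky or from TDSSKiller: it parses the MBR partition table, flags tiny partitions and reports where the active flag sits. The 16 MB threshold, the 60 GiB/8 MiB sample disk and the file name mbr_check.py are assumptions.

```python
"""Inspect an MBR partition table for an unexpected tiny partition and for an
active flag that no longer sits on the real system partition.

Added example for this thread; not code from the forum, Kaspersky or TDSSKiller.
Offsets follow the classic MBR layout: four 16-byte entries at byte 446 and the
0x55AA signature at byte 510. The threshold and sample disk are constructed.
"""
from __future__ import annotations

import struct
import sys
from dataclasses import dataclass

SECTOR_BYTES = 512
MBR_SIGNATURE = b"\x55\xaa"
# status byte, CHS start (skipped), type byte, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"
TINY_PARTITION_MAX_BYTES = 16 * 1024 * 1024  # assumption; thread reports 1.5-9 MB


@dataclass
class Partition:
    index: int          # slot 0..3 in the table
    active: bool        # status byte 0x80
    type_id: int        # partition type byte (0x07 = NTFS/HPFS/exFAT)
    lba_start: int
    sector_count: int

    @property
    def size_bytes(self) -> int:
        return self.sector_count * SECTOR_BYTES

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sector_count - 1


def parse_mbr(mbr: bytes) -> list[Partition]:
    """Return the non-empty entries of a 512-byte MBR sector."""
    if len(mbr) < SECTOR_BYTES or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not an MBR: 0x55AA signature missing")
    parts = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue  # empty slot
        parts.append(Partition(i, status == 0x80, ptype, lba_start, count))
    return parts


def assess(parts: list[Partition]) -> dict:
    """Flag tiny partitions and check that exactly one partition, the largest
    one (presumed to be the OS volume), carries the active flag."""
    if not parts:
        return {"tiny": [], "active": [], "largest": None, "active_is_largest": False}
    largest = max(parts, key=lambda p: p.sector_count)
    active = [p.index for p in parts if p.active]
    tiny = [p.index for p in parts if p.size_bytes <= TINY_PARTITION_MAX_BYTES]
    return {"tiny": tiny, "active": active, "largest": largest.index,
            "active_is_largest": active == [largest.index]}


def report(mbr: bytes) -> list[str]:
    """Human-readable lines for one MBR sector: one per slot, then any warnings."""
    parts = parse_mbr(mbr)
    lines = []
    for p in parts:
        flag = "active" if p.active else "      "
        lines.append(f"slot {p.index}: {flag} type 0x{p.type_id:02x} "
                     f"LBA {p.lba_start}-{p.lba_end} ({p.size_bytes / 2**20:.1f} MiB)")
    verdict = assess(parts)
    for i in verdict["tiny"]:
        lines.append(f"WARNING: slot {i} is a tiny partition; compare with the layout expected for this machine")
    if not verdict["active_is_largest"]:
        lines.append(f"WARNING: active flag on slots {verdict['active']}, "
                     f"not on the largest partition (slot {verdict['largest']})")
    return lines


def build_mbr(entries) -> bytes:
    """Construct a 512-byte MBR from (active, type, lba_start, count) tuples; test data only."""
    sector = bytearray(SECTOR_BYTES)
    for i, (active, ptype, lba_start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, 446 + 16 * i,
                         0x80 if active else 0x00, ptype, lba_start, count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed disk matching the thread's description: a ~60 GiB NTFS system
# partition that has lost its active flag, plus an 8 MiB partition at the end
# of the drive that carries the flag instead.
SAMPLE_MBR = build_mbr([
    (False, 0x07, 63, 125_829_120),      # 60 GiB, not active
    (True, 0x07, 125_829_183, 16_384),   # 8 MiB, active
])

if __name__ == "__main__":
    # Usage: python mbr_check.py [disk_image_or_device]; reads only the first sector.
    data = open(sys.argv[1], "rb").read(SECTOR_BYTES) if len(sys.argv) > 1 else SAMPLE_MBR
    print("\n".join(report(data)))
```

Run it with no argument to see the constructed sample; pass the path of a raw image or of the slaved block device (opened read-only) to inspect a real drive. A flagged tiny partition is a prompt to compare against the layout the machine shipped with, since OEM recovery and diagnostic partitions are also small, not proof of infection on its own; the more telling sign in this thread is the active flag having moved off the Windows partition.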
sheckay
post 26.11.2011 22:12
Post #9
Newbie
Group: Members
Posts: 1
Joined: 26.11.2011

I think I have a computer with either the same infection, or some variant of it. I just have a few questions.
1- What do you use to get rid of the infection while scanning the drive in slave mode?
2- Can that 8 to 9 MB partition be seen while the infected system is booted?
3- Can I just boot to an Ubuntu live CD and delete that 8 or 9 MB partition?

Thanks


QUOTE(jarodss @ 16.11.2011 18:59)
I figured it out, just for your guys' reference and everyone else who runs into this (I do IT support and I have seen this now on about 20 machines and had to reload them from scratch). This virus creates a mysterious 8MB partition. If you slave this drive to another machine, remove the virus and then delete that partition, all you have to do is make the correct partition active and then do your fixmbr and fixboot, and it will work like a charm again.

edit: del quote.
