Jarodss

TDSSKiller not running, rootkit.

9 posts in this topic

There is a new strain of rootkit going around. I can use Combofix to remove most of it, and Malwarebytes, but the rootkit remains. I know I have the problem when I cannot run TDSSKiller. If I pull the drive I can remove it with Microsoft Security Essentials, and it removes it, but it messes up the boot record. I used to be able to just do a fixmbr and fixboot and it would be fine. But this does not work on it anymore. In the past I was able to use Resource Tuner and change the Exe and remove all the TDSS and Kaspersky information in the application, and it would run and resolve the issue. However Resource Tuner no longer works with TDSSKiller, HELP!!!!!


Welcome. Let's take a peek at some logs. Four, for starters.

Please post the first two preliminary logs. Instructions are located in the first Important topic.

Also, please attach the other two logs:

3: Attach a Combofix log. Please review these instructions carefully before downloading Combofix, and follow these instructions carefully after downloading Combofix.

Before downloading and saving Combofix to Desktop, please rename Combofix to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (right click the K icon and click pause protection > choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the Combofix file you downloaded. Follow the onscreen prompts to start the scan.

Once the scanning process has started, please DO NOT click on the Combofix window or attempt to use your computer, as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning. Do not worry, this is normal and they will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.

Download Combofix here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

--------------------

The instructions posted here are for the original poster only. If you have the same or another issue, please see the first Important read me topic, and then open a New Topic for yourself.

And 4: Scan with Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php Update it first, scan and attach its log, but please don't remove anything yet, until the log is reviewed.


I figured it out, just for you guys' reference and everyone else who runs into this. "I do IT support and I have seen this now on about 20 machines and had to reload them from scratch." This virus creates a mysterious 8MB partition. If you slave this drive to another machine and remove the virus, then delete that partition, all you have to do is make the correct partition active and then do your fixmbr and fixboot, and it will work like a charm again.

edit: del quote.

Edited by richbuff
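An added example, not from any poster in this thread: a small Python check over the raw MBR partition table that lists each entry's size and active flag, so the small trailing partition the posters describe and a misplaced active flag can be spotted on a slaved drive before running fixmbr/fixboot. The MBR bytes below are constructed for the example; a real check would read the first 512 bytes of the slaved disk device instead, and it assumes a classic MBR rather than GPT.

```python
import struct

SECTOR = 512
ENTRY = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, LBA start, sector count

def parse_mbr(mbr):
    # Return the non-empty entries of the four-slot MBR partition table.
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        boot, _, ptype, _, lba, count = struct.unpack_from(ENTRY, mbr, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue  # unused slot
        parts.append({"index": i, "active": boot == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count,
                      "size_mb": count * SECTOR / (1024 * 1024)})
    return parts

def suspicious_partitions(parts, max_small_mb=16.0):
    # Flag tiny partitions (the thread reports 1.5 to 9 MB ones) and an active
    # flag that does not sit on the largest partition, which is what the posters
    # had to repair by hand before fixmbr/fixboot.
    findings = []
    if not parts:
        return findings
    largest = max(parts, key=lambda p: p["sectors"])
    for p in parts:
        if p["size_mb"] <= max_small_mb:
            findings.append(f"partition {p['index']}: only {p['size_mb']:.1f} MB at LBA {p['lba_start']}")
        if p["active"] and p is not largest:
            findings.append(f"partition {p['index']} is active but is not the main partition")
    return findings

def build_mbr(entries):
    # Construct a test MBR from (active, type, lba_start, sectors) tuples.
    mbr = bytearray(SECTOR)
    for i, (active, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY, mbr, 446 + 16 * i, 0x80 if active else 0,
                         b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

# Constructed sample: a 40 GB NTFS system partition that lost its active flag,
# then an 8 MB partition at the end of the disk, as the posters describe.
GB40 = 40 * 1024 * 1024 * 1024 // SECTOR
SAMPLE_MBR = build_mbr([(False, 0x07, 63, GB40),
                        (True, 0x07, 63 + GB40, 8 * 1024 * 1024 // SECTOR)])
```

Reading the sector from the slaved disk rather than asking the infected OS for its partition list sidesteps any hiding the rootkit does while that OS is running.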


I have confirmed the above post. I work in a repair shop and this was new to me. On this PC it created a 9MB partition at the end of the drive. I removed the partition, which caused antivirus to detect Alureon. I then made the main partition active. Put the drive back in the customer's PC, boot into recovery console and run fixmbr and fixboot c:

All is well.


I also want to add that this variant will not allow Combofix to finish its run. It will get to the screen where it says it's scanning but goes inactive. It is still using the same website get-answers-fast to do its redirecting, so it seems to be basically the same thing that has been going around, just installed in a new way.


Also this was on a Windows XP machine. Have not seen this variant on Vista/7.

Also this was on a Windows XP machine. Have not seen this variant on Vista/7.

Confirming this variant is on Windows Vista and 7 as well. Same procedure works; the only difference is the command is bootrec /fixmbr and bootrec /fixboot.


Confirming this as well.

First one I saw was 8.5MB.

The rest have been ~1.5MB.

 


I think I have a computer with either the same infection, or some variant of it. I just have a few questions. 1- What do you use to get rid of the infection while scanning the drive in slave mode? 2- Can that 8 to 9 MB partition be seen while the infected system is booted? 3- Can I just boot to an Ubuntu live CD and delete that 8 or 9 MB partition?

Thanks
