Help With TDSS.e!rootkit

Discussion in 'Malware Help (A Specialist Will Reply)' started by JuiceMane, Nov 25, 2011.

  1. JuiceMane

    JuiceMane Private E-2

    Hello Guys, I have some trouble removing this TDSS rootkit virus. I read the guide on how to use the TDSS Killer program; unfortunately, after I renamed it and changed the extension it still doesn't work. Currently I am using the Stinger tool, hopefully it will work out. Should I be thinking about reformatting my laptop?

    Thanks in advance for advice and guidance.
     
  2. thisisu

    thisisu Malware Consultant

  3. JuiceMane

    JuiceMane Private E-2

    Ok, I tried running the RootRepeal tool, but it crashed on me several times. ComboFix would run for a while before it shut off. This usually happened when it was through with extracting the files.
     

  4. JuiceMane

    JuiceMane Private E-2

    I attached the RootRepeal crash logs below just in case you will need it.
     

  5. thisisu

    thisisu Malware Consultant

    The highlighted is a hidden and active partition set by a new form of the TDL rootkit/bootkit.

    First we need to delete this partition before we can attempt to successfully restore a clean Master Boot Record (MBR). -- This should stop the redirects.

    Before we proceed, do you have your data backed up just in case I am unable to get your system booting to the correct partition again? Let me know before we proceed. We will also need 2 blank CDs to create a couple of bootable CDs to fix your MBR infection and to delete that partition.
     
  6. JuiceMane

    JuiceMane Private E-2

    Yes, everything is backed up and yes, I do have two blank CDs ready to go :)
     
  7. thisisu

    thisisu Malware Consultant

    Preferably from a clean computer, I need you to download: gparted-live-0.10.0-3.iso (115.1 MB)
    Windows 7 32-Bit (x86) Recovery Environment <-- you do not need this if you have your own Windows 7 DVD.

    Create a bootable CD, 1 for GParted and 1 for the Windows 7 Recovery Environment, from the ISO images. You can use ImgBurn to do this.

    Now boot off of the newly created Gparted CD.

    http://img829.imageshack.us/img829/5772/gpartedsplash.th.png
    You should be here...
    Press ENTER

    http://img5.imageshack.us/img5/7286/gpartedkeymaps.th.png
    By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.

    http://img404.imageshack.us/img404/9840/gpartedlanguage.th.png
    Choose your language and press ENTER. English is default [33]

    http://img140.imageshack.us/img140/7958/gpartedgui.th.png
    Once again, at this prompt, press ENTER

    You will now be taken to the main GUI screen below
    http://img32.imageshack.us/img32/1122/gpartedo.th.png
    According to your logs, the partition that you want to delete is 1.33 MB (1.33 MiB)
    Click the trash can icon to delete and then click Apply.

    You should now be here confirming your actions:
    http://img233.imageshack.us/img233/1533/gpartedsteps.th.png

    Now you should be here:
    http://img696.imageshack.us/img696/8471/gpartedsuccessclose.th.png

    http://img194.imageshack.us/img194/7753/gpartedboot.th.png
    Is "boot" next to your OS partition? According to your logs, the OS partition is 298 GB.

    If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags

    In the menu that pops up, place a checkmark in boot like the picture below:
    http://img196.imageshack.us/img196/3483/gpartedmanageflagsboot.th.png

    Now double-click the http://img822.imageshack.us/img822/641/gpartedexit.png button.

    You should receive a small pop up like this:
    http://img88.imageshack.us/img88/8986/gpartedexitreboot.png
    Choose reboot and then press OK.

    Now reboot from the Windows 7 Recovery Environment CD and execute the following commands:

    • bootrec /fixmbr
    • bootrec /fixboot
    • exit

    Once back in Windows...

    Rerun MBRCheck and attach the latest log to your next reply. (How to attach)
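    The diagnosis above rests on reading the partition table: a tiny partition carrying the active (boot) flag while the real 298 GB OS partition has lost it is the tell-tale layout of this bootkit, and the GParted and bootrec steps reverse exactly that. The script below is an added example, not part of this thread or of MBRCheck; it parses the four legacy MBR partition entries from a 512-byte sector and flags an active partition that is far too small to hold an operating system. The sample sector is constructed inline (the 16 MiB threshold, the NTFS type codes and the LBA offsets are assumptions chosen to mirror the sizes quoted in the thread).

```python
import struct
import sys

SECTOR = 512
MBR_SIGNATURE = b"\x55\xAA"
PARTITION_TABLE_OFFSET = 446
# Assumption: no bootable OS partition is this small; an active partition
# below this size deserves a look.
SUSPICIOUS_ACTIVE_MIB = 16


def parse_partition_table(mbr: bytes) -> list:
    """Parse the four 16-byte partition entries of a classic MBR sector."""
    if len(mbr) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status, 3 CHS-start bytes, type, 3 CHS-end bytes, LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:  # empty slot
            continue
        entries.append({
            "index": i,
            "active": bool(status & 0x80),
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mib": sectors * SECTOR / (1024 * 1024),
        })
    return entries


def likely_os_partition(entries: list) -> dict:
    """Heuristic: the largest partition is assumed to hold the OS."""
    return max(entries, key=lambda e: e["sectors"])


def find_suspicious_active(entries: list, max_mib: float = SUSPICIOUS_ACTIVE_MIB) -> list:
    """Active partitions too small to be a real OS volume."""
    return [e for e in entries if e["active"] and e["size_mib"] < max_mib]


def report(entries: list) -> list:
    """Human-readable findings; returns the lines so callers can test them."""
    lines = []
    for e in entries:
        flag = "active" if e["active"] else "      "
        lines.append(f"entry {e['index']}: type 0x{e['type']:02x} {flag} "
                     f"start LBA {e['lba_start']} size {e['size_mib']:.2f} MiB")
    os_part = likely_os_partition(entries)
    if not os_part["active"]:
        lines.append(f"WARNING: largest partition (entry {os_part['index']}) lacks the boot flag")
    for e in find_suspicious_active(entries):
        lines.append(f"WARNING: entry {e['index']} is active but only "
                     f"{e['size_mib']:.2f} MiB; likely a bootkit partition")
    return lines


def build_sample_mbr() -> bytes:
    """Constructed sector mirroring the thread: 298 GiB OS volume without the
    boot flag, plus a ~1.33 MiB partition marked active."""
    def entry(status, ptype, lba_start, sectors):
        return struct.pack("<B3xB3xII", status, ptype, lba_start, sectors)

    os_sectors = 298 * 1024 * 1024 * 1024 // SECTOR  # 298 GiB
    mbr = bytearray(SECTOR)
    mbr[446:462] = entry(0x00, 0x07, 2048, os_sectors)
    mbr[462:478] = entry(0x80, 0x07, 2048 + os_sectors, 2724)  # 2724 sectors = 1.33 MiB
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    # Pass a raw device or image path to inspect a real sector (needs read rights);
    # with no argument the constructed sample is analysed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            sector = fh.read(SECTOR)
    else:
        sector = build_sample_mbr()
    print("\n".join(report(parse_partition_table(sector))))
```

    On the constructed sample the report flags entry 1 as an active 1.33 MiB partition and notes that the 298 GiB partition has no boot flag, which is the condition the GParted delete and Manage Flags steps correct before bootrec rewrites the MBR and boot sector.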
     
  8. thisisu

    thisisu Malware Consultant

    I'm going to sleep now. If you have any issues booting after doing the above I will be online tomorrow evening to help you.
     
  9. JuiceMane

    JuiceMane Private E-2

    Thanks everything seems to be working much better now and I just did a scan, looks like the tdss is gone.
     

  10. thisisu

    thisisu Malware Consultant

    Glad to hear it.

    http://img684.imageshack.us/img684/3557/tdsskiller.gif I want you to read and follow these instructions: TDSSKiller - How to run

    Can you also retry running ComboFix. You may want to download a clean copy of it if the old copy doesn't work.

    I will review the rest of your logs when I get home from work.
     
  11. JuiceMane

    JuiceMane Private E-2

    Here are the logs you asked for. I did miss the part in the TDSS guide about suspicious objects (I found out what to do after I reread the guide). Instead of skipping the threats, I just deleted them since I knew what they were.
     

  12. thisisu

    thisisu Malware Consultant

    What are the below files? Please delete them if you do not know.
    http://img825.imageshack.us/img825/2648/hjt.gif Run C:\MGtools\analyse.exe by double-clicking it (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Choose "Do a system scan only" and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:
    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

    http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
    Code:
    :processes
    killallprocesses
    :files
    C:\Users\Administrator\AppData\Local\Conduit
    C:\Program Files\Conduit
    C:\Windows\System32\E177E04D548C4006A465EEB92D3DE021
    xcopy %temp%\smtmp\1 "%programdata%\start menu" /s /i /h /y /c
    xcopy %temp%\smtmp\2 "%appdata%\microsoft\internet explorer\quick launch" /s /i /h /y /c
    xcopy %temp%\smtmp\3 "%appdata%\microsoft\internet explorer\quick launch\user pinned\taskbar" /s /i /h /y /c
    xcopy %temp%\smtmp\4 "%programdata%\desktop" /s /i /h /y /c
    :reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    :commands
    [purity]
    [emptyjava]
    [emptyflash]
    
    Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    http://img195.imageshack.us/img195/9049/javaz.gif Now install the current version of Sun Java from: Sun Java Runtime Environment

    http://img17.imageshack.us/img17/3214/baticonvista7.gif Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know what issues remain after completing the above steps and let me know if you are experiencing any problems with missing/hidden desktop, start menu and/or quick launch items.
     
  13. JuiceMane

    JuiceMane Private E-2

    Everything seems fine now; I was experiencing the hidden desktop/start menu after I restarted my computer from using OTL. The "hgggg.txt" file has something to do with my McAfee virus scanner. If I remember correctly it is a log of McAfee on-access scan activity.
     

  14. thisisu

    thisisu Malware Consultant

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program, which will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  15. JuiceMane

    JuiceMane Private E-2

    Just would like to say thanks, sorry I did not say so sooner, just been busy with school :(.
     
  16. thisisu

    thisisu Malware Consultant

    You're welcome. Surf safely! :)
     
  17. JuiceMane

    JuiceMane Private E-2

    One last problem: I can't seem to be able to run Windows Update, I keep getting the error code 80070005. Does this mean I still have malware on my computer?
     
  18. thisisu

    thisisu Malware Consultant

    http://img805.imageshack.us/img805/3189/windowsrepair.gif Please download Windows Repair by Tweaking.com to your desktop.
    • See the download links under this icon: http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double-click tweaking.com_windows_repair_aio.zip and extract the Tweaking.com - Windows Repair folder to your desktop.
    • Now open this folder and double-click Repair_Windows.exe.
    • Click the Start Repairs tab on the far right.
    • Click Custom Mode so there is a bullet in it.
    • Click the Start button (bottom right)
      Note: You will be asked if you would like to create a restore point. It is recommended, just in case something does not go as planned.
    • Click Unselect All
    • Put a checkmark in the following items:
      • Repair Windows Update
      Note: Leave everything else unchecked
    • Now click the Start button (bottom right)
    • Reboot when requested.
     
  19. JuiceMane

    JuiceMane Private E-2

    Thanks Again for your help!
     
  20. thisisu

    thisisu Malware Consultant

    No problem :)
     
