tdss filesystem found

October 1, 2011 at 09:05:16
Specs: Windows 7 x64, i7 960, 8gb

Hello; I recently ran TDSSKiller from Kaspersky (I routinely run it since I got burned twice by rootkit pests lately) and at the end, the program says it found two suspicious objects in harddisk0\dr0 and harddisk1\dr1. It says they are TDSS filesystems. Now, I had the temptation to delete them with the TDSS tool and try repairing the MBRs with bootrec commands, but I am not sure I'm not gonna lose or damage the partitions and the data. I can provide the TDSSKiller log file if needed. How should I treat this problem? Thanks in advance - Ian




#1
October 1, 2011 at 12:41:49

bandit78,

Before we tackle the problem, please use the following tool; it will give information on what is going on in the system, and then we will take it from there:

Download DDS from one of these locations:
http://download.bleepingcomputer.co...
http://download.bleepingcomputer.co...


Save it to the Desktop
Windows 7: Right-click the dds file and select: Run as Administrator

When done, DDS opens two logs:
-DDS.txt
-Attach.txt

Save both reports to your Desktop.

Since these reports are large, please go to the Uploading website:
http://uploading.com/files/upload/

In: Select files to upload, click 'Browse', and 'Look in' the Desktop.
Select the DDS.txt, and click on 'Open'
You will see the following:
Your file has been uploaded successfully: (Name and size of the file)

Please copy the 'Download link'.

Do the same uploading for the Attach.txt.

Please copy the 'Download link', for each report, and provide them in your reply.

Thanks!

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/ Member of UNITE and the
Alliance of Security Analysis Professionals



#2
October 2, 2011 at 02:40:31

Hello sir, and thanks for your prompt answer. I downloaded and ran the script as you indicated; I also went through the logs it created and I must say there is way more info on my system in there than I'm ready to give out. I know I may sound a little paranoid, but anyway, excuse me and thank you again for your time.

#3
October 2, 2011 at 09:36:12

bandit78,

Without information from your system, it is very difficult to get to the root of the problem.

You mentioned: "... i can provide tdss killer log file"

If you wish to do so, post it in your reply, and we'll see where we can go with it.


Also, download aswMBR:
http://public.avast.com/~gmerek/asw...

Save it to the Desktop.

Right-click the file and select: Run as Administrator

Click Scan

Upon completion of the scan, click ‘Save log’ and save it to the Desktop.
Note - Please do NOT attempt to fix anything!!

Also post the log produced by 'aswMBR' in your reply.
It is a short report.

You will notice that another file is created on the Desktop.
It is named MBR.dat

Please keep the file on the Desktop, and do not do anything with it.
This is important, just in case we need to have access to the Master Boot Record (MBR) information.

Thanks.


#4
October 2, 2011 at 11:08:44

OK, I downloaded and ran aswMBR and saved the log. The link is:

http://uploading.com/files/a91a4ce6...

It also generated MBR.dat, which I left on my desktop as instructed.
Here is the TDSS log link:

http://uploading.com/files/8544bd9d...



#5
October 2, 2011 at 18:49:31

bandit78,

Do you have a previous TDSSKiller report?

By default, the tool outputs its log to the system disk root folder (the disk with the Windows operating system, normally C:\).

Logs have a name like:
C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

If you do have a previous log, please post in your reply. (Do not upload.)

Is there any reason why you changed the TDSSKiller parameters and selected:
-Verify driver digital signatures
-Detect TDLFS file system

Did someone tell you to do so?


Also, please submit the MBR.dat file that you kept on the Desktop to Virus Total for analysis:
http://www.virustotal.com/

Use the 'Browse' button to navigate to the location of the file.

Click on the file

Then, click the 'Open' button.
The file is now displayed in the Submit Box.

Scroll down and click 'Send File', and wait for the results

If you get a message saying: 'File has already been analyzed', click 'Reanalyze file now'

Once scanned, please provide the link to the results page in your reply.


#6
October 3, 2011 at 08:54:32

Hello. Here is the link to the VirusTotal MBR.dat analysis:

http://www.virustotal.com/file-scan...



#7
October 3, 2011 at 09:00:29

I am also trying to post the TDSS log you requested, but the site doesn't seem to respond when I do so. I don't know, maybe it's too long. I can tell you, however: yes, I have selected the parameters you mentioned, and no, no one told me to do so. I did it because about two months ago I was infected with a TDSS-like rootkit which destroyed one of my partitions (luckily not the system one), so I enabled the parameters just to be sure (although, even if I know what an MBR is and does, I'm not sure which were the best options in this case). I'll try to post the log again in some time; if it doesn't work I will upload it, although I am positive that the tool was configured the same as in the log you have already seen, so it is likely most similar.

#8
October 3, 2011 at 10:10:11

Nope. No luck on pasting the log and trying to post it, the site won't let me. Here is the link to the log:

http://uploading.com/files/em316a72...

I'm almost sure it is pretty much like the other one you have already seen. Anyway, thank you again for your time.

#9
October 3, 2011 at 12:47:59

bandit78,

VirusTotal sees a clean file in MBR.dat
There is no malware showing there.

TDSSKiller detects the TDL file system only when forced to run with the "TDLFS" parameter.

After removing an active TDSS infection, its file system poses no threat.


As far as fixing the MBR, I am really reluctant to do that.
It does not show as being infected.

Will do some more digging' on the issue, but we do not want to mess up Windows 7.

What kind (make/model) of computer is this?


#10
October 3, 2011 at 13:43:38

The computer is an Intel i7 960, LGA 1366, mostly devoted to gaming.
I too think there's no need to fiddle with the MBR if the tool only detected some leftover FS of the pest.

#11
October 3, 2011 at 14:44:37

Intel Core i7-960 Processor 3.20 GHz 8 MB Cache Socket LGA1366

This is a CPU...

Is this a custom made PC with that CPU unit, or is it a purchased computer with a specific Brand Name and Model Number?

The reason for the question, is the computer one for which there is a recovery partition?


#12
October 4, 2011 at 04:06:09

This PC is custom built. I always pick components according to my needs and build my systems; it seems more cost-effective to me than buying branded models with preinstalled OS and software. I think the drawback here is that I don't get recovery partitions and other useful features.

#13
October 4, 2011 at 08:01:39

Do you have any TDSSKiller report showing the TDLFS file system which the TDL rootkit created in the last sectors of the hard disk drives?

They would probably look like:

\HardDisk0\TDLFS\cfg.ini
\HardDisk0\TDLFS\mbr
\HardDisk0\TDLFS\bckfg.tmp
\HardDisk0\TDLFS\cmd.dll
\HardDisk0\TDLFS\drv64
\HardDisk0\TDLFS\cmd64.dll
\HardDisk0\TDLFS\drv32

If they showed up, were the files copied to quarantine?


#14
October 5, 2011 at 07:34:39

I am afraid not. I have only three reports on my system, which were created only recently, including the ones I uploaded. I went through them looking for strings like the ones you mentioned but could not find any. Regretfully, I don't have any reports from the time when the infection really hit.

#15
October 5, 2011 at 11:08:33

bandit78,

To remove the TDLFS entry, did you select the "Delete" action in the 'Threats Detected' action choice window?

See image:
http://forum.kaspersky.com/index.ph...


#16
October 5, 2011 at 14:12:10

No; I left the default option, which was "skip". I wanted to know a little more before doing this because I was afraid of damaging the partitions.

#17
October 5, 2011 at 14:14:22

When I was really infected, however, I had TDSS delete the threats (but clearly I ran it without the "detect TDL file system" option on).

#18
October 6, 2011 at 02:14:44

Excuse me, please disregard the last post, I meant "detect TDL file system option off".

#19
October 6, 2011 at 09:12:05

After doing a little more diggin', as we already know, the TDLFS file system which the TDL 3/4 rootkits use is created in the last sectors of hard disk.
The Master Boot Record (MBR) consists of a sequence of bytes located at the first sector of a data storage device such as a hard disk.

So, removing the TDLFS File System entries can be done by selecting 'Delete' in the 'Threats Detected' action choice window.
http://forum.kaspersky.com/index.ph...

There should be no repercussions on the MBR.

However, whether those useless files remain on your hard disk, or whether they go, is a decision you would need to make. There is always a risk in this world of computers. Nothing is guaranteed.

If you decide to Delete the TDLFS, you may want to consider doing the following: http://www.sevenforums.com/tutorial...

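As an added illustration of the MBR layout post #19 describes (this is example code, not from the thread, from TDSSKiller or from aswMBR): the Python below parses a 512-byte MBR image such as aswMBR's MBR.dat, checks the 0x55AA boot signature, lists the partition table and reports how many sectors lie between the last partition and the end of the disk, which is the region where the post says TDLFS is written. The sample MBR bytes and the disk size are constructed here and are assumptions, not values from the thread.

```python
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(partitions):
    """Build a CONSTRUCTED 512-byte MBR image (not a real MBR.dat capture):
    446 bytes of zeroed boot code, four 16-byte partition entries, 0x55AA."""
    table = b"".join(
        struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        for status, ptype, lba, count in partitions
    ).ljust(64, b"\0")
    return b"\0" * 446 + table + b"\x55\xAA"


def parse_mbr(data):
    """Return the non-empty partition entries of an MBR image, or raise if the
    image is shorter than a sector or lacks the 0x55AA signature at offset 510."""
    if len(data) < SECTOR:
        raise ValueError("MBR image shorter than one 512-byte sector")
    if data[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, data[off:off + 16])
        if ptype != 0:                      # partition type 0 means an unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "first_lba": lba, "last_lba": lba + count - 1})
    return parts


def trailing_unpartitioned_sectors(parts, disk_sectors):
    """Sectors after the end of the last partition and before the end of the disk.
    Post #19 places TDLFS in the last sectors of the disk, i.e. inside this gap, so
    a gap larger than expected is worth inspecting (disk_sectors is an assumed input)."""
    if not parts:
        return disk_sectors
    last = max(p["last_lba"] for p in parts)
    return disk_sectors - 1 - last


if __name__ == "__main__":
    # Constructed layout: a 100 MiB bootable NTFS partition followed by a second one.
    sample = build_sample_mbr([(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1000000)])
    table = parse_mbr(sample)
    for p in table:
        print(p)
    print("unpartitioned tail sectors:", trailing_unpartitioned_sectors(table, 1210000))
```

Run it against a real MBR.dat by replacing the constructed sample with the file's bytes and the assumed disk size with the drive's actual sector count.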

#20
October 7, 2011 at 11:58:41

Very well; I will probably delete the suspect objects, but first I'll take some measures like creating an OS backup image and securing some data I don't want to lose, just in case. Anyway, I thank you again for your support; I really appreciate the work you people do to help out troubled users. Goodbye then, aaflac44.

#21
October 7, 2011 at 12:41:17

Good luck, bandit78!!
