rootkit.tdss.v2 & tracking cookies

February 28, 2012 at 16:12:38
Specs: Windows Vista
after googling, i keep getting referred back to here so i thought i'd try some of the recommendations from here.

norton doesn't seem to pick this virus up yet spydoctor does. it removes it every time but it comes back. i tried root repeal but it came back with over 400 locked/hidden files? that's what confuses me plus i didn't see any with .sys like the guide said. i'm really at a loss here. i don't think there's any issue with running but i have no idea how long this has been here. also every time i scan, there's always tracking cookies, ranging from 15-30 each scan.

help please?




#1
February 28, 2012 at 18:01:16
Hi there! I'm SongCloud and I'd be happy to help you get rid of this infection. Please note that I am a volunteer and may not respond immediately to questions.

There may be infected files on your machine and due to the nature of the TDSS rootkit, they may be hidden from Norton and other scanners.

Please review all of my instructions first and ensure that all of the requested files are downloaded before beginning. If you have any questions or are unsure of any of my instructions, please ask me before proceeding.

First of all, please terminate Norton's on-access or real-time scanner before beginning these instructions as it will interfere with the programs we will be using. Also exit or stop SpyDoctor as well to ensure it will not conflict with our scans.

To begin with, download RKill from here: http://download.bleepingcomputer.co... and save it to your desktop.

Right click on the RKill icon and click "Run as Administrator". Click yes to the UAC prompt. Allow RKill to run and it will kill any currently running malware. Once it is done, it will open a log called RKill.log which should also be saved to C:\Rkill.log. Please copy/paste the contents of this log into your next reply.

Next download TDSSKiller from http://support.kaspersky.com/downlo... and save it to your desktop. Right click on TDSSKiller and select Run as Administrator. When the program opens, click on "Change Parameters" and check the box for "Verify driver digital signatures" and also the box for "Detect TDLFS file system". Click OK and start scan.
**IMPORTANT** DO NOT CLEAN ANY DETECTIONS THAT ARE FOUND YET.
Once the scan is done, select "Skip" as the action for any suspect files. If the TDSS infection is found or the TDLFS file system is found, these can be cleaned and a reboot will be needed. The scan/cleaning will place a log file in the root of the C: drive, please attach it to your reply.

Next download aswMBR from http://public.avast.com/~gmerek/asw... and save it to your desktop. Right click on the downloaded file and select "Run as Administrator". Once it is running, select No at the prompt to download the Avast! virus definitions. Click on the scan button and allow the program to scan for bootkit/rootkit infections. DO NOT ATTEMPT TO CLEAN ANY SUSPECT OR INFECTED FILES AT THIS TIME. Click on the button labeled "Save log" and save the log to your desktop. Please include this log in your next reply.

Finally, download OldTimer's List It (OTL) from http://oldtimer.geekstogo.com/OTL.exe and save it to your desktop. Right click on the downloaded file and select "Run as Administrator". When the program is running, check the boxes for "LOP check" and "Purity Check". If you have a 64-bit machine, be sure that the box at the top labeled "Include 64bit Scans" is checked. Now click on the Run Scan button. Allow the program to scan. When it is complete, it will open up 2 log files named Extras.txt and OTL.txt, both will be saved to your desktop. Please cut and paste these into your reply.

Once you have run these scans, please copy/paste the contents of the requested logs in your reply back here. There should be 5 total logs. (The RKill log, the TDSSKiller log, the aswMBR log, OTL.txt and Extras.txt.) I will review the logs and will let you know what we need to do next.

-----
IT Desktop & Network Consultant - MOS Master Certified, MCP, MCITP - Windows 7, CCNA Certificate Pending, A+, Network +

::geek::



#2
February 28, 2012 at 18:45:41
i think my reports are too big.. it's not letting me post?

perhaps this will work?
http://www.scribd.com/fullscreen/83...



#3
February 28, 2012 at 19:19:00
No Problem. Please PM me on here and I will give you an email address that you can send them to.

EDIT: Actually, i just saw the link that you posted. Let me review them there and see what I can find. I will let you know if I need you to email them to me or if this will work. Thanks!




#4
February 28, 2012 at 19:45:18
Rayne,

I did not see the aswMBR log in the posted logs. Please post it in a reply here or PM me for an email address that you can send the log to for review.




#5
February 29, 2012 at 05:59:20
aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
Run date: 2012-02-28 21:14:52
-----------------------------
21:14:52.948 OS Version: Windows 6.0.6001 Service Pack 1
21:14:52.948 Number of processors: 2 586 0xF0D
21:14:52.950 ComputerName: MAGDALENE-PC UserName: Magdalene
21:14:54.229 Initialize success
21:14:59.275 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
21:14:59.279 Disk 0 Vendor: Hitachi_HTS542525K9SA00 BBFOC31P Size: 238475MB BusType: 3
21:14:59.302 Disk 0 MBR read successfully
21:14:59.307 Disk 0 MBR scan
21:14:59.312 Disk 0 unknown MBR code
21:14:59.328 Disk 0 Partition 1 00 27 Hidden NTFS WinRE MSDOS5.0 10000 MB offset 2048
21:14:59.350 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 114243 MB offset 20482048
21:14:59.376 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 114230 MB offset 254451712
21:14:59.388 Disk 0 scanning sectors +488394752
21:14:59.452 Disk 0 scanning C:\Windows\system32\drivers
21:15:06.597 Service scanning
21:15:26.444 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
21:15:33.042 Modules scanning
21:15:43.650 Disk 0 trace - called modules:
21:15:43.687 ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x85aba1f8]<<
21:15:43.698 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x866883f0]
21:15:43.710 3 CLASSPNP.SYS[8afa2745] -> nt!IofCallDriver -> [0x86688c58]
21:15:43.721 5 PCTCore.sys[8a7a5407] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85b47ba0]
21:15:43.733 \Driver\atapi[0x85b3f5b8] -> IRP_MJ_CREATE -> 0x85aba1f8
21:15:43.745 Scan finished successfully
21:15:53.571 Disk 0 MBR has been saved successfully to "C:\Users\Magdalene\Documents\MBR.dat"
21:15:53.582 The log file has been saved successfully to "C:\Users\Magdalene\Documents\aswMBR.txt"



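As an added example (not part of this thread), a small Python triage script for logs in the aswMBR format posted above. It flags the indicators a helper reads off by hand: unrecognised MBR code, driver files reported as locked, unknown modules in the disk call trace, and a driver dispatch routine whose target is one of those unknown addresses. The sample lines are constructed to match the format shown above, not the full log.

```python
import re

# Constructed sample in the format of the aswMBR log posted above (not the full log).
SAMPLE_LOG = """\
21:14:59.312 Disk 0 unknown MBR code
21:15:26.444 Service sptd C:\\Windows\\System32\\Drivers\\sptd.sys **LOCKED** 32
21:15:43.687 ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x85aba1f8]<<
21:15:43.733 \\Driver\\atapi[0x85b3f5b8] -> IRP_MJ_CREATE -> 0x85aba1f8
21:15:43.745 Scan finished successfully
"""

# "Service <name> <path> **LOCKED** <n>" lines: the scanner could not read the driver file.
LOCKED_RE = re.compile(r"^\S+ Service (\S+) (\S+) \*\*LOCKED\*\* \d+$")
# ">>UNKNOWN [0xADDR]<<" inside the disk call trace: code outside any known module.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
# "\Driver\<name>[0x..] -> IRP_MJ_xxx -> 0xADDR": where a driver's dispatch routine points.
DISPATCH_RE = re.compile(r"^\S+ (\\Driver\\\S+?)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)$")


def triage(log_text):
    """Return a list of (severity, message) findings from an aswMBR-style log."""
    findings = []
    unknown_addrs = set()
    dispatch = []  # (driver, irp major function, target address)
    for line in log_text.splitlines():
        line = line.rstrip()
        if "unknown MBR code" in line:
            findings.append(("medium", "MBR code not recognised; compare the saved MBR.dat with a known-good MBR"))
        m = LOCKED_RE.match(line)
        if m:
            findings.append(("low", f"service {m.group(1)} has a locked driver file {m.group(2)}"))
        for addr in UNKNOWN_RE.findall(line):
            unknown_addrs.add(addr.lower())
            findings.append(("medium", f"disk call trace reaches an unknown module at {addr}"))
        m = DISPATCH_RE.match(line)
        if m:
            dispatch.append((m.group(1), m.group(2), m.group(3).lower()))
    # Correlation: a dispatch routine that lands in unknown code is the strongest single indicator
    # in this log format, consistent with a hooked disk driver and worth confirming by hand.
    for driver, irp, addr in dispatch:
        if addr in unknown_addrs:
            findings.append(("high", f"{driver} {irp} dispatch points to unknown code at {addr}"))
    return findings


def worst_severity(findings):
    """Highest severity present, or 'none' for a clean log."""
    order = {"low": 0, "medium": 1, "high": 2}
    return max((f[0] for f in findings), key=order.get, default="none")
```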

#6
February 29, 2012 at 14:38:12
The simplest way might be to run these 3 progs in the EXACT order listed:
1- rkill.exe (stops the malware process)
2- tdss killer (removes the unwanted rootkit if found)
3- malwarebytes (do a full scan and THEN reboot the PC)
That should work for you as it is a TDSS rootkit you have installed

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds



#7
March 1, 2012 at 08:33:01
Rayne,

Could you post the original SpyDoctor logs that are detecting the rootkit? I want to verify what I am seeing in the current logs. Thanks!




#8
March 1, 2012 at 15:42:06
how would i do that, lol?


#9
March 1, 2012 at 17:05:54
did you try response #6?
Also, as far as the tracking cookies go...just run super anti-spy....it will get rid of those culprits...




#10
March 1, 2012 at 17:08:36
oh, oops. didn't even see that! would the malwarebytes free version do the trick or would i be better off using norton or spydoctor?


#11
March 1, 2012 at 17:14:49
No problem....I would use malwarebytes....but try those 3 in that order...it does work, because you have a tdss rootkit problem




#12
March 1, 2012 at 17:57:23
when i scan with the tdss killer it doesn't remove it, only quarantines it. is that okay?


#13
March 1, 2012 at 18:09:05
it should let you delete it, but quarantine is ok, then malwarebytes should remove it




#14
March 2, 2012 at 15:04:37
yeah, that way didn't work.


#15
March 2, 2012 at 16:24:38


#16
March 4, 2012 at 15:11:26
that didn't work either. :/ in fact, it's made the other stuff worse..
