Anthony Boyle
2 Bronze

Rootkit.Win32.TDSS.tdl4 virus

Hi,

My wife has this virus on her Dell Vostro 410 PC. From what I can gather off the web it hides in the MBR and reinfects the machine on every boot, even after rootkit cleaners have erased it from the OS.

I have tried Kaspersky's TDSSKiller, and although it appears to have killed the OS rootkit with a tweak (renamed the file before running it), on reboot it's still in the MBR. And we are still getting redirects.

None of the tools I've been trying will function. GMER, UnHackMe, Prevx CSI etc. won't run - they either freeze or shut down. I haven't tried Combofix yet but I don't expect I'll fare any better with that and I wouldn't know how to use it anyway without help. Kaspersky's online scanner freezes on the page, as do all other Kaspersky pages (I managed to download TDSSKiller by downloading it to my machine and transferring it using a pen drive).

One fix appears to be replacing the MBR with a copy through the recovery console using the fixmbr tool. However, Dell PCs use a proprietary MBR and replacing it in this way will bugger up the partitions, see here:

http://en.community.dell.com/support-forums/software-os/f/3524/t/19325495.aspx

and here:

I need help with this and if possible a copy of a Dell MBR. Apparently it doesn't matter which Dell model it comes from. The site above explains it in more detail.

Hitting F12 at boot gives me the following information:

HARD DISK 
 
      - SATA-0 Hitachihi HDP725050GLA36
      - BOOTABLE ADD-IN CARDS
CDROM
UTILITY PARTITION

I tried Dell telephone support (we still have support until 2012, but only hardware, it seems, so no help there except a remote reinstall for a fee. I'm hoping to avoid that). 

I've been at this for days now and am exhausted looking for a fix.

Tony
55 Replies
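An added Python example, not part of the thread, illustrating the point Tony makes above: the infection sits in the MBR boot code, outside the files an OS-level cleaner can reach, so a defender compares the boot-code region of sector 0 against a hash recorded while the machine was known clean. The MBR bytes below are constructed sample data; on a real system the image would be a raw read of sector 0 taken from clean boot media, and the baseline would have to come from the vendor's own MBR, since Tony notes the Dell MBR is non-standard.

```python
import hashlib
import struct

# MBR layout: 440 bytes of boot code, disk signature/reserved bytes, four
# 16-byte partition entries from offset 446, then the 0x55AA signature.
BOOT_CODE_LEN = 440
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed 512-byte MBR (sample data, not from a real disk): the given
    boot code, a vendor utility partition (type 0xDE) and an active NTFS one."""
    entries = [
        # status, CHS start, type, CHS end, LBA start, sector count
        struct.pack("<B3sB3sII", 0x00, b"\x01\x01\x00", 0xDE, b"\xfe\xff\xff", 63, 160650),
        struct.pack("<B3sB3sII", 0x80, b"\xfe\xff\xff", 0x07, b"\xfe\xff\xff", 160713, 976000000),
    ]
    table = b"".join(entries).ljust(4 * PART_ENTRY_LEN, b"\x00")
    return boot_code.ljust(PART_TABLE_OFF, b"\x00") + table + BOOT_SIGNATURE

def parse_partitions(mbr: bytes) -> list:
    """Return (active, type, lba_start, sector_count) for each used entry."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", mbr[off:off + 16])
        if ptype != 0:
            parts.append((status == 0x80, ptype, lba, count))
    return parts

def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only, so that a legitimate repartition
    (which only changes the table) does not look like tampering."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()

def check_mbr(mbr: bytes, baseline_hash: str) -> dict:
    """Compare an MBR image with the hash recorded while the machine was clean.
    Changed boot code beside an untouched partition table is the pattern an MBR
    bootkit leaves: Windows still sees its partitions, but the code that runs
    before Windows was swapped, so cleaning files inside the OS cannot stop the
    reinfection on the next boot."""
    parts = parse_partitions(mbr)
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "boot_code_changed": boot_code_hash(mbr) != baseline_hash,
        "active_count": sum(1 for active, *_ in parts if active),
        "partition_types": [ptype for _, ptype, *_ in parts],
    }
```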
kevinf80
4 Tellurium

Re: Rootkit.Win32.TDSS.tdl4 virus

Hello Tony and welcome

I'm kevinf80 and I will be helping with any malware issues you may have with your system.

  • Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
  • Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
  • Either print or Save to Notepad all instructions and please follow them carefully, if there's something you don't understand or that will not work please let me know and we will go through it together.
  • Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin.
  • If you do not reply within 72 hours the thread will be closed, if you need more time let me know. Likewise if I do not respond within 48 hours feel free to PM me.



I note you have been using a pen drive to transfer to the infected PC; that's what we'll do with Combofix. Please proceed as follows on a known clean PC.

Download Combofix from either of the following links and save to your Pen drive

Link 1
Link 2

Before you save it, change the name to Gotcha.exe as below. I know it says desktop on the image, but you'll save to your pen drive.

Transfer to the infected PC Desktop, it must be run from the Desktop nowhere else <--- Very important

Ensure you have disabled your Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

Please include the C:\ComboFix.txt in your next reply for further review.

Examples of how to disable realtime protection available at the following link :-

Disable realtime protection

Double click the Gotcha.exe icon to start. If CF asks to install the Recovery Console, please allow it. Just follow the prompts.

Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

*EXTRA NOTES*

  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).



Kevin

Anthony Boyle
2 Bronze

Re: Rootkit.Win32.TDSS.tdl4 virus

Kevin,

Thanks.

Just to update you - I managed to get Kaspersky's online virus check to run. I had made the mistake of using Opera; this seems to be the reason it wasn't running. It means I can get online, but it's a bit flaky - plus I ran the Kaspersky online tool up to 19% before I stopped it, by which time it had found a lot of trojans. It's probably a good idea to keep the machine off-line from now on.

I'll run the Combofix tool and get back to you.

I'm relieved there's someone out there trying to help.

Again, thanks.

Tony
kevinf80
4 Tellurium

Re: Rootkit.Win32.TDSS.tdl4 virus

OK Tony, any time you're ready...

Kevin

Anthony Boyle
2 Bronze

Re: Rootkit.Win32.TDSS.tdl4 virus

Hi Kevin,

Sorry, I've had to deal with something else - non-PC related - and haven't been able to run it yet. How long does Combofix take to run? I ask as it's late evening here in the UK and if it's hours then we'll need to pick this up again tomorrow.

Thanks again.

Tony
kevinf80
4 Tellurium

Re: Rootkit.Win32.TDSS.tdl4 virus

Hi Tony,

I'm in the UK myself. CF takes approximately 10 minutes to run; this may extend to 20 minutes on heavily infected systems.

Kevin

Anthony Boyle
2 Bronze

Re: Rootkit.Win32.TDSS.tdl4 virus

Hi Kevin,

Great - get back to you soon.

Tony
kevinf80
4 Tellurium

Re: Rootkit.Win32.TDSS.tdl4 virus

I'm usually here Tony, just post when you're ready. Make sure you back up any important data. TDL4 is a nasty infection and always has plenty of friends with it.

Kevin
Anthony Boyle
2 Bronze

Re: Rootkit.Win32.TDSS.tdl4 virus

Hi Kevin,

Unfortunately things don't seem to be going to plan.

Attempt 1:

Downloaded the Combofix file and gave it a random name. Transferred via the pen drive to the desktop, ran it, got a splash screen asking me to accept the conditions, I accepted and was greeted with the message "Combofix must have an alphanumerical name - install aborted" (there was a "[" symbol in the name).

Attempt 2:

Downloaded the Combofix file again and gave it the name Gotcha.exe this time as directed. Transferred it via the pen drive to the desktop, ran it, a blue DOS box opened with the message "access denied". Install aborted.

Attempt 3:

Renamed the Gotcha.exe file on the pen drive to zfh.exe. Transferred to the desktop. This time something popped up very briefly in a blue DOS box again before returning the "access denied" message again. However, this time after a little delay it started (is the "access denied" message normal behaviour? - if so, it foxed me). It asked me to download and install the recovery console (done) and reboot (done). It's now scanning.

Update:

About 10 minutes ago I heard the windows shutdown sound and went to look (I'm on a different floor to my wife's PC). It's frozen at the shutdown stage - just a blank blue screen (not a BSOD - it's the desktop colour) and the cursor.

Shall I switch off and switch back on?

Tony
kevinf80
4 Tellurium

Re: Rootkit.Win32.TDSS.tdl4 virus

If CF is dealing with a Rootkit it may re-boot and sit idle for several minutes then boot again. Leave it a while and see how it goes; if no change after 30 mins force a re-start and let me know.

TDL4 is very unpredictable, let's see how it goes.

Kevin