
October 1st, 2010 08:00

Rootkit.Win32.TDSS.tdl4 virus

Hi,

My wife has this virus on her Dell Vostro 410 PC. From what I can gather off the web it hides in the MBR and reinfects the machine on every boot even after rootkit cleaners have erased it from the OS.


I have tried Kaspersky's TDSSKiller, and although it appears to have killed the OS rootkit with a tweak (renamed the file before running it), on reboot it's still in the MBR. And we are still getting redirects.

None of the tools I've been trying will function. GMER, UnHackMe, Prevx CSI etc. won't run - they either freeze or shut down. I haven't tried Combofix yet but I don't expect I'll fare any better with that and I wouldn't know how to use it anyway without help. Kaspersky's online scanner freezes on the page as do all other Kaspersky pages (I managed to download TDSSKiller by downloading it to my machine and transferring it using a pendrive).

One fix appears to be replacing the MBR with a copy through the recovery console using the fixmbr tool. However, Dell PCs use a proprietary MBR and replacing it in this way will bugger up the partitions, see here:

http://en.community.dell.com/support-forums/software-os/f/3524/t/19325495.aspx

and here:

I need help with this and if possible a copy of a Dell MBR. Apparently it doesn't matter which Dell model it comes from. The site above explains it in more detail.

Hitting F12 at boot gives me the following information:

HARD DISK
      - SATA-0 Hitachihi HDP725050GLA36
      - BOOTABLE ADD-IN CARDS
CDROM
UTILITY PARTITION

I tried Dell telephone support (we still have support until 2012, but only hardware, it seems, so no help there except a remote reinstall for a fee. I'm hoping to avoid that). 

I've been at this for days now and am exhausted looking for a fix.


Tony 
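
The distinction behind Tony's fixmbr worry is that the rootkit lives in the 440-byte bootstrap code at the start of the MBR, while the part a Dell system cannot afford to lose is the partition table that follows it (the utility partition entry). As an added example, not code from this thread or from any of the tools mentioned, this Python parses a 512-byte MBR image, lists its partition entries and flags whether the bootstrap code differs from a known-good baseline hash; the MBR bytes here are constructed for the demo, and a real check would dump sector 0 from a clean boot environment.

```python
import hashlib
import struct

SECTOR = 512  # a classic MBR is exactly one 512-byte sector

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR (not a real dump): bootstrap code, disk signature,
    a Dell-style utility partition entry followed by a bootable NTFS entry,
    and the 0x55AA signature. Layout: 440 + 6 + 64 + 2 = 512 bytes."""
    code = boot_code.ljust(440, b"\x00")[:440]
    disk_sig = struct.pack("<IH", 0xDEADBEEF, 0)        # 4-byte signature + 2 reserved
    entries = [
        # (status, type, first LBA, sector count); 0xDE is the Dell Utility type
        (0x00, 0xDE, 63, 160650),
        (0x80, 0x07, 160713, 976000000),                 # bootable NTFS partition
    ]
    table = b""
    for status, ptype, lba, count in entries:
        table += struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
    table += b"\x00" * 16 * (4 - len(entries))          # unused entries stay zeroed
    return code + disk_sig + table + b"\x55\xAA"

def parse_mbr(sector: bytes) -> dict:
    """Validate the sector and split it into bootstrap-code hash and partition table."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype, lba, count = struct.unpack("<B3xB3xII", sector[off:off + 16])
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "first_lba": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
            "partitions": parts}

def check_against_baseline(sector: bytes, baseline_code_sha256: str) -> dict:
    """Compare only the bootstrap code against a baseline taken from a clean system,
    so a changed hash points at the code area, not at the partition layout."""
    info = parse_mbr(sector)
    info["boot_code_changed"] = info["boot_code_sha256"] != baseline_code_sha256
    return info

if __name__ == "__main__":
    clean = build_sample_mbr(b"\xEB\x3C\x90")
    baseline = parse_mbr(clean)["boot_code_sha256"]
    print(check_against_baseline(build_sample_mbr(b"\xEB\x3C\x90\xCC"), baseline))
```

The baseline hash should be recorded from a trusted boot (rescue media, not the infected OS), since a kernel-mode rootkit can hide the real sector contents from tools run inside Windows.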


October 8th, 2010 11:00

Hi Kevin,

By CCleaner do you mean this:

http://www.filehippo.com/download_ccleaner

There was no link in your last reply.

Tony


October 8th, 2010 12:00

Apologies Tony, I thought you had it installed. I've got a lot of logs on the go, got mixed up. Yes, that is the one I meant, here is the link and settings:

Download and scan with CCleaner

1. Starting with v 1.27.26 (this version no. will differ), CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 24 hours".
3. Then select the items you wish to clean up.

In the Windows Tab:

  • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.

In the Applications Tab:

  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet section.
  • Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop-up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "Exit" when done.

Kevin

October 8th, 2010 12:00

Kevin,

No need to apologize - this has been a marathon and you look like you are run off your feet.

Tony


October 8th, 2010 13:00

You're right there Tony, lots of guys seeking help. I've got no work this weekend but am sure to be kept busy here. Let me know when you've completed the clean up and if all is OK. We've been on a bit of a journey, plenty of hurdles along the way....

Kevin


October 8th, 2010 14:00

Not at all Tony, only temp files etc. created by the said apps. Nice program to have, keeps your system free of clutter. It's got other handy functions as well.

Kevin

October 8th, 2010 14:00

Hi Kevin,

I'm a bit fuzzy about what CCleaner is about to do here. E.g. it's got Google Earth, Office 2007, WinZip, and Regedit amongst others in the Applications section ticked. Is this going to delete these?

Tony


October 8th, 2010 14:00

Hi Kevin,

Combofix found McAfee still running, despite being turned off, and complained. I disabled everything associated with McAfee in Services, bar two that refused, and it completed the uninstall. A couple of Combofix folders masquerading under different names, e.g. zfh, had to be manually deleted. No further issues to report, other than the media sound controls on the keyboard have gone. Not sure if this is related or not, could just be a driver that needs resetting, or something.

OTC ran fine, as did CCleaner. Apart from that keyboard thing, the PC seems back to normal.

Are we done?

Tony


October 8th, 2010 15:00

Hiya Tony,

We are done when you are satisfied your system is stable and all malware issues are resolved. From the logs and your feedback I'm confident we've achieved our goal and finally removed all traces of the infection.

Regarding the sound issue, yep, I agree, more than likely a driver issue. Check in Device Manager to see if there are any yellow exclamation marks or red x's against sound devices or controllers. Other than that, you're good to go.

I'll give you my standard close-out speech; make sure you run Secunia, link in the speech. This will check your system for vulnerable applications and give fixes for any found.

Regarding CCleaner, as well as the excellent cleaning function, select Tools; from there select "Uninstall" and you can uninstall any application. Select "Startup" from here, highlight any program, and you can enable, disable or delete any startup entry. There is more: in the bottom left-hand corner is "Online Help", click on that to go to the website for help and instructions on CCleaner, a very handy utility.

Your latest logs are clean and you say that your system is running well; it would be an excellent idea to keep it that way. The following advice will go a long way to keeping you secure so that you can enjoy safe and happy surfing.

Here are some tips to reduce the potential for malware infection in the future; I strongly recommend that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.

Make proper use of your antivirus and firewall

Antivirus and firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware; if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features, make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times; NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure your system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

You will have several programs installed; these may be outdated and vulnerable to exploits also. To be certain, please run the free online scan by Secunia, available HERE. Before clicking the Start scan button, please check the box for the option Enable thorough system inspection. Just below the "Scan Options:" section, you'll see the status of what's currently processing. When the scan completes, the message "Detection completed successfully" will appear in the Programs/Result section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.


Use a safer web browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives: Firefox, Opera, and Chrome.

All of these are excellent, faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial HERE which will help you to make IE MUCH safer.

These browser add-ons will help to make your browser safer:

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones: green to go, yellow for caution, and red to stop. Available for Firefox and Internet Explorer.

NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing. Available for Firefox only.

These are just a couple of the most popular add-ons; if you're interested in more, take a look at THIS article.

Here are a couple of links by two security experts that will give some excellent tips and advice:
So how did I get infected in the first place by Tony Klein
How to prevent Malware by Miekiemoes
Finally, this link HERE will give a comprehensive, up-to-date list of free security programs, including antivirus, antispyware, firewall, antimalware, online scanners and rescue CDs.

Please reply so I know you have read this; it's been a pleasure to work with you.
Take care,

Kevin

October 8th, 2010 16:00

Hi Kevin,

Things are running smoothly now, I'm happy to say - you are free to help some other poor soul. I can't thank you enough for all the patient help you've given. I have no idea what we would have done without it. My wife was almost tearing her hair out and ready to throw the PC out the window. That you do this on a voluntary basis is amazing.

This has been both a journey and an education. I'll definitely be keeping some of those tools - CCleaner, for example, and I'll certainly be following your advice.   

Take care yourself - and try and get some rest.

All the best.

Tony


October 8th, 2010 17:00

Since this issue appears to be resolved the topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

The fixes and advice in this thread are for this System only. Do not apply the instructions from this thread to your own System. Please start a new thread describing your issue and someone will be along to assist you.